About PERSEUS

PERSEUS : portal enabled resources via Shibbolized end-user security

About PERSEUS

Overview of the PERSEUS Project

1. General background

2. Basic concepts

3. LSE context

4. Project aims and objectives

5. Approach

6. Useful links

1. General background

Staff and students in HE and FE institutions currently struggle with an overload of information, held in different systems, available via widely differing levels of access control, and ranging from open access to strictly controlled access subject to data protection legislation and/or tough licensing conditions. That is before one attempts to match information to subject needs for teaching and learning or research. Portals can provide a superficial environment for presentation of information, but they need to be underpinned by intelligent access and authorisation management systems which can match user attributes and privileges to information and licensing/access conditions. This can be done by using Middleware. The most important function for portal middleware is authorisation management to the hybrid collections of resources, for institutional learning, teaching, research and administration - resolving (with minimal human intervention) questions of 'who can access what'. Access management needs to be fine-grained to take account of multiple user roles and complex content provider requirements. Licensing conditions are generally strict for commercial resources, such as e-journals, but access to statistical datasets may be governed by rules set by individual government departments which produced the data, as well as the administrative requirements of the host data centre.

2. Basic concepts

The Joint Information Systems Committee (JISC) defines Middleware as

'...the process of helping institutions to connect people to resources. Middleware can be implemented at all levels and is not a single piece of software or single service that resides visibly on an end-user's desktop. Technically, it can be viewed as a layer of software or 'glue' between the network and applications. Middleware can be shared by many applications serving various purposes in different environments.' (http://www.jisc.ac.uk/index.cfm?name=middleware_team)

The JISC is currently focusing on Core Middleware, which can be defined as:

'...the central services that are essential to middleware as a whole. These are: authentication, authorisation, directory services, and identifiers.' (http://www.jisc.ac.uk/index.cfm?name=middleware_team)

For more information on Core Middleware, visit the JISC Core Middleware Programme pages. The Programme is intending to build a UK Core Middleware architecture using Shibboleth technology. JISC has recently announced its roadmap for a next generation access management system, based on the Shibboleth technology, at the 'Accessing the Future' Event.

Shibboleth technology, developed by Internet2, is open source software that can be used for developing middleware architectures, policy structures, practical technologies, and an open source implementation to support inter-institutional sharing of web resources subject to access controls. Shibboleth is an open, standards-based protocol for securely transferring attributes between the home site and resource site to establish whether the user should have access to the requested information. A useful demonstration of how Shibboleth works can be found on the Swiss Education & Research Network's (SWITCH) website.

4. LSE context

As part of an institutional information strategy, work has already been done at LSE in investigating user roles and attributes and in identifying key information resources to which users want seamless access. The PERSEUS project will build on this work to develop a model institutional architecture for information resource management. This will include administrative information (building on LSE for You) to remove the information blockages which currently cause frustration and wasted time to academics, administrators and students. LSE for You is the existing LSE portal for administrative and financial information for staff and students. The project will also pull together learning and research information of relevance to users held in disparate systems such as VLEs (Virtual Learning Environments), library catalogues, e-journal collections, reading list systems, data libraries, unpublished research resources. PERSEUS will investigate the complexities of user attributes, drilling down below the standard roles of teacher, student etc, to cover multiple roles (a research student can also be a class teacher, an alumnus and even a university student governor) and the mix of permanent and temporary roles and institutional relationships that exist in real-life.

The project will build on the deliverables and experience gained in the JISC AAA (06/02) Programme, in particular the SECURe Project recently undertaken by LSE, and other work closely related to SECURe (funded by JISC and other sources) including:

The JISC UK Scoping Study for eduPerson and related schemas, which aimed to establish 'grass roots' requirements in HE, FE and other UK education sectors for schema describing institutional students, staff and other users.
The baseline study (for SURF-NL) of current access management technologies and projects throughout the world.
The evaluation for JISC (supporting the SHELL and NIIMLE projects) of cross-institutional access management technologies for transcript sharing between consortia of HE and FE institutions.
Long-standing collaboration between LSE and the NSF Internet2 and NMI-EDIT programmes, to establish the first UK institutional pilot implementation of Shibboleth and to produce 'roadmap' guides for institutions implementing campus middleware architectures (documentation produced by the SECURe Project has proved of interest and use in the US, as well as the UK).
The role of LSE as one of the founding institutional members of JISCInfoNet, and the continuing role of LSE staff in promoting the goals of JISCInfoNet for dissemination and the encouragement of good practice in the F&HE community.

The project will also make use of the conceptual middleware architecture designed to underpin the development of an institutional managed information environment for learning, teaching, research and administration at LSE. This identified the need for a middleware layer consisting of Collection Level Registries to manage large, complex collections of resources held in different administrative domains, and sophisticated access management to cope with a wide variety of user roles and attributes. The possible architectures described by Don Gourley (in 'Library Portal Roles in a Shibboleth Federation') will be used to inform the architecture developed by PERSEUS; but will need further development to integrate the requirements of a 'library (only) portal' into those for an institutional (university or college) portal, structured to cater for the diverse information and knowledge management needs of learners, teachers, researchers and support staff.

LSE has a well developed alumni association with many subject and regional-based special interest groups. Alumni benefit from access to e-mail, library and portal facilities and, as such, are already authenticated through the 'LSE for You' portal. The LSE Library registers approximately 2,500 new alumni each year and over 4,000 are registered to use an LSE email account. The alumni special interest groups such as the Lawyers Group and the American Friends of LSE are good examples of virtual organisations. These groups are self-administering and semi-autonomous. Membership of different groups overlaps and access to third party information resources is often restricted by subscription and licence conditions. Modeling access to resources, discussion lists and other facilities and services by these groups within a portal environment would be a good test for the abilities of Shibboleth (and the chosen authority manager toolset) to cope with delegated management of identity credentials.

4. Project aims and objectives

PERSEUS will address the key challenge of Shibboleth-based access management to information resources via an institutional portal, using the uPortal Open Source portal toolkit. The project will deliver a generalised campus architecture for adoption by FE and HE institutions, supported by documentation at conceptual and technical levels, and reusable software components available as Open Source.

PERSEUS will address the essential requirement to develop a model institutional information environment architecture that can take full advantage of the JISC Information Environment, and the next generation national access management infrastructure that JISC is planning to resource. It will present this model as a working example and provide documentation and software tools that can be re-used by other UK institutions to develop similar architectures.

In addition to testing the potential for integration of the PERMIS authorisation management system with Shibboleth, the project proposes to evaluate alternative or complementary technologies for this function. In particular, the system initially developed at Stanford University under the Stanford Authority Project is favoured for further development by NMI-EDIT, and is now the subject of the Signet Project.

The primary objective will be to develop an institutional architecture for multi-tiered use of the Shibboleth protocol (Shibbolizing resources within a Shibbolized portal).

The PERSEUS project will also investigate methods of authority management for less well-defined groups of users, by implementing secure portal access for 'short-term virtual organisations', such as LSE Alumni Special Interest Groups, and the problems raised by 'multi-layered portal' environments - where users wish to access resources managed by one portal (such as a subject collection shared between several libraries), via the consolidated view presented by their own institutional portal.

5. Overall Approach

PERSEUS will design a systems architecture, and populate it with middleware components to serve an institutional information portal using a range of proprietary (supplier-led) and bespoke information resources, user directory services, integrated authentication services (based on Shibboleth and Yale CAS) and authorisation services middleware to determine 'who can access what'. The architecture will cover the entire range of diverse resource types, both intra-institutional and inter-institutional, from high-security databases (such as student and financial records), to large-scale externally-managed repositories (such as controlled-access statistical datasets and e-journal collections). Recognising the growing institutional trend to integrate access to resources (superficially) via web portals, the project will use uPortal as the presentation layer of this architecture, but concentrate effort on the authentication, authorisation and directory services that are required between presentation layer and content.

PERMIS at Salford University currently supports the securing of user attributes in long-lived X.509 attribute certificates, since this provides their validity times in a tamper-proof digitally signed certificate, and in addition states who is the assigning Attribute Authority. These certificates are not generally anonymised. Shibboleth currently secures attributes in optionally short-lived digitally signed SAML messages, but leaves it up to the home site how to secure the attributes long term. The SAML messages are normally anonymised. This basic difference of approach makes integration a challenge. There are several ways in which PERMIS and Shibboleth may be integrated, depending on how the two software architectures are modified to accommodate each other. LSE will work with the developers of PERMIS, with the staff of the Stanford Authority Project and with the Shibboleth development team to evaluate which of these ways (or some other authority management mechanism) is the most appropriate.

Shibboleth-based access management (and the 'single sign-on' experience that this enables for end-users) ideally requires the implementation of Shibboleth Target components in information resource hosts that form the content layer, beneath the presentation (portal) and middleware (access management) layers of the architecture. LSE has already secured support from several commercial partners that supply or operate information systems holding key portal content sources:

WebCT (the Virtual Learning Environment in use at LSE)
Endeavor Information Systems, Inc (suppliers of the Voyager library management systems and Encompass resource discovery tool; with international publishers Elsevier as their parent company)
Sentient Learning Ltd (suppliers of the Discover reading list management system)
SITS Ltd (the UK market leader in student record systems whose product Systems InTuition is currently used by 113 HE and FE institutions, representing over 60% market share of UK universities)

PERSEUS will work with Endeavor to integrate the Voyager and Encompass systems within the multi-tiered portal architecture and will liaise with US-based institutions using these products. The project will also maintain contact with a potential SURF (NL) project working to similar goals with the Ex Libris products Aleph and Metalib-SFX, with the aim of ensuring that library systems integration is reasonably generic and potentially portable to other products. PERSEUS will collaborate with the international NEREUS Consortium for economics research resources for this purpose.

PERSEUS will also enable LSE to continue developing relationships (established under the SECURe Project, via the Internet2 Shibboleth pilot group) with 'primary' content vendors that are important to the UK community, such as JSTOR, Elsevier and EBSCO.