About ShibboLEAP
This project was initiated by the London School of Economics & Political Science (LSE) in response to the JISC Call 11/04 for Early Adopters of Core Middleware for Access Management, and in response to a request from JISC to combine six separate similar project proposals (from the six partner institutions supporting this project) into a single proposed project.
The six supporting partner institutions were:
- Birkbeck College (Birkbeck)
- Imperial College (Imperial)
- King's College London (KCL)
- Royal Holloway College (RHUL)
- School of Oriental & African Studies (SOAS)
- University College London (UCL)
Each of the seven partners in this project maintains an institutional self-archive of academic publications, based on the Eprints.org software, as part of the SHERPA-LEAP consortium. Access to documents in these archives is public and unrestricted, but access management is required to authenticate the identities of academic staff depositing documents, and of library staff who must check or amend descriptive metadata, and approve documents to appear within the public collection. Originally, authentication and authorisation were handled within the Eprints.org server, requiring the registration and use of (yet another) password by users, and administration of these registrations by staff supporting the archive.
Project aims
- Creation of a Shibboleth Identity-Provider (‘Origin’) service for all academic and support staff (at each of seven partner institutions in the SHERPA-LEAP consortium) who are involved in controlled access to their respective institutional Eprints servers.
- Implementation of modifications to the seven Eprints.org servers of the consortium, to enable them as Shibboleth Resource-Providers (‘Targets’).
- Enabling all students and staff at all seven partner institutions to use the Shibboleth Identity-Provider service for access to any other Shibboleth-enabled Resource-Providers within the two established Federations.
Because existing institutional directory services were used to implement Shibboleth Identity-Provider services, completion of the project made it possible for all staff and students registered with each of the seven partners to access other Shibboleth-enabled resources, either directly or via the Shibboleth-Athens Gateway constructed by Eduserv. LSE was already fully capable of operating as a Shibboleth Identity-Provider.
All partners registered independently for membership of both the Eduserv and SDSS (Edina) Federations, although the project also explored the possibility of a SHERPA-LEAP Federation, addressing part of the “WAYF scalability problem” that is inherent in the current Shibboleth architecture.
Shibboleth is a particularly appropriate access management technology for this purpose, because much of the potential content that could be included in an archive is jointly authored by colleagues, not necessarily affiliated to the same institution. This project built in the potential for authorised users from any other ‘Shibboleth-enabled’ institution to authenticate to our Eprints servers when and if the managers of each archive are organisationally ready to permit this.
Software development of Eprints for this project collaborated with other efforts, worldwide, to integrate the Eprints Open Source Software (OSS) with institutional access management middleware. Developments achieved by this project are made available in the public domain by being included as OSS releases.
The Projects Team at the Library of the London School of Economics & Political Science provided project management, technical support for the Shibboleth Identity-Provider and Resource-Provider implementations, and strategic advice and support to other partners on integration with existing institutional services and the organisational issues of supporting such devolved access management. LSE is also a member of the SHERPA-LEAP consortium, and was already capable of operating as a Shibboleth Identity-Provider as a result of prior work (largely supported by JISC) in the SECURe and PERSEUS projects. Resources available from the Core Middleware Assisted Take-Up Service provided on behalf of JISC from March 2005 were used to help grow local expertise in Shibboleth and related technologies amongst appropriate support staff at each partner. Staff involved in this project made full use of the discussion facilities provided by the service, to share their experiences and benefit from those of other early adopters.
Amongst them, the seven partners used a variety of existing methods for user identity and resource access management. Those included Athens (‘traditional’), AthensDA, various implementations of LDAP, and various data sources used to hold and maintain identity and role attribute information about users (staff and students) registered with them. All had strategic goals to work towards ‘single sign-on’, and all had the technical capabilities to support the platforms and integration infrastructure needed to operate as Shibboleth Identity-Providers, at least on the pilot scale required to achieve the minimum objectives of this project.
This project started on 1 April 2005, and was completed by 30 April 2006.
Methodology
The ShibboLEAP project was managed by John Paschoud at LSE. Each partner appointed a Coordinator (0.1fte) at a senior level, ensuring that key institutional staff and resources could be engaged to support the project at appropriate times, and that opportunities for the project to further institutional strategic goals (such as for enterprise directory management) could be recognised. An important role of the six coordinators was to promote awareness of the project, and its potential wider impact amongst their own colleagues and decision makers, and via their own established channels for informing staff and students.
A Consortium Agreement was signed by all partners, enabling LSE to act as lead partner with responsibility to JISC for the undertaking of the project, and detailing the distribution of JISC funding covering staff costs to each partner by LSE as set out in the budget included in the project proposal.
Decisions at five critical stages during the project were taken by formal Project Team meetings, involving all key project services staff and supported by strategic and technical advice from LSE when necessary.
Local technical support was available in the form of earmarked time (0.4fte) from an IT support specialist at each partner who was familiar with the existing network and services infrastructure. This was supported by the availability of expertise and experience in Shibboleth, and related technologies, from LSE.
As a minimum, the project aimed to enable authentication via Shibboleth to the seven Eprints servers. Due to the potentially complex set of authorisations for roles and actions within the Eprints software (deposit, approve, edit-metadata, etc.), the extent to which authorisation (based on role attributes maintained within seven different institutional directories) could be fully ‘Shibbolised’ was determined at an early stage, during the technical audits prior to installation of the Shibboleth-Origins.
Useful links:
The LSE Eprints server is publicly accessible at: http://eprints.lse.ac.uk/
Eprints servers of other partners are at similar locations, and all are physically hosted by UCL.
Eprints.org homepage: http://www.eprints.org/
SHERPA homepage: http://www.sherpa.ac.uk/
Discussion of WAYF scalability options: MACE-Shibboleth Conference Call -- June 20, 2001: http://shibboleth.internet2.edu/minutes/SHIB-20-June-2001.html
Internet2 - Shibboleth