Shibboleth at LSE

LSE Library

LSE Shibboleth architecture and technical implementation - summary

The London School of Economics' involvement with Shibboleth began in 2001 in the Angel project, when the Library Projects team carried out an evaluation of Shibboleth for JISC as a potential replacement for the Athens authentication system then used in the UK Higher Education community. As part of this, the team set up the first functioning Shibboleth installation outside the US (using version 0.7 of the software), with the school's Active Directory installation as the authentication and attribute source. The team produced a considerable quantity of documentation for this and later projects. For further information about the Library Projects Team's involvement with Shibboleth and Federated Access Management (FAM) generally, see the LSE Library Projects Wiki and the LSE Library Projects website.

The LSE currently has two main Shibboleth 1.3 Identity Providers. One is used as the school's main access route to external electronic resources (both directly and via EZProxy). The other, known as LSE Login Plus, is being enhanced on a test basis with attribute release consent software and by using the beta Enterprise Directory as an attribute source rather than Active Directory. There are several Service Providers operated within the School, and the FAR Project runs a Shibboleth 2.0 Identity Provider and Service Provider as part of its software testing environment. Over the summer of 2009, the LSE aims to migrate to Shibboleth version 2.1.

The Shibboleth work done by the Library Projects team produced a requirement for a directory which was more flexible than the Active Directory installation. This is met through the use of an Enterprise Directory, which is intended to act solely as a source of user metadata for applications, rather than being a directory which has another main purpose (such as network administration or as an adjunct to an email server). A beta version of this directory was set up during 2008, and is now being tested through use for a production application (WCN, an online HR management system), as well as for the components developed during the FLAME project.

The Library Projects team has also been involved in investigating Shibbolised versions of software products. This has included both evaluation of other people's software (e.g. in the SECURe project) and development (e.g. in the PERSEUS, FLAME and FAR projects). Projects in which we have been involved have carried out development work on TWiki, DSpace, uPortal and EPrints. The team also worked with Microsoft to test the integration between ADFS and Shibboleth, which led to the production of a Microsoft White Paper on the subject.

More general interest in FAM led to the UKeduPerson project, which looked at how users from the UK might be described in a similar style to the eduPerson schema. This in turn led to study of the business processes surrounding identity in UK higher education, with the Identity Project and most recently the Identity Management Toolkit.

The FLAME project investigated tools for privilege management (Signet/Grouper, and tools developed by the project team) and user management of access release (ShARPe/Autograph and ArpViewer). (See the team's summary of this work.) This technical work laid the foundation for the rigorous study of user attitudes to the use of these tools which was the main focus of the project, the results of which can be found on the project wiki.

Page last updated by Masha Garibyan 19 March 2009 info@angel.ac.uk