Shibboleth Capabilities of Bodington (Guan Xi)
JA SIG UK are the umbrella body in the UK for people who are using uPortal, SAKAI and OSPI. We feel that Bodington 2.4.3 in conjunction with Guan Xi can help these people as it can be used 'out of the box' as a 'system formerly known as a Shibboleth origin' - we should now refer to it as a Shibboleth service provider.
I've been faffing around with a 'press release' type article that will be handed out and now seem to have volunteered myself to design a t-shirt. As if I didn't have enough to do already! Still, I suppose it makes a change from the drudgery of working on LUSID (http://sourceforge.net/projects/lusid/). [I should actually say 'not quite getting around to working on LUSID'!]
Here's the article:
Improved Shibboleth Identity Provider Capabilities in the Bodington VLE
The Joint Information Systems Committee (JISC) has recently endorsed Shibboleth as the next-generation authentication and authorisation system controlling access to e-learning systems. The intention is that it will replace the current Athens authentication system for accessing on-line resources. Work to provide a gateway that will allow institutions using Shibboleth-compatible systems to access Athens-protected resources has already begun.
Bodington is an ideal testbed for developers wishing to have their first play with Shibboleth, especially as it is very simple to install.
Guan Xi is a standalone Shibboleth-compatible Identity Provider (IdP, formerly known as a 'Shibboleth Origin'). The first version is available as a stand-alone webapp from: http://sourceforge.net/projects/guanxi The Guan Xi team is also working on the Service Provider (SP, formerly known as a 'Shibboleth Target'), which should be completed later this year.

Getting Started
To get started with the Shibboleth profile, developers should download the 2.4 release of the Bodington VLE. This contains a pre-configured Guan Xi IdP that gets you up and running as a member of a Shibboleth federation with zero configuration. We recommend developers go this way at first.
Although the 2.4 release of Bodington contains a zero-configuration IdP, the Guan Xi team envisage some simple configuration in the next release in order to support multiple federations; the bulk of the work will still be done by Guan Xi itself. An explanation of what Guan Xi is (specifically the Bodington version), what it does and what you can expect from it is available at: http://www.weblogs.uhi.ac.uk/sm00ay/?p=71
SAML assertions issued by the IdP must be signed. This is not a problem for a test deployment, as the Guan Xi IdP that comes with Bodington provides a default certificate store together with pre-configured XML fragments for use in a Service Provider's FederationProvider configuration. It also contains XML for the IQ-trust.xml entries used by the Guan Xi IdP. The default keystore and self-signed certificates are generated using random data and passwords, so that each Guan Xi-enabled Bodington has its own key pair and is unique in a federation. Bear in mind that a self-signed certificate is only as trustworthy as the channel by which the SP obtained it: an SP that imports the fragment is trusting that one certificate directly, not a certification authority.
The default configuration is not intended for a production environment; rather, it is there to allow developers to quickly install Bodington, join a federation such as SDSS (http://sdss.ac.uk) and "kick the tyres".
For a production IdP we recommend creating your own keystore with a new private key and obtaining a certificate for it from a commercial certification authority rather than relying on the self-signed one. Treat the keystore and its password as tightly as any other credential: whoever holds the signing key can mint assertions that every SP in the federation will accept. By then, you should have an idea of what's involved in running an IdP service.
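As an added example (not code from Bodington, Guan Xi or this page), the following POSIX shell script walks through the production step just described: a per-installation keystore protected by a random password, a fresh RSA signing key, and the resulting certificate reduced to the XML-DSig `<ds:KeyInfo>` fragment that a Service Provider pastes into its trust metadata. The key alias `idpsigning`, the hostname `idp.example.ac.uk`, the temporary paths and the sample PEM block are all assumed values; the JDK `keytool` step only runs where a JDK is installed, and where it is not, a constructed PEM-shaped sample is used so the text processing can still be exercised.

```shell
#!/bin/sh
# Added example, not Bodington or Guan Xi code: build a per-install IdP
# keystore with a random password and a new key pair, then turn the
# certificate into the <ds:KeyInfo> fragment an SP puts in its trust
# metadata. Alias "idpsigning", the CN and all paths are assumed values.
set -eu

# 16 random bytes from /dev/urandom rendered as 32 hex characters: one
# password per installation, never a default shared across installs.
random_password() {
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# Create a keystore holding a new 2048-bit RSA signing key for the IdP and
# print its (initially self-signed) certificate in PEM form. Needs a JDK.
# Before going live, generate a CSR for this key (keytool -certreq) and
# replace the self-signed certificate with the one the CA issues.
make_idp_keystore() { # $1=keystore path  $2=store password  $3=IdP hostname
    keytool -genkeypair -keyalg RSA -keysize 2048 -validity 365 \
        -alias idpsigning -dname "CN=$3" \
        -keystore "$1" -storepass "$2" -keypass "$2"
    keytool -exportcert -rfc -alias idpsigning \
        -keystore "$1" -storepass "$2"
}

# Reduce a PEM certificate on stdin to its base64 body on a single line,
# which is the form that goes inside <ds:X509Certificate>.
pem_to_x509_body() {
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' \
        | grep -v -- '-----' | tr -d '\r\n'
}

# Wrap the base64 body in the XML-DSig KeyInfo element used by SAML
# metadata and trust files. Exactly where the fragment is pasted depends
# on the SP's own configuration layout.
x509_keyinfo_xml() { # $1=base64 certificate body
    printf '<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
    printf '<ds:X509Data><ds:X509Certificate>%s</ds:X509Certificate></ds:X509Data>' "$1"
    printf '</ds:KeyInfo>\n'
}

# Constructed sample in PEM layout (not a real certificate) so the text
# processing above can be run without a JDK present.
SAMPLE_PEM='-----BEGIN CERTIFICATE-----
MIIBsampleLine1
MIIBsampleLine2
-----END CERTIFICATE-----'

if command -v keytool >/dev/null 2>&1; then
    umask 077                               # keystore and password file: owner-only
    store="${TMPDIR:-/tmp}/idp-$$.jks"
    pass=$(random_password)
    printf '%s\n' "$pass" > "$store.pass"   # keep the password out of the terminal
    body=$(make_idp_keystore "$store" "$pass" idp.example.ac.uk | pem_to_x509_body)
    echo "keystore: $store  (password in $store.pass, mode 0600)"
    x509_keyinfo_xml "$body"
else
    echo "keytool not found; showing the fragment for the constructed sample" >&2
    x509_keyinfo_xml "$(printf '%s\n' "$SAMPLE_PEM" | pem_to_x509_body)"
fi
```

The password is written to an owner-only file beside the keystore rather than echoed, because a signing-key password that appears in a terminal scrollback or shell history is effectively public to anyone who can read those. The emitted `<ds:KeyInfo>` carries the whole certificate, so an SP that imports it is pinning that exact key; when the CA-issued certificate replaces the self-signed one, the fragment must be regenerated and redistributed.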
Why Bodington?
The Bodington VLE has a very fine-grained permissions model, and combined with the Guan Xi IdP you can use this to your advantage when arranging access to SP resources in a federation.
As Bodington has its own user store, a user can log in to their IdP and manage their own attribute release policies. Logging in also gives you true SSO across multiple federations and service providers: as long as your Bodington session is valid, the Guan Xi IdP will honour it and will not require you to log in each time you access a different service provider.
Guan Xi will soon support self-registration when combined with Bodington, so you can allow users who do not have local accounts to register with your Bodington IdP and gain access to resources at the lowest level of access. Once created, you can upgrade the self-registered accounts to give those users a greater degree of access.
If you fancy giving it a go, the Guan Xi community can provide some Shibboleth-compatible resources for you to access, and we can help with fine-tuning attribute release to let you see what's involved in deploying and managing a Shibboleth-compatible IdP.