Shibboleth: authentication of the future

For over a decade, the University of Calgary has used a piece of software called the Central Authentication System, or simply CAS. CAS is a fairly simply concept, it is a single sign-on provider, which means if your logging into a web application – you just need to enter your credentials once and your good. Any service you visit logs you in automatically. When you close your browser everything is torn down and you are no longer logged in to anything.

We take single sign-on (or just SSO) for granted these days. As a user, it is generally expected that you only need to log in once and being asked for your password a second time while still at the same website doesn’t make sense. However universities are quite a diverse ecosystem of different web applications being built by different people in different departments, so a unified single sign-on architecture is a little like running a federal train system. You have a number of cities and provinces each with their own priorities and agendas and you need to make sure everyone agrees on what signals and rails to use for the benefit of the passengers. No one wants to get off one train and onto another just because no one could agree on what track gauge to use.

 

However what if your train wants to leave the country and go to another one? It is quite common in Europe for tracks to be different gauges, different signals being used, and even different sources of electricity. This was both out of ignorance and sometimes on purpose to prevent enemy trains from using your tracks. However it sure makes it difficult for people to get around.

CAS has the same problems as trains do. It is great when travelling around University of Calgary web applications to only log in once. However it is not unreasonable to want to visit another institution’s websites. The unique heart of a university is collaboration, on a academic level universities are not competitors rather collaborators. Of course, this problem was solved a while ago.

 

 

Europe, the same guys who struggle with trains, created an organization called eduGAIN. eduGAIN is known as an interfederation, which connects together country level federations. The Canadian federation is called the Canadian Access Federation, whose role is to connect together Canadian universities, research institutions, and software providers focused on education and research; then hook up to eduGAIN. With these existing connections, a university can simply join up and open up their authentication to the world, and in turn consume the authentication capabilities of others.

Shibboleth was a piece of software collaboratively created to connect up to this world-wide federation of identity providers and service providers. Now, the University of Calgary could use this service to not just connect her internal services together for our student and staff’s use, but connect up to a world-wide network of services.

And we did.

So now we have a Shibboleth identity provider. We’ve joined the Canadian Access Federation. We even have a few applications using it. However nothing is simple with 50 years of history and 35,000 users. We still have CAS, and a lot of services still using it. It is hardly single sign-on if we have two single sign-on providers.

And we don’t, we have three. We are currently using Active Directory Federated Services (AD FS) to sign our students into Office 365.

 

CAS (left) and AD FS (right). Maybe if we make them look the same, users won’t realize they had to login twice…

 

Okay so step one. Shibboleth uses CAS for single sign-on, but still leverages the federation for the actual authentication bits. This means CAS-enabled applications and Shibboleth-enabled applications can work together and its still a single sign-on during the transition. However we will have to get rid of CAS eventually, Shibboleth is a far superior and more modern authentication mechanism.

However we still have AD FS. So we need to get those two talking together. Luckily Microsoft is willing to let users log into Office 365 using Shibboleth, so that is our future path. One identity provider, one type of train track. It does feel like we just finished up a war that ripped our single sign-on capabilities apart, however once we have finished rallying around Shibboleth our authentication systems will be better than ever.

CAS will still take a while to dismantle. We have heavily customized it to smooth out the user experience in our complex directory infrastructure. However, there is a lot to look forward to in Shibboleth and Microsoft’s modern authentication which will make the transition effort worth it.

Opinions in this blog related to my employment at the University of Calgary are my own, and do not represent the interests of the University of Calgary.

 

Sean Feil