Title of Service: Shibboleth Service
Status of Document: This document describes services offered in June 2011.
The Shibboleth Service provides middleware for the authentication of Oxford users and the release of a defined attribute set, via an Identity Provider (IdP) to trusted Shibboleth Service Providers (SP). Shibboleth facilitates federated access management where the user's home institution authenticates the user and the Service Provider decides, on the basis of attributes received from the home institution, what authorisation, if any, the user has to access a networked resource. The implementation of Shibboleth at Oxford interoperates with Web-based Single Sign On (Webauth) to enable authenticated access to trusted networked systems (whether the user is within or outwith Oxford). The Shibboleth IdP service can be used to support access to systems within Oxford where a Shibboleth Service Provider is considered more appropriate than the direct implementation of Webauth, including access to an Oxford system by remote users using their home institution's IdP. Examples of services where the end-user will encounter Shibboleth include:
- access to external digital resources licensed by Bodleian Libraries (via OxLIP+)
- access to the Oracle Student System (OSS)
- access to the CareerConnect service managed by the Careers Service
This service is owned by the Systems Development and Support Section Manager and was released for general use in July 2007.
Overview of Service
- Provision of infrastructure for web-based, federated SSO authentication of Oxford SSO account holders to registered ITSS within Oxford University.
- Registered ITSS wishing to use this service may contact email@example.com for advice on implementing the Shibboleth Service Provider (SP) modules or to register a trusted, remote Service Provider within the Shibboleth Attribute Release Policy.
This service is provided for use by registered ITSS wishing to authenticate Oxford users to internal or remote Web-based services.
2. Summary of IT Services' responsibilities
Hours of Service
2.1 The service is offered as follows:
- 9am - 5pm on weekdays: the service operates with full technical support.
- All other times: the service operates without technical support. Automated service monitoring will take place, and informal arrangements exist for staff to be notified of exceptions, however no funding is provided for contractual cover or guaranteed response.
- Exclusions: service maintenance carried out during the JANET maintenance period (7am - 9am every Tuesday).
2.2 IT Services will commence investigation of reported faults within one hour when full technical support is available (provided that no similar fault is already being handled by the same team).
2.3 It is intended, as far as is possible, to maintain service of all components at all times.
2.4 The service infrastructure employs fault tolerance to reduce the risk of component failure impacting availability of the service.
2.5 There are various methods of providing protected access to services: this is the only University shared service for federated access management.
Hardware and Software Maintenance
2.6 The machines used are maintained under warranty by the supplier.
2.7 Software updates are applied by IT Services staff – this is done with the minimum of interruption to service. Any scheduled downtime for maintenance or upgrade will be notified at least 24 hours in advance.
Administration and Support
2.8 IT Services is responsible for managing Oxford University's membership of the UK Access Management Federation, including ensuring compliance with the Federation's Rules of Membership.
2.9 IT Services maintains the Shibboleth IdP Attribute Release Policy (ARP). Currently, and in line with the UK Federation's recommendations, the Shibboleth IdP releases on request by a remote Service Provider, any of the following attributes:
- eduPersonScopedAffiliation (by default, firstname.lastname@example.org);
- eduPersonTargetedID (an opaque, pseudonymous but persistent identifier that allows for personalisation services by a service provider without that service provider requiring any personal details);
- eduPersonPrincipalName (for those Service Providers that require it, in the form email@example.com)
- eduPersonEntitlement (assertion that user satisfies additional criteria to enable authorisation by Service Provider)
Other attributes may be released on request by an authorised Oxford service owner or provider (e.g. ITSS).
2.10 Notification of faults, outages, etc is circulated on the mailing list firstname.lastname@example.org.
2.11 Technical support (operations and 2nd/3rd line user support) for the service is provided by IT Services. Service requests and fault reports relating to the service should be sent to the IT Services Help Centre.
2.12 User support (1st line) for the service is provided through a combination of local IT support (via local ITSS) and the IT Services Help Centre. Users should seek support from their local ITSS in the first instance. Local ITSS may refer a user to IT Services, or contact IT Services on behalf of a user. Users and ITSS may always contact IT Services about any aspect of the service. The initial point of contact for user support at IT Services is the Help Centre - in person, by telephone, or using our contact form.
Education and Training
2.13 Not applicable.
3. Summary of client’s responsibilities
3.1 Departments and colleges deploying a Shibboleth Service Provider interoperating with the central Shibboleth Identity Provider must comply with any applicable terms of usage, whether of IT Services or the UK Federation.
3.2 End-users are responsible for maintaining the security of their Single Sign-on password, and in particular for ensuring that authenticated sessions are not left in operation unattended or after the user has finished using them.
4. Premium services