Sender: <cgplmgr@cni.org>
To: CNI-ANNOUNCE
Date: Tue, 22 Apr 2008 15:45:45 -0400
Message-ID: <redirect-42988126@cni.org>
Mime-Version: 1.0
From: Clifford Lynch <cliff@cni.org>
Subject: Release of Shibboleth Version 2
Content-Type: text/plain; charset="us-ascii" ; format="flowed"

I wanted to share this Internet2 press release announcing the release 
of Shibboleth Version 2 with the CNI community.

Clifford Lynch
Director, CNI

------------------------------

Internet2 Community Releases Shibboleth Version 2.0

New Major Release of Open Source Federated Authentication Suite Provides
Enhanced Functionality; Enables More Seamless Installation and Operation

Arlington, VA - April 21, 2008 - Internet2 today announced that it has
released Shibboleth 2.0, the latest major version of the most
widely-deployed federated authentication implementation. Developed by the
Internet2 community and its partners around the world, the latest release
greatly enhances several key elements of Shibboleth in an effort to ensure
interoperability with other commercial and open-source federated identity
solutions; to improve personalization and security; as well as to ease
installation, management and operation processes.

The goal is to provide a more robust and interoperable platform that will
help catalyze the worldwide growth of higher education and research
federations like the InCommon Federation which serves the U.S. higher
education sector and provides a framework for participating organizations to
collaborate and share resources using Shibboleth technology.

"Shibboleth aims to help our community meet the increasing demand for access
to protected online applications and resources as well as to support the
growing need for campus-based researchers to use online collaboration tools
to support work with peers at other institutions. Shibboleth 2.0 provides an
improved platform for exchanging information in a secure and
privacy-preserving manner while at the same time reducing the administrative
burdens for institutions and their service provider partners," said Ken
Klingenstein, Internet2 senior director of middleware and security. "We are
grateful for the tremendous collaboration in developing this important new
release and look forward to working with the worldwide Shibboleth community
to further roll out and refine this technology."

Shibboleth 2.0 adds an open source implementation of the OASIS SAML 2.0
standard to the suite of protocol implementations available in previous
releases. The software provides a secure, single-sign on mechanism for
institutions to enable their users to access protected online resources
within their campuses and from their external service provider partners
while at the same time protecting individual user privacy.

Shibboleth leverages an institution's login and directory systems to
authenticate users at their home institution (or "identity provider") and
then passes only the relevant information, or "attributes," to the service
provider to enable the user access to its online resources. Attributes can
include a wide range of information that characterize the user, e.g.
identity, permissions at the service provider, employee or student status at
the university, class enrollment, age, graduating class, etc. The service
provider and institution make agreements on which attributes are needed to
make that user eligible to access specific resources.

Shibboleth 2.0 enhances the ability for identity providers to use and manage
"anonymous identifiers" to protect user privacy but still allow for
personalization. The identity provider assigns a persistent unique
identifier to a specific user which allows service providers to tailor and
improve services based on the needs of that user without knowing their
specific identity. For instance, a medical student searching for articles on
a specific disease or treatment via an online medical journal could save his
or her searches using the anonymous identifier and then build on their
research over time. For the user, this is a transparent process; no
knowledge of the identifier is needed.

"Library users are frustrated with having to remember multiple passwords in
order to get their research done. The ability to use Shibboleth to access
personalized resources with a single user name and password greatly
simplifies the user's experience. Shibboleth's unique anonymous identifier
gives the user control over what additional identifiable information (if
any) they choose to provide to a vendor, and assures the user's privacy
across services," said Holly Eggleston, Assistant Department Head, UC San
Diego Library Acquisitions.

Shibboleth 2.0 also adds new security features to ensure additional
protection of user information. It includes encryption technology specified
in the SAML 2.0 standard and provides an improved method for usage logging
at the home institution to better track abuse or inappropriate use of the
system.

From an operational perspective, the new version of Shibboleth makes it
easier for IT staff both at the identity provider institution and service
provider to install, operate and manage the software. For instance, to
participate in a federation, institutions typically are required to
implement a directory schema which provides a consistent set of user
attributes among the federating organizations. Shibboleth 2.0 allows
institutions to utilize their legacy directory schema by translating the
data into the federation-specific attributes as needed in real time. In
doing so, Shibboleth 2.0 greatly decreases the resources needed to implement
the solution.

Penn State University, an early adopter of Shibboleth technology and a
participant in InCommon, has had much experience in the implementation and
operation of the technology and sees many benefits to the new version.

"Shibboleth has provided us the unprecedented ability to deliver both
improved security and privacy for our users while at the same time greatly
enhancing collaboration opportunities," said Kevin Morooney, CIO, Penn State
University. "Shibboleth 2.0 removes several implementation barriers from an
administration and management standpoint providing a more seamless path for
institutions large or small to migrate to a federated environment. Because
of this, we believe we will see even more rapid adoption of federations like
InCommon."

As organizations continue to deploy identity management solutions like
Shibboleth, the vision is to move these institutions and their service
providers into "trust federations." Federations bring together multiple
organizations with common needs into one group or association to leverage
the use of a common set of attributes, practices and policies to exchange
information about their users and resources to simplify the management of
collaborations and transactions.

The InCommon Federation which serves the U.S. higher education sector now
has close to two million users at close to 80 institutions as well as
service providers and continues to rapidly expand. In addition, there are a
growing number of state level Federations that include state and municipal
governments and the K-12 sector.

To support the continued growth of federations, Shibboleth 2.0 enables
organizations to seamlessly comply with a federation's policies and
practices without changing campus directory infrastructures, and extends
automated support for federation processes. For instance, as new service
providers or institutions are added to a federation, new "metadata" is
required to setup the technical exchange for collaboration. In the past,
adding new metadata required IT staff to develop their own methods to update
the information. Shibboleth 2.0 automatically downloads the metadata as
often as the organization specifies.

In addition, as federations continue to proliferate, it becomes increasingly
important to support multiple protocols to ensure interoperability between
federations. Using Shibboleth, federations and partners that utilize any
authentication architecture built on popular standards such as SAML 2.0 and
Active Directory Federation Services specifications will have the ability to
interoperate and interfederate with any federation or partner utilizing
those standards.

Beyond the multi-protocol support, Shibboleth offers additional features for
the higher education and research communities: management of attribute
release policies on a site, group and user basis; policy-based management of
attribute acceptance; real scalable support for large-scale federations; and
strong support for application integration.

Klingenstein added, "Shibboleth 2.0 will play a critical role in helping to
realize the vision of creating interconnected trust communities for seamless
and secure access to information and services. Over the last year,
Shibboleth has moved from being an open source project to a community source
project; increasingly, the community is supporting itself and participating
in the software development process."

Internet2 and its partners announced the release of Shibboleth 2.0 at the
annual Internet2 Spring Member Meeting held in Arlington, VA from April
21-23, 2008. Meeting sessions on middleware technology like Shibboleth and
InCommon, include: http://www.internet2.edu/middleware/2008SMM-MW.html

For more information on Shibboleth, visit:  http://Shibboleth.internet2.edu
For more information on InCommon, visit: http://www.incommonfederation.org/

About Internet2(R)
Internet2 is the foremost U.S. advanced networking consortium. Led by the
research and education community since 1996, Internet2 promotes the missions
of its members by providing both leading-edge network capabilities and
unique partnership opportunities that together facilitate the development,
deployment and use of revolutionary Internet technologies. Internet2 brings
the U.S. research and academic community together with technology leaders
from industry, government and the international community to undertake
collaborative efforts that have a fundamental impact on tomorrow's Internet.
For more information: http://www.internet2.edu

###