The JISC Access Management Team has received an enquiry from
U.Southampton, who want to Shibbolize their institutional Blackboard VLE
- so that they can extend access to users who are not registered at
Soton.
This seems to break down into two problems:
1) Implement a Shib SP (do Soton have their own SP already?) as
authentication front-end for Blackboard. We think U.Kent have done this
and may have experience to share(???); and that U.Liverpool have done so
too (http://www.liv.ac.uk/LSIP/Blackboard_shibboleth_integration.html).
Soton might want to try getting Blackboard to externalise its
authorisation too, based on group value attributes about courses a
student is on, etc - as the FLAME Project at LSE is aiming to do (but
with Moodle, and we think this is "not rocket science" but fairly
application-specific - see http://www.angel.ac.uk/FLAME/). But that's
more ambitious and requires institutional adoption of something like
Grouper as well as Shibboleth.
2) Recognise users who are not in the current Soton institutional
directory (i.e. not [log in to unmask], I guess). This they could do
either by (in what I think is order of preference):
2a) Being truly federated, and expecting that such external users *will*
each already be in the directory of some other identity-provider
organisation, such as a local FE college (and letting their SP recognise
the IdP of that organisation, either via the UK Federation or by setting
up their own small parallel federation, as we did for the ShibboLEAP
Project (http://www.angel.ac.uk/ShibboLEAP/)). This of course will be an
added incentive for those colleges to adopt FAM/Shib... ;->
2b) Soton assuming identity-management responsibility for such users,
and creating a general purpose LDAP enterprise directory, to include
*all* the people for whom Soton might have identity-management
responsibilities (these external VLE users, non-Soton library users,
etc), and using that as the backend for their Shib-IdP. This is the
route that LSE is taking (using Fedora Directory to replace MS
ActiveDirectory in this role) in parallel with the FLAME Project.
2c) Soton assuming identity-management responsibility for such users,
and adding them to the current directory they use as a backend to their
own Shib-IdP; but not giving them the [log in to unmask] ePSA
attribute-value. This will probably work unless an entry in their
directory automatically 'assumes' some other rights, because the
directory was really intended for some specific purpose (e.g. as MS
ActiveDirectory is usually a backend service for MS Exchange and MS
networking). This might be the easiest/cheapest option, if (2a) is
impossible because the non-member VLE users have no recognisable
affiliations with another potential IdP, and (2d) is unmanageable
because the number of such users is large.
2d) If the number of such external users is small(-ish), and they have
no other IdP affiliations, getting them to register with the TypeKey
Bridge (see
http://www.sdss.ac.uk/content/Documents/TypeKeyIdentityBridge) or
ProtectNetwork (http://www.protectnetwork.org/) so
TypeKey/ProtectNetwork acts as their IdP, and then allowing their
(Soton's) SP to recognise/admit the specific identities of those users.
--
I'm sure relevant staff at Soton will be interested in any other
suggestions in reply to JISC-SHIBBOLETH@JISCmail... (and can join this
list if they're not on it already)
John
--
John Paschoud
Projects Manager & Infosystems Engineer
LSE Library
London School of Economics & Political Science
10 Portugal Street
London WC2A 2HD
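
Added example, not part of the original message: a sketch of the access decision an application behind the SP would make to tell members apart from the external users of options 2a, 2c and 2d. All entityIDs, scopes and user identifiers are constructed placeholders, and it assumes the SP hands multi-valued attributes to the application as a ';'-separated string.

```python
import re

HOME_IDP = "https://idp.home.example.ac.uk/shibboleth"   # constructed entityID
HOME_SCOPE = "home.example.ac.uk"                         # constructed scope
# Option 2a: federated IdPs, each mapped to the only scope it may assert.
PARTNER_IDPS = {"https://idp.college.example.ac.uk/shibboleth": "college.example.ac.uk"}
# Option 2d: a self-registration IdP plus the specific identities admitted.
BRIDGE_IDP = "https://bridge.example.org/shibboleth"
BRIDGE_ALLOWLIST = {"alice@bridge.example.org"}
PARTNER_AFFILIATIONS = {"member", "student", "staff"}


def scoped_values(raw):
    """Parse a ';'-separated multi-valued attribute ('\\;' is a literal ';')
    into a set of (value, scope) pairs, dropping unscoped values."""
    parts = [p.replace("\\;", ";") for p in re.split(r"(?<!\\);", raw or "")]
    pairs = set()
    for part in parts:
        value, at, scope = part.strip().rpartition("@")
        if at and value and scope:
            pairs.add((value.lower(), scope.lower()))
    return pairs


def decide(idp, affiliation_raw, principal):
    """Return 'member', 'guest' or 'deny' for one authenticated session."""
    affs = scoped_values(affiliation_raw)
    if idp == HOME_IDP:
        # Option 2c: a home-directory entry without the member value is an
        # external user and only gets guest access.
        return "member" if ("member", HOME_SCOPE) in affs else "guest"
    if idp in PARTNER_IDPS:
        # Only trust affiliations in the partner's own scope, so a partner
        # cannot assert member@<home scope>.
        scope = PARTNER_IDPS[idp]
        ok = any(v in PARTNER_AFFILIATIONS and s == scope for v, s in affs)
        return "guest" if ok else "deny"
    if idp == BRIDGE_IDP:
        return "guest" if principal in BRIDGE_ALLOWLIST else "deny"
    return "deny"  # unknown IdP: default deny
```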