Thanks for the kind words Heather :-)
I did wonder whilst I was making coffe if I should go a step further?!
Here goes...
You implied "using Shibboleth with a VLE". So you have a few chioces.
If you already have set up a Shibboleth IdP, or if you sign up to use a "hosted IdP", then all you
need to do with your VLE is to make it a Service Provider to your users! Depending on your VLE,
there might be a module for you to use, or you can download the Shibboleth SP software and put a
bit of effort in to configuring it for your needs. In essence what you need to do is replace the
traditional VLE login screen with the Shib SP.
If you don't have access to an IdP, then you can assess if your VLE is suitable to perform the
functions of a Shib IdP. If so, your VLE remains the log in page but in this instance as the Shib IdP.
In this sort of configuration I would recommend configuring your VLE to be both IdP and SP (it's
the purest in me :-). Again depending on your VLE, there might already be modules for this. If not
you can still download the Shib software and put the effort into configuring both components. For
the VLE to be the IdP you'd need to extend the VLE user database to cope with the eduPerson
schema, specifically those attributes used by the Federation, and of course provide some
management web pages to populate the data (probably by the VLE administrators).
I find it easier to think of the user registration and attribute data as a seperate application from
the protected web content. In other words I keep im mind that the IdP is distinctly seperate from
the SP. Even if they are both running on the same web server!).
For a VLE, you can use the eduPersonEntitlement attribute to construct entitlement to courses/
modules inside your VLE, and eduPersonScopedAffiliation to distinguish between staff and
student.
(Warning Data Protection Act discussion on the horizon :-)
For persistance, it's recommended to use eduPersonTargetedID and have the VLE store this
against the VLE's copy of personalisation data. This way Shibboleth IdP remains separated from
the the personal data that may have been gathered by the SP. So the IdP is legally responsible for
protecting it's data, and the SP is legally responsible for it's data. In terms of the Data Protection
Act, this reduces the burden on the IdP from ensuring that the data processor is acting responsibly
and storing data securely. Without this, and where the IdP and the SP are seperate organisations,
the IdP would have to enter into contract terms to ensure data processing is appropriate and the
data is secure, as well as seeking the consent of the data subject to allow the processing by a third
party.
Remember Shibolleth does not want to send data that "could identify a person", you can choose to
ignore this, for example by populating the givenName attribute, and allowing SPs to request it's
release, but it's frowned upon. It's better for the VLE to remember the person by comparing the
eduPersonTargetedID across sessions, and allowing the user to enter personal information into
the VLE database.
I really must stop now
Regards
Paul
***************** List information: *****************
Remember - replies go by default to the entire list.
Access the list via the web on http://www.jiscmail.ac.uk/lists/vle.html
To unsubscribe, email [log in to unmask] with the message: leave vle
|