innovative technology services
Athens Shibboleth Interoperability
Eduserv is pleased to announce the development of gateway functionality within the Eduserv Athens service to allow Shibboleth-enabled organisations to be able to access Athens protected resources, and to allow Athens users, whether centralised or devolved, to be able to access Shibboleth-enabled resources.
Athens is an authentication and authorisation system, which facilitates access to protected web resources. Eduserv has contracts with the JISC for all UK further and higher education and with the NHS Information Authority for all employees of NHS England. Athens currently has over 2000 registered organisations, over 3 million user accounts and 260 protected resources. Athens registered organisations can elect to use central Athens facilities to create and manage usernames; alternatively they can use the Devolved Authentication facilities to utilise local usernames and locally stored attributes to determine access rights to Athens-protected resources.
Athens also offers Single Sign-On capability which combined with Devolved Authentication functionality offers substantial benefits to portal-style applications such as VLEs and Content Management systems, giving one-shot authentication to the portal and seamless authenticated access outboard of the portal to Athens-protected resources.
Athens Access Management technology is offered as a managed service, with committed Service Levels of 99.99% availability for the authentication and authorisation service.
Shibboleth is an emerging web authorisation architecture using standard Security Assertion Markup Language (SAML) protocols to pass attribute information from an organisation (origin) to a resource (target). Key concepts are:
- Responsibility for authentication vested in organisation
- Attribute Authority at organisation
- Privacy protection for individuals where conditions of access allow
- Authorisation decisions made by resource provider based on user attributes
- Reference implementation software available
Shibboleth is not an authentication system, nor an authorisation system. It is a standards-based method of passing attribute information securely between the organization and the resource provider. It is currently in use by around 50 US organisations. For more information on Shibboleth see http://shibboleth.internet2.edu/
Over the course of this year, Eduserv will be working to develop Shibboleth gateway functionality within the Athens service. This will allow Shibboleth-enabled organisations to access Athens-protected resources at the same high availability service levels as offered by the full Athens service. Similarly, Athens users will be able to access Shibboleth-protected resources through the Athens infrastructure.
Comparison between Shibboleth and Athens
| Description | Athens | Shibboleth |
| Status | Live Commercial Service | Emerging Architecture |
| Purchase options | Technology or managed service | Reference software available |
| Published open standard | No | Yes |
| Access Management System | Yes | No |
| Authentication System | Yes | Out of scope |
| Account Management Facilities | Yes | No |
| Authorisation System | Yes | Yes |
| Single Sign-On | Yes | Out of scope |
| Devolved Authentication | Optional | Mandatory |
| Active Development program | Yes | Yes |
| Statistical Usage Data | Yes | No |
| Commercial Resources protected | 260 | <5 |
2 March 2004