Saturday, January 08, 2005

Can You Say Shibboleth?

Many of today's online environments and communities suffer from vulnerability to exploitation by those who seek to use the Internet's intrinsic anonymity to their own selfish advantage. Marketers, spies, and other unscrupulous Internet denizens have forced their way into private communities and email inboxes, disrupting the communities that they find - and sometimes even completely killing them. Those of us who have participated heavily in online communities over the years have lots of experience dealing with the imposters, forgers, and the ever-present anonymous cowards who can disrupt meaningful discourse or reduce it to a very low common denominator. Effective online educational environments must be efficiently insulated from such cruft. Here at UW we're looking into integrating federated identity management with Croquet. By doing so, Croquet users who use their own institutional login/password could access protected resources in Croquet places that are hosted by other institutions. The idea is that educational environments will benefit from people not being able to hide behind masks.

This is where the Shibboleth Project comes in. The project was started in the late 1990s by Internet2 as a way of developing an open-source, standards-based architecture that provides trusted, inter-institutional access to Web resources. It consists of two components: an institutional Identity Provider, which authenticates users and issues trusted assertions about them, and a resource provider's Service Provider, which validates those assertions and makes access control decisions about the user. Generally speaking, when an unidentified user attempts to access a service, Shibboleth initiates a handshake between the Service Provider and the Identity Provider and lets the Identity Provider create attribute assertions about the user, so the Service Provider never needs to keep track of the IDs of all potential users of the system.

Although it can get a bit freaky (as the above diagram suggests), this form of federated identity management permits the user's home institution to vouch for a user's identity and provide a service provider with only the information necessary for a given session - an important way of protecting personal information, mitigating identity theft, meeting FERPA and HIPAA requirements, etc. Integrating this currently Web-based system with Croquet would provide lots of benefits to educational and institutional uses of Croquet. Multiple institutions (those with attribute repositories such as LDAP) could cooperate in creating restricted-access learning environments in which students and educators from those institutions could interact and learn - without the need for each institution to set up an account for every user of such spaces. A side benefit is that the Fair Use provisions of copyright law would allow copyrightable materials to be distributed in such spaces - a feature that's really important to educators (and is probably one of the main reasons that academic institutions use cumbersome Course Management Systems instead of plain old websites, blogs, and wikis).
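To make the two preceding paragraphs concrete, here is an added toy model of the Shibboleth handshake, written for this post and not taken from the Shibboleth or Croquet projects. The Identity Provider authenticates the user against a constructed directory (standing in for LDAP), applies an attribute release policy so the Service Provider receives only the attributes it is entitled to, and issues a signed, time-limited assertion bound to that one Service Provider. The Service Provider verifies the signature, audience and validity window before making its access decision, and never sees the institutional username. Entity identifiers, the directory entries, the release policy and the keys are all constructed; the HMAC signature and shared federation key are a deliberate simplification of the XML signature and IdP certificate that real SAML assertions use.

```python
import hashlib
import hmac
import json
import time

# --- Identity Provider side (the user's home institution) ------------------

IDP_ID = "https://idp.example.edu"            # constructed entity id
SP_ID = "https://croquet.example.org"         # constructed entity id of the Croquet host

# Shared federation key: stands in for the IdP signing key plus the SP's copy
# of the IdP certificate from federation metadata (simplification).
FEDERATION_KEY = b"constructed-federation-key"
# Secret known only to the IdP, used to derive per-SP pseudonymous handles.
IDP_HANDLE_SECRET = b"constructed-idp-only-secret"
_SALT = b"constructed-salt"


def _pw_hash(password: str) -> bytes:
    # Passwords live in the directory only as salted PBKDF2 hashes.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


# Constructed stand-in for the institutional attribute repository (LDAP).
DIRECTORY = {
    "jdoe": {
        "pw": _pw_hash("correct horse battery"),
        "eduPersonAffiliation": "student",
        "mail": "jdoe@example.edu",
        "displayName": "Jane Doe",
    },
}

# Attribute release policy: what each service provider is allowed to learn.
RELEASE_POLICY = {
    SP_ID: ["eduPersonAffiliation"],
}


def _canonical(payload: dict) -> bytes:
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def _sign(payload: dict) -> str:
    return hmac.new(FEDERATION_KEY, _canonical(payload), hashlib.sha256).hexdigest()


def idp_issue_assertion(username, password, sp_id, now=None):
    """Authenticate the user and return a signed assertion for sp_id, or None."""
    now = int(time.time() if now is None else now)
    entry = DIRECTORY.get(username)
    if entry is None or not hmac.compare_digest(entry["pw"], _pw_hash(password)):
        return None
    # Pairwise pseudonymous subject: the SP can recognise a returning user
    # without learning the institutional username or correlating across SPs.
    handle = hmac.new(IDP_HANDLE_SECRET, f"{sp_id}|{username}".encode(),
                      hashlib.sha256).hexdigest()[:16]
    allowed = RELEASE_POLICY.get(sp_id, [])
    payload = {
        "issuer": IDP_ID,
        "audience": sp_id,          # assertion is only valid at this SP
        "subject": handle,
        "issued_at": now,
        "expires_at": now + 300,    # five-minute validity window
        "attributes": {a: entry[a] for a in allowed if a in entry},
    }
    return {"payload": payload, "signature": _sign(payload)}


# --- Service Provider side (the institution hosting the Croquet space) -----

def sp_validate(assertion, now=None):
    """Return the payload if the assertion is genuine, addressed to us, and unexpired."""
    now = time.time() if now is None else now
    payload = assertion["payload"]
    if not hmac.compare_digest(assertion["signature"], _sign(payload)):
        return None                 # forged or tampered assertion
    if payload["issuer"] != IDP_ID or payload["audience"] != SP_ID:
        return None                 # issued by someone else, or for another SP
    if not (payload["issued_at"] <= now < payload["expires_at"]):
        return None                 # replayed outside its validity window
    return payload


def sp_access_decision(assertion, now=None):
    """Access control based solely on the released attributes."""
    payload = sp_validate(assertion, now)
    if payload is None:
        return "deny"
    if payload["attributes"].get("eduPersonAffiliation") in {"student", "faculty", "staff"}:
        return "allow"
    return "deny"


if __name__ == "__main__":
    a = idp_issue_assertion("jdoe", "correct horse battery", SP_ID)
    print(json.dumps(a["payload"], indent=2))
    print("decision:", sp_access_decision(a))
```

Note what the Service Provider ends up holding: an opaque subject handle, an affiliation, and nothing else. The mail address and display name stay at the home institution because the release policy for this SP does not list them, which is the "only the information necessary for a given session" property the post describes.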

In case you're wondering, the word shibboleth refers to a kind of linguistic password: a way of speaking (a pronunciation, or the use of a particular expression) that identifies one as a member of an 'in' group. The term derives from the biblical story in which two Semitic tribes, the Ephraimites and the Gileadites, fought a great battle. The Gileadites defeated the Ephraimites and set up a blockade to catch the fleeing Ephraimites. The sentries asked each person to say the word shibboleth (meaning 'ear of grain' or 'stream', depending on who you talk to). The Ephraimites, who had no sh sound in their language, pronounced the word with an s and were thereby unmasked as the enemy and slaughtered (and perhaps a few lisping Gileadites met their fate this way as well).

