From Rich Wenger (MIT)

Our overall aim is to implement Shibboleth SSO as widely as possible so we can return authentication where it belongs: with central computing, where credentials are managed.

Whether for personalized features of the ILS, or for access to ILLiad, or authentication to EZproxy, staff and patrons should be able to authenticate with their primary campus credentials.  It should be seamless, self-explanatory, and easy to use.

Our primary campus Shibboleth IdP accepts three different modes of authentication: X.509 certificate, Kerberos userid and password, and Kerberos tickets.  Our Collaboration Account IdP accepts registered userids and passwords or OpenID, and connections from the InCommon Federation.

We need EZproxy to redirect patrons to those IdPs as needed, regardless of who they are and where they are coming from.


Business Case

  1. Enhanced patron experience. Patrons will have one id and password that works in all environments that require authentication. Currently they must register and remember many sets of access credentials.
  2. Better security. Password systems in local applications are by definition easily subverted and insecure. Central computing has the staff and expertise to maintain a serious authentication system, Shibboleth in this case.
  3. Efficiency of staff time when we no longer need to maintain ids and passwords in our ILS and ILLiad, and do not need to validate certificates in EZproxy.
  4. Simplified technical environment. Central computing already has an infrastructure for authentication. Let them do it instead of managing systems that do it for each application.