ISIS to Shibboleth Migration - Frequently Asked Questions
Here are questions you might ask when migrating your ISIS application to Shibboleth. If you have additional questions, please contact us.
- Why is UCLA Migrating to Shibboleth?
- When do I have to migrate?
- What is Shibboleth? What can it do for me?
- How do ISIS and Shibboleth differ relative to my application?
- Will I get more user data if I move to Shibboleth?
- What is the system requirement for Shibboleth?
- I have multiple applications. If I only migrate some of them now, will the users continue to have single sign-on?
- Will I still be able to customize my login page?
- How will the login experience differ for my user when I migrate to Shibboleth?
- I am ready to start. What's next?
Q. Why is UCLA Migrating to Shibboleth?
When ISIS rolled out in 1996, Web Single Sign-on was rare. UCLA was an early pioneer in this area. As Web single sign-on technology matured, and standards started to emerge over the past 10 years, it became obvious that it would be to UCLA's benefit to migrate to a standards-based single sign-on service.
Since its introduction in 2003, Shibboleth has become the web single sign-on platform of choice for higher education institutions throughout the world. Shibboleth not only enables single sign-on within a campus, it enables a user to potentially have single sign-on across a wide range of research and learning resources among universities, government agencies, and commercial vendors.
On the technical side, Shibboleth provides a number of significant improvements over ISIS. With Shibboleth, we have a vastly better attribute release control mechanism, which allows us to release many more attributes to the applications that should have access while preventing other applications from seeing those same attributes. Shibboleth also includes Service Provider modules for installation on the application servers. These modules handle all the communication between the application and the Shibboleth Identity Provider, thus eliminating the bulk of the complicated programming involved in integrating an application with the campus single sign-on environment.
Finally, because Shibboleth is an open source project maintained by the higher education community, we are able to shift our resources to helping the applications integrate instead of writing server code.
Q. When do I have to migrate?
The official migration period starts in January 2008 and runs through 2009. Obviously, the earlier you can migrate your application, the better. We do understand, though, that you may need time to assess the impact of migration within your application and to schedule it into your application life cycle. For additional details, see the migration roadmap.
Q. What is Shibboleth? What can it do for me?
Shibboleth is a federated single sign-on system based on SAML. It is developed by Internet2.
Shibboleth has become the system of choice for higher education institutions all over the world to perform single sign-on and to provide federated sign-on across organizations.
Shibboleth offers two key advantages for UCLA applications. First, Shibboleth has a much more granular attribute management mechanism. This enables us to finely control releasable attributes by application, which lets us release a much richer set of user information to applications that have a legitimate need to know, while protecting user privacy against applications that should not see those data. Second, Shibboleth includes Service Provider modules to be installed on application servers. The Service Provider modules handle all communications between the application and the Shibboleth Identity Provider. Campus developers no longer have to write complicated code in order to integrate with the campus single sign-on.
Q. How do ISIS and Shibboleth differ relative to my application?
From a UCLA application's perspective, the key differences between ISIS and Shibboleth are:
- Shibboleth provides service provider modules to be installed on application servers. These modules handle all the communication between an application and the Shibboleth Identity Provider. There is no more need to write complicated web service client code in order to integrate with the campus single sign-on service.
- The Shibboleth service provider module is directly integrated with Apache and IIS. You can use the module to protect static content without any programming.
- Shibboleth enables your application to plug into the world of federated access, allowing users from other universities to log in to your application (with your permission, of course) using their local campus logon ID!
- Shibboleth provides a rich attribute release management mechanism. This mechanism allows us to finely control attribute release per user, per application, per attribute. This ability enables us to offer many more attributes to qualifying applications while protecting user privacy from applications that shouldn't see the same user data.
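The following Apache configuration fragment is an added illustration of the second point above; it is not from the original page, from UCLA, or from the Shibboleth project. It assumes a Shibboleth Service Provider 2.x module on Apache httpd 2.2; the module path and the directory paths are placeholders chosen for this example.

```apache
# Added example (not from the original page or the Shibboleth project).
# Assumes Shibboleth SP 2.x on Apache httpd 2.2; the module path and the
# directory paths below are placeholders for this illustration.

LoadModule mod_shib /usr/lib64/shibboleth/mod_shib_22.so

# The SP's own handler endpoint. The module answers requests here itself
# (login, logout, metadata), and the Identity Provider returns the user's
# assertion to this location; no application code is involved.
<Location /Shibboleth.sso>
    SetHandler shib
</Location>

# Hard protection of static content: a user must hold a Shibboleth session
# (i.e. have logged in at the Identity Provider) before any file under this
# directory is served. Unauthenticated requests are redirected to the IdP.
<Directory /var/www/html/secure>
    AuthType shibboleth
    ShibRequestSetting requireSession 1
    Require valid-user
</Directory>

# Lazy session: the content stays public, but when a session already exists
# the module exposes the released attributes (and REMOTE_USER) to scripts
# in this directory as server variables, so an application can personalise
# pages without forcing a login.
<Directory /var/www/html/app>
    AuthType shibboleth
    ShibRequestSetting requireSession 0
    Require shibboleth
</Directory>
```

After a restart of httpd, a request for a file under the protected directory is redirected to the Identity Provider, and only the attributes the campus has approved for release to this service provider appear as server variables for the application to read; which variable names those are is governed by the SP's attribute map, not by this fragment.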
Q. Will I get more user data if I move to Shibboleth?
Over time, you'll begin to see a much richer set of user attributes coming through Shibboleth as we deploy additional IAMUCLA services.
With the introduction of Shibboleth, we are also moving to strictly enforce university policies regarding data release. This means that we will require data steward approval before we release any protected attribute to an application. We are working to streamline the release approval process, and we very much welcome your input.
Q. I have multiple applications. If I only migrate some of them now, will the users continue to have single sign-on?
Yes. We have implemented an ISIS/Shibboleth Interoperability service on our side. A user logging in using his/her UCLA Logon ID will have single sign-on between an existing ISIS application and a Shibboleth service provider.
Q. What is the system requirement for Shibboleth?
Internet2 provides Shibboleth Service Provider modules for Apache and IIS. As long as you are running one of those web servers, you are fine. If you are not (for example, if you have a Java servlet application serving content directly from a Java application server), please contact us for further details.
Q. Will I still be able to customize my login page?
Yes. You will have the same login page customization options.
Q. How will the login experience differ for my user when I migrate to Shibboleth?
If you haven't already done so, log in to this site. This site is a Shibboleth-enabled application. You'll probably notice very little change.
Note: This site is set up to function in federated mode. When you log in, you'll see the InCommon Where-Are-You-From (WAYF) page prompting you to select a university before being directed to the UCLA login page. If you set up your application to function in bilateral mode, you'll skip that WAYF page.
Q. I am ready to start. What's next?
We have prepared a Pre-migration Self Assessment Guide to help you work through the issues you should consider. We recommend starting there.