Shibboleth Integration with eAcademy

Background

Microsoft is partnering with e-academy to enable Microsoft Work at Home licensees to download licensed software electronically.

To verify the licensee's identity and eligibility, there is a proposal to do so via Shibboleth.

e-academy is already a member of InCommon. It has also completed similar integrations with member schools in several federations.

Status

August 12, 2010

The UC Trust subgroup met with eAcademy via conference call to discuss options for asserting an individual's eligibility to download MS software under MCCA. Two options were discussed; eAcademy can support either.

Option 1 - Shibboleth Attribute Assertion

Description

Campus IDP aggregates local MCCA eligibility data and transforms it into eduPersonEntitlement values.

Pro

  • There is no separate data feed out of the campus. One less process to maintain.
  • The technique better aligns with Shibboleth practice and scales better in the long run.

Con

  • Depending on the IDP's readiness to assert entitlement values, this can trigger substantial work on the IDP side.

Option 2 - Back Channel Data Feed

Description

Campus prepares a back channel data feed, either via the IDM office or the Software Licensing office, and delivers it to eAcademy. eAcademy resolves the individual's eligibility using the supplied feed and the user identifier (most likely ePPN) coming through Shibboleth.

Pro

  • A back channel feed may be easier to implement for the IDP, especially if the Software License office already tracks individual eligibility in a central database.

Con

  • The technique is another one-off data feed. It doesn't scale well longer term.
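The following is an added example of what Option 1 looks like on the IDP side; it is not configuration from this page, from UC, or from eAcademy. It is a Shibboleth IdP 2.x attribute-resolver.xml fragment that assumes the campus LDAP directory already carries a per-person MCCA eligibility flag in a hypothetical attribute named mccaWorkAtHomeEligible (values TRUE or FALSE), and it uses a placeholder entitlement URN; the real value would be agreed with eAcademy. The LDAP hostname, base DN and bind credentials are placeholders as well.

```xml
<!-- Added example (not from the page, UC, or eAcademy): Shibboleth IdP 2.x
     attribute-resolver.xml fragment implementing Option 1. The IDP turns a
     local eligibility flag into an eduPersonEntitlement value, so no data
     ever leaves the campus except the assertion itself. -->
<resolver:AttributeResolver
    xmlns:resolver="urn:mace:shibboleth:2.0:resolver"
    xmlns:ad="urn:mace:shibboleth:2.0:resolver:ad"
    xmlns:dc="urn:mace:shibboleth:2.0:resolver:dc"
    xmlns:enc="urn:mace:shibboleth:2.0:attribute:encoder"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

    <!-- Data connector: looks up the authenticated principal in campus LDAP.
         Hostname, base DN and bind credentials are placeholders. -->
    <resolver:DataConnector id="campusLDAP" xsi:type="dc:LDAPDirectory"
        ldapURL="ldaps://ldap.example.edu"
        baseDN="ou=people,dc=example,dc=edu"
        principal="cn=idp,ou=service,dc=example,dc=edu"
        principalCredential="PLACEHOLDER_PASSWORD">
        <dc:FilterTemplate>
            <![CDATA[ (uid=$requestContext.principalName) ]]>
        </dc:FilterTemplate>
        <!-- mccaWorkAtHomeEligible is a hypothetical local attribute -->
        <dc:ReturnAttributes>uid eduPersonAffiliation mccaWorkAtHomeEligible</dc:ReturnAttributes>
    </resolver:DataConnector>

    <!-- eduPersonAffiliation passed through unchanged; the Work at Home
         program is employee-only, so the IDP must be able to assert
         "employee" (the filter policy decides which values are released). -->
    <resolver:AttributeDefinition id="eduPersonAffiliation" xsi:type="ad:Simple"
        sourceAttributeID="eduPersonAffiliation">
        <resolver:Dependency ref="campusLDAP" />
        <resolver:AttributeEncoder xsi:type="enc:SAML2String"
            name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" friendlyName="eduPersonAffiliation" />
    </resolver:AttributeDefinition>

    <!-- Option 1: map the local eligibility flag to an entitlement value.
         Only TRUE maps to the URN; FALSE or a missing flag produces no
         entitlement, and because there is no ad:DefaultValue the raw flag
         itself is never leaked into the assertion. -->
    <resolver:AttributeDefinition id="eduPersonEntitlement" xsi:type="ad:Mapped"
        sourceAttributeID="mccaWorkAtHomeEligible">
        <resolver:Dependency ref="campusLDAP" />
        <resolver:AttributeEncoder xsi:type="enc:SAML2String"
            name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" friendlyName="eduPersonEntitlement" />
        <ad:ValueMap>
            <!-- placeholder URN; the real value would be agreed with eAcademy -->
            <ad:ReturnValue>urn:mace:example.edu:entitlement:mcca-work-at-home</ad:ReturnValue>
            <ad:SourceValue>TRUE</ad:SourceValue>
        </ad:ValueMap>
    </resolver:AttributeDefinition>

</resolver:AttributeResolver>
```

The "substantial work on the IDP side" noted under Con is the part this fragment does not show: getting the per-person flag into the directory in the first place, which means aggregating department opt-in records with HR employee status. Once that flag exists, the resolver change itself is small.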

There were a few additional details:

Action Items:

History

June 2010

Tom Trappler reports that based on his conversation with Microsoft, the campuses do need to assert individuals' eligibility. The individual cannot self-identify.

May 14, 2010

A subgroup of UC Trust members has expressed interest in moving ahead with the integration. UCLA recently met with eAcademy. Albert updated the UC Trust subgroup via email:

------

Hello everyone:

I have updates from Tom Trappler and eAcademy. We had a prelim call with eAcademy sales to coordinate the bigger call. Instead, they brought their engineers. So we took the opportunity to find out some details:

It appears that eAcademy is already a member of several federations, including InCommon. It has completed several Shibboleth integrations with universities around the world. They seem very familiar with the process. That'll make the technical integration easy.

UC's Microsoft license is unique in that it allows departments to opt in/out of the Work at Home program. This means that in theory, we need to somehow determine who is and is not eligible to download software within a campus.

eAcademy states that Microsoft is willing to allow the end user to self-verify eligibility. eAcademy can host a page asking the user to certify that he/she is eligible to download the software per the license terms. This shifts the license compliance responsibilities to the end user. Tom is verifying with our Microsoft rep to make sure that Microsoft is in fact OK with this. If so, this makes integration easy.

So there are two integration scenarios on the table:

1. If all parties agree that the end user can assume legal responsibility for downloading from eAcademy, then the IDP only needs to send a unique identifier (likely targetedID) and eduPersonAffiliation (the program applies to employees only, so the IDP needs to be able to assert "employee"). eAcademy would present the user with the agreement page prior to him/her downloading.

2. If we somehow have to assert eligibility, then we are looking at using the eduPersonEntitlement attribute. This means that each campus will have to somehow figure out a way to capture and assert the proper values. According to Tom's description of how this license data is tracked, this may be challenging.

For now, we are waiting to hear from Tom and Microsoft. I suggest that we schedule a follow up call with everyone once we know Microsoft's position.

In the meantime, if we have to go with option 2, how would that impact your campus in terms of implementation?

albert
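The two scenarios in the email above, and the two options in the August notes, differ mainly in which attributes the campus IDP releases to eAcademy. The following is an added example, not configuration from this page, from UC, or from eAcademy: a Shibboleth IdP 2.x attribute-filter.xml policy that scopes release to eAcademy's SP alone. The SP entityID (https://sp.eacademy.example/shibboleth) and the entitlement URN are placeholders; a campus would keep only the rules for the scenario actually chosen.

```xml
<!-- Added example (not from the page, UC, or eAcademy): Shibboleth IdP 2.x
     attribute-filter.xml policy for the eAcademy SP. Scenario 1 of the email
     needs only targetedID plus eduPersonAffiliation; scenario 2 (Option 1 of
     the August notes) adds eduPersonEntitlement; the back channel feed
     (Option 2) needs eduPersonPrincipalName instead of the entitlement. -->
<afp:AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
    xmlns="urn:mace:shibboleth:2.0:afp"
    xmlns:afp="urn:mace:shibboleth:2.0:afp"
    xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

    <afp:AttributeFilterPolicy id="releaseToEacademy">
        <!-- Applies only when the requester is eAcademy's SP (placeholder entityID);
             nothing below is released to any other relying party. -->
        <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
            value="https://sp.eacademy.example/shibboleth" />

        <!-- Scenario 1: opaque, per-SP identifier plus affiliation. -->
        <afp:AttributeRule attributeID="eduPersonTargetedID">
            <afp:PermitValueRule xsi:type="basic:ANY" />
        </afp:AttributeRule>
        <!-- Release only the "employee" value; student, alum and other
             affiliations stay on campus because the program is employee-only. -->
        <afp:AttributeRule attributeID="eduPersonAffiliation">
            <afp:PermitValueRule xsi:type="basic:AttributeValueString" value="employee" />
        </afp:AttributeRule>

        <!-- Scenario 2 / Option 1: release the MCCA entitlement value only,
             never the user's whole entitlement set (placeholder URN). -->
        <afp:AttributeRule attributeID="eduPersonEntitlement">
            <afp:PermitValueRule xsi:type="basic:AttributeValueString"
                value="urn:mace:example.edu:entitlement:mcca-work-at-home" />
        </afp:AttributeRule>

        <!-- Option 2 (back channel feed): eAcademy joins the feed on ePPN,
             so ePPN must be released in place of the entitlement. -->
        <afp:AttributeRule attributeID="eduPersonPrincipalName">
            <afp:PermitValueRule xsi:type="basic:ANY" />
        </afp:AttributeRule>
    </afp:AttributeFilterPolicy>

</afp:AttributeFilterPolicyGroup>
```

One design point worth keeping in mind when comparing the two: with targetedID or an entitlement, the decision is made at login time from current campus data, whereas a feed keyed on ePPN is only as fresh as its last delivery, so a campus choosing Option 2 also needs a removal path for people who lose eligibility or leave between feeds.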