Shibboleth @ Penn State
Steve Kellogg
Penn State University
4/20/2004
Penn State
• 24 Campuses
• 100,000+ Users
• Large scale integrated infrastructure
  – “Penn State Access Account”
Auth Domain
• K4/AFS/PH; circa ’92
• DCE/DFS; circa ’95
• K5/LDAP; circa ’03 (Need a filesystem)
Why was Shibboleth Interesting?
• True Collaborative effort
• Open Source/Open Standards
• Solves today’s problems
• Leverages existing infrastructure
• Authentication agnostic
• Privacy (FERPA)
Shib at Penn State
• A clear need
  – Physics Dept. use of WebAssign at NCSU
  – Dept. account administration
• Fine for hundreds
• Realized the pain of thousands
• Proposal to set up server at NCSU to use our KDCs (Denied!)
Pilot w/ WebAssign
• Summer of 2002
  – ~20 Students, 2 weeks, 1 course
• Fall 2002
  – ~200 Students
  – 3 Courses
• Spring 2003
  – ~1800 Students
  – 63,026 successful authentications
  – Limited Production
More Shib @ Penn State
• A decision by the university came down Fall 2003
  – Provide Napster to on-campus students by 1/12/2004
• Immediate Thoughts
  – Preserve I1 bandwidth
  – Use Access Accounts
  – Time
    • to invent, develop, test, deploy
Napster
• Quickly formed two teams
  – Caching Server team
    • Multimedia Delivery System, MDS
  – Registration System team
• Clear need to authenticate locally and act globally
  – Shibboleth
Napster
• Concern: Shib is heavyweight, and high demand was anticipated on opening day
• Developed a test suite (Perl)
  – Simulated transaction flow
  – In-house test target
  – Then live Napster target
• Varied number of concurrent sessions and sleep duration between sessions
Napster performance testing
• Concluded w/ Napster that >8 sec would be too long
• Studies indicated 25 concurrent sessions max per origin server
• Many thousands of on-campus students
• 5 Intel blades, load balanced via Cisco 6509 w/SLB feature
Shib – Next Steps
• Expand Napster service to rest of the population
• InCommon for new deployments
• LionShare
• Additional corporate and other expressed interest
Summary
• Shibboleth was an obvious solution for both WebAssign and Napster
• Current implementation is pretty heavyweight
• Transaction times can be long, but was able to manage via load balancing origin site
• Look forward to more efficient implementation