March 2009 - PESC
The Postsecondary Electronic Standards Council<br />
www.PESC.org<br />
The Standard<br />
news and commentary on technology and standards in postsecondary education<br />
Inside<br />
Keeping Up With <strong>PESC</strong> (p. 3)<br />
• 6th Annual Conference on<br />
Technology and Standards<br />
• <strong>PESC</strong> Board of Directors Elections<br />
• 11th Annual <strong>PESC</strong> Membership<br />
Meeting<br />
• New Members<br />
• Authentication: The Status of<br />
Shibboleth by Arnie Miles<br />
Technology Tidbits (p. 3)<br />
Data Quality Campaign Release<br />
Action Guide (p. 34)<br />
Volume 8 ~ Issue 3 ~ <strong>March</strong> <strong>2009</strong><br />
Steve Biklen, David Moldoff & Clare Smith-Larson<br />
Recognized with Distinguished Service Awards<br />
Steve Biklen has served on the <strong>PESC</strong> Board of Directors since November<br />
2002; and for most of those years, as Treasurer. Mr. Biklen is the founding<br />
President of the Citibank Student Loan Corporation and served on the<br />
Advisory Committee on Student Financial Assistance for eight years (note: we<br />
inadvertently reported in a previous communication that Mr. Biklen was also<br />
chair of the Advisory Committee. He was not and we apologize for the<br />
error). Mr. Biklen, who currently sits on the Board of Directors at American<br />
Student Assistance, has decided that he will not be renominated when his current<br />
term on the Board expires this June 30. David Moldoff has served on the<br />
<strong>PESC</strong> Board of Directors since July 2003 and currently Co-Chairs <strong>PESC</strong>'s<br />
Academic Progress XML Development Workgroup. Mr. Moldoff joined the<br />
Board as Senior Vice President of Solutions Architecture and Infrastructure at<br />
SCT (now SunGard Higher Education) and currently serves on the <strong>PESC</strong><br />
Board as Founder and CEO of AcademyOne, Inc., a company he launched several<br />
years back. Clare Smith-Larson of Iowa State University is a long-time<br />
champion of <strong>PESC</strong> having been involved with <strong>PESC</strong> since its launch. Ms. Smith-<br />
Larson has also served as Chair of AACRAO's SPEEDE Committee and currently<br />
serves as Chair of <strong>PESC</strong>'s Steering Committee for the Standards Forum<br />
for Education.<br />
NASFAA Proposes New Student Loan Program Model<br />
New Loan Concept Incorporates Best Aspects of<br />
Perkins, FFEL, and Direct Loan Programs<br />
1250 Connecticut Avenue, NW<br />
Suite 200<br />
Washington, DC 20036<br />
Executive Director<br />
Michael Sessa<br />
Michael.Sessa@<strong>PESC</strong>.org<br />
Editor<br />
Heidi L. Weber<br />
hlweber@verizon.net<br />
The Standard is the electronic newsletter published monthly by<br />
The Postsecondary Electronic Standards Council (<strong>PESC</strong>). The<br />
Standard covers news and events that impact information technology<br />
and data exchange; and promotes <strong>PESC</strong>’s goals of<br />
improving service, controlling costs, and attaining interoperability<br />
within higher education. For information about subscriptions,<br />
advertising, and article submissions, please visit www.PESC.org.<br />
© 2008 <strong>PESC</strong><br />
The National Association of Student Financial Aid Administrators recently<br />
forwarded to its members, the Obama administration, and selected members<br />
of Congress a new approach to student loans that would replace the<br />
Federal Family Education Loan Program, the Direct Loan Program, and the<br />
Federal Perkins Loan Program with a program that integrates the best<br />
aspects of all three.<br />
Drawing on the expertise of thousands of student aid professionals through<br />
its National Conversation Initiative on College Access (NCI), NASFAA<br />
developed a conceptual framework for a new student loan model combining<br />
the most desirable features of today's existing loan programs.<br />
See NASFAA, Page 2
NASFAA, from Page 1<br />
This new, integrated loan program would be simpler and<br />
more equitable for students while expanding the amount<br />
of capital available to make loans through the capital<br />
markets. The proposed loan model encourages all beneficiaries<br />
of postsecondary education (i.e., borrowers,<br />
state governments, private employers, friends and families,<br />
and all Americans) to help pay down borrowers'<br />
debt levels and raise capital for a self-sustaining loan<br />
fund.<br />
NASFAA's proposed student loan model:<br />
• Provides consistent and equal terms, conditions, and<br />
benefits to all borrowers<br />
• Offers a seamless loan origination, disbursement and<br />
repayment experience for students<br />
• Ensures a predictable and continuous source of capital<br />
for student loan funding that isn't dependent on any single<br />
entity<br />
• Allows individuals, families, companies, financial institutions,<br />
and all Americans to express their support for<br />
higher education by using government-backed special<br />
purpose bonds<br />
• Reduces federal expenditures by creating a self-sustaining<br />
funding source that relies on new, safe investment<br />
vehicles<br />
• Leverages technological and business innovations in<br />
the private sector by creating a common servicing platform<br />
that relies on a centralized database of all borrowers<br />
and can be used by multiple servicing agents<br />
• Creates new incentives for businesses, individuals, and<br />
states to help students repay student loan debt<br />
• Capitalizes on the expertise and best practices developed<br />
by all entities currently participating in the existing<br />
loan programs<br />
• Is not the FFEL, Direct Loan, or Perkins Loan program,<br />
but rather an entirely new loan program created from<br />
the most positive aspects of all three<br />
"We now have a unique opportunity to dramatically<br />
redesign the program to better serve students," said<br />
NASFAA President and CEO Dr. Philip Day. "Our new<br />
model offers the groundwork for productive discussions<br />
that I expect will ultimately result in a simple, efficient,<br />
reliable, and transparent system of providing education<br />
loans to families."<br />
This preliminary student loan model is just one piece of<br />
a larger set of NCI student aid policy recommendations<br />
that NASFAA will make public shortly. The recent<br />
release of President Obama's FY 2010 budget has convinced<br />
us to release our student loan model in advance<br />
to ensure that it is considered as part of the continuing<br />
conversation and dialogue on changes to the student<br />
loan program.<br />
NCI represents the collective recommendations of<br />
thousands of financial aid professionals, input from<br />
renowned public policy experts, and careful analysis of<br />
more than 40 prominent research studies. The overall<br />
goal of the NCI campaign is to create policy recommendations<br />
that increase college access, reduce the financial<br />
burden placed on students and families, and increase the<br />
numbers of students who ultimately graduate with a college<br />
degree, especially those who have been historically<br />
underrepresented and underserved. To learn more about<br />
NCI, go to nasfaa.org/redesign/nci/ncicenter.html.<br />
Members of the media and others are welcome to contact<br />
NASFAA Vice President of Planning and<br />
Development Justin Draeger for more information about<br />
NASFAA's student loan model at (202) 785-6960 or<br />
DraegerJ@NASFAA.org.
Keeping Up With <strong>PESC</strong><br />
6th Annual Conference on Technology &<br />
Standards<br />
The final program is now posted on the <strong>PESC</strong> website.<br />
We thank NCHELP and SHEEO for partnering with<br />
<strong>PESC</strong> on the 6th Annual Conference on Technology &<br />
Standards; and we thank our generous sponsors that<br />
help make this event possible: AcademyOne, Inc,<br />
NASLA, and USA Funds.<br />
<strong>PESC</strong> Board of Directors Elections<br />
Elections for <strong>PESC</strong>'s Board of Directors will be held<br />
during <strong>PESC</strong>'s 11th Annual Membership Meeting scheduled<br />
for Tuesday April 7, <strong>2009</strong> from 5:30pm - 6:30pm<br />
EDT at the Hyatt Regency Washington on Capitol Hill<br />
(400 New Jersey Ave NW,Washington DC, 20001).<br />
Membership meetings are open to all <strong>PESC</strong> Members<br />
and Affiliates and with prior notification, other interested<br />
parties. Backgrounds and biographies of nominees<br />
are on page 4 of this edition of The Standard.<br />
11th Annual <strong>PESC</strong> Membership Meeting<br />
Please be advised that <strong>PESC</strong>'s 11th Annual Membership<br />
Meeting will take place on Tuesday April 7, <strong>2009</strong> from<br />
5:30pm - 6:30pm EDT at the Hyatt Regency<br />
Washington on Capitol Hill during the Spring <strong>2009</strong><br />
<strong>PESC</strong> Member Summit. Membership meetings are open<br />
to all <strong>PESC</strong> Members and Affiliates, and with prior notification,<br />
other interested parties. Registration for the<br />
Summit is not required in order to attend the<br />
Membership Meeting.<br />
New Members<br />
• University of California at Berkeley<br />
• Washington State University<br />
• unisolution<br />
Authentication: The Status of S h i b b o l e t h<br />
by Arnie Miles<br />
<strong>PESC</strong> has recently released a Technical Briefing on<br />
Authentication: The Status of Shibboleth. Authored by<br />
Georgetown University's Arnie Miles, this briefing provides<br />
an in-depth account of Shibboleth, its relationship<br />
to SAML, and its use with higher education. The<br />
Briefing is on page 7 of The Standard and also posted<br />
on the <strong>PESC</strong> Website.<br />
Technology Tidbits and Standards Snippets<br />
“Electronic portfolios provide a vehicle for a transition into<br />
the future of higher education,” according to a recent Academic<br />
Commons article. The authors illustrate their views through<br />
four key purposes of the ePortfolio: integrating student learning,<br />
connecting disparate parts of a student's education, improving<br />
engagement in the learning process, and serving as a tool for student assessment. To<br />
access the full article, visit http://www.academiccommons.org/commons/essay/making-common-cause-electronic-portfolios.<br />
A recent U.S. House of Representatives hearing challenged<br />
the effectiveness of PCI rules, claiming that the standard is overly<br />
complex and fails at preventing data thefts and fraud. One<br />
example was a grocery store that achieved PCI certification<br />
at the same time its network was being hacked and credit card<br />
numbers and expiration dates were being stolen. The lesson for<br />
practitioners is that a compliance assessment attests to the controls<br />
in place at the time of the assessment; it is not evidence that the<br />
network is free of an active intrusion. While no proposals<br />
have come from the hearing, it was clear that Congress<br />
will be calling for increased oversight of how credit card data<br />
is secured. http://www.computerworld.com/action/article.do?<br />
command=viewArticleBasic&articleId=9130901
Nominee Background<br />
JEFFREY ALDERSON<br />
DIRECTOR OF DATA STANDARDS<br />
CONNECTEDU, INC.<br />
Jeff serves as ConnectEDU’s primary liaison to data standards bodies such as SIFA<br />
and <strong>PESC</strong>, and is an active member of <strong>PESC</strong>’s Functional Acknowledgement,<br />
Education Record and Academic Progress workgroups. While actively guiding the<br />
development of new products and services for the p20 landscape at ConnectEDU, Jeff<br />
collaborates with other vendors of student information systems, electronic transcript<br />
exchange systems and key stakeholders in secondary and postsecondary institutions.<br />
Through his leadership, ConnectEDU became the first vendor of an electronic transcript<br />
exchange network to use the <strong>PESC</strong> High School XML Transcript standard in an<br />
operational capacity in August of 2006. Prior to joining ConnectEDU in 2004, Jeff was<br />
a security engineer in Oracle Corporation’s advanced programs group. Jeff carries<br />
professional certifications that are directly applicable to his work with <strong>PESC</strong>, including<br />
PMI Program Management, Oracle Database Administration, Microsoft Certified<br />
Systems Engineer, Microsoft Certified Database Administrator, and Cisco Certified<br />
Network Administrator. Jeff has over 10 years' experience in deploying secure,<br />
standards-based, data solutions for education and government, as well as five years'<br />
service as a commissioned officer in the U.S. Air Force. Mr. Alderson received his B.S.<br />
in Electrical and Computer Engineering from Worcester Polytechnic Institute in<br />
Massachusetts.<br />
RUSSELL BUYSE<br />
COO AND VICE PRESIDENT OF R & D, RECORD AND TRANSCRIPT SOLUTIONS<br />
NATIONAL TRANSCRIPT CENTER<br />
Russell is a software executive with over 20 years' experience. The last 4 years have<br />
been with the National Transcript Center (NTC) and ESP Solutions Group. Both<br />
companies are pioneers in the adoption of new technologies to the problems of<br />
education. NTC in particular was the first transcript solution to adopt the <strong>PESC</strong><br />
standard and has been a major proponent of <strong>PESC</strong> with all of its customers and the<br />
industry in general. NTC, now a part of Edustructures/Pearson, is a web-based<br />
software-as-a-service solution designed to improve the efficiency, reliability, cost and<br />
security of academic transcript exchange for PK-12 schools, state education agencies,<br />
colleges and universities, and co-academic organizations. Russell has managed product<br />
development and customer delivery for NTC since its founding. As COO, he has<br />
responsibility for product development and services. He leads the team responsible for all<br />
aspects of product development and services including product roadmap, quality<br />
assurance, software, and documentation. He also manages executive level<br />
relationships for all key accounts including senior representatives in Texas, California,<br />
Colorado, Virginia, West Virginia, and Wyoming. Mr. Buyse holds a bachelor’s degree in<br />
Computer Science and is a graduate of the Institute for Managerial Leadership from<br />
The University of Texas at Austin.
MANUEL DIETZ<br />
FOUNDER AND MANAGING DIRECTOR<br />
UNISOLUTION<br />
unisolution was co-founded in 2001 by Manuel Dietz at TU Darmstadt and since<br />
then specializes in the development of high quality and future-oriented software<br />
solutions and consulting services for the internationalization of higher education<br />
institutions. From headquarters in Stuttgart, Germany, Mr. Dietz serves as managing<br />
director of unisolution and also serves on the Steering Committee of the Rome Student<br />
Systems and Standards Group (RS3G), the European initiative to implement systems<br />
and standards to support the Bologna process.<br />
WILLIAM HOLLOWSKY<br />
Incumbent<br />
MANAGING DIRECTOR<br />
SUNGARD HIGHER EDUCATION<br />
Bill Hollowsky currently serves as Managing Director of SunGard Higher Education,<br />
where he has been for the past several years. Prior to SunGard Higher Education,<br />
Mr. Hollowsky served as Senior Director of Applications Development at Oracle,<br />
where he spent over eight years focused on product strategy and development. Mr.<br />
Hollowsky was previously with KPMG Peat Marwick, LLP and also worked at the<br />
University of Maryland for ten years.<br />
RUSSELL JUDD<br />
CHIEF INDUSTRY AND GOVERNMENT RELATIONS OFFICER<br />
GREAT LAKES EDUCATIONAL LOAN SERVICES, INC.<br />
REPRESENTING NASLA – THE NATIONAL ASSOCIATION OF STUDENT LOAN ADMINISTRATORS<br />
Russell Judd is Chief Industry and Government Relations Officer for Great Lakes<br />
Educational Loan Services, Inc., an affiliate of Great Lakes Higher Education<br />
Corporation (Great Lakes), headquartered in Madison, WI. Great Lakes is the 4th<br />
largest student loan guarantor and among the top 5 largest student loan servicers.<br />
Russ has been in the postsecondary student aid industry for over 20 years serving in<br />
various senior management capacities at Great Lakes, including both Information<br />
Technology and business areas. Russ’ IT experience spans 30 years with an<br />
emphasis on Application Architecture, Data Management, Software Product<br />
Development, and Quality Assurance. Russ has been very active in industry<br />
standardization and collaboration initiatives beginning with the NCHELP team that<br />
developed the initial CommonLine standards and he has been an active participant in<br />
several standards focus groups led by the Department of Education. Russ is an<br />
original member of the Meteor Advisory Team and is its current Chair for the Business<br />
Development Team. Russ has developed and delivered numerous presentations for<br />
various industry conferences and groups including NCHELP, state, regional and<br />
national financial aid administrator association conferences, Financial Aid Management<br />
Systems user groups, and the Department of Education’s Electronic Access<br />
Conferences. He has spoken on such topics as: Benefits of Standards Utilization,<br />
Emerging E-Commerce standards; Authentication Standardization; and the use of<br />
standards in open systems.<br />
DAVID MOLDOFF<br />
Incumbent<br />
FOUNDER AND CEO<br />
ACADEMYONE, INC.<br />
David K. Moldoff, Founder and CEO of AcademyOne, Inc., is a visionary in higher<br />
education responsible for AcademyOne’s overall strategy with specific emphasis on the<br />
technology infrastructure, integration of applications and services as well as exploiting<br />
his vast industry network with regards to sales, strategic partnerships, associations, etc.
Mr. Moldoff is a successful entrepreneur with over 30 years of experience in launching<br />
and managing new companies and new products in technology for higher education.<br />
Before forming AcademyOne in 2005, he was SVP of Solutions Architecture and<br />
Infrastructure for SCT, which he was instrumental in selling to SunGard in 2004. Mr.<br />
Moldoff has been an active board member with several organizations including <strong>PESC</strong>,<br />
Bommi, Inc, and the Open Enterprise Application Integration Foundation for Higher<br />
Education; and has been an active member of Educause, NACUBO, NASFAA,<br />
and AACRAO through his company affiliations, sponsoring keynote<br />
speakers, and national awards for innovation. Mr. Moldoff is a Gundaker Fellow and<br />
multiple Paul Harris Fellow, lives in West Chester, Pennsylvania with his wife and two<br />
children, and is a graduate of Drexel University.<br />
RICK SKEEL<br />
Incumbent<br />
DIRECTOR OF ACADEMIC RECORDS<br />
UNIVERSITY OF OKLAHOMA<br />
REPRESENTING AACRAO – AMERICAN ASSOCIATION OF COLLEGIATE REGISTRARS AND<br />
ADMISSIONS OFFICERS<br />
Rick Skeel is the Director of Academic Records at the University of Oklahoma. In his<br />
30+ years at that institution he has been responsible for the business design and<br />
development of most of the administrative systems used at the University. He is an<br />
active and current member of AACRAO’s SPEEDE Committee and has served on the<br />
Committee for eighteen years including as its Chair. Mr. Skeel has also served as<br />
Chair of AACRAO’s Nominating Committee and as President of SACRAO and currently<br />
serves as liaison between the SPEEDE Committee and <strong>PESC</strong> and as Co-Chair of the<br />
Course Inventory Workgroup.
Technical Brief<br />
Authentication<br />
The Status of Shibboleth<br />
Arnie Miles<br />
Georgetown University<br />
February 24, 2009
Technical Brief Authentication: The Status of Shibboleth<br />
Technical briefs are prepared for use by <strong>PESC</strong> Work<br />
Groups. They provide a historical perspective, a<br />
comparison of a proposed standard with others, an<br />
assessment of a related technology, or materials used for<br />
training. Tech Briefs are directly related to <strong>PESC</strong>’s mission<br />
and judged to be accurate and fair. As all <strong>PESC</strong> work, these<br />
are authored by volunteers.<br />
The Tech Briefs are published under the Creative<br />
Commons license. The documents can be reproduced<br />
without restriction and the information contained in them<br />
may be used by others.<br />
The opinions in these Tech Briefs are those of the author(s)<br />
and are not those of the Postsecondary Electronic Standards<br />
Council or the institutions or organizations with whom the<br />
authors are affiliated.<br />
The <strong>PESC</strong> Board appreciates the volunteer efforts of<br />
authors, editors, and others who contributed to this effort.<br />
I hope you find these useful.<br />
Michael Sessa<br />
Executive Director<br />
Arnie Miles, Georgetown University 24 February, <strong>2009</strong>
Executive Summary<br />
1 Internet2 is the foremost<br />
U.S. advanced networking<br />
consortium. Led by the<br />
research and education<br />
community since 1996,<br />
Internet2 promotes the<br />
missions of its members by<br />
providing both leading-edge<br />
network capabilities and<br />
unique partnership<br />
opportunities that together<br />
facilitate the development,<br />
deployment and use of<br />
revolutionary Internet<br />
technologies. See (Internet2,<br />
<strong>2009</strong>a).<br />
2 The Shibboleth System is<br />
a standards based, open<br />
source software package for<br />
web single sign-on across or<br />
within organizational<br />
boundaries. It allows sites to<br />
make informed authorization<br />
decisions for individual<br />
access of protected online<br />
resources in a privacy-preserving<br />
manner. See<br />
(Internet2, <strong>2009</strong>b).<br />
3 OASIS is a not-for-profit<br />
consortium that drives the<br />
development, convergence<br />
and adoption of open<br />
standards for the global<br />
information society. See<br />
(OASIS, <strong>2009</strong>a).<br />
4 Specifications defining and<br />
maintaining a standard XML-based<br />
framework for<br />
creating and exchanging<br />
security information between<br />
online partners. See<br />
(OASIS, <strong>2009</strong>b).<br />
5 Open source is a<br />
development method for<br />
software that harnesses the<br />
power of distributed peer<br />
review and transparency of<br />
process. The promise of<br />
open source is better quality,<br />
higher reliability, more<br />
flexibility, lower cost, and an<br />
end to predatory vendor<br />
lock-in. See (OSI, 2007)<br />
This paper discusses the current status of the Internet2 1<br />
project Shibboleth 2 . While the target audience is higher<br />
education, extra efforts have been made to discuss issues<br />
beyond higher education, including United States Federal<br />
government certification. Shibboleth is described, as is the<br />
Organization for the Advancement of Structured<br />
Information Standards (OASIS) 3 Standard Security<br />
Assertion Markup Language (SAML) 4 on which Shibboleth<br />
is based. Commercial projects that implement the SAML<br />
standard are touched on in a very general fashion.<br />
Steven Carmody was interviewed for this paper over a two-week<br />
period in September 2008, and his quotes are used<br />
liberally throughout. Carmody is an IT Architect at Brown<br />
University, and the Project Manager for the Shibboleth<br />
Initiative. These discussions give the reader a flavor of how<br />
the Shibboleth team views its charter. Being an open<br />
source 5 project, contributors come from all over the world,<br />
and Carmody has the responsibility for compiling their<br />
work and attempting to publish product on time. Carmody<br />
has taken great pains not to speak poorly of what some<br />
would consider his competition.<br />
Having said that, there are commercial products available<br />
that comply with the SAML 2.0 standard. Some of these<br />
products go so far as to tailor their product to comply<br />
specifically with government certification processes.<br />
However, adoption of Shibboleth is more than just the<br />
adoption of a piece of middleware. 6 Rather, adoption of<br />
Shibboleth is the adoption of the critical concept of<br />
Federation. Carmody observed:<br />
I think it’s worth differentiating the concept of<br />
Federation from Shibboleth as a specific “product”<br />
(implementation of a set of protocols that support<br />
Federation). Federation is clearly taking hold in the<br />
Higher Education space (although much more<br />
slowly in the US than in many other countries).<br />
He further observed “Shibboleth is the market leader in<br />
standards-based interoperability. Its worldwide adoption in<br />
the higher education community supports that statement.”<br />
Shibboleth was created to be standards based from the<br />
beginning, and has contributed back to the standard. The<br />
6 Common definitions are<br />
that middleware is the "glue"<br />
between software<br />
components or between<br />
software and the network or<br />
it is the slash in<br />
Client/Server. See (Defining<br />
Technology Inc., <strong>2009</strong>).<br />
7 Under the Federal<br />
E-Authentication program<br />
(eAuth), the General<br />
Services Administration now<br />
requires that the<br />
Liberty Alliance provide<br />
interoperability testing. See<br />
(General Services<br />
Administration, 2008).<br />
concept of anonymity was first introduced by Shibboleth to<br />
solve the anonymous access to library materials problem<br />
and subsequently introduced to the SAML v2 standard.<br />
This concept alone has opened doors to a vast array of new<br />
use cases, and has added new levels of scalability to the<br />
consumption of authentication assertions.<br />
Most readers need not be concerned with the Federal<br />
Government certification processes 7 , as they apply only to<br />
inter-federal government uses. They would be of more than passing<br />
interest only if they had specific bearing on the quality of the<br />
software or its compliance with real-world uses of the SAML<br />
profile, so the discussion of certifications included here is<br />
mostly to explain why potential implementers of Shibboleth<br />
should not be concerned by the lack of certification.<br />
Preface<br />
8 As used here the term<br />
anonymous<br />
authentication is<br />
"...an individual's<br />
membership<br />
in a group without<br />
revealing that<br />
individual's<br />
identity and without<br />
restricting how the<br />
membership of the group<br />
may be changed"<br />
(Schecter, 1999).<br />
The phrase is also used<br />
to mean there is no<br />
assertion<br />
of the person's identity,<br />
i.e. "public."<br />
9 From (Robertson,<br />
1996, paragraph 1).<br />
See also (Metcalfe<br />
2006).<br />
10 From (Allison, 1995,<br />
Section 15 “Costs of the<br />
Internet”).<br />
Shibboleth is an implementation of the OASIS SAML<br />
standard. It is not the only implementation, nor is it the<br />
only open source implementation. However, Shibboleth has<br />
significant market share in the higher education<br />
community, partially due to the creation, adoption and<br />
contribution back to the standard of the concept of<br />
anonymous authentication 8 as requested by higher<br />
education librarians to prevent the use of on-line journals<br />
and books to create a profile of the user’s reading.<br />
Robert Metcalfe's law states that the "value" or "power" of a<br />
network increases in proportion to the square of the number<br />
of nodes on the network. 9 Marc Andreessen stated it:<br />
A network in general behaves in such a way that the<br />
more nodes that are added to it, the whole thing gets<br />
more valuable for everyone on it because all of a<br />
sudden there's all this new stuff that wasn't there<br />
before. You saw it with the phone system. The more<br />
phones that are on the network, the more valuable it<br />
is to everyone because then you can call these<br />
people. Federal Express, in order to grow their<br />
business, would add a node in Topeka and business<br />
in New York would spike. You see it on the Internet<br />
all the time. Every new node, every new server,<br />
every new user expands the possibilities for<br />
everyone else who's already there. 10<br />
Unfortunately, this tends to discourage early adopters, and<br />
increases the resistance in the path towards reaching the<br />
point where the value is perceived to be more than the cost.<br />
Every aspect of new networking technology tends to have a<br />
massive upfront cost that must be overcome prior to<br />
widespread adoption. SAML in general and Shibboleth in<br />
particular may be approaching that critical mass where this<br />
tipping point is achieved. Historical evidence is that once<br />
this tipping point is achieved, growth is overwhelming, and<br />
Metcalfe’s law is cited as an example of the exponential<br />
growth of the Internet.<br />
Now, many are considering the implementation of<br />
Shibboleth. More accurately, many are considering the<br />
implementation of Federations, which SAML implementations<br />
make possible, and that will lead to an explosion of<br />
installations of Shibboleth and other SAML products. With<br />
the release of Shibboleth 2.0, increased functionality and<br />
improved stability are encouraging immediate adoption.<br />
Background<br />
11 From (Internet2,<br />
<strong>2009</strong>b, para. 1).<br />
12 From (Merit<br />
Network, 2008, para<br />
6).<br />
Shibboleth implements a standards-based federation model<br />
to provide authentication information about users to service<br />
providing applications for the exchange of data among<br />
institutions, and for validation of digitally signed<br />
documents. Users authenticate at their home institution and<br />
manage the release of their information, which service<br />
providers use to make access control decisions. Internet2<br />
describes Shibboleth, saying: “The Shibboleth System is a<br />
standards based, open source software package for web<br />
single sign-on across or within organizational boundaries. It<br />
allows sites to make informed authorization decisions for<br />
individual access of protected online resources in a privacypreserving<br />
manner.” 11<br />
Shibboleth was established as a separate effort to create a<br />
useful example of the SAML specification to meet a<br />
requirement of university librarians: provide anonymous<br />
authentication. Anonymous authentication was not part of<br />
the original SAML specification, but the Shibboleth team<br />
extended the SAML specification to allow for anonymous<br />
authentication, which was then added to SAML in version<br />
2. Shibboleth may be used to identify the user as affiliated<br />
with a set of attributes, e.g. a specific university or that<br />
user's role as a student, faculty, or alumni, rather than the<br />
specific identification of the individual. Thus an individual<br />
cannot be linked with use of specific journals or books.<br />
Shibboleth 2.0 enhances the ability for identity<br />
providers to use and manage "anonymous<br />
identifiers" to protect user privacy but still allow<br />
for personalization. The identity provider assigns<br />
a persistent unique identifier to a specific user<br />
which allows service providers to tailor and<br />
improve services based on the needs of that user<br />
without knowing their specific identity. For<br />
instance, a medical student searching for articles<br />
on a specific disease or treatment via an online<br />
medical journal could save his or her searches using<br />
the anonymous identifier and then build on their<br />
research over time. For the user, this is a<br />
transparent process; no knowledge of the<br />
identifier is needed. 12<br />
This functionality is applicable beyond the requirements of anonymous authorization of users who have authenticated at their Identity Providers. Because anonymous authentication is available by default, additional authorization schemes can be built around the attributes assigned to these anonymous users at their home institutions, grouping users by attribute rather than by identity. The impact is greater than what is immediately visible, or initially intended: authorization based upon user attributes allows the creation of scalable yet secure distributed applications, and potentially solves a host of challenges. One example is computational and data grids.
According to Ian Foster:

  A Grid is a system that:

  1) coordinates resources that are not subject to centralized control … (A Grid integrates and coordinates resources and users that live within different control domains—for example, the user’s desktop vs. central computing; different administrative units of the same company; or different companies; and addresses the issues of security, policy, payment, membership, and so forth that arise in these settings. Otherwise, we are dealing with a local management system.)

  2) … using standard, open, general-purpose protocols and interfaces … (A Grid is built from multi-purpose protocols and interfaces that address such fundamental issues as authentication, authorization, resource discovery, and resource access. As I discuss further below, it is important that these protocols and interfaces be standard and open. Otherwise, we are dealing with an application-specific system.)

  3) … to deliver nontrivial qualities of service. (A Grid allows its constituent resources to be used in a coordinated fashion to deliver various qualities of service, relating for example to response time, throughput, availability, and security, and/or co-allocation of multiple resource types to meet complex user demands, so that the utility of the combined system is significantly greater than that of the sum of its parts.) [13]

[13] Ian Foster, “What is the Grid? A Three Point Checklist”, published in GRIDToday, Vol. 1, No. 6 (July 20, 2002), but no longer available at On-Demand Enterprise, “formerly known as ‘GRIDToday’”. See (Foster, 2002) for a copy of his paper.
Computational and data grids require anonymous authentication to enable scalable authorization mechanisms, which has been lacking until now. This lack has largely contributed to the perceived failure of grid systems outside huge government-funded projects. One example, therefore, would be a new class of grid middleware that rids owners of services of the responsibility for maintaining awareness of user identities. Any situation where an owner of a service is more concerned with a general attribute of a user than with exactly who the user is can be an ideal candidate for a Shibboleth implementation. Other examples of previously unrecognized uses for anonymous authentication include corporate mergers and takeovers, vertical integrations of companies and academic institutions, and other places where sharing of resources is open to groups of users en masse.
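The two mechanisms described above, a persistent anonymous identifier assigned per user by the Identity Provider and authorization decided from released attributes rather than from identity, can be illustrated in a few lines. The following is an added example written for this brief; it is not code from the brief or from the Shibboleth project. The HMAC-based derivation of the pseudonym, the eduPerson attribute names used in the sample records, the SP policy format and all entity IDs and user records are assumptions constructed for the example.

```python
# Added example: pseudonymous identifiers plus attribute-based access control.
# Not code from the brief or from the Shibboleth project; the HMAC construction,
# the policy format and all sample data are assumptions made for this example.
import base64
import hashlib
import hmac

# Constructed IdP-side secret. In a real deployment this is generated once, kept
# out of the SP's reach, and never rotated casually: a new secret changes every
# pseudonym and breaks the personalization the SP has built on top of them.
IDP_SECRET = b"constructed-idp-secret-for-this-example-only"

# Constructed local directory. Only the IdP sees these records.
USER_DIRECTORY = {
    "jdoe": {
        "eduPersonScopedAffiliation": ["student@example.edu", "member@example.edu"],
        "mail": ["jdoe@example.edu"],
    },
    "asmith": {
        "eduPersonScopedAffiliation": ["faculty@example.edu", "member@example.edu"],
        "mail": ["asmith@example.edu"],
    },
}


def persistent_id(principal: str, sp_entity_id: str) -> str:
    """Derive a stable pseudonym for one (user, service provider) pair.

    The SP's entity ID is bound into the MAC, so the same user receives a
    different pseudonym at every SP and two SPs cannot correlate their users.
    Without IDP_SECRET the SP can neither invert the value nor test candidate
    usernames against it.
    """
    message = f"{sp_entity_id}!{principal}".encode("utf-8")
    digest = hmac.new(IDP_SECRET, message, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_assertion(principal: str, sp_entity_id: str) -> dict:
    """The attribute statement the IdP releases to the SP.

    Only the pseudonym and the scoped affiliations leave the IdP; the
    identifying 'mail' attribute is deliberately withheld, so the SP can
    personalize and authorize without knowing who the user is.
    """
    record = USER_DIRECTORY[principal]
    return {
        "persistent_id": persistent_id(principal, sp_entity_id),
        "eduPersonScopedAffiliation": list(record["eduPersonScopedAffiliation"]),
    }


# SP-side configuration (constructed): the scope this IdP is trusted to assert,
# and which affiliations each protected resource requires.
TRUSTED_SCOPE = "example.edu"
ACCESS_POLICY = {
    "/journals": {"student", "faculty", "staff"},
    "/grant-admin": {"faculty", "staff"},
}


def authorize(assertion: dict, resource: str) -> bool:
    """Grant or deny purely from released attributes; the pseudonym plays no part.

    A scoped value is honoured only if its scope is one the asserting IdP is
    trusted for, so an IdP cannot claim 'faculty@other.edu' on a user's behalf.
    """
    required = ACCESS_POLICY.get(resource, set())
    for value in assertion.get("eduPersonScopedAffiliation", []):
        role, _, scope = value.partition("@")
        if scope == TRUSTED_SCOPE and role in required:
            return True
    return False


if __name__ == "__main__":
    journal_sp = "https://journal.example.org/shibboleth"
    grants_sp = "https://grants.example.org/shibboleth"
    jdoe_at_journal = build_assertion("jdoe", journal_sp)
    print("pseudonym at journal SP:", jdoe_at_journal["persistent_id"])
    print("pseudonym at grants SP: ", build_assertion("jdoe", grants_sp)["persistent_id"])
    print("jdoe -> /journals:", authorize(jdoe_at_journal, "/journals"))
    print("jdoe -> /grant-admin:", authorize(jdoe_at_journal, "/grant-admin"))
```

Two properties matter here: the pseudonym is stable across sessions at one SP (so the medical student in the quotation above can save searches) but unrelated between SPs (so the journal and the grants system cannot pool what they know about the user), and the access decision never consults the pseudonym at all, which is what makes the scheme scale to users the SP has never registered.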
Current Status

Shibboleth 2.0 was released 19 March 2008. [14] This version provides “Support for SAML 2.0 and SAML 1.1.” Shibboleth implements a crucial but incomplete set of SAML profiles, as indicated by the attached table [15] prepared by Chad La Joie [16] and Scott Cantor [17]. These profiles can be found in the “Profiles for the OASIS Security Assertion Markup Language (SAML) V2.0.” [18] In section 1.1 of this document, the authors state:

  Another type of SAML profile defines a set of constraints on the use of a general SAML protocol or assertion capability for a particular environment or context of use. Profiles of this nature may constrain optionality, require the use of specific SAML functionality (for example, attributes, conditions, or bindings), and in other respects define the processing rules to be followed by profile actors. [19]

The decision about which profiles to implement is based on the requirements of the worldwide Higher Ed community, in conjunction with an evaluation of which elements are under the control of Shibboleth. Shortly after the attached table of implemented SAML profiles was released on the Internet, a posting to the Shibboleth Users mailing list observed that people were unaware that a number of the profiles listed as being in development were being worked on, and a Shibboleth roadmap was requested. An updated Shibboleth development roadmap was published on September 2, 2008. [20] This roadmap lists the functionality that will be included in Shibboleth 2.2, including additional SAML 2 functionality such as back-channel support for Single Logout (SLO). The roadmap also includes a call for use cases to further refine requirements.

[14] Chad La Joie, SWITCH, is the primary author of the announcement (La Joie, 2009b). Others were not listed, but according to La Joie, Scott Cantor also authored the text.
[15] The referenced table is from the Internet2 web site (La Joie, 2009a) and reproduced in Appendix 2.
[16] Software Engineer and Project Manager for SWITCH, Shibboleth Java Components Lead at Internet2. See (La Joie, 2007).
[17] An applications developer and security architect who specializes in web technology and distributed computing. He splits his time between The Ohio State University and the Internet2 consortium's Middleware Initiative. At Ohio State, Scott has spent a decade developing distributed and web-based applications, and solutions for authentication, authorization, and single sign-on. See (Cantor, 2009).
[18] See (OASIS, 2007).
[19] The quotation is from (Hughes, J., Cantor, S., Hodges, J., Hirsch, F., Mishra, P., Philpott, R., and Maler, E. (Eds.), 2005). All SAML 2.0 documents, including this one, are available from (OASIS, 2007).
[20] See (Cantor and Carmody, 2009).
According to Shibboleth developer Chad La Joie, interoperability testing was done at “Interop Fests” by Scott Cantor, principal author of the SAML 2.0 specification and developer of OpenSAML, testing Shibboleth 2.0 against Sun Microsystems’ Federated Access Management, Ping Identity Corporation’s PingFederate, and Oracle Corporation’s Access Manager for the profiles that Shibboleth implements. It was found that each of these products interoperated with Shibboleth and with each other.
Because of the maturity of SAML 2.1, interoperability is expected, so this is nothing new; interoperability has been improving since SAML 2.0. Carmody continued, stating “Shibboleth differentiates itself by providing the Higher Education community with functionality beyond the basic protocols, functionality that addresses the unique needs of this community.” Some of these functionalities include attribute release policies, the ArpViewer, and federation scalability, which is required by the Higher Education community’s more than 3000 members. Attribute Release Policies allow sites to easily manage the release of attributes, and of specific attribute values, to individual service providers, another requirement for simplifying the management of partner relationships and inter-federated operations. The ArpViewer gives users the ability to manage what is released about them. [21]

[21] Software to view Shibboleth attributes and Attribute Release Policies (Witzig, 2007).
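An Attribute Release Policy of the kind described in the preceding paragraph decides, on the Identity Provider side and per service provider, which attributes and which individual values leave the institution. The following evaluator is an added example, not code from the brief or from the Shibboleth project; its rule format (a default rule plus per-requester rules, with `None` meaning "all values" and a set meaning "only these values"), the attribute names and every entity ID and user record are assumptions constructed for the illustration. The `withheld_attributes` function stands in for the user-facing view an ArpViewer-style tool would give.

```python
# Added example: an IdP-side Attribute Release Policy (ARP) evaluator.
# Not code from the brief or from the Shibboleth project; the rule format and all
# sample data are assumptions made for this example.

# Constructed attribute store for one user, as the IdP sees it.
ATTRIBUTE_STORE = {
    "jdoe": {
        "eduPersonAffiliation": ["student", "member"],
        "eduPersonScopedAffiliation": ["student@example.edu", "member@example.edu"],
        "mail": ["jdoe@example.edu"],
        "displayName": ["Jane Doe"],
    },
}

# Constructed ARP. A rule applies to every requester it names; "*" is a default
# that applies to all SPs. For each attribute, None releases every value the
# user has, while a set releases only those specific values.
RELEASE_POLICY = [
    {   # Default for any SP in the federation: confirm membership, nothing more.
        "requesters": {"*"},
        "release": {"eduPersonAffiliation": {"member"}},
    },
    {   # A licensed-content SP needs the role to apply its licence terms.
        "requesters": {"https://journal.example.org/shibboleth"},
        "release": {"eduPersonScopedAffiliation": None},
    },
    {   # A partner registrar handling cross-registered students needs identity.
        "requesters": {"https://registrar.partner.edu/shibboleth"},
        "release": {
            "eduPersonScopedAffiliation": None,
            "mail": None,
            "displayName": None,
        },
    },
]


def rules_for(sp_entity_id: str) -> list:
    """Every rule that applies to this SP, in policy order."""
    return [r for r in RELEASE_POLICY
            if "*" in r["requesters"] or sp_entity_id in r["requesters"]]


def released_attributes(principal: str, sp_entity_id: str) -> dict:
    """Filter the user's attributes down to what this SP may receive.

    Release is additive across matching rules and value-level: an attribute the
    user holds is silently dropped if no rule mentions it for this SP, and a
    rule with an explicit value set drops every other value of that attribute.
    """
    record = ATTRIBUTE_STORE[principal]
    out = {}
    for rule in rules_for(sp_entity_id):
        for attr, allowed in rule["release"].items():
            values = record.get(attr, [])
            if allowed is not None:
                values = [v for v in values if v in allowed]
            if values:
                out.setdefault(attr, set()).update(values)
    return {attr: sorted(vals) for attr, vals in out.items()}


def withheld_attributes(principal: str, sp_entity_id: str) -> list:
    """What a user-facing viewer would list as NOT released to this SP."""
    released = released_attributes(principal, sp_entity_id)
    return sorted(a for a in ATTRIBUTE_STORE[principal] if a not in released)


if __name__ == "__main__":
    for sp in ("https://unknown.example.net/shibboleth",
               "https://journal.example.org/shibboleth",
               "https://registrar.partner.edu/shibboleth"):
        print(sp)
        print("  released:", released_attributes("jdoe", sp))
        print("  withheld:", withheld_attributes("jdoe", sp))
```

The default rule is the part worth copying: an SP the policy has never heard of learns only that the user is a member of the institution, which is exactly the anonymous-but-authorized position the brief describes, and every additional disclosure has to be granted to a named partner.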
The strength of Shibboleth lies in part with the concept of the Federation, where communities build trust relationships and join together. Carmody pointed out Shibboleth’s wide deployment in the global higher education arena and Shibboleth’s status as a key component of the broader Internet2 Middleware initiative. He stated: “…although the initial use cases were related to licensed library resources, it appears that a) collaboration spanning campus boundaries, and b) cross-registered students are the use cases that are really driving adoption of Federation.”
Individual states in the United States are building state-level Federations that span all academic grade levels, local and state governments, and higher education. According to Carmody, “Federations based on Shibboleth (or compatible software) now exist across all of western and middle Europe, North America, Australia, New Zealand, China, and Japan (starting up right now!). Federation is an actuality. Inter-federated operation will soon be a reality.” Additionally, United Kingdom higher education has committed to implementing Shibboleth. Established under the Joint Information Systems Committee (JISC), Shibboleth will replace Athens as the method of authenticating UK university students so that publishers can provide access to electronic books and journals.
  Today [31 July 2008] nearly 500 institutions and organizations will complete the transition to a new open standard SAML compliant access management system and the UK Access Management Federation. The federation will be providing access to approximately 8 million users across the UK.

  The Federation is operated by JANET (UK) on behalf of JISC and Becta and brings the entire UK education and research sector a step closer to achieving single sign-on to network and online resources. The Federation now has over 150 Service Provider platforms registered with over 100 educational publishers such as the BBC, Elsevier, ProQuest, Thomson Scientific, Institute of Physics and a range of smaller publishers, such as Rock's Backpages. [22]

[22] See (JISC, 2008, paras. 1 and 3).
But Shibboleth provides value beyond the Federation. To a large measure, the real strength of Shibboleth is its ability to provide a standards-compliant, open source and robust mechanism for implementing a federated model. The initial mission of SAML was to provide real identities across boundaries. Anonymous authentication was part of the initial mission of Shibboleth 1.1, and continues to be of vital importance in the library community, as well as in higher education and beyond. This anonymous authentication, enabled by the generalized use of attributes, has added scalability to authorization schemes, and was later incorporated into the SAML 2.0 specification. No longer does each individual user need to register with a service provider to obtain services; this work is done based upon the attributes the user can advertise. SAML, via Shibboleth, makes this possible. While these benefits are multiplied exponentially in the Federation, they are valid even within a single administrative domain. It will be interesting to see federations that handle huge numbers of transactions per second, but even without evidence of this level of transactional scale the power of attribute-based authorization should not be dismissed. Carmody asserts that “access control occurs at the start of a session; once a session is created, there is no further overhead.” There is no reason to assume that this is not completely correct, but the demonstration in the real world will be critical.
Defusing the United States Government Certifications Discussion

The United States Federal Government has made efforts to establish certifications for SAML compliance within its confines, including the Federal eAuthentication program (eAuth) [23] and the General Services Administration requirement that the Liberty Alliance provide interoperability testing. [24]

  Identity federation requires a common standard that can be embedded by product manufacturers. The e-authentication program started with SAML 1.0 as the identity protocol for user authentication when it first went live in 2005. Two months ago, the program upgraded to SAML 2.0 and the GSA, which had previously performed testing, turned over the testing of the standard to the Liberty Alliance Project. Liberty Alliance chose Drummond Group to provide SAML 2.0 interoperability testing. [25]

The Drummond Group is a company that provides test lab services and verifies software interoperability. [26] Federal Government certifications only apply to inter-agency uses of SAML-based projects, and therefore do not apply to higher education or commercial use. The lack of such certification is discussed here mostly to defuse concerns about the importance of certifications to the potential implementer of Shibboleth.

[23] See (General Services Administration, 2008).
[24] See (Liberty Alliance, 2009).
[25] The governmentblogger.com blog (Anonymous, 2007, para. 3). We were unable to identify the blogger “Howard,” who is considered authoritative by others.
[26] See (Drummond, 2009).
SAML defines discrete profiles, each describing a specific functionality. To date, certification efforts have required conformity with the entire set of profiles, which has prevented Shibboleth certification.
The certification that should have made the most sense for Shibboleth is federal eAuth. The eAuth mission is:

• Enable millions of safe, secure, trusted online transactions between Government and the citizens and businesses it serves.
• Reduce online identity management burden for Government agency application owners and system administrators.
• Provide citizens and businesses with a choice of credentials when accessing public-facing online Government applications. [27]

[27] From (General Services Administration, 2008, para. 2). This appears unrelated to the first paragraph, which announces the November 5, 2008 “Identity Management Services Industry Day.” Speaker slides, agenda, speaker biographies and resources are available from (General Services Administration, 2008a) and as a single consolidated file from (instructional media + magic, inc., 2008a). Additional notes are available (instructional media + magic, inc., 2008b).
However, according to Carmody:

  The vision of the Federal E-Authentication Federation offers a lot of promise to the Higher Ed community. It could greatly simplify authenticated access to federal agency websites for faculty, researchers, students, and campus administrators. Unfortunately, the current E-authn membership model will not scale to allow thousands of campuses to join the E-Authn Federation. Consequently, E-Authn and the US Higher Ed InCommon Federation opened discussions on creating a framework for inter-federated operation. Unfortunately, E-Authn reallocated their resources, and these discussions stopped before completing. As a result, US Federal agencies have begun to directly join InCommon, rather than waiting for an inter-federation framework to arise. The E-Gov session at the October 2008 Internet2 Member Meeting will showcase this process.
The US General Services Administration (GSA) reports that Shibboleth is not certified, but acknowledges that those agencies receiving waivers to use Shibboleth have demonstrated interoperability.

  As of September 26, 2007, a pre-requisite for interoperability testing, GSA requires that product vendors complete the Liberty Alliance SAML 2.0 v2.0 interoperability testing requirements. [28]

In an e-mail on September 16, 2008, Jane McInerney from the eAuth organization of the GSA wrote:

  Shibboleth 1.0 is not an approved product and Shibboleth 2.0 (SAML) has not even undergone E-Authentication Interoperability testing. Shib 1.0 is used by a couple of agency Relying Party Applications which received waivers to use the product. When the applications were deployed using Shib, those apps were proven interoperable in the Federation. [29]

[28] The GSA text is available via the federal CIO website under E-Authentication. See (General Services Administration, 2007). The Liberty Alliance press release provides additional detail about the announcement. See (Liberty Alliance, 2007).
[29] Jane McInerney describes herself on LinkedIn as “Consultant – E-Authentication Solutions at General Services Administration.” (Inerney, 2008).
Additionally, the U.S. General Services Administration now requires Liberty Alliance SAML 2.0 interoperability testing for products used in the U.S. federal government:

  “E-Authentication Solutions wants federal agencies to be able to select the software that meets their unique business requirements while also delivering assurances that it will interoperate with other applications used within the Federation,” said Myisha Frazier-McElveen, Acting Program Executive, E-Authentication Solutions. “The US GSA is requiring vendors to pass Liberty Alliance SAML 2.0 interoperability testing to help ensure identity products can interoperate from day one and provide long-term business value to US Government Agencies.” [30]

[30] See (Liberty Alliance, 2008), quoting a Gartner Inc. report (Kreizman, 2007).
The problem with all of this is that the Liberty Alliance conformance testing, performed by the Drummond Group, requires compliance with all profiles defined by SAML (see attached table). Therefore, it is impossible to get either eAuth or GSA Liberty Alliance certification unless every requirement of the SAML profiles is met. The customer base the Shibboleth team serves has given them clear direction concerning which profiles they are interested in. Higher Ed has not indicated that every profile is required.
The fall 2008 Internet2 Member Meeting has a session scheduled titled “Federation and e-Government,” with representatives of the National Institutes of Health, the National Science Foundation and Internet2. The abstract as published by Internet2 seems particularly relevant to this discussion.

  Session Abstract: The Internet2 Middleware Initiative and the InCommon Federation have been working with partners at US government agencies for quite some time. This year there have been significant breakthroughs in federated access to agency services, and prospects of more to come. This work has led to engagement with key campus sectors, in particular grants management, and a better understanding of complex agency application requirements. Representatives from government agencies and participating campuses will provide updates and discuss opportunities. [31]

[31] See (Internet2, 2008).
It could be that the certification discussion will take a whole new direction, and in the arena of higher education may become irrelevant. This subject bears attention. Carmody agrees, observing, “as US Federal agencies join the InCommon Federation, certification becomes increasingly irrelevant.” Once the certification issues are removed, Shibboleth has a clear advantage in the federal government arena, as it already has outside the federal government. Carmody points out, “because Shibboleth is standards-based from the beginning as opposed to standards compatibility being an add-on, and because of close connections to the standards process, we think that Shibboleth is the market leader in standards-based interoperability. Its worldwide adoption in the higher education community supports that statement.” Thus, interoperability and standards compatibility are more important in higher education than government certification.
Summary

Shibboleth is the most widely deployed open source implementation of any part of the SAML v2.0 specification, and one of its key developers is a co-author of the specification. The US federal government has made some decisions regarding certification that may appear to be a stumbling block to those who wish to use Shibboleth to perform the work it was created to do within the federal government, but no potential adopter outside the confines of the federal government should allow themselves to be concerned. There are reports of government agencies implementing Shibboleth despite the lack of certification and the lack of a current mechanism for waivers. According to Carmody, the higher education community appears to be unconcerned with US Federal Government certification issues, “as Federal agencies bypass E-Authn and join InCommon directly.”

The Federal Government’s efforts to enforce standardization through certification appear well intentioned. However, in the case of higher education, they may be irrelevant at best and damaging at worst, as potential implementers misunderstand the meaning of the lack of certifications. Breaking apart the certification to apply to specific SAML profiles or sub-groups of profiles may be a short-term solution, but a fundamental change in the way the federal government views the process of certification is in order. Acceptance of open source solutions within the federal agencies responsible for making certification decisions should also be encouraged.

If a consumer wants to install a web-based user Single Sign-On solution that provides anonymity while using data from any properly formed identity store, Shibboleth is an appropriate solution. Shibboleth provides a standards-compliant set of the most demanded SAML profiles. Further, if guaranteed continued interoperability and Federation membership and growth are seen as a priority, Shibboleth appears to be a logical choice.
Acknowledgements

This paper grew from a 2 page conversation to what you have before you over the course of several months. The author hopes you find it to be useful.

It would have been impossible to achieve this document without the generous support and guidance of Jim Farmer and Jon Allen, who guided the discovery of vast resources, edited mercilessly and accurately, and handled much of the detail work involved in correctly and accurately documenting what was written.

Charlie Leonhardt generously provided the time necessary to do the research and writing of this document.

Interviews were cited in the body of the paper, but special thanks go to Stephen Carmody for his extended e-mail interview.
References<br />
More information about the topics in this technical brief can be found on the internet.<br />
Below is a list of web references that coincide with the notes above. At the time of this<br />
writing, each of these links was verified to be active and accurate to their topic. However<br />
as web links are often changing and unreliable, they have been complied here rather than<br />
placed in the content of this brief.<br />
Allison, D.J. (1995, June). Oral and video Histories: Marc Andreesen. Washington DC:<br />
Smithsonian Institution. Retrieved 14 February <strong>2009</strong> from:<br />
http://americanhistory.si.edu/collections/comphist/ma1.html<br />
Anonymous “Howard” (2007, 4 December). SAML and Federated Identity Initiative<br />
Make Big Advancement. Governmentblogger.com. Retrieved 14 February <strong>2009</strong> from:<br />
http://www.governmentblogger.com/saml.htm<br />
Cantor, S. (<strong>2009</strong>). Scott Cantor senior systems developer. Boulder, Colorado: Educause<br />
Inc. Retrieved 14 February <strong>2009</strong> from:<br />
http://connect.educause.edu/eprofile/116949<br />
Cantor S. and Carmody S. (<strong>2009</strong>, 21 January). Shibboleth22Roadmap. Ann Arbor:<br />
University Corporation for Advanced Internet Development. Retrieved 14 February <strong>2009</strong><br />
from:<br />
https://spaces.internet2.edu/display/SHIB2/Shibboleth22Roadmap<br />
Defining Technology Inc. (<strong>2009</strong>). Welcome. St. Petersburg, Florida: Defining<br />
Technology Inc. Retrieved 14 February <strong>2009</strong> from:<br />
http://www.middleware.org/<br />
Drummond (<strong>2009</strong>: 19 January). Drummond Group is the trusted source for test lab<br />
services and software interoperability. Austin, Texas: Drummond Group Inc. Retrieved<br />
14 February <strong>2009</strong> from:<br />
http://www.drummondgroup.com/<br />
Farmer, J and Miles, A. (2008b, 5 November). Notes from GSA’s<br />
Identity Services Industry Day Briefings (November 5, 2008). Washington DC:<br />
Instructional media + magic inc. [im+m]. Retrieved 14 February <strong>2009</strong> from:<br />
http://www.immagic.com/eLibrary/ARCHIVES/GENERAL/IMM/I081108F.pdf<br />
Foster, I (2002, 20 July). What is the Grid? A Three Point Checklist. Chicago, Illinois:<br />
Argonne National Laboratory and University of Chicago. Retrieved 14 February from:<br />
http://www-fp.mcs.anl.gov/~foster/Articles/WhatIsTheGrid.pdf<br />
Foster I., Kesselman, C. and Tuecke, C. (2001). The anatomy of the grid: Enabling<br />
scalable virtual organizations. International J. Supercomputer Applications, 15(3) 200-<br />
222. Retrieved 14 February <strong>2009</strong> from:<br />
http://www.globus.org/alliance/publications/papers.php#anatomy<br />
Arnie Miles, Georgetown University 18 24 February, <strong>2009</strong>
Technical Brief Authentication: The Status of Shibboleth<br />
General Services Administration (2008a, 6 November). Library: Identity Services Industry Day Briefings (November 5, 2008). Washington DC: U.S. General Services Administration. Retrieved 14 February 2009 from: http://www.cio.gov/eauthentication/drilldown_ea.cfm?action=ea_library<br />
General Services Administration (2008b, 6 November). Welcome to the e-authentication solutions. Washington DC: U.S. General Services Administration. Retrieved 14 February 2009 from: http://www.cio.gov/eauthentication/<br />
General Services Administration (2007, 26 September). [untitled pdf]. Washington DC: U.S. General Services Administration. Retrieved 14 February 2009 from: http://www.cio.gov/eauthentication/documents/InteroperabilityTesting.pdf<br />
instructional media + magic, inc. [im+m] (2008a, 5 November). Identity Management Services Industry Day Briefings (November 5, 2008). Washington DC: Instructional media + magic inc. Retrieved 14 February 2009 from: http://www.immagic.com/eLibrary/ARCHIVES/GENERAL/US_GSA/G081105I.pdf<br />
Internet2 (2009a). About us. Ann Arbor: University Corporation for Advanced Internet Development. Retrieved 14 February 2009 from: http://www.internet2.edu/about/<br />
Internet2 (2009b). Shibboleth®. Ann Arbor: University Corporation for Advanced Internet Development. Retrieved 14 February 2009 from: http://shibboleth.internet2.edu/<br />
Internet2 (2008). Federation and e-Government, Fall 2008 Internet2 Member Meeting. Ann Arbor, Michigan: University Corporation for Advanced Internet Development. Retrieved 24 February 2009 from: http://events.internet2.edu/2008/fallmm/sessionDetails.cfm?session=10000170&event=911<br />
JISC (2008, 31 July). Education and research sectors prepare for access management transition. Bristol, United Kingdom: Joint Information Systems Committee. Retrieved 14 February 2009 from: http://www.jisc.ac.uk/news/stories/2008/07/accessmanagement.aspx<br />
Kreizman, G., Pescatore, J., and Wagner, R. (2007, 29 October). The U.S. Government's Adoption of SAML 2.0 Shows Wide Acceptance. Stamford, Connecticut: Gartner Inc.<br />
La Joie, C. (2007, October). Chad La Joie, senior software developer and project manager. Mountain View, California: LinkedIn Corporation. Retrieved 14 February 2009 from: http://www.linkedin.com/in/clajoie<br />
La Joie, C. (2009a, 13 January). Shibboleth 2 implemented protocols and profiles. Ann Arbor, Michigan: University Corporation for Advanced Internet Development. Retrieved 14 February 2009 from: https://spaces.internet2.edu/display/SHIB2/ShibProtocols<br />
La Joie, C. (2009b, 14 January). Shibboleth® 2 available. Ann Arbor, Michigan: University Corporation for Advanced Internet Development. Retrieved 14 February 2009 from: http://shibboleth.internet2.edu/shib-v2.0.html<br />
Liberty Alliance (2009). Documents. Piscataway, New Jersey: Liberty Alliance Project c/o IEEE-ISTO. Retrieved 14 February 2009 from: http://www.projectliberty.org/liberty/liberty_interoperable/documents<br />
Liberty Alliance (2008, 29 January). Google, NTT and the US GSA Deploy SAML 2.0 for Digital Identity Management. Piscataway, New Jersey: Liberty Alliance Project c/o IEEE-ISTO. Retrieved 14 February 2009 from: http://www.projectliberty.org/liberty/news_events/press_releases/google_ntt_and_the_us_gsa_deploy_saml_2_0_for_digital_identity_management<br />
Liberty Alliance (2007, 29 October). US GSA Requires Liberty Alliance Interoperability Testing as Public Sector SAML 2.0 Adoption Soars. Piscataway, New Jersey: Liberty Alliance Project c/o IEEE-ISTO. Retrieved 14 February 2009 from: http://www.projectliberty.org/liberty/news_events/press_releases/us_gsa_requires_liberty_alliance_interoperability_testing_as_public_sector_saml_2_0_adoption_soars<br />
McInerney, J. (2008, 16 September, 3:46 PM). E-mail: Re: Question about Shibboleth and eAuth approval. Washington, DC: eAuthentication Office, General Services Administration.<br />
Merit Network (2008, 21 April). Internet2 community releases Shibboleth version 2.0. Ann Arbor, Michigan: Merit Network Inc. Retrieved 14 February 2009 from: http://www.merit.edu/internet2/news/i2article.php?article=20080421_shib<br />
Metcalfe, B. (2006, 19 August). Metcalfe's Law Recurses Down the Long Tail of Social Networking. VCMike's Blog. Retrieved 23 February 2006 from: http://vcmike.wordpress.com/2006/08/18/metcalfe-social-networks/<br />
OASIS (2007, 16 November). Index of /security/saml/v2.0/. Coraopolis, Pennsylvania: Oasis Open. Retrieved 14 February 2009 from: http://docs.oasis-open.org/security/saml/v2.0/<br />
OASIS (2009a). Home. Coraopolis, Pennsylvania: Oasis Open. Retrieved 14 February 2009 from: http://www.oasis-open.org/home/index.php<br />
OASIS (2009b). OASIS Security Services (SAML) TC. Coraopolis, Pennsylvania: Oasis Open. Retrieved 14 February 2009 from: http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=security<br />
OSI (2007, 13 March). Home. San Francisco, California: Open Source Initiative. Retrieved 14 February 2009 from: http://www.opensource.org/<br />
Robertson, J. (1996, 30 January). Metcalf's law. Newark, New Jersey: New Jersey Institute of Technology. Retrieved 14 February 2009 from: http://www-ec.njit.edu/~robertso/infosci/metcalf.html<br />
Robertson, J. (2004, 11 October). The fundamentals of information science: an online overview. Newark, New Jersey: New Jersey Institute of Technology. Retrieved 14 February 2009 from: http://www-ec.njit.edu/~robertso/infosci/index.html<br />
Schechter, S., Parnell, T., and Hartemink, A. (1999). Anonymous Authentication of Membership in Dynamic Groups. Financial Cryptography (pp. 184-195). Berlin: Springer Deutschland GmbH (DE). Retrieved 25 February 2009 from: http://www.immagic.com/eLibrary/ARCHIVES/GENERAL/SPRING_DE/S990000S.pdf<br />
Shapiro, C. and Varian, H. (1999). Information Rules: A Strategic Guide to the Network Economy. Cambridge, Massachusetts: Harvard Business School Press.<br />
Witzig, C. (2007). ArpViewer Manual, Version 1.0.6, dated 30.9.2007. Zurich, Switzerland: SWITCH Swiss Education and Research Network. Retrieved 23 February 2009 from: http://www.switch.ch/aai/downloads/ArpViewer-1.0.6.pdf<br />
SAML 2.0 Specifications<br />
The "SAML 2.0 Specifications" consist of seven documents dated 15 March 2005 and a cumulative errata document last published 14 August 2007. These are:<br />
Cantor, S., Kemp, J., Philpott, R., and Maler, E. (Eds.) (2005, 15 March). Assertions and Protocols for the OASIS Security Assertion Markup Language (SAML) V2.0. Coraopolis, Pennsylvania: Oasis Open. Retrieved 14 February 2009 from: http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf<br />
Cantor, S., Moreh, J., Philpott, R. and Maler, E. (Eds.) (2005, 15 March). Metadata for the OASIS Security Assertion Markup Language (SAML) V2.0. Coraopolis, Pennsylvania: Oasis Open. Retrieved 14 February 2009 from: http://docs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf<br />
Hirsch, F., Philpott, R., and Maler, E. (Eds.) (2005, 15 March). Security and Privacy Considerations for the OASIS Security Assertion Markup Language (SAML) V2.0. Coraopolis, Pennsylvania: Oasis Open. Retrieved 14 February 2009 from: http://docs.oasis-open.org/security/saml/v2.0/saml-sec-consider-2.0-os.pdf<br />
Hodges, J., Philpott, R. and Maler, E. (Eds.) (2005, 15 March). Glossary for the OASIS Security Assertion Markup Language (SAML) V2.0. Coraopolis, Pennsylvania: Oasis Open. Retrieved 14 February 2009 from: http://docs.oasis-open.org/security/saml/v2.0/saml-glossary-2.0-os.pdf<br />
Hughes, J., Cantor, S., Hodges, J., Hirsch, F., Mishra, P., Philpott, R., and Maler, E. (Eds.) (2005, 15 March). Profiles for the OASIS Security Assertion Markup Language (SAML) V2.0. Coraopolis, Pennsylvania: Oasis Open. Retrieved 14 February 2009 from: http://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf<br />
Kemp, J., Cantor, S., Mishra, P., Philpott, R., and Maler, E. (Eds.) (2005, 15 March). Authentication Context for the OASIS Security Assertion Markup Language (SAML) V2.0. Coraopolis, Pennsylvania: Oasis Open. Retrieved 14 February 2009 from: http://docs.oasis-open.org/security/saml/v2.0/saml-authn-context-2.0-os.pdf<br />
Kemp, J., Cantor, S., Mishra, P., Philpott, R. and Maler, E. (Eds.) (2005, 15 March). Bindings for the OASIS Security Assertion Markup Language (SAML) V2.0. Coraopolis, Pennsylvania: Oasis Open. Retrieved 14 February 2009 from: http://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf<br />
Mishra, P., Philpott, R. and Maler, E. (Eds.) (2005, 15 March). Conformance Requirements for the OASIS Security Assertion Markup Language (SAML) V2.0. Coraopolis, Pennsylvania: Oasis Open. Retrieved 14 February 2009 from: http://docs.oasis-open.org/security/saml/v2.0/saml-conformance-2.0-os.pdf<br />
Maler, E. and Barbir, A. (2007, 14 August). SAML V2.0 Errata: Approved Errata, August 14, 2007. Coraopolis, Pennsylvania: Oasis Open. Retrieved 14 February 2009 from: http://docs.oasis-open.org/security/saml/v2.0/sstc-saml-approved-errata-2.0.pdf<br />
Appendix 1<br />
Liberty Alliance (Drummond Group)<br />
Requirements for Conformance Testing<br />
Extracted from the Conformance Requirements for the OASIS Security Assertion Markup Language (SAML) V2.0<br />
http://docs.oasis-open.org/security/saml/v2.0/<br />
The following matrix identifies unique sets of conformance requirements by means of a triple taken from Table 1 with the form: profile, message(s), binding. The message component is not always included when it is obvious from context.<br />
Feature | IdP | IdP Lite | SP | SP Lite | ECP<br />
Web SSO, HTTP redirect | MUST | MUST | MUST | MUST | N/A<br />
Web SSO, HTTP POST | MUST | MUST | MUST | MUST | N/A<br />
Web SSO, HTTP artifact | MUST | MUST | MUST | MUST | N/A<br />
Artifact Resolution, SOAP | MUST | MUST | MUST | MUST | N/A<br />
Enhanced Client/Proxy SSO, PAOS | MUST | MUST | MUST | MUST | MUST<br />
Name Identifier Management, HTTP redirect (IdP-initiated) | MUST | MUST NOT | MUST | MUST NOT | N/A<br />
Name Identifier Management, SOAP (IdP-initiated) | MUST | MUST NOT | OPTIONAL | MUST NOT | N/A<br />
Name Identifier Management, HTTP redirect (SP-initiated) | MUST | MUST NOT | MUST | MUST NOT | N/A<br />
Name Identifier Management, SOAP (SP-initiated) | MUST | MUST NOT | OPTIONAL | MUST NOT | N/A<br />
Single Logout (IdP-initiated) – HTTP redirect | MUST | MUST | MUST | MUST | N/A<br />
Single Logout (IdP-initiated) – SOAP | MUST | OPTIONAL | MUST | OPTIONAL | N/A<br />
Single Logout (SP-initiated) – HTTP redirect | MUST | MUST | MUST | MUST | N/A<br />
Single Logout (SP-initiated) – SOAP | MUST | OPTIONAL | MUST | OPTIONAL | N/A<br />
Identity Provider Discovery (cookie) | MUST | MUST | OPTIONAL | OPTIONAL | N/A<br />
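As an added example that is not part of the brief or of any OASIS or Liberty Alliance material, the following Python reads an IdP's SAML 2.0 metadata and reports where its declared endpoints violate the IdP and IdP Lite columns of the matrix above: a MUST feature missing, or a MUST NOT feature exposed. The metadata, entityID and endpoint URLs are constructed, only rows that IdP-side endpoints reveal are covered, and it assumes that a declared endpoint evidences an implemented feature.

```python
"""Check an IdP's SAML 2.0 metadata endpoints against the Appendix 1 matrix.

Added example, not part of the original brief or the SAML TC documents. Only
the matrix rows that IdP metadata endpoints reveal are covered; the HTTP POST
and HTTP artifact Web SSO rows concern <Response> delivery to the SP and are
not visible from the IdP side.
"""
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
BINDINGS = "urn:oasis:names:tc:SAML:2.0:bindings:"
REDIRECT = BINDINGS + "HTTP-Redirect"
SOAP = BINDINGS + "SOAP"

# Requirement levels copied from the Appendix 1 matrix (IdP, IdP Lite columns).
MATRIX = {
    "Web SSO, HTTP redirect": ("MUST", "MUST"),
    "Artifact Resolution, SOAP": ("MUST", "MUST"),
    "Name Identifier Management, HTTP redirect (SP-initiated)": ("MUST", "MUST NOT"),
    "Name Identifier Management, SOAP (SP-initiated)": ("MUST", "MUST NOT"),
    "Single Logout (SP-initiated), HTTP redirect": ("MUST", "MUST"),
    "Single Logout (SP-initiated), SOAP": ("MUST", "OPTIONAL"),
}
MODES = {"IdP": 0, "IdP Lite": 1}

# Metadata endpoint (element name, Binding URI) taken as evidence for each row.
# Assumption: a declared endpoint means the feature is implemented. An IdP's
# SLO and NIM endpoints receive requests sent by SPs, hence the SP-initiated rows.
EVIDENCE = {
    "Web SSO, HTTP redirect": ("SingleSignOnService", REDIRECT),
    "Artifact Resolution, SOAP": ("ArtifactResolutionService", SOAP),
    "Name Identifier Management, HTTP redirect (SP-initiated)": ("ManageNameIDService", REDIRECT),
    "Name Identifier Management, SOAP (SP-initiated)": ("ManageNameIDService", SOAP),
    "Single Logout (SP-initiated), HTTP redirect": ("SingleLogoutService", REDIRECT),
    "Single Logout (SP-initiated), SOAP": ("SingleLogoutService", SOAP),
}


def declared_features(metadata_xml: str) -> set:
    """Return the matrix rows evidenced by the IDPSSODescriptor's endpoints."""
    root = ET.fromstring(metadata_xml)
    idp = root.find(f"{{{MD}}}IDPSSODescriptor")
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    endpoints = {(child.tag.rsplit("}", 1)[-1], child.get("Binding")) for child in idp}
    return {row for row, ev in EVIDENCE.items() if ev in endpoints}


def conformance_gaps(metadata_xml: str, mode: str) -> list:
    """List matrix rows the metadata violates for the given operational mode.

    A MUST row has to be declared and a MUST NOT row has to be absent;
    OPTIONAL rows never produce a finding.
    """
    column = MODES[mode]
    declared = declared_features(metadata_xml)
    gaps = []
    for row, levels in MATRIX.items():
        level = levels[column]
        if level == "MUST" and row not in declared:
            gaps.append(f"missing required feature: {row}")
        elif level == "MUST NOT" and row in declared:
            gaps.append(f"feature forbidden in {mode} mode: {row}")
    return gaps


# Constructed sample metadata for a hypothetical IdP; idp.example.org is a placeholder.
SAMPLE_IDP_METADATA = f"""<EntityDescriptor xmlns="{MD}" entityID="https://idp.example.org/idp">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <ArtifactResolutionService Binding="{SOAP}" Location="https://idp.example.org/ar" index="0"/>
    <SingleLogoutService Binding="{REDIRECT}" Location="https://idp.example.org/slo"/>
    <SingleLogoutService Binding="{SOAP}" Location="https://idp.example.org/slo"/>
    <ManageNameIDService Binding="{REDIRECT}" Location="https://idp.example.org/nim"/>
    <SingleSignOnService Binding="{REDIRECT}" Location="https://idp.example.org/sso"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

if __name__ == "__main__":
    for mode in MODES:
        print(f"{mode}: {conformance_gaps(SAMPLE_IDP_METADATA, mode) or 'no gaps'}")
```

Run against the sample, full IdP mode flags the missing SOAP Name Identifier Management endpoint, while IdP Lite mode flags the HTTP redirect one that a Lite IdP must not expose.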
Appendix 2<br />
Shibboleth 2 Implemented Protocols and Profiles<br />
Extracted directly from the Shibboleth 2 Documentation Internet2 Wiki<br />
https://spaces.internet2.edu/display/SHIB2/ShibProtocols<br />
The following table shows whether Shibboleth implements various SSO-related protocols and protocol profiles.<br />
• A YES does not indicate that every possible option has been implemented, as some protocols and profiles have many tens or hundreds of possible options. It does indicate that, at minimum, all required options are supported.<br />
• Some protocol implementations may not be available in the base download, but are available as extensions.<br />
SAML 1<br />
Protocol/Profile | Identity Provider | C++ Service Provider<br />
Shibboleth SSO | YES | YES<br />
Attribute Query | YES | YES (1)<br />
Artifact Resolution | YES | YES<br />
SAML 2<br />
SSO | YES | YES<br />
Attribute Query | YES | YES (1)<br />
Artifact Resolution | YES | YES<br />
ECP | NO (IN DEVELOPMENT) | YES<br />
Single Logout | NO (BACK CHANNEL SUPPORT IN DEVELOPMENT) | YES<br />
Name ID management | NO | YES (2)<br />
Name ID mapping | NO | NO<br />
WS-Federation<br />
Active | NO | NO<br />
Passive (ADFS) | NO | YES (INCLUDED WITH SP, BUT NOT ENABLED)<br />
US eAuth v1 | NO | YES (VIA SAML 1.0 ARTIFACT SUPPORT)<br />
Microsoft Cardspace | NO (IN DEVELOPMENT) | NO<br />
WS-Trust 1.3 | NO | NO<br />
OpenID 1 | NO | NO<br />
OpenID 2 | NO | NO<br />
OAuth | NO | NO<br />
(1) Implemented as part of SSO profile support, not currently exposed separately.<br />
(2) Implemented only in the form of application notification hooks for IdP-initiated protocol. SP-initiated not<br />
supported.<br />
ALSO IMPLEMENTED:<br />
• Shib 1 Discovery (WAYF) Protocol by the Shib Discovery Service<br />
• SAML 2 Discovery Service Protocol by the Shib Discovery Service
Contact:<br />
Jessica Schwartz Hahn<br />
703-478-0658 (w)<br />
571-239-3260 (c)<br />
Jessica@peithocom.com<br />
Secretary Duncan, NGA Chair Rendell, Congressman Miller<br />
Urge States to Use Data Systems for Continuous Education Improvement<br />
Data Quality Campaign Releases Action Guide for<br />
State and Federal Policy Makers;<br />
Receives $4.8 Million from the Gates Foundation<br />
March 12, 2009 – Washington DC – Tuesday, U.S. Secretary of Education<br />
Arne Duncan urged states and school districts to continue their momentum<br />
towards building longitudinal data systems and developing the capacity of<br />
educators, policymakers, and other education stakeholders to understand and<br />
use this data to proactively drive continuous improvement throughout the<br />
education system.<br />
"Now that the Data Quality Campaign has put data quality on the map, we need<br />
to work together to leverage this work and push it to the next level by using data<br />
to drive reform," said Secretary Duncan Tuesday at a forum held in Washington<br />
DC convened by the Data Quality Campaign. "The Department has made an<br />
early commitment to this by providing funding in the stimulus package for data<br />
systems so we can assess what's working and what's not. The path to real<br />
reform begins with the truth - and we must keep facing the truth and finding the<br />
answers until every classroom has a great teacher, and every child has an<br />
education that prepares him for college, for work, and for life."<br />
The forum, “Leveraging the Power of Data to Improve Education,” brought<br />
together hundreds of state and federal policymakers and education leaders to<br />
discuss the integral role of data to the national education improvement agenda,<br />
the challenges to growing and using these systems, the necessary leadership of<br />
state and federal policymakers, and how the newly available stimulus funds can<br />
be used to improve student achievement and close achievement gaps. The<br />
entire forum can be viewed via webcast at<br />
http://ne.edgecastcdn.net/000172/dataqualitycampaign/031009/DQCArchive.htm<br />
MANAGING PARTNERS OF THE DATA QUALITY CAMPAIGN<br />
Achieve, Inc. • Alliance for Excellent Education • Council of Chief State School Officers • Education Commission of the States<br />
The Education Trust • National Association of State Boards of Education • National Association of System Heads<br />
National Center for Educational Achievement • National Center for Higher Education Management Systems<br />
National Governors Association Center for Best Practices • Schools Interoperability Framework Association<br />
Standard & Poor’s School Evaluation Services • State Educational Technology Directors Association<br />
State Higher Education Executive Officers
To guide state and federal policymakers in building capacity of education<br />
stakeholders to understand and use longitudinal data in effective decision<br />
making, the Data Quality Campaign released “The Next Step: Using<br />
Longitudinal Data Systems to Improve Student Success.” The guide<br />
provides ten action steps states need to take to move from collecting data for<br />
compliance to using data for improvement. These ten state actions ensure<br />
effective data use will expand the ability of state longitudinal data systems to link<br />
across the P–20 education pipeline and across state agencies; ensure that data<br />
can be accessed, analyzed and used, and communicate data to all stakeholders<br />
to promote continuous improvement; and build the capacity of all stakeholders to<br />
use longitudinal data for effective decision making. The guide, with examples of<br />
states which have implemented model efforts, is available at<br />
http://www.dataqualitycampaign.org/resources/384.<br />
The ten action steps are:<br />
1) Link state K–12 data systems with early learning, postsecondary<br />
education, workforce, social services and other critical state agency data<br />
systems.<br />
2) Create stable, sustained support for robust state longitudinal data<br />
systems.<br />
3) Develop governance structures to guide data collection, sharing and use.<br />
4) Build state data repositories (e.g., data warehouses) that integrate<br />
student, staff, financial and facility data.<br />
5) Implement systems to provide all stakeholders timely access to the<br />
information they need while protecting student privacy.<br />
6) Create progress reports with individual student data that provide<br />
information educators, parents and students can use to improve student<br />
performance.<br />
7) Create reports that include longitudinal statistics on school systems and<br />
groups of students to guide school-, district- and state-level improvement<br />
efforts.<br />
8) Develop a purposeful research agenda and collaborate with universities,<br />
researchers and intermediary groups to explore the data for useful<br />
information.<br />
9) Implement policies and promote practices, including professional<br />
development and credentialing, to ensure that educators know how to<br />
access, analyze and use data appropriately.<br />
10) Promote strategies to raise awareness of available data and ensure that<br />
all key stakeholders, including state policymakers, know how to access,<br />
analyze and use the information.<br />
Chairman of the National Governors Association, Governor Ed Rendell<br />
(PA), told the forum that state policy leaders should ensure that all state agencies<br />
work together and share vital information to inform a common goal of ensuring<br />
individual state citizens are prepared for the demands of the knowledge based<br />
competitive economy.<br />
"Longitudinal data is not just a K-12 issue; it requires gubernatorial commitment<br />
because all of our systems - from early childhood, to K-12 education, to colleges<br />
and universities, to workforce development, to employment databases - must<br />
work together to make data collection possible," Governor Rendell said. "And we<br />
need to do more to make the data useful, because even the best data collection<br />
system is worthless if it does not change what goes on in the classroom."<br />
In 2005, the Data Quality Campaign identified ten essential elements that states<br />
must include to build a highly effective longitudinal data system. At that time, no<br />
state had all ten elements in place. In 2008, six states had all ten elements, and<br />
48 had five or more elements in place. Within the next three years, 47 states<br />
plan to have eight or more elements. To learn more visit<br />
http://www.dataqualitycampaign.org/survey/elements.<br />
The recent federal economic stimulus package included $250 million for funding<br />
statewide education longitudinal data systems. The Institute of Education<br />
Sciences (IES) is developing the competitive grants process to distribute the<br />
funds to states which will be used to implement and use statewide longitudinal<br />
data systems which include education data for elementary and secondary<br />
students as well as postsecondary and workforce information. In addition, to tap<br />
into the State Fiscal Stabilization formula funds, a state must assure the USDOE<br />
that it is building its longitudinal data system across the P-20 education pipeline<br />
and linking it with workforce data.<br />
Congressman George Miller, Chairman of the Committee on Education and<br />
Labor in the U.S. House of Representatives, also voiced strong support for the<br />
new federal investment.<br />
“Congress has stepped up to make this investment a priority, and we will be<br />
watching implementation of the data systems very carefully,” said Chairman<br />
Miller. “It is our hope that states and districts will take a serious and thoughtful<br />
approach about how they can use this data to help improve student learning.”<br />
This week, The Bill & Melinda Gates Foundation granted the Data Quality<br />
Campaign $4.8 million to support continuance of its work over the next three<br />
years. The new grant will allow the DQC to continue to assist states in<br />
developing data systems based on the ten essential elements as well as<br />
encouraging states to take actions necessary to help support effective data use.<br />
The DQC will continue to survey states and provide resources and assistance<br />
around the ten essential elements as well as on the new ten state actions to<br />
ensure effective data use.<br />
"Thanks to the tireless efforts of the Data Quality Campaign, educators and<br />
policymakers have a much better understanding of the critical role effective<br />
longitudinal data systems play in improving opportunities for all students in<br />
America,” said Stefanie Sanford, Deputy Director, U.S. Program Advocacy,<br />
The Bill & Melinda Gates Foundation, who also presented at the forum. “The<br />
Bill & Melinda Gates Foundation is pleased to continue its support of the<br />
campaign with a new grant to further its efforts."<br />
Other participants in the forum included: T. Kenneth James, Chair of the Council<br />
of Chief State School Officers and Arkansas Commissioner of Education; Reggie<br />
Robinson, Chair of the State Higher Education Executive Officers and President<br />
& CEO of the Kansas Board of Regents; Eric Smith, Florida Commissioner of<br />
education; Michael Casserly, Executive Director, Council of the Great City<br />
Schools; Michael Cohen, President of Achieve, Inc.; Kati Haycock, President of<br />
The Education Trust; Dane Linn, Education Division Director of the National<br />
Governors Association Center for Best Practices; and Gene Wilhoit, Executive<br />
Director of the Council of Chief State School Officers. Jay Pfeiffer, retired Florida<br />
Deputy Commissioner of Education, received a Lifetime Achievement Award<br />
from the Data Quality Campaign for his leadership in developing Florida’s model<br />
data system which provides best practices and lessons for other states.<br />
“States have made great progress in building their longitudinal data systems, but<br />
now we need a cultural shift to build the political will and take the practical steps<br />
needed to ensure that this data is accessed, shared, and used for continuous<br />
education improvement,” said Aimee Rogstad Guidera, Director of the Data<br />
Quality Campaign. “That’s what the Campaign will focus on now - helping<br />
states identify and put in place the necessary policies and practices so that key<br />
stakeholders actually use longitudinal data to help students succeed.”<br />
The Data Quality Campaign (http://www.dataqualitycampaign.org/) (DQC) is a<br />
national, collaborative effort to encourage and support state policymakers to<br />
improve the availability and use of high-quality education data to improve student<br />
achievement. The campaign provides tools and resources that help states<br />
implement and use longitudinal data systems, while providing a national forum<br />
for reducing duplication of effort and promoting greater coordination and<br />
consensus among the organizations focused on improving data quality, access<br />
and use. The Campaign has 14 managing partners and 39 endorsing partners.<br />
The Bill & Melinda Gates Foundation is DQC's founding funder; additional<br />
support has been provided by the Casey Family Programs, the Lumina<br />
Foundation for Education and the Michael & Susan Dell Foundation.<br />
###