Pilot Summary – OARnet (Ohio) 

September 2015

Pilot Description

Pilot target constituents:   23 Public community colleges in the state of Ohio

Pilot Scope:   Initial scope will be 3-5 community colleges and 3 applications.

Initial Pilot Goals:   The Goals of the OARnet pilot are to enhance the classroom and online teaching in Ohio Community Colleges by increasing adoption of federated access to three key services: Library Access, State Dept of Higher Education Student Services, and Roaming Wireless Network Access.

Targeted start and end dates for initial pilot: 7/2013-7/2015 (extended a year past initial plans)

Post-pilot longer term goals:   Community and technical colleges are a bridge between K12 education and 4-year universities; the long-term goal of the pilot is to extend the benefits of federation down to K12 in order to provide a seamless transition process to higher education.

Federation model selected for project: Hybrid. Some IdPs will be individually operated in a distributed mesh as part of the federation and will also be members of InCommon; there will also be a central “IdP of last resort” for institutions not operating their own or institutions that are not members of InCommon.

InCommon Affiliate assistance/role in pilot:    The initial plan was for Fischer International Identity to provide IdP services to constituents who need assistance with IdP setup/operations.

Targeted applications or cloud services:

1.    Library Access: Federated web-based access to the OhioLINK library network via SAML

2.    State Department of Higher Education applications: Federated authentication to reporting, education, and research services within the State of Ohio Dept of Higher Ed.

3.    Shared roaming wireless: Federated, authenticated access to wireless networks across all participating Ohio institutions using the Eduroam model

 

Outcomes 

·         Challenges encountered and how they were addressed

  • Installation and operation of an IdP was more challenging than expected for smaller institutions due to expertise, time, priority, and budget constraints (in that order)
  • There was extremely low adoption of services from InCommon Affiliates, including Fischer.

·         What did you spend or expect to spend?

  • OARnet hired an additional FTE with expertise in IDM/Federation/Security, devoted about 50% to the program; in addition there were outlays for purchase and operations of a pair of RADIUS proxy servers for the eduroam portion.
  • Less tangible costs were in the readiness, outreach, and education front. For example, OARnet hosted an InCommon Shibboleth Workshop in order to provide educational opportunities to those members considering adoption.

·         Successes/Benefits

  • In lieu of wide adoption of services from commercial InCommon Affiliates, OARnet found great success by providing institutions with a streamlined Shibboleth/RADIUS IdP installer packaged as a VM. This package was based on the similar Canadian Access Federation project (see https://github.com/knasty51/idp-installer-InCommon-EduroamUS). The institution provides the VM host, and OARnet provides installation and support of a tandem InCommon-Shibboleth/eduroam-RADIUS server image, enabling very quick onboarding (~8 hrs).
  • Tying adoption to specific services has been a successful strategy; in particular, tying Library Services (OhioLINK) and secure wireless (eduroam) to the adoption of federation has been driving adoption, since there is an immediately visible and real value to doing so.

Number of students/instructors benefiting from the pilot: 

  • As of summer 2015, the pilot has now encompassed 7 Community/Technical Colleges in the state of Ohio, serving over 76,000 students and 4,000 instructors. No K12 institutions have entered the pilot at this time.

Illustrative scenarios:

  • The pilot has included 2 community colleges located in rural Appalachia, a historically underserved and economically distressed community area. Adoption of Internet-ready federated services has enabled these institutions to provide their students with services that are the equal of those available at more economically and geographically advantaged institutions.
  • Non-traditional campus scenarios such as shared campuses and remote campuses have been key use cases and are growing in importance. One of the community colleges shares two of its campuses with 4-year institutions. Federated services make it easier for students and faculty to access services at those shared campus locations without maintaining separate helpdesks at that location. Another community college has a cohort of students attending a remote campus in Europe; the use of federated authentication to services, regardless of location, greatly simplifies the burden of creating and maintaining separate identities for these students.

Moving Forward 

·         Lessons learned and recommendations to others

    • Different institutions have different capabilities and preferences; don’t assume that one solution can be exactly replicated. Some institutions will prefer a commercial service provider such as an InCommon Affiliate, others will prefer to “DIY”, and others will need a directly engaged trusted partner of some kind.
    • Although eduroam and InCommon have different technological underpinnings (RADIUS and Shibboleth), at the business level these are both seen as kindred federated security technologies that enable collaborative activities, incrementally improve security, and provide an infrastructure for innovative services. OARnet’s pilot has found that “bundling” the services is received positively.

·         Plans for scaling beyond current scope

    • OARnet will extend this service to its other constituencies, including 4-year public and private universities and the K12 community as the opportunities arise.

·         Next Steps

    • Continue to on-board institutions into eduroam and InCommon using the Shibboleth/RADIUS IdP installer where institutions need assistance
    • Investigate how to engage with K12 community
    • Investigate operation of shared centralized infrastructure for RADIUS and Shibboleth where appropriate

·         New challenges expected in moving forward

    • Funding – federation involves a lot of moving parts and providing all the parts in an affordable and easy-to-consume model may be a challenge due to the current economic climate for many institutions

 

 

 

Mark Beadles, Chief Information Security Officer
OARnet, a member of the Ohio Technology Consortium
www.oar.net www.oh-tech.org
