thoughts on the shibboleth user experience

Fri, Jul 4, 2008

I was reading the eFoundations blog and came across this interesting article about the user experience side of Shibboleth and it rang a bell, as I happen to think the user experience isn’t that good. In the UK Federation, we have a weird and wonderful concoction of access terminology that is just bound to confuse users. Indeed, I spoke about this last December at the McShibb meeting in Edinburgh. Each service provider has its own access vocabulary, depending on whether you’re using Athens or Shibboleth:

Access Terminology

There are ways round this, such as WAYF-less URLs, which take a user direct to a resource: if they haven’t already authenticated, they are taken direct to the IdP’s login page. This can cause information loss, however, in that service providers like to display downtime messages etc. on the front pages of their sites and WAYF-less URLs bypass all that information. Extending Shibboleth to allow an IdP to fetch information an SP would like published would be nice, such that the IdP’s login page could display SP-specific messages. One more request parameter is all that would be needed. The IdP could fetch the contents, brand and display. I’ve partly gone down this road with Guanxi, as the IdP can be tailored depending on which SP is contacting it. This lets the institution tailor a login page to an SP, detailing help options etc.

Another really bad user experience is the Griffin. It’s probably the worst error page I’ve ever seen, in user terms. It displays a big bird with an indecipherable error message such as “Session creation failure” and leaves you stranded in the Shibbosphere. Again, a simple extension to Shibboleth could sort this. Instead of the SP displaying that page, it could easily complete the Shibboleth cycle by redirecting back to the IdP with an error condition. That lets the institution brand the error page and add user-friendly advice to it.

The Shibboleth profile is meant to be an open standard but extending it is seen as too onerous. Indeed, the UK Federation is running on deprecated software, mostly I2 Shibboleth 1.3f, which I found out when researching an obscure XML signature problem I was getting when a Guanxi2 IdP was talking to a federation SP. So I’m not sure who is leading the federation where. There are some movements in this area, however, with the JISC Access Management Team asking for opinions on the way ahead for federated access management, but the team is about to be disbanded.

So where are we in the Shibbosphere? Well, we’ve somehow got past the initial birth of the Shibboverse and are heading away from the intense heat of creation, hopefully towards a more stable orbit. But the spaceship is about to lose its crew and I’m not sure who or what will replace them. In the meantime I’ll continue to steer our course through the asteroid field, dealing with service providers appearing via wormholes, minus all Athens personalisations. At least we know what to expect now, in terms of getting access to resources and shifting personal settings from one “account” to another.

Looking at the charts, the outer reaches of the Shibboverse should be marked “here be dragons”. Or should that be Griffins?
