SOCKET
QMShibb - Shibboleth enabling Questionmark Perception
If you are interested in Shibboleth, then you are probably aware of the complex shuttling between the Service Provider (SP) and the Identity Provider (IdP) ultimately leading to a set of attributes emerging from the Service Provider and being presented to the Shibboleth-protected resource. (If this is all new to you, read the excellent introduction in the Educause Quarterly.)
Let's assume that the user has tried to access a Shibboleth-protected resource. She has been intercepted by the SP and sent off to the WAYF, which in turn sends her on to the IdP. She authenticates to the IdP, which then sends an authentication assertion to the SP. The SP responds by requesting the user's attributes from the IdP. But what happens when they arrive? Many diagrams of the Shibboleth authentication process simply end at this point with 'access to resource granted'. This may be the case if all that is necessary for access is for certain Shibboleth attributes to be present in the HTTP request. In this case the protected resource doesn't use the values of the attributes: it is enough to know, for example, that an attribute is present indicating that the user is a member of an organization that has paid a subscription for access to the resource.
Shibboleth and e-Learning
Shibboleth as originally developed has a very strong emphasis on protecting the user's privacy and not releasing more information than absolutely necessary. For example, as long as the user or her organization has paid a subscription, there is no need to release her identity to a publisher's website. However, this does not work in the world of e-learning where the protected resource might be a bulletin board or an online assessment system such as Questionmark Perception. Students need to be assessed. How can you assess a student if you don't know who she is? If you are accessing systems such as Questionmark Perception, then the minimum user attributes necessary will be some sort of system-specific identifier (e.g. a username), probably the student's real name and possibly an indication of the groups to which she belongs.
Shibboleth and Questionmark Perception
This means that you can't just put Perception behind a Shibboleth SP and expect it to work. You need another software component, a Resource Manager, that can extract the information from the Shibboleth attributes and pass it on to Perception in a form that it can use. Perception has a web service called Questionmark Web Integration Services environment (QMWISe). This allows password-free access to much of Perception's functionality, including account and group creation, presentation of assessments and other administrative functions. As part of the SOCKET JISC eLF project, we have developed a resource manager that allows Shibboleth attributes to be passed to QMWISe. The resource manager is called QMShibb.
QMShibb
Questionmark Perception is a Windows web application running within Microsoft Internet Information Server (IIS). We are primarily interested in interfacing Perception to our VLE, which uses the Bodington software written in Java. Bodington has the advantage that it has both Shibboleth IdP and Shibboleth SP functionality built-in. QMShibb is a set of Java servlets which run in a servlet container that implements the Java Servlet Specification version 2.3 or above. It can be deployed on the same server as the VLE, the same server as Perception or on a third server. There is no restriction on the domains in which the servers reside, but they should not use HTTP proxies.
The preferred servlet container for QMShibb is Apache Tomcat. This can be installed as a standalone application, or it can be installed within Apache or IIS. In the latter case, it can be installed within the same installation of IIS as that running Perception.
When QMShibb is installed behind a Shibboleth SP, it expects to find the following attributes in the HTTP request headers:
- An attribute containing the user's principalName. This will usually take the form of a site-qualified username, e.g. username@mysite.myuni.ac.uk. This attribute is required and QMShibb will report an error if it is not present.
- A single attribute containing the user's real name, or a pair of attributes containing the first and last names. If there is no name attribute, the user will be given the default name 'Anonymous User'.
- An optional attribute containing a list of the names of groups to which the user belongs. The list separator character can be set in QMShibb's configuration file.
The names of the HTTP headers containing these attributes can be set in the configuration file. The configuration file also contains entries for setting the SOAP security header required by QMWISe. Other entries allow optional automatic participant account creation, automatic addition of the participant to existing groups within Perception, or the automatic creation of groups (with the same names as those in the Shibboleth attribute) and the addition of the participant to them. Note that QMShibb takes these values on trust from the request headers, so it must only be reachable through the SP: a request that bypasses the SP could present headers of the sender's choosing.
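As an added example (not QMShibb's own source), here is the header-to-participant mapping that the three attributes and the configuration entries above describe, written in plain Java against a Map of request headers so it compiles with a stock JDK and no servlet container. The property keys (header.principalName, header.fullName, header.firstName, header.lastName, header.groups, groups.separator) and the sample header names (eppn, givenName, sn, isMemberOf) are assumptions; QMShibb's actual configuration keys are not given on this page.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.Properties;
import java.util.TreeMap;
import java.util.regex.Pattern;

// Added example, not QMShibb's source: maps SP-set request headers to the
// participant data QMWISe needs. Works on a plain Map so it runs with a
// stock JDK. Property keys and header names are assumptions (see lead-in).
public class ShibAttributeMapper {

    public static final class Participant {
        public final String principalName, displayName;
        public final List<String> groups;
        Participant(String p, String d, List<String> g) { principalName = p; displayName = d; groups = g; }
    }

    private final String principalHeader, fullNameHeader, firstNameHeader, lastNameHeader, groupsHeader;
    private final String groupSeparator;

    public ShibAttributeMapper(Properties cfg) {
        principalHeader = cfg.getProperty("header.principalName");
        if (principalHeader == null) throw new IllegalArgumentException("header.principalName must be set");
        fullNameHeader  = cfg.getProperty("header.fullName");    // single name attribute, or
        firstNameHeader = cfg.getProperty("header.firstName");   // a first/last pair
        lastNameHeader  = cfg.getProperty("header.lastName");
        groupsHeader    = cfg.getProperty("header.groups");
        groupSeparator  = cfg.getProperty("groups.separator", ";");  // the SP's default list separator
    }

    /** Builds a Participant from request headers; fails closed if the principal is absent. */
    public Participant map(Map<String, String> rawHeaders) {
        // Header names are case-insensitive in HTTP; normalise lookups.
        Map<String, String> h = new TreeMap<>(String.CASE_INSENSITIVE_ORDER);
        h.putAll(rawHeaders);

        String principal = trimToNull(h.get(principalHeader));
        if (principal == null)
            throw new IllegalArgumentException("required attribute missing: " + principalHeader);

        String name = fullNameHeader == null ? null : trimToNull(h.get(fullNameHeader));
        if (name == null && firstNameHeader != null && lastNameHeader != null) {
            String first = trimToNull(h.get(firstNameHeader)), last = trimToNull(h.get(lastNameHeader));
            if (first != null && last != null) name = first + " " + last;
            else if (first != null) name = first;
            else if (last != null) name = last;
        }
        if (name == null) name = "Anonymous User";   // default when no name is released

        List<String> groups = new ArrayList<>();
        String rawGroups = groupsHeader == null ? null : h.get(groupsHeader);
        if (rawGroups != null) {
            for (String g : rawGroups.split(Pattern.quote(groupSeparator))) {
                if (!g.trim().isEmpty()) groups.add(g.trim());
            }
        }
        return new Participant(principal, name, Collections.unmodifiableList(groups));
    }

    private static String trimToNull(String s) {
        return s == null || s.trim().isEmpty() ? null : s.trim();
    }

    public static void main(String[] args) {
        Properties cfg = new Properties();
        cfg.setProperty("header.principalName", "eppn");
        cfg.setProperty("header.firstName", "givenName");
        cfg.setProperty("header.lastName", "sn");
        cfg.setProperty("header.groups", "isMemberOf");
        ShibAttributeMapper mapper = new ShibAttributeMapper(cfg);

        // Constructed sample headers, as the SP would set them after attribute release.
        Map<String, String> headers = new TreeMap<>();
        headers.put("EPPN", "jsmith@mysite.myuni.ac.uk");   // case differs from config on purpose
        headers.put("givenName", "Jane");
        headers.put("sn", "Smith");
        headers.put("isMemberOf", "phys101;phys102;");
        Participant p = mapper.map(headers);
        System.out.println(p.principalName + " / " + p.displayName + " / " + p.groups);

        // No principal: report an error rather than guessing an identity.
        try {
            mapper.map(Collections.singletonMap("sn", "Smith"));
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

In a real servlet the same Map would be built from HttpServletRequest.getHeaderNames() and getHeader(). The point to carry over is the asymmetry the page describes: the principal check fails closed, while the name and group attributes degrade to a default name and an empty group list.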
Currently, three servlets are provided with QMShibb. These are:
- getaccessassessment
This servlet receives the Shibboleth attributes, carries out optional account/group creation and then redirects to a Perception assessment whose id is specified as a parameter in the request's query string. This servlet is accessed via a URL of the form: http://path.to.tomcat/QMShibb/getaccessassessment?assessment=1234567890
The user is presented with the assessment as if she had logged into perception.dll.
- getaccessassessmentlist
This servlet receives the Shibboleth attributes, carries out optional account/group creation and then redirects to the user's list of available Perception assessments. This servlet is accessed via a URL of the form: http://path.to.tomcat/QMShibb/getaccessassessmentlist
The user is presented with the assessment list as if she had logged into perception.dll.
- getaccessadministrator
This servlet receives the Shibboleth attributes of an existing Perception administrator, and redirects to the Perception Enterprise Manager without account or group creation. This servlet is accessed via a URL of the form: http://path.to.tomcat/QMShibb/getaccessadministrator
The user is presented with the Enterprise Manager as if she had logged into it directly.
[Image: a Perception assessment accessed via Shibboleth (the Guanxi implementation) + QMShibb + QMWISe from the Bodington VLE.]
Following a conversation with John Kleeman, the Questionmark chairman, we modified the behaviour of the getaccessassessment and getaccessassessmentlist servlets. Both of these now ensure that the participant is added to the group 'external_shibboleth_users'. In addition, the getaccessassessment servlet checks to see if a schedule exists that links the user to the assessment. If not, then it creates a schedule that allows the user a single attempt at the assessment. For any further use of the assessment by that user a new schedule must be created.
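The provisioning that a getaccessassessment request triggers, as an added example that is not QMShibb's or Questionmark's code: account creation and group membership are governed by the configuration toggles described earlier, every participant is placed in 'external_shibboleth_users', and a schedule with a single attempt is created only if none exists. QmwiseClient is a hypothetical interface standing in for the QMWISe SOAP calls (the real method names are not given on this page), FakeQmwise is an in-memory stand-in so the flow runs offline, and the numeric check on the assessment id is an added input check based on the example URL above.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;

// Added example, not QMShibb's or Questionmark's code: the provisioning a
// getaccessassessment request triggers, written so every step is idempotent.
// QmwiseClient is a hypothetical stand-in for the QMWISe SOAP calls.
public class PerceptionProvisioner {

    public static final String SHIB_GROUP = "external_shibboleth_users";
    private static final Pattern ASSESSMENT_ID = Pattern.compile("[0-9]{1,20}");

    public interface QmwiseClient {
        boolean participantExists(String username);
        void createParticipant(String username, String displayName);
        boolean groupExists(String group);
        void createGroup(String group);
        boolean isMember(String username, String group);
        void addToGroup(String username, String group);
        boolean scheduleExists(String username, String assessmentId);
        void createSchedule(String username, String assessmentId, int attempts);
        String accessAssessmentUrl(String username, String assessmentId);
    }

    private final QmwiseClient qm;
    private final boolean autoCreateAccounts, autoCreateGroups;   // configuration entries

    public PerceptionProvisioner(QmwiseClient qm, boolean autoCreateAccounts, boolean autoCreateGroups) {
        this.qm = qm;
        this.autoCreateAccounts = autoCreateAccounts;
        this.autoCreateGroups = autoCreateGroups;
    }

    /** Provisions as configured and returns the URL to redirect the participant to. */
    public String prepareAssessment(String username, String displayName,
                                    List<String> shibGroups, String assessmentId) {
        // The id arrives in the query string: validate it before it reaches the SOAP call.
        if (assessmentId == null || !ASSESSMENT_ID.matcher(assessmentId).matches())
            throw new IllegalArgumentException("bad assessment id");
        if (!qm.participantExists(username)) {
            if (!autoCreateAccounts) throw new IllegalStateException("no account for " + username);
            qm.createParticipant(username, displayName);
        }
        ensureMembership(username, SHIB_GROUP, true);   // every Shibboleth user lands here (assumed creatable)
        for (String g : shibGroups) ensureMembership(username, g, autoCreateGroups);

        // One schedule with one attempt; a repeat visit must not silently grant another.
        if (!qm.scheduleExists(username, assessmentId)) qm.createSchedule(username, assessmentId, 1);
        return qm.accessAssessmentUrl(username, assessmentId);
    }

    private void ensureMembership(String username, String group, boolean mayCreateGroup) {
        if (!qm.groupExists(group)) {
            if (!mayCreateGroup) return;   // only existing groups are joined unless auto-create is on
            qm.createGroup(group);
        }
        if (!qm.isMember(username, group)) qm.addToGroup(username, group);
    }

    /** In-memory stand-in for Perception so the flow runs without a server. */
    public static final class FakeQmwise implements QmwiseClient {
        final Map<String, String> participants = new HashMap<>();
        final Map<String, Set<String>> groups = new HashMap<>();
        final Set<String> schedules = new HashSet<>();
        int schedulesCreated = 0;

        public boolean participantExists(String u) { return participants.containsKey(u); }
        public void createParticipant(String u, String d) { participants.put(u, d); }
        public boolean groupExists(String g) { return groups.containsKey(g); }
        public void createGroup(String g) { groups.put(g, new HashSet<String>()); }
        public boolean isMember(String u, String g) { return groups.get(g).contains(u); }
        public void addToGroup(String u, String g) { groups.get(g).add(u); }
        public boolean scheduleExists(String u, String a) { return schedules.contains(u + "|" + a); }
        public void createSchedule(String u, String a, int n) { schedules.add(u + "|" + a); schedulesCreated++; }
        public String accessAssessmentUrl(String u, String a) { return "perception.dll?assessment=" + a; }  // fake
    }

    public static void main(String[] args) {
        FakeQmwise fake = new FakeQmwise();
        fake.createGroup("phys101");   // exists in Perception; "phys999" does not
        PerceptionProvisioner p = new PerceptionProvisioner(fake, true, false);
        List<String> shibGroups = Arrays.asList("phys101", "phys999");
        String user = "jsmith@mysite.myuni.ac.uk";
        System.out.println(p.prepareAssessment(user, "Jane Smith", shibGroups, "1234567890"));
        System.out.println("groups: " + fake.groups.keySet() + ", schedules created: " + fake.schedulesCreated);

        // Second visit: memberships are not duplicated and no extra attempt is granted.
        p.prepareAssessment(user, "Jane Smith", shibGroups, "1234567890");
        System.out.println("after repeat, schedules created: " + fake.schedulesCreated);
    }
}
```

With auto-creation of groups off, as in the example run, the participant joins phys101 but phys999 is skipped rather than created; with it on, both would exist afterwards. The schedule count stays at one across visits, which is the behaviour the paragraph above describes: further attempts require a schedule to be created deliberately, not by revisiting the URL.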
Posted at 12:10PM May 09, 2006 by Andrew G. Booth in Questionmark Perception