Slashdot Mirror


Penn State Launches Napster Music Service

Owner of Azkaban writes "CNN has a story about PSU launching Napster for its own students." Also at live.psu.edu. This is the service we posted about last fall; in three days, the Penn State system has served more than 100,000 songs.


  1. Some Cool Technical Stuff by finkployd · Score: 4, Informative

    One piece of this that is not getting much attention right now (that would probably be of interest to /. readers) is the registration system. I'm not getting into the politics of this, the DRM or the "right or wrong" arguments.

    In this initial rollout PSU and Napster decided to limit the service to students living in the residence halls. It does not matter which of the 21 campuses you are on, just that you live in a res hall.

    We also needed to ACTIVELY protect the privacy of the students, not just to comply with FERPA but because we are not in the business of providing marketing data to private institutions.

    The way we went about this was to use the Internet2 Middleware Initiative's Shibboleth software. Similar to Liberty in that it is a federated single sign-on system that uses SAML, it is one of the unsung heroes in this.

    Without getting into TOO much low level detail of how Shib works (which is available at the above link for those interested), here is a quick overview of what we are doing:

    Basically PSU students are redirected to Napster's shibboleth protected registration webpage (this shib component is an Apache auth module) which sends them back to a PSU server to do the actual authentication. The student authenticates to the web server (kerberos backended userid and password). This server is also a component of Shib and it redirects the user (actually an http post) back to the Napster reg system along with a SAML authentication assertion.

    The SAML authentication assertion is a blob of XML data that contains an opaque handle for the user (used in the next step) and a URI back to the last piece of Shibboleth at PSU called the Attribute Authority. This assertion is also digitally signed with an x.509 cert (w3c's XML-Signature spec) so that Napster knows it can trust this (not tampered with, generated from a rogue "man in the middle" server, etc).

    The last step is when Napster makes an SSL wrapped call to the Attribute Authority requesting attributes about the student who is trying to get in. Remember up to this point all they know is his opaque handle (long string of numbers which uniquely identifies the user, but provides no information). The Attribute Authority looks at the cert of the requesting server, sees that it is Napster and queries LDAP for the data about the user that it is allowed to release. This is configurable to be anything we have, name, email, address, department, semester standing, etc. HOWEVER we only pass TWO things to Napster. (1) an entitlement string that identifies whether or not that user is allowed to get this service, and (2) a persistent opaque handle, which is basically the userID encrypted with the name of the target site and a secret seed value.

    The entitlement string is generated at PSU and is populated in the user's LDAP entry based on the criteria that was set (res hall students only for now) and the persistent opaque handle gives Napster something to look at to make sure each student only registers once, but they still have no idea who that user is or anything about them other than that they are a student at PSU in a res hall.

    Now if the student chooses to use their PSU email address when creating their Napster account, or gives them their CC number because they want to purchase songs that is their decision. The doubleplus good factor here is that PSU does not give that data up. We merely assert on the user's behalf that they are allowed to sign up under this agreement.

    This Shibboleth stuff is running on Linux at both places and with the exception of requiring Java at the Origin end (PSU), is entirely comprised of open source software. The Napster guys we worked with were also very clueful and were definitely down with Linux, using it except where Windows was necessary (WMA streaming).

    So I are very pleased at what
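The attribute-release step the comment above describes, as an added example that is not code from the post, from PSU or from Shibboleth: an Attribute Authority stand-in that resolves the assertion's one-time opaque handle, applies a per-requester release policy, and derives the persistent handle for the requesting site. The directory entries, requester certificate subjects and entitlement value are constructed, the one-time-use handle table is an assumption about how the handle is tracked, and the persistent handle uses an HMAC (a keyed hash) in place of the encryption the post mentions; it gives the same properties (stable per user and site, different across sites, not reversible without the seed).

```python
import os
import hmac
import hashlib
import base64

# Constructed stand-in for the LDAP entries the post describes. The entitlement
# value is a placeholder, not the real string; None means "not populated".
DIRECTORY = {
    "jdoe123": {"cn": "Jane Doe", "mail": "jdoe123@example.edu", "dept": "EECS",
                "entitlement": "urn:example:music-service-entitled"},
    "asmith9": {"cn": "Alex Smith", "mail": "asmith9@example.edu", "dept": "History",
                "entitlement": None},  # not in a res hall: no entitlement populated
}

# Release policy keyed by the requester's client-cert subject (assumption: the AA
# identifies the calling site by the CN presented on the SSL connection).
RELEASE_POLICY = {
    "CN=napster.example.com": {"entitlement", "persistent_handle"},
    "CN=library.example.edu": {"entitlement", "mail"},
}

SECRET_SEED = b"constructed-secret-seed"  # held only at the origin, never released
HANDLE_TABLE = {}  # transient assertion handle -> userid, held only at the origin


def issue_handle(userid: str) -> str:
    """Opaque handle placed in the authentication assertion: random, carries no
    information about the user, and resolvable only by the origin."""
    handle = base64.urlsafe_b64encode(os.urandom(16)).decode().rstrip("=")
    HANDLE_TABLE[handle] = userid
    return handle


def persistent_handle(userid: str, target: str, seed: bytes = SECRET_SEED) -> str:
    """Site-specific persistent handle: HMAC over (target site, userid) keyed with
    the secret seed, so the same user gets a different handle at every site."""
    mac = hmac.new(seed, f"{target}\x00{userid}".encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode().rstrip("=")


def resolve_and_release(requester_subject: str, handle: str) -> dict:
    """Attribute Authority step: resolve the one-time handle, then return only the
    attributes the release policy allows for this requester. Unknown requesters,
    unknown or reused handles, and unpopulated attributes yield nothing."""
    userid = HANDLE_TABLE.pop(handle, None)  # one-time use (assumption)
    allowed = RELEASE_POLICY.get(requester_subject, set())
    entry = DIRECTORY.get(userid)
    if entry is None or not allowed:
        return {}
    released = {}
    for attr in allowed:
        if attr == "persistent_handle":
            released[attr] = persistent_handle(userid, requester_subject)
        elif entry.get(attr) is not None:
            released[attr] = entry[attr]
    return released
```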