From Attributes To Assertions
Andy Swiffin, a.l.swiffin@dundee.ac.uk, University of Dundee
Terena EuroCAMP, Athens. 13 November, 2008
(Image courtesy of wikipedia.org)
What will I be talking about?
• Background:
  – Identity management at Dundee
  – Access management in UK academia
• Dundee deploys Shibboleth:
  – Authenticating against eDirectory
  – Generating and releasing attributes
  – How did it go?
Dundee University
• Over 18,000 students
• Over 3000 staff
• Strong identity management
• File/Print infrastructure based on Novell:
  – eDirectory is the enterprise directory
  – Zenworks manages the desktop
  – Novell Groupwise for campus email
  – Novell IDM for directory synchronisation
But there are other “X500” directories
• Novell eDirectory
• Microsoft Active Directory
• SunOne/iPlanet
• OpenLDAP
• IBM Tivoli (SecureWay)
ALL use LDAP
• It’s a “Standard” – isn’t it?
• “The nice thing about standards is that you have so many to choose from (furthermore, if you don’t like any of them you can just wait for next year’s model)”
  – Andrew Stuart Tanenbaum, Computer Networks
Directory population
• Automatic processes (scripts)
  – from Student records (SITS)
  – from HR
• Usernames
  – ALS123?
  – M81V003?
  – MCRALS?
  – ALSwiffin
• John Smith gets an extra initial
  – JZSmith, JYSmith, JXSmith etc.
Novell IDM
• Novell Identity Manager (aka DirXML)
  – Synchronisation between eDirectory trees
    • Bidirectional (if you want)
  – Also to Groupwise
  – To Microsoft AD (if we want it)!
  – Large number of other connectors
[Diagram: Novell IDM synchronisation between SITS, HR, the Vault Tree, the Main Dundee Tree, the LDAP Tree, the IPT Tree and Groupwise]
Even applicants get an entry
• As soon as someone applies
• 19,000 per year
  – But only ~5000 come
• Huge wastage of usernames
  – But disambiguation is not a big problem
  – John Smith was never going to get JSmith anyway
Leavers’ accounts retained
• Automatic processes identify
  – Staff leaving
  – Students completing their course
• The clock starts ticking
  – After a month:
    • Accounts disabled
    • Moved into the holding pen
Active accounts retained
• If an account has been used
  – It is retained for 2 years!
• After which it is recycled
• YES! We reuse ePPN!
  – What?? You mean you expose it!!!
LDAP with everything
• So:
  – Dundee is well established in identity management
  – Email and login accounts are automatically created
  – LDAP is used by all applications for authentication
• But what about external resources?
Athens
• An Access Management System for controlling secure access to web based services
• Originally created at Bath University
• Adopted by JISC as preferred authentication mechanism
• Eduserv created in 1999 and ran Athens on behalf of the academic community
• Usernames and passwords held by Athens but administered at a local level
• Originally: “a big database table with about 4.5 million rows and 300 columns”
  – Athens DA – “Devolved Authentication”
• 500 HE and FE institutions used Athens
• 300 licensed resources
• But:
  – Athens used proprietary protocols
  – Mostly only used by UK academia (and a few others)
  – So, little international acceptance
JISC announcement – 2006
• > 600 UK members (and increasing)
• Uses Shibboleth
  – Operates in a similar way to Athens DA
  – Uses SAML to exchange information
  – Protects privacy
    • Least sensitive attributes released
    • Member, staff, student, medic
• Shibboleth – growing globally
  – USA, France, Switzerland, China, Belgium, Greece, Finland, Australia, Canada, Czech Republic, Netherlands…
What we intended to do
• JISC had funded Athens <-> Shibboleth gateways
• Plan to use Shibboleth to access Athens resources this way
• January 22nd 2008 – there was a “disagreement”
  – Athens access would still be available – but at a price…
What we actually did
• Deployed two IdPs
  – One real and one virtual
  – With HAShib and Cisco “content switching” for automatic failover
• And decided to stop using Athens entirely and rely on the Federation for authentication
The building blocks
• Linux – Novell SLES 10
• OpenSSL 0.9.8g
• Apache 2.2.6
• mod_proxy_ajp
• Tomcat 5.5.25
• Java jdk1.5.0_14
• Shibboleth IdP 1.3.3
Also available on Windows
• Some experimentation: bare bones XP box +
  – Apache 2.2.9 (includes OpenSSL!)
  – Tomcat 5.5.26
  – JRE 1.5.0.16
  – Shib 1.3.3
• INSTALL in 10 minutes!
• (There is also a Windows installer)
Authentication
• Shibboleth 1.3 relies on Apache or Tomcat for authentication
• I decided to use Tomcat
  – With Apache you get a popup box
  – With a Tomcat “Realm” you have a whole page to “brand”
• Shib 2 has the authentication bundled in
Tomcat Realm
• /usr/local/tomcat/conf/server.xml
  [Realm configuration shown on the slide; not recoverable from the extracted text]
• Directory entry used for login: objectClass: inetOrgPerson; organizationalPerson; Person; ndsLoginProperties; Top;
• /usr/local/tomcat/webapps/shibboleth-idp/WEB-INF/web.xml
• The login web pages
What if I don’t understand it?
• You don’t really need to! – Just cut and paste!
• Cook books:
  – https://mams.melcoe.mq.edu.au/zope/mams/pubs/Installation/Tomcat%20Authentication%20for%20Shibboleth%20IdP
  – https://spaces.internet2.edu/display/SHIB/IdPUserAuthnConfig
• What you’re actually doing:
  – http://www.onjava.com/pub/a/onjava/2001/08/06/webform.html
Other directories?
• Most will work as described
• But AD won’t
• A problem of “Referrals”
  – “I don’t have it but I know someone who does”
  – http://java.sun.com/products/jndi/tutorial/ldap/referral/jndi.html
• There is a Tomcat “fix”
  – http://wiki.apache.org/tomcat/JNDI_HowTo
  – http://www.jspwiki.org/wiki/ActiveDirectoryIntegration
Authorisation
• Shibboleth will be asked for some attributes
• Normally the Trinity of:
  – eduPersonScopedAffiliation
    • member, staff, student @dundee.ac.uk
  – eduPersonTargetedId
    • <hash>@dundee.ac.uk
    • The same <hash> each time you visit that resource
    • A different <hash> for each different resource
  – eduPersonEntitlement
    • Defined by the Service Provider
    • E.g. access to medical resources
• eduPersonPrincipalName
  – NOT RELEASED!
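The two properties claimed for eduPersonTargetedId above (stable for one resource, different for every other resource) are easiest to see in code. The following Python is an added illustration, not code from the slides and not the Shibboleth IdP's own algorithm: it derives the identifier with an HMAC over the principal and the service provider's entityID. The secret, the entityIDs and the `account_salt` parameter are assumptions of this example; the salt is included because the slides say usernames are recycled after two years, and without something per-account a new holder of an old username would inherit the previous holder's identity at every resource.

```python
import hashlib
import hmac

# Scope that the slides attach to every released attribute.
SCOPE = "dundee.ac.uk"

# Constructed key for this example only; a real IdP keeps a long random secret
# that never leaves the server (rotating it changes every targeted ID).
IDP_SECRET = b"constructed-demo-secret-not-for-real-use"


def targeted_id(principal: str, sp_entity_id: str, account_salt: str = "",
                secret: bytes = IDP_SECRET) -> str:
    """Return a constructed eduPersonTargetedId value of the form <hash>@scope.

    Keying the hash on (principal, SP entityID) gives the behaviour the slide
    describes: the same user at the same SP always gets the same value, and
    two SPs cannot join their records because each sees a different value.
    account_salt is an assumption of this example: a per-account value such as
    a directory GUID or creation timestamp, so a recycled username does not
    map onto the previous holder's identifier.
    """
    # A separator that cannot appear in any field keeps "ab"+"c" distinct from "a"+"bc".
    message = "\x00".join([principal, sp_entity_id, account_salt]).encode("utf-8")
    digest = hmac.new(secret, message, hashlib.sha256).hexdigest()
    return f"{digest}@{SCOPE}"


def linkable(id_a: str, id_b: str) -> bool:
    """True if two SPs holding these values could correlate the user."""
    return id_a == id_b


def demo() -> dict:
    """Exercise the properties with constructed principals and SP entityIDs."""
    library = "https://library.example.org/shibboleth"      # constructed entityID
    journals = "https://journals.example.net/shibboleth"    # constructed entityID
    first_visit = targeted_id("jbloggs", library, account_salt="guid-0001")
    second_visit = targeted_id("jbloggs", library, account_salt="guid-0001")
    other_sp = targeted_id("jbloggs", journals, account_salt="guid-0001")
    # Same username handed to a new person after recycling: different salt.
    recycled = targeted_id("jbloggs", library, account_salt="guid-0002")
    return {
        "stable_at_one_sp": linkable(first_visit, second_visit),
        "linkable_across_sps": linkable(first_visit, other_sp),
        "recycled_user_inherits_old_id": linkable(first_visit, recycled),
    }


if __name__ == "__main__":
    print(demo())
```

The `demo()` result shows the first check true and the other two false. Note that without the salt the third check would be true, which is the concrete reason the "we reuse ePPN" slide draws gasps: a recycled username is, from the service provider's point of view, the same person.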
Attributes: where are you going to get them from?
• First you need access to your directory
• /usr/local/shibboleth-idp/etc/resolver.xml
  [Data connector shown on the slide: search with cn = PRINCIPAL in this LDAP server]
• Will work with most directories
  – Except AD
For AD:
• Restrict the attributes returned
• The GC: beware!
• Referrals fix
  – https://spaces.internet2.edu/display/SHIB/JNDIDataConnector
• Some people have given up and used a database!
Attributes: are you going to store them?
• Extend the schema?
• You don’t need to do that
  – The information may already be there!
Simple attribute stored:
• Scoped affiliation
  – Directory value “Member” → Member@dundee.ac.uk
  – Directory value “Staff” → Staff@dundee.ac.uk
But you may already have the information!
• Directory entry: workforceID: M81V003
• Resolver scriptlet: workforceidstr=workforceid.get(0) → ‘M81V003’
[Figure: character positions 0 to 13 marked along the value ‘workforceID: M81V003’]
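To make the last three slides concrete, here is an added Python example (not from the slides, and not the Shibboleth resolver's own API) that builds eduPersonScopedAffiliation and eduPersonEntitlement from information a directory entry already holds, then applies the release rule from the Authorisation slide, which resolves eduPersonPrincipalName but never releases it. Entries are modelled as LDAP returns them, a list of values per attribute, so the `first_value` helper mirrors `workforceid.get(0)` on the slide and also copes with the attribute being absent. The entries themselves, the `studentID` and `groupMembership` attribute names, the group DN, the entitlement URN and the rule "workforceID present means staff, studentID present means student" are all assumptions of this example.

```python
from typing import Dict, List, Optional

SCOPE = "dundee.ac.uk"

# Constructed directory entries in the shape the slides show: attribute -> list of values.
# Only workforceID and the objectClass list come from the slides; the rest is assumed.
ENTRIES: Dict[str, Dict[str, List[str]]] = {
    "m81v003": {
        "cn": ["m81v003"],
        "objectClass": ["inetOrgPerson", "organizationalPerson", "Person", "ndsLoginProperties", "Top"],
        "workforceID": ["M81V003"],
        "groupMembership": ["cn=medics,ou=groups,o=dundee"],  # assumed group DN
    },
    "jzsmith": {
        "cn": ["jzsmith"],
        "objectClass": ["inetOrgPerson", "organizationalPerson", "Person", "ndsLoginProperties", "Top"],
        "studentID": ["080012345"],  # assumed attribute name and constructed value
    },
    # An applicant: has an entry (as the slides say) but no staff or student data.
    "applicant1": {
        "cn": ["applicant1"],
        "objectClass": ["inetOrgPerson", "organizationalPerson", "Person", "Top"],
    },
}

# Entitlement values are defined by the service provider (slide); this URN is a placeholder.
MEDICAL_ENTITLEMENT = "urn:mace:example.org:entitlement:medical-PLACEHOLDER"
MEDICS_GROUP_DN = "cn=medics,ou=groups,o=dundee"  # assumed

# Attributes the IdP is willing to send to a service provider. ePPN is deliberately absent.
RELEASE_POLICY = {"eduPersonScopedAffiliation", "eduPersonTargetedId", "eduPersonEntitlement"}


def first_value(entry: Dict[str, List[str]], attr: str) -> Optional[str]:
    """Equivalent of workforceid.get(0): first value of a multi-valued attribute, None if absent."""
    values = entry.get(attr) or []
    return values[0] if values else None


def resolve(entry: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Derive the attribute set from data already in the entry (no schema extension needed)."""
    affiliations: List[str] = []
    if first_value(entry, "workforceID"):   # assumed rule: staff have a workforceID
        affiliations.append("staff")
    if first_value(entry, "studentID"):     # assumed rule: students have a studentID
        affiliations.append("student")
    if affiliations:                        # assumed: member only for staff and students
        affiliations.insert(0, "member")

    attrs: Dict[str, List[str]] = {
        "eduPersonPrincipalName": [f"{first_value(entry, 'cn')}@{SCOPE}"],
        "eduPersonScopedAffiliation": [f"{a}@{SCOPE}" for a in affiliations],
    }
    if MEDICS_GROUP_DN in entry.get("groupMembership", []):
        attrs["eduPersonEntitlement"] = [MEDICAL_ENTITLEMENT]
    return attrs


def released(attrs: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Apply the release policy: drop anything not on the list, and empty attributes."""
    return {name: values for name, values in attrs.items()
            if name in RELEASE_POLICY and values}


if __name__ == "__main__":
    for principal, entry in ENTRIES.items():
        print(principal, released(resolve(entry)))
```

Running it shows the staff entry releasing member and staff affiliations plus the entitlement, the student entry releasing member and student, and the applicant releasing nothing at all, while eduPersonPrincipalName is resolved for each but never appears in the released set.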