
Introduction http://iamsect.ncl.ac.uk/ 2 Overview Morning - PowerPoint PPT Presentation

Shibboleth and the IAMSECT Project Introduction http://iamsect.ncl.ac.uk/ 2 Overview Morning session: History of access control Current solutions Problems with current solutions: For users For administrators The solution:


  1. Slide 56: Where are you from?
     • Analogous to Athens DA Home Domain Discovery (HDD)
     • Remember this relationship

  2. Slide 57: Mutual Policies
     • Federation membership may dictate abiding by a set of mutually agreed policies
     • A common Certificate Authority (CA) for security

  3. Slide 58: Example Federations
     • InQueue
     • InCommon
     • Athens
     • SDSS

  4. Slide 59: SDSS Federation technical requirements
     • Use eduPerson attributes:
       – eduPersonScopedAffiliation: required
       – eduPersonTargetedID: optional
       – eduPersonEntitlement: contemplated
     • Use Globalsign as a certificate provider (moving away from this; they will be trialling Thawte with Newcastle)

  5. Slide 60: SDSS Federation Policy V1.0
     • All members of the federation must:
       – Observe best practice in the handling and use of your digital certificates and private keys
     • All identity providers (origins) must:
       – Make reasonable attempts to ensure that only members of your institution are provided with credentials permitting authentication to your handle server, and that the assertions made to service providers by your attribute authority are correct.
     • All service providers (targets) must:
       – Agree not to aggregate, or disclose to other parties, attributes supplied by identity providers.

  6. Slide 61: Attribute Standards
     • A common scheme for the exchange of attributes between service and identity providers

  7. Slide 62: Baseline Rules
     • Newcastle in the SDSS federation
     • Newcastle currently BIOSIS subscriber but not UPDATE subscriber
     • Can access BIOSIS via Shib, but not UPDATE

  8. Slide 63: Attributes
     • Descriptive information about a user
     • Can technically be any descriptive text, e.g. has green eyes

  9. Slide 64: How to identify useful attributes (theory)
     • the attributes that are required by the web application;
     • your institute's privacy policy;
     • which attributes you can collect in a timely and scalable manner;

  10. Slide 65: Identifying attributes (reality)
     • Type and format will be decided by the federation you join
     • Different federations still likely to use the same standards
     • You are not limited by federation, it is just there for convenience

  11. Slide 66: Attribute identification (detail)
     Current attribute use is limited to a dull but useful core
     One major attribute standard in real use at present: eduPerson
     One currently used attribute: eduPersonScopedAffiliation

  12. Slide 67: eduPersonScopedAffiliation
     • MACE-Dir eduPerson attribute
     • Example: member@ed.ac.uk
     • Gives subject’s relationship to an institute
     • At present can be one of: member, student, employee, faculty, staff, alum, affiliate.
     • Many resources licensed on these terms
     • “member” is all providers want to know for now

  13. Slide 68: Attribute identification (detail)
     Several more contemplated:
     • eduPersonPrincipalName
     • eduPersonTargetedID
     • Given name
     • Surname
     • Common name
     • eduPersonEntitlement

  14. Slide 69: eduPersonEntitlement
     • MACE-Dir eduPerson attribute
     • Examples:
       – urn:mace:ac.uk:sdss.ac.uk:entitlement:resource
       – http://provider.co.uk/resource/contract.html
     • States user’s entitlement to a particular resource
     • Service provider must trust identity provider to issue entitlement
     • Good fine-grained fall-back approach.

  15. Slide 70: eduPersonTargetedID
     • MACE-Dir eduPerson attribute
     • Example: sObw8cK@ncl.ac.uk
     • A persistent user pseudonym, specific to a given service, intended to enable personal customisation
     • Value is uninformative but constant
     • Allows personalisation and saved state without compromising privacy…much
     • Issues about stored vs. generated forms

  16. Slide 71: Attributes for the future
     • Attributes are flexible so can be anything required
     • E.g. user on campus, “kiosk” walk-in user, alumni.
     Flip chart discussion

  17. Slide 72: What is happening with shib now
     Americans moving forward:
     • Shibboleth being actively deployed
     • 120 members with a test registration
     • 13 members already in their service federation ($700 upfront $1000 per year)
     UK moving forward:
     JISC £7m core middleware fund...more later
     Athens infrastructure turbo charges UK shib

  18. Slide 73: Athens services
     ADITUS Butterworths Stair Memorial EIU Countrydata MIMAS Landmap Mediterranean AMADEUS Butterworths Stone's Justices Manual EIU Marketindicators & Forecasts MIMAS LitLink AMICO library Butterworths Tax Direct ESDS International MIRA Virtual Automotive Info Centre APU Library Proxy Butterworths Tax Planning Service ESDU Data Martindale & Stockleys Drug Interactions Axiom Butterworths Trusts and Estates Direct ESRI NTF Converters Mintel Reports BANKSCOPE Butterworths UK & International GAAPplus Education Image Gallery Mulberry BIDS CAB Abstracts Butterworths US Banking Editions Online Education Media OnLine NeLH Evidence-Based on Call BIDS IBSS Service CHEST Associated Site Contacts Education Media OnLine medical-restrict NeLH Journal of Medical Screening BIDS Silver Platter INSPEC service CHEST Further Education Site Contacts Electronic Surgeons in Training Educatio NetLibrary BIDS SilverPlatter PsycINFO Service CHEST Higher Education Site Contacts Emerald Fulltext NewsBank InfoWeb BLISS CHEST Ireland Site Contacts Emerald Management Reviews OCLC FirstSearch Service BMJ Journals CSA Aqualine Encyclopaedia Britannica OSIRIS BioMed Central CSA Artbibliographies Modern Engineering Village 2 Ovid Online Blackwell-Synergy.com CSA Internet Database Service Extenza e-Publishing Service Oxford English Dictionary Online British Standards Online CSA Linguistics & Language Behaviour FAME Oxford Reference Online Business Ratio Reports CSA e-psyche Gale Group InfoTrac Papyrus software for DOS Butterworths Accountancy Direct Cartalinx ISI JCR Science Edition Papyrus software for the Mac Butterworths All England Direct Census Dissemination Unit ISI JCR Social Sciences Edition Parlianet Butterworths Banking Law Direct Census Geography Data Unit (UKBORDERS) ISI Web of Knowledge Perfect Analysis Butterworths Businesscompliancedirect.co Census Interaction Data Service Idrisi Primal Pictures Basic Anatomy (NHS) Butterworths CaseSearch Census Learning Resources
     Ingenta Full Text Journals Primal Pictures anatomy.tv Butterworths Civil Procedure Online Census Microdata Unit at the CCSR Ingenta Select ProQuest Butterworths Commercial Property Law Census Registration Service Int. Civil Engineering Abstracts ProQuest Reference Asia Butterworths Corporate Finance Chadwyck-Healey KnowEurope Irish Reports and Digest RCS Affiliates Area Butterworths Corporate Law Direct Chadwyck-Healey KnowUK Database Isle of Man GIS data RCS Discussion Fora Butterworths Crime Online Chadwyck-Healey LION for colleges JASPER RCS Library Electronic Journals Butterworths EBL Direct Essentials Chadwyck-Healey Literature Online JUSTIS Celex and OJC RCS Members Area Butterworths EBL Direct Premium Chadwyck-Healey PCI Full Text Database JUSTIS Daily Cases RefWorks Butterworths EOR Direct Childlink.co.uk JUSTIS ECJ Proceedings Reuters Business Insight Unlimited Butterworths EU Direct City University Virtual Library JUSTIS Family Law SCOTBIS: Members Area Butterworths Employment Online Cochrane Library JUSTIS Hermes SCRAN Web Site Butterworths Family and Child Direct Computer Abstracts JUSTIS Human Rights ScienceDirect Butterworths Financial Regulations Servi Creative Club JUSTIS Industrial Cases Sentient DISCOVER Butterworths Forms and Precedents Direct CrossFire Service (PLUSABGM) JUSTIS Law Reports (eLR) SilverPlatter Arc2 Butterworths HSE Direct CrossFire self-teach modules (MIMAS-XFT) JUSTIS Law Reports Digest Snapshots International: Market Research Butterworths Halsbury's Laws of ...
     Dialog DataStar JUSTIS Lloyd's Law Reports Statistical Accounts of Scotland Butterworths Human Rights Direct Dialog Education@Site JUSTIS Mental Health Law Reports SwetsWise Butterworths IRS Employment Review Dialog@Site JUSTIS Official Journal C Synsoft HYDRA and HYDRA ONLINE Butterworths Immigration and Asylum Law EBSCOhost EJS JUSTIS Prison Law Reports TRILT Butterworths Insolvency Law Direct EBSCOhost databases JUSTIS UK Statutes and SIs Taylor and Francis eBook Subscriptions Butterworths Intellectual Property ... EDINA AGDEX JUSTIS Weekly Law Technical Indexes Info4Education Butterworths International Tax EDINA BIOSIS Jobs admin stuff Technical Indexes Info4HealthEstates Butterworths Law Direct EDINA BIOSIS Previews 1969 - 1984 JustCite The Academic Library Butterworths Law Reports Direct EDINA CAB Abstracts Keynote The Times Law Reports Butterworths Legal Updater EDINA Compendex KumarandClark.com UK JSTOR Mirror Service Butterworths Legislation Direct EDINA Digimap LexisNexis WILSONWEB Butterworths Licensing Direct EDINA EconLit MD Consult Westlaw UK Butterworths Local Government Direct EDINA INSPEC METAPRESS Wiley InterScience Butterworths PI Online EDINA Index to The Times, 1790 - 1980 MIMAS ISI BIOSIS Previews WriteNote Butterworths PensionsPro EDINA MLA MIMAS ISI Chemistry Server XpertHR Butterworths Property Tax Direct EDINA PAIS MIMAS ISI Current Contents Connect ZETOC - BL Electronic Table of Contents Butterworths Scotland Direct EDINA UPDATE MIMAS ISI Derwent Innovations Index eSTEP administrators resource Butterworths Scots Law Direct EEBO MIMAS Infoterra images.MD Butterworths Sergeant Sims Stamp Duty EIU Citydata MIMAS Landmap xreferplus

  19. Slide 74: What is happening with shib now
     Europeans:
     2. Swiss SWITCH project
     3. Finns, Danes, Norwegians moving
     4. Spanish, Germans seem keen
     Australia:
     Backing Shibboleth after pilot studies

  20. Slide 75: What is happening with shib now
     Blackboard and WebCT actively integrating into their offerings
     Elsevier deploying service
     JSTOR service deployed
     Athens integration
     Anecdotal evidence that journal providers are very keen.

  21. Slide 76: The future of shib
     Shibboleth is a disruptive technology
     Authentication, privacy barrier removed
     • Online “reputation based” systems kill journals
     • Services bought in from outside, e.g. webmail for students
     • Niche services flourish
     • Desktop applications, e.g. Lionshare

  22. Slide 77:
     • “Inter-institutional Authorisation Management to Support eLearning with reference to Clinical Teaching”
     • JISC funded – Core Middleware Strand

  23. http://iamsect.ncl.ac.uk/

  24. Slide 79: Inter-institutional
     • Collaboration
       – Durham
       – Newcastle
         • Web team
         • Faculty of Medical Sciences
       – Northumbria

  25. Slide 80: Other relationships
     • SDSS
       – core middleware
       – EDINA
     • SAPIR
       – early adopters
       – Newcastle University Library
     • EPICS
       – regional e-learning
       – 5 Universities inc. us, 2 FE colleges

  26. Slide 81: Authorisation, Clinical Teaching
     • a proverbial goldmine of privacy and confidentiality issues
     • Involvement of Newcastle FMSC

  27. Slide 82: Authorisation, Clinical Teaching
     • Shared students

  28. Slide 83: Authorisation, Clinical Teaching
     • In-house medical-oriented virtual learning environment (VLE)

  29. Slide 84: What we’ve done (1)
     • Technical-oriented guides
       – Local SSO (pubcookie)
       – Shibboleth Origin

  30. Slide 85: Guide to installing pubcookie

  31. Slide 86: Guide to installing shibboleth

  32. Slide 87: The guides
     Written for Red Hat AS 3.0 Linux:
     • most popular
     • will be supported for next 5 years
     • Mostly applicable to other Linux systems
     • Cheap ($60 per year…educational)
     Content:
     • Includes installation of all the required technologies for a Shibboleth deployment
     • Aimed solely at system administrators!

  33. Slide 88: The guides
     • Developed collaboratively
       – Written by Newcastle
       – Tested and proof-read by Durham
     • Creative Commons
     • In the process of hiring a technical author

  34. Slide 89: Creative Commons

  35. Slide 90: Future guides
     How to identify attributes and attribute stores:
     • Which attributes are useful
     • Identifying stores
     • Pros and cons of store types
     A managerial guide to getting shib:
     • what skill set you need in your team
     • Privacy data protection issues
     • Certificate provider issues
     • Negotiating in a federation

  36. Slide 91: The theory of our guides
     • Endorsed by link from pubcookie site
     • Possibly rolled into whatever the Americans come up with documentation-wise for shib 1.3
     • Looking for comments/feedback

  37. Slide 92: What we’ve done (2)
     • Shibboleth origin installation
     • Shibboleth federation testing (SDSS)
     • Glossary
     • Questionnaire

  38. Slide 93: http://iamsect.ncl.ac.uk/glossary/

  39. Slide 94: Questionnaire
     • Determine ‘baseline’ opinions
     • http://iamsect.ncl.ac.uk/questionnaire/

  40. Slide 95: Questionnaire

  41. Slide 96: A thought

  42. Slide 97: What we’re doing
     • Zope-based VLE
     • Blackboard VLE
     • Managerial documentation
     • Further events

  43. Slide 98: How to prepare for shibboleth
     Read the guides at: http://shibboleth.internet2.edu/shibboleth-docu
     Beware they are not user friendly
     Mix managerial concerns with technical concerns

  44. Slide 99: How to prepare for shibboleth
     Identify the following skill sets
     Ability to:
     Install secure SSL Apache web servers
     Install Apache Tomcat
     Some familiarity with Java
     Familiarity with Unix/Linux
     Technical staff to read the guides at http://iamsect.ncl.ac.uk/deliverables/

  45. Slide 100: How to prepare for shibboleth
     Technical needs:
     Identify password store or stores (how a federation can help)
     Get a web sign on system (helped by our docs)
     Identify attributes
     Establish a certificate provider (Globalsign)
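
The "stored vs. generated forms" issue raised on the eduPersonTargetedID slide, as an added example (not from the original slides and not Shibboleth's own code): a generated ID is recomputed from a secret salt, the user and the service, while a stored ID is a random value kept in a table. The HMAC-SHA256 construction, the salt, the user name and the service entity IDs are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import secrets

SCOPE = "ncl.ac.uk"  # scope taken from the slide's example value


def generated_targeted_id(salt: bytes, user: str, sp_entity_id: str) -> str:
    """Generated form: recomputed at every login, nothing to store.

    HMAC-SHA256 keyed with an IdP-wide secret salt is an assumption of
    this sketch, not the algorithm Shibboleth itself uses.
    """
    msg = sp_entity_id.encode() + b"\x00" + user.encode()
    digest = hmac.new(salt, msg, hashlib.sha256).digest()
    token = base64.urlsafe_b64encode(digest[:15]).decode()
    return f"{token}@{SCOPE}"


class StoredTargetedIds:
    """Stored form: one random value per (user, service), kept in a table."""

    def __init__(self):
        self._table = {}

    def get(self, user: str, sp_entity_id: str) -> str:
        key = (user, sp_entity_id)
        if key not in self._table:
            self._table[key] = secrets.token_urlsafe(15)
        return f"{self._table[key]}@{SCOPE}"

    def revoke(self, user: str, sp_entity_id: str) -> None:
        # Only the stored form can give one user a fresh pseudonym at one
        # service. The generated form needs a new salt, which changes
        # every user's ID at every service.
        self._table.pop((user, sp_entity_id), None)


if __name__ == "__main__":
    salt = b"constructed-demo-salt"              # constructed sample secret
    biosis = "https://biosis.example/shibboleth"  # hypothetical service IDs
    update = "https://update.example/shibboleth"
    # Same user, two services: the values cannot be correlated by the services.
    print(generated_targeted_id(salt, "nab12", biosis))
    print(generated_targeted_id(salt, "nab12", update))
    store = StoredTargetedIds()
    print(store.get("nab12", biosis))
```

The generated form loses every pseudonym if the salt is lost or leaked; the stored form survives that but needs a replicated, backed-up table at the identity provider.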
