Shibboleth Today and Tomorrow

Over the last year, Shibboleth, the inter-institutional authorization system, has progressed from advanced testing to widespread deployment. This session will include campus case studies in transitioning from testing to production, including an introduction to the policy, technical, and transition issues each institution addressed. The Shibboleth roadmap for the coming year will be presented as well.

University at Buffalo: Closing In On Production Services
Salon I/II/III
Daniel Arrasjid, daniel@buffalo.edu

Speaker notes: This is the session we were talking about originally. After the tutorial session appeared as a possibility, we began to think of targeting this track session toward Shib novices, and using this session as a status update and a quick look at the Shib roadmap. I'd like to ask three deploy sites with significant experience to describe their use of Shib: original goals, applications, status, next steps, etc. Each speaker/site (except me) would have about 20 minutes. Of necessity, these presentations will be higher level and less detailed than the tutorial sessions, and will likely describe what you did rather than how you did it. And probably more background info than on Monday.

Copyright 2004 Daniel Arrasjid. Computing and Information Technology, University at Buffalo, Buffalo, New York 14260 USA. Permission to copy all or part of this material is granted provided that (a) the copies are not distributed for direct commercial benefit, (b) the University at Buffalo copyright notice is present, and (c) notice is given that copying is with permission of the University at Buffalo. To copy otherwise requires a fee, specific permission, or both.

22 February 2019
Agenda
- Overview of UB
- Goals and Drivers
- Applications
- Technical Considerations
- Current Status and Next Steps
Overview of UB
- Doctoral/research-extensive university; large and comprehensive public university
- 27,000+ students, 13,000+ employees
- Two main campuses; central and distributed IT
- Part of the SUNY system
- Existing identity management system (since 1997); Shibboleth planned for summer 2004
- The existing system matters: it already provisions services and directories, several thousand groupings are already defined, and policies on data access and group/attribute use are already in place
Goals and Drivers
- Key component (DCE) of identity management set to retire
- Business continuity and disaster recovery
- Virtualization of services, dynamic provisioning
- Applications requiring more robust attributes
- Library resource access management
- SUNY federation
Architecting for Business Continuity (two slides; diagrams not captured in text)
Applications: Web Application Farms (Summer 2004)
- Portal
- Transcripts
- Course registration
- Course applicability system
- Electronic payment
All of the above are currently housed on one large system.
Technical Challenges: Testing Shibboleth Against Our Needs
- Scalability, stability, performance
- Virtualization / web farms
Performance targets:
- 5500 WebISO transactions/hour (about 1.5 WebISO/second)
- WebISO transaction completes in under 3 seconds
Questions to answer:
- Does it scale with added hardware/CPU?
- Is it stable under load? Can it handle heavy loads?
- Does it support web server farms?
Technical Challenges: Stability and Performance Issues
- Shib 1.1 SHAR crashes under load on Solaris
- Shib 1.1 Tomcat returns error 500 every 100 HS requests
- Cosign adds too much overhead to WebISO
- Java SSL adds significant overhead
Results with Tomcat and native SSL (from Cosign):
- More than 1.8 WebISO/second
- WebISO transaction 2.5 seconds (5 seconds)
- Using one Dell 6650, 4x 2 GHz, for HS/WebISO/AA
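The targets on the previous slide (5500 WebISO/hour, under 3 seconds per transaction) and the "error 500 every 100 HS requests" symptom above are the kind of thing a load-test run should be checked for automatically rather than by eyeballing a log. The script below is an added example written for this page, not UB's or the Shibboleth project's code. It assumes an Apache access log in combined format with %D (request duration in microseconds) appended to each line, a Handle Service mounted at /shibboleth/HS (an assumed path), and it runs over a constructed twelve-line log rather than real UB traffic.

```python
"""Check a WebISO / Handle Service (HS) access log against load-test targets.

Added example, not UB's or Shibboleth's own code. Assumes an Apache access
log in combined format with %D (request duration in microseconds) appended:
  LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %D"
"""
import math
import re
from datetime import datetime

# Targets from the slides: 5500 WebISO/hour (about 1.5/s), under 3 s per transaction.
TARGET_RATE_PER_SEC = 5500 / 3600
TARGET_LATENCY_SEC = 3.0
HS_PATH = "/shibboleth/HS"  # assumed path of the Handle Service on the origin

LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" (?P<usec>\d+)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: ten HS requests over six seconds (one failing with 500)
# plus two unrelated requests that must be ignored. Not real UB traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [10/Mar/2004:09:00:00 -0500] "GET /shibboleth/HS?target=https%3A%2F%2Ftarget.example.edu%2F HTTP/1.1" 302 0 "-" "Mozilla/5.0" 800000
192.0.2.11 - - [10/Mar/2004:09:00:00 -0500] "GET /shibboleth/HS?target=https%3A%2F%2Ftarget.example.edu%2F HTTP/1.1" 302 0 "-" "Mozilla/5.0" 1200000
192.0.2.12 - - [10/Mar/2004:09:00:01 -0500] "GET /images/logo.gif HTTP/1.1" 200 4521 "-" "Mozilla/5.0" 3000
192.0.2.13 - - [10/Mar/2004:09:00:01 -0500] "GET /shibboleth/HS?target=https%3A%2F%2Ftarget.example.edu%2F HTTP/1.1" 302 0 "-" "Mozilla/5.0" 950000
192.0.2.14 - - [10/Mar/2004:09:00:01 -0500] "GET /shibboleth/HS?target=https%3A%2F%2Ftarget.example.edu%2F HTTP/1.1" 500 611 "-" "Mozilla/5.0" 2100000
192.0.2.15 - - [10/Mar/2004:09:00:02 -0500] "GET /shibboleth/HS?target=https%3A%2F%2Ftarget.example.edu%2F HTTP/1.1" 302 0 "-" "Mozilla/5.0" 1400000
192.0.2.16 - - [10/Mar/2004:09:00:02 -0500] "GET /shibboleth/HS?target=https%3A%2F%2Ftarget.example.edu%2F HTTP/1.1" 302 0 "-" "Mozilla/5.0" 700000
192.0.2.17 - - [10/Mar/2004:09:00:03 -0500] "POST /shibboleth/AA HTTP/1.1" 200 2048 "-" "Shibboleth SHAR" 120000
192.0.2.18 - - [10/Mar/2004:09:00:03 -0500] "GET /shibboleth/HS?target=https%3A%2F%2Ftarget.example.edu%2F HTTP/1.1" 302 0 "-" "Mozilla/5.0" 2400000
192.0.2.19 - - [10/Mar/2004:09:00:04 -0500] "GET /shibboleth/HS?target=https%3A%2F%2Ftarget.example.edu%2F HTTP/1.1" 302 0 "-" "Mozilla/5.0" 1100000
192.0.2.20 - - [10/Mar/2004:09:00:04 -0500] "GET /shibboleth/HS?target=https%3A%2F%2Ftarget.example.edu%2F HTTP/1.1" 302 0 "-" "Mozilla/5.0" 900000
192.0.2.21 - - [10/Mar/2004:09:00:05 -0500] "GET /shibboleth/HS?target=https%3A%2F%2Ftarget.example.edu%2F HTTP/1.1" 302 0 "-" "Mozilla/5.0" 1300000
"""


def parse_line(line):
    """Return a record for one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = m["req"].split(" ")
    path = parts[1].split("?", 1)[0] if len(parts) >= 2 else ""  # drop query string
    return {
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "path": path,
        "status": int(m["status"]),
        "latency": int(m["usec"]) / 1e6,  # microseconds -> seconds
    }


def percentile(values, pct):
    """Nearest-rank percentile; pct in (0, 100]."""
    ordered = sorted(values)
    k = max(1, math.ceil(pct / 100 * len(ordered)))
    return ordered[k - 1]


def evaluate(log_text, path=HS_PATH):
    """Measure throughput, latency and 5xx rate for one endpoint against the targets."""
    recs = [r for r in map(parse_line, log_text.splitlines()) if r and r["path"] == path]
    if not recs:
        raise ValueError(f"no requests for {path} in log")
    span = (max(r["ts"] for r in recs) - min(r["ts"] for r in recs)).total_seconds()
    window = span + 1.0  # timestamps have 1 s resolution, so the last second counts too
    latencies = [r["latency"] for r in recs]
    errors = sum(1 for r in recs if r["status"] >= 500)
    result = {
        "requests": len(recs),
        "window_sec": window,
        "rate_per_sec": len(recs) / window,
        "p95_latency_sec": percentile(latencies, 95),
        "max_latency_sec": max(latencies),
        "server_error_rate": errors / len(recs),
    }
    result["meets_rate"] = result["rate_per_sec"] >= TARGET_RATE_PER_SEC
    result["meets_latency"] = result["max_latency_sec"] <= TARGET_LATENCY_SEC
    result["meets_errors"] = errors == 0  # any 5xx from the HS is a failed sign-on
    return result


if __name__ == "__main__":
    for key, value in evaluate(SAMPLE_LOG).items():
        print(f"{key:>20}: {value}")
```

On the constructed log the rate and latency checks pass (10 requests in a 6 s window, worst transaction 2.4 s) while the error check fails because of the single HTTP 500, which is exactly how the intermittent Tomcat failure on the slide would surface in a longer run. Percentiles use nearest-rank, so the p95 of a small sample is simply its largest value; for a real hour-long run the p95 and the maximum will differ and both are worth watching.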
Virtualized Services (diagram not captured in text)
Transition to Production
- Applications: migrate applications to the web farm model; migrate applications to use Shibboleth instead of the legacy sign-on (mod_auth_dce)
- Certificate authority: VeriSign certificates in a web farm model ($250/server/year)
- InQueue and InCommon: start in InQueue, move to InCommon
- Staff training: IDM support team, application developers
- Equipment
Status
- Pre-production environment in place
- Load testing complete
- Web application farm installed and configured
- Shibboleth development team involved with issues
- Training of IDM support team
Status: Next Steps
- Test Shibboleth 1.2
- Install and configure the production origin farm
- Complete virtualization of WebISO
- Move the LDAP service to multi-master replication
- Configure source-IP NAT on the CSS 11K load balancer
- Complete training and support documentation
- Refine and document the process for bringing on new targets
Status: Next Steps
- Work out schema governance; the AD governance model might be a good straw man
- Attribute policy for LDAP mirrors what we have in the legacy (DCE) system: attributes are grandfathered under the legacy DCE authorization policies
- Focus on central services first; expect the distributed IT community to have keen interest
Costs* and System Configurations
- LDAP: 440 hours*; 4x Sun Enterprise 280, 2x 900 MHz CPUs, 2 GB RAM, Sun crypto accelerator cards, Solaris, Sun ONE Directory Server; $54,000
- Kerberos: 365 hours*; 4x Sun V120, 650 MHz CPU, 512 MB RAM, Solaris, Kerberos 5; $14,000
- Shibboleth Origin/AA/Cosign: 460 hours*; 8x Dell 6650, quad Xeon 3.2 GHz, 2 GB RAM, Red Hat Advanced Server; $35,000
- Total: 1,265 hours*; $103,000
*Estimated
Identity Management and Shibboleth: Acknowledgements
Joel Murphy, Len Swiat, Lisa Maira, Dan Boyd, Dennis Gilhooley, Rob Wright, Kathy Murphy, Matt Stock, Eddy Arrasjid, Ewa Arrasjid, Jim Brandt, UB's Distributed IT Community, and our friends at OSU, PSU, Ohio U, and Cal Poly Pomona