ELAG Trondheim 2004. Distributed Access Control - BIBSYS and the FEIDE solution. Sigbjørn Holmslet, BIBSYS, Norway; Ingrid Melve, UNINETT, Norway.

Presentation transcript:


Some definitions
- Authentication: the process of proving the identity of a user. (Who are you?)
- Authorization: the process of granting or denying access rights for a resource to an authenticated user. (What are you allowed to do?)
- Credentials: information that includes identification and proof of identification, used to gain access to resources. Examples of credentials are user names and passwords, smart cards, and certificates.

Problems in a distributed environment
- Lots of credentials
- Lots of registration and logon procedures

Distributed Access Control

Single Sign On (SSO): SSO = challenges
- Technological issues: proxies, cookies, timeout
- Security issues: shared credentials, different security levels, trust

The trend in distributed access control

Some BIBSYS facts
- BIBSYS is an integrated library system used by all Norwegian university libraries, the National Library, all college libraries, and a number of research libraries.
- The BIBSYS users:
  - Primary users: ca. librarians
  - End users: ca. patrons (not all active); ca. 4000 academic users (research document database); users of other different systems

BIBSYS history of access control (the late eighties). A1 = Authentication, A2 = Authorization.
- Legacy System (cataloguing, search, etc.), used by Users: A1 – Unix (UNIX password file); A2 – User file

BIBSYS history of access control (mid nineties). A1 = Authentication, A2 = Authorization.
- Legacy System, used by Users: A1 – Unix (UNIX password file); A2 – User file
- Web search, used by Patrons: A1 – Patron-ID and last name; A2 – (none)
- ISI search: A1 – IP-filtering (IP-list); A2 – (none)

BIBSYS history of access control (late nineties). A1 = Authentication, A2 = Authorization.
- Legacy System, used by Users: A1 – Unix (UNIX password file); A2 – User file
- Web search, used by Patrons: A1 – Patron-ID and last name; A2 – (none)
- ISI search: A1 – IP-filtering (IP-list); A2 – (none)
- Some web service: A1 – Apache password file
- Some web service: A1 – Apache password file

BIBSYS in the late nineties

BIBSYS Access Control Project. Goal:
- Provide interoperability between internal systems
- Offer access control to our patrons
- Avoid administration overhead
- Consider cross-organizational access control

BIBSYS Access Control Project. We considered two commercial access control systems, Candle/Cactus and ISOS/Athens.
- Conclusion: too expensive. BIBSYS is not the right institution to host a cross-organizational access control system for our end users.
- Decisions: develop our own access control for internal use; wait and see for a cross-organizational solution.

Common role based access control system
- A common role based access control system holding only access-relevant information: credentials, roles, IPs
- Consolidates the existing sources: Patrons (Apache password file, IP-list) and Users (UNIX password file, Apache password file)

Starting point (the late-nineties situation). A1 = Authentication, A2 = Authorization.
- Legacy System, used by Users: A1 – Unix (UNIX password file); A2 – User file
- Web search, used by Patrons: A1 – Patron-ID and last name; A2 – (none)
- ISI search: A1 – IP-filtering (IP-list); A2 – (none)
- Some web service: A1 – Apache password file
- Some web service: A1 – Apache password file

Result (ideal): Service A, Service B, Service C, Service D and Service E all behind the common role based access control system

Result (real)
- Implemented a new role based access control system
- We released new personalized services for patrons and librarians
- Low administration costs (machine-generated password by )
- Still some systems use their old access control
- The wait and see strategy paid off – result: FEIDE

Status of 2002: BIBSYS

New challenge: offering our users access through the FEIDE system

FEIDE (Federated Electronic Identity for Education). Goals of the FEIDE project:
- Establish a common, secure electronic identity for Norwegian academic users.
- Implement the academic sector's system for reliable user data handling, secure identification of internet-service users and assignment of user access rights.
- Common data model for persons
- Standardization/development of user management systems
- Provide a central login server

Integrating with the FEIDE system (I). One year ago we released a pilot using the FEIDE authentication.
- Application: personalized services for patrons and librarians
- Technology: Java Servlets, Tomcat server
- Objective: technical issues (not performance)
- Available for a limited group of users

Integrating with the FEIDE system (II). Efforts to make it work:
- Received a Java library, a Servlet Filter and a certificate from FEIDE
- Configured Tomcat to use the Servlet Filter
- Configured the Servlet Filter

Integrating with the FEIDE system (III). Experiences with the pilot:
- Easy to implement
- No errors throughout the test period
- The users were satisfied

Integrating with the FEIDE system (IV). One obstacle: how to map a FEIDE user to a BIBSYS user?
- Solution: the National Identity Number
- BIBSYS has to extend the user database to include the National Identity Number
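As an added illustration (not code from the presentation, from BIBSYS or from FEIDE's library), a servlet filter in the spirit of the pilot: it assumes the FEIDE-supplied filter has already authenticated the user and left the National Identity Number in the session attribute `feide.nin` (a hypothetical attribute name), maps that number to a BIBSYS user record, and enforces the role that the common role based access control system requires for the URL. The user table, identity numbers and `requiredRole` init parameter are constructed sample data.

```java
import java.io.IOException;
import java.util.Map;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical filter, mapped in web.xml after the FEIDE authentication filter.
public class BibsysUserMappingFilter implements Filter {
    // Constructed sample of the extended BIBSYS user database: National Identity
    // Number -> BIBSYS roles. The numbers are made up, not real persons.
    private static final Map<String, Set<String>> ROLES_BY_NIN = Map.of(
        "01010112345", Set.of("patron"),
        "02020254321", Set.of("patron", "librarian"));

    private String requiredRole; // role demanded for the mapped URLs, e.g. "librarian"

    @Override
    public void init(FilterConfig cfg) {
        requiredRole = cfg.getInitParameter("requiredRole");
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        HttpServletResponse out = (HttpServletResponse) res;
        HttpSession session = http.getSession(false);
        // "feide.nin" is an assumed attribute name set by the upstream FEIDE filter.
        Object nin = session == null ? null : session.getAttribute("feide.nin");
        if (nin == null) {
            // A1 failed: no authenticated FEIDE identity in this session.
            out.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        Set<String> roles = ROLES_BY_NIN.get(nin.toString());
        if (roles == null) {
            // Authenticated at FEIDE but unknown to BIBSYS: the mapping obstacle.
            out.sendError(HttpServletResponse.SC_FORBIDDEN, "no BIBSYS user for this identity");
            return;
        }
        if (requiredRole != null && !roles.contains(requiredRole)) {
            // A2 failed: the BIBSYS user lacks the role this service requires.
            out.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        req.setAttribute("bibsys.roles", roles); // hand the role set to the servlet
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {}
}
```

The filter deliberately keeps only the access-relevant data the slides name (identity number and roles); any further FEIDE attributes would be consumed by the servlets behind it, not stored here.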

Overview of the logon process (diagram). Components shown: the User; BIBSYS (Tomcat servlet container) with the Filter in front of the BIBSYS services (servlets); the BIBSYS users database; and on the FEIDE side MORIA and the AT (LDAP servers). Only steps 8 and 9 of the numbered flow survive in the transcript.

Future plans
- Let the pilot go into production within 3-4 months
- Try out the Single Sign On features of FEIDE
- Make use of other user attributes than only the National Identity Number (for authorisation and for updating our own user data)