Spring 2012 Internet2 Member Meeting April 25, 2012 Russell Beall, University of Southern California Brendan Bellina, University of Southern California.

Slides:



Advertisements
Similar presentations
Open Grid Forum 19 January 31, 2007 Chapel Hill, NC Stephen Langella Ohio State University Grid Authentication and Authorization with.
Advertisements

ELAG Trondheim Distributed Access Control - BIBSYS and the FEIDE solution Sigbjørn Holmslet, BIBSYS, Norway Ingrid Melve, UNINET, Norway.
Identity Management at USC: Collaboration, Governance, Access Margaret Harrington Director, Organization Improvement Services Brendan Bellina Identity.
1 Collaborators at the Gates of Troy: Extending eServices at USC.
Emory University Case Study I2 Day Camp November 5, 2010 John Ellis & Elliot Kendall.
Manifest – the Service Application Manifest is our new service, with Grouper as its logic engine, to manage populations which are known to us and those.
CNI Fall 1998 Access Management Requirements and Approaches Joan Gargano California Digital Library
Agenda Project beginnings and funding. Purpose of the federation. Federation members. Federation protocols. Special features in our federation. Pilot.
Important when you launch Yammer Enterprise Create an engaged and trusted community Decide about User Profile Syncs Various User and Admin.
Widely Distributed Access Management Tom Barton University of Chicago.
Using Shibboleth as Your WebSSO Authentication System CAMP Shibboleth: Enabling Campus and Federated Single Sign-On June 27, 2006 Brendan Bellina Identity.
Shibboleth Service Providers: Ohio State Experiences Scott Cantor The Ohio State University Internet2/MACE © Scott Cantor This work.
GatorAid: Identity Management at the University of Florida Mike Conlon Director of Data Infrastructure
Federated Shibboleth, OpenID, oAuth, and Multifactor | 1 Federated Shibboleth, OpenID, oAuth, and Multifactor Russell Beall Senior Programmer/Analyst University.
Shibboleth 2.0 : An Overview for Developers Scott Cantor The Ohio State University / Internet2 Scott Cantor The Ohio.
UW Windows Authentication Group Multiple forest scenario task force - Testing report and recommendations.
SWITCHaai Team Federated Identity Management.
Unified Student-Centric Authentication and Authorization Nathan Wilder Special Assistant - Technology Office of the CIO.
Operating Systems & Information Services CERN IT Department CH-1211 Geneva 23 Switzerland t OIS CERN Single Sign-On Summer 2012 Updates Emmanuel.
External Identity and Authorization in GENI. Topics Federated identity and virtual organizations ABAC Creating and transporting attributes.
Group Management at Brown James Cramton Brown University April 24, 2007.
Shibboleth IdP Training: Productionalization January, 2009.
Tyler Schultz L&S Administration 1 Welcome to the presentation: “Cloud Storage – Welcome to UW Box,” this presentation was included in the “Campus IT Tools”
PCGRID ‘08 Workshop, Miami, FL April 18, 2008 Preston Smith Implementing an Industrial-Strength Academic Cyberinfrastructure at Purdue University.
Integrating with UCSF’s Shibboleth system
Penn Groups PennGroups Central Authorization System June 2009.
1 G A A new Document Control System “A new system to manage LIGO documents” Stuart Anderson Melody Araya David Shoemaker 29 September, 2008
NMI-EDIT CAMP Synopsis, ISCSI Storage Solution, Linux Blade Cluster, And Current State Of NetID By Jonathan Higgins Presentation Template available from.
Shibboleth: Installation and Deployment Scott Cantor July 29, 2002 Scott Cantor July 29, 2002.
Belnet Federation Belnet – Loriau Nicolas Brussels – 12 th of June 2014.
The I-Trust Federation: Federating the University of Illinois Keith Wessel Identity Management Service Manager University of Illinois at Urbana-Champaign.
Shibboleth for Real Dave Kennedy
Shibboleth at the U of M Christopher A. Bongaarts code-people June 2, 2011.
Openness and Extending Blackboard Software Asbed Bedrossian Otto Khera USC.
Social Identity Working Group Steve Carmody. Agenda Intro to Using Social Accounts Status and Recent News –Current UT Pilot –Current InCommon Pilot with.
Portal-based Access to Advanced Security Infrastructures John Watt UK e-Science All Hands Meeting September 11 th 2008.
Outsourcing Student at USC Institute for Computer Policy and Law Cornell University, August 2008 Asbed Bedrossian Director of Enterprise Applications.
Identity and Access Management Roadmap Presentations for Committee on Technology and Architecture March 21, 2012 Amy Day, MBA Director of GME IAM Committee.
Shibboleth: Installation and Deployment Scott Cantor July 29, 2002 Scott Cantor July 29, 2002.
Technical Topics for Deployed Campuses: Web SSO Will Norris University of Southern California.
Shibboleth: Early Experience at OSU Scott Cantor October 28, 2002 Scott Cantor October 28, 2002.
Community Sign-On and BEN. Table of Contents  What is community sign-on?  Benefits  How it works (Shibboleth)  Shibboleth components  CSO workflow.
Shibboleth: OSU Early Adoption Scenarios Scott Cantor April 10, 2003 Scott Cantor April 10, 2003.
Shibboleth at USMAI David Kennedy Spring 2006 Internet2 Member Meeting, April 24-26, 2006 – Arlington, VA.
Module 9 User Profiles and Social Networking. Module Overview Configuring User Profiles Implementing SharePoint 2010 Social Networking Features.
1 Earth System Grid Center for Enabling Technologies ESG-CET Security January 7, 2016 Frank Siebenlist Rachana Ananthakrishnan Neill Miller ESG-CET All-Hands.
1 Pinnacle Telephone Billing System Upgrade Open Forum I February 27, 2009.
Federated Shibboleth, OpenID, oAuth, and Multifactor | 1 Federated Shibboleth, OpenID, oAuth, and Multifactor Russell Beall Senior Programmer/Analyst University.
University of Washington Collaboration: Identity and Access Management Lori Stevens University of Washington October 2007.
Shibboleth at USMAI David Kennedy Spring 2006 Internet2 Member Meeting, April 24-26, 2006 – Arlington, VA.
Shibboleth Working Group, Fall 2010 Scott Cantor, OSU Chad LaJoie, Itumi, LLC.
Shibboleth 1.2 Technical Overview “So you thought 1.1 was complicated…” Scott Cantor The Ohio State University and Internet2 Scott Cantor.
CERN IT Department CH-1211 Genève 23 Switzerland t Single Sign On, Identity and Access management at CERN Alex Lossent Emmanuel Ormancey,
Networks ∙ Services ∙ People Mandeep Saini TNC15, Porto, Portugal Virtual organisation Authorisation Management Practices in Research and.
Introduction to Terra Dotta Applications Integration with Campus Data Systems for institutions beginning their software implementation.
1 Name of Meeting Location Date - Change in Slide Master Authentication & Authorization Technologies for LSST Data Access Jim Basney
UCTrust Integration for UC Grid David Walker University of California, Davis ucdavis.edu Kejian Jin University of California, Los Angeles kjin.
Community Sign-On and BEN. Table of Contents  What is community sign-on?  Benefits  How it works (Shibboleth)  Shibboleth components  CSO workflow.
Office of Information Technology GT Identity and Access Management JA-SIG CAS project (introducing login.gatech.edu) April 29th,
University of Southern California Identity and Access Management (IAM)
Shibboleth Identity Provider Version 3
Sakai ID & Access Management
LIGO Identity and Access Management
Applying Data Governance in Identity Management: To Serve and Protect
John O’Keefe Director of Academic Technology & Network Services
Federating with NIH, NSF, and the National Student Clearinghouse
ESA Single Sign On (SSO) and Federated Identity Management
University of Southern California Identity and Access Management (IAM)
Guests and Collaborators
TeraGrid Identity Federation Testbed Update I2MM April 25, 2007
Presentation transcript:

Spring 2012 Internet2 Member Meeting April 25, 2012 Russell Beall, University of Southern California Brendan Bellina, University of Southern California Scott Cantor, The Ohio State University Rob Carter, Duke University Supporting a Widely Deployed Campus Shibboleth Implementation

A modern fable… 2 – © 2012

3 – © 2012 In the Beginning there was the Shibboleth IdP… And it was Good. And readily supported. Shibboleth IdP

4 – © 2012 And some Central Services came to be integrated with the Shibboleth IdP… And it was Good. And Support was small and managed. IdP Portal LMS Wiki Developed Apps

Central Services 5 – © 2012 And then many Department Services were integrated with the Shibboleth IdP… And it was still Good. Though Support was strained. IdP Library Medical Law Registration HR More Developed Apps

Department Services Central Services 6 – © 2012 And then even External Providers were integrated with the IdP… And it was Still Good. And then Support … IdP Google Lynda.com Sharepoint Digital Measures And many, many more CollegeNet ExLibris Aetna EzProxy SciQuest TeraGrid

7 – © 2012

8 – © 2012 This could be you.

Applications may be central, departmental, or externally hosted Applications may be internally developed, open source, or vendor developed. Applications may require user provisioning just-in-time or ahead of time. Applications may not handle identifier changes well or at all. Applications may not allow merges. Departments may lack permanent staff for SP Support and expertise. Staff may leave and they may have relied upon contractors to establish the service. Expectation of 24x7x365 support for web applications accessible from any time zone. The technology scales, but does your support infrastructure? Some (not all) Things to Consider 9 – © 2012

The Ohio State University 10 – © 2012

University Environment 65,000 students, 28,000 employees 160,000 unique accounts Various “traditional” populations like alumni not given access to most campus services IT functions highly distributed Minimal funding/support of centralized infrastructure Shibboleth in production since 2004

IdP Environment Upgraded to 2.x last summer, also moved from Apache+Tomcat to Jetty Two Linux servers at separate data center locations, lots of CPU, low on RAM No clustering, deployed with extensions for attribute query handling and SSO via cookie IdP sessions are short-lived, traffic is pinned during user login sequence ~150,000 – 350,000 logins per day

SP Environment off-campus SPs, mostly InCommon members ~250 on-campus SPs Largely manual, -based registration and change management process “Trusted” customers with larger deployments maintaining their own signed metadata files for import by IdP

Support Model Had.25 FTE dedicated to operating the IdP and supporting SPs, bumped to.75 FTE for staffing redundancy Minimal local support for SP deployment, most questions directed to public lists Initial configuration files tailored to OSU environment provided with custom documentation on what to change

University of Southern California Shibboleth Support Model Russell Beall Senior Programmer/Analyst Information Technology Services University of Southern California Los Angeles, California, USA Brendan Bellina Manager Enterprise Identity Management Information Technology Services University of Southern California Los Angeles, California, USA

16  42,000 students; 17,500 employees; 4800 affiliates  92,000 Shibboleth-enabled accounts  Includes legacy student accounts retained for Google Apps  IT infrastructure:  moderately funded for centralized services  Highly distributed departmental IT functions as well University Environment

17  2.x since late 2007  Terracotta clustering since late 2008  Two Sun v440 machines in the cluster  Two zones on Sun 5240 machines in DR  IdP sessions last 8 hours  Some services using short SP sessions and forceAuthn  30K-60K authentications per day  40K-100K service logins per day IdP Environment

18  100+ on-campus SPs, soon to be 130+  29 off-campus SPs  Governance process required for registration  Requirements meeting(s) to document requirements  Formal campus IT-leader committee approval required  Blanket attribute release disallowed (perhaps until uApprove)  Each SP generally has different access groups and attributes anyway SP Environment

19  0.5 FTE dedicated to IdP support and managing SP integration into the IdP  SP admin group (small fraction of their time) for support of centralized SPs  Departments and vendors responsible for supporting their SP deployments  2 FTE outside of central ITS assist in managing and documenting requests and governance  Most user issues handled directly by CSC Support Model - Resources

20  Full-fledged “start-here” document with configuration generator application specialized to USC environment.   USC lists for Shibboleth IdP Admins, SP Admins, and Announcements. SP Admins are required to be on the lists.  Internally developed tool for displaying what attributes are released for a specific user to a specific SP. Helps when troubleshooting access issues. Support Model – Docs and Tools

21  Entitlement based authorization rather than attribute based. Entitlement assigned based on group memberships with a delegated tool for group administration for exceptions.  Require department applications that consume USCID to also consume Historical USCID.  Restrict release of non-persistent identifiers such as NetID, and instead release persistent identifiers.  No undocumented changes are made. Support Model - Policies

Duke University 22 – © 2012

Tourist Information ❖ University + Academic Health System + hospitals & clinics ❖ 6500 ugrad, 8500 grad, 3200 faculty, 30,000 staff (mostly in Health System) ❖ Counting alumni & affiliates, over 78,000 active accounts, 490,000 total identities (active & inactive)

IT Environment ❖ Roughly 50/50 central/departmental IT staff ❖ Central IT incorporates both OIT (spanning entire enterprise) and DHTS (Health System Central IT) ❖ PeopleSoft Student system & SAP HR/Payroll ❖ Traditional “free for all” in web space -- all clients/servers welcome

IAM Environment ❖ Kerberos since early 1990s ❖ LDAP since ca ❖ ERP linkages since early 2000s ❖ WebISO since early 2000s, starting with homegrown Webauth, transitioned to Shibboleth ca ❖ Grouper site since ca. 2005, now with >> 350,000 groups ❖ OIM since ca. 2008

Shibboleth IDP Environment ❖ IDP 2.x running atop Centos Linux systems w/ Apache + Tomcat + Terracotta ❖ 4 production primary IDPs w/ hw load balancing ❖ 2 Terracotta clusters -- one pair active at a time ❖ Dedicated LDAP attribute repository (3-way multimaster Oracle/Sun LDAP server farm) ❖ Back-end authN via Kerberos 5, integrated OpenID gateway, optional multifactor interface

Shibboleth IDP Environment ❖ Additional, unfederated dedicated IDPs for some internal purposes ❖ 50, ,000 logins per day (mean: 60,000) in primary IDPs, far less in unfederated internal IDPs

Shibboleth SP Environment ❖ 850 distinct SPs entity IDs registered (in local-sites.xml) ❖ 750 in full production, ca. 100 in test or ppt ❖ all but 40 are local -- roughly 1/3 of those are “cloud” services (SaaS) ❖ Growth rate has increased dramatically since late 2010, when we deployed current SP support tools SPs registered between 2005 and 2011, 400 in so far...

SP Owner Support Infrastructure ❖ Shibbolized web site for managing local SP registrations ❖ Owners authN with their NetIDs then see the SPs they’ve registered (or been designated as admins for) and can edit or add new registrations ❖ Optionally produces SP configuration XML based on basic information and some reasonable defaults ❖ Registrations complete in real-time -- usually up and running within a minute or two of clicking “create”

IDP Support Web Site

SP Infrastructure (cont’d) ❖ SP owners can register/deregister entirely via self-service in most cases; many can get their entire SP config from the tool ❖ Default ARP passes ePPN and ePA (for unfederated SPs); handful of attributes considered “public” can be added in real-time through the self-service interface; others require approval ❖ If a registration involves restricted attributes, the request is processed without, then when approved, ARP is updated ❖ Note: This ONLY applies to local, not InCommon, SPs

Questions 38 – © 2012

Contacting the Authors: Brendan Bellina, USC Russell Beall, USC Scott Cantor, OSU Rob Carter, Duke 39 – © 2012

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com. Inc. All rights reserved.