1 The Road Ahead Jon Dowland, Cal Racey, University of Newcastle upon Tyne.

Slides:



Advertisements
Similar presentations
Shibboleth and UKAMF-FEAR not as scary as it sounds! Rhys Smith Cardiff University.
Advertisements

Lousy Introduction into SWITCHaai
Shibboleth at Cardiff University Lindsay Roberts Project Manager – Shibboleth Implementation Phase 2.
PERSEUS : Portal-enabled Resources via Shibbolized End-user Security 16 May 2005JISC Core Middleware Programme Meeting, Loughborough 1 PERSEUS Project.
Eduserv Athens Federations David Orrell Eduserv Athens Technical Architect.
College An insight Into the College VLE Graham Mason
Joint Information Systems Committee 01/04/2014 | | Slide 1 Single Sign-On Solutions Nicole Harris Programme Manager – JISC.
Shibbolising UK Census and ESDS services Lucy Bell Associate Director, Head of Information Systems and Preservation, UKDA 26 May 2005.
Next Generation Athens Services Ed Zedlewski UK e-Science Town Meeting, London, 11 April 2005.
Grouper Training End Users Lite UI – External Users
Preserving and Sharing Digital Data Greg Colati, Director, Archives and Special Collections May 11, 2012.
Access & Identity Management “An integrated set of policies, processes and systems that allow an enterprise to facilitate and control access to online.
April 22nd 2008 Internet2 Spring member meeting Caleb Racey Newcastle University UK Studies in Advanced Access Management.
Introduction to Shibboleth and the IAMSECT Project.
KC-ROLO Project Kidderminster College Repository Of Learning Objects Graham Mason & Ed Beddows.
2006 © SWITCH Group Management Tool Lukas Haemmerle
EduPerson and Federated K-12 Activities InCommon/Quilts Pilot Group February 27, 2014 Keith Hazelton UW-Madison, InCommon/I2.
Shibboleth at Newcastle Caleb Racey Webteam ISS Shibboleth experiences Program  Background  What shib has enabled  Benefits of shib  How to do shib.
JISC Metaleth Project Athens, Shibboleth and the University of Bristol 29 th January 2007.
1 Issues in federated identity management Sandy Shaw EDINA IASSIST May 2005, Edinburgh.
Beispielbild Shibboleth, a potential security framework for EDIT Lutz Suhrbier AG Netzbasierte Informationssysteme (
Tech Track: Attribute Delivery Newcastle University Caleb Racey
Dr Tony McDonald - FMSC Breaking Boundaries Dr Tony McDonald - FMSC
Case Study: Newcastle University
Peter Deutsch Director, I&IT Systems July 12, 2005
Web based single sign on Caleb Racey Web development officer Webteam, customer services, ISS.
Iamsect.ncl.ac.u k IAMSECT Inter-institutional Authorisation Management to Support eLearning with reference to Clinical Teaching Core Middleware Programme.
Web based single sign on Caleb Racey, Web development officer, Webteam, customer services, ISS IAMSECT project officer, Systems.
Shibboleth access management: a replacement for Athens and more? Mark Norman and Christian Fernau OUCS 21 June 2007.
Learning Management Systems Camp June 2004 Barry R Ribbeck UT HSC Houston Copyright, Barry Ribbeck, This work is the intellectual property of the.
CAMP Med Mapping HIPAA to the Middleware Layer Sandra Senti Biological Sciences Division University of Chicago C opyright Sandra Senti,
Australian Access Federation Robert Hazeltine Identity and Access Management Enterprise Systems Office.
Middleware challenges to service providers, the Nordic view TERENA, Ingrid Melve, UNINETT.
New Developments in Authentication and Access Management Alan Robiette JISC Development Group JISC-NSF-DLI2 Meeting, 2002.
EDU MANAGER Presented By : us at :
Integrating with UCSF’s Shibboleth system
Honeypot and Intrusion Detection System
I2Q & WMnet Pilot Presented by Jason Rousell – i2Q Jay Neale - i2Q.
AAI-enabled VO Platform “VO without Tears” Christoph Witzig EGI TF, Amsterdam, Sept 15, 2010.
UCLA Enterprise Directory Identity Management Infrastructure UC Enrollment Service Technical Conference October 16, 2007 Ying Ma
What is an MLE? “Software tools and digital content that support learning” Comprised of many different modules, such as an SMS, LMS, eportfolio tool, blog,
Social Identity Working Group Steve Carmody. Agenda Intro to Using Social Accounts Status and Recent News –Current UT Pilot –Current InCommon Pilot with.
Shibboleth On-line Authentication System Jon Browne Senior Consultant Drew Heald BSc (Hons), MPhil, MCP Systems Developer IBIS Business Consultants Ltd.
Portal-based Access to Advanced Security Infrastructures John Watt UK e-Science All Hands Meeting September 11 th 2008.
MAT U M A T U Middleware Assisted Take-Up Service For JISC Funded Early Adopters.
Shibboleth What is it and what is it good for? Chad La Joie, Georgetown University.
Community Sign-On and BEN. Table of Contents  What is community sign-on?  Benefits  How it works (Shibboleth)  Shibboleth components  CSO workflow.
New Developments in Access Management: Setting the Scene Alan Robiette JISC Development Group JISC-CNI Conference, June 2002.
Intra- to Inter-institutional Use of Shibboleth Bruce Vincent, Stanford University June 28, 2006.
The UK Access Management Federation John Chapman Project Adviser – Becta.
University of Washington Collaboration: Identity and Access Management Lori Stevens University of Washington October 2007.
Current Middleware Picture Tom Barton University of Chicago Tom Barton University of Chicago.
KC-ROLO Project Kidderminster College Repository Of Learning Objects Graham Mason & Ed Beddows.
Administrative Information Systems Shibboleth Install Session Technical Information Session for Developers Datta Mahabalagiri.
2-Oct-0101 October 2001 Directories as Middleware Keith Hazelton, Senior IT Architect University of Wisconsin-Madison Keith Hazelton, Senior IT Architect.
Shibboleth for Middle Schools James Burger -
Community Sign-On and BEN. Table of Contents  What is community sign-on?  Benefits  How it works (Shibboleth)  Shibboleth components  CSO workflow.
IT Services Shibboleth Single Sign-On overview. Overview What/where/why? The UK-Federation/Registration Terminology Configuration Protecting Content Benefits.
MIS Integration Set out expectations – overview of concepts. This isn’t a technical how-to guide – is too platform specific. Will be looking at the concepts.
e-Infrastructure Workshop 28th March 2006, University of Leeds
Network Services.
ESA Single Sign On (SSO) and Federated Identity Management
Getting Started.
Overview and Development Plans
Getting Started.
Supporting Institutions Towards a Shibbolized Infrastructure
Shibboleth 2.0 IdP Training: Introduction
KC-ROLO Project Kidderminster College – Repository Of Learning Objects
Presentation transcript:

1 The Road Ahead Jon Dowland, Cal Racey, University of Newcastle upon Tyne

Shibboleth Then said they unto him, Say now Shibboleth: and he said Sibboleth: for he could not frame to pronounce it right. Then they took him, and slew him at the passages of Jordan: and there fell at that time of the Ephraimites forty and two thousand. Judges 12:5-7

Shibboleth Shibboleth, is a bit like the duck which moves serenely through the water, but is paddling furiously beneath the surface. - Derek Morrison, the Auricle

Overview Who are we? Technical issues Managerial issues Future Developments

Inter-institutional Authorisation Management to Support eLearning with reference to Clinical Teaching Who are we?

6 Inter-institutional Newcastle –FMSC –ISS Durham –ISS

Who are we? Core-middleware project since ~July 04 Relationships with: –SAPIR (early adopters) –EPICS (distributed e-learning)

8 Technical Issues

First experiences Technical angle / software installation Hard.

Technical documents From first experiences –Installing Shibboleth on Redhat AS 3.0 and using pubcookie –Installing Pubcookie on Redhat AS 3.0 and authenticating against Windows Active Directory

Creative Commons

Authorisation, Clinical Teaching a proverbial goldmine of privacy and confidentiality issues Involvement of Newcastle FMSC

Shared students: Durham/Newcastle Authorisation, Clinical Teaching

Authorisation, Clinical Teaching In-house medical-oriented virtual learning environment (VLE) Shibbolized

MClinEd Medical Schools VLE Zope Shibboleth + Apache Local IdP Connected with Fast CGI –deprecated

Blackboard VLE Durhams Blackboard VLE Shibbolized –used with local IdP

19 Technical Issues Shibboleth Administration

Shibboleth administration The process of setting up an attribute: Aggregation Release Acceptance

Complexity <JDBCDataConnector id=" db6 " dbURL="jdbc:mysql://thing.ncl.ac.uk/OilDrum?user=thing &amp ;password=thing" dbDriver=" com.mysql.jdbc.Driver " maxActive="10" maxIdle="5"> SELECT course_code, CASE course_code WHEN 'A101' THEN 'urn:mace:ac.uk:sdss.ac.uk:entitlement:emol.sdss.ac.uk:restricted' WHEN 'A106' THEN 'urn:mace:ac.uk:sdss.ac.uk:entitlement:emol.sdss.ac.uk:restricted' WHEN 'O106' THEN 'urn:mace:ac.uk:sdss.ac.uk:entitlement:emol.sdss.ac.uk:restricted' WHEN '3019P' THEN 'urn:mace:ac.uk:sdss.ac.uk:entitlement:emol.sdss.ac.uk:restricted' WHEN '3384P' THEN 'urn:mace:ac.uk:sdss.ac.uk:entitlement:emol.sdss.ac.uk:restricted' WHEN '5826P' THEN 'urn:mace:ac.uk:sdss.ac.uk:entitlement:emol.sdss.ac.uk:restricted' ELSE 'none' END as sdssentitlement FROM CMstudentdata WHERE loginid = ?

Complexity ARP.xml EMOL service at EDINA urn:mace:ac.uk:sdss.ac.uk:provider:service:emol.sdss.ac.uk urn:mace:ac.uk:sdss.ac.uk:entitlement:emol.sdss.ac.u k:restricted

Complexity AAP.xml ^[M|m][E|e][M|m][B|b][E|e][R|r]$

Complexity No tools to help the admin (yet) Editing verbose opaque xml files by hand Looking in verbose opaque log files Asking others to look in verbose opaque log files at their end Security gets in the way Magic is cool flexible but hard to grasp.

25 Technical Issues Where to get help?

Technical help Us – Internet2 – – – – state.edu/twiki/bin/view/Shibboleth/WebHomehttps://authdev.it.ohio- state.edu/twiki/bin/view/Shibboleth/WebHome SDSS federation – –

27 Managerial Issues Complex Attributes

Complex attributes Use case Generation Problems Lessons learned

Complex attributes: Example Medic restrict Accessing medical content at EMOL Subset of resources e.g. Autopsy content Requires entitlement attribute: edupersonEntitlement urn:mace:ac.uk:sdss.ac.uk:entitlement:emol.sdss.ac.uk:restricted

Complex attributes: students Relatively easy for students- SimpleAttributeDefinition id="urn:mace:ac.uk:sdss.ac.uk:entitlement:emol.sdss.ac.uk sourceName="sdssentitlement SELECT course_code, CASE course_code WHEN 'A101' THEN 'urn:mace:ac.uk:sdss.ac.uk:entitlement:emol.sdss.ac.uk:restricted' WHEN 'A106' THEN 'urn:mace:ac.uk:sdss.ac.uk:entitlement:emol.sdss.ac.uk:restricted' ELSE 'none' END as sdssentitlement FROM CMstudentdata WHERE loginid = ? Find out if student is on one of three medical courses

Complex attributes: Staff Staff, registered manually over years Pick their own usernames, own address – most didnt address No connection between Athens id and Newcastle id NHS staff have ncl usernames Solution?

Lessons learned Complex attributes are hard All solutions assume you have good information to hand Medical user base is extremely complicated Need better information: Chicken and egg –No one will put system in place to record attribute until needed –No one will require an attribute unless already stored

Solution Need for a information reorganisation Registration and expiry to all different systems is unmanageable: Management system (ERPs) - SAP VLEs- blackboard, zope, moodle, Ness Library – metalib, reading lists, Athens Mail, Active directory, network, Proposal 1 central repository feeding many consumers:

Potential Tools to help Nexus and Open Metadirectory(OM) - tools for provisioning user accounts into different systems, -Potential to get good attributes. Grouper: aggregates existing group info -relies on having that info Signet: tool for managing and assigning privileges

37 Managerial Issues Supporting users

Support Issues Testing The need for testing How to test Access Problems: -why they will happen -what they look like -what should they look like

The need for testing The fantasy Shibboleth relies on accurate easily locatable institutional information The reality Information stores are: dispersed, inaccessible, incomplete, out of sync, conflicting. Attributes accuracy is a best effort not a certainty Things will go wrong

Examples EdupersonScoped Affiliation Ability to login should = ncl affiliation - NHS staff -101 edge cases EdupersonEntitlement medic restrict urn:mace:ac.uk:sdss.ac.uk:entitlement:emol.sdss.ac.uk:restricted Identifying medics is hard, There will be plenty of problems

The problem of testing How do you test access control setup for all the different user types? Test users are difficult to setup, In multiple attribute store scenario they have to be in all stores. some stores dont understand fake users

When things go wrong Middleware is invisible: - when it works - when it doesnt - users unaware of what success looks like, therefore unaware of failure -federated content means federated errors Similar to networking problems

Access to EMOL Access without proper scopedAffiliation

Access without medical entitlement Tells you something is wrong However no obvious route to rectify it Access to EMOL

Local VLE Access by non med school user What improperly registered medics see

46 Managerial Issues Legal Issues

Legal Issues Liability Initially assessed as medium-severity, low probability risk Could be a project in itself

48 Managerial Issues Where to get help?

Managerial Documents Drafts up –Introduction to Shibboleth Federations –Practical access to electronic journals using Shibboleth –Attribute identification and storage for Shibboleth

Managerial help Us – JISC – MRoadmap03_05.doc - Connecting People to Resourceshttp:// MRoadmap03_05.doc ?

51 Future developments

Standardisation OS Integration –apt-get install shibboleth-service-provider –(or whatever) Application support National federation

Odd ones out Identity Provider Industry/Academic/Clinical collaborations –Those without home institutions –Home institutions without Shibboleth

54 Conclusion

Optimism There are problems, however: Once setup it just works (!) Robust Recipes easy Building tools should be easy It enables cool stuff

56 Questions