1 herbert van de sompel CS 502 Computing Methods for Digital Libraries Cornell University – Computer Science Herbert Van de Sompel


Slide 1: CS 502 Computing Methods for Digital Libraries, Cornell University – Computer Science, Herbert Van de Sompel. Lecture 18: Cross-organizational authentication & authorization

Slide 2 (diagram labels): Users; Digital objects; Identification & authenticity; Attributes; Authentication; Roles; Permitted operations; Laws and agreements; Policies; Authorization; Information managers; Access

Slide 3: Users and roles: theory (diagram labels): authentication; roles database; attributes; policy-related limitations; roles; policy-related privileges; X; access; permitted operations

Slide 4: Users and roles: practice (diagram labels): authentication; roles database; attributes; policy-related limitations; roles; policy-related privileges; collection

Slide 5: Users and roles: practice (diagram labels): authentication; attributes; policy-related limitations; roles; policy-related privileges; collection; authentication = role

Slide 6: Users and roles: practice (diagram labels): authentication & authorization (combined); attributes; policy-related limitations; policy-related privileges; collection

Slide 7: Library: interoperability nightmare re access management (diagram). Resources: A&I (abstracting & indexing), image, FTXT (full text), OPAC, e-print. Multiple authorization and authentication processes, implicit or explicit.

Slide 8: Library: interoperability nightmare re access management (diagram). Resources: A&I, image, FTXT, OPAC, e-print. Authentication & authorization: the library's authorizations are related to the library's subscriptions; libraries try to make the process opaque to users.

Slide 9: Library: interoperability nightmare re access management (diagram). Resources: A&I, image, FTXT, OPAC, e-print.

Slide 10: Common access control approaches by Info Providers
- IP-address based: the IP address of the user requesting access is checked against the IP ranges of subscribing institutions
- browser-side authentication: the Info Provider's web server prompts the user's browser for username/password

Slide 11: WWW-Authenticate (see …)

Slide 12: Common access control approaches by Info Providers
- IP-address based: the IP address of the user requesting access is checked against the IP ranges of subscribing institutions
- browser-side authentication: the Info Provider's web server prompts the user's browser for username/password
- application-based authentication: the Info Provider's web application prompts the user's browser for username/password
- sometimes a combination of IP address and authentication

Slide 13: Common access control approaches by Libraries
If the Info Provider uses application-based authentication (the Info Provider's web application prompts the user's browser for username/password), then the Library (and the user) is in big trouble:
- list the passwords in the "library gateway"
- protect the passwords from outsiders
- but what if users try to access the resource directly (not via the library gateway)?
- considered very bad practice; only for "added-value" services (personalization)

Slide 14: Common access control approaches by Libraries
If the Info Provider uses browser-side authentication (the Info Provider's web server prompts the user's browser for username/password), then the Library can include the username and password in the connecting URL in the "library gateway" or linking server (SFX):
- but what if users try to access the resource directly?
- top-level links can be bookmarked

Slide 15: Common access control approaches by Libraries
If the Info Provider uses IP-address based access control (the IP address of the user requesting access is checked against the IP ranges of subscribing institutions), then the Library is somewhat OK regarding local (campus-based) access, but:
- the IP address range has to be communicated to info providers
- conflict with "regional" caching proxies
- dynamic IP addressing
- off-campus access: proxies (inside the IP range)
  - proxy configuration in the user's browser
  - rewriting proxy
  - the proxy will require authentication
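The IP-range check from slides 10 to 15, together with the caching-proxy and rewriting-proxy situations the slide lists, as an added example that is not part of the lecture; the institution names, CIDR blocks and addresses are constructed:

```python
# Added example (not from the lecture): the IP-address based access control that
# information providers apply, with the proxy pitfalls from the slides made visible.
# Institution names, CIDR ranges and addresses below are constructed.
import ipaddress
from typing import Dict, List, Optional

# Ranges that subscribing institutions have communicated to the provider.
SUBSCRIBER_RANGES: Dict[str, List[str]] = {
    "institution-a.example": ["192.0.2.0/24", "198.51.100.0/25"],
    "institution-b.example": ["203.0.113.0/26"],
}
# A "regional" caching proxy shared by several institutions; it sits outside
# every registered range, so requests it forwards look unaffiliated.
REGIONAL_PROXY = "203.0.113.200"
# The library's own rewriting proxy, placed inside institution-a's range.
LIBRARY_PROXY = "192.0.2.250"


def subscriber_for(client_ip: str) -> Optional[str]:
    """Return the subscribing institution whose range contains client_ip, else None."""
    addr = ipaddress.ip_address(client_ip)
    for institution, ranges in SUBSCRIBER_RANGES.items():
        if any(addr in ipaddress.ip_network(cidr) for cidr in ranges):
            return institution
    return None


def provider_decision(remote_addr: str) -> dict:
    """The decision as the provider's web server makes it: it only ever sees
    the peer address, never who is behind a proxy or a dynamic lease."""
    institution = subscriber_for(remote_addr)
    return {"client": remote_addr, "institution": institution,
            "allowed": institution is not None}


def via_library_proxy(user_authenticated: bool) -> dict:
    """Off-campus access through the library's rewriting proxy. The provider
    will see the proxy's in-range address and allow it, so the proxy itself
    must authenticate the user before forwarding anything."""
    if not user_authenticated:
        return {"client": None, "institution": None, "allowed": False,
                "denied_by": "library proxy"}
    decision = provider_decision(LIBRARY_PROXY)
    decision["denied_by"] = None
    return decision


if __name__ == "__main__":
    print(provider_decision("192.0.2.17"))      # on campus: allowed
    print(provider_decision(REGIONAL_PROXY))    # entitled user behind a regional proxy: denied
    print(via_library_proxy(user_authenticated=True))
```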

Slide 16: it's a big mess

Slide 17: Cross-organizational authentication and authorization efforts
- users from multiple higher education institutions
- users accessing multiple information providers
- Shibboleth (Internet2)
- Digital Library Authentication and Authorization Architecture (DLA3) (Digital Library Federation, David Millman, 1999)
Solution?

Slide 18: DLA3: general (diagram). Institution a, institution b, …, institution z; resources A&I, image, FTXT, OPAC, e-print. A single approach for authentication (certificates) and authorization (institutional LDAP).

Slide 19: DLA3: design principles
- privacy: no information identifying an individual should be exchanged with the information provider; it is enough for the information provider to know that a pseudo-anonymous individual is an authorized user from a subscribing institution
- partitioning of information: maintain admin information where it belongs, at the institution (cf. SFX/OpenURL); minimize institution-specific information at the info provider; the institution knows its users and knows which types of users have which level of access, …
- separate authentication from authorization: different members of an institution can have different access rights

Slide 20: DLA3: key architectural components
Authentication:
- the user has an X.509 certificate (delivered by a Certification Authority) (see …)
- the user will be requested to submit the certificate to the information provider when trying to access
- the X.509 certificate contains: information revealing the user's institution to the information provider; an extension field holding a query URL that leads into a record for the accessing user within the institutional authorization LDAP server (cf. SFX)

Slide 21: DLA3: authentication (diagram). Parties: institution a; FTXT provider (HTTP, authentication component). 1. request content; 2. request certificate; 3. send certificate; 4. check certificate: valid CA? user member of subscribing institution? valid certificate?

Slide 22: DLA3: key architectural components
Authorization: the institutional authorization LDAP server. An entry in the LDAP server contains ServiceClass triples:
- Vendor: defined by the IP (information provider), e.g. jstor.org, oclc.org, …
- Service Name: defined by the IP, e.g. jstor/, FirstSearch, …
- ServiceType: defined by the IP, accorded to the user by the institution, e.g. berkeley.edu,

Slide 23: DLA3: key architectural components
Authorization, continued:
- the information provider reads the query URL from the certificate extension and queries the institutional LDAP authorization server; this query requires the information provider to authenticate itself with the LDAP server
- the institutional LDAP server knows the accessing user (query URL) and knows the information provider the user is trying to access (authentication); it sends back the ServiceClass entries for the current user that correspond to the information provider the user is accessing
- the information provider compares the ServiceClass with the policies restricting access to the information the user wants to access

Slide 24: DLA3: authorization (diagram). Parties: institution a (LDAP); FTXT provider (HTTP, authentication component). 1. certificate; 2. check certificate: valid CA? valid certificate?; 3. query URL; 4. ServiceClass; 5. access
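The DLA3 authorization exchange of slides 20 to 24 (query URL in the certificate extension, vendor-filtered ServiceClass triples from the institutional directory, policy comparison at the provider), as an added model that is not the lecture's or the DLF's code; the record ids, the query-URL format and the directory contents are constructed:

```python
# Added example (not from the lecture or the DLF): a model of the DLA3
# authorization exchange. Identifiers, the query-URL format and the directory
# contents are constructed for the example.
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class ServiceClass:
    vendor: str        # defined by the information provider, e.g. "jstor.org"
    service_name: str  # defined by the information provider, e.g. "jstor/"
    service_type: str  # defined by the provider, accorded to the user by the institution


# Institutional authorization directory (stands in for the LDAP server), keyed by
# the opaque record id the certificate's query URL points to. No name or other
# identifying attribute is stored beside the triples (privacy principle).
INSTITUTIONAL_DIRECTORY: Dict[str, List[ServiceClass]] = {
    "u0001": [ServiceClass("jstor.org", "jstor/", "faculty"),
              ServiceClass("oclc.org", "FirstSearch", "student")],
    "u0002": [ServiceClass("oclc.org", "FirstSearch", "student")],
}

# Provider-side policy: which ServiceTypes may access each service (constructed).
PROVIDER_POLICY: Dict[str, Set[str]] = {"jstor/": {"faculty", "staff"}}


def record_id_from_query_url(query_url: str) -> str:
    """Read the record id out of the certificate's query-URL extension.
    Constructed form: https://authz.institution-a.example/dla3?uid=u0001"""
    marker = "?uid="
    if marker not in query_url:
        raise ValueError("query URL carries no record id")
    return query_url.split(marker, 1)[1]


def institutional_ldap_lookup(query_url: str, authenticated_vendor: str) -> List[ServiceClass]:
    """Steps 3 and 4: the institution answers only the provider that authenticated
    itself, and returns only that vendor's triples, so one provider never learns
    what the user is entitled to elsewhere."""
    uid = record_id_from_query_url(query_url)
    return [sc for sc in INSTITUTIONAL_DIRECTORY.get(uid, [])
            if sc.vendor == authenticated_vendor]


def provider_authorizes(vendor: str, service_name: str, query_url: str) -> Tuple[bool, List[str]]:
    """Step 5: compare the returned ServiceClass entries with the provider's
    own policy for the requested service."""
    permitted = PROVIDER_POLICY.get(service_name, set())
    matching = [sc.service_type for sc in institutional_ldap_lookup(query_url, vendor)
                if sc.service_name == service_name and sc.service_type in permitted]
    return bool(matching), matching
```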

Slide 25: DLA3: some considerations
Pro:
- generic model
- privacy
- administration of authorization in distributed resources is done by the institution
- definition of authorization levels by information providers
- tie-in with SFX/OpenURL: BASE-URL of service component
Con:
- deployment seems problematic due to the use of certificates: for servers; for clients (users): administration, portability, shared workstations