Shibboleth at USMAI David Kennedy Spring 2006 Internet2 Member Meeting, April 24-26, 2006 – Arlington, VA.

Presentation transcript:


USMAI Consortium of Libraries
Univ. System of Maryland and Affiliated Institutions
16 Libraries from the 12 campuses of the USM & 2 affiliated Maryland higher ed institutions
Began in 1982 with a subset of these institutions
Over 7,000,000 items in catalog
Approximately 200,000 patrons
Built on a resource sharing model
Hosted at the University of Maryland
Governed by the Council of Library Directors (CLD)

USMAI Consortium of Libraries
Shared IT products and services, e.g.:
– Systems Administration, Development, & Help Desk
– E-Resource licensing & procurement
– Consortium-wide ID management (patron database)
– Library Information Management System (Aleph)
– OpenURL resolver (SFX)
– E-Resource Portal (MetaLib)
– Proxy services (EZproxy)
– ILL (ILLiad)
– Institutional Repository (DSpace)
– E-Resource Management (Verde)

What is the problem?
Separate login process for each service
– IT Management: secure flow of data for each login process
– User: multiple logins
Different login credentials: library barcode, NetID, UID…

Why Shibboleth?
Other SSO solutions: PDS, CAS, Pubcookie
Shibboleth
– Secure handling of user attributes
– Flexibility to use different AuthZ criteria per service
– Designed to function across domains
– Ability to authenticate for different vendors’ products

Shib architecture
Shibboleth – an architecture for handling authentication and attribute assertion in a secure and controlled manner
Service Provider (SP) – resource
Identity Provider (IdP) – AuthN source
WAYF – Where Are You From
WebISO – Web Initial Sign On

Shib architecture

Investigation
Installed generic single institution IdP
Installed generic service provider (script that prints out attributes)
Proof of concept

Implementation
Chose EZproxy and Ex Libris’ Metalib/PDS as initial SPs
EZproxy was already Shibboleth-enabled, so easily configured
Had to implement multiple identity providers for institutions in the consortium

IdP Implementation
Multiple identity providers, hosted centrally
IdP designed for single institution
Different IdP configurations per institution
Modified WebISO – different directory per institution

Multiple Identity Providers – Virtually Separate
Totally separate identity providers as far as service providers are concerned
Unique access points
Separate trust relationships

EZproxy
Host EZproxy instances for 14 institutions
Now Shib-enabled
Access to online resources by user attributes

Metalib/PDS
Patron Directory Service
Single Sign On between Ex Libris applications
AuthN and AuthZ

Role of PDS in Shib Environment
Dual role of WAYF and SP
AuthN
AuthZ at the application level (Metalib, in our case)

PDS as WAYF
PDS to present list of institutions (WAYF)
Choice of institution redirects to an institution-specific URL within PDS

PDS as SP
Each URL protected by a different institution’s Identity Provider
IdP handles authentication and attribute assertion
SP receives attributes back from IdP and establishes PDS session

Shib SP configuration
Shibboleth.xml – settings for SP
Multiple applications defined, each with a different Identity Provider
RequestMap defined – map URLs to Shib applications
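The slide above describes one SP that hosts several "applications", each tied to a different institution's IdP, with a RequestMap deciding which application (and therefore which IdP) a given URL belongs to. The following is an added example, not code from the USMAI deployment or from the Shibboleth SP: the XML is a constructed, simplified stand-in for that layout (it only mimics the shape of a RequestMap and is not the real shibboleth.xml schema), and the resolver shows the longest-matching-Path rule that routes a PDS URL to its institution's IdP.

```python
# Added example: simplified model of "one SP, many applications, one IdP each".
# The XML below is constructed for this example and is NOT the real shibboleth.xml
# schema; hostnames, application ids and IdP entity ids are hypothetical.
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

SP_CONFIG = """
<SPConfig>
  <Applications>
    <Application id="default" idp="https://idp.example.edu/shibboleth"/>
    <Application id="campusA" idp="https://idp.campus-a.example.edu/shibboleth"/>
    <Application id="campusB" idp="https://idp.campus-b.example.edu/shibboleth"/>
  </Applications>
  <RequestMap applicationId="default">
    <Host name="pds.example.edu" applicationId="default">
      <Path name="pds/campusA" applicationId="campusA" requireSession="true"/>
      <Path name="pds/campusB" applicationId="campusB" requireSession="true"/>
    </Host>
  </RequestMap>
</SPConfig>
"""

def load_config(xml_text):
    """Parse the constructed config into (default app id, {app: idp}, {host: (app, paths)})."""
    root = ET.fromstring(xml_text)
    apps = {a.get("id"): a.get("idp") for a in root.iter("Application")}
    rmap = root.find("RequestMap")
    hosts = {}
    for host in rmap.findall("Host"):
        paths = [(p.get("name").strip("/"), p.get("applicationId"),
                  p.get("requireSession") == "true") for p in host.findall("Path")]
        hosts[host.get("name")] = (host.get("applicationId", rmap.get("applicationId")), paths)
    return rmap.get("applicationId"), apps, hosts

def resolve(url, config):
    """Return (applicationId, idp, requireSession) for a request URL.
    The longest matching Path wins; otherwise the Host default; otherwise the map default."""
    default_app, apps, hosts = config
    u = urlparse(url)
    path = u.path.strip("/")
    app, require = default_app, False
    if u.hostname in hosts:
        app, paths = hosts[u.hostname]
        best = -1
        for name, path_app, req in paths:
            if (path == name or path.startswith(name + "/")) and len(name) > best:
                best, app, require = len(name), path_app, req
    return app, apps.get(app), require
```

A request for /pds/campusA/login therefore lands in the campusA application and is sent to campus A's IdP, while a URL under a host or path the map does not know falls back to the default application.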

Logout
No logout provided in Shibboleth architecture
Created a logout for identity provider, with an optional redirect back to service provider
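An IdP-side logout that takes an optional "return to the SP" URL is exactly the kind of endpoint that needs its redirect target checked against the SPs the IdP actually trusts. The following is an added example, not code from the USMAI deployment: the SP allowlist, session store and landing page are constructed for the example.

```python
# Added example: IdP logout with an optional, validated redirect back to the SP.
# REGISTERED_SP_HOSTS and DEFAULT_LANDING are hypothetical values for this example.
from urllib.parse import urlparse

# Constructed allowlist: hostnames of the SPs this IdP has a trust relationship with.
REGISTERED_SP_HOSTS = {"ezproxy.example.edu", "pds.example.edu"}
DEFAULT_LANDING = "https://idp.example.edu/logged-out"

def safe_return_url(return_url, allowed_hosts=REGISTERED_SP_HOSTS):
    """Accept the optional return URL only if it is an absolute https URL whose host
    is a registered SP; anything else falls back to the IdP's own landing page."""
    if not return_url:
        return DEFAULT_LANDING
    u = urlparse(return_url)
    if u.scheme != "https" or not u.netloc or u.hostname not in allowed_hosts:
        return DEFAULT_LANDING
    # Reject userinfo tricks (https://sp.example.edu@attacker/) and odd ports.
    if u.username or u.password or u.port not in (None, 443):
        return DEFAULT_LANDING
    return return_url

def logout(session_store, session_id, return_url=None):
    """End the IdP session and return where the browser should be sent next.
    Only the IdP session is cleared here; each SP keeps its own session until it
    expires it, which is why the talk notes that the architecture has no logout."""
    session_store.pop(session_id, None)
    return safe_return_url(return_url)
```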

ILLiad
InterLibrary Loan software, Atlas Systems
Consortial implementation – 8 institutions
ILLiad is now Shib-aware, SSO
Future – ILLiad development to take advantage of other Shib attributes to facilitate user registration (v 7.2?)

Before

After

Project Details
Began investigation – March staff member
16 IdPs, 3 SPs into production, April
,000 logins per day
Hardware:
– Test – Sun Fire V480, 2x900MHz UltraSparc III, 8GB RAM (shared server)
– Production – Sun Fire V880, 4x900MHz UltraSparc III+, 16GB RAM (shared server)
Documentation

Challenges
Technical
– Consortium – virtually separate identity providers
– Logout
– LDAP – hook into our LDAP; single LDAP for all institutions, only use institution-specific attributes
Learning curve, needed concentrated chunks of staff time
Making Shibboleth a priority

What’s next?
Persistent Identifiers
We are rolling out more service providers
Aleph as SP by year end
Online resources, content providers
Working within consortium
– Library IdP using patron database
– Library IdP using campus directory
– Campus IdP using library service providers

David Kennedy
Shib project page: