Supporting education and research Access Management: the Campus Issues Alan Robiette, JISC Development Group.

18 June 2004, RUGIT Meeting, LSE

Topics
- Single sign-on on campus
  - Via portal or otherwise
- Integration with external resources
  - Athens, AthensDA and Shibboleth
- UKERNA wireless roaming project
- Implications for campus infrastructure planning
- [And what about the Grid...?]

The JISC vision
A next-generation AAA infrastructure must support the following scenarios:
- Internal (intra-institutional) applications as well as use between organisations
- Management of access to third-party digital library-type resources (as now)
- Inter-institutional use: stable, long-term resource sharing between defined groups (e.g. shared e-learning scenarios)
- Inter-institutional use: ad hoc collaborations, potentially dynamic in nature (virtual organisations or VOs)

VO characteristics
- A VO's members typically belong to more than one real organisation
  - Wishing to share resources across real-world organisational boundaries (often problematic in security terms)
- VO membership, which may be more or less formal, could be based on numerous criteria (discipline, project, course enrolment, personal interests...)
- The authority regulating VO membership could equally take many forms
- And timescales may be very varied also

Principles (1)
- Authentication is the responsibility of the user's home site
  - Requests to authenticate the user should be routed back to the home site and take place there
- National infrastructure will require institutionally-managed authentication services
  - Plus interfacing of these to other components to link to national services

Principles (2)
- Authorisation is the responsibility of the resource owner
  - Based on attributes supplied by the home site (and/or possibly other authorities)
- Workable systems depend on agreed attribute naming and sources of authority
- Progress towards more sophisticated management of digital rights (DRM) requires increased intelligence in the resource's decision engine

Other factors
- Internet2 and the NMI-EDIT programme
  - Funded by the US National Science Foundation to develop middleware in much the same areas
  - Initial award 2001; funding renewed in Autumn 2003
- NSF and Internet2 both welcome a complementary programme of work by JISC
  - (NMI-EDIT has deferred work on digital rights management and VO authorisation)

SSO on campus
- Single logon for a wide range of (usually nowadays) web-based services?
- JISC study reporting shortly
  - Looked at usability, portability, support, portal integration, etc.
  - CAS (Yale), WebAuth 3 (Stanford), Pubcookie (Washington/CMU), Cosign (Michigan)
  - A-Select (SURFnet)
  - Quick look at certificates and KX509

Some conclusions
- US universities' web-login systems: no clear winner
  - All had strengths and weaknesses
- A-Select: interesting newcomer meriting further work
  - Authentication "broker"
  - Front-ends many (optionally multiple) authentication methods
  - Wide range of applications
  - Commercial support available

External resources: Athens
- Now well embedded in UK HE
- Also well supported by publishers
- AthensDA offers integration with campus authentication schemes
  - Overcomes the dual namespace problem
- Proof of concept using certificates as user credentials also demonstrated
- Shibboleth gateway capability is planned (and included in the JISC service contract)

So why change?
- Athens today is still a single-supplier product/service
  - Software owned, maintained and developed by EduServ
  - Little international take-up as yet
- Athens design lacks the flexibility of more recent approaches
  - Not well adapted to intra-institutional or VO scenarios

UKERNA LIN project
- Intention to support "roaming": authenticated guest connection on visited campuses
- Mainly targeted at wireless use (though in principle also applicable to wired networks, e.g. UK Computers Plus?)
- Pilot begins Summer 2004
- Will require RADIUS infrastructure on participating campuses
- Eventual international capability

How will it work?
- User at visited site attempts to authenticate
  - Via login as user@home.domain
- Guest status recognised and request passed up to national RADIUS proxy
- Proxy recognises home.domain and passes request on to there
- Authentication validated by home domain RADIUS server
- Success/failure code passed back through the chain
- If "success", visitor dropped into Guest VLAN
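The chain on this slide, as an added simulation written for this page (it is not code from the LIN project, Radiator, or any RADIUS server): each hop routes purely on the realm after the "@", the national proxy holds no user database, only the home server sees credentials, and the visited campus assigns a VLAN solely on the Accept/Reject that comes back. The realms, users, passwords and the hop limit are constructed assumptions.

```javascript
// Reply codes that travel back along the chain, as in RADIUS.
const ACCEPT = 'Access-Accept';
const REJECT = 'Access-Reject';
const MAX_HOPS = 4; // forwards a request may take before a proxy drops it (assumed limit)

// Parse "name@realm"; the realm is the only thing the proxies route on.
function splitRealm(user) {
  const at = user.lastIndexOf('@');
  if (at <= 0 || at === user.length - 1) return null;
  return { name: user.slice(0, at), realm: user.slice(at + 1).toLowerCase() };
}

// A home site's RADIUS server. `users` (Map of name -> password) is a constructed
// in-memory store; a real server backs onto the campus directory or user database.
class HomeRadius {
  constructor(realm, users) { this.realm = realm; this.users = users; }
  authenticate(user, password, hops = 0) {
    const p = splitRealm(user);
    if (!p || p.realm !== this.realm) return { code: REJECT, reason: `${this.realm}: refusing request for a foreign realm` };
    if (this.users.get(p.name) === password) return { code: ACCEPT };
    return { code: REJECT }; // unknown user and wrong password look identical to the chain
  }
}

// A proxy forwards by realm, as the national proxy does; it holds no user database.
// The hop count stops two mis-configured proxies bouncing one request forever.
class RadiusProxy {
  constructor(name, routes) { this.name = name; this.routes = routes; } // routes: Map realm -> next hop
  authenticate(user, password, hops = 0) {
    const p = splitRealm(user);
    if (hops >= MAX_HOPS || !p) return { code: REJECT, reason: `${this.name}: dropping request for ${user}` };
    const next = this.routes.get(p.realm);
    if (!next) return { code: REJECT, reason: `${this.name}: realm ${p.realm} is not in the federation` };
    return next.authenticate(user, password, hops + 1);
  }
}

// The visited campus: its own users are checked locally; any foreign realm marks a
// guest, whose request goes up to the national proxy. Only an Access-Accept from
// the far end of the chain puts the visitor on the Guest VLAN.
class VisitedCampus {
  constructor(local, upstream) { this.local = local; this.upstream = upstream; }
  // Returns { vlan: 'campus' | 'guest' | null, reason }.
  connect(user, password) {
    const p = splitRealm(user);
    if (!p) return { vlan: null, reason: 'login must be of the form user@home.domain' };
    const isLocal = p.realm === this.local.realm;
    const reply = (isLocal ? this.local : this.upstream).authenticate(user, password, 0);
    if (reply.code !== ACCEPT) return { vlan: null, reason: reply.reason || 'rejected by home site' };
    return { vlan: isLocal ? 'campus' : 'guest' };
  }
}

// Wires two campuses and the national proxy together with constructed credentials.
function buildRoamingFederation() {
  const lse = new HomeRadius('lse.ac.uk', new Map([['alice', 'lse-pass']]));
  const ox = new HomeRadius('ox.ac.uk', new Map([['bob', 'ox-pass']]));
  const national = new RadiusProxy('national-proxy', new Map([['lse.ac.uk', lse], ['ox.ac.uk', ox]]));
  return new VisitedCampus(lse, national); // the user is sitting at LSE
}

function demoRoaming() {
  const visited = buildRoamingFederation();
  for (const [u, pw] of [['alice@lse.ac.uk', 'lse-pass'], ['bob@ox.ac.uk', 'ox-pass'],
                         ['bob@ox.ac.uk', 'wrong'], ['eve@nowhere.example', 'x']]) {
    console.log(u.padEnd(22), visited.connect(u, pw));
  }
}
demoRoaming();
```

The simulation hands the password itself to every hop, which is the one place it departs from a real 802.1X deployment: there the credential travels inside an EAP tunnel that only the home server can open, so the visited site and the national proxy relay the exchange without seeing the password and act only on the Accept or Reject that returns. Everything else (realm routing, no central user database, the hop limit, "unknown user" and "wrong password" being indistinguishable to intermediaries) carries over as shown.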

Requirements so far
- AthensDA requires:
  - A campus authentication regime which supports the AthensDA interface
  - Management of Athens "permission sets" to effect authorisation for Athens resources
- UKERNA LIN requires:
  - A RADIUS server (RADIATOR recommended) with a prescribed form of link to the national-level RADIUS proxy

Shibboleth
- An architecture developed by the Internet2 middleware community
- NOT an authentication scheme (relies on home site infrastructure to do this)
- NOT an authorisation scheme (leaves this to the resource owner)
- BUT an open, standards-based protocol for securely transferring attributes between home site and resource site
- Also provided as an open-source reference software implementation

How does it work?
(diagram slide; no text captured)

Technical details
- Currently works via HTTP redirects (but is being extended to other contexts)
- Assertions in SAML, digitally signed to ensure integrity
- Open source reference implementation
  - Apache/BSD-style licence
  - Apache, Tomcat, Java, OpenSAML...

Shibboleth pros
- Good international acceptance
  - US, Australia, some European countries
- Basic software now well tested
  - Around 30 US universities working with it seriously, plus several content vendors
  - Swiss national HE system deployment
- Satisfies the main requirements "out of the box"
  - Addresses digital library, shared e-learning and internal use scenarios

Shibboleth cons
- Software still lacks user-friendly management tools
- In its present state, still quite demanding to install and run
  - Might require outsourced or packaged services for smaller institutions?
- Relatively unsophisticated authorisation model
  - Single attribute authority
  - No generalised decision engine

How does it work?
(diagram slide; no text captured)

What needs to be done?
- Implement Shibboleth on JISC services
  - Provides a critical mass of Shibboleth-enabled resources
- Gain experience on campuses
  - In a variety of institutions
- Build the national components
  - Which are very few
- Charm offensive with publishers
- Plus development work to extend to VOs and more sophisticated DRM

Implications for campuses
- Shibboleth requires:
  - A campus authentication regime which supports the Shibboleth interface
  - An "attribute authority" holding the user attributes required for authorisation for the resource base served
    [Standard Shib software distribution allows for this to be an SQL database or LDAP directory]
- N.B. All this is strongly reminiscent of the AthensDA requirements

Migration
- Athens and Shibboleth can co-exist
  - Two-way Athens-Shib gateway is in the EduServ contract; work begins 2004
- Some institutions (particularly the smaller ones) could opt to stay with Athens long term?
  - As could smaller publishers...
- JISC could encourage migration by reducing the central subsidy
  - Though financial models would have to be carefully thought through

Certificates and the Grid
- End-user certificates likely to remain the basis of Grid security
  - Even considering evolution to mainstream web services
- However:
  - Trend is to remove certificates from the user environment (MyProxy, GridLogin)
  - Various projects (NSF/NMI, JISC) to link Grid authentication and identity management back into campuses, including Shibboleth integration

Summary
- Everything discussed depends on a comprehensive directory/user DB
  - A-Select (for example) can authenticate against a wide range of technologies, e.g. RADIUS, LDAP, userID/pwd files
  - RADIATOR can also use external user databases in many formats
  - AthensDA requires the same infrastructure (today)
- Much the same infrastructure will migrate to Shibboleth if/when desired

Questions?