Presentation is loading. Please wait.

Presentation is loading. Please wait.

ELAG Trondheim 2004 1 Distributed Access Control - BIBSYS and the FEIDE solution Sigbjørn Holmslet, BIBSYS, Norway Ingrid Melve, UNINET, Norway.

Similar presentations


Presentation on theme: "ELAG Trondheim 2004 1 Distributed Access Control - BIBSYS and the FEIDE solution Sigbjørn Holmslet, BIBSYS, Norway Ingrid Melve, UNINET, Norway."— Presentation transcript:

1 ELAG Trondheim 2004 1 Distributed Access Control - BIBSYS and the FEIDE solution Sigbjørn Holmslet, BIBSYS, Norway Ingrid Melve, UNINET, Norway

2 ELAG Trondheim 2004 2 Some definitions Authentication - Process of providing the identity of a user. (Who are you?) Authorization - Process of granting or denying access rights for a resource to an authenticated user. (What are you allowed to do?) Credentials - Information that includes identification and proof of identification that is used to gain access to resources. Examples of credentials are user names and passwords, smart cards, and certificates.

3 ELAG Trondheim 2004 3 Problems in a distributed environment Lots of credentials Lots of registration and logon procedures

4 ELAG Trondheim 2004 4 Distributed Access Control

5 ELAG Trondheim 2004 5 Single Sign On (SSO) SSO = challenges Technological issues proxies cookies timeout Security issues shared credentials different security levels trust

6 ELAG Trondheim 2004 6 The trend in distributed access control

7 ELAG Trondheim 2004 7 Some BIBSYS-facts BIBSYS is an integrated library system used by all Norwegian University Libraries, the National Library, all College Libraries, and a number of research libraries The BIBSYS users Primary users: Ca 2.500 librarians End users: Ca 600.000 – patrons (not all active) Ca 4000 – academic users (research document database) 1000+ – users of other different systems

8 ELAG Trondheim 2004 8 Access Control: A1 – Unix A2 – User file BIBSYS history of access control (the late eighties) Legacy System (cataloguing, search, etc) A1 = Authentication A2 = Authorization Users UNIX pw. file

9 ELAG Trondheim 2004 9 BIBSYS history of access control (mid. nineties) A1 = Authentication A2 = Authorization Access Control: A1 – Patron-ID, last name A2 – Access Control: A1 – Unix A2 – User file Legacy System Web search Patrons IP-list Access Control: A1 – IP-filtering A2 – ISI search Users UNIX pw. file

10 ELAG Trondheim 2004 10 Access Control: A1 – Apache password-file Access Control: A1 – Patron-ID, last name A2 – Access Control: A1 – Unix A2 – User file BIBSYS history of access control (late nineties) Legacy System Web search A1 = Authentication A2 = Authorization Some web service Patrons Apache pw. file IP-list Access Control: A1 – IP-filtering A2 – ISI search Users UNIX pw. file Access Control: A1 – Apache password-file Some web service Apache pw. file

11 ELAG Trondheim 2004 11 BIBSYS in the late nineties BIBSYS

12 ELAG Trondheim 2004 12 BIBSYS Access Control Project Goal: Provide interoperability between internal systems Offer access control to our patrons. Avoid administration overhead. Consider cross-organizational access control.

13 ELAG Trondheim 2004 13 BIBSYS Access Control Project We considered two commercial access control systems, Candle/Cactus ISOS/Athens. Conclusion: Too expensive BIBSYS is not the right institution to host a cross- organizational access control system for our end users. Decisions: Develop our own access control for internal use Wait and see for an cross-organizational solution.

14 ELAG Trondheim 2004 14 Common role based access control system A common A common role based access control system Only access-relevant information: credentials, roles, IPs Patrons Apache pw. file IP-list Users UNIX pw. file Apache pw. file

15 ELAG Trondheim 2004 15 Starting point A1 = Authentication A2 = Authorization Access Control: A1 – Apache password-file Access Control: A1 – Patron-ID, last name A2 – Access Control: A1 – Unix A2 – User file Legacy System Web search Some web service Patrons Apache pw. file IP-list Access Control: A1 – IP-filtering A2 – ISI search Users UNIX pw. file Access Control: A1 – Apache password-file Some web service Apache pw. file

16 ELAG Trondheim 2004 16 Result (ideal) Service A Service B Service C Service D Service E Common role based access control system

17 ELAG Trondheim 2004 17 Result (real) Implemented a new role based access control system We released new personalized services for patrons and librarians Low administration costs (machine-generated password by email) Still some systems use their old access control The wait and see strategy paid off – result: FEIDE

18 ELAG Trondheim 2004 18 Status of 2002 BIBSYS

19 ELAG Trondheim 2004 19 New challenge Offering our users access through the FEIDE system

20 ELAG Trondheim 2004 20 FEIDE (Federated Electronic Identity for Education) Goals of the FEIDE project: Establish a common, secure electronic identity for Norwegian academic users. Implement the academic sector's system for reliable user data handling, secure identification of internet-service users and assignment of user access-rights. Common data model for persons Standardization/development of user management systems Provide a central login server

21 ELAG Trondheim 2004 21 Integrating with the FEIDE system (I) One year ago we released a pilot using the FEIDE authentication Application: Personalized services for patrons and librarians Technology: Java Servlets, Tomcat server Objective: technical issues (not performance) Available for a limited group of users

22 ELAG Trondheim 2004 22 Integrating with the FEIDE system (II) Efforts to make it work Received a Java-library, a Servlet Filter and a certificate from FEIDE Configured Tomcat to use the Servlet Filter Configured the Servlet Filter

23 ELAG Trondheim 2004 23 Integrating with the FEIDE system (III) Experiences with the pilot Easy to implement No errors throughout the test period The users were satisfied

24 ELAG Trondheim 2004 24 Integrating with the FEIDE system (IV) One obstacle: How to map a FEIDE user to a BIBSYS user? Solution: The National Identity Number BIBSYS have to extend the user database to include The National Identity Number

25 ELAG Trondheim 2004 25 Overview of the logon process FEIDE BIBSYS (Tomcat servlet container) Filter User BIBSYS- services (servlet) MORIA AT (LDAP-server) AT (LDAP-server) AT (LDAP-servers) BIBSYS- services (servlets) 1 23 4 5 6 7 BIBSYS users 8 9

26 ELAG Trondheim 2004 26 Future plans Let the pilot go into production within 3-4 months Try out the Single Sign On features of FEIDE Make use of other user attributes than only the National Identity Number. (For authorisation and for updating our own user data)


Download ppt "ELAG Trondheim 2004 1 Distributed Access Control - BIBSYS and the FEIDE solution Sigbjørn Holmslet, BIBSYS, Norway Ingrid Melve, UNINET, Norway."

Similar presentations


Ads by Google