ICDL 2004, New Delhi
Access Management for Digital Libraries in a well-connected World
John Paschoud, SECURe Project, London School of Economics Library
Introduction
InfoSystems Engineer at the LSE Library - The British Library of Political & Economic Science (“the World’s largest library dedicated to the social sciences”)
…responsible for applied research projects, with external funding (JISC, EC, SURF, NSF…)
I am not a “Dr.”, but an “Eng.”(ineer)
…so I have no competence to decide what should be in the digital library
…but I do know how to build the shelves!
Summary
Access Management – key to DL security
Principles of Access Management
What the UK has now: Athens, GRID PKI
What the UK is moving towards
Distributed technology: Shibboleth & SAML
Demands on libraries & universities
Why is Access Management so important?
Library users (and where they want to study from) are more diverse
Library resources (and where they are physically and legally held) are more diverse
Resource owners want to maximise $$$
Users (researchers) need to maximise the currency of their knowledge
Libraries have limited $$$!
Principles of Access Management
4 processes:
–Registration, AutheNtication, AuthoriZation, Accounting
Membership institutions (university, library, etc.) must control Reg and AuthN
Resource hosts must control AuthZ
Users must control their own privacy (of attributes, identity)
Security must be appropriate (for the value of the resources protected)
Scalability must be cross-domain, global (mostly)
after Clifford Lynch, Coalition for Networked Information
UK Current Assets
Athens: username/password based service for unifying access to digital library resources
–Mainly licensed via JISC consortium deals
–Over 2 million current usernames
–Username/password database; maintenance devolved to institutions
–Around 500 HE and FE institutions use the Athens service
–Around 200 licensed resources are controlled via Athens
–A high proportion of the major academic publishers have now implemented Athens
UK e-Science CA: service for issuing digital certificates for access to Grid-type resources
–Based on OpenCA software (with local modifications)
–Verification of user identities carried out by trusted RAs around the community
–Current scale of operation: a few hundred certificates per year
UK current challenges
Athens uses a single centralised database of users, and its own proprietary protocols
–Little international take-up as yet
–Design lacks the flexibility and scalability of more recent approaches
e-Science CA is similarly centrally administered, and hard to scale up
UK current actions
AAA Programme (2002-2004)
–Experiments with newer AM technologies and architectural models
–(SECURe Project was the main vehicle to test and liaise with Shibboleth development)
Foundation studies (2004):
–Digital Rights Management
–Institutional Profiling
–Single sign-on technologies
–Feasibility of a national certificate issuing service
–Policy management with PERMIS
–Assessment of eduPerson & similar schemas
Core Middleware Programme (2004-2006)
–Invites larger-scale experiments, tackling problems like “virtual organisations” of users, and secure resource access via university or library portals
New Shibboleth-based service infrastructure (2004-2006)
What is Shibboleth? (ancient)
A word which was made the criterion by which to distinguish the Ephraimites from the Gileadites. The Ephraimites, not being able to pronounce “sh”, called the word sibboleth. See: Judges xii (Jewish or Christian Bible)
Hence, the criterion, test, or watchword of a party; a party cry or pet phrase.
Webster's Revised Unabridged Dictionary (1913)
after Michael Gettes, Duke University & Shibboleth Project Team
What is Shibboleth? (modern)
An initiative to develop an architecture and policy framework supporting the sharing - between domains - of secured web resources and services
A project delivering an open source implementation of the architecture and framework
Deliverables:
–Software for Origins (campuses)
–Software for Targets (vendors)
–Operational Federations (scalable trust)
after Michael Gettes, Duke University & Shibboleth Project Team
Shibboleth Goals
Use federated administration as the lever; have the enterprise broker most services (authentication, authorization, resource discovery, etc.) in inter-realm interactions
Provide security while not degrading privacy.
–Attribute-based Access Control
Foster inter-realm trust fabrics: federations and virtual organizations
Leverage campus expertise and build rough consensus
Influence the marketplace; develop where necessary
Support for heterogeneity and open standards (SAML++)
after Michael Gettes, Duke University & Shibboleth Project Team
Attribute-based Authorization
Identity-based approach
–The identity of a prospective user is passed to the controlled resource and is used to determine (perhaps with requests for additional attributes about the user) whether to permit access.
–This approach requires the user to trust the target to protect privacy.
Attribute-based approach
–Attributes are exchanged about a prospective user until the controlled resource has sufficient information to make a decision.
–This approach does not degrade privacy.
after Michael Gettes, Duke University & Shibboleth Project Team
How does it work?
Hmmmm…. It’s magic. (or: You can ask me later)
after Michael Gettes, Duke University & Shibboleth Project Team
How does it work? (diagram)
after SWITCH, Switzerland
Who else is interested?
US NSF (they have paid for most of it)
JISC, UK
SWITCH, Switzerland (they have a whole-country Shibboleth Federation already)
SURF, Netherlands
Many resource owners (they need to follow what their market is doing)
Many software suppliers (WebCT, Blackboard, uPortal)
Challenges for Libraries
Reliable Access Management will be a requirement
“Installing Shibboleth” is easy, but…
To do Access Management, a university or library also needs:
–Identity Management: directories of users and attributes (and all the technical infrastructure)
–Policies on user privacy and vendor licences
–To collaborate, forming national or international federations for access to resources
Middleware is invisible (when it works!) – so justifying costs to management is not easy
Questions?
Project info: www.angel.ac.uk/SECURe
Contact: j.paschoud@lse.ac.uk
Shibboleth AA Process
after Michael Gettes, Duke University & Shibboleth Project Team
Actors: Users; Home Org (Handle Service HS, User DB, Attribute Authority AA); Resource Owner (SHIRE, SHAR, Resource Manager); WAYF
1. User → Resource (SHIRE): request for the resource
2. SHIRE: “I don’t know you. Not even which home org you are from. I redirect your request to the WAYF”
3. WAYF: “Please tell me where are you from?”
4. WAYF: “OK, I redirect your request now to the Handle Service of your home org.”
5. HS: “I don’t know you. Please authenticate using WEBLOGIN”
6. User → User DB: credentials
7. HS: “OK, I know you now. I redirect your request to the target, together with a handle”
8. SHAR (sends handle): “I don’t know the attributes of this user. Let’s ask the Attribute Authority”
9. AA (returns attributes): “Let’s pass over the attributes the user has allowed me to release”
10. Resource Manager (with attributes): “OK, based on the attributes, I grant access to the resource”
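The ten-step exchange on this slide, together with the identity-based versus attribute-based contrast of the earlier “Attribute-based Authorization” slide, as an added simulation that is not code from the presentation, from the SECURe project or from the Shibboleth software. The organisation names, user records, passwords, release policy and licensing rule are all constructed assumptions; the single-use handle and the per-target binding are design choices of this example, not a statement of the exact Shibboleth handle semantics.

```python
import secrets

# --- Home organisation ("Origin"): Handle Service + User DB + Attribute Authority ---
# Constructed sample user database (made-up users, passwords and attributes).
USER_DB = {
    "alice": {"password": "correct-horse", "attributes": {
        "eduPersonAffiliation": "staff",
        "eduPersonScopedAffiliation": "staff@example.ac.uk",
        "mail": "alice@example.ac.uk",
        "displayName": "Alice Example"}},
    "guest": {"password": "battery-staple", "attributes": {
        "eduPersonAffiliation": "affiliate",
        "eduPersonScopedAffiliation": "affiliate@example.ac.uk",
        "mail": "guest@example.ac.uk",
        "displayName": "Visiting Guest"}},
}

# Constructed attribute release policy: per user, per target, which attributes may
# leave the origin. The user controls this, which is the privacy principle on the slides.
RELEASE_POLICY = {
    "alice": {"journals.example.com": {"eduPersonScopedAffiliation"}},
    "guest": {"journals.example.com": {"eduPersonScopedAffiliation", "mail"}},
}


class Origin:
    """One home organisation: Handle Service (HS) and Attribute Authority (AA)."""

    def __init__(self):
        self._handles = {}  # opaque handle -> (username, target it was issued for)

    def handle_service(self, username, password, target):
        """Steps 5-7: authenticate against the user DB, then mint an opaque handle."""
        rec = USER_DB.get(username)
        if rec is None or not secrets.compare_digest(rec["password"], password):
            return None
        handle = secrets.token_urlsafe(16)  # random; says nothing about who the user is
        self._handles[handle] = (username, target)
        return handle

    def attribute_authority(self, handle, requesting_target):
        """Steps 9-10: resolve the handle and release only what the user allowed."""
        entry = self._handles.pop(handle, None)  # single use in this simulation
        if entry is None:
            return {}  # unknown or already-consumed handle
        username, bound_target = entry
        if bound_target != requesting_target:
            return {}  # handle was issued for a different target
        allowed = RELEASE_POLICY.get(username, {}).get(requesting_target, set())
        attrs = USER_DB[username]["attributes"]
        return {k: v for k, v in attrs.items() if k in allowed}


class Target:
    """Resource owner: SHIRE (steps 1-4), SHAR (steps 8-9), Resource Manager (step 10)."""

    def __init__(self, name, federation, licensed_scopes, allowed_affiliations):
        self.name = name
        self.federation = federation  # WAYF data: home-org id -> Origin
        self.licensed_scopes = licensed_scopes  # institutions holding a licence
        self.allowed_affiliations = allowed_affiliations  # roles the licence covers

    def resource_manager(self, attrs):
        """Step 10: decide from attributes alone; no identity attribute is consulted."""
        affiliation, _, scope = attrs.get("eduPersonScopedAffiliation", "").partition("@")
        return scope in self.licensed_scopes and affiliation in self.allowed_affiliations

    def access(self, home_org, username, password):
        """Run the whole exchange for one request and report what the target saw."""
        origin = self.federation.get(home_org)  # steps 2-4: WAYF lookup
        if origin is None:
            return {"granted": False, "reason": "unknown home organisation", "attrs": {}}
        handle = origin.handle_service(username, password, self.name)  # steps 5-7
        if handle is None:
            return {"granted": False, "reason": "authentication failed", "attrs": {}}
        attrs = origin.attribute_authority(handle, self.name)  # steps 8-9 (SHAR -> AA)
        return {"granted": self.resource_manager(attrs), "reason": "attribute decision",
                "attrs": attrs, "handle": handle}


def build_federation():
    """Constructed federation: one origin, one licensed target."""
    origin = Origin()
    target = Target("journals.example.com", {"example.ac.uk": origin},
                    licensed_scopes={"example.ac.uk"},
                    allowed_affiliations={"staff", "student", "member"})
    return origin, target


def demo():
    """Normal path, bad password, unlicensed role, unknown org, and a replayed handle."""
    origin, target = build_federation()
    results = {
        "alice": target.access("example.ac.uk", "alice", "correct-horse"),
        "alice_wrong_pw": target.access("example.ac.uk", "alice", "nope"),
        "guest": target.access("example.ac.uk", "guest", "battery-staple"),
        "unknown_org": target.access("other.ac.uk", "alice", "correct-horse"),
    }
    # Presenting alice's already-consumed handle again yields nothing.
    results["replay_attrs"] = origin.attribute_authority(results["alice"]["handle"],
                                                         "journals.example.com")
    return results
```

Running `demo()` shows the point of the attribute-based approach: `alice` is granted access while the target sees only `eduPersonScopedAffiliation`, never her mail address or name, because her release policy withholds them; `guest` has chosen to release `mail`, so the target learns it, yet is still refused because the affiliation is not one the licence covers. The handle itself carries no identity, is bound to the target it was minted for, and in this simulation is consumed on first use, so a second attribute query with it returns nothing.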