Presentation is loading. Please wait.

Presentation is loading. Please wait.

Case Study: Newcastle University

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Case Study: Newcastle University"— Presentation transcript:

1 Case Study: Newcastle University
Caleb Racey

2 Overview who I am Newcastle background Drivers Business case Policy
Introduction who I am Newcastle background Experiences deploying shib Drivers Business case Policy Architecture Lessons learned

3 Who am I Web development officer in Newcastle University
6 years experience of Systems Admin for Web 4 years working on SSO issues 3 years with shibboleth Systems Developer: Adapt Open Source software to provide solution Not hard core programmer Not PKI guru Deploy Services not systems

4 Newcastle University UK University 4,700 staff 17,000 students
Research Intensive Medical School Centralised IT service Celebrating 50 years computing

5 Shib @ Newcastle 3 years Shibboleth experience
Early Adopter funded by JISC IAMSECT project Shibboleth transitioned from pilot to fully supported central service Entering identity enhancement stage Present = usable core attributes - want better Group management Provisioning

6 Technical Background Distributed ad hoc identity infrastructure
No Single Authoritative directory of user info Identity information spread across diverse systems Attributes Aggregated from multiple sources Mixed Infrastructure: Unix: Solaris + Redhat EL Windows SAP Mixed web application platforms: The 3 P’s: Php, Perl, Python Java ASP + ASP.net

7 Newcastle Requirements
Usable across multiple platforms: Apache (PHP, Perl) IIS (ASP ASP.NET) Tomcat (java) Zope (python) Works with complex identity infrastructure Ability to integrate data from many sources Different access technologies LDAP SQL SSO = single username, not “sign on once” Robust, Scalable, Manageable

8 Drivers for Shibboleth
1/2 Enormous diversity of usernames 3 VLEs Unix systems Adhoc online systems Library Management (exlibris) Athens Windows Active Directory Login Web based Services growing Enormously bargain for individual data feeds data feed “guardians” scarce resource Need for SSO drive obvious

9 Business Case Core Password infrastructure badly under utilized
Mainly Desktop login Support cost of multiple password stores Poor user acceptance of systems SAP admin staff time bottleneck Poor security Insecure Password transfer (http) Insecure connection to back ends Increasing Risk with each system One system compromise = change all passwords User confusion = Easy phishing

10 Policy Implications Agree to federation policies
User “tracking” No account recycling for 2 years Only Newcastle users will have accounts Attribute Data Format (eduPerson) Service Provider policies Only medics get to see medical content Who are we? .ncl.ac.uk or .newcastle.ac.uk ncr18 not NCR18 User account policies All users will have Active Directory accounts Users have to agree to terms and conditions distance learning, medics

11 Architectural Considerations
Need real time access to institutional attribute stores Firewalls + secure connections Mindset change: Central Attribute broker = good idea Active directory compatibility: Secure “pooled” LDAPs support Kerberos Firewall rules Port 8443 opened (conflicts with printer vulnerability) Shibbed kit has to be directly routable. Infrastructure should be robust Multiple boxes Separate locations Monitored

12 Required Skill sets Working knowledge of own identity infrastructure:
Where to get data + how What is usable Who to talk to Working knowledge of using SSL Not hard protocol knowledge Getting signed SSL certs Configuring servers Working knowledge of Apache httpd + tomcat Installation Use in production (robustness, monitoring, updating) Very little java programming 3 years, no lines of code written or required

13 Problems PKI providers are not easy to deal with Upgrading complex
Once you have one you don’t want another There is a reason Thawte etc. charge 10x smaller providers Certs are cheap, procedure and staff time is not Upgrading complex Limited ability to test new installs before swapping Federation removes end to end control SSL means you can’t fake it easily Breaks in attribute aggregation hard to detect Federation imposes: Paperwork Policy Procedure Data Formats (eduPerson)

14 Lessons learned (1) Federated Use = unique selling point of shib
Federation has done much of hard thinking for you Internal use = Much more demanding Greater set of attributes Identity Enrichment drive needed Grouper Review of account management Enabling new lightweight approaches Provisioning on first use 1 technology = auth + data provision Much lower barrier to application deployment

15 Lessons learned (2) Identity management is not a technology
It’s processes + procedures + policies Regardless of technology the lessons are the same It’s the keystone of future development Shibboleth can deal with messy composite Identity Infrastructures It is much better not to need to Driver for identity review, improvement Democratizes platform choice Java based calendaring Php based wiki Perl based Mailing lists

16 Future Need for identity management review Enhanced use cases
Identity enrichment needed Democratise identity information = Grouper? Enhanced use cases Google Apps Collaborative research platforms Shared “regional” services Outsourced identity providers?

17 Questions?

Download ppt "Case Study: Newcastle University"

Similar presentations

Open-source Single Sign-On with CAS (Central Authentication Service) Pascal Aubry, Vincent Mathieu & Julien Marchal Copyright © 2004 – ESUP-Portail consortium.

Open-source Single Sign-On with CAS (Central Authentication Service) Pascal Aubry, Vincent Mathieu & Julien Marchal Copyright © 2004 – ESUP-Portail consortium.
Single Sign-On with GRID Certificates Ernest Artiaga (CERN – IT) GridPP 7 th Collaboration Meeting July 2003 July 2003.

Single Sign-On with GRID Certificates Ernest Artiaga (CERN – IT) GridPP 7 th Collaboration Meeting July 2003 July 2003.
Eduserv Athens Federations David Orrell Eduserv Athens Technical Architect.

Eduserv Athens Federations David Orrell Eduserv Athens Technical Architect.
Moodle@Kidderminster College An insight Into the College VLE Graham Mason gmason@kidderminster.ac.uk.

College An insight Into the College VLE Graham Mason
The technical side of Portals and ePortfolios Bonnie Ferguson Michael Wilcox.

The technical side of Portals and ePortfolios Bonnie Ferguson Michael Wilcox.
Access & Identity Management “An integrated set of policies, processes and systems that allow an enterprise to facilitate and control access to online.

Access & Identity Management “An integrated set of policies, processes and systems that allow an enterprise to facilitate and control access to online.
April 22nd 2008 Internet2 Spring member meeting Caleb Racey Newcastle University UK Studies in Advanced Access Management.

April 22nd 2008 Internet2 Spring member meeting Caleb Racey Newcastle University UK Studies in Advanced Access Management.
KC-ROLO Project Kidderminster College Repository Of Learning Objects Graham Mason & Ed Beddows.

KC-ROLO Project Kidderminster College Repository Of Learning Objects Graham Mason & Ed Beddows.
MyProxy: A Multi-Purpose Grid Authentication Service

MyProxy: A Multi-Purpose Grid Authentication Service
Technical Framework Charl Roberts University of the Witwatersrand Source: Repositories Support Project (JISC)

Technical Framework Charl Roberts University of the Witwatersrand Source: Repositories Support Project (JISC)
Outsourcing IAM in North Carolina

Outsourcing IAM in North Carolina
Shibboleth at Newcastle Caleb Racey Webteam ISS Shibboleth experiences Program  Background  What shib has enabled  Benefits of shib  How to do shib.

Shibboleth at Newcastle Caleb Racey Webteam ISS Shibboleth experiences Program  Background  What shib has enabled  Benefits of shib  How to do shib.
1 Issues in federated identity management Sandy Shaw EDINA IASSIST 24-27 May 2005, Edinburgh.

1 Issues in federated identity management Sandy Shaw EDINA IASSIST May 2005, Edinburgh.
Identity Management: Services, Tools and Processes Cal Racey

Identity Management: Services, Tools and Processes Cal Racey
Tech Track: Attribute Delivery Newcastle University Caleb Racey

Tech Track: Attribute Delivery Newcastle University Caleb Racey
Copyright JNT Association 20051OptionalCopyright JNT Association 2007 Overview of the UK Access Management Federation Josh Howlett.

Copyright JNT Association 20051OptionalCopyright JNT Association 2007 Overview of the UK Access Management Federation Josh Howlett.
Interpret Application Specifications

Interpret Application Specifications
Identity and Access Management

Identity and Access Management
Cloud computing Tahani aljehani.

Cloud computing Tahani aljehani.
Windows 2000 and Active Directory Services at UQ Scott Sinclair Senior Systems Programmer Software Infrastructure Group

Windows 2000 and Active Directory Services at UQ Scott Sinclair Senior Systems Programmer Software Infrastructure Group

Similar presentations

Ads by Google