Presentation is loading. Please wait.

Presentation is loading. Please wait.

2005 © SWITCH Deployment of a Shibboleth-based Infrastructure in Switzerland: SWITCHaai Martin Sutter, Head of NetServices, SWITCH (Ueli Kienholz & Thomas.

Published byHorace Byrd Modified over 9 years ago

Similar presentations

Presentation on theme: "2005 © SWITCH Deployment of a Shibboleth-based Infrastructure in Switzerland: SWITCHaai Martin Sutter, Head of NetServices, SWITCH (Ueli Kienholz & Thomas."— Presentation transcript:

1 2005 © SWITCH Deployment of a Shibboleth-based Infrastructure in Switzerland: SWITCHaai Martin Sutter, Head of NetServices, SWITCH (Ueli Kienholz & Thomas Lenggenhager) UK e-Science Core Programme Town Meeting Monday 11 th April 2005

2 2005 © SWITCH 2AAI Deployment in Switzerland Project Timeline 200120022003200420052006 Implementation PilotOperation Study, Planning Study Architecture Evaluation  Shibboleth

3 2005 © SWITCH 3AAI Deployment in Switzerland University A Library B University C Without AAI Student Admin Web Mail e-Learning Literature DB e-Learning Research DB Authorization User Administration Authentication Resource Credentials  Tedious user registration at all resources  Unreliable and outdated user data at resources  Different login processes  Many different passwords  Many resources not protected due to difficulties  Often IP-based authorization  Costly implementation of inter-institutional access e-Journals

4 2005 © SWITCH 4AAI Deployment in Switzerland University A Library B University C AAI With AAI Student Admin Web Mail e-Learning Literature DB e-Learning Research DB  No user registration and user data maintenance at resource needed  Single login process for the users  Many new resources available for the users  Enlarged user communities for resources  Authorization independent of location  Efficient implementation of inter-institutional access e-Journals Authorization User Administration Authentication Resource Credentials

5 2005 © SWITCH 5AAI Deployment in Switzerland SWITCHaai Building Blocks Identity Providers (Home Orgs) Service Providers (Resources) Organizational Framework Interoperation Central Services Finances

6 2005 © SWITCH 6AAI Deployment in Switzerland Organizational Framework SWITCH acts as SWITCHaai Federation service provider Federation membership based on signed service agreements Organization

7 2005 © SWITCH 7AAI Deployment in Switzerland Requires agreement on technical details like  Standards  SAML 1.1  Software versions  Shibboleth 1.1 for identity providers Shibboleth 1.2.1 for service providers  Accepted certificate authorities  SWITCHpki, plus Thawte, Trustcenter, VeriSign  Attribute specification  SwissEduPerson Interoperation

8 2005 © SWITCH 8AAI Deployment in Switzerland Criteria for attribute specification  Start simple, extend as required  Common understanding on interpretation  Already widely used SwissEduPerson Attribute usage by applications  Use minimal set required  Data protection principle Interoperation Interoperation: Attributes

9 2005 © SWITCH 9AAI Deployment in Switzerland Identity Provider Integration AAI-enabled Identity Provider User Directory Authentication System AAI Currently in use in SWITCHaai: Authentication Systems OpenLDAP with CAS or Pubcookie Kerberos AuthN with Active Directory Windows AuthN with IIS User Directory OpenLDAP Active Directory Identity Providers

10 2005 © SWITCH 10AAI Deployment in Switzerland Identity Providers in SWITCHaai Operational AAI Identity Provider SFIT Zurich University Zurich Virtual Home Org SWITCH Université de Genève 110’000 Swiss Higher Ed users have an AAI-Account (≈ 50% of all) Zürcher Hochschule Winterthur AAI Identity Provider getting ready University Hospital Zurich University Lucerne Université de Fribourg Prototype running University Bern Université de Lausanne Service Agreement Identity Providers

11 2005 © SWITCH 11AAI Deployment in Switzerland Virtual Home Organization – VHO Integrate end users without identity pprovider  Resource owner creates @VHO “AAI-enabled” accounts for users without an identity provider  A VHO account is only usable for the resource managed by the resource owner Federation Member Identity Provider Resource Owner End User Admin Some end users without identity provider VHO Service @SWITCH User Dir VHO Policy Identity Providers

12 2005 © SWITCH 12AAI Deployment in Switzerland SWITCHaai Building Blocks Identity Providers (Home Orgs) Service Providers (Resources) Organizational Framework Interoperation Central Services Finances

13 2005 © SWITCH 13AAI Deployment in Switzerland Types of Service Providers e-learninglibraries other web applications DOIT VITELS Vista@SVC AD Learn & Co Vconf-Reservation SMS-Gateway EZproxy commercial ScienceDirect WebCT@ETHZ OLAT Moodle BSCW Blackboard SwissLex IS-Academia Jobs@BWI ILIAS TWiki eShops Service Providers …

14 2005 © SWITCH 14AAI Deployment in Switzerland Service Provider Example: DOIT ETHZUniZH SWITCH UniL AAI Identity Provider UniGE UniBE VHO AAI Service Provider DOIT: Dermatology Online with Interactive Technology 500 AAI Users Access Rule IdP = UniZH | UniBE | UniL affiliation = student studyBranch = medicine studyLevel = 15 Service Providers

15 2005 © SWITCH 15AAI Deployment in Switzerland Service Provider Example: OLAT ETHZ UniZH SWITCH UniL AAI Identity Provider UniGE UniBE VHO AAI Service Provider OLAT: Online Learning an Training (open source e-learning platform of the University of Zurich) 5000 AAI Users 75 Courses Service Providers

16 2005 © SWITCH 16AAI Deployment in Switzerland Integration of „Blackboxes“  Authentication / authorization gateway  Portal functionalities (optional)  User management (optional)  Adaptors to blackbox applications:  WebCT Vista  WebCT CE …… AAIportal Shibboleth Sign On A1...... A2 Service Providers API Application

17 2005 © SWITCH 17AAI Deployment in Switzerland Central AAI Services  Strategy & marketing  International contacts  Support, consulting, training  Providing federation-specific files and configuration guides  Operating WAYF  Testing parties (identity provider  service provider)  Jump-start service Central Services

18 2005 © SWITCH 18AAI Deployment in Switzerland Funding 20002001200220032004200520062007200820092010 funding / costs pilot projectproject operational service funded by SWITCH & Universities funded by federal grants funded by tariffs Finances

19 2005 © SWITCH 19AAI Deployment in Switzerland Outlook  Projects with federal grants  Non-web service providers, e.g. grid  ECTS (Study)  AAA (Study)  Federation partners

20 2005 © SWITCH 20AAI Deployment in Switzerland Further Information  SWITCHaai Website http://www.switch.ch/aai  Shibboleth http://shibboleth.internet2.edu/  Shibboleth Demo http://www.switch.ch/aai/demo  Attribute Specification http://www.switch.ch/aai/docs/AAI_Attr_Specs.pdf

21 2005 © SWITCH 21AAI Deployment in Switzerland Questions ? Q & A http://www.switch.ch/aai aai@switch.ch

22 2005 © SWITCH 22AAI Deployment in Switzerland Central Services SWITCHaai Team Supporting Universities Training Consulting General Support Shibbolizing Services Tools (AAIportal) Integrating Identity Providers Deployment Guides Federation Metadata Services Test Lab Jump Start Service WAYF VHO Test-Installations (Feasibility) Organisation and Policies Marketing Central Services

23 2005 © SWITCH 23AAI Deployment in Switzerland Central AAI Services Support (1) SWITCH’s AAI Services WAYF AAI Tools Consulting, Training, Test Lab Outsourcing Service Virtual Home Org Strategy, Marketing Optional AAI ServicesAAI Base PackageAAI-related Services Security Services RA / CA Integration Service Implementation / Integration Operation Implementation / Integration Operation Implementation / Integration Operation AAI Jump Start

24 2005 © SWITCH 24AAI Deployment in Switzerland Showcase: NET ETHZ SWITCH UniL AAI Home Organization UniGE UniBE VHO AAI Resource NET: Network for Educational Technology 300 AAI Users, 2 Courses ETHZ UniZH

25 2005 © SWITCH 25AAI Deployment in Switzerland Shibboleth Process: The Details Resource User’s Home Org Resource Owner HSHandle Server Handle 7 AAAttribute Authority SHARShibboleth Attribute Requestor WAYF‘Where Are You From’-Server SHIREShibboleth Indexical Reference Establisher ARPAAP HS SHIRE 3 2 RM 11 Attributes 8 8 RMResource Manager 6 Handle 6 4 5 Credentials 5 9 Attributes 10 User Dir Authen- tication Shibboleth AAI Components AA WAYF SHAR 1

26 2005 © SWITCH 26AAI Deployment in Switzerland Outlook 2005 2001200220032004200520062007 Impl. V1.0 Pilot Operation V1.0 Study, Pilot, Impl. Operation V2.0 Study, Pilot, Impl. Study resource registry Shibboleth 1.3 EZproxy BSCW IS-Academia Operations Committee TF Attributes ECTS-Study AAA-Study lead SUC projects redundant WAYF migration Pilot -> Prod service agreements more campuses more resources branding

27 2005 © SWITCH 27AAI Deployment in Switzerland WAYF Single Sign On Demo Resource 1 3 2 6 4 5 Credentials Home Org 8 9 wayf1.switch.ch kohala.switch.ch E-Learning Resource 7 http://aaidemo.alzheimerlearn.net/ aaidemo.alzheimerlearn.net 10

28 2005 © SWITCH 28AAI Deployment in Switzerland Unique Identifier Surname Given name E-mail Address(es) Phone number(s) Preferred language Date of birth Gender Name of Home Organization Type of Home Organization Affiliation (student, staff, faculty, …) Study branch Study level Staff category Group membership Organization Path Organizational Unit Path based on eduPerson specification study branch, study level, staff category are based on SHIS/SIUS username and password are missing  only used locally! commonName is missing no common understanding on how to use it ‘Matrikelnummer’ is missing for data protection reasons Personal attributes Group membership Attributes: SwissEduPerson

Download ppt "2005 © SWITCH Deployment of a Shibboleth-based Infrastructure in Switzerland: SWITCHaai Martin Sutter, Head of NetServices, SWITCH (Ueli Kienholz & Thomas."

Similar presentations

Lousy Introduction into SWITCHaai

Lousy Introduction into SWITCHaai
Eduserv Athens Federations David Orrell Eduserv Athens Technical Architect.

Eduserv Athens Federations David Orrell Eduserv Athens Technical Architect.
Next Generation Athens Services Ed Zedlewski UK e-Science Town Meeting, London, 11 April 2005.

Next Generation Athens Services Ed Zedlewski UK e-Science Town Meeting, London, 11 April 2005.
Office 365 Identity June 2013 Microsoft Office365 4/2/2017

Office 365 Identity June 2013 Microsoft Office365 4/2/2017
Access & Identity Management “An integrated set of policies, processes and systems that allow an enterprise to facilitate and control access to online.

Access & Identity Management “An integrated set of policies, processes and systems that allow an enterprise to facilitate and control access to online.
KC-ROLO Project Kidderminster College Repository Of Learning Objects Graham Mason & Ed Beddows.

KC-ROLO Project Kidderminster College Repository Of Learning Objects Graham Mason & Ed Beddows.
1 Wolfgang Lierz Staff IT-Services / Network & Security Admin ETH-Bibliothek Zurich Integration Primo-Aleph-PDS-SSO- AAI Wolfgang Lierz / IGeLU 2012 Zurich.

1 Wolfgang Lierz Staff IT-Services / Network & Security Admin ETH-Bibliothek Zurich Integration Primo-Aleph-PDS-SSO- AAI Wolfgang Lierz / IGeLU 2012 Zurich.
2005 © SWITCH Authentication and Authorization Infrastructure Martin Sutter, Head of NetServices Thomas Lenggenhager, Deputy Project Manager AAI Christoph.

2005 © SWITCH Authentication and Authorization Infrastructure Martin Sutter, Head of NetServices Thomas Lenggenhager, Deputy Project Manager AAI Christoph.
JISC Metaleth Project Athens, Shibboleth and the University of Bristol 29 th January 2007.

JISC Metaleth Project Athens, Shibboleth and the University of Bristol 29 th January 2007.
2006 © SWITCH Authentication and Authorization Infrastructures in e-Science (and the role of NRENs) Christoph Witzig SWITCH e-IRG, Helsinki, Oct 4, 2006.

2006 © SWITCH Authentication and Authorization Infrastructures in e-Science (and the role of NRENs) Christoph Witzig SWITCH e-IRG, Helsinki, Oct 4, 2006.
Copyright JNT Association 20051Optional www.ukfederation.org.uk Copyright JNT Association 2007 1 Joining the UK Access Management Federation 4th April.

Copyright JNT Association 20051Optional Copyright JNT Association Joining the UK Access Management Federation 4th April.
1 Issues in federated identity management Sandy Shaw EDINA IASSIST 24-27 May 2005, Edinburgh.

1 Issues in federated identity management Sandy Shaw EDINA IASSIST May 2005, Edinburgh.
ICDL 2004, New Delhi1 Access Management for Digital Libraries in a well-connected World John Paschoud SECURe Project London School of Economics Library.

ICDL 2004, New Delhi1 Access Management for Digital Libraries in a well-connected World John Paschoud SECURe Project London School of Economics Library.
Technology Steering Group January 31, 2007 Academic Affairs Technology Steering Group February 13, 2008.

Technology Steering Group January 31, 2007 Academic Affairs Technology Steering Group February 13, 2008.
2006 © SWITCH SWITCH Plans for Shibboleth and Grid GGF16 Feb 14, 2006 Christoph Witzig (Thomas Lenggenhager, Valery Tschopp, Placi Flury) SWITCH.

2006 © SWITCH SWITCH Plans for Shibboleth and Grid GGF16 Feb 14, 2006 Christoph Witzig (Thomas Lenggenhager, Valery Tschopp, Placi Flury) SWITCH.
Copyright JNT Association 20051OptionalCopyright JNT Association 2007 Overview of the UK Access Management Federation Josh Howlett.

Copyright JNT Association 20051OptionalCopyright JNT Association 2007 Overview of the UK Access Management Federation Josh Howlett.
Shibboleth & IMPETUS 1.What are they? 2.Demo. Shibboleth - A system to support the sharing of Web resources among organisations IMPETUS - Infrastructure.

Shibboleth & IMPETUS 1.What are they? 2.Demo. Shibboleth - A system to support the sharing of Web resources among organisations IMPETUS - Infrastructure.
Technology Steering Group January 31, 2007 Academic Affairs Technology Steering Group February 13, 2008.

Technology Steering Group January 31, 2007 Academic Affairs Technology Steering Group February 13, 2008.
Administrative Information Systems Shibboleth: The Next Generation ISIS Technical Information Session for Developers Datta Mahabalagiri March 3. 2008.

Administrative Information Systems Shibboleth: The Next Generation ISIS Technical Information Session for Developers Datta Mahabalagiri March
2003 © SWITCH Realization of a Vision: Authentication and Authorization Infrastructure for the Swiss Higher Education Community Copyright Martin Sutter,

2003 © SWITCH Realization of a Vision: Authentication and Authorization Infrastructure for the Swiss Higher Education Community Copyright Martin Sutter,

Similar presentations

Ads by Google