Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 The Road Ahead Jon Dowland, Cal Racey, University of Newcastle upon Tyne.

Published byArianna Roberts Modified over 10 years ago

Similar presentations

Presentation on theme: "1 The Road Ahead Jon Dowland, Cal Racey, University of Newcastle upon Tyne."— Presentation transcript:

1 http://iamsect.ncl.ac.uk/ 1 The Road Ahead Jon Dowland, Cal Racey, University of Newcastle upon Tyne

2 http://iamsect.ncl.ac.uk/ Shibboleth Then said they unto him, Say now Shibboleth: and he said Sibboleth: for he could not frame to pronounce it right. Then they took him, and slew him at the passages of Jordan: and there fell at that time of the Ephraimites forty and two thousand. Judges 12:5-7

3 http://iamsect.ncl.ac.uk/ Shibboleth Shibboleth, is a bit like the duck which moves serenely through the water, but is paddling furiously beneath the surface. - Derek Morrison, the Auricle

4 http://iamsect.ncl.ac.uk/ Overview Who are we? Technical issues Managerial issues Future Developments

5 http://iamsect.ncl.ac.uk/ Inter-institutional Authorisation Management to Support eLearning with reference to Clinical Teaching Who are we?

6 http://iamsect.ncl.ac.uk/ 6 Inter-institutional Newcastle –FMSC –ISS Durham –ISS

7 http://iamsect.ncl.ac.uk/ Who are we? Core-middleware project since ~July 04 Relationships with: –SAPIR (early adopters) –EPICS (distributed e-learning)

8 http://iamsect.ncl.ac.uk/ 8 Technical Issues

9 http://iamsect.ncl.ac.uk/ First experiences Technical angle / software installation Hard.

10 http://iamsect.ncl.ac.uk/ Technical documents From first experiences –Installing Shibboleth on Redhat AS 3.0 and using pubcookie –Installing Pubcookie on Redhat AS 3.0 and authenticating against Windows Active Directory

11 http://iamsect.ncl.ac.uk/ Creative Commons

12 http://iamsect.ncl.ac.uk/ Authorisation, Clinical Teaching a proverbial goldmine of privacy and confidentiality issues Involvement of Newcastle FMSC

13 http://iamsect.ncl.ac.uk/ Shared students: Durham/Newcastle Authorisation, Clinical Teaching

14 http://iamsect.ncl.ac.uk/ Authorisation, Clinical Teaching In-house medical-oriented virtual learning environment (VLE) Shibbolized

15 http://iamsect.ncl.ac.uk/ MClinEd Medical Schools VLE Zope Shibboleth + Apache Local IdP Connected with Fast CGI –deprecated

16 http://iamsect.ncl.ac.uk/

17 Blackboard VLE Durhams Blackboard VLE Shibbolized –used with local IdP

18 http://iamsect.ncl.ac.uk/

19 19 Technical Issues Shibboleth Administration

20 http://iamsect.ncl.ac.uk/ Shibboleth administration The process of setting up an attribute: Aggregation Release Acceptance

21 http://iamsect.ncl.ac.uk/ Complexity <JDBCDataConnector id=" db6 " dbURL="jdbc:mysql://thing.ncl.ac.uk/OilDrum?user=thing &amp ;password=thing" dbDriver=" com.mysql.jdbc.Driver " maxActive="10" maxIdle="5"> SELECT course_code, CASE course_code WHEN 'A101' THEN 'urn:mace:ac.uk:sdss.ac.uk:entitlement:emol.sdss.ac.uk:restricted' WHEN 'A106' THEN 'urn:mace:ac.uk:sdss.ac.uk:entitlement:emol.sdss.ac.uk:restricted' WHEN 'O106' THEN 'urn:mace:ac.uk:sdss.ac.uk:entitlement:emol.sdss.ac.uk:restricted' WHEN '3019P' THEN 'urn:mace:ac.uk:sdss.ac.uk:entitlement:emol.sdss.ac.uk:restricted' WHEN '3384P' THEN 'urn:mace:ac.uk:sdss.ac.uk:entitlement:emol.sdss.ac.uk:restricted' WHEN '5826P' THEN 'urn:mace:ac.uk:sdss.ac.uk:entitlement:emol.sdss.ac.uk:restricted' ELSE 'none' END as sdssentitlement FROM CMstudentdata WHERE loginid = ?

22 http://iamsect.ncl.ac.uk/ Complexity ARP.xml EMOL service at EDINA urn:mace:ac.uk:sdss.ac.uk:provider:service:emol.sdss.ac.uk urn:mace:ac.uk:sdss.ac.uk:entitlement:emol.sdss.ac.u k:restricted

23 http://iamsect.ncl.ac.uk/ Complexity AAP.xml ^[M|m][E|e][M|m][B|b][E|e][R|r]$

24 http://iamsect.ncl.ac.uk/ Complexity No tools to help the admin (yet) Editing verbose opaque xml files by hand Looking in verbose opaque log files Asking others to look in verbose opaque log files at their end Security gets in the way Magic is cool flexible but hard to grasp.

25 http://iamsect.ncl.ac.uk/ 25 Technical Issues Where to get help?

26 http://iamsect.ncl.ac.uk/ Technical help Us –http://iamsect.ncl.ac.uk/deliverables/http://iamsect.ncl.ac.uk/deliverables/ Internet2 – –http://shibboleth.internet2.edu/guides/idp/http://shibboleth.internet2.edu/guides/idp/ –http://shibboleth.internet2.edu/guides/sphttp://shibboleth.internet2.edu/guides/sp –https://authdev.it.ohio- state.edu/twiki/bin/view/Shibboleth/WebHomehttps://authdev.it.ohio- state.edu/twiki/bin/view/Shibboleth/WebHome SDSS federation – –http://sdss.ac.uk/wiki/wiki.pl?SdssWikihttp://sdss.ac.uk/wiki/wiki.pl?SdssWiki

27 http://iamsect.ncl.ac.uk/ 27 Managerial Issues Complex Attributes

28 http://iamsect.ncl.ac.uk/ Complex attributes Use case Generation Problems Lessons learned

29 http://iamsect.ncl.ac.uk/ Complex attributes: Example Medic restrict Accessing medical content at EMOL Subset of resources e.g. Autopsy content Requires entitlement attribute: edupersonEntitlement urn:mace:ac.uk:sdss.ac.uk:entitlement:emol.sdss.ac.uk:restricted

30 http://iamsect.ncl.ac.uk/ Complex attributes: students Relatively easy for students- SimpleAttributeDefinition id="urn:mace:ac.uk:sdss.ac.uk:entitlement:emol.sdss.ac.uk sourceName="sdssentitlement SELECT course_code, CASE course_code WHEN 'A101' THEN 'urn:mace:ac.uk:sdss.ac.uk:entitlement:emol.sdss.ac.uk:restricted' WHEN 'A106' THEN 'urn:mace:ac.uk:sdss.ac.uk:entitlement:emol.sdss.ac.uk:restricted' ELSE 'none' END as sdssentitlement FROM CMstudentdata WHERE loginid = ? Find out if student is on one of three medical courses

31 http://iamsect.ncl.ac.uk/ Complex attributes: Staff Staff, registered manually over years Pick their own usernames, own email address – most didnt use @ncl.ac.uk address No connection between Athens id and Newcastle id NHS staff have ncl usernames Solution?

32 http://iamsect.ncl.ac.uk/

33

34 Lessons learned Complex attributes are hard All solutions assume you have good information to hand Medical user base is extremely complicated Need better information: Chicken and egg –No one will put system in place to record attribute until needed –No one will require an attribute unless already stored

35 http://iamsect.ncl.ac.uk/ Solution Need for a information reorganisation Registration and expiry to all different systems is unmanageable: Management system (ERPs) - SAP VLEs- blackboard, zope, moodle, Ness Library – metalib, reading lists, Athens Mail, Active directory, network, Proposal 1 central repository feeding many consumers:

36 http://iamsect.ncl.ac.uk/ Potential Tools to help Nexus and Open Metadirectory(OM) - tools for provisioning user accounts into different systems, -Potential to get good attributes. Grouper: aggregates existing group info -relies on having that info Signet: tool for managing and assigning privileges

37 http://iamsect.ncl.ac.uk/ 37 Managerial Issues Supporting users

38 http://iamsect.ncl.ac.uk/ Support Issues Testing The need for testing How to test Access Problems: -why they will happen -what they look like -what should they look like

39 http://iamsect.ncl.ac.uk/ The need for testing The fantasy Shibboleth relies on accurate easily locatable institutional information The reality Information stores are: dispersed, inaccessible, incomplete, out of sync, conflicting. Attributes accuracy is a best effort not a certainty Things will go wrong

40 http://iamsect.ncl.ac.uk/ Examples EdupersonScoped Affiliation Ability to login should = ncl affiliation - NHS staff -101 edge cases EdupersonEntitlement medic restrict urn:mace:ac.uk:sdss.ac.uk:entitlement:emol.sdss.ac.uk:restricted Identifying medics is hard, There will be plenty of problems

41 http://iamsect.ncl.ac.uk/ The problem of testing How do you test access control setup for all the different user types? Test users are difficult to setup, In multiple attribute store scenario they have to be in all stores. some stores dont understand fake users

42 http://iamsect.ncl.ac.uk/ When things go wrong Middleware is invisible: - when it works - when it doesnt - users unaware of what success looks like, therefore unaware of failure -federated content means federated errors Similar to networking problems

43 http://iamsect.ncl.ac.uk/ Access to EMOL Access without proper scopedAffiliation

44 http://iamsect.ncl.ac.uk/ Access without medical entitlement Tells you something is wrong However no obvious route to rectify it Access to EMOL

45 http://iamsect.ncl.ac.uk/ Local VLE Access by non med school user What improperly registered medics see

46 http://iamsect.ncl.ac.uk/ 46 Managerial Issues Legal Issues

47 http://iamsect.ncl.ac.uk/ Legal Issues Liability Initially assessed as medium-severity, low probability risk Could be a project in itself

48 http://iamsect.ncl.ac.uk/ 48 Managerial Issues Where to get help?

49 http://iamsect.ncl.ac.uk/ Managerial Documents Drafts up –Introduction to Shibboleth Federations –Practical access to electronic journals using Shibboleth –Attribute identification and storage for Shibboleth http://iamsect.ncl.ac.uk/deliverables/

50 http://iamsect.ncl.ac.uk/ Managerial help Us – http://iamsect.ncl.ac.uk/deliverables/http://iamsect.ncl.ac.uk/deliverables/ JISC –http://www.jisc.ac.uk/uploaded_documents/C MRoadmap03_05.doc - Connecting People to Resourceshttp://www.jisc.ac.uk/uploaded_documents/C MRoadmap03_05.doc ?

51 http://iamsect.ncl.ac.uk/ 51 Future developments

52 http://iamsect.ncl.ac.uk/ Standardisation OS Integration –apt-get install shibboleth-service-provider –(or whatever) Application support National federation

53 http://iamsect.ncl.ac.uk/ Odd ones out Identity Provider Industry/Academic/Clinical collaborations –Those without home institutions –Home institutions without Shibboleth

54 http://iamsect.ncl.ac.uk/ 54 Conclusion

55 http://iamsect.ncl.ac.uk/ Optimism There are problems, however: Once setup it just works (!) Robust Recipes easy Building tools should be easy It enables cool stuff

56 http://iamsect.ncl.ac.uk/ 56 Questions

Download ppt "1 The Road Ahead Jon Dowland, Cal Racey, University of Newcastle upon Tyne."

Similar presentations

Shibboleth and UKAMF-FEAR not as scary as it sounds! Rhys Smith Cardiff University.

Shibboleth and UKAMF-FEAR not as scary as it sounds! Rhys Smith Cardiff University.
Lousy Introduction into SWITCHaai

Lousy Introduction into SWITCHaai
Shibboleth at Cardiff University Lindsay Roberts Project Manager – Shibboleth Implementation Phase 2.

Shibboleth at Cardiff University Lindsay Roberts Project Manager – Shibboleth Implementation Phase 2.
PERSEUS : Portal-enabled Resources via Shibbolized End-user Security 16 May 2005JISC Core Middleware Programme Meeting, Loughborough 1 PERSEUS Project.

PERSEUS : Portal-enabled Resources via Shibbolized End-user Security 16 May 2005JISC Core Middleware Programme Meeting, Loughborough 1 PERSEUS Project.
Eduserv Athens Federations David Orrell Eduserv Athens Technical Architect.

Eduserv Athens Federations David Orrell Eduserv Athens Technical Architect.
Moodle@Kidderminster College An insight Into the College VLE Graham Mason gmason@kidderminster.ac.uk.

College An insight Into the College VLE Graham Mason
Joint Information Systems Committee 01/04/2014 | | Slide 1 Single Sign-On Solutions Nicole Harris Programme Manager – JISC.

Joint Information Systems Committee 01/04/2014 | | Slide 1 Single Sign-On Solutions Nicole Harris Programme Manager – JISC.
Shibbolising UK Census and ESDS services Lucy Bell Associate Director, Head of Information Systems and Preservation, UKDA 26 May 2005.

Shibbolising UK Census and ESDS services Lucy Bell Associate Director, Head of Information Systems and Preservation, UKDA 26 May 2005.
Next Generation Athens Services Ed Zedlewski UK e-Science Town Meeting, London, 11 April 2005.

Next Generation Athens Services Ed Zedlewski UK e-Science Town Meeting, London, 11 April 2005.
Grouper Training End Users Lite UI – External Users

Grouper Training End Users Lite UI – External Users
Preserving and Sharing Digital Data Greg Colati, Director, Archives and Special Collections May 11, 2012.

Preserving and Sharing Digital Data Greg Colati, Director, Archives and Special Collections May 11, 2012.
Access & Identity Management “An integrated set of policies, processes and systems that allow an enterprise to facilitate and control access to online.

Access & Identity Management “An integrated set of policies, processes and systems that allow an enterprise to facilitate and control access to online.
April 22nd 2008 Internet2 Spring member meeting Caleb Racey Newcastle University UK Studies in Advanced Access Management.

April 22nd 2008 Internet2 Spring member meeting Caleb Racey Newcastle University UK Studies in Advanced Access Management.
Introduction to Shibboleth and the IAMSECT Project.

Introduction to Shibboleth and the IAMSECT Project.
KC-ROLO Project Kidderminster College Repository Of Learning Objects Graham Mason & Ed Beddows.

KC-ROLO Project Kidderminster College Repository Of Learning Objects Graham Mason & Ed Beddows.
2006 © SWITCH Group Management Tool Lukas Haemmerle

2006 © SWITCH Group Management Tool Lukas Haemmerle
EduPerson and Federated K-12 Activities InCommon/Quilts Pilot Group February 27, 2014 Keith Hazelton UW-Madison, InCommon/I2.

EduPerson and Federated K-12 Activities InCommon/Quilts Pilot Group February 27, 2014 Keith Hazelton UW-Madison, InCommon/I2.
Shibboleth at Newcastle Caleb Racey Webteam ISS Shibboleth experiences Program  Background  What shib has enabled  Benefits of shib  How to do shib.

Shibboleth at Newcastle Caleb Racey Webteam ISS Shibboleth experiences Program  Background  What shib has enabled  Benefits of shib  How to do shib.
JISC Metaleth Project Athens, Shibboleth and the University of Bristol 29 th January 2007.

JISC Metaleth Project Athens, Shibboleth and the University of Bristol 29 th January 2007.
1 Issues in federated identity management Sandy Shaw EDINA IASSIST 24-27 May 2005, Edinburgh.

1 Issues in federated identity management Sandy Shaw EDINA IASSIST May 2005, Edinburgh.

Similar presentations

Ads by Google