GSU Shibboleth Case Study


Shibboleth Pilot
Local Authentication and Authorization
Control for Access to Remote Web Resources
Art Vandenberg
Director, Advanced Campus Services
Georgia State University
[email protected]
“Copyright Art Vandenberg 2003. This work is the intellectual property of the author.
Permission is granted for this material to be shared for non-commercial, educational
purposes, provided that this copyright statement appears on the reproduced materials
and notice is given that the copying is by permission of the author. To disseminate
otherwise or to republish requires written permission from the author.”
3 Nov 2003
A. Vandenberg ©
Second NMI Integration Testbed Workshop on
Experiences in Middleware Deployment, Anaheim, CA
1
Given that...
• Shibboleth – you know what it is...
• You know key concepts of privacy preserving trust
across federated domains...
• You understand it uses open source standards…
What’s the Problem Space at Georgia State?
• Access to digital library resources (vendor databases)
• Current solution
  – IP-based access
    • spoofable, limiting
  – Proxy server
  – Group accounts
    • some database passwords posted on public web!
  – Additional accounts & passwords
    • management hassles, synchronization complexity
    • extra account for user
    • lag time setting up a new person (faculty, student, or employee)
    • low level assurance
Shibboleth Solution for Georgia State’s Pullen Library
• Access without proxy
• Leverage local enterprise authentication
• Access based on role attributes (finer grained)
• Enables access from anywhere on web
• Reduced logins
• Stronger authentication (not just IP)
• Addresses user privacy
Architecture components
• Sun Solaris for Georgia State Shibboleth Origin
• Apache, Tomcat, J2SE
• Origin site (enterprise) requirements
  – Handle Server
    • single signon (SSO) or web initial signon (WebISO)
  – Attribute Authority
    • repository (mySQL or LDAP)
• Target site requirements
  – SHIRE
  – SHAR
  – WAYF
  – Resource Manager
(See NMI components: PubCookie, eduPerson, LDAP recipe)
Flow Diagram
[Diagram, ten numbered steps: the browser requests 1. http://www.site at the target (https://www.site); the target’s SHIRE (Shibboleth Handle Indexical Reference Establisher) redirects to the WAYF (Where are you from?), which sends the browser to the origin’s Handle Service and Authentication System; the handle comes back to the target, whose SHAR (Shibboleth Attribute Requester) queries the origin’s Attribute Authority; the browser is finally passed to the Web resource (http://www.site).]
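To make the ten-step flow above concrete, here is an added example written for this page (not Georgia State’s, Internet2’s or any Shibboleth project code). It models the origin side (Handle Service and Attribute Authority) and the target side (SHIRE/SHAR and resource manager) as in-process Python objects and keeps the two properties the deck stresses: the handle the target receives is a random, one-time token that says nothing about the CampusID, and the Attribute Authority releases only what its attribute release policy allows for that particular target, so identity is not passed while attributes may be. It also reproduces the single-sign-on reuse shown on the JSTOR slides (a second target gets a fresh handle without a second local login). The directory entries, passwords, the `www.site` policy entry, the origin name and all attribute values are constructed assumptions; there is no SAML, XML or TLS in this toy.

```python
# Added example for this page (not Shibboleth project code): a toy model of the
# ten-step flow in the diagram. Component names come from the slide; all data,
# the attribute release policy and the message shapes are constructed here.
import secrets
from dataclasses import dataclass, field

# Constructed campus directory: CampusID -> eduPerson-style attributes.
DIRECTORY = {
    "jdoe": {
        "eduPersonAffiliation": "member@example.edu",
        "eduPersonEntitlement": "urn:mace:example:vendor-db",
        "mail": "jdoe@example.edu",   # identity; must never reach a target
    },
}
PASSWORDS = {"jdoe": "correct-horse"}   # constructed; plaintext only for the toy


@dataclass
class Origin:
    """Enterprise side: Handle Service + Attribute Authority (steps 3-6, 8-9)."""
    handles: dict = field(default_factory=dict)   # handle -> CampusID
    sso: dict = field(default_factory=dict)       # SSO cookie -> CampusID
    # Attribute release policy (ARP): which attributes each target may see.
    arp: dict = field(default_factory=lambda: {
        "www.site": {"eduPersonAffiliation", "eduPersonEntitlement"},
    })

    def login(self, campus_id, password):
        """Steps 4-5: local authentication; returns an SSO cookie or None."""
        if PASSWORDS.get(campus_id) != password:
            return None
        cookie = secrets.token_urlsafe(16)
        self.sso[cookie] = campus_id
        return cookie

    def handle_service(self, sso_cookie):
        """Step 6: issue an opaque, one-time handle for the authenticated user."""
        campus_id = self.sso.get(sso_cookie)
        if campus_id is None:
            return None
        handle = secrets.token_urlsafe(16)   # random: carries no user information
        self.handles[handle] = campus_id
        return handle

    def attribute_authority(self, handle, target):
        """Steps 8-9: map the handle back to the user; release only ARP-permitted attributes."""
        campus_id = self.handles.pop(handle, None)   # pop: a handle resolves exactly once
        if campus_id is None:
            return {}
        allowed = self.arp.get(target, set())
        return {k: v for k, v in DIRECTORY[campus_id].items() if k in allowed}


@dataclass
class Target:
    """Vendor side: SHIRE + SHAR + resource manager (steps 1-2, 7, 10)."""
    host: str
    required_entitlement: str
    sessions: dict = field(default_factory=dict)   # target session -> released attrs

    def shire(self, handle, origin):
        """Step 7: SHIRE receives the handle; SHAR queries the origin's AA with it."""
        attrs = origin.attribute_authority(handle, self.host)
        session = secrets.token_urlsafe(16)
        self.sessions[session] = attrs
        return session

    def resource_manager(self, session):
        """Step 10: authorize on released attributes only; the target never learns who the user is."""
        attrs = self.sessions.get(session, {})
        return attrs.get("eduPersonEntitlement") == self.required_entitlement


def access_resource(origin, target, campus_id, password, sso_cookie=None):
    """Run one pass of steps 1-10. Returns (granted, sso_cookie, attrs_seen_by_target)."""
    # Steps 1-3: browser hits the target, SHIRE sends it to the WAYF, user picks the origin.
    if sso_cookie not in origin.sso:
        sso_cookie = origin.login(campus_id, password)   # steps 4-5, skipped when the SSO cookie is valid
        if sso_cookie is None:
            return False, None, {}
    handle = origin.handle_service(sso_cookie)            # step 6
    session = target.shire(handle, origin)                # steps 7-9
    return target.resource_manager(session), sso_cookie, dict(target.sessions[session])


if __name__ == "__main__":
    origin, ebsco = Origin(), Target("www.site", "urn:mace:example:vendor-db")
    granted, cookie, seen = access_resource(origin, ebsco, "jdoe", "correct-horse")
    print("granted:", granted, "| target saw:", seen)
```

Running the module shows the target being granted access while only the two ARP-listed attributes reach it; a second target whose host has no ARP entry receives nothing and is refused, even though the user is still signed on at the origin and is not asked to log in again.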
EZProxy Institutions
[Map of EZProxy institutions; Georgia marked]
Quite some potential… Especially if we work together to convince Vendors. (Or do we want to use IP access and still pay site license rates while only few may need the resource?)
Georgia State Shibboleth, October 2003
• V 1.0 origin installed
• Authenticate using CampusID
• Attributes via eduPerson from Campus LDAP
• Pilot with EBSCO, OCLC, JSTOR
• Library Shibboleth pilot page
  – http://www.library.gsu.edu/shib/
• Let’s take a look...
1. LDAP Recipe for directory, ids
2. eduPerson for eduPersonAffiliation, eduPersonEntitlement
3. Shibboleth for access to web resources
Access Web Resource – EBSCO
GSU Library Shibboleth Pilot info page: www.library.gsu.edu/shib/
1. EBSCO test URL: redirect via WAYF (InQueue Federation, for pilot testing)
2. Pick your Shib origin (these are InQueue sites recognized by target WAYF)
3. Local Authentication (GSU origin): don't worry about certificate warning, say OK -- your browser has not been configured for certificates used by the test environment (Interim Certificate used at Target)
4. Ditto… say Yes (test certificates not known to your browser)
5. GSU Origin – Local Login: use local authentication (GSU CampusID/pw). This page invoked by Georgia State Origin.
Successful Authentication: authenticated user is being directed to web site… (with Authorization checking behind the scenes)
6. EBSCO Web Resources: accessing EBSCO research databases. Do your thing.
5 steps: 1. Pick url, 2. Pick origin, 3. Ok to cert, 4. Yes to cert, 5. Login. Use resource.
Access Web Resource – JSTOR
1. Now select Browse JSTOR (continuing current browser session)
Access, no re-login (Shib saves session): direct access to next Shibboleth site (no WAYF, no GSU local login)
2. Do your thing.
1 (NOT 5) steps: 1. Pick url [2. NA] [3. NA] [4. NA] [5. NA]. Use resource.
JSTOR site knows it’s GSU: “Your access to JSTOR is provided by Georgia State University” (identity not passed, but attributes may be)
OCLC / authorization attributes
OCLC needs no further authentication, but does require specific attributes:
eduPersonAffiliation = [email protected]
eduPersonEntitlement = urn:mace:oclc:org…
OCLC web resources: appropriate attributes permit access... OCLC recognizes Georgia State member (and contract)
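The OCLC requirement just described is an attribute-based rule, and the slide shows the affiliation in scoped form (value@scope). As an added example that is not the page’s, OCLC’s or the Shibboleth project’s code, the Python below shows how a target can evaluate such a rule, including the kind of scope check Shibboleth targets apply to scoped attributes: the asserting origin must be authoritative for the scope it claims, so one origin cannot assert `member` in another institution’s scope. The scopes, origin names (`gsu-origin`, `other-origin`) and the entitlement URN `urn:mace:example:oclc-contract` are constructed placeholders, not the pilot’s real values (the deck elides the actual entitlement URN).

```python
# Added example for this page (not OCLC or Shibboleth code): evaluating an
# OCLC-style attribute requirement on the target side. Attribute names are from
# the slide; scopes, origin names and the entitlement URN are constructed.
from typing import Dict, Iterable, List, Tuple

# Constructed federation metadata: the scopes each origin is authoritative for.
ORIGIN_SCOPES: Dict[str, set] = {
    "gsu-origin": {"example.edu"},
    "other-origin": {"other.example"},
}


def parse_scoped(value: str) -> Tuple[str, str]:
    """Split 'member@example.edu' into ('member', 'example.edu'); reject malformed values."""
    if value.count("@") != 1 or value.startswith("@") or value.endswith("@"):
        raise ValueError(f"not a scoped attribute value: {value!r}")
    val, scope = value.split("@")
    return val.lower(), scope.lower()


def filter_scoped(origin: str, values: Iterable[str]) -> List[Tuple[str, str]]:
    """Keep only values whose scope the asserting origin may use.
    Malformed values and values in a scope the origin does not own are dropped."""
    allowed = {s.lower() for s in ORIGIN_SCOPES.get(origin, set())}
    kept = []
    for v in values:
        try:
            val, scope = parse_scoped(v)
        except ValueError:
            continue
        if scope in allowed:
            kept.append((val, scope))
    return kept


def _as_list(x) -> List[str]:
    """Attributes may arrive single- or multi-valued; normalise to a list."""
    if x is None:
        return []
    return [x] if isinstance(x, str) else list(x)


def authorize(origin: str, attrs: Dict[str, object],
              required_scope: str, required_entitlement: str) -> Tuple[bool, str]:
    """OCLC-style rule: 'member' affiliation in the contracted scope AND the contract entitlement."""
    affiliations = filter_scoped(origin, _as_list(attrs.get("eduPersonAffiliation")))
    if ("member", required_scope.lower()) not in affiliations:
        return False, f"no valid member affiliation in scope {required_scope}"
    if required_entitlement not in _as_list(attrs.get("eduPersonEntitlement")):
        return False, f"missing entitlement {required_entitlement}"
    return True, "access permitted"


if __name__ == "__main__":
    released = {"eduPersonAffiliation": ["member@example.edu"],
                "eduPersonEntitlement": ["urn:mace:example:oclc-contract"]}
    print(authorize("gsu-origin", released, "example.edu", "urn:mace:example:oclc-contract"))
    print(authorize("other-origin", released, "example.edu", "urn:mace:example:oclc-contract"))
```

The second call is refused even though the attribute values are identical, because `other-origin` is not listed as authoritative for `example.edu`; without that check any origin in the federation could mint a qualifying affiliation for another institution’s contract.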
Ongoing Work
• Federations
– InQueue (pilot) to InCommon (incorporated Board of Directors…)
– Policy framework
• Production Server (Origin Service)
– Enterprise level hardware
– Full SSL on all components
– Production certificates (not test certs…)
• Provisioning services & management of attributes/roles
– IBM Directory Integrator component
Ongoing NMI Working Groups...
• Shibboleth Academic Sig
– Focus group: Library SysAdmin of vendor licenses
– Drafting second set of vendors
• Other vendors? Georgia State needs
– 200+ Library Vendors
– WebCT
– Galileo (Georgia Statewide Library)
• Research & deployment opportunities?
– Vaishnavi & Stucke (CIS) & Atlanta Airport
More info & links you can test drive
• Shibboleth – Internet2
– http://shibboleth.internet2.edu/
• Switch - Swiss Education and Research Network (demo)
– http://www.switch.ch/aai/demo/
– Demos using Example State University
• WebCT press release Shibboleth
– http://www.webct.com/service/ViewContent?contentID=13718085
• etymology
  – http://shibboleth.sourceforge.net/
Contact
Art Vandenberg
[email protected]
Thank you
Second NMI Integration Testbed Workshop on Experiences in Middleware Deployment
Anaheim, CA, Monday November 3, 2003, 8:30 am – 5:00 pm