Presentation is loading. Please wait.

Presentation is loading. Please wait.

ELAG Trondheim 2004 1 Distributed Access Control - BIBSYS and the FEIDE solution Sigbjørn Holmslet, BIBSYS, Norway Ingrid Melve, UNINET, Norway.

Similar presentations


Presentation on theme: "ELAG Trondheim 2004 1 Distributed Access Control - BIBSYS and the FEIDE solution Sigbjørn Holmslet, BIBSYS, Norway Ingrid Melve, UNINET, Norway."— Presentation transcript:

1 ELAG Trondheim Distributed Access Control - BIBSYS and the FEIDE solution Sigbjørn Holmslet, BIBSYS, Norway Ingrid Melve, UNINET, Norway

2 ELAG Trondheim Some definitions Authentication - Process of providing the identity of a user. (Who are you?) Authorization - Process of granting or denying access rights for a resource to an authenticated user. (What are you allowed to do?) Credentials - Information that includes identification and proof of identification that is used to gain access to resources. Examples of credentials are user names and passwords, smart cards, and certificates.

3 ELAG Trondheim Problems in a distributed environment Lots of credentials Lots of registration and logon procedures

4 ELAG Trondheim Distributed Access Control

5 ELAG Trondheim Single Sign On (SSO) SSO = challenges Technological issues proxies cookies timeout Security issues shared credentials different security levels trust

6 ELAG Trondheim The trend in distributed access control

7 ELAG Trondheim Some BIBSYS-facts BIBSYS is an integrated library system used by all Norwegian University Libraries, the National Library, all College Libraries, and a number of research libraries The BIBSYS users Primary users: Ca librarians End users: Ca – patrons (not all active) Ca 4000 – academic users (research document database) – users of other different systems

8 ELAG Trondheim Access Control: A1 – Unix A2 – User file BIBSYS history of access control (the late eighties) Legacy System (cataloguing, search, etc) A1 = Authentication A2 = Authorization Users UNIX pw. file

9 ELAG Trondheim BIBSYS history of access control (mid. nineties) A1 = Authentication A2 = Authorization Access Control: A1 – Patron-ID, last name A2 – Access Control: A1 – Unix A2 – User file Legacy System Web search Patrons IP-list Access Control: A1 – IP-filtering A2 – ISI search Users UNIX pw. file

10 ELAG Trondheim Access Control: A1 – Apache password-file Access Control: A1 – Patron-ID, last name A2 – Access Control: A1 – Unix A2 – User file BIBSYS history of access control (late nineties) Legacy System Web search A1 = Authentication A2 = Authorization Some web service Patrons Apache pw. file IP-list Access Control: A1 – IP-filtering A2 – ISI search Users UNIX pw. file Access Control: A1 – Apache password-file Some web service Apache pw. file

11 ELAG Trondheim BIBSYS in the late nineties BIBSYS

12 ELAG Trondheim BIBSYS Access Control Project Goal: Provide interoperability between internal systems Offer access control to our patrons. Avoid administration overhead. Consider cross-organizational access control.

13 ELAG Trondheim BIBSYS Access Control Project We considered two commercial access control systems, Candle/Cactus ISOS/Athens. Conclusion: Too expensive BIBSYS is not the right institution to host a cross- organizational access control system for our end users. Decisions: Develop our own access control for internal use Wait and see for an cross-organizational solution.

14 ELAG Trondheim Common role based access control system A common A common role based access control system Only access-relevant information: credentials, roles, IPs Patrons Apache pw. file IP-list Users UNIX pw. file Apache pw. file

15 ELAG Trondheim Starting point A1 = Authentication A2 = Authorization Access Control: A1 – Apache password-file Access Control: A1 – Patron-ID, last name A2 – Access Control: A1 – Unix A2 – User file Legacy System Web search Some web service Patrons Apache pw. file IP-list Access Control: A1 – IP-filtering A2 – ISI search Users UNIX pw. file Access Control: A1 – Apache password-file Some web service Apache pw. file

16 ELAG Trondheim Result (ideal) Service A Service B Service C Service D Service E Common role based access control system

17 ELAG Trondheim Result (real) Implemented a new role based access control system We released new personalized services for patrons and librarians Low administration costs (machine-generated password by ) Still some systems use their old access control The wait and see strategy paid off – result: FEIDE

18 ELAG Trondheim Status of 2002 BIBSYS

19 ELAG Trondheim New challenge Offering our users access through the FEIDE system

20 ELAG Trondheim FEIDE (Federated Electronic Identity for Education) Goals of the FEIDE project: Establish a common, secure electronic identity for Norwegian academic users. Implement the academic sector's system for reliable user data handling, secure identification of internet-service users and assignment of user access-rights. Common data model for persons Standardization/development of user management systems Provide a central login server

21 ELAG Trondheim Integrating with the FEIDE system (I) One year ago we released a pilot using the FEIDE authentication Application: Personalized services for patrons and librarians Technology: Java Servlets, Tomcat server Objective: technical issues (not performance) Available for a limited group of users

22 ELAG Trondheim Integrating with the FEIDE system (II) Efforts to make it work Received a Java-library, a Servlet Filter and a certificate from FEIDE Configured Tomcat to use the Servlet Filter Configured the Servlet Filter

23 ELAG Trondheim Integrating with the FEIDE system (III) Experiences with the pilot Easy to implement No errors throughout the test period The users were satisfied

24 ELAG Trondheim Integrating with the FEIDE system (IV) One obstacle: How to map a FEIDE user to a BIBSYS user? Solution: The National Identity Number BIBSYS have to extend the user database to include The National Identity Number

25 ELAG Trondheim Overview of the logon process FEIDE BIBSYS (Tomcat servlet container) Filter User BIBSYS- services (servlet) MORIA AT (LDAP-server) AT (LDAP-server) AT (LDAP-servers) BIBSYS- services (servlets) BIBSYS users 8 9

26 ELAG Trondheim Future plans Let the pilot go into production within 3-4 months Try out the Single Sign On features of FEIDE Make use of other user attributes than only the National Identity Number. (For authorisation and for updating our own user data)


Download ppt "ELAG Trondheim 2004 1 Distributed Access Control - BIBSYS and the FEIDE solution Sigbjørn Holmslet, BIBSYS, Norway Ingrid Melve, UNINET, Norway."

Similar presentations


Ads by Google