Why are HEAnet in this space? –Collaborative, shared and cloud services –IP address access control and IPv6 –Synergy with eduroam (single credential, eduGAIN)

Presentation transcript:

Why are HEAnet in this space?
– Collaborative, shared and cloud services
– IP address access control and IPv6
– Synergy with eduroam (single credential, eduGAIN)
– NREN fulfils the role of federation operator

Terminology
Single Log On
– single point of authentication
– synchronised account and credentials
– authenticate to each application
Single Sign On (SSO)
– single point of authentication
– single credential, single account
– authenticate once

Identity Provider
– Authenticates the user and provides user data (personal, non-personal or none)
Service Provider
– Authorises access based on incoming data
– Personalises the experience based on incoming data
– Persists the experience between sessions
– Links application data with incoming data

Identity Providers
– Institutes of Technology
– Universities
– Research agencies on the HEAnet network
– Expanded set in the future

Potential Services
Institutional services
» Any website requiring a login [for non-campus users]
Shared services
» HEAnet services, An Cheim services, IReL, NDLR
Academic content
» Publishers (EBSCO, Elsevier, JSTOR) and databases
Research portals
» Or any cross-institutional research group resource
Organisations offering academic discount
» Microsoft Dreamspark, o2, Travelcard

Potential Services
Applications: Bodington.org, Condor, Confluence Wiki, Darwin Streaming, Dokuwiki, Drupal, DSpace, eAcademy, Fedora Repository, Google Apps, GridSphere/GridShib, Dawsonera, Horde, Joomla, LionShare, MediaWiki, Mahara, MyProxy, Napster, PHEAA, Sharepoint, SYMPA, Symplicity, TargetConnect, TWiki, uPortal, WordPress, Zope + Plone
Content and services: ArtSTOR, Elluminate, CSA, Digitalbrain, EBSCO, Elsevier, Science Direct, ExLibris, JSTOR, The Literary Encyclopedia, Metapress, Moodle, OCLC, Ovid, Project MUSE, Thomson Reuters, Proquest, Serial Solutions, SCRAN, Thomson Gale, EZproxy, Blackboard, CLIX, Sakai, WebAssign, WebCT, TurnItIn, Zetoc

Internationally
AT – ACOnet-AAI
AU – Australian Access Federation (AAF)
CA – Canadian Access Federation (CAF)
CH – SWITCHaai
CZ – eduID.cz
DE – DFN-AAI
DK – WAYF
ES – SIR
FI – Haka
FR – Fédération Éducation-Recherche
GR – GRNET
HR –
HU – NIIF AAI
IE – Edugate
IT – IDEM
LV – LAIFE
NL – SURFnet
NO – FEIDE
PT – RCTSaai
SE – SWAMID
US – InCommon
UK – UK Access Management Federation for Education and Research
eduGAIN to connect these federations

UK Access Mgmt. Fed.
– The Athens service was proprietary and library-only
– Open standards were used for non-library services
– The UK Access Management Federation provides an alternative to Athens that allows a single access platform to serve both library and non-library services
– 800 members; all UK Higher Education Institutions have joined the UK Access Management Federation
– 50% of those institutions use it to gain access to library content using Shibboleth; 50% use the Athens Gateway to federated access
– Publisher support for Shibboleth is approximately 50%

Based on the SAML2 Protocol
– Interoperable Web-SSO Profile (saml2int.org)
– Shibboleth 2, simpleSAMLphp
– Oracle, IBM, Ping and Microsoft ADFS v2
Implementation
– Service Provider: web server plug-in (optional application integration)
– Identity Provider: web application with a connection to the campus directory

Z39.50 Protocol
– Search multiple targets at the same time
– Retrieve
SAML Protocol
– Authenticate with multiple targets as needed
– Authorise

Authentication
– Responsibility of the institution
– Usually LDAP, but other options available
Authorization
– Controlled by the service provider
– Institution can filter users before the service provider
– Based on the user's attributes

Attributes
– GivenName, surname & Organisation – Joseph, Bloggs, University of
– EduPersonPrincipalName –
– EduPersonTargetedID – a44ffed231eda7b7a7d
– EduPersonScopedAffiliation –
– EduPersonEntitlement – urn:mace:heanet.ie:media:write

Attributes: eduPersonScopedAffiliation
– student: undergraduate or postgraduate
– staff: all staff
– faculty: to distinguish teaching staff
– employee: staff other than staff/faculty (e.g., contractor)
– member: comprises all the categories named above
– affiliate: relationship short of full member
– alum: alumnus (graduate)
– library-walk-in
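The three preceding slides describe the division of labour in a federation: the institution authenticates and asserts attributes, the service provider authorises on them. The following is an added example, not Edugate or HEAnet code, showing what a service provider does with those attributes after the SAML assertion has been signature-checked: it parses the AttributeStatement, keeps only eduPersonScopedAffiliation values whose scope the issuing IdP is registered for (so one institution cannot assert that a user is faculty elsewhere), expands student/staff/faculty/employee into member as the slide describes, and then applies an affiliation or entitlement requirement. The IdP name, the scope example-college.ie, the user and the assertion are all constructed; the attribute OIDs are the real eduPerson ones.

```python
# Added example (not HEAnet/Edugate code): attribute-based authorisation at a
# Service Provider. All names, scopes and the sample assertion are constructed.
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
# eduPerson attribute names in the OID form used on the SAML wire (real OIDs)
EPPN = "urn:oid:1.3.6.1.4.1.5923.1.1.1.6"   # eduPersonPrincipalName
EPE = "urn:oid:1.3.6.1.4.1.5923.1.1.1.7"    # eduPersonEntitlement
EPSA = "urn:oid:1.3.6.1.4.1.5923.1.1.1.9"   # eduPersonScopedAffiliation

# Affiliations that the slide says are subsumed by "member"
MEMBER_AFFILIATIONS = {"student", "staff", "faculty", "employee"}

# Constructed assertion for a student of a hypothetical IdP. The second
# scoped-affiliation value claims a scope this IdP is not registered for.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}" ID="_example1" Version="2.0"
    IssueInstant="2011-06-01T12:00:00Z">
  <saml:Issuer>https://idp.example-college.ie/idp/shibboleth</saml:Issuer>
  <saml:AttributeStatement>
    <saml:Attribute Name="{EPPN}">
      <saml:AttributeValue>jbloggs@example-college.ie</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="{EPSA}">
      <saml:AttributeValue>student@example-college.ie</saml:AttributeValue>
      <saml:AttributeValue>faculty@other-college.ie</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="{EPE}">
      <saml:AttributeValue>urn:mace:heanet.ie:media:write</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_attributes(assertion_xml):
    """Collect {attribute name: [values]} from the AttributeStatement.
    Signature and audience checks are assumed to have been done by the SP already."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        values = [v.text.strip() for v in attr.findall(f"{{{SAML_NS}}}AttributeValue")
                  if v.text and v.text.strip()]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def scoped_affiliations(attrs, allowed_scopes):
    """Return the affiliations asserted for scopes this IdP may speak for.

    Values look like 'affiliation@scope'. A value whose scope is not in the
    IdP's registered scope list (from federation metadata) is dropped, so an
    IdP cannot claim that a user is faculty at another institution. Any
    member-level affiliation also implies 'member', as the slide describes.
    """
    allowed = {s.lower() for s in allowed_scopes}
    affiliations = set()
    for value in attrs.get(EPSA, []):
        affiliation, sep, scope = value.rpartition("@")
        if not sep or scope.lower() not in allowed:
            continue  # unscoped or out-of-scope value: ignore it
        affiliation = affiliation.lower()
        affiliations.add(affiliation)
        if affiliation in MEMBER_AFFILIATIONS:
            affiliations.add("member")
    return affiliations


def authorise(attrs, allowed_scopes, required_affiliation=None, required_entitlement=None):
    """Decide access from the filtered affiliations and entitlements.
    Returns (allowed, reason)."""
    affiliations = scoped_affiliations(attrs, allowed_scopes)
    if required_affiliation and required_affiliation not in affiliations:
        return False, f"missing affiliation {required_affiliation}"
    if required_entitlement and required_entitlement not in attrs.get(EPE, []):
        return False, f"missing entitlement {required_entitlement}"
    return True, "ok"


if __name__ == "__main__":
    attrs = parse_attributes(SAMPLE_ASSERTION)
    scopes = {"example-college.ie"}  # scopes registered for this IdP in metadata
    print(scoped_affiliations(attrs, scopes))                  # {'student', 'member'}
    print(authorise(attrs, scopes, required_affiliation="member"))
    print(authorise(attrs, scopes, required_affiliation="faculty"))  # spoofed scope dropped
    print(authorise(attrs, scopes, required_entitlement="urn:mace:heanet.ie:media:write"))
```

In a real Shibboleth SP deployment the scope check is performed by the SP's attribute filter against the scopes published for the IdP in federation metadata; the point of doing it explicitly here is to show why an affiliation value without a trusted scope must not grant anything.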

Why use Edugate...
– Reduce account provisioning for walk-in and campus users
– Reduce the number of passwords for your users
– Reduce the number of prompts for those passwords
– Filter user access to content by affiliation or special groups
– Stop worrying about licences and users on your wifi network or open terminals
– Start to eliminate abuse of shared credentials/generic accounts
– IPv4 to IPv6 migration ( vs 2002:c101:e4a5::c101:e4a5)
– Enhanced personalisation, without losing privacy
– No fee

Edugate on Campus
– IT department sets up the identity provider service (IdP)
– Any other department can opt to accept a federated login (SP)
– Library can opt to replace the EZproxy URL in the catalogue
– Library can opt to enable federated login to the library website and repositories
– Library can opt to integrate EZproxy with the IdP

Edugate on Campus
IT departments that have set up an identity provider service (IdP): IADT, UCD, CIT, DKIT, TCD, NUIM, NUIG, ITT, WIT, LIT, DCU, DIT, UL, DIAS, NCAD

Edugate on Campus [diagram: Catalogue with EZproxy; Publisher content; LDAP; User; Publisher content]

Edugate on Campus [diagram: Catalogue with EZproxy; Publisher content; LDAP; User; Shibb; Publisher content]

Edugate on Campus [diagram: Catalogue with EZproxy; Publisher content; LDAP; User; Shibb; Publisher content; non-library services]

Edugate on Campus [diagram: Catalogue (with Shibb); Publisher content; LDAP; User; Shibb; Publisher content; non-library services]

Edugate on Campus [diagram: Catalogue (without EZproxy); Publisher content; LDAP; User; Shibb; Publisher content; non-library services]

Hybrid Edugate on Campus [diagram: Catalogue (some EZproxy, some Shibb); Publisher content; LDAP; User; Shibb; Publisher content; non-library services]

Edugate on Campus [diagram: Repository (with Shibb); full upload or preferences; LDAP; User; Shibb; LDAP; Shibb; LDAP; Shibb]

Edugate for non-academic libraries [diagram: Repository (with Shibb); full upload or preferences; LDAP; User; Shibb; LDAP; Shibb; LDAP; Shibb]

When to use EZproxy, Shibboleth or other [diagram labels: Shibb-enabled; IP; Athens]

Edugate on Campus (assuming a service supports Shibboleth)
Use Shibboleth...
– if you intend to take advantage of fine-grained access control
– if the service offers personalisation and persistent sessions (e.g. search results, search preferences etc.)
– if the content of the service is frequently accessed as a result of a Google search rather than a search of your OPAC (thus bypassing your EZproxy URLs)
– if Shibboleth is frequently used to access other services like student and you want to avail of single sign-on with no re-authentication prompts

Edugate on Campus
Some services do not support a Shibboleth login yet.
– Use EZproxy for services with no personalisation features, for services that don't feature in Google results, and for services that don't support Shibboleth
– Use EZproxy with Shibboleth for these non-personalised services if your campus uses Shibboleth for other frequently accessed services (thus benefiting from single sign-on)
– Use Shibboleth if any of the reasons listed on the previous slide fit

IdP Configuration [diagram: Edugate Resource Registry; Shibboleth IdP; IdP Admin; DB; Shibb config files; SP Admin; IdP Admin; SP Admin; non-Shibb IdP]