Shibbolising UK Census and ESDS services Lucy Bell Associate Director, Head of Information Systems and Preservation, UKDA 26 May 2005.

Presentation transcript:

Shibbolising UK Census and ESDS services Lucy Bell Associate Director, Head of Information Systems and Preservation, UKDA 26 May 2005

Today
- Our project: SAFARI
- Background: the one-stop registration service
- Introducing Shibboleth
- A model of target-to-target communication
- Comparisons
- What next?

SAFARI
- Shibboleth Authentication For Access to the Resource Infrastructures of the UKDA
- JISC-funded, 1-year project (April 2005 – March 2006)
- Aims:
  - to apply Shibboleth middleware to 3 UKDA resources
  - to embed Shibboleth technology within the one-stop registration system which is used by MIMAS, EDINA, AHDS History – all geographically dispersed
  - this should provide greater flexibility for the resource owners and, consequently, for the users

One-stop registration
- Established 2001/2002
  - Single registration for 7 resources
- Centralised registration but distributed logins
- Uses centralised Athens authentication / authorisation
- Communication occurs between resources, using strings written to users' Athens profiles to identify:
  - Registered users
  - Users who have agreed to certain special conditions
  - Big disadvantage: this information cannot be over-written

The current system (diagram; components: DSU, Athens, UKDA, Registration)
- Athens user logs in
- Question: has the user registered?
  - Answer: yes, user logs in to use the data
  - Answer: no, user is taken to the registration form
- Users' details are stored in the UKDA database
- User is directed back to the DSU/ESDS after successful registration
- Athens is updated with the information that the user has registered so they are not prompted for the form a second time
- With AthensSSO the user can move between resources without logging on again

The key issue
- How to enable the dispersed resources to recognise registered users using Shibboleth (and in a way that can be over-written)?

Introducing Shibboleth
- Middleware which provides protocols for transferring user attributes from origin to target
- User authenticates locally
  - Method used is up to the origin
- User is authorised at the target
  - Method used is up to the resource, but using the attributes supplied by the origin – these attributes will be the key for us
  - Tools are available to help, such as PERMIS

Shibboleth login
Picture courtesy of SWITCH, Swiss Education & Research Network, _intro.html

Issues relating to Shibboleth
- Centralised registration = making a cat bark
  - Shibboleth emphasises user privacy
  - However, data owners require more controls
  - Others have approached similar resource-related identity issues
- Other advantages:
  - More fine-grained authorisation
  - Bring access control back to the resource owner
  - Complementary to Athens system, an alternative route into the data

The potential system (diagram; components: DSU, UKDA, Registration)
- Shibboleth user approaches resource
- User is authenticated at their originating institution
- Origin provides a handle, used by Resource (DSU) to obtain user's attributes
- Resource uses attributes to determine user's access rights AND / OR interrogates registration system
- Question: has the user registered?
  - Answer: yes, user logs in to use the data
  - Answer: no, user is taken to the registration form
- Users' details are stored in the UKDA database; registration information is a) stored somewhere and b) communicated to the DSU
- User is directed back to the DSU after successful registration
- These are the key parts with which SAFARI is grappling

Target-to-target communication
- Possible solutions:
  - A separate call to Essex
    - Would ensure control was within the system's hands
    - But not necessarily standards-based
    - Doubles the risk of failure
    - Could employ session variables to allow single sign-on within one browser session
  - Establish a proxy Identity Provider (IdP)
    - Attractive alternative, but untested
    - Apply additional attributes for each resource, when logged into
    - Standards-based and recommended by Scott Cantor
    - Would still require an extra call to Essex at each authentication, which doubles the risk of failure
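
The "separate call to Essex" option above, sketched as an added example (not code from the SAFARI project): a resource takes the identifier released by the origin, asks the central registry whether the user is registered and has accepted the resource's special conditions, and keeps the answer in session variables. The attribute name `targeted_id`, the registry contents and the 15-minute reuse window are assumptions made for illustration.

```python
import time

CACHE_TTL = 900  # seconds an answer is reused within one session (assumed value)

# Constructed sample data standing in for the central registration database.
# Keys are opaque identifiers released by the origin; unlike the strings in
# Athens profiles, these records can be overwritten.
REGISTRY = {
    "opaque-id-001": {"registered": True, "conditions": {"census"}},
    "opaque-id-002": {"registered": True, "conditions": set()},
}

class RegistrationUnavailable(Exception):
    """The separate call to the registration service failed."""

def lookup_registration(user_id, registry_up=True):
    """Hypothetical target-to-target call from a resource to the registry."""
    if not registry_up:
        raise RegistrationUnavailable(user_id)
    rec = REGISTRY.get(user_id, {"registered": False, "conditions": set()})
    return {"registered": rec["registered"], "conditions": set(rec["conditions"])}

def satisfies(record, condition):
    """True if the user is registered and has agreed to the given condition."""
    return record["registered"] and (condition is None or condition in record["conditions"])

def authorise(attributes, condition, session, registry_up=True, now=None):
    """Return 'allow', 'register', 'accept-conditions' or 'deny'."""
    now = time.time() if now is None else now
    user_id = attributes.get("targeted_id")  # assumed attribute name
    if not user_id:
        return "deny"  # origin released no usable identifier
    cached = session.get("reg")
    fresh = bool(cached) and cached["user"] == user_id and now - cached["at"] < CACHE_TTL
    record = cached["record"] if fresh else None
    # Only a cached answer that already grants access is reused; anything else
    # is re-checked so a new registration takes effect immediately.
    if record is None or not satisfies(record, condition):
        try:
            record = lookup_registration(user_id, registry_up)
        except RegistrationUnavailable:
            return "deny"  # fail closed: the extra call is a second point of failure
        session["reg"] = {"user": user_id, "at": now, "record": record}
    if not record["registered"]:
        return "register"
    if not satisfies(record, condition):
        return "accept-conditions"
    return "allow"
```

A cached positive answer keeps a session working while the registry is unreachable, whereas a new session in the same outage is denied rather than let in unchecked.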

Comparisons already in place
- VOSP (University of Alabama)
  - Similar to the idea of a proxy IdP
  - VO = Service Provider within a federation
  - User is directed to their local IdP and the VOSP to gather up all the attributes required before being authorised by the resource
  - Central attribute repository service for the VO
- SWITCHaai, Switzerland
  - Registration devolved to each organisation (7 signed up so far)
  - Registered User = an attribute which origin supplies
  - Ideal but currently impractical in the UK (700+ organisations, as opposed to 7)
  - Problems of updating a registration module plug-in: special conditions would need to be stable etc.
- Shibboleth also in production standard via HAKA Federation, Finland

What next?
- Finalise and implement the system specification
  - Complete the establishment of the 3 targets (underway)
  - Introduce the system of target-to-target communication (Sept 05)
  - Embed within the one-stop registration system (Dec 05)
- Evaluate, via user testing/survey (Jan/Feb 06), and refine
- Write up as a case study (Feb/Mar 06)
- If model created successfully, roll out to the remaining services (post Mar 06)

More information
- Project Manager: Lucy Bell
- Project web site: (available June 05)