Shibboleth at USMAI David Kennedy Spring 2006 Internet2 Member Meeting, April 24-26, 2006 – Arlington, VA.

Presentation transcript:

Shibboleth at USMAI David Kennedy Spring 2006 Internet2 Member Meeting, April 24-26, 2006 – Arlington, VA

USMAI Consortium of Libraries
–Univ. System of Maryland and Affiliated Institutions
–16 libraries from the 12 campuses of the USM and 2 affiliated Maryland higher ed institutions
–Began in 1982 with a subset of these institutions
–Over 7,000,000 items in catalog
–Approximately 200,000 patrons
–Built on a resource sharing model
–Hosted at the University of Maryland
–Governed by the Council of Library Directors (CLD)

USMAI Consortium of Libraries
Shared IT products and services, e.g.:
–Systems administration, development and help desk
–E-resource licensing and procurement
–Consortium-wide ID management (patron database)
–Library Information Management System (Aleph)
–OpenURL resolver (SFX)
–E-resource portal (MetaLib)
–Proxy services (EZproxy)
–ILL (ILLiad)
–Institutional repository (DSpace)
–E-resource management (Verde)

What is the problem?
–Multiple logins for multiple services
–Need to secure the flow of data for multiple logins across different applications
–Username/password embedded in URLs to give the appearance of single sign-on

Why Shibboleth?
–Other solutions considered: PDS, CAS, Pubcookie
–Shibboleth offers:
–Single sign-on
–Secure handling of user attributes
–Flexibility to use different AuthZ criteria per service
–Designed to function across domains
–Ability to authenticate for different vendors’ products

Shib architecture
–Shibboleth – an architecture for handling authentication and attribute assertion in a secure and controlled manner
–Service Provider (SP) – the resource
–Identity Provider (IdP) – the AuthN source
–WAYF – Where Are You From
–WebISO – Web Initial Sign-On

Shib architecture

Investigation
–Installed a generic single-institution IdP
–Installed a generic service provider (a script that prints out attributes)
–Proof of concept

Implementation
–Chose EZproxy and Ex Libris’ MetaLib/PDS as the initial SPs
–EZproxy was already Shibboleth-enabled, so it was easily configured
–Had to implement multiple identity providers for the institutions in the consortium

IdP Implementation
–Multiple institutions in one installation
–Multiple configurations for attributes and trust settings
–Separate Tomcat servlets per institution
–Multiple LDAP settings in WebISO for user verification

Multiple Identity Providers – Virtually Separate
–Totally separate identity providers as far as service providers are concerned
–Unique access points
–Separate trust relationships

EZproxy
–Host EZproxy instances for 14 institutions
–Now Shib-enabled
–Access to online resources by user attributes

PDS
–Patron Directory Service
–Single sign-on between Ex Libris applications
–AuthN and AuthZ

Role of PDS in Shib Environment
–Dual role of WAYF and SP
–AuthN
–AuthZ at the application level (MetaLib, in our case)

PDS as WAYF
–PDS presents the list of institutions (WAYF)
–Choice of institution redirects to an institution-specific URL within PDS

PDS as SP
–Each URL is protected by a different institution’s Identity Provider
–IdP handles authentication and attribute assertion
–SP receives attributes back from the IdP and establishes the PDS session

Shib SP configuration
–shibboleth.xml – settings for the SP
–Multiple applications defined, each with a different Identity Provider
–RequestMap defined – maps URLs to Shib applications
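The slides above describe a RequestMap that maps each institution-specific PDS URL to its own SP application, and each application to a different IdP. The fragment below is an added illustration in the style of a Shibboleth SP 1.3-era shibboleth.xml; it is not USMAI's file, and the hostnames, entity IDs, paths and the two campus names are assumed. The element and attribute names follow the 1.3 configuration schema as the editor recalls it; check them against the schema shipped with your SP release.

```xml
<!-- Illustrative fragment only (not USMAI's configuration). Assumed values:
     pds.example.edu hosts PDS; campus-a and campus-b are two consortium members. -->
<SPConfig xmlns="urn:mace:shibboleth:target:config:1.0">

  <Local>
    <RequestMapProvider type="edu.internet2.middleware.shibboleth.sp.provider.NativeRequestMapProvider">
      <RequestMap applicationId="default">
        <Host name="pds.example.edu">
          <!-- PDS (acting as WAYF) redirects the user to /pds/<campus>; each such path
               is bound to a separate application, hence to a separate IdP. -->
          <Path name="pds">
            <Path name="campus-a" applicationId="campus-a" requireSession="true"/>
            <Path name="campus-b" applicationId="campus-b" requireSession="true"/>
          </Path>
        </Host>
      </RequestMap>
    </RequestMapProvider>
  </Local>

  <!-- Default application: used for any path not claimed by a campus override. -->
  <Applications id="default" providerId="https://pds.example.edu/shibboleth">
    <Sessions lifetime="7200" timeout="3600" checkAddress="true" handlerURL="/Shibboleth.sso">
      <SessionInitiator isDefault="true" id="default" Location="/WAYF/default"
          Binding="urn:mace:shibboleth:sp:1.3:SessionInit"
          wayfURL="https://wayf.example.edu/WAYF"
          wayfBinding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"/>
    </Sessions>
    <!-- Credentials, metadata and trust providers omitted from this fragment. -->

    <!-- Per-institution override: wayfURL points straight at that campus's IdP SSO
         endpoint, so the SP never shows a WAYF of its own; PDS already did that step.
         Each override also has its own providerId, so the IdP sees a distinct SP and
         a distinct trust relationship can be configured per institution. -->
    <Application id="campus-a" providerId="https://pds.example.edu/shibboleth/campus-a">
      <Sessions lifetime="7200" timeout="3600" checkAddress="true" handlerURL="/Shibboleth.sso">
        <SessionInitiator isDefault="true" id="campus-a" Location="/WAYF/campus-a"
            Binding="urn:mace:shibboleth:sp:1.3:SessionInit"
            wayfURL="https://idp.campus-a.example.edu/shibboleth-idp/SSO"
            wayfBinding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"/>
      </Sessions>
    </Application>

    <Application id="campus-b" providerId="https://pds.example.edu/shibboleth/campus-b">
      <Sessions lifetime="7200" timeout="3600" checkAddress="true" handlerURL="/Shibboleth.sso">
        <SessionInitiator isDefault="true" id="campus-b" Location="/WAYF/campus-b"
            Binding="urn:mace:shibboleth:sp:1.3:SessionInit"
            wayfURL="https://idp.campus-b.example.edu/shibboleth-idp/SSO"
            wayfBinding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"/>
      </Sessions>
    </Application>
  </Applications>
</SPConfig>
```

Because the per-path application, not the user's choice at runtime, decides which IdP is trusted, a user who picks campus A in PDS cannot end up authenticated by campus B's IdP.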

Logout
–No logout is provided in the Shibboleth architecture
–Created a logout for the identity provider, with an optional redirect back to the service provider
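The slide above notes an IdP-side logout with an optional redirect back to the SP. The example below is added here and is not USMAI's code: it destroys the IdP session and honours the return URL only if it names a registered SP host, so the logout endpoint cannot be used as an open redirector. The session store, the hostnames and the function names are assumed.

```python
from urllib.parse import urlsplit

# Constructed registry of SP hosts the IdP is willing to send users back to.
# Hostnames are assumed for the example, not USMAI's real ones.
REGISTERED_SP_HOSTS = {"ezproxy.example.edu", "metalib.example.edu"}
DEFAULT_LANDING = "https://idp.example.edu/logged-out"


def safe_return_url(candidate, registered_hosts=REGISTERED_SP_HOSTS,
                    default=DEFAULT_LANDING):
    """Return `candidate` only if it is an absolute https URL whose host is a
    registered SP; otherwise return the IdP's own landing page."""
    if not candidate:
        return default
    parts = urlsplit(candidate)
    try:
        port = parts.port          # raises ValueError on a malformed port
    except ValueError:
        return default
    # Reject anything that is not plain https://<registered-host>/...:
    # userinfo (https://good.edu@evil.example) and explicit ports are refused
    # so the comparison below is against the real host only.
    if parts.scheme != "https" or parts.username or parts.password or port:
        return default
    host = (parts.hostname or "").lower()
    if host not in registered_hosts:
        return default
    return candidate


def logout(session_store, session_id, return_url=None):
    """Drop the IdP SSO session so the next SP request forces fresh AuthN,
    then pick a redirect target. Returns (session_was_destroyed, redirect_to)."""
    destroyed = session_store.pop(session_id, None) is not None
    return destroyed, safe_return_url(return_url)


if __name__ == "__main__":
    # Constructed in-memory session store standing in for the IdP's real one.
    sessions = {"sess-1": {"user": "jdoe", "institution": "campus-a"}}
    print(logout(sessions, "sess-1", "https://ezproxy.example.edu/after-logout"))
    print(logout(sessions, "sess-1", "https://evil.example.org/"))
```

Note that this only ends the IdP session; SP sessions at EZproxy or PDS remain valid until they expire or the SP clears them itself.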

ILLiad
–InterLibrary Loan software, Atlas Systems
–Consortial implementation – 8 institutions, 2 stand-alone installations to be shibbed
–ILLiad is now aware of 1 Shib attribute, the identifier
–Future – work with Atlas so that ILLiad can take advantage of other attributes (v 7.2?)

Before

After

Project Details
–Began investigation – March staff member
–16 IdPs, 3 SPs into production, April 2006
–Hardware:
–Test – Sun Fire V480, 2x900MHz UltraSparc III, 8GB RAM (shared server)
–Production – Sun Fire V880, 4x900MHz UltraSparc III+, 16GB RAM (shared server)
–Documentation

Challenges
–Technical:
–Consortia – virtually separate identity providers
–Logout
–LDAP – hook into our LDAP; a single LDAP for all institutions; only use institution-specific attributes
–Learning curve; needed concentrated chunks of staff time
–Making Shibboleth a priority

What’s next?
–We are rolling out more service providers
–ILLiad going into production within the month
–Aleph to be a Shib service provider by year’s end
–Online resources
–Consortial members implementing their own identity providers

David Kennedy Shib project page: