Presentation is loading. Please wait.

Presentation is loading. Please wait.

ELAG Trondheim 2004 1 Distributed Access Control - BIBSYS and the FEIDE solution Sigbjørn Holmslet, BIBSYS, Norway Ingrid Melve, UNINET, Norway.

Published byNasir Garner Modified over 9 years ago

Similar presentations

Presentation on theme: "ELAG Trondheim 2004 1 Distributed Access Control - BIBSYS and the FEIDE solution Sigbjørn Holmslet, BIBSYS, Norway Ingrid Melve, UNINET, Norway."— Presentation transcript:

1 ELAG Trondheim 2004 1 Distributed Access Control - BIBSYS and the FEIDE solution Sigbjørn Holmslet, BIBSYS, Norway Ingrid Melve, UNINET, Norway

2 ELAG Trondheim 2004 2 Some definitions Authentication - Process of providing the identity of a user. (Who are you?) Authorization - Process of granting or denying access rights for a resource to an authenticated user. (What are you allowed to do?) Credentials - Information that includes identification and proof of identification that is used to gain access to resources. Examples of credentials are user names and passwords, smart cards, and certificates.

3 ELAG Trondheim 2004 3 Problems in a distributed environment Lots of credentials Lots of registration and logon procedures

4 ELAG Trondheim 2004 4 Distributed Access Control

5 ELAG Trondheim 2004 5 Single Sign On (SSO) SSO = challenges Technological issues proxies cookies timeout Security issues shared credentials different security levels trust

6 ELAG Trondheim 2004 6 The trend in distributed access control

7 ELAG Trondheim 2004 7 Some BIBSYS-facts BIBSYS is an integrated library system used by all Norwegian University Libraries, the National Library, all College Libraries, and a number of research libraries The BIBSYS users Primary users: Ca 2.500 librarians End users: Ca 600.000 – patrons (not all active) Ca 4000 – academic users (research document database) 1000+ – users of other different systems

8 ELAG Trondheim 2004 8 Access Control: A1 – Unix A2 – User file BIBSYS history of access control (the late eighties) Legacy System (cataloguing, search, etc) A1 = Authentication A2 = Authorization Users UNIX pw. file

9 ELAG Trondheim 2004 9 BIBSYS history of access control (mid. nineties) A1 = Authentication A2 = Authorization Access Control: A1 – Patron-ID, last name A2 – Access Control: A1 – Unix A2 – User file Legacy System Web search Patrons IP-list Access Control: A1 – IP-filtering A2 – ISI search Users UNIX pw. file

10 ELAG Trondheim 2004 10 Access Control: A1 – Apache password-file Access Control: A1 – Patron-ID, last name A2 – Access Control: A1 – Unix A2 – User file BIBSYS history of access control (late nineties) Legacy System Web search A1 = Authentication A2 = Authorization Some web service Patrons Apache pw. file IP-list Access Control: A1 – IP-filtering A2 – ISI search Users UNIX pw. file Access Control: A1 – Apache password-file Some web service Apache pw. file

11 ELAG Trondheim 2004 11 BIBSYS in the late nineties BIBSYS

12 ELAG Trondheim 2004 12 BIBSYS Access Control Project Goal: Provide interoperability between internal systems Offer access control to our patrons. Avoid administration overhead. Consider cross-organizational access control.

13 ELAG Trondheim 2004 13 BIBSYS Access Control Project We considered two commercial access control systems, Candle/Cactus ISOS/Athens. Conclusion: Too expensive BIBSYS is not the right institution to host a cross- organizational access control system for our end users. Decisions: Develop our own access control for internal use Wait and see for an cross-organizational solution.

14 ELAG Trondheim 2004 14 Common role based access control system A common A common role based access control system Only access-relevant information: credentials, roles, IPs Patrons Apache pw. file IP-list Users UNIX pw. file Apache pw. file

15 ELAG Trondheim 2004 15 Starting point A1 = Authentication A2 = Authorization Access Control: A1 – Apache password-file Access Control: A1 – Patron-ID, last name A2 – Access Control: A1 – Unix A2 – User file Legacy System Web search Some web service Patrons Apache pw. file IP-list Access Control: A1 – IP-filtering A2 – ISI search Users UNIX pw. file Access Control: A1 – Apache password-file Some web service Apache pw. file

16 ELAG Trondheim 2004 16 Result (ideal) Service A Service B Service C Service D Service E Common role based access control system

17 ELAG Trondheim 2004 17 Result (real) Implemented a new role based access control system We released new personalized services for patrons and librarians Low administration costs (machine-generated password by email) Still some systems use their old access control The wait and see strategy paid off – result: FEIDE

18 ELAG Trondheim 2004 18 Status of 2002 BIBSYS

19 ELAG Trondheim 2004 19 New challenge Offering our users access through the FEIDE system

20 ELAG Trondheim 2004 20 FEIDE (Federated Electronic Identity for Education) Goals of the FEIDE project: Establish a common, secure electronic identity for Norwegian academic users. Implement the academic sector's system for reliable user data handling, secure identification of internet-service users and assignment of user access-rights. Common data model for persons Standardization/development of user management systems Provide a central login server

21 ELAG Trondheim 2004 21 Integrating with the FEIDE system (I) One year ago we released a pilot using the FEIDE authentication Application: Personalized services for patrons and librarians Technology: Java Servlets, Tomcat server Objective: technical issues (not performance) Available for a limited group of users

22 ELAG Trondheim 2004 22 Integrating with the FEIDE system (II) Efforts to make it work Received a Java-library, a Servlet Filter and a certificate from FEIDE Configured Tomcat to use the Servlet Filter Configured the Servlet Filter

23 ELAG Trondheim 2004 23 Integrating with the FEIDE system (III) Experiences with the pilot Easy to implement No errors throughout the test period The users were satisfied

24 ELAG Trondheim 2004 24 Integrating with the FEIDE system (IV) One obstacle: How to map a FEIDE user to a BIBSYS user? Solution: The National Identity Number BIBSYS have to extend the user database to include The National Identity Number

25 ELAG Trondheim 2004 25 Overview of the logon process FEIDE BIBSYS (Tomcat servlet container) Filter User BIBSYS- services (servlet) MORIA AT (LDAP-server) AT (LDAP-server) AT (LDAP-servers) BIBSYS- services (servlets) 1 23 4 5 6 7 BIBSYS users 8 9

26 ELAG Trondheim 2004 26 Future plans Let the pilot go into production within 3-4 months Try out the Single Sign On features of FEIDE Make use of other user attributes than only the National Identity Number. (For authorisation and for updating our own user data)

Download ppt "ELAG Trondheim 2004 1 Distributed Access Control - BIBSYS and the FEIDE solution Sigbjørn Holmslet, BIBSYS, Norway Ingrid Melve, UNINET, Norway."

Similar presentations

Open Grid Forum 19 January 31, 2007 Chapel Hill, NC Stephen Langella Ohio State University Grid Authentication and Authorization with.

Open Grid Forum 19 January 31, 2007 Chapel Hill, NC Stephen Langella Ohio State University Grid Authentication and Authorization with.
Distributed Access Control System

Distributed Access Control System
Single Sign-On with GRID Certificates Ernest Artiaga (CERN – IT) GridPP 7 th Collaboration Meeting July 2003 July 2003.

Single Sign-On with GRID Certificates Ernest Artiaga (CERN – IT) GridPP 7 th Collaboration Meeting July 2003 July 2003.
Jens G Jensen CCLRC e-Science Single Sign-on to the Grid Federated Access and Integrated Identity Management.

Jens G Jensen CCLRC e-Science Single Sign-on to the Grid Federated Access and Integrated Identity Management.
Experiences with Massive PKI Deployment and Usage Daniel Kouřil, Michal Procházka Masaryk University & CESNET Security and Protection of Information 2009.

Experiences with Massive PKI Deployment and Usage Daniel Kouřil, Michal Procházka Masaryk University & CESNET Security and Protection of Information 2009.
Access & Identity Management “An integrated set of policies, processes and systems that allow an enterprise to facilitate and control access to online.

Access & Identity Management “An integrated set of policies, processes and systems that allow an enterprise to facilitate and control access to online.
METALOGIC s o f t w a r e © Metalogic Software Corporation 2004-2006 DACS Developer Overview DACS – the Distributed Access Control System.

METALOGIC s o f t w a r e © Metalogic Software Corporation DACS Developer Overview DACS – the Distributed Access Control System.
Access management for repositories: challenges and approaches for MAMS James Dalziel Professor of Learning Technology and Director, Macquarie E-Learning.

Access management for repositories: challenges and approaches for MAMS James Dalziel Professor of Learning Technology and Director, Macquarie E-Learning.
FIPS 201 Personal Identity Verification For Federal Employees and Contractors National Institute of Standards and Technology Information Technology Laboratory.

FIPS 201 Personal Identity Verification For Federal Employees and Contractors National Institute of Standards and Technology Information Technology Laboratory.
Certification Authority. Overview  Identifying CA Hierarchy Design Requirements  Common CA Hierarchy Designs  Documenting Legal Requirements  Analyzing.

Certification Authority. Overview  Identifying CA Hierarchy Design Requirements  Common CA Hierarchy Designs  Documenting Legal Requirements  Analyzing.
Cross Platform Single Sign On using client certificates Emmanuel Ormancey, Alberto Pace Internet Services group CERN, Information Technology department.

Cross Platform Single Sign On using client certificates Emmanuel Ormancey, Alberto Pace Internet Services group CERN, Information Technology department.
Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.

Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.
Active Directory: Final Solution to Enterprise System Integration

Active Directory: Final Solution to Enterprise System Integration
Beispielbild Shibboleth, a potential security framework for EDIT Lutz Suhrbier AG Netzbasierte Informationssysteme (http://www.ag-nbi.de)http://www.ag-nbi.de.

Beispielbild Shibboleth, a potential security framework for EDIT Lutz Suhrbier AG Netzbasierte Informationssysteme (
Alcatel Identity Server Alcatel SEL AG. Alcatel Identity Server — 2 All rights reserved © 2004, Alcatel What is an Identity Provider?  

Alcatel Identity Server Alcatel SEL AG. Alcatel Identity Server — 2 All rights reserved © 2004, Alcatel What is an Identity Provider?  
Identity Management, what does it solve By Gautham Mudra.

Identity Management, what does it solve By Gautham Mudra.
LDS Account and the Java Stack. Disclaimer This is a training NOT a presentation. – Be prepared to learn and participate in labs Please ask questions.

LDS Account and the Java Stack. Disclaimer This is a training NOT a presentation. – Be prepared to learn and participate in labs Please ask questions.
Public Key Infrastructure from the Most Trusted Name in e-Security.

Public Key Infrastructure from the Most Trusted Name in e-Security.
Public Key Infrastructure Ammar Hasayen 2013. ….

Public Key Infrastructure Ammar Hasayen ….
1 ASP.NET SECURITY Presenter: Van Nguyen. 2 Introduction Security is an integral part of any Web-based application. Understanding ASP.NET security will.

1 ASP.NET SECURITY Presenter: Van Nguyen. 2 Introduction Security is an integral part of any Web-based application. Understanding ASP.NET security will.

Similar presentations

Ads by Google