
3 Nov 2003 A. Vandenberg © Second NMI Integration Testbed Workshop on Experiences in Middleware Deployment, Anaheim, CA 1 Shibboleth Pilot Local Authentication.


Slide 1: Shibboleth Pilot: Local Authentication and Authorization Control for Access to Remote Web Resources
Art Vandenberg, Director, Advanced Campus Services, Georgia State University, avandenberg@gsu.edu
“Copyright Art Vandenberg 2003. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.”

Slide 2: Given that...
Shibboleth – you know what it is...
You know key concepts of privacy-preserving trust across federated domains...
You understand it uses open source standards…

Slide 3: What’s the Problem Space at Georgia State?
Access to digital library resources (vendor databases)
Current solution
–IP-based access: spoofable, limiting
–Proxy server
–Group accounts: some database passwords posted on public web!
–Additional accounts & passwords: management hassles, synchronization complexity, extra account for user, lag time setting up a new person (faculty, student, or employee), low level of assurance

Slide 4: Shibboleth Solution for Georgia State’s Pullen Library
Access without proxy
Leverage local enterprise authentication
Access based on role attributes (finer grained)
Enables access from anywhere on web
Reduced logins
Stronger authentication (not just IP)
Addresses user privacy

Slide 5: Architecture components
Sun Solaris for Georgia State Shibboleth Origin; Apache, Tomcat, J2SE
Origin site (enterprise) requirements
–Handle Server: single sign-on (SSO) or web initial sign-on (WebISO)
–Attribute Authority: repository (MySQL or LDAP)
Target site requirements
–SHIRE
–SHAR
–WAYF
–Resource Manager
See NMI components: PubCookie, LDAP recipe, eduPerson

Slide 6: Flow Diagram (figure; components shown: Authentication System, Handle Service, SHIRE (Shibboleth Handle Indexical Reference Establisher), SHAR (Shibboleth Attribute Requester), Attribute Authority, WAYF (Where are you from?), web resource at http://www.site and https://www.site; numbered steps 1 to 10, with step 1 the request to http://www.site)

Slide 7: EZProxy Institutions, Georgia (map)
Quite some potential… Especially if we work together to convince vendors. (Or do we want to use IP access and still pay site license rates while only few may need the resource?)

Slide 8: Georgia State Shibboleth, October 2003
V 1.0 origin installed
Authenticate using CampusID
Attributes via eduPerson from Campus LDAP
Pilot with EBSCO, OCLC, JSTOR
Library Shibboleth pilot page
–http://www.library.gsu.edu/shib/
Let’s take a look...
1. LDAP Recipe for directory, ids
2. eduPerson for eduPersonAffiliation, eduPersonEntitlement
3. Shibboleth for access to web resources

Slide 9: Access Web Resource – EBSCO
GSU Library Shibboleth Pilot info page: www.library.gsu.edu/shib/
1. EBSCO test URL

Slide 10: Redirect via WAYF
InQueue Federation (for pilot testing)
2. Pick your Shib origin (these are InQueue sites recognized by target WAYF)

Slide 11: Local Authentication (GSU origin)
3. Don't worry about certificate warning, say OK -- your browser has not been configured for certificates used by the test environment

Slide 12: (Interim Certificate used at Target)
4. Ditto… say Yes; test certificates not known to your browser

Slide 13: GSU Origin – Local Login
5. Use local authentication (GSU CampusID/pw)
This page invoked by Georgia State Origin

Slide 14: Successful Authentication
Authenticated user is being directed to web site… (with authorization checking behind the scenes)

Slide 15: EBSCO Web Resources
Accessing EBSCO research databases.
6. Do your thing.
5 steps:
1. Pick URL
2. Pick origin
3. OK to cert
4. Yes to cert
5. Login
Use resource

Slide 16: Access Web Resource – JSTOR
1. Now select Browse JSTOR (continuing current browser session)

Slide 17: Access, no Re-login (Shib saves session)
Direct access to next Shibboleth site (no WAYF, no GSU local login)
2. Do your thing.
1 (NOT 5) steps:
1. Pick URL
[2. NA] [3. NA] [4. NA] [5. NA]
Use resource

Slide 18: JSTOR site knows it’s GSU
“Your access to JSTOR is provided by Georgia State University” (identity not passed, but attributes may be)

Slide 19: OCLC / authorization attributes
OCLC needs no further authentication, but does require specific attributes:
eduPersonAffiliation = member@gsu.edu
eduPersonEntitlement = urn:mace:oclc:org…

Slide 20: OCLC web resources
Appropriate attributes permit access... OCLC recognizes Georgia State member (and contract)
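To make the attribute handling on slides 18 through 20 concrete, here is an added Python example (not code from the presentation, and not Shibboleth's own code): a toy origin-side attribute release policy that sends a target only role attributes and never the CampusID, and a toy target-side check that grants access only when the required eduPerson values are present and reports which ones are missing. The user record, target names and release policy are constructed; the OCLC entitlement URN is a placeholder because the slide truncates the real value; and the scoped value member@gsu.edu is carried in eduPersonScopedAffiliation, the eduPerson attribute for scoped values, whereas the slide labels it eduPersonAffiliation.

```python
from dataclasses import dataclass

# Constructed user record in the shape the campus LDAP would hold (eduPerson schema).
# The slide labels the scoped value member@gsu.edu as eduPersonAffiliation; eduPerson
# carries scoped values in eduPersonScopedAffiliation, which is the name used here.
SAMPLE_USER = {
    "uid": "jdoe",                           # local CampusID; must never reach a target
    "mail": "jdoe@gsu.edu",                  # constructed; also identifying
    "eduPersonAffiliation": ["member", "student"],
    "eduPersonScopedAffiliation": ["member@gsu.edu", "student@gsu.edu"],
    # The slide truncates the real entitlement URN, so this value is a placeholder.
    "eduPersonEntitlement": ["urn:mace:oclc:org:PLACEHOLDER"],
}

# Identifying attributes: released to no target, so the target learns "a GSU member",
# not who the person is (slide 18: identity not passed, but attributes may be).
IDENTIFYING = {"uid", "mail"}

# Constructed per-target attribute release policy held by the origin's Attribute
# Authority. Target names are hypothetical.
RELEASE_POLICY = {
    "oclc.example": {"eduPersonScopedAffiliation", "eduPersonEntitlement"},
    "jstor.example": {"eduPersonScopedAffiliation"},
}


def release_attributes(user, target):
    """Origin side: return only the attributes the policy allows for this target.

    Unknown targets get nothing (deny by default), and identifying attributes are
    dropped even if a policy entry names them by mistake.
    """
    allowed = RELEASE_POLICY.get(target, set()) - IDENTIFYING
    return {name: list(values) for name, values in user.items() if name in allowed}


@dataclass(frozen=True)
class Requirement:
    """One attribute value a target demands before granting access."""
    attribute: str
    value: str


# Constructed target-side rules modelled on the slides: OCLC needs affiliation plus
# entitlement (slide 19); JSTOR only needs to know the user is a GSU member (slide 18).
OCLC_REQUIREMENTS = (
    Requirement("eduPersonScopedAffiliation", "member@gsu.edu"),
    Requirement("eduPersonEntitlement", "urn:mace:oclc:org:PLACEHOLDER"),
)
JSTOR_REQUIREMENTS = (Requirement("eduPersonScopedAffiliation", "member@gsu.edu"),)


def authorize(released, requirements):
    """Target side: grant only if every required value is present.

    Returns (granted, missing), where missing lists the unmet "attribute=value"
    pairs; that list is what an operator wants in the log when debugging a denial.
    """
    missing = [f"{r.attribute}={r.value}" for r in requirements
               if r.value not in released.get(r.attribute, [])]
    return (not missing, missing)


if __name__ == "__main__":
    for target, reqs in (("oclc.example", OCLC_REQUIREMENTS),
                         ("jstor.example", JSTOR_REQUIREMENTS)):
        attrs = release_attributes(SAMPLE_USER, target)
        granted, missing = authorize(attrs, reqs)
        print(target, "released:", sorted(attrs), "granted:", granted, "missing:", missing)
```

Running the block shows OCLC and JSTOR both granting access from attributes alone, with uid and mail never leaving the origin; feeding JSTOR's narrower release set to the OCLC rule is denied with the missing entitlement named, which is the case to check first when a vendor reports "no access" for a user who can log in.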

Slide 21: Ongoing Work
Federations
–InQueue (pilot) to InCommon (incorporated, Board of Directors…)
–Policy framework
Production Server (Origin Service)
–Enterprise-level hardware
–Full SSL on all components
–Production certificates (not test certs…)
Provisioning services & management of attributes/roles
–IBM Directory Integrator component

Slide 22: Ongoing NMI Working Groups...
Shibboleth Academic SIG
–Focus group: Library SysAdmin of vendor licenses
–Drafting second set of vendors
Other vendors? Georgia State needs
–200+ Library Vendors
–WebCT
–Galileo (Georgia Statewide Library)
Research & deployment opportunities?
–Vaishnavi & Stucke (CIS) & Atlanta Airport

Slide 23: More info & links you can test drive
Shibboleth – Internet2
–http://shibboleth.internet2.edu/
Switch – Swiss Education and Research Network (demo)
–http://www.switch.ch/aai/demo/
–Demos using Example State University
WebCT press release on Shibboleth
–http://www.webct.com/service/ViewContent?contentID=13718085
Etymology
–http://shibboleth.sourceforge.net/

Slide 24: Contact
Art Vandenberg, avandenberg@gsu.edu
Thank you

Slide 25: Second NMI Integration Testbed Workshop on Experiences in Middleware Deployment, Anaheim, CA, Monday November 3, 2003, 8:30 am – 5:00 pm

