Upload
jiscam
View
3.076
Download
0
Tags:
Embed Size (px)
DESCRIPTION
Subtitled: "key concepts you need to become your institution’s local expert", this presentation outlines the concepts and terminology of Federated Access Management, and how it works. Prepared and presented at CPD25 seminar Access to e-resources: are you aready for Shibboleth?, 21 May 07, London
Citation preview
Federated Access Management 102key concepts you need to become your institution’s local expert
John Paschoud
InfoSystems Engineer, LSE Library
London School of Economics & Political Science, UK
Copyright John Paschoud 2007. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on
the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.
The intellectual property of others in all contributed and referenced material is acknowledged.
Joint Information Systems Committee 2
Animation: even 2-dimensional people need Access Management
Joint Information Systems Committee 3
What do our Users want from Access Management?
Nothing! - they just want to get stuff. Now!
Single Sign-On (as far as possible)
– to our own services, and to all the resources we subscribe on their behalf
– no need to remember so many passwords for different services
Access from Anywhere
– from home, travelling, or working at other institutions or libraries
Improved Privacy
– of personal information, and of research being pursued
Joint Information Systems Committee 4
What do We want from Access Management?
(“We” being the people whose job is to provide institutional information services)
Improved security for licensed resources, so publishers we deal with are happy (and generous!)
Good privacy-protection for users, to meet our legal obligations
Low-hassle support for our on-campus and mobile users
Opportunity for ‘fine-grain’ authorization control, so we can know (and manage) Who-Has-Access-to-What
Access for visiting users to whatever they are entitled
– by their home institutions
– …which we don’t need to know about!
Joint Information Systems Committee 5
Objectives of Federated Access Management
Effective Single Sign-On to non-public online resources…
…across many domains
Distribution of Authentication, Authorisation and Accounting functions in the AM process to appropriate parties
Improved security for resources that are non-public due to:
– Licensing restrictions / Commercial intellectual property
– Confidentiality
Improved privacy of end-user personal information
Reduced duplicated administration of user identities & passwords
(Cite Clifford Lynch and the Coalition for Networked Information, 1998, for where these principles were seminally defined)
Joint Information Systems Committee 6
Appropriate Division of Labour (Labor)
With Federated Access Management, functions are carried out by appropriate parties:
Identity Provider (typically a university/college/library) does Authentication (of it’s own registered users)
– “IdP” -- “AuthN”
Service Provider (typically a publisher) does Authorization ideally based on a common role (“student”) and affiliation (“lse.ac.uk”)
– “SP” -- “AuthZ”– (the “z” shows how you frequently have to discuss this with Americans, who can’t spell
properly)
A Federation provides a trust framework between parties, operates ‘Where Are You From’ (“WAYF”) service
– Needed where users from many IdPs are accessing many SPs
– (Athens, and some other people, may call this a ‘Home Domain Discovery Service’)
– Athens isn’t a federation
Joint Information Systems Committee 7
The Institution as Service Provider (too)
We can share resources in collaborations within the academic community
– providing controlled access to users from other institutions, without needing to administer usernames/passwords for them
– as LSE and Columbia (NY) did for a collaborative Anthropology teaching project (DART)
We can set up our repository, e-learning or any other service as a Service Provider
– as LSE has done for Exam Papers and other ‘members only’ collections
Joint Information Systems Committee 8
Access to internal resources: LSE Exam Papers collection
Joint Information Systems Committee 9
Costs and Benefits of adopting Federated Access Management?
Costs (for an institution):
Institution’s directory must be in good shape and set up to support an Identity Provider (IdP) service
– (just as it does for “AthensDA”)
IdP middleware needs installing and maintaining
– (or subscribed-to from an external provider)
Benefits (for an institution):
Reduced overheads in password support
No difference in on-campus and off-campus access
More flexible access control – e.g. different categories of users to different levels of access (or none) to a resource
Access control maintenance for different internal services (most with role-based access) is eliminated!
Joint Information Systems Committee 10
Access via a library portal to external resources
A user can just go to the list of e-resources in the library’s portal.
In the LSE Library’s case our ‘Electronic Library’ is run from Endeavor’s Encompass system:
…but it could just be a list of links on a ‘hand-crafted’ web page
Joint Information Systems Committee 11
Access via a library portal to external resources
The expanded list shows a link direct to the Service Provider, in this case Elsevier
Joint Information Systems Committee 12
Access via a library portal to external resources
After clicking link in library portal:
Joint Information Systems Committee 13
Demonstration: What does FAM look like to an end-user?
Elsevier Science Direct – an ‘early-adopting’ publisher
– …dealing with a global customer base
– …needs-to-know only whether user is from a licensed institution
– http://www.sciencedirect.com/ (and use ‘Athens/Other Institution Login’)
LSE Projects wiki – a highly-restricted institutional resource
– …with users spread across 10+ HE institutions (current project partners)
– …needs to know personal identity and other user attributes
– https://gabriel.lse.ac.uk/twiki/bin/view/Projects/AboutJohnPaschoud
– (and then ‘Edit’ this page)
Shibboleth Wiki – a global discussion space
– https://spaces.internet2.edu/display/SHIB/WebHome (and use ‘Log In’)
Joint Information Systems Committee 14
How does FAM (using Shibboleth) work?R
eso
urc
e
WAYF
Identity ProviderService Provider
Web Site
1
ACS
I don’t know you.Not even which home
org you are from.I redirect your request
to the WAYF32
Please tell me where are you from?
HS
5
6
I don’t know you.Please authenticateUsing WEBLOGIN
7
User DB
Credentials
OK, I know you now.I redirect your requestto the target, together
with a handle
4
OK, I redirect yourrequest now to
the Handle Service of your home org.
AR
Handle
Handle8
I don’t know theattributes of this user.Let’s ask the Attribute
Authority
Handle9AA
Let’s pass over the attributes the userhas allowed me to
release
Attributes 10
Res
ou
rce
Man
ag
er
Attributes
OK, based on theattributes, I grant
access to the resource
Joint Information Systems Committee 15
Relevant Standards to FAM
SAML: Security Assertion Markup Language (OASIS)
– http://xml.coverpages.org/saml.html
Shibboleth: an open source profile SAML implementation for federated access management (Internet2 Network Middleware Initiative)
– http://shibboleth.internet2.edu/
…most current country-level and international initiatives in FAM are ‘Shibboleth-compliant’, or converging on interoperability with Shibboleth
…but many other implementations of SAML now exist across other business sectors, and Guanxi and AthensIM are two implementations that have been developed within the UK community
eduPerson: an LDAP object class to describe people in (higher) education (EDUCAUSE / Internet2)
– http://www.educause.edu/eduperson/
Joint Information Systems Committee 16
Attributes in Common use
eduPersonScopedAffiliation
– indicates the user’s relationship (e.g., staff, student, etc.) with the organisation (IdP). For many applications, examination of this attribute is sufficient to determine whether the user has sufficient privilege to access the resource.
eduPersonTargetedID
– If a service provider is presented only with the affiliation of an anonymous subject, as provided by eduPersonScopedAffiliation, it cannot provide service personalisation or usage monitoring across sessions. These capabilities are enabled by the eduPersonTargetedID attribute, which provides a persistent user pseudonym, distinct for each service provider.
eduPersonPrincipalName
– used where a persistent user identifier, consistent across different services, is required. It often corresponds to the user’s single sign-on (SSO) name, and may be useful for securing both internal institutional services and external services where access control lists are used.
eduPersonEntitlement
– enables an organisation to assert that a user satisfies an additional set of specific conditions that apply for access to a particular resource. A user may possess different values of the eduPersonEntitlement attribute relevant to different resources.
Joint Information Systems Committee 17
Worldwide -- Federated SAML Adoption within Higher Education
Australia
Belgium
Canada
China
Denmark
Finland
France
Germany
Greece
New Zealand
Norway
Spain
Spain
Sweden
Switzerland
The Netherlands
United Kingdom
United States
Joint Information Systems Committee 18
The job’s not over!
Recognising gaps in support for institutions, as experience is gained
– Better presentation of practical guides
– Identity Management by institutions
– Levels of Assurance for different resources
The Identity Project
– Undertaking a national survey of (all 641) institutions
– Producing a model for institutional IdM audits
– Reporting on issues for Health, National Grid Service and others
(Make sure your institution has completed the Identity Management survey at www.identity-project.info !)
The ES-LoA Project
– Analysing levels of AuthN and AuthZ required for different services
– Recommending how these can be expressed in Federation-approved attributes
Joint Information Systems Committee 19
www.ukfederation.org.ukwww.jisc.ac.uk/federation.html
http://www.angel.ac.uk/ShibbolethAtLSEwww.identity-project.info
[email protected]@JISCMAIL.AC.UK