Access management for repositories: challenges and approaches for MAMS
James Dalziel, Professor of Learning Technology and Director,
Macquarie E-Learning Centre Of Excellence (MELCOE) [email protected]
www.melcoe.mq.edu.au
Overview
• COLIS and access management
• COLIS and DRM
• Access management challenges
• MAMS
• Shibboleth and MAMS
• Repository federation – search and access
COLIS and access management
• Demonstrator project based on open standards
– IMS CP, IMS DRI, IMS LRM, ODRL
• Five universities and five vendors
– Many different conceptions of the problem
– Language difficulties
• The COLIS Demonstrator is not “the solution”
– Work in progress to help uncover practical issues
– Functioning Demonstrator for discussion
Systems Chunks in COLIS Learning Space Application Integration
[Diagram: system chunks comprising Content Management, Library E-Services, E-Reserve, E-Journals, Integration Services, Learning Management, Digital Rights Management, Directory Services and Learning Content Management.]
COLIS and access management
• Access management requirements
– No modification to target systems
– SSO “Deep linking”
– Support multiple windows
• Different approaches to solving access management
– Large scale “corporate” solution
– Small scale pragmatic approach, legacy systems
COLIS SSO Model
[Diagram: SSO Proxy + Scripting. The user’s browser (user hasn’t logged in) requests an application URL; the application web server returns an authentication challenge; the user completes a login form and receives an authentication token, after which the web page is returned (user has logged in). Authentication is performed against LDAP; authorisation is looked up in an authorisation database.]
Access management challenges
• Need for practical, incremental solutions
• Recognition of university systems environment
– Legacy systems
• No single solution will be sufficient
– Need more than one way of accessing targets
– “Multi-modal Single Sign On”
• Intra-institutional and inter-institutional needs
• Role of identity management
– Directories
MAMS
• MAMS - “Meta Access Management System”
• An umbrella system with numerous modules for access to different systems as required
• Inter-institutional communication between MAMS
Current University Access Management Challenge
[Diagram: an Access System (eg, Portal) with one type of SSO mechanism (eg, Kerberos) reaches Application D (requires Kerberos) but fails to reach Application A (requires scripting), Application B (requires reverse proxy) and Application C (requires IP address restriction); the connection to Directories is marked with a question mark.]
Meta Access Management System (MAMS) Architecture
[Diagram: the Access System (eg, Portal) connects to a Local MAMS, which reaches Application A (requires scripting) through a scripting module, Application B (requires reverse proxy) through reverse proxy modules, Application C (requires IP address restriction) through an IP address restriction module and Application D (requires Kerberos) through a Kerberos module. The Local MAMS also connects to Directories and to another institution’s MAMS.]
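The architecture above can be modelled as a dispatcher: the access system asks the local MAMS for a target, and MAMS picks the module that matches the mechanism the target declares. The following Python is an added example written for this page, not MAMS project code; the Session and Application fields, the module behaviour and the proxy host name are assumptions. It mirrors Applications A to D from the diagram and shows the two modules that must fail closed (IP restriction and Kerberos) doing so.

```python
"""Multi-modal SSO dispatch in the style of the MAMS umbrella.

Added example (not MAMS project code): a local MAMS holds one module per
access mechanism and each target application declares the mechanism it
needs, so the access system asks MAMS for the target instead of hard-wiring
one SSO method. Module behaviour, the Session/Application fields and the
proxy host are assumptions made for this example.
"""
import ipaddress
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional
from urllib.parse import quote


@dataclass
class Session:
    """What the access system (eg a portal) knows about the logged-in user."""
    user: str
    client_ip: str
    kerberos_ticket: Optional[str] = None   # only present after a Kerberos login


@dataclass
class Application:
    name: str
    mechanism: str                          # scripting | reverse_proxy | ip_restriction | kerberos
    url: str
    allowed_nets: List[str] = field(default_factory=list)   # used by ip_restriction only


class AccessDenied(Exception):
    """Raised when a module cannot legitimately reach the target for this session."""


def scripting_module(app: Application, session: Session) -> dict:
    # Legacy target with its own login form: MAMS submits the form for the user
    # with a one-time token rather than replaying the user's directory password.
    return {"action": "post_form", "url": app.url + "/login",
            "fields": {"user": session.user, "token": secrets.token_urlsafe(16)}}


def reverse_proxy_module(app: Application, session: Session) -> dict:
    # Target sits behind a MAMS-controlled reverse proxy that adds identity
    # headers; the browser only ever sees the proxy URL (host is an assumption).
    return {"action": "redirect",
            "url": f"https://proxy.mams.example/{quote(app.name)}/",
            "headers": {"X-Remote-User": session.user}}


def ip_restriction_module(app: Application, session: Session) -> dict:
    # Target trusts a source address range (typical for licensed databases):
    # refuse unless the client is inside one of the allowed networks.
    ip = ipaddress.ip_address(session.client_ip)
    if not any(ip in ipaddress.ip_network(net) for net in app.allowed_nets):
        raise AccessDenied(f"{session.client_ip} is outside the allowed range for {app.name}")
    return {"action": "redirect", "url": app.url}


def kerberos_module(app: Application, session: Session) -> dict:
    # Kerberos-enabled target: fail closed instead of silently downgrading.
    if not session.kerberos_ticket:
        raise AccessDenied(f"{app.name} requires a Kerberos ticket")
    return {"action": "redirect", "url": app.url, "ticket": session.kerberos_ticket}


class LocalMAMS:
    """Umbrella that picks the module matching each target's declared mechanism."""

    MODULES: Dict[str, Callable[[Application, Session], dict]] = {
        "scripting": scripting_module,
        "reverse_proxy": reverse_proxy_module,
        "ip_restriction": ip_restriction_module,
        "kerberos": kerberos_module,
    }

    def __init__(self, apps: List[Application]):
        self.apps = {a.name: a for a in apps}

    def access(self, app_name: str, session: Session) -> dict:
        app = self.apps[app_name]
        try:
            module = self.MODULES[app.mechanism]
        except KeyError:
            raise AccessDenied(f"no module for mechanism {app.mechanism!r}") from None
        return module(app, session)


# Constructed catalogue mirroring Applications A-D from the architecture diagram.
CATALOGUE = [
    Application("ApplicationA", "scripting", "https://a.example"),
    Application("ApplicationB", "reverse_proxy", "https://b.example"),
    Application("ApplicationC", "ip_restriction", "https://c.example", allowed_nets=["10.0.0.0/8"]),
    Application("ApplicationD", "kerberos", "https://d.example"),
]


if __name__ == "__main__":
    mams = LocalMAMS(CATALOGUE)
    on_campus = Session("jane", "10.1.2.3", kerberos_ticket="TGT-example")
    for name in ("ApplicationA", "ApplicationB", "ApplicationC", "ApplicationD"):
        print(name, mams.access(name, on_campus)["action"])
```

The point of the dispatcher is that the portal never needs to know how a target is reached: adding a fifth mechanism means registering one more module, and a target whose prerequisite is missing (off-campus address, no Kerberos ticket) is refused by its module rather than reached by some weaker route.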
Example MAMS Implementation (Type 4)
[Diagram: University A MAMS, with a Kerberos certificate system and an Access System, reaches Library Premium Databases (Kerberos enabled) and a Digital Rights Management System (Kerberos enabled). University B MAMS, with an LDAP/X.500 Access System, reaches a Learning Management System (scripting enabled), a Learning Object Management System (reverse proxy enabled) and Library Premium Databases (IP restrictions enabled).]
Shibboleth and MAMS
• Shibboleth as best practice for cross-institutional connections
• Standards basis to Shibboleth, eg SAML
• Common elements
– MAMS umbrella and Shibboleth
– Shibboleth “resource handlers” and MAMS modules
– Shibboleth inter-institutional federation
• Links to other Internet2 projects, eg eduPerson
Example MAMS Implementation (Type 4) + Recent Projects overlay
[Diagram: the Type 4 implementation (University A MAMS with Kerberos certificate system, Access System, Library Premium Databases and Digital Rights Management System, both Kerberos enabled; University B MAMS with LDAP/X.500 Access System, Learning Management System (scripting enabled), Learning Object Management System (reverse proxy enabled) and Library Premium Databases (IP restrictions enabled)) overlaid with recent projects: MAMS (Resource Handlers), PKI or other Digital Certificates, Shibboleth and WALAP.]
MAMS Project Components
(1) Iterative demonstrations to help drive the gathering of user requirements
(2) Development of common services prototypes
– Intra-institutional multi-modal SSO
– Inter-institutional access management
• Attribute exchange (Shibboleth)
• Automation of policy
– Federated and extensible identity
– Other common services: DRM, search, metadata
(3) Implementation advice and programs
Repository Federation - Search
• The problem of “portal envy”
• Search as an “anonymous” service, rather than building “one portal to rule them all”
– No one may know of the existence of your repository until they access a specific item from someone’s search gateway (based on harvesting/federation of your MD)
• The importance of Federated Search Gateways
– COLIS experiences
Repository Federation - Search - COLIS
[Diagram: a Search Intermediary federates sources by OAI Harvest from OAI Servers (LOM Metadata, E-Reserve DC+ext Metadata, CP XML), by SRU/SRW from an SRW Server, and by Z39.50 from Library Catalogues, Web Content and InfoSeefer.]
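The OAI Harvest path in the diagram is what makes search an “anonymous” service: the gateway pulls metadata, not content, so nobody has to log in to the repository to discover an item. The following Python is an added example written for this page, not COLIS code; it parses OAI-PMH ListRecords responses in the oai_dc format, follows resumptionToken paging, honours deleted records and builds a small index. The two response pages are constructed; only the OAI-PMH and Dublin Core namespace URIs are real.

```python
"""Harvesting repository metadata for a federated search gateway.

Added example, not COLIS project code: parses OAI-PMH ListRecords responses
(oai_dc metadata format), follows resumptionToken paging, honours deleted
records, and builds a small search index so a gateway can find items without
anyone logging in to the repository. The responses below are constructed;
only the OAI-PMH and Dublin Core namespace URIs are real.
"""
import xml.etree.ElementTree as ET
from typing import Callable, Dict, List, Optional, Set

NS = {
    "oai": "http://www.openarchives.org/OAI/2.0/",
    "oai_dc": "http://www.openarchives.org/OAI/2.0/oai_dc/",
    "dc": "http://purl.org/dc/elements/1.1/",
}


def _page(records_xml: str, token: str) -> str:
    # Constructed ListRecords envelope; repo.unib.example is a made-up host.
    return (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<OAI-PMH xmlns="http://www.openarchives.org/OAI/2.0/">'
        '<responseDate>2004-01-01T00:00:00Z</responseDate>'
        '<request verb="ListRecords" metadataPrefix="oai_dc">http://repo.unib.example/oai</request>'
        f'<ListRecords>{records_xml}<resumptionToken>{token}</resumptionToken></ListRecords>'
        '</OAI-PMH>'
    )


def _record(ident: str, title: str, rights: str) -> str:
    return (
        f'<record><header><identifier>{ident}</identifier><datestamp>2004-01-01</datestamp></header>'
        '<metadata><oai_dc:dc xmlns:oai_dc="http://www.openarchives.org/OAI/2.0/oai_dc/" '
        'xmlns:dc="http://purl.org/dc/elements/1.1/">'
        f'<dc:title>{title}</dc:title><dc:rights>{rights}</dc:rights></oai_dc:dc></metadata></record>'
    )


def _deleted(ident: str) -> str:
    return (f'<record><header status="deleted"><identifier>{ident}</identifier>'
            '<datestamp>2004-01-02</datestamp></header></record>')


# Constructed two-page harvest: page 2 retracts record 2 and ends with an empty token.
PAGES = {
    None: _page(_record("oai:repo.unib.example:1", "Access management for repositories", "restricted")
                + _record("oai:repo.unib.example:2", "Learning object metadata", "free"), "page2"),
    "page2": _page(_record("oai:repo.unib.example:3", "Federated search gateways", "free")
                   + _deleted("oai:repo.unib.example:2"), ""),
}


def harvest(fetch_page: Callable[[Optional[str]], str]) -> Dict[str, dict]:
    """Walk every ListRecords page; return identifier -> metadata for live records."""
    records: Dict[str, dict] = {}
    token: Optional[str] = None
    while True:
        root = ET.fromstring(fetch_page(token))
        for rec in root.findall("oai:ListRecords/oai:record", NS):
            header = rec.find("oai:header", NS)
            ident = header.findtext("oai:identifier", namespaces=NS)
            if header.get("status") == "deleted":
                records.pop(ident, None)        # drop retracted items from the gateway
                continue
            dc = rec.find("oai:metadata/oai_dc:dc", NS)
            records[ident] = {
                "title": dc.findtext("dc:title", default="", namespaces=NS),
                "rights": dc.findtext("dc:rights", default="", namespaces=NS),
            }
        tok = root.find("oai:ListRecords/oai:resumptionToken", NS)
        token = tok.text.strip() if tok is not None and tok.text else None
        if not token:                            # empty or absent token ends the harvest
            return records


def build_index(records: Dict[str, dict]) -> Dict[str, Set[str]]:
    """Word -> identifiers, the minimum a search gateway needs."""
    index: Dict[str, Set[str]] = {}
    for ident, md in records.items():
        for word in md["title"].lower().split():
            index.setdefault(word, set()).add(ident)
    return index


def search(index: Dict[str, Set[str]], term: str) -> List[str]:
    return sorted(index.get(term.lower(), set()))


if __name__ == "__main__":
    live = harvest(lambda token: PAGES[token])
    print(search(build_index(live), "repositories"))
```

Two details matter for a gateway that federates other people’s repositories: deleted records must be honoured, otherwise withdrawn items stay discoverable long after the owner removed them; and the dc:rights value is carried along so that the search result can say whether the item is free or restricted before the user follows the link into the access-managed repository.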
Repository Federation - Access
• If content is free to the world (including no restrictions on potential commercial use), then access restrictions are not normally a concern
• Otherwise….
• Traditional access restrictions across repositories
– Endless names and passwords, management nightmare
• Or…federated access using attribute exchange
– The next generation - but requires important changes to how repositories handle access issues
– Non-trivial technical challenges to repository architecture
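What “federated access using attribute exchange” asks of a repository is shown below in Python. This is an added example written for this page, not Shibboleth or MAMS code: University B (the user’s home institution, acting as identity provider) authenticates the user locally and issues a short-lived, signed attribute assertion; University A’s repository verifies it and decides access from eduPerson-style attributes, so it never stores a username or password for the visitor. An HMAC over a shared federation key stands in for SAML’s XML signatures; the key values, attribute names, host names and access policy are assumptions.

```python
"""Federated repository access via attribute exchange.

Added example, not Shibboleth or MAMS code: University B (the user's home
institution, acting as identity provider) issues a short-lived, signed
attribute assertion; University A's repository verifies it and decides
access from eduPerson-style attributes, so no repository-local username or
password is ever created. An HMAC over a per-federation shared key stands in
for SAML's XML signatures; key values, attribute names, host names and the
access policy are assumptions made for this example.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, List, Optional


class InvalidAssertion(Exception):
    """Signature, issuer, audience, scope or validity-period check failed."""


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class IdentityProvider:
    """Home institution: authenticates the user locally, releases attributes."""

    def __init__(self, scope: str, key: bytes, release_policy: Dict[str, List[str]]):
        self.scope = scope                    # eg "unib.example" (constructed)
        self.key = key
        self.release_policy = release_policy  # audience -> attributes it may receive

    def issue(self, user_attrs: Dict[str, str], audience: str, ttl: int = 300,
              now: Optional[float] = None) -> str:
        # Attribute release policy: only attributes the target is entitled to
        # leave the institution, which limits what the repository learns.
        allowed = self.release_policy.get(audience, [])
        released = {k: v for k, v in user_attrs.items() if k in allowed}
        body = {"iss": self.scope, "aud": audience,
                "exp": int((now or time.time()) + ttl), "attrs": released}
        payload = json.dumps(body, sort_keys=True).encode()
        sig = hmac.new(self.key, payload, hashlib.sha256).digest()
        return _b64(payload) + "." + _b64(sig)


class Repository:
    """Target repository at another institution: verifies, then authorises."""

    def __init__(self, sp_id: str, federation_keys: Dict[str, bytes]):
        self.sp_id = sp_id
        self.federation_keys = federation_keys  # issuer scope -> shared key

    def verify(self, token: str, now: Optional[float] = None) -> dict:
        try:
            payload_b64, sig_b64 = token.split(".")
            payload, sig = _unb64(payload_b64), _unb64(sig_b64)
            body = json.loads(payload)
        except (ValueError, TypeError) as exc:
            raise InvalidAssertion("malformed assertion") from exc
        if not isinstance(body, dict):
            raise InvalidAssertion("malformed assertion")
        key = self.federation_keys.get(body.get("iss"))
        if key is None:
            raise InvalidAssertion("issuer not in federation")
        expected = hmac.new(key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):
            raise InvalidAssertion("bad signature")
        if body.get("aud") != self.sp_id:
            raise InvalidAssertion("assertion issued for a different target")
        if body.get("exp", 0) < (now or time.time()):
            raise InvalidAssertion("assertion expired")
        return body

    def authorise(self, token: str, item: dict, now: Optional[float] = None) -> bool:
        body = self.verify(token, now)
        scoped = body["attrs"].get("eduPersonScopedAffiliation", "")
        affiliation, _, scope = scoped.partition("@")
        # The scope must match the issuer: an IdP may vouch only for its own users.
        if scope != body["iss"]:
            raise InvalidAssertion("affiliation scope does not match issuer")
        return scope in item["allowed_scopes"] and affiliation in item["allowed_affiliations"]


if __name__ == "__main__":
    key = b"constructed-federation-key"
    idp = IdentityProvider("unib.example", key,
                           {"repo.unia.example": ["eduPersonScopedAffiliation", "displayName"]})
    repo = Repository("repo.unia.example", {"unib.example": key})
    token = idp.issue({"eduPersonScopedAffiliation": "staff@unib.example", "displayName": "Jane",
                       "mail": "jane@unib.example"}, "repo.unia.example")
    print(repo.authorise(token, {"allowed_scopes": ["unia.example", "unib.example"],
                                 "allowed_affiliations": ["staff", "member"]}))
```

This is where the “important changes to how repositories handle access” sit: the repository keeps no visitor accounts, trusts assertions only from issuers in its federation list, binds each assertion to itself and to a validity window, and refuses to let one institution assert affiliations for another’s scope. The remaining work is making the repository’s own access checks consume attributes instead of local usernames.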
Conclusion
• Access management is a key element of research (and other) common services infrastructure
• Need for Demonstrator, incremental development, recognition of current university realities
• No single SSO method will be sufficient
• Importance of open standards
• Common ground between
– MAMS and Shibboleth
– MAMS and repository projects
– MAMS and vendors