Page 1: Www.kent.ac.uk The KUSP Project Kent University Shibbolized Portal Bonnie Ferguson b.ferguson@kent.ac.uk

www.kent.ac.uk

The KUSP Project

Kent University Shibbolized Portal

Bonnie Ferguson

b.ferguson@kent.ac.uk

Page 2

Introduction

• Current situation - Athens
• Federated Access Management
• Shibboleth
• Federations
• KUSP project
• Shibboleth Demo

Page 3

Current situation

• Athens accounts are needed to access many resources
• Institutions must create and manage accounts
• Duplicates some user information
• Different usernames and passwords
• AthensDA allows accounts to be handled locally
• Move towards sharing resources… Jorum, etc.

Page 4

Athens

• JISC currently subsidise Athens – free to Universities
• July 2008 - JISC withdraws Athens subsidies
• OpenAthens will be available but at a charge (£800 - £9500 per year, depending on institutional size)
• JISC will fund FAM as replacement

http://www.jisc.ac.uk/publications/publications/pub_shibboleth.aspx

Page 5

Services using Athens

• Most Athens services should adopt Shibboleth by July 2008.

• Shibboleth-Athens and Athens-Shibboleth Gateways to bridge the gap.

http://www.jisc.ac.uk/publications/publications/pub_shibboleth.aspx

Page 6

What is Federated Access Management (FAM)?

• Next generation access-management system
• FAM builds a trust relationship between Identity Providers and Service Providers.
• Authentication is devolved to a user’s home institution.
• Attributes about the user (including roles) can be exchanged.

http://www.jisc.ac.uk/news/stories/2006/03/access_qanda.aspx

Page 7

Federated Access Management

http://www.switch.ch/aai/about/introduction/

Page 8

Benefits (1)

• User registers only once – with home institution
• Reduces time needed to manage multiple user accounts
• New tools for managing licenses and service subscriptions.

http://www.switch.ch/aai/about/introduction/
http://www.jisc.ac.uk/news/stories/2006/03/access_qanda.aspx

Page 9

Benefits (2)

• Users won’t have to remember additional usernames and passwords.

• Simplified authentication process may lead to increased use of subscribed services.

• Interoperable with other SAML-based software  

Page 10

Where does the word ‘Shibboleth’ come from?

• The word comes from the Old Testament (Judges 12:1-6).

• Two groups from opposite sides of the river Jordan had different accents: one of them pronounced the ‘sh’ sound as ‘s’.

• To separate friend from foe, those crossing the river were asked to pronounce the word ‘shibboleth’ (it means an ear of corn).

• According to the bible, the 42,000 who pronounced it ‘sibboleth’ were killed. 

Page 11

It’s also a band…

http://www.goshibbolethgo.com

Page 12

But seriously, folks….

• A technology that enables FAM.
• Functionality of Athens DA
• Standards based - SAML (Security Assertion Markup Language)
• Open source middleware software
• Privacy-preserving

http://shibboleth.internet2.edu/

Page 13

Shibboleth Architecture

http://www.switch.ch/aai/about/introduction/

Identity Provider

Service Provider

Federation

Page 14

Shibboleth identity Provider (IdP)

• Uses institutional user database
• Provides authentication
• Sends user attributes
• (aka Shibboleth Origin)

Page 15

Shibboleth Service Provider (SP)

• Shibboleth module protects web-based applications
• Intercepts HTTP requests and redirects to WAYF (or a specific Identity Provider) for authentication
• Receives the IdP’s authentication assertion (the “ticket”) via the browser and sets its own session cookie
• Optional additional back-channel call to the IdP for attributes
• (aka Shibboleth Target)

Page 16

What is a Federation?

• A federation is a group of institutions and organisations that sign up to an agreed set of policies for exchanging information about users and resources to enable access and use of resources and services.

• Organisations that use Shibboleth to access resources must join or create a federation.

http://www.jisc.ac.uk/whatwedo/themes/access_management/federation/shibboleth.aspx

http://en.wikipedia.org/wiki/United_Federation_of_Planets

Page 17

Federations

• WAYF (Where are you from?) service
• UK Access Federation (http://www.ukfederation.org.uk/)

https://spaces.internet2.edu/display/SHIB/ShibbolethFederations

Page 18

Joining the UK Access Federation

• Apply in writing
• Signed by Executive Liaison
• Management Liaison must be named
• Agree to be bound by the federation’s Rules of Membership

http://www.ukfederation.org.uk/

Page 19

The KUSP Project

• Funded by the JISC Core Middleware Infrastructure Early Adopter programme
• January 2006 – March 2007
• 1 Developer full time for 1 year

Page 20

What can Shibboleth do for us?

• Athens replacement
• Single Sign on solution?
• Manage authentication for both internal and external applications?

Page 21

The KUSP Project - Aims

• Creating a new Shibboleth infrastructure for the University of Kent
• Building a Shibbolized portal and VLE with Single Sign-on (SSO)
• Investigate PrivilEge and Role Management Infrastructure Standards (PERMIS) for portal authorisation
• Pushing the envelope
• Providing support to the partners in the University of Medway project to adopt Shibboleth

Page 22

Shibboleth Test Environment

• Shibboleth Identity Provider
• Connect to University LDAP
• Shibboleth Service Provider
• Protecting Static Web pages
• Join InQueue Test Federation

Page 23

Shibboleth – Where to start?

• Shibboleth Software is free and Open Source
• Help is available!
• Shibboleth Wiki (https://spaces.internet2.edu/display/SHIB/)
• MATU Installation guides (http://www.matu.ac.uk/docs/)
• Mailing lists ([email protected])

Page 24

Purchases

• Two Sun servers, running Solaris 9
• Shibboleth Identity Provider
• Shibboleth Service Provider
• Licenses for:
• WebCT Powerlinks SDK
• WebCT developers network

Page 25

Identity Provider - Software

• Software comes packaged as a Java .war file.
• We installed it on:
• Solaris OS
• Apache Tomcat
• Apache Web Server
• mod_jk

Page 26

Identity Provider - Configuration

• The configuration is stored in several XML files in /usr/local/shibboleth-idp/etc by default:

• idp.xml - Main configuration file contains providerId, information about the federation and links to other configuration files

• resolver.ldap.xml - Connection parameters for LDAP and list of attributes to retrieve

• arp.site.xml - Attribute release policy - list of attributes. Can be configured to release different sets of attributes to different applications.

• metadata.xml - holds metadata for all the IdPs and SPs in the federation: each entity’s endpoints and its signing/SSL certificates. Must be updated regularly! Whatever is in this file is what the IdP trusts, so check the federation’s signature on each downloaded copy before installing it, and watch its validUntil date.
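The “must be updated regularly” point is worth automating, because an IdP or SP that loads stale or tampered metadata will trust the wrong endpoints and certificates. The script below is an added example, not code from the KUSP project or from the Shibboleth distribution: it parses a small, constructed SAML 2.0 metadata aggregate (made-up entityIDs, placeholder certificate; the namespaces and the Shibboleth 1.3 bindings are the real ones) and reports the problems a practitioner would want flagged before copying the file into /usr/local/shibboleth-idp/etc. The 14-day freshness limit is an arbitrary assumption.

```python
"""Checks on a federation metadata aggregate before an IdP or SP loads it.

Added example; not code from the KUSP project or the Shibboleth
distribution. SAMPLE_METADATA is a constructed, minimal aggregate with
made-up entityIDs and a placeholder certificate; the namespaces and the
Shibboleth 1.3 endpoint bindings are the real ones.
"""
import datetime as dt
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "shibmd": "urn:mace:shibboleth:metadata:1.0",
}

# Constructed sample aggregate (not a real federation file).
SAMPLE_METADATA = """<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
    Name="urn:mace:example-federation" validUntil="2007-01-20T00:00:00Z">
  <EntityDescriptor entityID="https://idp.example.ac.uk/shibboleth">
    <IDPSSODescriptor protocolSupportEnumeration="urn:mace:shibboleth:1.0">
      <Extensions><shibmd:Scope regexp="false">example.ac.uk</shibmd:Scope></Extensions>
      <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIB...placeholder...</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo></KeyDescriptor>
      <SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"
        Location="https://idp.example.ac.uk/shibboleth-idp/SSO"/>
    </IDPSSODescriptor>
  </EntityDescriptor>
  <EntityDescriptor entityID="https://sp.example.ac.uk/shibboleth">
    <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
      <AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"
        Location="https://sp.example.ac.uk/Shibboleth.sso/SAML/POST"/>
    </SPSSODescriptor>
  </EntityDescriptor>
</EntitiesDescriptor>
"""


def _as_utc(when):
    """Accept an aware datetime or a 'YYYY-MM-DD' string and return aware UTC."""
    if isinstance(when, str):
        return dt.datetime.strptime(when, "%Y-%m-%d").replace(tzinfo=dt.timezone.utc)
    return when


def parse_valid_until(root):
    """validUntil as an aware UTC datetime, or None when the attribute is absent."""
    value = root.get("validUntil")
    if value is None:
        return None
    return dt.datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)


def list_entities(xml_text):
    """Map each entityID to the SSO roles it declares, e.g. ['IDPSSODescriptor']."""
    root = ET.fromstring(xml_text)
    return {
        ed.get("entityID"): [c.tag.split("}")[1] for c in ed if c.tag.endswith("SSODescriptor")]
        for ed in root.findall("md:EntityDescriptor", NS)
    }


def metadata_problems(xml_text, now, max_days=14):
    """Reasons not to install this aggregate; an empty list means it passed."""
    now = _as_utc(now)
    root = ET.fromstring(xml_text)
    problems = []
    valid_until = parse_valid_until(root)
    if valid_until is None:
        problems.append("no validUntil: a stale copy would be trusted indefinitely")
    elif valid_until <= now:
        problems.append(f"expired: validUntil {valid_until.isoformat()} is in the past")
    elif valid_until - now > dt.timedelta(days=max_days):
        problems.append(f"validUntil is more than {max_days} days away; refresh more often")
    # A signed aggregate lets the IdP/SP check it came from the federation
    # rather than from whoever controls the download path.
    if root.find("ds:Signature", NS) is None:
        problems.append("aggregate carries no XML signature: verify it out of band before use")
    for ed in root.findall("md:EntityDescriptor", NS):
        eid = ed.get("entityID", "")
        for elem in ed.iter():
            loc = elem.get("Location")
            if loc and not loc.startswith("https://"):
                problems.append(f"{eid}: endpoint {loc} is not https")
        idp = ed.find("md:IDPSSODescriptor", NS)
        if idp is not None:
            cert = idp.find("md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
            if cert is None:
                problems.append(f"{eid}: IdP publishes no certificate, so its assertions cannot be verified")
            if idp.find("md:Extensions/shibmd:Scope", NS) is None:
                problems.append(f"{eid}: IdP declares no shibmd:Scope; scoped attributes cannot be checked")
    return problems


if __name__ == "__main__":
    print(list_entities(SAMPLE_METADATA))
    for problem in metadata_problems(SAMPLE_METADATA, "2007-01-15"):
        print("WARN:", problem)
```

Run against the sample on 15 January 2007 it reports only the missing signature; run two weeks later it reports the expired validUntil as well, which is the failure a cron-driven refresh must catch before the IdP silently keeps using old keys and endpoints.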

Page 27

Service Provider

• Shibboleth does not provide its own login mechanism (out of scope for Shibboleth): the IdP delegates the actual credential check to an existing authentication system, e.g. Yale CAS (Central Authentication Service) or the web server’s own authentication.
• On the SP side the protected application is hooked up in one of two ways:
• Apache <Location> directives in httpd.conf (e.g. a simple HTML page)
• A JAAS module - for dynamic web applications like WebCT or uPortal that use the attributes of the user to display information

http://shibboleth.internet2.edu/docs/draft-internet2-shibboleth-requirements-01.html

Page 28

Service Providers – One or Many?

• SAML SSO is an end-to-end protocol between one SP and one IdP.

• If you are Shibbolizing multiple applications (like uPortal and WebCT), each one requires its own Service Provider.

• However, Guanxi takes a different approach by allowing a single Shibboleth SP for an institution with associated ‘guards’ for each application.

Page 29

Service Provider - Configuration

Configuration files in /opt/shibboleth-sp/etc/shibboleth

• shibboleth.xml - main configuration file with Federation information, SSL certificate, RequestMap of all applications being protected with parameters

• aap.xml - attribute acceptance policy - sets rules about which attributes you accept, which values are allowed, and (for scoped attributes such as eduPersonPrincipalName) whether the asserting IdP is entitled to the scope it claims

• metadata.xml – same as identity provider
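The aap.xml rules are the SP’s only defence against an IdP asserting attributes it should not: the JAAS modules described later in these slides trust the username attribute outright, and that is safe only because the AAP refuses a scoped value whose scope the issuing IdP does not own. The following is an added example, not the Shibboleth SP’s own code: a Python model of AAP filtering over a constructed assertion. The IdP entityIDs, the scope table (standing in for each IdP’s shibmd:Scope metadata) and the policy are assumptions; the attribute names are the standard eduPerson ones written without the urn:mace:dir:attribute-def: prefix.

```python
"""Attribute acceptance policy (AAP) filtering as the Shibboleth 1.3 SP
applies it: keep only attributes the policy names, only values the rule
allows, and, for scoped attributes, only scopes the asserting IdP owns
according to the shibmd:Scope in its metadata.

Added example, not the SP's own code. IDP_SCOPES, POLICY and the sample
assertion are constructed; the attribute names are the standard eduPerson
ones (urn:mace:dir:attribute-def:...) written without the prefix.
"""
import re

# Scopes each IdP may assert, taken from <shibmd:Scope> in its metadata
# (constructed). The second field mirrors the regexp="true" attribute.
IDP_SCOPES = {
    "https://idp.kent.ac.uk/shibboleth": [("kent.ac.uk", False), (r"^[a-z]+\.kent\.ac\.uk$", True)],
    "https://idp.other.ac.uk/shibboleth": [("other.ac.uk", False)],
}

# Constructed AAP: attribute name -> (scoped?, regex the value part must match).
# Anything not listed is dropped, which is the AAP default.
AFFILIATIONS = r"^(member|student|staff|faculty|employee|affiliate)$"
POLICY = {
    "eduPersonPrincipalName": (True, r"^[A-Za-z0-9._-]+$"),
    "eduPersonScopedAffiliation": (True, AFFILIATIONS),
    "eduPersonAffiliation": (False, AFFILIATIONS),
    "eduPersonEntitlement": (False, r"^urn:mace:"),
}


def scope_permitted(issuer, scope):
    """True if the issuing IdP's metadata allows it to assert this scope."""
    for pattern, is_regexp in IDP_SCOPES.get(issuer, []):
        if is_regexp and re.search(pattern, scope, re.IGNORECASE):
            return True
        if not is_regexp and pattern.lower() == scope.lower():
            return True
    return False


def apply_aap(issuer, asserted, policy=POLICY):
    """Filter {name: [values]} asserted by `issuer`.

    Returns (accepted {name: [values]}, rejected [(name, value, reason)]).
    """
    accepted, rejected = {}, []
    for name, values in asserted.items():
        rule = policy.get(name)
        if rule is None:
            rejected.extend((name, v, "attribute not in policy") for v in values)
            continue
        scoped, value_re = rule
        for v in values:
            value = v
            if scoped:
                if "@" not in v:
                    rejected.append((name, v, "scoped attribute without a scope"))
                    continue
                value, scope = v.rsplit("@", 1)
                if not scope_permitted(issuer, scope):
                    rejected.append((name, v, f"{issuer} may not assert scope {scope}"))
                    continue
            if not re.search(value_re, value):
                rejected.append((name, v, "value not permitted by rule"))
                continue
            accepted.setdefault(name, []).append(v)
    return accepted, rejected


# Constructed assertion from the Kent IdP, including values an AAP must drop.
SAMPLE_ISSUER = "https://idp.kent.ac.uk/shibboleth"
SAMPLE_ATTRIBUTES = {
    "eduPersonPrincipalName": ["user1@kent.ac.uk"],
    "eduPersonScopedAffiliation": ["staff@kent.ac.uk", "staff@ox.ac.uk", "staff@cs.kent.ac.uk"],
    "eduPersonAffiliation": ["staff", "root"],
    "uid": ["user1"],
}

if __name__ == "__main__":
    ok, dropped = apply_aap(SAMPLE_ISSUER, SAMPLE_ATTRIBUTES)
    print("accepted:", ok)
    for name, value, why in dropped:
        print(f"rejected {name}={value}: {why}")
    # A different federation member asserting a kent.ac.uk principal name is refused.
    print(apply_aap("https://idp.other.ac.uk/shibboleth",
                    {"eduPersonPrincipalName": ["user1@kent.ac.uk"]}))
```

The second call at the bottom is the case that matters for the username-based integrations: another IdP in the same federation cannot mint user1@kent.ac.uk, because the scope check is tied to the issuer’s metadata rather than to the string the IdP sends.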

Page 30

Service Provider - Configuration

• 2 files work together to provide Shibboleth protection to web resources:

• httpd.conf <Location> block

• shibboleth.xml <RequestMap> elements
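Because the protection is split across two files, the common failure is a path that one file protects and the other does not. The script below is an added example, not code from the KUSP project: it parses a constructed 1.3-style <RequestMap> and a constructed httpd.conf (only the host name shibsp.kent.ac.uk is taken from the slides) and lists the paths on which they disagree. It assumes, as the Shibboleth Apache module behaves, that the module only engages for a <Location> carrying AuthType shibboleth, so a path marked requireSession only in the RequestMap is not actually enforced, while a <Location> with no RequestMap entry runs under the default application’s settings.

```python
"""Consistency check between the two files that protect resources on a
Shibboleth 1.3 SP under Apache: the <RequestMap> in shibboleth.xml and the
<Location> blocks in httpd.conf.

Added example, not code from the KUSP project. Both fragments are
constructed to look like a 1.3-era setup; only the host name
shibsp.kent.ac.uk comes from the slides. Assumption: the Apache module only
engages for a location carrying "AuthType shibboleth".
"""
import re
import xml.etree.ElementTree as ET

REQUEST_MAP = """<RequestMap applicationId="default">
  <Host name="shibsp.kent.ac.uk">
    <Path name="uPortal" requireSession="true" applicationId="uportal"/>
    <Path name="secure" requireSession="true"/>
    <Path name="public"/>
  </Host>
</RequestMap>
"""

HTTPD_CONF = """<Location /uPortal>
  AuthType shibboleth
  ShibRequireSession On
  require valid-user
</Location>
<Location /webct>
  AuthType shibboleth
  ShibRequireSession On
  require valid-user
</Location>
<Location /public>
  Order allow,deny
  Allow from all
</Location>
"""


def requestmap_rules(xml_text):
    """{(host, '/path'): requireSession}, inheriting settings from enclosing elements."""
    rules = {}

    def walk(elem, host, path, inherited):
        setting = elem.get("requireSession")
        require = inherited if setting is None else setting.lower() == "true"
        if elem.tag == "Path":
            rules[(host, path)] = require
        for child in elem:
            if child.tag == "Host":
                walk(child, child.get("name"), "", require)
            elif child.tag == "Path":
                walk(child, host, path + "/" + child.get("name").strip("/"), require)

    walk(ET.fromstring(xml_text), None, "", False)
    return rules


LOCATION_RE = re.compile(r"<Location\s+(\S+)\s*>(.*?)</Location>", re.S | re.I)


def apache_rules(conf_text):
    """{'/path': requireSession} for every <Location> that engages the Shibboleth module."""
    rules = {}
    for match in LOCATION_RE.finditer(conf_text):
        path, body = match.group(1), match.group(2)
        directives = {}
        for line in body.splitlines():
            words = line.split()
            if words:
                directives[words[0].lower()] = " ".join(words[1:]).lower()
        if directives.get("authtype") == "shibboleth":
            rules[path] = directives.get("shibrequiresession") == "on"
    return rules


def find_gaps(host, xml_text=REQUEST_MAP, conf_text=HTTPD_CONF):
    """Paths the two files disagree about for `host`, with what goes wrong."""
    rm, ap = requestmap_rules(xml_text), apache_rules(conf_text)
    gaps = []
    for (h, path), require in rm.items():
        if h == host and require and not ap.get(path, False):
            gaps.append(f"{path}: requireSession in RequestMap but no AuthType shibboleth <Location>; not enforced")
    for path, require in ap.items():
        if require and (host, path) not in rm:
            gaps.append(f"{path}: protected in httpd.conf but missing from RequestMap; default application settings apply")
    return gaps


if __name__ == "__main__":
    for gap in find_gaps("shibsp.kent.ac.uk"):
        print("GAP:", gap)
```

On the constructed input it flags /secure (RequestMap only, so unprotected) and /webct (httpd.conf only, so it silently shares the default application’s session and attribute settings rather than having its own).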

Page 31

Shibbolizing applications – JAAS modules

• uPortal - SpieJaasModule developed by the SPIE project at Oxford University (http://spie.oucs.ox.ac.uk/)

• WebCT – Shibboleth inbound authentication module (http://devnet.webct.com/contrib/authentication/Shibboleth/)

• Many more: Blackboard, DSpace, Plone, EZProxy (https://wiki.internet2.edu/confluence/display/seas/Home)

Page 32

Java Authentication and Authorization Service (JAAS)

http://devnet.webct.com/docs/ce6_documentation/WebCTVista400_sdk30_programmers_guide_2005_11_30.pdf

Page 33

Authentication only

• uPortal and WebCT JAAS modules were basic
• Triggered Shibboleth Authentication
• Retrieved the username attribute
• Set as current user in system
• Used inbuilt (uPortal or WebCT) authorisation

Page 34

PERMIS

• PrivilEge and Role Management Infrastructure Standards

• Authorisation (privilege management) system that complements existing authentication systems.

• PERMIS web interface - write PERMIS policies

Page 35

PERMIS

• URLs need to be known in advance
• uPortal URLs built on the fly
• http://shibsp.kent.ac.uk/uPortal/tag.f4d450cdb66bf1f5...
• http://shibsp.kent.ac.uk/uPortal/tag.a3a580b2d384e523...
• Would require additional code to handle Authorisation
• Develop JAAS module
• Portal level – to call PERMIS when building portal pages
• Out of scope of KUSP project

Page 36

Single Sign-On (SSO)

• Specialized form of software authentication that enables a user to authenticate once and gain access to the resources of multiple software systems.

• Kerberos, CAS, CoSIgn, Web-SSO, etc.

http://en.wikipedia.org/wiki/Single_sign-on

Page 37

SSO - Aims

• Integrate WebCT into portal
• Sign into portal and get dashboard view of WebCT data

Page 38

SSO - Results

• Shibboleth sessions are cookie-based, so SSO happened automatically: after the first login the IdP holds a session cookie, and any further SP (portal, WebCT) that redirects the browser to the same IdP receives its assertion without another password prompt.
• Each SP keeps its own session cookie, so logging out of one application ends neither the IdP session nor the other SP sessions; a user must close the browser to finish the SSO session.

Page 39

Portal Integration

• IFrame
• Session & Display problems

Page 40

Portal Integration

• Vista MyWebCT portlet
• Used proxy authentication module
• Displayed limited dashboard

Page 41

Portal Integration

• Home-grown portlet using web services
• Allows fuller dashboard interface
• Best to extend existing portlet

Page 42

Shibboleth Demo

• http://shibsp.kent.ac.uk/uPortal

Page 43

Findings - Authn not Authz

• Shibboleth for Authentication not authorization
• Personalised systems like portals and VLEs need to perform three types of user management:
• Authentication
• Authorization/Role management
• Remembering user preferences
• Is it appropriate to externalise this?
• Outside of scope of project to redevelop authorization for personalised system such as portal or VLE

Page 44

Findings – More potential

• Did not use Shibboleth’s full potential!
• uPortal and WebCT still required user accounts
• uPortal can create these at first login
• Still need to manage these accounts
• Did not use Shibboleth role-based attributes
• Did not use the privacy-protecting functionality: always relied on the username attribute rather than on the anonymous handle plus role attributes

Page 45

Findings - WebCT

• The WebCT/Shibboleth module was not necessary for the Shibbolized portal

• Proxy module was sufficient since it was only passing a username instead of using the full Shibboleth functionality

Page 46

Findings - SSO

• Shibboleth can handle SSO for web based applications
• No extra software required (such as CAS)
• Will investigate for future use

Page 47

Lessons Learned

• Setting up the Shibboleth Identity provider and Service Provider was relatively straightforward. It is the integration of Shibboleth with existing applications that is much more difficult and time consuming, so leave plenty of time for this in your project plan.

• Keep a Blog or Wiki of the installation procedures, lessons learned and other issues.

• Make contact with other projects as early as possible.

• Join all relevant mailing lists at the beginning of the project and don’t be afraid to ask lots of stupid questions.

Page 48

Resources

• Shibboleth Wiki (https://spaces.internet2.edu/display/SHIB/)
• MATU Installation guides (http://www.matu.ac.uk/docs/)
• SWITCH Installation guides (http://www.switch.ch/aai/docs/shibboleth/SWITCH/1.3/sp/install-sp-1.3-debian.html)
• LSIP project (University of Liverpool) Implementation Documentation (http://www.liv.ac.uk/LSIP/Documentation/DraftShib13ImplementationDocument.html)
• uPortal website http://www.uportal.org
• WebCT (Blackboard) website and developer’s network: http://www.webct.com/ and http://devnet.webct.com/
• SPIE project (Oxford University) http://www.oucs.ox.ac.uk/rts/spie/
• InQueue Shibboleth federation http://inqueue.internet2.edu/
• FEAR project (Reid Kerr College) http://www.reidkerr.ac.uk/fear/docs/ReloadContentPreview.htm

Page 49

References

• http://shibboleth.internet2.edu
• http://www.jisc.ac.uk/publications/publications/pub_shibboleth.aspx
• http://www.jisc.ac.uk/whatwedo/themes/access_management/federation/shibboleth.aspx
• http://www.switch.ch/aai/about/introduction
• http://www.goshibbolethgo.com
• http://en.wikipedia.org/wiki/United_Federation_of_Planets
• https://spaces.internet2.edu/display/SHIB/ShibbolethFederations
• http://www.ukfederation.org.uk/
• http://shibboleth.internet2.edu/docs/draft-internet2-shibboleth-requirements-01.html
• http://sec.isi.salford.ac.uk/permis/

Page 50

Any questions?

• http://www.kent.ac.uk/is/kusp
• [email protected]

Page 51

Discussion

• How long will FAM take to implement?
• How much will it cost?
• What impact on service?
• Changes to training and documentation required?
• Support moved from Library to Computing Service?
• Could OpenAthens be a cheaper option?
• What about non-web based resources?