1 / 53

Implementing Shibboleth: A Publisher’s Perspective

Implementing Shibboleth: A Publisher’s Perspective. UKSG Briefing Session 3-4 April 2006. Chris Shillum Vice President, Product Technology Elsevier. Agenda. ScienceDirect background Authentication in general The Elsevier view Shibboleth specifics History of Shibboleth at ScienceDirect

doolittle
Télécharger la présentation

Implementing Shibboleth: A Publisher’s Perspective

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Implementing Shibboleth: A Publisher’s Perspective UKSG Briefing Session 3-4 April 2006 Chris Shillum Vice President, Product Technology Elsevier

  2. Agenda • ScienceDirect background • Authentication in general • The Elsevier view • Shibboleth specifics • History of Shibboleth at ScienceDirect • Where are we now? • Update from Terry Morrow: What is JISC Doing? • Open issues and the future • Questions

  3. ScienceDirect background • Elsevier’s primary online platform for full-text content • Originally only locally hosted content (1994 onwards) • 1999: commercial launch of online platform: www.sciencedirect.com Some facts: • >2,000 journals, >160 Book Series, 50 reference works • Advanced browse and search, personalized alerts, history • Extensive article and entity linking, federated searching • Supports institutional subscriptions and individual article purchases

  4. Authentication concepts in general Traditional authentication technologies • IP address checking • Username/password Shared authentication technologies • Centralized Authentication • Federated or Distributed Authentication

  5. Authentication in general IP Address Checking

  6. Authentication in general Username/Password Authentication

  7. Campus Vendor Campus Vendor Campus Vendor User Online Service Authentication System Auth. Server Auth. Client Campus Auth. Database Central Auth. Database Batch Upload Campus Administrator Admin Interface Authentication in general Centralised Authentication

  8. Authentication in general Centralised Authentication Example: “Classic” Athens (UK)

  9. Campus Vendor Campus Vendor Campus Vendor User Online Service Authentication System Discovery/ Binding Service Auth. Service Auth. Gateway Auth. Client Campus Auth Database Authentication in general Federated Authentication

  10. Authentication in general Federated Authentication Example: Shibboleth, Athens DA

  11. Elsevier’s view on Shared Authentication • Strong supporter of Shared/Federated Authentication schemes • Fulfils customer needs • Win/Win for customers and us (less admin) • Has implemented Athens and Shibboleth • We will continue to offer anonymous, campus-wide access whatever the technology • We will continue to offer personalisation (alerts, favourites, etc.) in exchange for basic end-user registration

  12. What is Shibboleth? • A federated authentication protocol which enables online resources to be accessed with local credentials • Developed by Middleware Architecture Committee for Education (MACE) of the Internet2 Consortium in the US • Based on standards such as SAML and PKI • More info at shibboleth.internet2.edu

  13. Shibboleth is many things… • A protocol specification • An architecture • Some open-source software which implements the architecture • A project which manages definition of the protocol, architecture and development of the software

  14. Identity Provider Service Provider User Online Service Shibboleth Federation WAYF Auth. Service Handle Server Assertion Consumer Service Campus Directory Attribute Authority Attribute Requester Shibboleth Software components

  15. Role of Shibboleth Federations • Act as naming authority for members • Gather, maintain and distribute operational metadata about members • Establish trust framework • in practice by acting as Certificate Authority for SAML and SSL signing certificates • Set common policies for members • Vet members • Provide infrastructure for identity provider discovery (WAYF) • Define vocabularies of attributes and semantics

  16. Shib benefits as we see them • Replacement for IP authentication for on-site access which: • Removes administrative burden of IP maintenance • Decouples customer’s network architecture from authentication, so allows departmental purchases, etc. • Allows personalized access to remote resources using local credentials • Removes the need for users to remember different usernames and passwords • Avoids problems of proxy servers for remote access • Bottom line:helps us provide the broadest possible access to our customers’ user communities

  17. Shib & SD history: ramp-up… • April 2002: Attended DLF/CNI workshop at NYU • Held workshops with to involve customers and Internet 2 in the design process: • Findings: • Anonymous non-personalized access a must • Provide option to personalize if an opaque, unique user identifier supplied (targeted ID) via normal end-user registration • Needed support for deep linking • May 2004: Initial Shib release • Support for a single Federation …initially InQueue • Based on Shib v1.1 software

  18. Shib & SD history: … testing… • May-Dec 2004: Pilot test • Participants: Dartmouth; Georgetown; NYU; UCSD; Penn State • Pilot aims: • To determine what it takes to get campuses up and running with authentication via Shibboleth. • To determine what end-user issues arise form the Shibboleth implementation on ScienceDirect. • No major problems getting up and running • Some issues with attributes, release policies, firewalls • None of the pilot participants rolled out access to broad user community

  19. Shib & SD history: … production! • Feb 2005: Moved in InCommon (US Production Federation) • First vendor to use InCommon in production • July 2005: Multi-federation support released • Main issue is branding and Identity Provider discovery in a multi-federation world • Held more design workshops with representatives from multiple federations around the world • Findings: • Need flexibility in which attribute assertions to request, according to Federation rules • Main issue is branding and IdP discovery in a multi-federation world • We have to know which WAYF to send user to…

  20. The WAYF issue • WAYF (Where Are You From) page: from what institution are you? • Normally operated by federation • Multi-federation support means: from what federation are you? • No-one runs a WAYF of WAYFs End users don’t understand the federation concept  … but federations are geographically oriented! • Elsevier’s solution: implement WAYF-functionality inside ScienceDirect • Label federations geographically

  21. Going forward… Elsevier status • Increasingly supporting US institutes via InQueue/ InCommon • SDSS (UK) - In production with LSE, preparing to roll out to all federation members  • Various various stages of pilot testing with five other European federations • SURFnet (Netherlands): completed pilot  - now discussion move to production • SwitchAAI (Switzerland) - currently conducting pilot • HEAL-Link (Greece) - About to enter into pilot • CRU (France) - About to enter into pilot • HAKA (Finland) - About to enter into pilot  • Interest shown from: Denmark, Sweden, etc.

  22. The example scenario… • Logging in to ScienceDirect with a local University of Tilburg username and password • Live in production!

  23. JISC Update Terry Morrow, JISC Consultant

  24. What is JISC doing? • Has written to institutions and suppliers explaining JISC’s strategy • Will create a UK Federation • Funding the Middleware Assisted Take-Up Service (MATU) • provides support for institutions - http://www.matu.ac.uk/ • Providing case studies, reports, toolkits and advice • based on work carried out in its ‘early adopter’ programmes • Making MIMAS, EDINA and other JISC services Shibboleth compliant • Encouraging suppliers to investigate and implement Shibboleth technologies • Funding the provision of the Athens service until July 2008 • Funding the development of the Athens Gateways • support inter-working between Shibboleth and Athens sites and service providers.

  25. Timescales • July 2006: Renewal of Athens contract for 2 years; launch of the Athens Gateways • August 2006: First early adopters to join UK Federation • September 2006: Formal launch of the UK Federation • July 2008: End of JISC contract for Athens • 2006 onwards:Nesli2 and other JISC contracts with suppliers will specify Shibboleth compliance

  26. Options for Publishers and other Service Providers

  27. Options for Institutions

  28. Closing Remarks Chris Shillum

  29. Driving Adoption - Federations • Standardisation across federations is needed to ease Service Provider implementation, especially • Attribute syntax and semantics • Certificates • Metadata distribution policy • IdP granularity • Advice: do what’s been done before, don’t reinvent the wheel

  30. Driving Adoption – Publishers and SPs • Act now! • Your customers will be asking you for this if they haven’t already • Get involved in the community – shibboleth-users listserv (shibboleth-users@internet2.edu) • Understand the concepts and architecture • Use the standard open-source implementation

  31. Driving Adoption - Institutions • Decide who owns Shibboleth • Central IT? • Library? • Administration? • Largest barrier to implementation in establishing central source of identity for all users • Central Admin/HR database? • Library patron database? • Computing centre/IT user database? • Once you have this, integrating the Shib software is relatively easy • Need a killer-app to drive take-up, e.g. Napster at USC.

  32. Open Issues and the Future… • Technology new, complex and rapidly changing • Federations are in very early stages • Uptake is key… we are in a critical phase • Need to make implementation easier for smaller customers and vendors • Elsevier is committed to making access easier for users and will continue to support Shibboleth

  33. Thank you – Any Questions!Further information: Technology: Chris Shillum (c.shillum@elsevier.com)Product Manager: Ale de Vries (ale@elsevier.com)

  34. End of presentation…

  35. Shibboleth Mechanics

  36. So what’s going on here? The Shibboleth framework allows Identity Providers (IdPs) to make Trusted Assertions about users to Service Providers (SPs)

  37. Identity Provider Service Provider User ScienceDirect Shibboleth Federation WAYF Auth. Service Handle Server Assertion Consumer Service Campus Directory Attribute Authority Attribute Requester Shibboleth Software components

  38. Shibboleth Flow - Step 1 Identity Provider Service Provider ScienceDirect User Assertion Consumer Service

  39. Shibboleth Flow – Step 2 Identity Provider Service Provider ScienceDirect User Shibboleth Federation WAYF Assertion Consumer Service

  40. Shibboleth Flow – Step 3 Identity Provider Service Provider ScienceDirect User Shibboleth Federation WAYF Auth. Service Handle Server Assertion Consumer Service

  41. Shibboleth Flow – Step 4 Identity Provider Service Provider ScienceDirect User Shibboleth Federation WAYF Auth. Service Handle Server Assertion Consumer Service

  42. Shibboleth Flow – Step 5 Identity Provider Service Provider ScienceDirect User Assertion Consumer Service Campus Directory Attribute Authority Attribute Requester

  43. How is trust established? • Assertions are signed using PKI certificates according to SAML standard (Security Assertion Markup Language) • Interactions are SSL encrypted • Trust is facilitated by “Federations” • Groups of organizations that agree to deploy Shibboleth according to certain operating principles, sharing common metadata and attribute definitions, etc.

More Related