
Why are HEAnet in this space? Collaborative, shared and cloud services






Presentation Transcript


  1. Why are HEAnet in this space? • Collaborative, shared and cloud services • IP address access control and IPv6 • Synergy with eduroam (single credential, eduGAIN) • NREN fulfils the role of federation operator

  2. Terminology • Single Log On • single point of authentication • synchronised account and credentials • authenticate to each application • Single Sign On (SSO) • single point of authentication • single credential, single account • authenticate once

  3. Edugate • Identity Provider • Authenticates user and provides user data • Personal, non-personal or none • Service Provider • Authorises access based on incoming data • Personalises experience based on incoming data • Persists the experience between sessions • Links application data with incoming data

  4. Edugate • Identity Providers • Institutes of Technology • Universities • Research agencies on the HEAnet network • Expanded set in the future

  5. Edugate • Potential Services • Institutional services • Any website requiring a login [for non-campus users] • Shared services • HEAnet services, An Cheim services, IReL, NDLR • Academic content • Publishers (EBSCO, Elsevier, JSTOR) and databases • Research portals • Or any cross-institutional research group resource • Organisations offering academic discount • Microsoft Dreamspark, o2, Travelcard

  6. Edugate • Potential Services • Bodington.org • Condor • Confluence Wiki • Darwin Streaming • Dokuwiki • Drupal • DSpace • eAcademy • Fedora Repository • Google Apps • GridSphere/GridShib • Dawsonera • Horde • Joomla • LionShare • MediaWiki • Mahara • MyProxy • Napster • PHEAA • Sharepoint • SYMPA • Symplicity • TargetConnect • TWiki • uPortal • WordPress • Zope + Plone • Live@edu • ArtSTOR • Elluminate • CSA • Digitalbrain • EBSCO • Elsevier • Science Direct • ExLibris • JSTOR • The Literary Encyclopedia • Metapress • Moodle • OCLC • Ovid • Project MUSE • Thomson Reuters • Proquest • Serial Solutions • SCRAN • Thomson Gale • EZproxy • Blackboard • CLIX • Sakai • WebAssign • WebCT • TurnItIn • Zetoc

  7. Edugate • Internationally • AT ACOnet-AAI • AU Australian Access Federation AAF • CA Canadian Access Federation CAF • CH SWITCHaai • CZ eduID.cz • DE DFN-AAI • DK WAYF • ES SIR • FI Haka • FR Fédération Éducation-Recherche • GR GRNET • HR AAI@EduHr • HU NIIF AAI • IE Edugate • IT IDEM • LV LAIFE • NL SURFnet • NO FEIDE • PT RCTSaai • SE SWAMID • US InCommon • UK UK Access Management Federation for Education and Research • eduGAIN to connect these federations

  8. UK Access Mgmt. Fed. • The Athens service was proprietary and library only • Open standards were used for non-library services • The UK Access Management Federation provides an alternative to Athens that allows a single access platform to serve both library and non-library services • 800 members; all UK Higher Education Institutions have joined the UK Access Management Federation • 50% of those institutions use it to gain access to library content using Shibboleth • 50% use the Athens Gateway to federated access • Publisher support for Shibboleth is approximately 50%

  9. Edugate • Based on the SAML2 Protocol • Interoperable Web-SSO Profile (saml2int.org) • Shibboleth 2, simpleSAMLphp • Oracle, IBM, Ping and Microsoft ADFS v2 • Implementation • Service Provider • Web server plug-in (optional application integration) • Identity Provider • Web application with connection to campus directory

  10. Edugate – SAML • Z39.50 Protocol • Search multiple targets at the same time • Retrieve • SAML Protocol • Authenticate with multiple targets as needed • Authorise

  11. Edugate • Authentication • Responsibility of the institution • Usually LDAP, but other options available • Authorisation • Controlled by the service provider • Institution can filter users before the service provider • Based on the user's attributes

  12. Edugate • Attributes • givenName, surname, email & organisation • Joseph, Bloggs, joe.bloggs@um.ie, University of Mullingar • eduPersonPrincipalName • jblgs-stu133@um.ie • eduPersonTargetedID • a44ffed231eda7b7a7d • eduPersonScopedAffiliation • student@um.ie, library-walk-in@um.ie • eduPersonEntitlement • urn:mace:heanet.ie:media:write

  13. Edugate Attributes • eduPersonScopedAffiliation values • student: undergraduate or postgraduate • staff: all staff • faculty: to distinguish teaching staff • employee: staff other than staff/faculty (e.g., contractor) • member: comprises all the categories named above • affiliate: relationship short of full member • alum: alumnus (graduate) • library-walk-in
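The split described on slides 11 to 13, that the institution filters what it releases and the service provider authorises from the attributes it actually receives, can be shown end to end in a few dozen lines. The following is an added example written for this transcript; it is not HEAnet or Edugate code and not the Shibboleth software's own filter logic. Attribute names and the sample person follow slides 12 and 13; the SP entity IDs, the IdP's registered scope, the release policy and the access policies are constructed for the example.

```python
"""Attribute-based authorisation in a SAML federation such as Edugate.

Added example, not HEAnet or Edugate code. It models the two halves of
slide 11: the Identity Provider filters which attributes it releases to a
given Service Provider, and the SP authorises from what it actually
received, after checking that the asserting IdP is entitled to the scope
on each scoped value. Attribute names and sample values follow slides
12-13; the SP entity IDs, the IdP's scope list and the policies are
constructed for this example.
"""
from dataclasses import dataclass
from typing import Optional

# Affiliations that the umbrella value "member" comprises (slide 13).
MEMBER_AFFILIATIONS = frozenset({"student", "staff", "faculty", "employee"})
KNOWN_AFFILIATIONS = MEMBER_AFFILIATIONS | {"member", "affiliate", "alum", "library-walk-in"}

# Constructed SP entity IDs (placeholders, not real Edugate services).
MEDIA_SP = "https://media.example-sp.ie/shibboleth"
CATALOGUE_SP = "https://catalogue.example-sp.ie/shibboleth"

# Constructed IdP attribute-release policy: which attributes each SP may
# receive. A non-personalised SP gets an opaque targeted ID and the
# affiliation, never the person's name or email.
RELEASE_POLICY = {
    MEDIA_SP: {"eduPersonTargetedID", "eduPersonScopedAffiliation",
               "eduPersonEntitlement"},
    CATALOGUE_SP: {"eduPersonTargetedID", "eduPersonScopedAffiliation"},
}


@dataclass(frozen=True)
class AccessPolicy:
    """SP-side rule: at least one allowed affiliation, plus an optional entitlement URN."""
    allowed_affiliations: frozenset
    required_entitlement: Optional[str] = None


def idp_release(user_attrs, sp_entity_id, release_policy=RELEASE_POLICY):
    """IdP side: return only the attributes the policy permits for this SP.

    An SP absent from the policy receives nothing (deny by default), which is
    how the institution filters what leaves campus before the SP sees it.
    """
    permitted = release_policy.get(sp_entity_id, set())
    return {name: values for name, values in user_attrs.items() if name in permitted}


def parse_scoped(values, asserting_idp_scopes):
    """SP side: split 'student@um.ie' into (affiliation, scope) pairs.

    A value is kept only if its scope is one the asserting IdP is registered
    for in federation metadata, so an IdP cannot assert membership of another
    institution. Malformed or unknown affiliation values are dropped.
    """
    accepted = []
    for value in values:
        if value.count("@") != 1:
            continue
        affiliation, scope = value.lower().split("@")
        if scope in asserting_idp_scopes and affiliation in KNOWN_AFFILIATIONS:
            accepted.append((affiliation, scope))
    return accepted


def authorise(policy, attrs, asserting_idp_scopes):
    """SP side: decide access from released attributes; returns (allowed, reason)."""
    scoped = parse_scoped(attrs.get("eduPersonScopedAffiliation", []),
                          asserting_idp_scopes)
    held = {affiliation for affiliation, _ in scoped}
    # "member" comprises student, staff, faculty and employee, so holding any
    # of those satisfies a policy that admits "member"; the reverse is not true.
    if held & MEMBER_AFFILIATIONS:
        held.add("member")
    if not (held & policy.allowed_affiliations):
        return False, "no acceptable affiliation"
    entitlements = attrs.get("eduPersonEntitlement", [])
    if policy.required_entitlement and policy.required_entitlement not in entitlements:
        return False, "missing entitlement"
    return True, "ok"


def demo():
    """Run the slide-12 sample user through both halves for the media SP."""
    # Constructed IdP-side record for the sample person on slide 12.
    user = {
        "givenName": ["Joseph"], "sn": ["Bloggs"], "mail": ["joe.bloggs@um.ie"],
        "eduPersonPrincipalName": ["jblgs-stu133@um.ie"],
        "eduPersonTargetedID": ["a44ffed231eda7b7a7d"],
        # The second value claims a scope this IdP does not own; the SP drops it.
        "eduPersonScopedAffiliation": ["student@um.ie", "staff@other.example"],
        "eduPersonEntitlement": ["urn:mace:heanet.ie:media:write"],
    }
    idp_scopes = frozenset({"um.ie"})  # constructed: scopes from federation metadata
    released = idp_release(user, MEDIA_SP)
    policy = AccessPolicy(frozenset({"member"}), "urn:mace:heanet.ie:media:write")
    return authorise(policy, released, idp_scopes)


if __name__ == "__main__":
    print(demo())
```

Two design points are worth noting. The scope check in `parse_scoped` is what stops one federation member from asserting `staff@` some other institution's scope, which is why the SP consults federation metadata for the asserting IdP rather than trusting the string. And the release policy is deny-by-default per SP, so a newly registered service receives nothing until the institution decides what it needs; the catalogue SP in the example gets a targeted ID and affiliation but never the name or email, which is the "enhanced personalisation without losing privacy" point of slide 14.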

  14. Why use Edugate... • Reduce account provisioning for walk-in and campus users • Reduce the number of passwords for your users • Reduce the number of prompts for those passwords • Filter user access to content by affiliation or special groups • Stop worrying about licences and users on your wifi network or open terminals • Start to eliminate abuse of shared credentials/generic accounts • IPv4 to IPv6 migration (193.1.200.412 vs 2002:c101:e4a5::c101:e4a5) • Enhanced personalisation, without losing privacy • No fee

  15. Edugate on Campus • IT department sets up identity provider service (IdP) • Any other department can opt to accept a federated login (SP) • Library can opt to replace the EZproxy URL in the catalogue • Library can opt to enable federated login to the library website and repositories • Library can opt to integrate EZproxy with the IdP

  16. Edugate on Campus • IT department sets up identity provider service (IdP) • IADT, UCD, CIT, DKIT, TCD, NUIM, NUIG, ITT, WIT, LIT, DCU, DIT, UL, DIAS, NCAD

  17. Edugate on Campus [diagram: Catalogue with EZproxy; Publisher content (four sources); User; LDAP]

  18. Edugate on Campus [diagram: Catalogue with EZproxy; Publisher content (four sources); User; Shibb; LDAP]

  19. Edugate on Campus [diagram: Catalogue with EZproxy; Publisher content (four sources); User; Shibb; Publisher content (three sources); non-library services; LDAP]

  20. Edugate on Campus [diagram: Catalogue (with Shibb); Publisher content (four sources); User; Shibb; Publisher content (three sources); non-library services; LDAP]

  21. Edugate on Campus [diagram: Catalogue (without EZproxy); Publisher content (four sources); User; Shibb; Publisher content (three sources); non-library services; LDAP]

  22. Hybrid Edugate on Campus [diagram: Catalogue (some EZproxy, some Shibb); Publisher content (four sources); User; Shibb; Publisher content (three sources); non-library services; LDAP]

  23. Edugate on Campus [diagram: Repository (with Shibb), full upload or preferences; User; Shibb (three instances); LDAP (three instances)]

  24. Edugate for non-academic libraries [diagram: Repository (with Shibb), full upload or preferences; User; Shibb (three instances); LDAP (three instances)]

  25. When to use EZ, Shibb or other

  26. Edugate on Campus (Assuming a service supports Shibboleth) Use Shibboleth... • if you intend to take advantage of fine-grained access control • if the service offers personalisation and persistent sessions (e.g. search results, search preferences etc.) • if the content of the service is frequently accessed as a result of a Google search rather than a search of your OPAC (thus bypassing your EZproxy URLs) • if Shibboleth is frequently used to access other services like student email and you want to avail of single sign-on with no re-authentication prompts

  27. Edugate on Campus Some services do not support a Shibboleth login yet. • Use EZproxy for services with no personalisation features, for services that don't feature in Google results, and for services that don't support Shibboleth • Use EZproxy with Shibboleth for these non-personalised services if your campus uses Shibboleth for other frequently accessed services (thus benefiting from single sign-on) • Use Shibboleth if any of the reasons listed on the previous slide fit

  28. IdP Configuration [diagram: SP Admins; Edugate Resource Registry; Shibboleth IdP; non-Shibboleth IdP; IdP Admins; DB; Shibb config files]
