access management for libraries by john paschoud & masha garibyan

Joint Information Systems Committee 29-May-2007 | | Slide 1 Access Management for Libraries John Paschoud and Masha Garibyan London School of Economics Joint Information Systems Committee Supporting education and research Access Management Programme meeting, May 2007 [AMP meeting title slide]

Upload: jiscam

Post on 11-May-2015


DESCRIPTION

This presentation explores the impact of the move towards federated access management on libraries, including a discussion of the Athens administrator role, changes to library processes and the impact on the end-user.

TRANSCRIPT

Joint Information Systems Committee 29-May-2007 | | Slide 1

Access Management for Libraries 

John Paschoud and Masha Garibyan

London School of Economics

Joint Information Systems Committee Supporting education and research

Access Management Programme meeting, May 2007

[AMP meeting title slide]

Joint Information Systems Committee 29-May-2007 | | Slide 2

Why fix what ain’t broke?

Our Athens authentication system seems to work quite well, and has done so for several years. Why has JISC decided to change to something different?

Joint Information Systems Committee 29-May-2007 | | Slide 3

Why “Federated Access Management”?

Moves closer to the single sign-on ideal

– users need not remember so many passwords

Aligns with international convergence on Shibboleth/SAML compliant technology

– wider market for suppliers

Avoids the need to maintain a central Athens-type database

– by JISC/Eduserv and by participating libraries

Open Source and Open Standards-based

– so tools can be developed by participants and shared

Supports internal applications, collaborative inter-institutional sharing of resources, and virtual organisations

Joint Information Systems Committee 29-May-2007 | | Slide 4

Is that all?

Joint Information Systems Committee 29-May-2007 | | Slide 5

Is that all!?!?

Improved security for resources, so publishers happy - they also don’t have to pay a licence fee (as they do for Athens), nor maintain campus IP address ranges

Because the access is role-based rather than identity-based there is improved privacy for users

Supports the trend towards a devolved / distributed model for access management

– Authentication by the end-users’ institution

– Authorisation by the resource owner

Suited to the demands for more mobile access – from home, travelling, or working at other institutions or libraries

Joint Information Systems Committee 29-May-2007 | | Slide 6

So what is Shibboleth?

OK, sounds convincing, but what is Shibboleth?

Joint Information Systems Committee 29-May-2007 | | Slide 7

What is Shibboleth?

Actually, “Shibboleth” is just an enabling technology that lets us do Federated Access Management

– but just to satisfy your curiosity…

An initiative (of Internet2) to develop an architecture and policy framework supporting the sharing – between domains – of secured web resources and services

A project delivering an open source implementation of the architecture and framework

Deliverables:

– Software for Identity Providers (universities, libraries)

– Software for Service Providers (publishers …and universities, libraries)

– Policy models for Federations (scalable trust)

…and they have a nice logo!

Joint Information Systems Committee 29-May-2007 | | Slide 8

What are the costs and benefits?

What are the costs and benefits for our library of migrating to Federated Access Management?

Joint Information Systems Committee 29-May-2007 | | Slide 9

Costs/Benefits of FAM?

Costs:

Institution’s directory must be in good shape and set up to support an Identity Provider (IdP)

Shibboleth (or compatible) middleware needs installing and maintaining

Benefits:

Reduced overheads in password support

No difference in on-campus and off-campus access

More flexible access control – e.g. different categories of users can be given different levels of access (or none) to a resource

Joint Information Systems Committee 29-May-2007 | | Slide 10

Any other capabilities?

Are there things Shibboleth can do that Athens cannot?

…sorry! I meant “Federated Access Management”! What extra things can we do with it?

Joint Information Systems Committee 29-May-2007 | | Slide 11

The Other Capabilities of FAM?

As well as acting as an Identity Provider, your institution would be able to set up its repository, e-learning or any other service as a Service Provider

– as LSE has done for Exam Papers and other ‘members only’ collections

This will facilitate sharing of resources within the academic community

– you can provide controlled access to users from other institutions, without needing to administer usernames/passwords for them

– as LSE and Columbia (NY) did for a collaborative Anthropology teaching project (DART)

The fine-tuning of access control possible (using directory attributes) can be used to restrict confidential or sensitive data to those whose roles allow this

Joint Information Systems Committee 29-May-2007 | | Slide 12

(the LSE Exam Papers collection – secured with Shibboleth)

Joint Information Systems Committee 29-May-2007 | | Slide 13

So how do we get Shibbolised?

What will our library need to have in place and do in order to migrate to Shibboleth?

What ‘infrastructure’ is required?

Joint Information Systems Committee 29-May-2007 | | Slide 14

What infrastructure is required?

Within your Library / Institution:

IdentityProvider (IdP) site – Required Enterprise Infrastructure

– Authentication service (e.g. Yale-CAS, Pubcookie, or just webserver authentication)

– Attribute repository (directory)

– Shibboleth-compliant IdP service (e.g. Shibboleth, Guanxi or AthensIM software)

At your Publishers / Aggregators / e-Resource Providers:

ServiceProvider (SP) site - Required Enterprise Infrastructure

– Webserver (Apache or IIS)

– Shibboleth-compliant SP service (e.g. Shibboleth, Guanxi or AthensIM software)

– Logic to make Authorisation decisions based on user attributes collected by SP service (as simple or complex as the service / resources being provided)

Joint Information Systems Committee 29-May-2007 | | Slide 15

Shibboleth IdP architecture

[Diagram labels: Web browser; Shibboleth SP; (various communications); ports 443 and 8443; IdP server; Apache with MOD_SSL (certificate check), MOD_LDAP_AUTHZ and MOD_JK; Tomcat; Shibboleth IdP with HS (Handle Server) and AA (Attribute Authority); LDAP server; configuration files idp.xml, resolver.xml and arp.xml]

Joint Information Systems Committee 29-May-2007 | | Slide 16

Is there help out there?

What help and support will be available to our library as we set about installing and migrating to Federated Access Management?

Joint Information Systems Committee 29-May-2007 | | Slide 17

What support is there?

JISC information resources at: http://www.jisc.ac.uk/federation

– Including material produced by the extensive programme of Core Middleware and Early Adopters projects

The UK Federation has guidance for institutions and publishers wanting to join at: http://www.ukfederation.org.uk

JISC Regional Support Centres, CILIP, CPD25, UCISA, SCONUL and other organisations are running information events

Netskills is producing practical training courses for technical staff

Use [email protected] to contact the JISC Support Team

Joint Information Systems Committee 29-May-2007 | | Slide 18

What resources are Shibbolised?

I understand that quite a lot of publishers have already joined the UK Federation…

But not all e-resources are going to be accessible via Shibboleth overnight. Will that be a problem for us?

…shouldn’t we wait for another year or so, until they’ve all converted from Athens?

Joint Information Systems Committee 29-May-2007 | | Slide 19

Ah! There’s a Cunning Plan!

The Athens-Federation Gateways

[Diagram labels: Federation-enabled resources; Athens authenticated resources; Athens national authentication service; Athens enabled users; College IdP and University IdPs, each with FAM enabled users; gateways labelled “AthensFed” and “Fed Athens”]

Joint Information Systems Committee 29-May-2007 | | Slide 20

And the Athens Administrator?

We have an Athens Administrator. What happens to that role after migrating to Shibboleth?

Joint Information Systems Committee 29-May-2007 | | Slide 21

Athens Administrator role?

Initially to manage the changeover from ‘classic Athens’ to either ‘Shibbolised’ resources, or via the Gateways, and continue to maintain other ad hoc access methods where neither of these options is available

As things settle down, there will be the need to maintain the links in your library’s list of e-resources

Closer liaison with your own IT people (who manage your institutional directories) may be needed

Joint Information Systems Committee 29-May-2007 | | Slide 22

What’s a Federation?

…and what exactly does one of these ‘Federations’ do?

Joint Information Systems Committee 29-May-2007 | | Slide 23

What is a Federation?

A group of organisations with a common purpose (e.g. education and research) who trust each other

Not a subscription-purchasing consortium!

– but could be related to one or more of those

Federation members…

– sign up to a set of rules, including minimum standards for Identity Management practices

May have legal status

Needs the trust of suppliers

Runs the ‘Where Are You From’ (WAYF) service

Joint Information Systems Committee 29-May-2007 | | Slide 24

What does Shibboleth access look like?

So what does access to an e-resource using Shibboleth look like to the end user?

Joint Information Systems Committee 29-May-2007 | | Slide 25

Demonstration: What does FAM look like to an end-user?

Elsevier Science Direct – an ‘early-adopting’ publisher

– …dealing with a global customer base

– …needs to know only whether the user is from a licensed institution

– http://www.sciencedirect.com/ (and use ‘Athens/Other Institution Login’)

LSE Projects wiki – a highly-restricted institutional resource

– …with users spread across 10+ HE institutions (current project partners)

– …needs to know personal identity and other user attributes

– https://gabriel.lse.ac.uk/twiki/bin/view/Projects/AboutJohnPaschoud

– (and then ‘Edit’ this page)

Shibboleth Wiki – a global discussion space

– https://spaces.internet2.edu/display/SHIB/WebHome (and use ‘Log In’)
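
An added example, not from the presentation, of the attribute-based authorisation that slide 14 lists as SP "logic" and that the slide 25 demonstration contrasts: a publisher that needs only institutional membership, and a restricted wiki that needs personal identity. The eduPerson attribute names are real; the entity IDs, directory entry, scope table and function names are constructed assumptions.

```python
# Added illustration (constructed data; every name and URL here is hypothetical).
# Constructed directory entry held by the home institution (IdP side).
DIRECTORY = {
    "jsmith": {
        "eduPersonPrincipalName": "jsmith@uni-a.example.ac.uk",
        "eduPersonScopedAffiliation": ["staff@uni-a.example.ac.uk",
                                       "member@uni-a.example.ac.uk"],
        "mail": "j.smith@uni-a.example.ac.uk",
    },
}

PUBLISHER_SP = "https://publisher.example.com/sp"
WIKI_SP = "https://wiki.uni-b.example.ac.uk/sp"
HOME_IDP = "https://idp.uni-a.example.ac.uk/idp"

# Per-SP attribute release policy: the job arp.xml does in the IdP diagram.
RELEASE_POLICY = {
    PUBLISHER_SP: ["eduPersonScopedAffiliation"],
    WIKI_SP: ["eduPersonPrincipalName", "eduPersonScopedAffiliation"],
}

# Scopes each IdP may assert, as a federation would publish them (constructed).
IDP_SCOPES = {HOME_IDP: {"uni-a.example.ac.uk"}}


def release_attributes(user, sp_entity_id):
    """IdP side: release only what the policy allows for this SP."""
    allowed = RELEASE_POLICY.get(sp_entity_id, [])  # unknown SP gets nothing
    entry = DIRECTORY[user]
    return {name: entry[name] for name in allowed if name in entry}


def publisher_authorise(idp_entity_id, attrs, licensed_scopes):
    """Publisher SP: member of a licensed institution? No identity needed."""
    trusted = IDP_SCOPES.get(idp_entity_id, set())
    for value in attrs.get("eduPersonScopedAffiliation", []):
        role, _, scope = value.partition("@")
        # Ignore a scope the asserting IdP is not registered to speak for.
        if role == "member" and scope in trusted and scope in licensed_scopes:
            return True
    return False


def wiki_authorise(attrs, project_members):
    """Restricted SP: needs personal identity; deny if none was released."""
    principal = attrs.get("eduPersonPrincipalName")
    return principal is not None and principal in project_members


if __name__ == "__main__":
    to_publisher = release_attributes("jsmith", PUBLISHER_SP)
    print(sorted(to_publisher),
          publisher_authorise(HOME_IDP, to_publisher, {"uni-a.example.ac.uk"}))
    to_wiki = release_attributes("jsmith", WIKI_SP)
    print(wiki_authorise(to_wiki, {"jsmith@uni-a.example.ac.uk"}))
```

The publisher receives no personal identifier at all, which is the privacy property slide 5 attributes to role-based access; the wiki denies access whenever the identity attribute is withheld.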

Joint Information Systems Committee 29-May-2007 | | Slide 26

Well Shibboleth can look like this:

User knows URL of resource and that Shibboleth is used

And where they are from

Joint Information Systems Committee 29-May-2007 | | Slide 27

Or, Shibboleth works invisibly behind the library portal

Alternatively, on or off campus, you could just go to the list of e-resources in the library’s portal.

In the LSE Library’s case our ‘Electronic Library’ is run from Endeavor’s Encompass system:

…but it could just be a list on a ‘hand-crafted’ web page

Joint Information Systems Committee 29-May-2007 | | Slide 28

Shibboleth behind the library portal

The expanded list shows a link direct to the Service Provider, in this case Elsevier

Joint Information Systems Committee 29-May-2007 | | Slide 29

Shibboleth behind the library portal

After clicking link in library portal:

If users prefer the route through the library portal, e-resource usage statistics should become more representative

Joint Information Systems Committee 29-May-2007 | | Slide 30

What do we tell our users?

What should we tell our staff and student library users about the change to Shibboleth?

Joint Information Systems Committee 29-May-2007 | | Slide 31

What to tell your users?

As little as possible!

There is no Athens-type username and password to distribute (and to remind users of when forgotten or lost)

One strand of the change management will be to remove references to Athens passwords from user guides etc

– there should be no need to substitute Shibboleth in Athens’ place

During changeover, reliance on Athens passwords will decrease

– some users may need reassuring the library has not lost access to a super-database called Athens!

LSE now tells users that “your LSE Login” is the default access for everything

– …and provides help with the diminishing number of exceptions

Joint Information Systems Committee 29-May-2007 | | Slide 32

From LSE’s Electronic Library FAQs:

The FAQ shows how access to e-resources is getting easier, both on and off-campus.

Many LSE electronic resources can also be accessed off-campus via your LSE login (network username and password).

Joint Information Systems Committee 29-May-2007 | | Slide 33

‘LSE for You’ provides diminishing passwords:

The ‘LSE for You’ page, protected by the LSE login, provides the remaining passwords still required for some e-resources.

Joint Information Systems Committee 29-May-2007 | | Slide 34

How did the LSE do it?

You were the first installation of Shibboleth in the UK. How did the LSE Library manage the change to Shibboleth?

Joint Information Systems Committee 29-May-2007 | | Slide 35

How did the LSE do it?

Installing the infrastructure was surprisingly easy

– (once we had the first working version of the software!)

We chose a ‘cautious’ changeover from Athens access, with careful quality assurance testing of each resource link

We were at the ‘bleeding edge’, with over 150 resource collections being accessed by ‘classic Athens’, Shibboleth, the Athens Gateway and EZproxy, and about 20% by all sorts of ad hoc methods

The methods used for these tests, a progress bar and a table of the Shibbolised status of those resources can be found on the Shibboleth@LSE website

Joint Information Systems Committee 29-May-2007 | | Slide 36

Shibboleth@LSE Home

Joint Information Systems Committee 29-May-2007 | | Slide 37

Shibboleth@LSE Shibbolisation Progress

Joint Information Systems Committee 29-May-2007 | | Slide 38

Shibboleth@LSE Table of e-Resources

Joint Information Systems Committee 29-May-2007 | | Slide 39

The End

Joint Information Systems Committee Supporting education and research

Access Management for Libraries

[JISC Conf title slide]

Joint Information Systems Committee 29-May-2007 | | Slide 40

Links, Questions and Conclusions

JISC FAM Transition: www.jisc.ac.uk/federation.html

UK Federation: www.ukfederation.org.uk

Shibboleth: shibboleth.internet2.edu

Shibboleth@LSE: www.angel.ac.uk/ShibbolethAtLSE/

Other questions?

Other issues for libraries?

…you’ll think of them later? [email protected] or [email protected]