![Page 1: Shibboleth at USMAI David Kennedy davekenn@umd.edu Spring 2006 Internet2 Member Meeting, April 24-26, 2006 – Arlington, VA](https://reader036.vdocuments.us/reader036/viewer/2022062519/5697bfa41a28abf838c97289/html5/thumbnails/1.jpg)
Shibboleth at USMAI
David Kennedy
http://usmai.umd.edu/auth
Spring 2006 Internet2 Member Meeting, April 24-26, 2006 – Arlington, VA
USMAI Consortium of Libraries
Univ. System of Maryland and Affiliated Institutions
http://usmai.umd.edu/
• 16 Libraries from the 12 campuses of the USM & 2 affiliated Maryland higher ed institutions
• Began in 1982 with a subset of these institutions
• Over 7,000,000 items in catalog
• Approximately 200,000 patrons
• Built on a resource sharing model
• Hosted at the University of Maryland
• Governed by the Council of Library Directors (CLD)
USMAI Consortium of Libraries
• Shared IT products and services, e.g.:
– Systems Administration, Development, & Help Desk
– E-Resource licensing & procurement
– Consortium-wide ID management (patron database)
– Library Information Management System (Aleph)
– OpenURL resolver (SFX)
– E-Resource Portal (MetaLib)
– Proxy services (EZproxy)
– ILL (ILLiad)
– Institutional Repository (DSpace)
– E-Resource Management (Verde)
What is the problem?
• Multiple logins for multiple services
• Need to secure flow of data for multiple logins for different applications
• Username/password embedded in URLs to give appearance of single sign on
Why Shibboleth?
• Other considered solutions: PDS, CAS, Pubcookie
• Shibboleth
– Single sign on
– Secure handling of user attributes
– Flexibility to use different AuthZ criteria per service
– Designed to function across domains
– Ability to authenticate for different vendors’ products
Shib architecture
• Shibboleth – an architecture for handling authentication and attribute assertion in a secure and controlled manner
• Service Provider (SP) – resource
• Identity Provider (IdP) – AuthN source
• WAYF – Where Are You From
• WebISO – Web Initial Sign On
Shib architecture
Investigation
• Installed generic single institution IdP
• Installed generic service provider (script that prints out attributes)
• Proof of concept
Implementation
• Chose EZproxy and Ex Libris’ Metalib/PDS as initial SPs
• EZproxy was already shibboleth-enabled, so easily configured
• Had to implement multiple identity providers for institutions in the consortium
IdP Implementation
• Multiple institutions in one installation
• Multiple configurations for attributes and trust settings
– Separate Tomcat servlets per institution
• Multiple ldap settings in WebISO for user verification
Multiple Identity Providers – Virtually Separate
• Totally separate identity providers as far as service providers are concerned
• Unique access points
• Separate trust relationships
EZproxy
• Host EZproxy instances for 14 institutions
• Now shib-enabled
• Access to online resources by user attributes
PDS
• Patron Directory Service
• Single Sign On between ExLibris applications
• AuthN and AuthZ
Role of PDS in Shib Environment
• Dual role of WAYF and SP
• AuthN
• AuthZ at the application level (Metalib, in our case)
PDS as WAYF
• PDS to present list of institutions (WAYF)
• Choice of institutions redirects to an institution specific URL within PDS
PDS as SP
• Each URL protected by different institution’s Identity Provider
• IdP handles authentication and attribute assertion
• SP receives attributes back from IdP and establishes PDS session
Shib SP configuration
• Shibboleth.xml – settings for SP
• Multiple applications defined, each with a different Identity Provider
• RequestMap defined – map URLs to shib applications
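The PDS-as-SP slides above (institution-specific URLs, each protected by a different IdP) and the shibboleth.xml RequestMap slide describe one mechanism: a URL path selects a Shibboleth application, and that application decides which IdP may assert for it. The following is an added model of that resolution, not USMAI's configuration or Shibboleth's own code; all institution names and IdP URLs are constructed placeholders.

```python
"""Path -> application -> IdP resolution in the style of a Shibboleth SP RequestMap."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ShibApplication:
    app_id: str           # application id as it would appear in shibboleth.xml
    idp_provider_id: str  # providerId of the IdP protecting this application


# Constructed institutions; these URLs are placeholders, not real endpoints.
APPLICATIONS: Dict[str, ShibApplication] = {
    "default": ShibApplication("default", "https://idp-default.example.edu/shibboleth"),
    "campusA": ShibApplication("campusA", "https://idp.campus-a.example.edu/shibboleth"),
    "campusB": ShibApplication("campusB", "https://idp.campus-b.example.edu/shibboleth"),
}

# RequestMap equivalent: URL path prefix -> application id. The PDS WAYF page
# redirects the user onto one of the institution-specific prefixes.
REQUEST_MAP: List[Tuple[str, str]] = [
    ("/pds/", "default"),
    ("/pds/campusA/", "campusA"),
    ("/pds/campusB/", "campusB"),
]


def _normalize(path: str) -> str:
    """Drop the query string, collapse repeated slashes, and terminate with a slash
    so that '/pds/campusA' and '/pds/campusAx/' are matched per path segment."""
    path = path.split("?", 1)[0]
    while "//" in path:
        path = path.replace("//", "/")
    return path if path.endswith("/") else path + "/"


def resolve_application(path: str) -> Optional[ShibApplication]:
    """Return the application with the longest matching prefix, or None if unmapped."""
    norm = _normalize(path)
    best: Optional[Tuple[str, str]] = None
    for prefix, app_id in REQUEST_MAP:
        if norm.startswith(prefix) and (best is None or len(prefix) > len(best[0])):
            best = (prefix, app_id)
    return APPLICATIONS[best[1]] if best else None


def accept_assertion(path: str, asserting_idp: str) -> bool:
    """An attribute assertion only establishes a session for this URL if it comes
    from the IdP configured for that URL's application, not from any federation IdP."""
    app = resolve_application(path)
    return app is not None and app.idp_provider_id == asserting_idp
```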
Logout
• No logout provided in shibboleth architecture
• Created a logout for identity provider, with an optional redirect back to service provider
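An IdP logout that takes an optional return URL needs to confine that URL to the service providers it actually trusts, otherwise the logout endpoint can bounce users anywhere. The following is an added illustration of such a check, not USMAI's logout code; the SP hostnames are constructed placeholders.

```python
"""IdP logout with an optional, allow-listed redirect back to a service provider."""
from typing import Dict, FrozenSet, Optional
from urllib.parse import urlsplit

# Constructed registry of SP hosts (placeholders, not real endpoints).
REGISTERED_SP_HOSTS: FrozenSet[str] = frozenset({
    "ezproxy.example.edu",
    "pds.example.edu",
})
LOCAL_LOGOUT_PAGE = "/logout/done"


def safe_return_url(candidate: Optional[str]) -> str:
    """Return candidate only if it is an https URL on a registered SP host;
    otherwise send the browser to the IdP's own 'logged out' page."""
    if not candidate:
        return LOCAL_LOGOUT_PAGE
    parts = urlsplit(candidate)
    # Relative URLs, non-https schemes and empty authorities are not SP endpoints.
    if parts.scheme != "https" or not parts.netloc:
        return LOCAL_LOGOUT_PAGE
    # 'https://pds.example.edu@evil.example/' parses with a userinfo part; reject it.
    if parts.username is not None or parts.password is not None:
        return LOCAL_LOGOUT_PAGE
    try:
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return LOCAL_LOGOUT_PAGE
    if port is not None and port != 443:
        return LOCAL_LOGOUT_PAGE
    if (parts.hostname or "").lower() not in REGISTERED_SP_HOSTS:
        return LOCAL_LOGOUT_PAGE
    return candidate


def idp_logout(sessions: Dict[str, str], session_id: str,
               return_url: Optional[str] = None) -> str:
    """Terminate the IdP session, then report where the browser should be sent."""
    sessions.pop(session_id, None)
    return safe_return_url(return_url)
```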
ILLiad
• InterLibrary Loan software, Atlas Systems
• Consortial implementation – 8 institutions, 2 stand-alone installations to be shibbed
• ILLiad is now aware of 1 shib attribute, identifier
• Future – work with Atlas so that ILLiad can take advantage of other attributes (v 7.2?)
Before
After
Project Details
• Began investigation – March 2005
• 1 staff member
• 16 IdPs, 3 SPs into production, April 2006
• Hardware:
– Test – Sun Fire V480, 2x900MHz UltraSparc III, 8GB RAM (shared server)
– Production – Sun Fire V880, 4x900MHz UltraSparc III+, 16GB RAM (shared server)
• Documentation
Challenges
• Technical
– Consortia – virtually separate identity providers
– Logout
– LDAP – hook into our ldap, single ldap for all institutions, only use institution specific attributes
• Learning curve, needed concentrated chunks of staff time
• Making shibboleth a priority
What’s next?
• We are rolling out more service providers
• ILLiad going into production within the month
• Aleph to be shib service provider by year’s end
• Online resources
• Consortial members implementing their own identity providers
David Kennedy
Shib project page: http://usmai.umd.edu/auth