AAI pilot projects at the University of Lausanne
February 2003
Content of the presentation
- 2 pilot projects
- Present situation
  – home organization (origin)
  – resource (target)
- Implementation of AAI at Unil
  – home organization (origin)
  – resource (target)
- Demo
- First conclusions
- Open issues
- Next steps
Pilot project: UNIL-EPFL Common Services for Students
- Exchange of authentication data regarding students registered at UNIL and EPFL, using an existing application: Offre d'emploi et logement (job and housing offers)
- Replace an existing « bricolage » (makeshift solution) with Gaspar between UNIL and EPFL
- Resource owner: UNIL
- Home organizations: UNIL and EPFL
- Technical aspects:
  – application developed with Informix (Web DataBlade)
  – web server is iPlanet (migration to Apache?)
  – GASPAR at EPFL
  – basic user attributes are exchanged
- Focus of the pilot project
  – resource integration (Shibboleth and Tequila)
  – integration of Gaspar (home organization)
  – exchange of user attributes between the two organizations
- Advantages of this pilot project
  – no application development is needed
  – limited human resources are needed
  – may be started as soon as the central AAI is available
  – collaboration between EPFL and UNIL on this application already exists
Pilot project: AAI for students in medicine
- Provide authenticated and controlled access to restricted databases at HUG and to the list of available courses
- Proposed by S. Spahni (HUG)
- Resource owner: HUG
- Home organizations: UNIL and UNIGE
- Focus of the pilot project
  – integration of UNIL LDAP authentication
- Advantages of this pilot project
  – the resource already exists
  – may be started as soon as the central AAI is available
  – collaboration between HUG and UNIL on this pilot project has already been discussed
User management (before AAI)
[Diagram of the components in place before AAI: GESU - Groupes (group management), GESU LDAP auth, the LDAP directory (LDAP annuaire), Active Directory and the email server]
LDAP user
dn: uid=uone,ou=unil-users,ou=gesu,dc=unil,dc=ch
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
uid: uone
sn: One
cn: User One
givenName: User
mail: [email protected]
uidNumber: 10281
gidNumber: 10010
loginShell: /bin/ksh
gecos: User One
homeDirectory: /users/uone
userPassword: ***************
LDAP group
dn: cn=ci-g,ou=unil-groups,ou=gesu,dc=unil,dc=ch
objectClass: top
objectClass: groupOfUniqueNames
objectClass: posixGroup
cn: ci-g
description: ci-g
gidNumber: 20001
uniqueMember: uid=uone,ou=unil-users,ou=gesu,dc=unil,dc=ch
uniqueMember: uid=utwo,ou=unil-users,ou=gesu,dc=unil,dc=ch
uniqueMember: uid=uthree,ou=unil-users,ou=gesu,dc=unil,dc=ch
memberUid: uone
memberUid: utwo
memberUid: uthree
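The group entry above carries its membership twice: as uniqueMember DNs (groupOfUniqueNames) and as memberUid names (posixGroup). Applications that authorize on one list while administrators edit the other drift apart silently, so an audit that compares the two is worth having before such groups feed an AAI. The following is an added example written for this page, not code from UNIL or the slides; the LDIF text is constructed (it mirrors the cn=ci-g shape but deliberately contains two inconsistencies and one member DN outside the users subtree), and the users base DN is taken from the slide.

```python
"""Audit posixGroup / groupOfUniqueNames entries for membership drift.

Added example; the LDIF below is constructed for illustration and is not the
UNIL directory. The reader is deliberately minimal: attribute names are matched
case-sensitively and base64 (::) values are not decoded.
"""
from __future__ import annotations

# Constructed sample: utwo is only in uniqueMember, ufour only in memberUid,
# and one uniqueMember DN does not live under the expected users subtree.
SAMPLE_LDIF = """\
dn: cn=ci-g,ou=unil-groups,ou=gesu,dc=unil,dc=ch
objectClass: top
objectClass: groupOfUniqueNames
objectClass: posixGroup
cn: ci-g
description: ci-g
gidNumber: 20001
uniqueMember: uid=uone,ou=unil-users,ou=gesu,dc=unil,dc=ch
uniqueMember: uid=utwo,ou=unil-users,ou=gesu,dc=unil,dc=ch
uniqueMember: uid=uthree,ou=unil-users,ou=gesu,dc=unil,dc=ch
uniqueMember: uid=guest,ou=external,dc=example,dc=org
memberUid: uone
memberUid: uthree
memberUid: ufour
"""

# Subtree that holds the user entries on the "LDAP user" slide.
USERS_BASE = "ou=unil-users,ou=gesu,dc=unil,dc=ch"


def parse_ldif(text: str) -> list[dict[str, list[str]]]:
    """Read blank-line separated LDIF entries into dicts of attribute -> values.
    Continuation lines (leading space) are folded back onto the previous value."""
    entries: list[dict[str, list[str]]] = []
    current: dict[str, list[str]] = {}
    last_attr = None
    for raw in text.splitlines():
        if not raw.strip():
            if current:
                entries.append(current)
            current, last_attr = {}, None
            continue
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and last_attr:
            current[last_attr][-1] += raw[1:]
            continue
        attr, _, value = raw.partition(":")
        attr = attr.strip()
        current.setdefault(attr, []).append(value.strip())
        last_attr = attr
    if current:
        entries.append(current)
    return entries


def uid_from_dn(dn: str) -> str | None:
    """Return the uid RDN value if the DN sits directly under USERS_BASE, else None."""
    rdn, _, parent = dn.partition(",")
    if parent.replace(" ", "").lower() != USERS_BASE.lower():
        return None
    key, _, value = rdn.partition("=")
    return value.strip() if key.strip().lower() == "uid" else None


def check_group(group: dict[str, list[str]]) -> dict[str, list[str]]:
    """Compare the DN-based and the name-based membership lists of one group."""
    dn_uids: set[str] = set()
    foreign: list[str] = []
    for dn in group.get("uniqueMember", []):
        uid = uid_from_dn(dn)
        if uid is None:
            foreign.append(dn)          # member outside the users subtree
        else:
            dn_uids.add(uid)
    uids = set(group.get("memberUid", []))
    return {
        "only_in_uniqueMember": sorted(dn_uids - uids),
        "only_in_memberUid": sorted(uids - dn_uids),
        "outside_users_base": foreign,
    }


def audit(text: str) -> dict[str, dict[str, list[str]]]:
    """Run check_group over every posixGroup entry in an LDIF text, keyed by cn."""
    return {e["cn"][0]: check_group(e)
            for e in parse_ldif(text) if "posixGroup" in e.get("objectClass", [])}


if __name__ == "__main__":
    for name, result in audit(SAMPLE_LDIF).items():
        print(name, result)
```

Run against an export of the real groups subtree (for example the output of ldapsearch), a non-empty `only_in_*` list means the two views of the group disagree and one of them is granting or denying access wrongly.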
Resource « Emploi et Logement » (before AAI)
[Diagram: iPlanet Web Server on Solaris running Emploi et Logement (Informix Web DataBlade) through the iPlanet Web API. Authentication: a Unil user supplies username/password checked by LDAP auth, an EPFL user comes through Gaspar; the application receives REMOTE_USER and user attributes and performs the authorization itself]
AAI: Home Organization
[Diagram: the same components as before AAI (GESU - Groupes, GESU LDAP auth, LDAP annuaire, Active Directory, email server) with an additional LDAP attr directory]
LDAP attr
- All students and staff: ~15000 entries
- Implements the following attributes:
  – eduPersonPrincipalName (not in the AAI specification; userName)
  – swissEduPersonUniqueID
  – surName
  – givenName
  – swissEduPersonDateOfBirth
  – swissEduPersonGender
  – mail
  – swissEduPersonHomeOrganization
  – swissEduPersonHomeOrganizationType
  – eduPersonAffiliation
  – swissEduPersonStudyBranch3
  – swissEduPersonStudyLevel
  – swissEduPersonStaffCategory
  – eduPersonEntitlement
LDAP attr: a user entry (staff)
dn: uid=uone,ou=unil-users,ou=gesu,dc=unil,dc=ch
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: swissEduPerson
cn: User One
eduPersonPrincipalName: uone
swissEduPersonHomeOrganizationType: university
swissEduPersonGender: 1
uid: uone
swissEduPersonHomeOrganization: unil.ch
swissEduPersonDateOfBirth: 19640821
swissEduPersonUniqueID: 578067
swissEduPersonStaffCategory: 300
eduPersonAffiliation: staff
sn: One
eduPersonEntitlement: [email protected]
(seven further scoped values follow here; their attribute names and values were lost to e-mail obfuscation in the transcript)
givenName: User
LDAP attr: a user entry (student)
dn: uid=sone,ou=unil-users,ou=gesu,dc=unil,dc=ch
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: swissEduPerson
cn: Student One
eduPersonPrincipalName: sone
swissEduPersonHomeOrganizationType: university
swissEduPersonGender: 1
uid: sone
swissEduPersonHomeOrganization: unil.ch
swissEduPersonDateOfBirth: 19831224
swissEduPersonUniqueID: 589456
eduPersonAffiliation: student
sn: one
eduPersonEntitlement: [email protected]
(four further scoped values follow here; their attribute names and values were lost to e-mail obfuscation in the transcript)
swissEduPersonStudyLevel: 1600-10
swissEduPersonStudyLevel: 4905-10
swissEduPersonStudyLevel: 1415-10
mail: [email protected]
swissEduPersonStudyBranch3: 1600
swissEduPersonStudyBranch3: 1415
swissEduPersonStudyBranch3: 4905
givenName: Student
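The two entries above are what the origin site will release to targets, so the home organization should check them against the attribute list on the "LDAP attr" slide before they go out (the open-issues slides later flag givenName being mandatory and the affiliation semantics). The following validator is an added example written for this page, not UNIL's code. It takes entries as dicts of attribute name to value list, which is what a small LDIF reader or an ldap3 search returns. The two sample entries are constructed from the uid=uone and uid=sone slides; the mail addresses are assumed (the transcript obfuscates them), the per-affiliation requirements and the "mail domain equals home organization" rule are assumptions of this example, and the student sample is deliberately broken in two places.

```python
"""Validate swissEduPerson entries against the AAI attribute set before release.

Added example, not UNIL's code. Entries are dicts: attribute -> list of values.
"""
from __future__ import annotations

from datetime import date

# Attributes the "LDAP attr" slide lists for every entry. eduPersonPrincipalName
# is noted there as outside the AAI specification, so it is not required here.
REQUIRED_FOR_ALL = [
    "swissEduPersonUniqueID", "sn", "givenName", "swissEduPersonDateOfBirth",
    "swissEduPersonGender", "mail", "swissEduPersonHomeOrganization",
    "swissEduPersonHomeOrganizationType", "eduPersonAffiliation",
]
# Assumed rule, derived from the staff and student example entries.
REQUIRED_BY_AFFILIATION = {
    "staff": ["swissEduPersonStaffCategory"],
    "student": ["swissEduPersonStudyBranch3", "swissEduPersonStudyLevel"],
}

Entry = dict[str, list[str]]


def validate_entry(entry: Entry, today: date = date(2003, 2, 1)) -> list[str]:
    """Return the problems found; an empty list means the entry may be released.
    `today` defaults to the presentation date so the sample dates stay valid."""
    problems: list[str] = []
    problems += [f"missing {a}" for a in REQUIRED_FOR_ALL if not entry.get(a)]

    for aff in entry.get("eduPersonAffiliation", []):
        problems += [f"{aff} entry lacks {a}"
                     for a in REQUIRED_BY_AFFILIATION.get(aff, []) if not entry.get(a)]

    # Date of birth: exactly YYYYMMDD, a real calendar date, not in the future.
    for dob in entry.get("swissEduPersonDateOfBirth", []):
        try:
            if len(dob) != 8 or date(int(dob[:4]), int(dob[4:6]), int(dob[6:])) > today:
                raise ValueError
        except ValueError:
            problems.append(f"bad swissEduPersonDateOfBirth {dob}")

    # Each study level "BRANCH-LEVEL" must refer to a branch the entry also lists
    # (the student slide pairs 1600-10 / 4905-10 / 1415-10 with 1600, 1415, 4905).
    branches = set(entry.get("swissEduPersonStudyBranch3", []))
    for level in entry.get("swissEduPersonStudyLevel", []):
        if level.partition("-")[0] not in branches:
            problems.append(
                f"swissEduPersonStudyLevel {level} has no matching swissEduPersonStudyBranch3")

    # Assumed consistency rule: the mail domain is the home organization.
    orgs = set(entry.get("swissEduPersonHomeOrganization", []))
    problems += [f"mail {m} outside home organization"
                 for m in entry.get("mail", []) if m.rpartition("@")[2] not in orgs]
    return problems


def release_report(entries: list[Entry]) -> dict[str, list[str]]:
    """Problems per uid for a batch of entries."""
    return {e["uid"][0]: validate_entry(e) for e in entries}


# Constructed samples modelled on the two slides (mail addresses assumed).
STAFF_ENTRY: Entry = {
    "uid": ["uone"], "cn": ["User One"], "sn": ["One"], "givenName": ["User"],
    "eduPersonPrincipalName": ["uone"],
    "swissEduPersonUniqueID": ["578067"],
    "swissEduPersonDateOfBirth": ["19640821"],
    "swissEduPersonGender": ["1"],
    "mail": ["uone@unil.ch"],
    "swissEduPersonHomeOrganization": ["unil.ch"],
    "swissEduPersonHomeOrganizationType": ["university"],
    "eduPersonAffiliation": ["staff"],
    "swissEduPersonStaffCategory": ["300"],
}
STUDENT_ENTRY: Entry = {   # deliberately lacks givenName and the 4905 branch
    "uid": ["sone"], "cn": ["Student One"], "sn": ["one"],
    "eduPersonPrincipalName": ["sone"],
    "swissEduPersonUniqueID": ["589456"],
    "swissEduPersonDateOfBirth": ["19831224"],
    "swissEduPersonGender": ["1"],
    "mail": ["sone@unil.ch"],
    "swissEduPersonHomeOrganization": ["unil.ch"],
    "swissEduPersonHomeOrganizationType": ["university"],
    "eduPersonAffiliation": ["student"],
    "swissEduPersonStudyBranch3": ["1600", "1415"],
    "swissEduPersonStudyLevel": ["1600-10", "4905-10", "1415-10"],
}

if __name__ == "__main__":
    for uid, problems in release_report([STAFF_ENTRY, STUDENT_ENTRY]).items():
        print(uid, problems or "ok")
```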
Unil login server: PubCookie
[Diagram of the PubCookie login flow, numbered 1 to 9, between the user, the application web server (Apache on Linux with the PubCookie module), the PubCookie server (Apache on Linux) and LDAP auth: the user's request is redirected to the login server, username/password are submitted and verified against LDAP auth, a cookie is issued, the cookie is presented to the application server and the web page is returned]
Shibboleth: Origin site
[Diagram: the Unil Login Server (PubCookie module) in front of the Shibboleth origin running on Tomcat + Apache on Linux; username/password go to the login server, attributes are read from LDAP attr]
HS URL: https://teta.unil.ch/shibboleth/HS
AA URL: https://teta.unil.ch/shibboleth/AA
Shibboleth
[Architecture diagram; not recoverable from the transcript]
Origin site: httpd.conf

<IfModule mod_jk.c>
Include /usr/local/apache/conf/mod_jk.conf
</IfModule>

# Pubcookie Configuration
PubcookieAuthTypeNames EGNetID
PubcookieInactiveExpire -1
PubcookieLogin https://teta.unil.ch/

<Location /shibboleth/HS>
AuthType EGNetID
AuthName "shibboleth/HS"
require valid-user
</Location>
Target side: first try
[Diagram: the Shibboleth modules and SHAR on Apache/Linux in front of the protected pages; the user is sent through the WAYF, attributes are fetched from the AA and the authorization decision is made on the target]
URLs of the Shibboleth-protected pages:
https://pcvidy207a.unil.ch/cgi-bin/printenv
https://pcvidy207a.unil.ch/secure
Target side: httpd.conf

SHIREConfig /opt/shibboleth/etc/shibboleth/shibboleth.ini
SHIREURL /shibboleth/SHIRE
<Location /shibboleth/SHIRE>
SetHandler shib-shire-post
</Location>

ShibMapAttribute urn:mace:eduPerson:1.0:eduPersonPrincipalName REMOTE_USER
ShibMapAttribute urn:mace:eduPerson:1.0:eduPersonAffiliation Shib-EP-Affiliation affiliation
ShibMapAttribute urn:mace:eduPerson:1.0:eduPersonEntitlement Shib-EP-Entitlement entitlement

<Directory "/usr/local/apache/htdocs/secure">
AuthType shibboleth
# the scoped affiliation value is obfuscated in the transcript
require affiliation [email protected]
</Directory>

<Directory "/usr/local/apache/cgi-bin">
AuthType shibboleth
require valid-user
ShibExportAssertion On
</Directory>
DEMO
- User with affiliation = staff
  – https://pcvidy207a.unil.ch/cgi-bin/printenv
  – https://pcvidy207a.unil.ch/secure
- User with affiliation = member
  – https://pcvidy207a.unil.ch/cgi-bin/printenv
  – https://pcvidy207a.unil.ch/secure
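The target httpd.conf above does two things that the demo exercises: the ShibMapAttribute lines decide which attributes from the AA become request headers (and under which alias the "require" directive can name them), and the per-directory rules then allow or deny. The model below is an added example written for this page, not Shibboleth's own code; it reproduces that logic for the two demo users. The attribute sets are constructed, the scoped value staff@unil.ch in the /secure rule is assumed because the transcript obfuscates it, the scoped principal names are assumed (the slides show unscoped ePPNs and note that Shibboleth appends @unil.ch), and the urn:example attribute is a placeholder standing for any attribute the target did not map.

```python
"""Attribute mapping and 'require' evaluation as configured on the target side.

Added example, not Shibboleth's code. The scope in the /secure rule and the
attribute values below are assumed/constructed.
"""
from __future__ import annotations

EP = "urn:mace:eduPerson:1.0:"

# ShibMapAttribute <attribute URN> <header> [<alias>]
ATTRIBUTE_MAP: dict[str, tuple[str, str | None]] = {
    EP + "eduPersonPrincipalName": ("REMOTE_USER", None),
    EP + "eduPersonAffiliation": ("Shib-EP-Affiliation", "affiliation"),
    EP + "eduPersonEntitlement": ("Shib-EP-Entitlement", "entitlement"),
}

# The <Directory> blocks of the target httpd.conf, keyed by URL prefix.
ACCESS_RULES: dict[str, list[tuple[str, ...]]] = {
    "/cgi-bin": [("valid-user",)],
    "/secure": [("affiliation", "staff@unil.ch")],   # scope assumed
}


def map_attributes(assertion: dict[str, list[str]]) -> dict[str, str]:
    """Turn the attributes obtained from the AA into the headers the page sees.
    Multi-valued attributes are joined with ';'. Attributes without a
    ShibMapAttribute line are dropped, which is the mapping's job."""
    headers: dict[str, str] = {}
    for urn, values in assertion.items():
        if urn in ATTRIBUTE_MAP:
            header, _ = ATTRIBUTE_MAP[urn]
            headers[header] = ";".join(values)
    return headers


def rule_values(headers: dict[str, str], alias: str) -> list[str]:
    """Values of the header registered under a require alias."""
    for header, a in ATTRIBUTE_MAP.values():
        if a == alias and header in headers:
            return headers[header].split(";")
    return []


def authorize(path: str, headers: dict[str, str]) -> bool:
    """Evaluate the rules of the longest matching prefix.
    'require valid-user' needs an authenticated principal (REMOTE_USER);
    'require <alias> v1 v2 ...' needs any listed value in the mapped attribute.
    Rules within a block are OR-ed, as Apache does with several require lines."""
    matches = [p for p in ACCESS_RULES if path == p or path.startswith(p + "/")]
    if not matches:
        return True                      # not a protected location
    for rule in ACCESS_RULES[max(matches, key=len)]:
        if rule[0] == "valid-user":
            if headers.get("REMOTE_USER"):
                return True
        else:
            alias, *wanted = rule
            if set(rule_values(headers, alias)) & set(wanted):
                return True
    return False


# Constructed attribute sets for the two demo users.
STAFF_ASSERTION = {
    EP + "eduPersonPrincipalName": ["uone@unil.ch"],
    EP + "eduPersonAffiliation": ["staff@unil.ch", "member@unil.ch"],
    EP + "eduPersonEntitlement": ["urn:example:entitlement"],
    "urn:example:swissEduPersonDateOfBirth": ["19640821"],   # placeholder, unmapped
}
MEMBER_ASSERTION = {
    EP + "eduPersonPrincipalName": ["stwo@unil.ch"],
    EP + "eduPersonAffiliation": ["member@unil.ch"],
}

if __name__ == "__main__":
    for name, assertion in (("staff", STAFF_ASSERTION), ("member", MEMBER_ASSERTION)):
        headers = map_attributes(assertion)
        for path in ("/cgi-bin/printenv", "/secure"):
            print(name, path, "allowed" if authorize(path, headers) else "denied")
```

The unmapped date-of-birth value never reaches the application, which is the privacy property the mapping gives a target even before a proper attribute release policy exists on the origin; the member-only user reaches printenv (valid-user) but not /secure.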
Resource « Emploi et Logement » (with AAI)
[Diagram: Apache (Linux? or Solaris) running Emploi et Logement (Informix Web DataBlade) through the Apache API; the Shibboleth modules and SHAR handle authentication (via the WAYF) and fetch user attributes from the AA; authorization is done both by the Shibboleth modules on the attributes and inside the application]
First conclusions
- No problems at installation
- Resource integration is not a big deal
- Home organization needs more work (not due to Shibboleth)
- Shibboleth is a great and promising product
  – stable
  – fast
  – flexible
  – works on Solaris and Linux
- Good integration of PubCookie and Shibboleth
- TLS: everything is OK
- The choice of the attributes is good: easy to extract from the DB
Open issues
- Attributes
  – givenName mandatory
  – attributes are associated with an account; are accounts associated only with a real person?
  – eduPersonAffiliation: choices of the home organization...
  – eduPersonAffiliation needs a more detailed specification
  – eduPersonPrincipalName: REMOTE_USER
  – swissEduPersonUniqueId
Open issues
- Resource side
  – problem: Linux – Apache – Web DataBlade – Informix
  – try with Solaris instead of Linux -> not yet finished
Open issues
- Shibboleth
  – only 3 attributes are implemented (eduPersonPrincipalName, eduPersonAffiliation, eduPersonEntitlement)
  – write a Java class (origin side) for each attribute -> easy
  – write a C++ class (target side) for each attribute -> easy
  – Shib adds @unil.ch to some attributes
  – target implementation not yet available for IIS
  – release of attributes not yet controlled by the user
  – Attribute Release Policy is rudimentary
  – Resource Manager (Apache « require ») is rudimentary
  – how to bypass the WAYF
Open issues
- Tequila
  – not yet the time to try it, but now all the pieces are ready -> easy
  – Shibboleth origin at EPFL for the pilot?
Next steps
- Use Shibboleth with « Emploi et logement » inside Unil
- Implement the AAI attributes in Shibboleth
- Wait for the next version of Shibboleth for a better ARP
- Try Tequila with EPFL
- Use Tequila and (or?) Shibboleth to access « Emploi et logement » from EPFL
- Open the Shibbolized and (or?) Tequilized application to the students of Unil and EPFL
- Wait for the Shibboleth target implementation at HUG (2nd pilot)