Access management for repositories: challenges and approaches for MAMS

James Dalziel

Professor of Learning Technology and Director, Macquarie E-Learning Centre Of Excellence (MELCOE)

www.melcoe.mq.edu.au


Post on 15-Dec-2015



Overview

• COLIS and access management

• COLIS and DRM

• Access management challenges

• MAMS

• Shibboleth and MAMS

• Repository federation – search and access

COLIS and access management

• Demonstrator project based on open standards

– IMS CP, IMS DRI, IMS LRM, ODRL

• Five universities and five vendors

– Many different conceptions of the problem

– Language difficulties

• The COLIS Demonstrator is not “the solution”

– Work in progress to help uncover practical issues

– Functioning Demonstrator for discussion

Systems Chunks in COLIS Learning Space Application Integration

[Diagram labels: Content Management; Library E-Services; E-Reserve; E-Journals; Integration Services; Learning Management; Digital Rights Management; Directory Services; Learning Content Management]

COLIS and access management

• Access management requirements

– No modification to target systems

– SSO “Deep linking”

– Support multiple windows

• Different approaches to solving access management

– Large scale “corporate” solution

– Small scale pragmatic approach, legacy systems

[Diagram label: SSO Proxy + Scripting]

COLIS SSO Model

[Diagram labels: User Browser; User hasn’t logged in; Application URL; Application Web Server; Authentication Challenge; Login Form; Authentication Token; Web Page 1; User has logged in; User hasn’t logged in; LDAP; Authentication; Authorisation DBase]

Access management challenges

• Need for practical, incremental solutions

• Recognition of university systems environment

– Legacy systems

• No single solution will be sufficient

– Need more than one way of accessing targets

– “Multi-modal Single Sign On”

• Intra-institutional and inter-institutional needs

• Role of identity management

– Directories

MAMS

• MAMS - “Meta Access Management System”

• An umbrella system with numerous modules for access to different systems as required

• Inter-institutional communication between MAMS

Current University Access Management Challenge

[Diagram labels: Access System (eg, Portal); One type of SSO mechanism (eg, Kerberos); Application A (requires scripting); Application B (requires reverse proxy); Application C (requires IP address restriction); Application D (requires Kerberos); Directories (marked “?”). Three of the links are marked “x”.]

Meta Access Management System (MAMS) Architecture

[Diagram labels: Access System (eg, Portal); Local MAMS; Scripting module; Reverse proxy modules; IP address restriction module; Kerberos module; Application A (requires scripting); Application B (requires reverse proxy); Application C (requires IP address restriction); Application D (requires Kerberos); Other Institution MAMS; Directories]

Example MAMS Implementation (Type 4)

[Diagram labels: Access System; Library Premium Databases (Kerberos enabled); Digital Rights Management System (Kerberos enabled); Kerberos Certificate system; University A MAMS; University B MAMS; LDAP X.500; Access System; Learning Management System (scripting enabled); Learning Object Management System (reverse proxy enabled); Library Premium Databases (IP restrictions enabled)]

Shibboleth and MAMS

• Shibboleth as best practice for cross-institutional connections

• Standards basis to Shibboleth, eg SAML

• Common elements

– MAMS umbrella and Shibboleth

– Shibboleth “resource handlers” and MAMS modules

– Shibboleth inter-institutional federation

• Links to other Internet2 projects, eg eduPerson

Example MAMS Implementation (Type 4) + Recent Projects overlay

[Diagram labels: Access System; Library Premium Databases (Kerberos enabled); Digital Rights Management System (Kerberos enabled); Kerberos Certificate system; University A MAMS; University B MAMS; LDAP X.500; Access System; Learning Management System (scripting enabled); Learning Object Management System (reverse proxy enabled); Library Premium Databases (IP restrictions enabled). Overlay labels: MAMS (Resource Handlers); PKI or other Digital Certificates; Shibboleth; WALAP; WALAP]

MAMS Project Components

(1) Iterative demonstrations to help drive the gathering of user requirements

(2) Development of common services prototypes

– Intra-institutional multi-modal SSO

– Inter-institutional access management

• Attribute exchange (Shibboleth)

• Automation of policy

– Federated and extensible identity

– Other common services: DRM, search, metadata

(3) Implementation advice and programs

Repository Federation - Search

• The problem of “portal envy”

• Search as an “anonymous” service, rather than building “one portal to rule them all”

– No one may know of the existence of your repository until they access a specific item from someone’s search gateway (based on harvesting/federation of your MD)

• The importance of Federated Search Gateways

– COLIS experiences

Repository Federation - Search - COLIS

[Diagram labels: LOM Metadata; OAI Server; SRW Server; OAI Harvest; Library Catalogues; Web Content; InfoSeefer; Z39.50; SRU; Search Intermediary; LOM Metadata CP; XML; E-Reserve; DC+ext Metadata]

Repository Federation - Access

• If content is free to the world (including no restrictions on potential commercial use), then access restrictions are not normally a concern

Otherwise…

• Traditional access restrictions across repositories

– Endless names and passwords, management nightmare

• Or… federated access using attribute exchange

– The next generation - but requires important changes to how repositories handle access issues

– Non-trivial technical challenges to repository architecture

Conclusion

• Access management is a key element of research (and other) common services infrastructure

• Need for Demonstrator, incremental development, recognition of current university realities

• No single SSO method will be sufficient

• Importance of open standards

• Common ground between

– MAMS and Shibboleth

– MAMS and repository projects

– MAMS and vendors