
Post on 13-Jul-2020


© EduServ Commercial in confidence

Athens Shibboleth Interoperability

Lyn Norris, Athens Manager


- Overview of Athens
- Overview of Shibboleth
- Interoperability
- Athens in action


Athens is:

- An Access Management System for web resources
- Managing access for approved individuals to approved content
  - on behalf of the content owner
  - in accordance with licence conditions
- Primarily commercial academic research material "sold" under site licence conditions


Academic Research Material

- Many information sources
  - metadata, full text, references
- Many content owners
  - primary publishers
  - secondary database owners
- Many ways to subscribe or register
  - publisher, subscription agent, consortia deals
  - linking systems: Portals, VLEs, MetaLib, Encompass


IP Authentication

- Attractive
  - seamless access for users
  - ease of management for organisation and resource provider
  - one-off registration for the whole site
  - infrequent changes
  - user doesn't have to remember anything


IP Authentication

- Difficulties
  - relatively easy to fake
  - complicated access for people working off site
  - no personalisation
    - saved searches
    - favourite journals
  - accountability


Athens

- for the user
  - provides single-credential access to many online resources
- for the subscribing organisation
  - provides a set of tools for managing a potentially large number of users
- for the service provider
  - makes the service more attractive to users
  - removes the task of managing IP addresses or usernames and passwords for customers

[Diagram: Athens architecture. Online resources offering Athens protection (ScienceDirect, Wiley InterScience, SwetsWise, Oxford Reference Online, ExLibris Metalib; 259 total resources). Components shown: Admin Interface; Athens Agent; Central Repository of organisations, usernames and rights. Organisations: 247 HE, 270 FE, 206 NHS, 75 other, 798 total; 2 million+ accounts.]


Athens

- Single sign-on across multiple services
  - Cookie session maintained inside the Athens Authentication Domain (auth.athensams.net)
  - Authentication transferred across domains
- Secure
  - Password never leaves the Authentication Domain
  - Tokens are time-limited and cryptographically signed
  - AAP operates over SSL
- Authorisation negotiated between a service provider and Athens
  - Agent technology, C or Java APIs, or Apache/IIS modules
  - SOAP web-services interface

[Diagram: Athens sign-on sequence, steps 1 to 9, between the Agent/DSP, the Authentication Point inside the Athens Authentication Domain and the Athens Account Server. Labels: First Access; Login; Username; Username + transfer token; Short Life Transfer Token; HTTP refer to get authorisation; Check username token. Authenticate.; Long Term Token; Cookie; Sign On.]


Athens Client Base I

- Communities
  - UK Higher and Further Education
  - National Health Service (NHS)
  - British Council
- Organisations
  - 250 Universities
  - 250 Further Education Colleges
  - 200 NHS organisations
  - 100 assorted organisations world-wide


Full list of services authenticated by Athens

AMADEUS on the Internet; AMICO library; APU Library Proxy; BANKSCOPE on the Internet; BIDS Education Service; BIDS IBSS Service; BIDS Silver Platter INSPEC service; BIDS SilverPlatter PsycINFO Service; BMJ Journals; BioMed Central; Blackwell-Synergy.com; British Standards Online; Butterworths Accountancy Direct; Butterworths All England Direct; Butterworths Banking Law Direct; Butterworths Businesscompliancedirect.co; Butterworths CaseSearch; Butterworths Civil Procedure Online; Butterworths Commercial Property Law; Butterworths Corporate Finance; Butterworths Corporate Law Direct; Butterworths Crime Online; Butterworths EBL Direct Essentials; Butterworths EBL Direct Premium; Butterworths EU Direct; Butterworths Employment Online; Butterworths Family and Child Direct; Butterworths Financial Regulations Servi; Butterworths Forms and Precedents Direct; Butterworths HSE Direct; Butterworths Halsbury's Laws of ...; Butterworths Human Rights Direct; Butterworths Insolvency Law Direct; Butterworths Intellectual Property ...; Butterworths International Tax; Butterworths Law Direct; Butterworths Law Reports Direct; Butterworths Legal Updater; Butterworths Legislation Direct; Butterworths Licensing Direct; Butterworths Local Government Direct; Butterworths PI Online; Butterworths PensionsPro; Butterworths Property Tax Direct; Butterworths Scotland Direct; Butterworths Sergeant Sims Stamp Duty; Butterworths Stair Memorial; Butterworths Stone's Justices Manual; Butterworths Tax Direct; Butterworths Tax Planning Service; Butterworths Trusts and Estates Direct; Butterworths US Banking Editions Online; CSA Aqualine; CSA Artbibliographies Modern; CSA Internet Database Service; CSA Linguistics & Language Behaviour; CSA e-psyche; Cartalinx; Cavendish Publishing eLibrary; Census Dissemination Unit; Census Geography Data Unit (UKBORDERS); Census Interaction Data Service; Census Learning Resources; Census Microdata Unit at the CCSR; Census Registration Service; Chadwyck-Healey KnowEurope; Chadwyck-Healey KnowUK Database; Chadwyck-Healey LION for colleges; Chadwyck-Healey Literature Online; Chadwyck-Healey PCI Full Text Database; City University Virtual Library; Cochrane Library; CrossFire Service (AUTONOM); CrossFire Service (PLUSABGM); CrossFire self-teach modules (MIMAS-XFT); Dialog DataStar; Dialog@Site; EBSCO EJS; EBSCO databases; EDINA AGDEX; EDINA Art Abstracts; EDINA Art Index Retrospective; EDINA BIOSIS; EDINA BIOSIS Previews 1969 - 1984; EDINA CAB Abstracts; EDINA Compendex; EDINA Digimap; EDINA EconLit; EDINA INSPEC; EDINA Index to The Times, 1790 - 1980; EDINA MLA; EDINA PAIS; EDINA Palmer's Index; EDINA UPDATE; EEBO; EIU City Data on the Internet; EIU Country Data on the Internet; EIU Country Indicators on the Internet; ESDU Data; ESRI NTF Converters; Education Media OnLine; Education Media OnLine medical-restrict; Electronic Surgeons in Training Educatio; Emerald Computer Abstracts; Emerald Fulltext; Emerald Int. Civ. Eng. Abstracts; Emerald Management Reviews; Extenza e-Publishing Service; FAME on the Internet; Gale Group InfoTrac; HEFCE Review; ISI JCR Science Edition; ISI JCR Social Sciences Edition; ISI Web of Science Service for UK Educn.; Idrisi; Ingenta Select; IngentaJournals Full Text Service; Isle of Man GIS data; JASPER; JUSTIS CELEX; JUSTIS Celex and OJC; JUSTIS Daily Cases; JUSTIS ECJ Proceedings; JUSTIS European References; JUSTIS Family Law; JUSTIS Hermes; JUSTIS Human Rights; JUSTIS Industrial Cases; JUSTIS Law Reports (eLR); JUSTIS Lloyd's Law Reports; JUSTIS Mental Health Law Reports; JUSTIS Official Journal C; JUSTIS Prison Law Reports; JUSTIS UK Statutes and SIs; JUSTIS Weekly Law; JustCite; Keynote; LexisNexis; MD Consult; MIMAS ISI BIOSIS Previews; MIMAS ISI Chemistry Server; MIMAS ISI Current Contents Connect; MIMAS ISI Derwent Innovations Index; MIMAS Infoterra; MIMAS Landmap; MIMAS Landmap Mediterranean; MIMAS TimeWeb OECD Main Economic Indicat; MIRA Virtual Automotive Info Centre; Martindale & Stockleys Drug Interactions; Mintel Reports; Mulberry; NeLH Evidence-Based on Call; NeLH Journal of Medical Screening; NetLibrary; NewsBank InfoWeb; OCLC FirstSearch Service; OSIRIS on the Internet; Ovid Online; Oxford English Dictionary Online; Oxford Reference Online; Papyrus software for DOS; Papyrus software for the Mac; Parlianet; Primal Pictures Basic Anatomy (NHS); Primal Pictures anatomy.tv; ProQuest; ProQuest Reference Asia; RCS Discussion Fora; RCS Library Electronic Journals; RCS Members Area; RefWorks; SCRAN Web Site; ScienceDirect; SilverPlatter ARC Service; SilverPlatter Arc2; SwetsWise; Synsoft HYDRA and HYDRA ONLINE; TRILT; Technical Indexes Info4Education; Technical Indexes Info4HealthEstates; The Times Law Reports; UK JSTOR Mirror Service; Westlaw UK; Wiley InterScience; XpertHR; ZETOC - BL Electronic Table of Contents; eSTEP administrators resource; xreferplus


Athens Devolved Authentication

- Authentication is devolved to an institutional authentication system
- Authentication is asserted to Athens by means of cryptographic trust
- Users are assigned a virtual account
  - Permission set (role)
  - Unique id
- Authorisation is still performed within Athens, but is role-based


Authentication System

- It could be
  - LDAP Directory
  - Kerberos
  - Library OPAC, or ILS
  - Portal authentication system
  - VLE
  - X.509 certificates


What Athens needs to know

- Permission set
  - Created and held within Athens
  - Must be at least one per organisation
  - Defines the role for the user (e.g. staff, student)
- Unique identifier
  - Must be numeric (32 bits)
  - Must be persistently bound to an individual
  - e.g. student/staff number


What you need to do

- Run an XAP (login point)
  - Perl and ActiveX/COM versions provided by Athens
- Develop a UAS (User Authority Service)
  - The UAS provides an abstract interface between the XAP and the authentication service
  - Authenticates the user against the local service
  - Assigns the user a permission set and unique identifier based on attributes
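The UAS's job, as the slides describe it, is to authenticate against the local service and then map the returned attributes onto a permission set and a 32-bit numeric identifier that is stable for that person. The following is an added example of that mapping, not Athens or EduServ code: the local directory, its attribute names, the permission-set names and the user records are all constructed for the example, and a real store would compare password hashes rather than plaintext.

```python
"""Toy User Authority Service (UAS) mapping: local attributes -> Athens assertion.

Added illustration, not the Athens UAS. The directory contents, attribute
names and permission-set names below are constructed for this example.
"""
from dataclasses import dataclass
from typing import Mapping, Optional

# Constructed permission-set names; real ones are created and held inside
# Athens, at least one per organisation.
PERMISSION_SET_BY_ROLE = {
    "staff": "ORG_STAFF",
    "student": "ORG_STUDENT",
}
UID_MAX = 2**32 - 1  # the unique identifier must be numeric and fit in 32 bits


@dataclass(frozen=True)
class AthensAssertion:
    permission_set: str
    uid: int


class LocalAuthService:
    """Stand-in for the institutional LDAP/Kerberos/OPAC service (constructed data)."""

    def __init__(self):
        # username -> (password, attributes). Plaintext only because this is a toy.
        self._users = {
            "alice": ("correct horse", {"employeeType": "staff", "staffNumber": "100234"}),
            "bob": ("battery staple", {"employeeType": "student", "studentNumber": "7000123"}),
            "mallory": ("xyz", {"employeeType": "alumni", "studentNumber": "999"}),
            "eve": ("pw", {"employeeType": "staff", "staffNumber": "not-a-number"}),
            "carol": ("pw2", {"employeeType": "student", "studentNumber": "4294967296"}),
        }

    def authenticate(self, username: str, password: str) -> Optional[Mapping[str, str]]:
        entry = self._users.get(username)
        if entry is None or entry[0] != password:
            return None
        return entry[1]


def map_attributes(attrs: Mapping[str, str]) -> AthensAssertion:
    """Permission-set mapping: refuse anyone the licence does not cover, and
    refuse identifiers that are not numeric or do not fit in 32 bits."""
    role = attrs.get("employeeType")
    perm = PERMISSION_SET_BY_ROLE.get(role)
    if perm is None:
        raise PermissionError(f"no permission set for role {role!r}; user is not asserted")
    raw = attrs.get("staffNumber") or attrs.get("studentNumber")
    if raw is None or not raw.isdigit():
        raise ValueError("persistent identifier must be numeric")
    uid = int(raw)
    if uid > UID_MAX:
        raise ValueError("identifier does not fit in 32 bits")
    return AthensAssertion(permission_set=perm, uid=uid)


def uas_login(local: LocalAuthService, username: str, password: str) -> Optional[AthensAssertion]:
    """XAP entry point: None means bad credentials, nothing is asserted to Athens."""
    attrs = local.authenticate(username, password)
    if attrs is None:
        return None
    return map_attributes(attrs)


def explain_refusal(local: LocalAuthService, username: str, password: str) -> Optional[str]:
    """Why the UAS would refuse to assert this user, or None if it would assert."""
    try:
        result = uas_login(local, username, password)
    except (PermissionError, ValueError) as exc:
        return str(exc)
    return None if result is not None else "bad credentials"


if __name__ == "__main__":
    local = LocalAuthService()
    for name, pw in [("alice", "correct horse"), ("mallory", "xyz"), ("eve", "pw"), ("carol", "pw2")]:
        print(name, "->", uas_login(local, name, pw) if explain_refusal(local, name, pw) is None
              else explain_refusal(local, name, pw))
```

The refusals matter as much as the successes: the licence obligation in the Trust slide is met by mapping only recognised roles, and the 32-bit numeric rule is enforced before anything reaches Athens rather than discovered later as a rejected assertion.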

[Diagram: XAP / UAS flow. The user presents credentials at the XAP login point; the XAP passes them to the UAS; the UAS authenticates against the local authentication service (e.g. LDAP) and receives user attributes; the permission-set mapping yields a permission set and UID, returned to the XAP and asserted to Athens over the AAP.]


Trust/Encryption

- Athens does not know about the user
- Athens must trust the organisation to only assert valid users (licence obligation)
- Athens must trust that it really is the organisation asserting the user (cryptographic trust)
- Shared symmetric keys enforce the trust relationship
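Two slides make cryptographic claims about the same mechanism: the earlier one that Athens tokens are time-limited and cryptographically signed, and this one that a shared symmetric key per organisation is what lets Athens believe an assertion really came from that organisation. The example below, added here and not EduServ or Athens code, shows the smallest construction that satisfies both: a claims body plus an HMAC-SHA256 tag under the asserting organisation's key. The real Athens token layout is not on the slides, so the base64url/JSON format, the claim names and the key table are assumptions.

```python
"""Time-limited, HMAC-signed assertion tokens keyed per organisation.

Added illustration, not Athens code. Token layout (base64url JSON body plus
HMAC-SHA256 tag), claim names and organisation ids are constructed.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional, Tuple

# One shared symmetric key per organisation. Constructed at import time here;
# in a real deployment the keys are exchanged out of band and kept secret.
SHARED_KEYS = {
    "org-a": secrets.token_bytes(32),
    "org-b": secrets.token_bytes(32),
}
TOKEN_LIFETIME_S = 60  # short-life transfer token


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode_claims(claims: dict) -> bytes:
    # Canonical encoding so signer and verifier MAC exactly the same bytes.
    return json.dumps(claims, separators=(",", ":"), sort_keys=True).encode("ascii")


def issue_token(org_id: str, uid: int, permission_set: str, now: Optional[int] = None) -> str:
    """Organisation side: assert (uid, permission set) and sign with the org's key."""
    now = int(time.time()) if now is None else now
    claims = {
        "org": org_id,
        "uid": uid,
        "perm": permission_set,
        "iat": now,
        "exp": now + TOKEN_LIFETIME_S,
        "nonce": _b64(secrets.token_bytes(8)),  # every token is distinct
    }
    body = _encode_claims(claims)
    tag = hmac.new(SHARED_KEYS[org_id], body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(tag)


def verify_token(token: str, now: Optional[int] = None) -> Tuple[Optional[dict], str]:
    """Athens side: select the key by the claimed org, check the MAC, then expiry.

    Returns (claims, "ok") or (None, reason). No claim is trusted before the
    MAC has been checked, and the check is constant-time.
    """
    now = int(time.time()) if now is None else now
    try:
        body_b64, tag_b64 = token.split(".")
        body, tag = _unb64(body_b64), _unb64(tag_b64)
        claims = json.loads(body)
    except ValueError:  # bad split, bad base64, bad JSON or bad UTF-8
        return None, "malformed"
    if not isinstance(claims, dict):
        return None, "malformed"
    key = SHARED_KEYS.get(claims.get("org"))
    if key is None:
        return None, "unknown organisation"
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None, "bad signature"
    exp = claims.get("exp")
    if not isinstance(exp, int) or now >= exp:
        return None, "expired"
    return claims, "ok"


def altered_token(token: str, **changes) -> str:
    """Test helper: re-encode the claims with changes but keep the old tag,
    to show that verification rejects any modification after signing."""
    body_b64, tag_b64 = token.split(".")
    claims = json.loads(_unb64(body_b64))
    claims.update(changes)
    return _b64(_encode_claims(claims)) + "." + tag_b64


if __name__ == "__main__":
    t = issue_token("org-a", 100234, "ORG_STAFF")
    print(verify_token(t))
    print(verify_token(altered_token(t, perm="ORG_ADMIN")))
```

Note the order of checks in verify_token: the key is chosen from the claimed organisation id, so an assertion re-labelled as a different organisation fails the MAC under that organisation's key, and expiry is only consulted once the tag has proved the claims are the ones the organisation signed.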

[Diagram: trust relationships and the authentication referral flow. Organisations A, B and C each share a symmetric key with Athens (key material shown as "0101101010111010..."); the Organisation ID tells Athens which key applies. Referral flow, steps 1 to 11, between: DSP, User, Accounts Server, AP, UAS, Athens, Institution, Local Auth. Service, XAP, Home Domain Discovery and the Athens Authentication Domain. Step 7: binding with permission set.]


Modes of operation

- HDD (Home Domain Discovery)
  - A user goes direct to a service provider
  - We have to find out their institution
- LAA (Local Authentication Assertion)
  - A user starts locally at their institution
  - VLE, library portal, desktop login etc.
  - AthensDA used to establish an Athens session pre-emptively

HDDS: Phase 2


Shibboleth is:

- Emerging web authorisation architecture
- Internet2/MACE project
- Reference implementation software
  - V0.8 released 8th March 2003
  - V1.0 due end of May
- Key concepts
  - Authentication federated to the institution
  - Pseudonymity for individuals
  - Attribute Authority at the institution
  - Authorisation decision made by the resource provider based on user attributes
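The key concepts listed above fit together as a flow: the institution authenticates the user and hands the target an opaque handle, the target's SHAR takes that handle back to the institution's Attribute Authority, and the target decides on the attributes it receives. The following is an added example of that division of labour, not Internet2/Shibboleth code: the handle format, the attribute release policy, the directory, the credentials and the target name are all constructed for the example (eduPersonAffiliation is a real eduPerson attribute name, used for realism).

```python
"""Shibboleth-style handle and attribute acquisition, reduced to its moving parts.

Added illustration, not Shibboleth code. Directory, credentials, release
policy and target name are constructed; the handle format is an assumption.
"""
import secrets
from typing import Dict, Optional, Tuple

HANDLE_LIFETIME_S = 300

# Stand-in for the university Authentication System and attribute store.
CREDENTIALS = {"joe": "joes-password", "ann": "anns-password"}
DIRECTORY = {
    "joe": {"eduPersonAffiliation": "student", "mail": "joe@example.ac.uk"},
    "ann": {"eduPersonAffiliation": "alum", "mail": "ann@example.ac.uk"},
}
# Attribute release policy per target. CoolResource learns the affiliation
# and nothing else, so it never sees a name or address: pseudonymity.
RELEASE_POLICY = {"www.CoolResource.com": {"eduPersonAffiliation"}}


class HandleService:
    """Origin side: after local authentication, mint an opaque, short-lived handle."""

    def __init__(self):
        self._handles: Dict[str, Tuple[str, int]] = {}  # handle -> (username, expiry)

    def login(self, username: str, password: str, now: int) -> Optional[str]:
        if CREDENTIALS.get(username) != password:
            return None
        handle = secrets.token_urlsafe(24)  # random, carries no identity
        self._handles[handle] = (username, now + HANDLE_LIFETIME_S)
        return handle

    def resolve(self, handle: str, now: int) -> Optional[str]:
        entry = self._handles.get(handle)
        if entry is None or now >= entry[1]:
            return None
        return entry[0]


class AttributeAuthority:
    """Origin side: turn a still-valid handle into the attributes released for a target."""

    def __init__(self, handle_service: HandleService):
        self._hs = handle_service

    def attributes_for(self, handle: str, target: str, now: int) -> Optional[Dict[str, str]]:
        username = self._hs.resolve(handle, now)
        if username is None:
            return None  # unknown or expired handle: the SHAR gets nothing
        allowed = RELEASE_POLICY.get(target, set())
        return {k: v for k, v in DIRECTORY[username].items() if k in allowed}


def target_authorises(attrs: Optional[Dict[str, str]]) -> bool:
    """Target side: the access decision rests on released attributes alone."""
    return attrs is not None and attrs.get("eduPersonAffiliation") in {"student", "staff"}


def browse(hs: HandleService, aa: AttributeAuthority, username: str, password: str,
           target: str, now: int) -> bool:
    """Whole exchange from the user's point of view: login, handle, attributes, decision."""
    handle = hs.login(username, password, now)
    if handle is None:
        return False
    return target_authorises(aa.attributes_for(handle, target, now))


if __name__ == "__main__":
    hs = HandleService()
    aa = AttributeAuthority(hs)
    print("joe ->", browse(hs, aa, "joe", "joes-password", "www.CoolResource.com", now=0))
    print("ann ->", browse(hs, aa, "ann", "anns-password", "www.CoolResource.com", now=0))
```

Two properties are worth checking against the slides: a fresh random handle per login means the target cannot correlate visits, and an unlisted target gets an empty attribute set rather than the whole directory entry, so the authorisation decision fails closed.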

[Diagrams: Shibboleth Handle Acquisition (steps 1, 2, 3, 3a, 3b, 4) and Shibboleth Attribute Acquisition (steps 1 to 6). Components: at the University, the Authentication System, the Handle Service and the Attribute Authority; the WAYF; at the Resource Provider (http://www.CoolResource.com), the HTTP Server, the SHIRE and the SHAR. Scenario: Joe surfs the web.]

[Diagram: Athens architecture with Devolved Authentication and the Shibboleth Interface. Online services offering Athens protection (ScienceDirect, Wiley InterScience, SwetsWise, Oxford Reference Online, ExLibris Metalib; 259 total services); Admin Interface; Athens Agent; Central Repository of organisations, usernames and rights; Organisations: 247 HE, 270 FE, 206 NHS, 75 other, 798 total; 2 million accounts. Devolved Authentication: ~10 organisations using local authentication (LDAP Directory Service, Kerberos, X.509 certificates). Shibboleth Interface to online services offering Shibboleth protection.]


Inter-operability

- Allow Shibboleth institutions (origins) access to Athens-protected resources
- Allow Athens institutions access to Shibboleth-protected resources (targets)
  - Demonstrated Athens as origin on v0.7
- Allow any trusted authentication system access to Athens-protected resources
  - Establish peer-to-peer relationships


To Summarise

- Athens is a mature and evolving Access Management System
- Single Sign On access to many services
- Significant customer base of library resources
- Opportunities to inter-operate to mutual benefit
  - with Shibboleth
  - with other established authentication systems
