www.kent.ac.uk the kusp project kent university shibbolized portal bonnie ferguson...

www.kent.ac.uk

The KUSP Project

Kent University Shibbolized Portal

Bonnie Ferguson

b.ferguson@kent.ac.uk

2

Introduction

• Current situation - Athens• Federated Access Management• Shibboleth • Federations• KUSP project• Shibboleth Demo

3

Current situation

• Athens accounts are needed to access many resources

• Institutions must create and manage accounts• Duplicates some user information• Different usernames and passwords• AthensDA allows accounts to be handled locally• Move towards sharing resources… Jorum, etc.

4

Athens

• JISC currently subsidise Athens – free to Universities• July 2008 - JISC withdraws Athens subsidies• OpenAthens will be available but at a charge (£800 -

£9500 per year, depending on institutional size)• JISC will fund FAM as replacement

http://www.jisc.ac.uk/publications/publications/pub_shibboleth.aspx

5

Services using Athens

• Most Athens services should adopt Shibboleth by July 2008.

• Shibboleth-Athens and Athens-Shibboleth Gateways to bridge the gap.

http://www.jisc.ac.uk/publications/publications/pub_shibboleth.aspx

6

What is Federated Access Management (FAM)?

• Next generation access-management system• FAM builds a trust relationship between Identity

Providers and Service Providers.  • Authentication is devolved to a user’s home institution.• Attributes about the user (including roles) can be

exchanged.

http://www.jisc.ac.uk/news/stories/2006/03/access_qanda.aspx

7

Federated Access Management

http://www.switch.ch/aai/about/introduction/

8

Benefits (1)

• User registers only once – with home institution• Reduces time needed to manage multiple user

accounts • New tools for managing licenses and service

subscriptions.

http://www.switch.ch/aai/about/introduction/http://www.jisc.ac.uk/news/stories/2006/03/access_qanda.aspx

9

Benefits (2)

• Users won’t have to remember additional usernames and passwords.

• Simplified authentication process may lead to increased use of subscribed services.

• Interoperable with other SAML-based software  

10

Where does the word ‘Shibboleth’ come from?

• The word comes from the Old Testament (Judges 12:1-6).

• Two groups from different sides of the river Jordan who had different accents. One pronounced the ‘sh’ sound as ‘si’.

• To separate friend from foe, those crossing the river were asked to pronounce the word ‘shibboleth’ (it means an ear of corn).

• According to the bible, the 42,000 who pronounced it ‘sibboleth’ were killed. 

11

It’s also a band…

http://www.goshibbolethgo.com

12

But seriously, folks….

• A technology that enables FAM. • Functionality of Athens DA • Standards based - SAML (Security Assertion Markup

Language)• Open source middleware software • Privacy-preserving

http://shibboleth.internet2.edu/

13

Shibboleth Architecture

http://www.switch.ch/aai/about/introduction/

Identity Provider

Service Provider

Federation

14

Shibboleth identity Provider (IdP)

• Uses institutional user database• Provides authentication • Sends user attributes• (aka Shibboleth Origin)

15

Shibboleth Service Provider (SP)

• Shibboleth module protects web-based applications• Intercepts HTTP requests and redirects to WAYF (or a

specific Identity Provider) for authentication• Receives ticket/cookie• Optional additional call for attributes • (aka Shibboleth Target)

16

What is a Federation?

• A federation is a group of institutions and organisations that sign up to an agreed set of policies for exchanging information about users and resources to enable access and use of resources and services.

• Organisations that use Shibboleth to access resources must join or create a federation.

http://www.jisc.ac.uk/whatwedo/themes/access_management/federation/shibboleth.aspx

http://en.wikipedia.org/wiki/United_Federation_of_Planets

17

Federations

• WAYF (Where are you from?) service • UK Access Federation (http://www.ukfederation.org.uk/

)

https://spaces.internet2.edu/display/SHIB/ShibbolethFederations

18

Joining the UK Access Federation

• Apply in writing• Signed by Executive Liaison• Management Liaison must be named• Agree to be bound by federations Rules of Membership

http://www.ukfederation.org.uk/

19

The KUSP Project

• Funded by the JISC Core Middleware Infrastructure Early Adopter programme

• January 2006 – March 2007• 1 Developer full time for 1 year

20

What can Shibboleth do for us?

• Athens replacement• Single Sign on solution?• Manage authentication for both internal and external

applications?

21

The KUSP Project - Aims

• Creating a new Shibboleth infrastructure for the University of Kent

• Building a Shibbolized portal and VLE with Single Sign-on (SSO)

• Investigate PrivilEge and Role Management Infrastructure Standards (PERMIS) for portal authorisation

• Pushing the envelope• Providing support to the partners in the University of

Medway project to adopt Shibboleth

22

Shibboleth Test Environment

• Shibboleth Identity Provider• Connect to University LDAP• Shibboleth Service Provider• Protecting Static Web pages• Join InQueue Test Federation

23

Shibboleth – Where to start?

• Shibboleth Software is free and Open Source• Help is available!• Shibboleth Wiki (

https://spaces.internet2.edu/display/SHIB/)• MATU Installation guides (http://www.matu.ac.uk/docs/

)• Mailing lists

(shibboleth-users@internet2.edu)

24

Purchases

• Two Sun servers, running Solaris 9• Shibboleth Identity Provider• Shibboleth Service Provider

• Licenses for:• WebCT Powerlinks SDK • WebCT developers network

25

Identity Provider - Software

• Software comes packaged a java .war file. • We installed it on:

• Solaris OS• Apache Tomcat • Apache Web Server• mod_jk

26

Identity Provider - Configuration

• The configuration is stored in several XML files in /usr/local/shibboleth-idp/etc by default:

• idp.xml - Main configuration file contains providerId, information about the federation and links to other configuration files

• resolver.ldap.xml - Connection parameters for LDAP and list of attributes to retrieve

• arp.site.xml - Attribute release policy - list of attributes. Can be configured to release different sets of attributes to different applications.

• metadata.xml - holds metadata for all the IdPs and SPs in the federation and the SSL certificate chain. Must be updated regularly!

27

Service Provider

• Shibboleth does not provide its own authentication mechanism (out of scope for Shibboleth). It can be paired with a range of authentication systems:• Apache <Location> directives in httpd.conf (e.g. simple

HTML page) • JAAS module - for dynamic web applications like WebCT or

uPortal that use the attributes of the user to display information• Yale CAS (Central Authentication Service)

http://shibboleth.internet2.edu/docs/draft-internet2-shibboleth-requirements-01.html

28

Service Providers – One or Many?

• SAML SSO is an end to end protocol between one SP and one IdP.

• If you are Shibbolizing multiple applications (like uPortal and WebCT), each one requires their own Service provider.

• However, Guanxi takes a different approach by allowing a single Shibboleth SP for an institution with associated ‘guards’ for each application.

29

Service Provider - Configuration

Configuration files in /opt/shibboleth-sp/etc/shibboleth

• shibboleth.xml - main configuration file with Federation information, SSL certificate , RequestMap of all applications being protected with parameters

• aap.xml - attribute acceptance policy - can set rules about the attributes you accept

• metadata.xml – same as identity provider

30

Service Provider - Configuration

• 2 files work together to provide Shibboleth protection to web resources:

• httpd.conf <Location> block

• Shibboleth.xml <RequestMap> elements

31

Shibbolizing applications – JAAS modules

• uPortal - SpieJaasModule developed by the SPIE project at Oxford University (http://spie.oucs.ox.ac.uk/)

• WebCT – Shibboleth inbound authentication module (http://devnet.webct.com/contrib/authentication/Shibboleth/)

• Many more: Blackboard, DSpace, Plone, EZProxy (https://wiki.internet2.edu/confluence/display/seas/Home)

32

Java Authentication and Authorization Service (JAAS)

http://devnet.webct.com/docs/ce6_documentation/WebCTVista400_sdk30_programmers_guide_2005_11_30.pdf

33

Authentication only

• uPortal and WebCT JAAS modules were basic• Triggered Shibboleth Authentication• Retrieved the username attribute• Set as current user in system• Used inbuilt (uPortal or WebCT) authorisation

34

PERMIS

• PrivilEge and Role Management Infrastructure Standards

• Authorisation (privilege management) system that complements existing authentication systems.

• PERMIS web interface -write PERMIS policies

35

PERMIS

• URLs need to be known in advance • uPortal URLs built on the fly

• http://shibsp.kent.ac.uk/uPortal/tag.f4d450cdb66bf1f5...• http://shibsp.kent.ac.uk/uPortal/tag.a3a580b2d384e523...

• Would require additional code to handle Authorisation• Develop JAAS module• Portal level – to call PERMIS when building portal pages

• Out of scope of KUSP project

36

Single Sign-On (SSO)

• Specialized form of software authentication that enables a user to authenticate once and gain access to the resources of multiple software systems.

• Kerberos, CAS, CoSIgn, Web-SSO, etc.

http://en.wikipedia.org/wiki/Single_sign-on

37

SSO - Aims

• Integrate WebCT into portal• Sign into portal and get dashboard view of WebCT

data

38

SSO - Results

• Shibboleth uses Cookies so SSO happened automatically

39

Portal Integration

• IFrame• Session & Display problems

40

Portal Integration

• Vista MyWebCT portlet• Used proxy authentication module• Displayed limited dashboard

41

Portal Integration

• Home-grown portlet using web services• Allows fuller dashboard interface• Best to extend existing portlet

42

Shibboleth Demo

• http://shibsp.kent.ac.uk/uPortal

43

Findings - Authn not Authz

• Shibboleth for Authentication not authorization • Personalised systems like portals and VLEs need to

perform three types of user management:• Authentication• Authorization/Role management• Remembering user preferences

• Is it appropriate to externalise this?• Outside of scope of project to redevelop authorization

for personalised system such as portal or VLE

44

Findings – More potential

• Did not use Shibboleth’s full potential!• uPortal and WebCT still required user accounts• uPortal can create these at first login• Still need to manage these accounts• Did not use Shibboleth role-based attributes• Did not use privacy protecting functionality (always

relied on Username) instead of tickets and roles

45

Findings - WebCT

• The WebCT/Shibboleth module was not necessary for the Shibbolized portal

• Proxy module was sufficient since it was only passing a username instead of using the full Shibboleth functionality

46

Findings - SSO

• Shibboleth can handle SSO for web based applications• No extra software required (such as CAS)• Will investigate for future use

47

Lessons Learned

• Setting up the Shibboleth Identity provider and Service Provider was relatively straightforward. It is the integration of Shibboleth with existing applications that is much more difficult and time consuming, so leave plenty of time for this in your project plan.

• Keep a Blog or Wiki of the installation procedures, lessons learned and other issues.

• Make contact with other projects as early as possible.• Join all relevant mailing lists at the beginning of the

project and don’t be afraid to ask lots of stupid questions.

48

Resources

• Shibboleth Wiki (https://spaces.internet2.edu/display/SHIB/)• MATU Installation guides (http://www.matu.ac.uk/docs/)• SWITCH Installation guides (

http://www.switch.ch/aai/docs/shibboleth/SWITCH/1.3/sp/install-sp-1.3-debian.html)

• LSIP project (University of Liverpool) Implementation Documentation (http://www.liv.ac.uk/LSIP/Documentation/ DraftShib13ImplementationDocument.html)

• uPortal website http://www.uportal.org• WebCT (Blackboard) website and developer’s network : http://

www.webct.com/ and http://devnet.webct.com/• SPIE project (Oxford University) http://www.oucs.ox.ac.uk/rts/spie/• InQueue Shibboleth federation http://inqueue.internet2.edu/• FEAR project (Reid Kerr College) http://

www.reidkerr.ac.uk/fear/docs/ReloadContentPreview.htm

49

References

• http://shibboleth.internet2.edu• http://www.jisc.ac.uk/publications/publications/

pub_shibboleth.aspx• http://www.jisc.ac.uk/whatwedo/themes/access_management/

federation/shibboleth.aspx• http://www.switch.ch/aai/about/introduction• http://www.goshibbolethgo.com• http://en.wikipedia.org/wiki/United_Federation_of_Planets• https://spaces.internet2.edu/display/SHIB/ShibbolethFederations• http://www.ukfederation.org.uk/• http://shibboleth.internet2.edu/docs/draft-internet2-shibboleth-requ

irements-01.html

• http://sec.isi.salford.ac.uk/permis/

50

Any questions?

• http://www.kent.ac.uk/is/kusp• b.ferguson@kent.ac.uk

51

Discussion

• How long will FAM take to implement?• How much will it cost?• What impact on service?• Changes to training and documentation required?• Support moved from Library to Computing Service?• Could OpenAthens be a cheaper option?• What about non-web based resources?