lir glenn wearen

Why are HEAnet in this space? Collaborative, shared and cloud services IP address access control and IPv6 Synergy with eduroam (single credential, eduGAIN) NREN fulfils the role of federation operator

Upload: heanet

Post on 04-Jun-2015


TRANSCRIPT

Page 1: Lir glenn wearen

Why are HEAnet in this space?
– Collaborative, shared and cloud services
– IP address access control and IPv6
– Synergy with eduroam (single credential, eduGAIN)
– NREN fulfils the role of federation operator

Page 2: Lir glenn wearen

Terminology

Single Log On
• single point of authentication
• synchronised account and credentials
• authenticate to each application

Single Sign On (SSO)
• single point of authentication
• single credential, single account
• authenticate once

Page 3: Lir glenn wearen

Identity Provider
• Authenticates user and provides user data
• Personal, non-personal or none

Service Provider
• Authorises access based on incoming data
• Personalises experience based on incoming data
• Persists the experience between sessions
• Links application data with incoming data

Edugate

Page 4: Lir glenn wearen

Identity Providers
• Institutes of Technology
• Universities
• Research agencies on the HEAnet network
• Expanded set in the future


Page 5: Lir glenn wearen

– Potential Services
• Institutional services
  » Any website requiring a login [for non-campus users]
• Shared services
  » HEAnet services, An Cheim services, IReL, NDLR
• Academic content
  » Publishers (EBSCO, Elsevier, JSTOR) and databases
• Research portals
  » Or any cross-institutional research group resource
• Organisations offering academic discount
  » Microsoft Dreamspark, o2, Travelcard


Page 6: Lir glenn wearen

– Potential Services


* Bodington.org

* Condor

* Confluence Wiki

* Darwin Streaming

* Dokuwiki

* Drupal

* DSpace

* eAcademy

* Fedora Repository

* Google Apps

* GridSphere/GridShib

* Dawsonera

* Horde

* Joomla

* LionShare

* MediaWiki

* Mahara

* MyProxy

* Napster

* PHEAA

* Sharepoint

* SYMPA

* Symplicity

* TargetConnect

* TWiki

* uPortal

* WordPress

* Zope + Plone

* Live@edu

* ArtSTOR

* Elluminate

* CSA

* Digitalbrain

* EBSCO

* Elsevier

* Science Direct

* ExLibris

* JSTOR

* The Literary Encyclopedia

* Metapress

* Moodle

* OCLC

* Ovid

* Project MUSE

* Thomson Reuters

* Proquest

* Serial Solutions

* SCRAN

* Thomson Gale

* EZproxy

* Blackboard

* CLIX

* Sakai

* WebAssign

* WebCT

* TurnItIn

* Zetoc

Page 7: Lir glenn wearen

– Internationally
AT ACOnet-AAI
AU Australian Access Federation (AAF)
CA Canadian Access Federation (CAF)
CH SWITCHaai
CZ eduID.cz
DE DFN-AAI
DK WAYF
ES SIR
FI Haka
FR Fédération Éducation-Recherche
GR GRNET
HR AAI@EduHr
HU NIIF AAI
IE Edugate
IT IDEM
LV LAIFE
NL SURFnet
NO FEIDE
PT RCTSaai
SE SWAMID
US InCommon
UK UK Access Management Federation for Education and Research

eduGAIN to connect these federations

Page 8: Lir glenn wearen

• Athens services were proprietary and library only
• Open standards were used for non-library services
• UK Access Management Federation provides an alternative to Athens that allows a single access platform for both library and non-library services.
• 800 members; all UK Higher Education Institutions have joined the UK Access Management Federation
• 50% of those institutions use it to gain access to library content using Shibboleth
• 50% use the Athens Gateway to federated access
• Publisher support for Shibboleth is approximately 50%

UK Access Mgmt. Fed.

Page 9: Lir glenn wearen
Page 10: Lir glenn wearen
Page 11: Lir glenn wearen

Based on the SAML2 Protocol
• Interoperable Web-SSO Profile (saml2int.org)
  – Shibboleth 2, simpleSAMLphp
  – Oracle, IBM, Ping and Microsoft ADFS v2

Implementation
– Service Provider
  • Web server plug-in (optional application integration)
– Identity Provider
  • Web application with connection to campus directory


Page 12: Lir glenn wearen

Z39.50 Protocol
• Search multiple targets at the same time
• Retrieve

SAML Protocol
• Authenticate with multiple targets as needed
• Authorise

Edugate – SAML

Page 13: Lir glenn wearen

Authentication
• Responsibility of the institution
• Usually LDAP, but other options available

Authorization
– Controlled by the service provider
– Institution can filter users before they reach the service provider
– Based on the user's attributes


Page 14: Lir glenn wearen

Attributes
• GivenName, surname, email & Organisation
  – Joseph, Bloggs, [email protected], University of Mullingar
• EduPersonPrincipalName
  – [email protected]
• EduPersonTargetedID
  – a44ffed231eda7b7a7d
• EduPersonScopedAffiliation
  – [email protected], [email protected]
• EduPersonEntitlement
  – urn:mace:heanet.ie:media:write


Page 15: Lir glenn wearen

Attributes: eduPersonScopedAffiliation

student – undergraduate or postgraduate
staff – all staff
faculty – to distinguish teaching staff
employee – staff other than staff/faculty (e.g., contractor)
member – comprises all the categories named above
affiliate – relationship short of full member
alum – alumnus (graduate)
library-walk-in
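Added example, not from the slides: the service-provider-side authorisation decision that the Authorization and Attributes slides describe, driven by the eduPerson attributes an Edugate IdP releases. It assumes the SAML assertion has already been signature-checked; the scope check it adds (only trusting scoped affiliations whose scope the asserting IdP is registered for) is a constructed illustration of what a scope-matching attribute filter does, and the "mullingar.ie" scope and sample values are hypothetical.

```python
# Added example, not from the slides: the SP-side authorisation decision the
# Authorization and Attributes slides describe, driven by the eduPerson
# attributes an Edugate IdP releases. Assumes the SAML assertion signature was
# already verified; what this adds is the scope check a scope-matching
# attribute filter performs, so an IdP only asserts affiliations for its scopes.

# From the eduPersonScopedAffiliation slide: "member" comprises these values.
MEMBER_AFFILIATIONS = {"student", "staff", "faculty", "employee"}

# Constructed sample release; "mullingar.ie" is a hypothetical scope for the
# "University of Mullingar" example on the Attributes slide.
IDP_SCOPES = {"mullingar.ie"}
SAMPLE_ATTRS = {
    "eduPersonPrincipalName": ["jbloggs@mullingar.ie"],
    "eduPersonScopedAffiliation": ["student@mullingar.ie", "staff@otheruni.ie"],
    "eduPersonEntitlement": ["urn:mace:heanet.ie:media:write"],
}

def parse_scoped(value):
    """Split 'affiliation@scope'; reject values with no or several '@'."""
    if value.count("@") != 1:
        raise ValueError(f"malformed scoped value: {value!r}")
    affiliation, scope = value.split("@")
    if not affiliation or not scope:
        raise ValueError(f"malformed scoped value: {value!r}")
    return affiliation.lower(), scope.lower()

def trusted_affiliations(scoped_values, idp_scopes):
    """Affiliations whose scope the asserting IdP is allowed to speak for.
    staff@otheruni.ie from an IdP registered only for mullingar.ie is dropped;
    'member' is implied by any of MEMBER_AFFILIATIONS, as the slide defines it."""
    affiliations = set()
    for value in scoped_values:
        affiliation, scope = parse_scoped(value)
        if scope not in idp_scopes:
            continue  # IdP is not authoritative for this scope: do not trust it
        affiliations.add(affiliation)
        if affiliation in MEMBER_AFFILIATIONS:
            affiliations.add("member")
    return affiliations

def authorize(attrs, idp_scopes, required_affiliations=(), entitlement=None):
    """Grant if the user holds the entitlement or any required affiliation."""
    if entitlement and entitlement in attrs.get("eduPersonEntitlement", []):
        return True
    affiliations = trusted_affiliations(
        attrs.get("eduPersonScopedAffiliation", []), idp_scopes)
    return any(a in affiliations for a in required_affiliations)
```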


Page 16: Lir glenn wearen

Why use Edugate...
• Reduce account provisioning for walk-in and campus users
• Reduce the number of passwords for your users
• Reduce the number of prompts for those passwords
• Filter user access to content by affiliation or special groups
• Stop worrying about licences and users on your wifi network or open terminals
• Start to eliminate abuse of shared credentials/generic accounts
• IPv4 to IPv6 migration (193.1.200.412 vs 2002:c101:e4a5::c101:e4a5)
• Enhanced personalisation, without losing privacy
• No fee

Page 17: Lir glenn wearen

Edugate on Campus

IT department sets up identity provider service (IdP)

Any other department can opt to accept a federated login (SP)
– Library can opt to replace the Ezproxy URL in the catalogue.
– Library can opt to enable federated login to the library website and repositories
– Library can opt to integrate Ezproxy with the IdP

Page 18: Lir glenn wearen

Edugate on Campus

IT department sets up identity provider service (IdP)

IADT, UCD, CIT, DKIT, TCD, NUIM, NUIG, ITT, WIT, LIT, DCU, DIT, UL, DIAS, NCAD

Page 19: Lir glenn wearen

Edugate on Campus

[Diagram: Catalogue with Ezproxy. Components: User, LDAP, catalogue with Ezproxy, publisher content.]

Page 20: Lir glenn wearen

Edugate on Campus

[Diagram: Catalogue with Ezproxy, with a Shibboleth IdP added. Components: User, LDAP, Shibb, catalogue with Ezproxy, publisher content.]

Page 21: Lir glenn wearen

Edugate on Campus

[Diagram: Catalogue with Ezproxy, Shibboleth IdP also serving non-library services. Components: User, LDAP, Shibb, catalogue with Ezproxy, publisher content, non-library services.]

Page 22: Lir glenn wearen

Edugate on Campus

[Diagram: Catalogue (with Shibb). Components: User, LDAP, Shibb, catalogue, publisher content, non-library services.]

Page 23: Lir glenn wearen

Edugate on Campus

[Diagram: Catalogue (without Ezproxy). Components: User, LDAP, Shibb, catalogue, publisher content, non-library services.]

Page 24: Lir glenn wearen

Hybrid Edugate on Campus

[Diagram: Catalogue (some Ezproxy, some Shibb). Components: User, LDAP, Shibb, catalogue, publisher content, non-library services.]

Page 25: Lir glenn wearen

Edugate on Campus

[Diagram: Repository (with Shibb), full upload or preferences. Components: User, and an LDAP plus Shibb pair at each of three institutions.]

Page 26: Lir glenn wearen

Edugate for non-academic libraries

[Diagram: Repository (with Shibb), full upload or preferences. Components: User, and an LDAP plus Shibb pair at each of three institutions.]

Page 27: Lir glenn wearen

When to use EZ, Shibb or other

Page 28: Lir glenn wearen

Edugate on Campus

(Assuming a service supports Shibboleth)

Use Shibboleth...
• if you intend to take advantage of fine-grained access control
• if the service offers personalisation and persistent sessions (e.g. search results, search preferences etc.)
• if the content of the service is frequently accessed as a result of a Google search rather than a search of your OPAC (thus bypassing your EZproxy URLs)
• if Shibboleth is frequently used to access other services like student email and you want to avail of single sign-on with no re-authentication prompts

Page 29: Lir glenn wearen

Edugate on Campus

Some services do not support a Shibboleth login yet.

• Use EZproxy for services with no personalisation features, for services that don't feature in Google results, and for services that don't support Shibboleth
• Use EZproxy with Shibboleth for these non-personalised services if your campus uses Shibboleth for other frequently accessed services (thus benefiting from single sign-on)
• Use Shibboleth if any of the reasons listed on the previous slide fit

Page 30: Lir glenn wearen

IdP Configuration

[Diagram: IdP configuration flow. Components: Edugate Resource Registry with its DB, Shibboleth IdP and its Shibb config files, a non-Shibb IdP, and the IdP Admin and SP Admin roles that feed the registry.]