LIR: Glenn Wearen (HEAnet) on Edugate

Post on 04-Jun-2015

1. Why are HEAnet in this space?
   • Collaborative, shared and cloud services
   • IP address access control and IPv6
   • Synergy with eduroam (single credential, eduGAIN)
   • NREN fulfils the role of federation operator

2. Terminology
   • Single Log On: single point of authentication; synchronised account and credentials; authenticate to each application
   • Single Sign On (SSO): single point of authentication; single credential, single account; authenticate once

3. Edugate
   • Identity Provider: authenticates the user and provides user data (personal, non-personal or none)
   • Service Provider: authorises access based on incoming data; personalises the experience based on incoming data; persists the experience between sessions; links application data with incoming data

4. Edugate Identity Providers
   • Institutes of Technology
   • Universities
   • Research agencies on the HEAnet network
   • Expanded set in the future

5. Edugate Potential Services
   • Institutional services: any website requiring a login (for non-campus users)
   • Shared services: HEAnet services, An Cheim services, IReL, NDLR
   • Academic content: publishers (EBSCO, Elsevier, JSTOR) and databases
   • Research portals: or any cross-institutional research group resource
   • Organisations offering academic discount: Microsoft DreamSpark, o2, Travelcard

6. Edugate Potential Services
   Horde, TWiki, Science Direct, Proquest, Condor, Joomla, uPortal, ExLibris, Serial Solutions, Confluence Wiki, LionShare, WordPress, JSTOR, SCRAN, Darwin Streaming, MediaWiki, Zope + Plone, The Literary Encyclopedia, Thomson Gale, Dokuwiki, Mahara, Live@edu, EZproxy, Drupal, MyProxy, ArtSTOR, Metapress, Blackboard, DSpace, Napster, Elluminate, Moodle, CLIX, eAcademy, PHEAA, CSA, OCLC, Sakai, Fedora Repository, Sharepoint, Digitalbrain, Ovid, WebAssign, Google Apps, SYMPA, EBSCO, Project MUSE, WebCT, GridSphere/GridShib, Symplicity, Elsevier, Thomson Reuters, TurnItIn, Zetoc, Dawsonera, TargetConnect

7. Edugate Internationally
   AT  ACOnet-AAI                                   IT  IDEM
   AU  Australian Access Federation (AAF)           LV  LAIFE
   CA  Canadian Access Federation (CAF)             NL  SURFnet
   CH  SWITCHaai                                    NO  FEIDE
   CZ                                               PT  RCTSaai
   DE  DFN-AAI                                      SE  SWAMID
   DK  WAYF                                         US  InCommon
   ES  SIR                                          UK  UK Access Management Federation for Education and Research
   FI  Haka
   FR  Fédération Éducation-Recherche
   GR  GRNET
   HR  AAI@EduHr
   HU  NIIF AAI
   IE  Edugate
   • eduGAIN to connect these federations

8. UK Access Management Federation
   • Athens was proprietary and library-only; open standards were used for non-library services
   • The UK Access Management Federation provides an alternative to Athens that allows a single access platform for both library and non-library services
   • 800 members; all UK Higher Education Institutions have joined the UK Access Management Federation
   • 50% of those institutions use it to gain access to library content using Shibboleth; 50% use the Athens Gateway to federated access
   • Publisher support for Shibboleth is approximately 50%

9. Edugate
   • Based on the SAML2 protocol, interoperable Web-SSO profile (Shibboleth 2, simpleSAMLphp, Oracle, IBM, Ping and Microsoft ADFS v2)
   • Implementation: Service Provider is a web server plug-in (optional application integration); Identity Provider is a web application with a connection to the campus directory

10. Edugate: SAML compared with Z39.50
   • Z39.50 protocol: search multiple targets at the same time; retrieve
   • SAML protocol: authenticate with multiple targets as needed; authorise

11. Edugate
   • Authentication: responsibility of the institution; usually LDAP, but other options are available
   • Authorization: controlled by the service provider; the institution can filter users before the service provider; based on the user's attributes

12. Edugate Attributes
   • givenName, surname, email & organisation: Joseph, Bloggs, , University of Mullingar
   • eduPersonPrincipalName
   • eduPersonTargetedID: a44ffed231eda7b7a7d
   • eduPersonScopedAffiliation, eduPersonEntitlement

13. Edugate Attributes: eduPersonScopedAffiliation values
   • student: undergraduate or postgraduate
   • staff: all staff
   • faculty: to distinguish teaching staff
   • employee: employee other than staff/faculty (e.g., contractor)
   • member: comprises all the categories named above
   • affiliate: relationship short of full member
   • alum: alumnus (graduate)
   • library-walk-in

14. Why use Edugate...
   • Reduce account provisioning for walk-in and campus users
   • Reduce the number of passwords for your users
   • Reduce the number of prompts for those passwords
   • Filter user access to content by affiliation or special groups
   • Stop worrying about licences and users on your wifi network or open terminals
   • Start to eliminate abuse of shared credentials/generic accounts
   • IPv4 to IPv6 migration (an IPv4 address vs its 6to4 form, e.g. 2002:c101:e4a5::c101:e4a5): IP-based access control does not survive it
   • Enhanced personalisation, without losing privacy
   • No fee

15. Edugate on Campus
   • IT department sets up an identity provider service (IdP)
   • Any other department can opt to accept a federated login (SP)
   • Library can opt to replace the EZproxy URL in the catalogue
   • Library can opt to enable federated login to the library website and repositories
   • Library can opt to integrate EZproxy with the IdP

16. Edugate on Campus
   • IT department sets up an identity provider service (IdP): IADT, UCD, CIT, DKIT, TCD, NUIM, NUIG, ITT, WIT, LIT, DCU, DIT, UL, DIAS, NCAD

17. Edugate on Campus [diagram: catalogue with EZproxy; user, LDAP, publisher content]

18. Edugate on Campus [diagram: catalogue with EZproxy plus Shibboleth; user, LDAP, publisher content]

19. Edugate on Campus [diagram: catalogue with EZproxy plus Shibboleth; user, LDAP, publisher content and non-library services]

20. Edugate on Campus [diagram: catalogue with Shibboleth; user, LDAP, publisher content and non-library services]

21. Edugate on Campus [diagram: catalogue without EZproxy; user, Shibboleth, LDAP, publisher content and non-library services]

22. Hybrid Edugate on Campus [diagram: catalogue with some EZproxy, some Shibboleth; user, LDAP, publisher content and non-library services]

23. Edugate on Campus [diagram: repository with Shibboleth; full upload or preferences; user, Shibboleth, LDAP]

24. Edugate for non-academic libraries [diagram: repository with Shibboleth; full upload or preferences; user, Shibboleth, LDAP]

25. When to use EZproxy, Shibboleth or other

26. Edugate on Campus (assuming a service supports Shibboleth). Use Shibboleth...
   • if you intend to take advantage of fine-grained access control
   • if the service offers personalisation and persistent sessions (e.g. search results, search preferences etc.)
   • if the content of the service is frequently accessed as a result of a Google search rather than a search of your OPAC (thus bypassing your EZproxy URLs)
   • if Shibboleth is frequently used to access other services like student email and you want to avail of single sign-on with no re-authentication prompts

27. Edugate on Campus. Some services do not support a Shibboleth login yet.
   • Use EZproxy for services with no personalisation features, for services that don't feature in Google results, and for services that don't support Shibboleth
   • Use EZproxy with Shibboleth for these non-personalised services if your campus uses Shibboleth for other frequently accessed services (thus benefiting from single sign-on)
   • Use Shibboleth if any of the reasons listed on the previous slide fit

28. IdP Configuration [diagram: SPs and their admins, Edugate Resource Registry, non-Shibboleth IdP, Shibboleth IdP, IdP admins, DB, Shibboleth config files]
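The service-provider side of slides 11 to 13 (authorisation from incoming attributes, scope checking and the affiliation vocabulary) and the "personalisation without losing privacy" point of slide 14, as an added example. This is not Edugate or HEAnet code. It parses a constructed SAML2 assertion, drops scoped values the issuing IdP is not entitled to assert (the check a Shibboleth SP performs from the IdP's metadata scopes), makes an access decision from eduPersonScopedAffiliation and eduPersonEntitlement, and derives a pairwise pseudonymous identifier in the spirit of eduPersonTargetedID. The entity IDs, scopes, user values and the exact hash construction are assumptions; the OIDs are the real eduPerson ones. Signature verification of the assertion is assumed to have happened before this step.

```python
"""Attribute-based authorisation at a SAML2 Service Provider (added example).

Parses a constructed SAML2 assertion as an IdP might send it, drops scoped
attribute values the issuing IdP is not entitled to assert, decides access
from eduPersonScopedAffiliation / eduPersonEntitlement, and derives a pairwise
pseudonymous identifier in the spirit of eduPersonTargetedID.
The assertion's XML signature is assumed to have been verified already."""
import base64
import hashlib
import xml.etree.ElementTree as ET  # on untrusted input use a hardened parser such as defusedxml

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# eduPerson attribute OIDs as carried in SAML2 assertions (urn:oid name format).
FRIENDLY = {
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.6": "eduPersonPrincipalName",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.7": "eduPersonEntitlement",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.9": "eduPersonScopedAffiliation",
}
SCOPED = {"eduPersonPrincipalName", "eduPersonScopedAffiliation"}
# Affiliation vocabulary as listed on slide 13.
AFFILIATIONS = {"student", "staff", "faculty", "employee", "member",
                "affiliate", "alum", "library-walk-in"}

# Constructed stand-in for federation metadata: the scopes each IdP may assert.
# A Shibboleth SP reads these from <shibmd:Scope> elements in the IdP's metadata.
ALLOWED_SCOPES = {"https://idp.example.ie/idp/shibboleth": {"example.ie"}}

# Constructed sample assertion; entity IDs and values are illustrative only.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>https://idp.example.ie/idp/shibboleth</saml:Issuer>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6">
      <saml:AttributeValue>jbloggs@example.ie</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9">
      <saml:AttributeValue>student@example.ie</saml:AttributeValue>
      <saml:AttributeValue>member@example.ie</saml:AttributeValue>
      <saml:AttributeValue>staff@other.ie</saml:AttributeValue>
      <saml:AttributeValue>superuser@example.ie</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7">
      <saml:AttributeValue>urn:mace:dir:entitlement:common-lib-terms</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_attributes(xml_text):
    """Return (issuer entityID, {friendly name: [values]}) from an assertion."""
    root = ET.fromstring(xml_text)
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        name = FRIENDLY.get(attr.get("Name"), attr.get("Name"))
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
        attrs.setdefault(name, []).extend(values)
    return issuer, attrs


def filter_scoped(issuer, attrs):
    """Drop scoped values whose scope the issuer may not assert, and affiliations
    outside the eduPerson vocabulary. Returns (kept attributes, dropped values)."""
    allowed = ALLOWED_SCOPES.get(issuer, set())
    kept, dropped = {}, []
    for name, values in attrs.items():
        if name not in SCOPED:
            kept[name] = list(values)
            continue
        kept[name] = []
        for value in values:
            local, sep, scope = value.rpartition("@")
            ok = bool(sep) and scope.lower() in allowed
            if name == "eduPersonScopedAffiliation":
                ok = ok and local in AFFILIATIONS
            (kept[name] if ok else dropped).append(value)
    return kept, dropped


def authorise(attrs, affiliations=(), entitlements=()):
    """Allow if the user holds any listed affiliation (scope stripped) or any listed entitlement."""
    held = {v.split("@", 1)[0] for v in attrs.get("eduPersonScopedAffiliation", [])}
    if held & set(affiliations):
        return True
    return bool(set(attrs.get("eduPersonEntitlement", [])) & set(entitlements))


def targeted_id(idp_entity_id, sp_entity_id, local_id, salt):
    """Pairwise pseudonymous ID: stable for one user at one SP, unlinkable across SPs.
    Construction assumed here (salted hash over SP, IdP and local user id); it is not
    claimed to match byte-for-byte what any particular IdP implementation emits."""
    material = f"{sp_entity_id}!{idp_entity_id}!{local_id}!{salt}".encode()
    return base64.b64encode(hashlib.sha256(material).digest()).decode()


if __name__ == "__main__":
    issuer, raw = parse_attributes(SAMPLE)
    attrs, dropped = filter_scoped(issuer, raw)
    print("dropped:", dropped)
    print("licensed content (member):", authorise(attrs, affiliations={"member"}))
    print("teaching-only tool (faculty):", authorise(attrs, affiliations={"faculty"}))
```

The scope filter is the part that matters for a federation: without it, any IdP in the federation could assert `member@example.ie` for its own users and obtain whatever that scope is licensed for. In a Shibboleth SP deployment the same decision is expressed in Apache configuration rather than code, for example `Require shib-attr affiliation member@example.ie`, with the scope check done by the SP's attribute filter from metadata.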