UNI-Login - a national single sign on solution


UNI-login
– a national educational single sign on solution
Standards and Interoperability
Expert workshop 4.2
February 26th, 2009
Michael Viskum
UNI•C
Denmark's IT-Centre for Education and Research
• UNI•C, The Danish IT Centre for Education and
Research, offers a broad spectrum of ICT services for the
educational and research community, and more than 500,000
users are in frequent contact with UNI•C’s products and IT
services.
• UNI•C is an agency to the Danish Ministry of Education.
Our core competencies are comprehensive IT solutions for the
educational sector
- right from the technical connection to pedagogical tools.
• UNI•C has around 300 employees at 3 locations in Denmark.
UNI•C’s services to education
• Sektornet - including e.g. security solutions
• UNI•Login
• Educational websites (EMU and its many services)
• Intranet / local learning environments
• Professional development of teachers in the field of ICT integration in education
• Pupils’ ICT licence
• Administrative systems
• Statistics and analyses for the Ministry of Education
• Hosting and facility management
• The Danish Research Network
• IT - Security (e.g. DK•CERT)
• International collaboration
UNI-Login – a Single Sign On Vision
• To provide a unified login for all IT-services in the Danish
educational sector.
• The current goal is to build a national authentication and
authorization framework and provide unified login for web-based services.
Towards UNI-Login
[Timeline figure. Year axis: 1995, 1997, 1999, 2001, 2003, 2005, 2007, 2009. Users axis: 250.000, 500.000, 700.000, 800.000.]
Milestones, in the order shown:
• SkoDa and SkoleKom services adapted by UNI-C
• UNI•C central user database HUGO was founded
• UNI-Login was born (Single login only)
• UNI-Login as a general SSO service
• Extended integration with various systems
SkoDa – database service for schools in Denmark
SkoleKom – mail and conferencing system for schools in Denmark
HUGO – UNI•C's central user database
HUGO – Central user database
• Centralized user administration for the Danish educational sector.
• Delegated administration ensures quality of data.
• Forms the immediate basis for authentication and authorization control
for the unified login
• 2.600 primary and secondary schools
• 2.600 other institutions (Vocational schools, publishers, museums,
municipalities, ministries, etc.)
• 740.000 children/students
• 91.000 teachers/employees
First step: Single Login
• HUGO populates a central LDAP-database with
passwords and access rights (service codes).
• Provides the authentication and authorization service
called Single Login.
• Users must log in to each service.
• Basic access rights: user groups
• Advanced access rights: service codes
Single Sign-On – Pubcookie solution
• Solution at UNI-C is based on Pubcookie from University
of Washington. (www.pubcookie.org)
• A central login server.
• Cookies and passwords are protected by SSL and host
domains.
• No browser extensions required.
• Platform neutral, both on client and server side.
• Plug-in modules available for Apache and IIS webservers.
Integration of external applications
• In some cases it is not possible or desirable to use
Pubcookie directly with a given application (SSL not
wanted, external DNS domain).
• UNI-C has developed an SSO proxy solution.
• Authentication info is communicated in a short-lived URL-encoded fingerprint.
• Security model is based on a shared secret.
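
Added example (not UNI-C's code; the slides do not say how the fingerprint is built): one way a proxy can issue a short-lived, URL-encoded fingerprint from a shared secret and a provider can check it. HMAC-SHA256, the parameter names `user`, `ts` and `fp`, the 60-second lifetime and the replay cache are assumptions made for illustration.

```python
import hashlib
import hmac
import time
from urllib.parse import urlencode, urlsplit, parse_qs

MAX_AGE = 60  # seconds a fingerprint stays valid (assumed value)


def _mac(secret, user, ts):
    # Length-prefix the user ID so the user/timestamp boundary is unambiguous.
    msg = f"{len(user)}:{user}:{ts}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def build_redirect(base_url, user, secret, now=None):
    """Proxy side: append user, timestamp and fingerprint to the provider URL."""
    ts = str(int(time.time() if now is None else now))
    query = urlencode({"user": user, "ts": ts, "fp": _mac(secret, user, ts)})
    return f"{base_url}?{query}"


def verify_redirect(url, secret, seen, now=None):
    """Provider side: return the user ID, or None if the request is rejected."""
    params = parse_qs(urlsplit(url).query)
    try:
        user, ts, fp = params["user"][0], params["ts"][0], params["fp"][0]
        issued = int(ts)
    except (KeyError, ValueError):
        return None  # missing or malformed parameter
    expected = _mac(secret, user, ts)
    # Constant-time comparison; bytes avoid a TypeError on non-ASCII input.
    if not hmac.compare_digest(expected.encode(), fp.encode()):
        return None  # wrong secret, or user/timestamp was altered
    now = time.time() if now is None else now
    if not 0 <= now - issued <= MAX_AGE:
        return None  # expired, or timestamp lies in the future
    if fp in seen:
        return None  # already used once inside its lifetime
    seen.add(fp)
    return user
```

The MAC is checked before the timestamp so that only authentic values are ever interpreted; the `seen` set would need expiry and shared storage in a multi-server deployment.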
Overview
[Flowchart figure. Elements shown:]
• Provider's web-based service
• Provider's web-based log on page (UserID, Log on)
• Decision: Already logged on? (Yes / No)
• SSO Proxy
• UNI•Login's log on page
• Decision: Do userID and password match? (Yes / No)
• Infotjenesten (a set of well defined webservices)
• Data labels: UserID, School, Name, Class, etc.
Workflow
UNI-Login – what can it be used for?
More than 800.000 administrators, teachers and students have a unique id
and password:
• All children and teachers in the primary schools
• All publishers of educational content in Denmark
• All museums
• Many students and teachers in other educational institutions
The UNI-Login gives access to:
• national tests by the ministry,
• online subscriptions by private publishers,
• video streaming from the National Broadcasting Company (DR),
• local intranets at school level,
• local network access at schools and
• all services at UNI-C.
[Diagram: UNI-Login and the services it gives access to]
• EMU and other services from UNI-C
• Private publishers
• Local intranets at schools
• Video streaming (DR)
• National tests
• Optagelse.dk
• Other content providers
• Local network access at schools
External UNI-Login applications
• abc.dk - [http://abc.gyldendal.dk/]
• Aschehougs Leksikon - [http://www.ashleks.dk/]
• Danske dyr - [http://danske-dyr.dk/]
• Dansk Historie - [http://danskhistorie.dk/]
• Ekstra Bladet Skole - [http://ekstrabladet.dk/skole]
• Elevplaner - [http://elevplan.mikrov.dk/]
• Elevunivers - [http://elevunivers.dk/]
• Evaluerings System - [http://www.evalueringssystem.dk/]
• Forlag Malling Beck, Materialehylden - [http://www.materialehylden.dk/]
• Forlag Malling Beck, MPO - [http://www.mpo.matematik.dk/]
• Forlag Malling Beck, Vækstpunkter - [https://vpunkt.emu.dk/vpunkt/WStartPage.aspx]
• Filmstriben - [http://www.filmstriben.dk/skole/]
• FriLaesning.dk - [http://frilaesning.dk/]
• Hval - [http://hval.dk/]
• Matematikkens Univers - [http://www.matematikkensunivers.dk/]
• Mingoville - [http://www.dk.mingoville.com/]
• Praktik+ - [http://www.pplus.dk/]
• Skole - [http://dr.dk/skole]
• Skolegloben - [http://www.skolegloben.dk/]
• SkoleIntra - [http://skoleintra.dk/]
• Skolenetværket - [http://secure.skolenetvaerket.dk/]
• Trafiktjekket - [http://trafiktjekket.dk/]
• UddannelsesGuiden - [http://ug.dk/]
• Undervisningsbanken - [http://www.undervisningsbanken.dk/]
• It’s Learning VLE
• SkoleIntra
Next steps
• Improved synchronization of data between HUGO/Data
store and external applications
• Integration of more external applications.
• Development of a more sophisticated logout model for
SSO.
Summary
• With UNI-Login, UNI-C has deployed a web-based SSO
infrastructure for the educational sector.
• Most of our own web-based services are using UNI-Login.
• Made possible by the central HUGO user database with
delegated administration.
• Has been widely accepted by the educational sector.