The KUSP Project Kent University Shibbolized Portal Bonnie Ferguson


The KUSP Project
Kent University Shibbolized Portal
Bonnie Ferguson
[email protected]
www.kent.ac.uk
Introduction
• Current situation - Athens
• Federated Access Management
• Shibboleth
• Federations
• KUSP project
• Shibboleth Demo
Current situation
• Athens accounts are needed to access many resources
• Institutions must create and manage accounts
• Duplicates some user information
• Different usernames and passwords
• AthensDA allows accounts to be handled locally
• Move towards sharing resources… Jorum, etc.
Athens
• JISC currently subsidise Athens – free to Universities
• July 2008 - JISC withdraws Athens subsidies
• OpenAthens will be available but at a charge (£800 to £9500 per year, depending on institutional size)
• JISC will fund FAM as replacement
http://www.jisc.ac.uk/publications/publications/pub_shibboleth.aspx
Services using Athens
• Most Athens services should adopt Shibboleth by July 2008.
• Shibboleth-Athens and Athens-Shibboleth Gateways to bridge the gap.
http://www.jisc.ac.uk/publications/publications/pub_shibboleth.aspx
What is Federated Access Management (FAM)?
• Next generation access-management system
• FAM builds a trust relationship between Identity Providers and Service Providers.
• Authentication is devolved to a user’s home institution.
• Attributes about the user (including roles) can be exchanged.
http://www.jisc.ac.uk/news/stories/2006/03/access_qanda.aspx
Federated Access Management
http://www.switch.ch/aai/about/introduction/
Benefits (1)
• User registers only once – with home institution
• Reduces time needed to manage multiple user accounts
• New tools for managing licenses and service subscriptions.
http://www.switch.ch/aai/about/introduction/
http://www.jisc.ac.uk/news/stories/2006/03/access_qanda.aspx
Benefits (2)
• Users won’t have to remember additional usernames and passwords.
• Simplified authentication process may lead to increased use of subscribed services.
• Interoperable with other SAML-based software
Where does the word ‘Shibboleth’ come from?
• The word comes from the Old Testament (Judges 12:16).
• Two groups from different sides of the river Jordan who had different accents. One pronounced the ‘sh’ sound as ‘si’.
• To separate friend from foe, those crossing the river were asked to pronounce the word ‘shibboleth’ (it means an ear of corn).
• According to the bible, the 42,000 who pronounced it ‘sibboleth’ were killed.
It’s also a band…
http://www.goshibbolethgo.com
But seriously, folks….
• A technology that enables FAM.
• Functionality of Athens DA
• Standards based - SAML (Security Assertion Markup Language)
• Open source middleware software
• Privacy-preserving
http://shibboleth.internet2.edu/
Shibboleth Architecture
Federation
Identity Provider
Service Provider
http://www.switch.ch/aai/about/introduction/
Shibboleth Identity Provider (IdP)
• Uses institutional user database
• Provides authentication
• Sends user attributes
• (aka Shibboleth Origin)
Shibboleth Service Provider (SP)
• Shibboleth module protects web-based applications
• Intercepts HTTP requests and redirects to WAYF (or a specific Identity Provider) for authentication
• Receives ticket/cookie
• Optional additional call for attributes
• (aka Shibboleth Target)
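To make the "ticket" and the "optional additional call for attributes" on this slide concrete, here is an added example (not from the original slides and not the Shibboleth project's own files) of the two SAML 1.1 assertions a Shibboleth 1.3 IdP issues: the authentication assertion that reaches the SP through the browser, and the attribute assertion the SP fetches afterwards over the back channel. Assertion IDs, hostnames, timestamps, the handle and the attribute values are all constructed. The security point is that the subject is an opaque, short-lived handle rather than the username, so the SP learns only what the IdP's attribute release policy lets it see.

```xml
<!-- Added example (not part of the KUSP slides). Two SAML 1.1 assertions of the shape a
     Shibboleth 1.3 IdP issues; IDs, times, hosts, handle and values are constructed. -->

<!-- 1. Authentication assertion: carried through the user's browser to the SP after the
        WAYF/IdP redirect. The IdP signs the enclosing Response (signature omitted here). -->
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
                MajorVersion="1" MinorVersion="1"
                AssertionID="_constructed-authn-assertion-id"
                Issuer="https://idp.example.ac.uk/shibboleth"
                IssueInstant="2007-03-01T10:00:00Z">
  <!-- A short validity window limits replay of an intercepted assertion -->
  <saml:Conditions NotBefore="2007-03-01T10:00:00Z" NotOnOrAfter="2007-03-01T10:05:00Z">
    <!-- The audience pins the assertion to one SP (its providerId) -->
    <saml:AudienceRestrictionCondition>
      <saml:Audience>https://sp.example.ac.uk/shibboleth</saml:Audience>
    </saml:AudienceRestrictionCondition>
  </saml:Conditions>
  <saml:AuthenticationStatement
      AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
      AuthenticationInstant="2007-03-01T09:59:58Z">
    <saml:Subject>
      <!-- Opaque handle, not the username: the SP cannot identify the user from it -->
      <saml:NameIdentifier Format="urn:mace:shibboleth:1.0:nameIdentifier"
                           NameQualifier="https://idp.example.ac.uk/shibboleth">_constructed-opaque-handle-7f3a</saml:NameIdentifier>
      <saml:SubjectConfirmation>
        <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
      </saml:SubjectConfirmation>
    </saml:Subject>
  </saml:AuthenticationStatement>
</saml:Assertion>

<!-- 2. Attribute assertion: returned to the SP over a mutually authenticated back-channel
        AttributeQuery for the same handle. Which attributes appear is decided by the IdP's
        attribute release policy (arp.site.xml) for this particular SP. -->
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
                MajorVersion="1" MinorVersion="1"
                AssertionID="_constructed-attr-assertion-id"
                Issuer="https://idp.example.ac.uk/shibboleth"
                IssueInstant="2007-03-01T10:00:01Z">
  <saml:AttributeStatement>
    <saml:Subject>
      <saml:NameIdentifier Format="urn:mace:shibboleth:1.0:nameIdentifier"
                           NameQualifier="https://idp.example.ac.uk/shibboleth">_constructed-opaque-handle-7f3a</saml:NameIdentifier>
    </saml:Subject>
    <!-- A role attribute: enough to answer "is this a member of staff?" without a username -->
    <saml:Attribute AttributeName="urn:mace:dir:attribute-def:eduPersonScopedAffiliation"
                    AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri">
      <saml:AttributeValue Scope="example.ac.uk">staff</saml:AttributeValue>
    </saml:Attribute>
    <!-- Per-SP persistent identifier: a stable key for this SP only, still not a login name -->
    <saml:Attribute AttributeName="urn:mace:dir:attribute-def:eduPersonTargetedID"
                    AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri">
      <saml:AttributeValue>_constructed-targeted-id-for-this-sp</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
```

The SP's attribute acceptance policy (aap.xml, covered on the Service Provider configuration slides) then decides which of these attributes it will accept and whether the Scope is one this IdP is entitled to assert; the handle itself tells the portal nothing about who the user is unless the IdP also releases a principal name.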
What is a Federation?
• A federation is a group of institutions and organisations that sign up to an agreed set of policies for exchanging information about users and resources to enable access and use of resources and services.
• Organisations that use Shibboleth to access resources must join or create a federation.
http://www.jisc.ac.uk/whatwedo/themes/access_management/federation/shibboleth.aspx
http://en.wikipedia.org/wiki/United_Federation_of_Planets
Federations
• WAYF (Where are you from?) service
• UK Access Federation (http://www.ukfederation.org.uk/)
https://spaces.internet2.edu/display/SHIB/ShibbolethFederations
Joining the UK Access Federation
• Apply in writing
• Signed by Executive Liaison
• Management Liaison must be named
• Agree to be bound by the federation’s Rules of Membership
http://www.ukfederation.org.uk/
The KUSP Project
• Funded by the JISC Core Middleware Infrastructure Early Adopter programme
• January 2006 – March 2007
• 1 Developer full time for 1 year
What can Shibboleth do for us?
• Athens replacement
• Single Sign on solution?
• Manage authentication for both internal and external applications?
The KUSP Project - Aims
• Creating a new Shibboleth infrastructure for the University of Kent
• Building a Shibbolized portal and VLE with Single Sign-on (SSO)
• Investigate PrivilEge and Role Management Infrastructure Standards (PERMIS) for portal authorisation
• Pushing the envelope
• Providing support to the partners in the University of Medway project to adopt Shibboleth
Shibboleth Test Environment
• Shibboleth Identity Provider
• Connect to University LDAP
• Shibboleth Service Provider
• Protecting Static Web pages
• Join InQueue Test Federation
Shibboleth – Where to start?
• Shibboleth Software is free and Open Source
• Help is available!
• Shibboleth Wiki (https://spaces.internet2.edu/display/SHIB/)
• MATU Installation guides (http://www.matu.ac.uk/docs/)
• Mailing lists ([email protected])
Purchases
• Two Sun servers, running Solaris 9
• Shibboleth Identity Provider
• Shibboleth Service Provider
• Licenses for:
• WebCT Powerlinks SDK
• WebCT developers network
Identity Provider - Software
• Software comes packaged as a Java .war file.
• We installed it on:
• Solaris OS
• Apache Tomcat
• Apache Web Server
• mod_jk
Identity Provider - Configuration
• The configuration is stored in several XML files in /usr/local/shibboleth-idp/etc by default:
• idp.xml - Main configuration file contains providerId, information about the federation and links to other configuration files
• resolver.ldap.xml - Connection parameters for LDAP and list of attributes to retrieve
• arp.site.xml - Attribute release policy - list of attributes. Can be configured to release different sets of attributes to different applications.
• metadata.xml - holds metadata for all the IdPs and SPs in the federation and the SSL certificate chain. Must be updated regularly!
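As an added illustration of the "different sets of attributes to different applications" point about arp.site.xml (this is not the KUSP project's own policy file; it assumes the Shibboleth 1.3 IdP ARP schema, and the SP providerIds and entitlement value are constructed), the policy below releases only a role to the federation at large, releases the login name and one specific entitlement to the institution's own portal SP, and explicitly withholds the login name from a publisher's SP. Check the element names against the arp.site.xml shipped with the IdP before adapting it.

```xml
<!-- Added example (not the KUSP project's own arp.site.xml). Assumes the Shibboleth 1.3
     IdP ARP schema (urn:mace:shibboleth:arp:1.0); providerIds and values are constructed. -->
<AttributeReleasePolicy xmlns="urn:mace:shibboleth:arp:1.0">
  <Description>Site policy: release the minimum each service needs</Description>

  <!-- Rule 1: every SP in the federation may learn the user's affiliation (a role),
       but nothing that identifies the person -->
  <Rule>
    <Target>
      <AnyTarget/>
    </Target>
    <Attribute name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation">
      <AnyValue release="permit"/>
    </Attribute>
  </Rule>

  <!-- Rule 2: only the institution's own portal SP receives the login name
       (eduPersonPrincipalName), because it has to map users to local accounts -->
  <Rule>
    <Target>
      <Requester>https://sp.example.ac.uk/shibboleth</Requester>
    </Target>
    <Attribute name="urn:mace:dir:attribute-def:eduPersonPrincipalName">
      <AnyValue release="permit"/>
    </Attribute>
    <Attribute name="urn:mace:dir:attribute-def:eduPersonEntitlement">
      <!-- release one named value only, not every entitlement the user holds -->
      <Value release="permit">urn:mace:example.ac.uk:entitlement:portal-user</Value>
    </Attribute>
  </Rule>

  <!-- Rule 3: an explicit deny takes precedence over any permit in the ARP engine, so a
       publisher's SP never sees the principal name even if a broader rule would release it -->
  <Rule>
    <Target>
      <Requester>https://content.example-publisher.com/shibboleth</Requester>
    </Target>
    <Attribute name="urn:mace:dir:attribute-def:eduPersonPrincipalName">
      <AnyValue release="deny"/>
    </Attribute>
  </Rule>
</AttributeReleasePolicy>
```

The attributes named in each `Attribute` element must also be defined in resolver.ldap.xml, and a `Requester` value must match the SP's providerId exactly as it appears in metadata.xml; a mismatch silently releases nothing, which is the safe failure mode but a common source of "no attributes arrived" tickets.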
Service Provider
• Shibboleth does not provide its own authentication mechanism (out of scope for Shibboleth). It can be paired with a range of authentication systems:
• Apache <Location> directives in httpd.conf (e.g. simple HTML page)
• JAAS module - for dynamic web applications like WebCT or uPortal that use the attributes of the user to display information
• Yale CAS (Central Authentication Service)
http://shibboleth.internet2.edu/docs/draft-internet2-shibboleth-requirements-01.html
Service Providers – One or Many?
• SAML SSO is an end to end protocol between one SP and one IdP.
• If you are Shibbolizing multiple applications (like uPortal and WebCT), each one requires its own Service Provider.
• However, Guanxi takes a different approach by allowing a single Shibboleth SP for an institution with associated ‘guards’ for each application.
Service Provider - Configuration
Configuration files in /opt/shibboleth-sp/etc/shibboleth
• shibboleth.xml - main configuration file with Federation information, SSL certificate, RequestMap of all applications being protected with parameters
• aap.xml - attribute acceptance policy - can set rules about the attributes you accept
• metadata.xml – same as identity provider
Service Provider - Configuration
• 2 files work together to provide Shibboleth protection to web resources:
• httpd.conf <Location> block
• Shibboleth.xml <RequestMap> elements
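An added example of how the two files divide the work (this is an excerpt written for this page, not the KUSP project's own shibboleth.xml; it assumes the Shibboleth 1.3 SP configuration schema, and the hostname, paths, application ids and providerIds are constructed). With the native request-map provider used under Apache, httpd.conf decides whether a path is protected at all, while the RequestMap decides which application settings apply to it. Elements a complete shibboleth.xml also needs (credentials, metadata providers, the SHIRE/SHAR sections) are left out.

```xml
<!-- Added example (excerpt, not the KUSP project's own shibboleth.xml). Assumes the
     Shibboleth 1.3 SP schema; hostnames, paths, ids and providerIds are constructed. -->
<SPConfig xmlns="urn:mace:shibboleth:target:config:1.0">

  <!-- Native provider: httpd.conf <Location> blocks switch protection on; the RequestMap
       attaches per-path settings (application id, session requirement) to those paths -->
  <RequestMapProvider type="edu.internet2.middleware.shibboleth.sp.provider.NativeRequestMapProvider">
    <RequestMap applicationId="default">
      <Host name="sp.example.ac.uk">
        <!-- Static pages: any federation user with a valid session is enough -->
        <Path name="secure" authType="shibboleth" requireSession="true"/>
        <!-- The portal is a separate "application" so it can carry its own providerId
             (and therefore its own ARP rules at the IdP) and its own session policy -->
        <Path name="uPortal" applicationId="portal"
              authType="shibboleth" requireSession="true"/>
      </Host>
    </RequestMap>
  </RequestMapProvider>

  <Applications id="default" providerId="https://sp.example.ac.uk/shibboleth">
    <!-- checkAddress binds the session to the client address; cookieProps marks the
         session cookie Secure so it is never sent over plain HTTP -->
    <Sessions lifetime="7200" timeout="3600" checkAddress="true"
              handlerURL="/Shibboleth.sso" handlerSSL="true"
              cookieProps="; path=/; secure"/>
    <Application id="portal" providerId="https://sp.example.ac.uk/uPortal">
      <!-- shorter idle timeout for the personalised portal than for static pages -->
      <Sessions lifetime="7200" timeout="900" checkAddress="true"
                handlerURL="/Shibboleth.sso" handlerSSL="true"
                cookieProps="; path=/; secure"/>
    </Application>
  </Applications>
</SPConfig>
```

The matching httpd.conf side is a `<Location /secure>` block containing `AuthType shibboleth`, `ShibRequireSession On` and `require valid-user`; for a staff-only area the last line becomes `require affiliation staff@example.ac.uk`, where `affiliation` is the alias that the aap.xml AttributeRule assigns to the scoped-affiliation header. If a path appears in only one of the two files it is either unprotected (RequestMap only) or protected with default-application settings (httpd.conf only), so review both files together when adding a resource.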
Shibbolizing applications – JAAS modules
• uPortal - SpieJaasModule developed by the SPIE project at Oxford University (http://spie.oucs.ox.ac.uk/)
• WebCT – Shibboleth inbound authentication module (http://devnet.webct.com/contrib/authentication/Shibboleth/)
• Many more: Blackboard, DSpace, Plone, EZProxy (https://wiki.internet2.edu/confluence/display/seas/Home)
Java Authentication and Authorization Service (JAAS)
http://devnet.webct.com/docs/ce6_documentation/WebCTVista400_sdk30_programmers_guide_2005_11_30.pdf
Authentication only
• uPortal and WebCT JAAS modules were basic
• Triggered Shibboleth Authentication
• Retrieved the username attribute
• Set as current user in system
• Used inbuilt (uPortal or WebCT) authorisation
PERMIS
• PrivilEge and Role Management Infrastructure Standards
• Authorisation (privilege management) system that complements existing authentication systems.
• PERMIS web interface - write PERMIS policies
PERMIS
• URLs need to be known in advance
• uPortal URLs built on the fly
• http://shibsp.kent.ac.uk/uPortal/tag.f4d450cdb66bf1f5...
• http://shibsp.kent.ac.uk/uPortal/tag.a3a580b2d384e523...
• Would require additional code to handle Authorisation
• Develop JAAS module
• Portal level – to call PERMIS when building portal pages
• Out of scope of KUSP project
Single Sign-On (SSO)
• Specialized form of software authentication that enables a user to authenticate once and gain access to the resources of multiple software systems.
• Kerberos, CAS, CoSIgn, Web-SSO, etc.
http://en.wikipedia.org/wiki/Single_sign-on
SSO - Aims
• Integrate WebCT into portal
• Sign into portal and get dashboard view of WebCT data
SSO - Results
• Shibboleth uses Cookies so SSO happened automatically
Portal Integration
• IFrame
• Session & Display problems
Portal Integration
• Vista MyWebCT portlet
• Used proxy authentication module
• Displayed limited dashboard
Portal Integration
• Home-grown portlet using web services
• Allows fuller dashboard interface
• Best to extend existing portlet
Shibboleth Demo
• http://shibsp.kent.ac.uk/uPortal
Findings - Authn not Authz
• Shibboleth for Authentication not authorization
• Personalised systems like portals and VLEs need to perform three types of user management:
• Authentication
• Authorization/Role management
• Remembering user preferences
• Is it appropriate to externalise this?
• Outside of scope of project to redevelop authorization for personalised system such as portal or VLE
Findings – More potential
• Did not use Shibboleth’s full potential!
• uPortal and WebCT still required user accounts
• uPortal can create these at first login
• Still need to manage these accounts
• Did not use Shibboleth role-based attributes
• Did not use privacy-protecting functionality (always relied on username instead of tickets and roles)
Findings - WebCT
• The WebCT/Shibboleth module was not necessary for the Shibbolized portal
• Proxy module was sufficient since it was only passing a username instead of using the full Shibboleth functionality
Findings - SSO
• Shibboleth can handle SSO for web based applications
• No extra software required (such as CAS)
• Will investigate for future use
Lessons Learned
• Setting up the Shibboleth Identity Provider and Service Provider was relatively straightforward. It is the integration of Shibboleth with existing applications that is much more difficult and time consuming, so leave plenty of time for this in your project plan.
• Keep a Blog or Wiki of the installation procedures, lessons learned and other issues.
• Make contact with other projects as early as possible.
• Join all relevant mailing lists at the beginning of the project and don’t be afraid to ask lots of stupid questions.
Resources
• Shibboleth Wiki (https://spaces.internet2.edu/display/SHIB/)
• MATU Installation guides (http://www.matu.ac.uk/docs/)
• SWITCH Installation guides (http://www.switch.ch/aai/docs/shibboleth/SWITCH/1.3/sp/installsp-1.3-debian.html)
• LSIP project (University of Liverpool) Implementation Documentation (http://www.liv.ac.uk/LSIP/Documentation/DraftShib13ImplementationDocument.html)
• uPortal website http://www.uportal.org
• WebCT (Blackboard) website and developer’s network: http://www.webct.com/ and http://devnet.webct.com/
• SPIE project (Oxford University) http://www.oucs.ox.ac.uk/rts/spie/
• InQueue Shibboleth federation http://inqueue.internet2.edu/
• FEAR project (Reid Kerr College) http://www.reidkerr.ac.uk/fear/docs/ReloadContentPreview.htm
References
• http://shibboleth.internet2.edu
• http://www.jisc.ac.uk/publications/publications/pub_shibboleth.aspx
• http://www.jisc.ac.uk/whatwedo/themes/access_management/federation/shibboleth.aspx
• http://www.switch.ch/aai/about/introduction
• http://www.goshibbolethgo.com
• http://en.wikipedia.org/wiki/United_Federation_of_Planets
• https://spaces.internet2.edu/display/SHIB/ShibbolethFederations
• http://www.ukfederation.org.uk/
• http://shibboleth.internet2.edu/docs/draft-internet2-shibboleth-requirements-01.html
• http://sec.isi.salford.ac.uk/permis/
Any questions?
• http://www.kent.ac.uk/is/kusp
• [email protected]
Discussion
• How long will FAM take to implement?
• How much will it cost?
• What impact on service?
• Changes to training and documentation required?
• Support moved from Library to Computing Service?
• Could OpenAthens be a cheaper option?
• What about non-web based resources?