The KUSP Project

Nov 17, 2013

The KUSP Project

Kent University Shibbolized Portal


Bonnie Ferguson

b.ferguson@kent.ac.uk


‹#›

Introduction


Current situation - Athens


Federated Access Management


Shibboleth


Federations


KUSP project


Shibboleth Demo


‹#›

Current situation


Athens accounts are needed to access many resources


Institutions must create and manage accounts


Duplicates some user information


Different usernames and passwords


AthensDA allows accounts to be handled locally


Move towards sharing resources… Jorum, etc.

‹#›

Athens


JISC currently subsidises Athens (free to universities)


July 2008 - JISC withdraws Athens subsidies


OpenAthens will be available but at a charge (£800-£9500 per year, depending on institutional size)


JISC will fund FAM as replacement




http://www.jisc.ac.uk/publications/publications/pub_shibboleth.aspx

‹#›

Services using Athens


Most Athens services should adopt Shibboleth by July 2008.


Shibboleth-Athens and Athens-Shibboleth gateways to bridge the gap.

http://www.jisc.ac.uk/publications/publications/pub_shibboleth.aspx

‹#›

What is Federated Access Management (FAM)?


Next-generation access-management system


FAM builds a trust relationship between Identity
Providers and Service Providers.




Authentication is devolved to a user’s home institution.


Attributes about the user (including roles) can be
exchanged.

http://www.jisc.ac.uk/news/stories/2006/03/access_qanda.aspx

‹#›

Federated Access Management

http://www.switch.ch/aai/about/introduction/

‹#›

Benefits (1)


User registers only once, with their home institution


Reduces the time needed to manage multiple user accounts


New tools for managing licences and service subscriptions.


http://www.switch.ch/aai/about/introduction/

http://www.jisc.ac.uk/news/stories/2006/03/access_qanda.aspx

‹#›

Benefits (2)


Users won’t have to remember additional usernames and passwords.


A simplified authentication process may lead to increased use of subscribed services.


Interoperable with other SAML-based software



‹#›

Where does the word ‘Shibboleth’ come from?


The word comes from the Old Testament (Judges 12:1-6).


Two groups from opposite sides of the river Jordan had different accents: one could not pronounce the ‘sh’ sound and said ‘s’ instead.


To separate friend from foe, those crossing the river were asked to pronounce the word ‘shibboleth’ (it means an ear of corn).


According to the Bible, the 42,000 who pronounced it ‘sibboleth’ were killed.



‹#›

It’s also a band…

http://www.goshibbolethgo.com


‹#›

But seriously, folks….


A technology that enables FAM.


Provides the functionality of AthensDA


Standards-based: SAML (Security Assertion Markup Language)


Open source middleware software


Privacy-preserving


http://shibboleth.internet2.edu/

‹#›

Shibboleth Architecture

http://www.switch.ch/aai/about/introduction/

Identity

Provider

Service Provider

Federation

‹#›

Shibboleth Identity Provider (IdP)


Uses institutional user database


Provides authentication


Sends user attributes


(aka Shibboleth Origin)

‹#›

Shibboleth Service Provider (SP)


Shibboleth module protects web-based applications


Intercepts HTTP requests and redirects to the WAYF (or a specific Identity Provider) for authentication


Receives the authentication assertion (the ‘ticket’) back via the browser and establishes its own session cookie


Optional additional call to the IdP for attributes


(aka Shibboleth Target)



‹#›

What is a Federation?


A federation is a group of institutions and organisations
that sign up to an agreed set of policies for exchanging
information about users and resources to enable
access and use of resources and services.


Organisations that use Shibboleth to access resources
must join or create a federation.

http://www.jisc.ac.uk/whatwedo/themes/access_management/federation/shibboleth.aspx

http://en.wikipedia.org/wiki/United_Federation_of_Planets

‹#›

Federations


WAYF (Where are you from?) service


UK Access Federation
(
http://www.ukfederation.org.uk/
)



https://spaces.internet2.edu/display/SHIB/ShibbolethFederations

‹#›

Joining the UK Access Federation


Apply in writing


Signed by Executive Liaison


Management Liaison must be named


Agree to be bound by the federation’s Rules of Membership



http://www.ukfederation.org.uk/

‹#›

The KUSP Project


Funded by the JISC Core Middleware Infrastructure
Early Adopter programme


January 2006 to March 2007


One developer, full time for one year



‹#›

What can Shibboleth do for us?


Athens replacement


Single Sign on solution?


Manage authentication for both internal and external
applications?


‹#›

The KUSP Project - Aims


Creating a new Shibboleth infrastructure for the University of Kent


Building a Shibbolized portal and VLE with Single Sign-on (SSO)


Investigate PrivilEge and Role Management Infrastructure Standards (PERMIS) for portal authorisation


Pushing the envelope


Providing support to the partners in the University of Medway project to adopt Shibboleth


‹#›

Shibboleth Test Environment


Shibboleth Identity Provider


Connect to University LDAP


Shibboleth Service Provider


Protecting Static Web pages


Join InQueue Test Federation

‹#›

Shibboleth


Where to start?


Shibboleth Software is free and Open Source


Help is available!


Shibboleth Wiki (https://spaces.internet2.edu/display/SHIB/)


MATU Installation guides (http://www.matu.ac.uk/docs/)


Mailing lists (shibboleth-users@internet2.edu)


‹#›

Purchases


Two Sun servers, running Solaris 9


Shibboleth Identity Provider


Shibboleth Service Provider


Licenses for:


WebCT Powerlinks SDK


WebCT developers network


‹#›

Identity Provider - Software


The software comes packaged as a Java .war file.


We installed it on:


Solaris OS


Apache Tomcat


Apache Web Server


mod_jk



‹#›

Identity Provider - Configuration


The configuration is stored in several XML files, in /usr/local/shibboleth-idp/etc by default:


idp.xml - main configuration file; contains the providerId, information about the federation and links to the other configuration files


resolver.ldap.xml - connection parameters for LDAP and the list of attributes to retrieve


arp.site.xml - attribute release policy: the list of attributes to release. Can be configured to release different sets of attributes to different applications (requesters), so each SP receives only what it needs.


metadata.xml - holds the metadata for all the IdPs and SPs in the federation, including their endpoints and the certificates (and CA chain) used to trust them. It is the trust root for the federation, so it must be refreshed regularly, and the federation’s signature on it should be verified before each refresh is installed.
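As an added example (not the KUSP project’s file and not the distribution’s default), an arp.site.xml for a 1.3 IdP that shows the release decision per requester: a coarse attribute goes to every SP, while the identifying name and a single entitlement value go only to the portal’s own SP. The SP providerId https://shibsp.kent.ac.uk/shibboleth and the entitlement value are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example arp.site.xml for a Shibboleth 1.3 IdP (not the KUSP file).
     Assumed: the SP providerId https://shibsp.kent.ac.uk/shibboleth and the
     entitlement value urn:mace:kent.ac.uk:portal:user. -->
<AttributeReleasePolicy xmlns="urn:mace:shibboleth:arp:1.0">

    <Description>Release the minimum each requester needs.</Description>

    <!-- Rule 1 (broad, like the shipped default): a coarse, non-identifying
         affiliation may go to any SP in the federation. -->
    <Rule>
        <Target>
            <AnyTarget/>
        </Target>
        <Attribute name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation">
            <AnyValue release="permit"/>
        </Attribute>
    </Rule>

    <!-- Rule 2 (narrow): the identifying name that the portal's JAAS module
         maps to a local account is released only to the portal's own SP,
         matched on its providerId. No other requester ever sees it. -->
    <Rule>
        <Target>
            <Requester>https://shibsp.kent.ac.uk/shibboleth</Requester>
        </Target>
        <Attribute name="urn:mace:dir:attribute-def:eduPersonPrincipalName">
            <AnyValue release="permit"/>
        </Attribute>
        <!-- Value-level control: of the user's entitlements only the one the
             portal acts on is released; the rest stay at the IdP. -->
        <Attribute name="urn:mace:dir:attribute-def:eduPersonEntitlement">
            <Value release="permit">urn:mace:kent.ac.uk:portal:user</Value>
        </Attribute>
    </Rule>
</AttributeReleasePolicy>
```

The ARP is default-deny: an attribute that no rule permits for a given requester is not released, so an SP absent from every Target simply receives an empty attribute set. When adding an SP, write its rule before pointing users at it and check with a test login that the SP receives exactly the attributes listed and nothing more.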


‹#›

Service Provider


Shibboleth does not provide its own user-authentication mechanism (out of scope for Shibboleth): the IdP relies on the web server or container to authenticate the user. It can be paired with a range of authentication systems and application hooks:


Apache <Location> directives in httpd.conf (e.g. for a simple HTML page)


JAAS module - for dynamic web applications like WebCT or uPortal that use the attributes of the user to display information


Yale CAS (Central Authentication Service)


http://shibboleth.internet2.edu/docs/draft-internet2-shibboleth-requirements-01.html

‹#›

Service Providers


One or Many?


SAML SSO is an end-to-end protocol between one SP and one IdP.


If you are Shibbolizing multiple applications (like uPortal and WebCT), each one requires its own Service Provider.


However, Guanxi takes a different approach by
allowing a single Shibboleth SP for an institution with
associated ‘guards’ for each application.

‹#›

Service Provider - Configuration

Configuration files in /opt/shibboleth-sp/etc/shibboleth


shibboleth.xml - main configuration file, with federation information, the SSL certificate and key, and a RequestMap of all applications being protected with their parameters


aap.xml - attribute acceptance policy: sets rules about which attributes (and which values, from which IdPs) you accept


metadata.xml - same as for the identity provider
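An added example of an aap.xml for the 1.3 SP (not the project’s file). It shows the two checks the acceptance policy performs before an attribute reaches the application, value whitelisting and scope checking, plus a per-IdP rule. Header and Alias names follow the distribution’s defaults; the IdP providerId in the SiteRule and the entitlement value are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example aap.xml for a Shibboleth 1.3 SP (not the KUSP file).
     Assumed: the IdP providerId in the SiteRule and the entitlement value;
     Header/Alias names follow the distribution's defaults. -->
<AttributeAcceptancePolicy xmlns="urn:mace:shibboleth:1.0">

    <!-- Scoped="true": the SP splits value@scope and keeps the value only if
         the asserting IdP is registered for that scope in metadata.xml.
         Without it, any IdP in the federation could assert staff@kent.ac.uk. -->
    <AttributeRule Name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation"
                   Scoped="true"
                   Header="Shib-EP-Affiliation" Alias="affiliation">
        <AnySite>
            <!-- Value whitelist: anything outside the controlled vocabulary is
                 dropped before the application sees the header. -->
            <Value Type="regexp">^[Mm][Ee][Mm][Bb][Ee][Rr]$</Value>
            <Value Type="regexp">^[Ss][Tt][Aa][Ff][Ff]$</Value>
            <Value Type="regexp">^[Ss][Tt][Uu][Dd][Ee][Nn][Tt]$</Value>
        </AnySite>
    </AttributeRule>

    <!-- The identifier the JAAS module turns into a local username. Scoped as
         well, so jsmith@kent.ac.uk is accepted only from the IdP that owns the
         kent.ac.uk scope. REMOTE_USER is what the web server hands on. -->
    <AttributeRule Name="urn:mace:dir:attribute-def:eduPersonPrincipalName"
                   Scoped="true"
                   Header="REMOTE_USER" Alias="user">
        <AnySite>
            <AnyValue/>
        </AnySite>
    </AttributeRule>

    <!-- Per-IdP rule: a privileged entitlement is accepted from one named IdP
         only; the same value asserted by any other IdP is discarded. -->
    <AttributeRule Name="urn:mace:dir:attribute-def:eduPersonEntitlement"
                   Header="Shib-EP-Entitlement" Alias="entitlement">
        <SiteRule Name="urn:mace:ac.uk:sdss.ac.uk:provider:identity:kent.ac.uk">
            <Value Type="literal">urn:mace:kent.ac.uk:portal:admin</Value>
        </SiteRule>
    </AttributeRule>
</AttributeAcceptancePolicy>
```

An attribute with no AttributeRule is discarded, so the policy fails closed. The scope check depends on the scope list the federation publishes for each IdP in metadata.xml, which is one more reason to keep the metadata current. The application may trust these headers only on requests that actually passed through the SP module: a path outside the RequestMap or <Location> coverage carries whatever headers the client chose to send.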

‹#›

Service Provider - Configuration



Two files work together to provide Shibboleth protection to web resources:


httpd.conf <Location> block


shibboleth.xml <RequestMap> elements
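An added example (not the project’s shibboleth.xml) of the <RequestMap> half of the pair, as it would sit inside shibboleth.xml for SP 1.3. The host is taken from the demo URL on the page; the path names and the lazy-session path are assumptions.

```xml
<!-- Added example: the <RequestMap> side of the pair for SP 1.3 (not the
     KUSP file). Host taken from the demo URL on the page; the path names and
     the lazy-session path are assumptions. -->
<RequestMapProvider type="edu.internet2.middleware.shibboleth.sp.provider.NativeRequestMapProvider">
    <RequestMap applicationId="default">
        <Host name="shibsp.kent.ac.uk">

            <!-- Everything under /uPortal needs a Shibboleth session:
                 unauthenticated requests are redirected to the WAYF. -->
            <Path name="uPortal" authType="shibboleth" requireSession="true"/>

            <!-- Lazy session: the SP is active so that a login link can start
                 SSO, but nothing under /public is protected. Put a resource
                 here by mistake and it is world-readable. -->
            <Path name="public" authType="shibboleth" requireSession="false"/>
        </Host>
    </RequestMap>
</RequestMapProvider>
```

The matching httpd.conf half for the first path is a `<Location /uPortal>` block containing `AuthType shibboleth`, `ShibRequireSession On` and `require valid-user`. Keep the two in step (a Path with requireSession="true" but no Location block, or the reverse, is where gaps appear) and verify coverage the way a user would: fetch each URL under the protected prefix from a browser with no session and confirm that every one redirects to the WAYF rather than serving content.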


‹#›

Shibbolizing applications


JAAS modules


uPortal - SpieJaasModule developed by the SPIE project at Oxford University (http://spie.oucs.ox.ac.uk/)


WebCT - Shibboleth inbound authentication module (http://devnet.webct.com/contrib/authentication/Shibboleth/)


Many more: Blackboard, DSpace, Plone, EZproxy (https://wiki.internet2.edu/confluence/display/seas/Home)


‹#›

Java Authentication and Authorization Service (JAAS)


http://devnet.webct.com/docs/ce6_documentation/WebCTVista400_sdk30_programmers_guide_2005_11_30.pdf

‹#›

Authentication only


The uPortal and WebCT JAAS modules were basic:


Triggered Shibboleth authentication


Retrieved the username attribute


Set it as the current user in the system


Used the inbuilt (uPortal or WebCT) authorisation

‹#›

PERMIS


PrivilEge and Role Management Infrastructure
Standards


Authorisation (privilege management) system that
complements existing authentication systems.


PERMIS web interface for writing PERMIS policies


‹#›

PERMIS


URLs need to be known in advance


uPortal URLs are built on the fly:


http://shibsp.kent.ac.uk/uPortal/tag.f4d450cdb66bf1f5...


http://shibsp.kent.ac.uk/uPortal/tag.a3a580b2d384e523...


Would require additional code to handle authorisation: develop a portal-level JAAS module to call PERMIS when building portal pages


Out of scope of the KUSP project

‹#›

Single Sign-On (SSO)


Specialized form of software authentication that enables a user to authenticate once and gain access to the resources of multiple software systems.


Kerberos, CAS, Cosign, Web-SSO, etc.

http://en.wikipedia.org/wiki/Single_sign-on

‹#›

SSO - Aims


Integrate WebCT into the portal


Sign into the portal and get a dashboard view of WebCT data

‹#›

SSO - Results


Shibboleth uses cookies (the IdP’s session cookie), so SSO across the Shibbolized applications happened automatically. Each SP keeps its own session cookie as well, so logging out of one application does not end the IdP session or the sessions at the other SPs.


‹#›

Portal Integration


IFrame


Session & Display problems

‹#›

Portal Integration


Vista MyWebCT portlet


Used proxy authentication module


Displayed limited dashboard

‹#›

Portal Integration


Home-grown portlet using web services


Allows fuller dashboard interface


Best to extend existing portlet

‹#›

Shibboleth Demo


http://shibsp.kent.ac.uk/uPortal

‹#›

Findings - Authn not Authz


Shibboleth for authentication, not authorization


Personalised systems like portals and VLEs need to perform three types of user management:


Authentication


Authorization/role management


Remembering user preferences


Is it appropriate to externalise this?


Outside the scope of the project to redevelop authorization for a personalised system such as a portal or VLE


‹#›

Findings


More potential


Did not use Shibboleth’s full potential!


uPortal and WebCT still required user accounts


uPortal can create these at first login


Still need to manage these accounts


Did not use Shibboleth role-based attributes


Did not use the privacy-protecting functionality: always relied on the username instead of opaque handles (tickets) and roles




‹#›

Findings - WebCT


The WebCT/Shibboleth module was not necessary for the Shibbolized portal


The proxy module was sufficient, since the portal was only passing a username instead of using the full Shibboleth functionality. Whatever carries that username to WebCT is then the only thing standing between a client and any account, so it must be accepted only from the portal, never directly from the browser.

‹#›

Findings - SSO



Shibboleth can handle SSO for web-based applications


No extra software required (such as CAS)


Will investigate for future use



‹#›

Lessons Learned


Setting up the Shibboleth Identity provider and Service
Provider was relatively straightforward. It is the
integration of Shibboleth with existing applications that
is much more difficult and time consuming, so leave
plenty of time for this in your project plan.


Keep a Blog or Wiki of the installation procedures,
lessons learned and other issues.


Make contact with other projects as early as possible.


Join all relevant mailing lists at the beginning of the
project and don’t be afraid to ask lots of stupid
questions.

‹#›

Resources


Shibboleth Wiki (https://spaces.internet2.edu/display/SHIB/)


MATU Installation guides (http://www.matu.ac.uk/docs/)


SWITCH Installation guides (http://www.switch.ch/aai/docs/shibboleth/SWITCH/1.3/sp/install-sp-1.3-debian.html)


LSIP project (University of Liverpool) Implementation Documentation (http://www.liv.ac.uk/LSIP/Documentation/DraftShib13ImplementationDocument.html)


uPortal website: http://www.uportal.org


WebCT (Blackboard) website and developer’s network: http://www.webct.com/ and http://devnet.webct.com/


SPIE project (Oxford University): http://www.oucs.ox.ac.uk/rts/spie/


InQueue Shibboleth federation: http://inqueue.internet2.edu/


FEAR project (Reid Kerr College): http://www.reidkerr.ac.uk/fear/docs/ReloadContentPreview.htm


‹#›

References


http://shibboleth.internet2.edu


http://www.jisc.ac.uk/publications/publications/pub_shibboleth.aspx


http://www.jisc.ac.uk/whatwedo/themes/access_management/federation/shibboleth.aspx


http://www.switch.ch/aai/about/introduction


http://www.goshibbolethgo.com


http://en.wikipedia.org/wiki/United_Federation_of_Planets


https://spaces.internet2.edu/display/SHIB/ShibbolethFederations


http://www.ukfederation.org.uk/


http://shibboleth.internet2.edu/docs/draft-internet2-shibboleth-requirements-01.html


http://sec.isi.salford.ac.uk/permis/


‹#›

Any questions?


http://www.kent.ac.uk/is/kusp


b.ferguson@kent.ac.uk

‹#›

Discussion


How long will FAM take to implement?


How much will it cost?


What impact on service?


Changes to training and documentation required?


Support moved from Library to Computing Service?


Could OpenAthens be a cheaper option?


What about non-web-based resources?