Preparing for a Shibbolized World - PowerPoint PPT Presentation

1
Preparing for a Shibbolized World
  • Fiona Culloch, EDINA
  • http://sdss.ac.uk
  • JISC Joint Programme Meeting 7-8 July 2005

2
Talk overview
  • Shibboleth is here in the UK and growing
  • JISC Core Middleware Programme is enabling a
    critical mass of Shibbolized resources. EDINA is
    doing part of that work -- status report.
  • Shibboleth uses local institutional identities to
    access national resources. What are the
    implications for your institution?

3
EDINA's role
  • Host UK national data services
  • JISC Information Environment components
      • bibliographic abstracts and indexes
      • geographic data
      • L&T resources
      • multimedia resources
      • curation and preservation
  • Based at Edinburgh but nationally funded by JISC
  • Previous JISC AAA projects on X.509 client
    certificates and Shibboleth (TIES)

4
Current EDINA services
  • Geographic and mapping
      • Digimap (Ordnance Survey data)
      • UKBORDERS (boundary info)
  • Multi-media
      • Education Image Gallery (Getty Images)
      • Education Media Online (films from Imperial War
        Museum etc.)
  • History
      • Index to The Times, 1790-1980

5
Bibliographic data
  • Agriculture and life sciences: AGDEX, BIOSIS,
    CAB Abstracts, UPDATE
  • Engineering: Inspec
  • Social science: EconLit, PAIS (Politics),
    Statistical Accounts of Scotland 1790s-1830s
  • Library catalogues: SALSER

6
Platforms
  • Multiple enterprise-class Sun SMP systems
  • 16GB RAM each
  • Running Solaris (currently version 2.8)
  • > 10TB mass storage
  • JANET connectivity

7
Current AAA regime
  • Athens (for academic users)
      • Single Sign-On (SSO) between EDINA and other
        Athens SSO resources
  • Local password file (commercial users)
  • Browser user sees front page with
      • buttons for Athens and local login
      • service status, planned outages
  • Coarse-grained authorisation: most services are
    accessible to all users at institution X, Y

8
Current authorisation
  • Perl CGI script (per service)
  • Common, extensible AAA framework factored out
    into central LoginScript module
  • LoginScript handles local logins directly
  • Or calls Athens Agent Perl API
      • and checks user has Athens resource for this
        service
  • Starts proxy HTTP session on production web
    server (using shared secret)
  • Logs access, both at Athens and in local log files
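The slide says the login script starts a proxy HTTP session on the production web server "using shared secret" but does not show the mechanism. The following is an added example, written in Python rather than the Perl of EDINA's LoginScript and not EDINA's code: it assumes the hand-off is a short-lived ticket binding user, service and expiry under an HMAC keyed with the shared secret, which the production server verifies before it opens the session. The secret value, ticket format and lifetime are constructed for the example.

```python
"""Shared-secret session hand-off between a login script and a production
web server (added example; not EDINA's LoginScript, which is Perl)."""
import hashlib
import hmac
import time
from typing import Optional

# Constructed secret for the example; a deployment would load it from a file
# readable only by the login script and the production server (assumption).
SHARED_SECRET = b"constructed-example-secret"

# Ticket lifetime in seconds: long enough for the browser redirect, short
# enough that a captured ticket stops working almost immediately.
TICKET_TTL = 60


def _tag(payload: str, secret: bytes) -> str:
    """HMAC-SHA256 over the ticket payload, hex-encoded."""
    return hmac.new(secret, payload.encode("utf-8"), hashlib.sha256).hexdigest()


def mint_ticket(user: str, service: str, secret: bytes = SHARED_SECRET,
                now: Optional[float] = None) -> str:
    """Login-script side: bind user, service and expiry under the secret."""
    if "|" in user or "|" in service:
        raise ValueError("ticket fields may not contain the separator")
    expires = int(now if now is not None else time.time()) + TICKET_TTL
    payload = f"{user}|{service}|{expires}"
    return f"{payload}|{_tag(payload, secret)}"


def verify_ticket(ticket: str, service: str, secret: bytes = SHARED_SECRET,
                  now: Optional[float] = None) -> Optional[str]:
    """Production-server side: return the user name if the ticket is genuine,
    issued for this service and unexpired; None otherwise."""
    parts = ticket.split("|")
    if len(parts) != 4:
        return None
    user, svc, expires, tag = parts
    # Check the MAC first, in constant time, before trusting any field.
    if not hmac.compare_digest(tag, _tag(f"{user}|{svc}|{expires}", secret)):
        return None
    if svc != service:
        return None  # minted for a different service
    try:
        exp = int(expires)
    except ValueError:
        return None
    current = now if now is not None else time.time()
    if current >= exp:
        return None  # expired
    return user


if __name__ == "__main__":
    ticket = mint_ticket("jjones@uni.ac.uk", "eig")
    print(ticket)
    print(verify_ticket(ticket, "eig"))
```

Binding the service name into the ticket stops a ticket issued for one service being replayed against another, and the expiry bounds the window in which a captured ticket is useful; a production server would additionally record used tickets (or include a nonce) so each one opens at most one session.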

9
Shibbolizing a service
  • Add Shibboleth login button to front page
  • Button links to Shibboleth login script
      • Currently separate from Athens script but very
        similar in form
  • Common AAA requirements again factored into
    central ShibLogin module
  • Layer ShibLogin on existing LoginScript: uses
    shared framework (e.g., for logging)

14
Progress to date
  • Established the SDSS federation and a common
    ShibLogin framework for EDINA services
  • Contributed to Internet2 Shibboleth activity
      • Several bug reports, including security
        vulnerabilities
      • XSLT scripts to convert 1.3 → 1.2, 1.1 metadata
        format
      • Code: WAYF 1.3 metadata support, IdP NAT
        traversal
  • Signed up initial Identity Providers (IdPs) in
    SDSS federation
      • Edinburgh, Leeds, LSE, MIMAS, Newcastle, Oxford
  • Shibbolized four EDINA services: Education Image
    Gallery, which we've just seen, plus ...

18
Attributes used in SDSS
  • eduPersonScopedAffiliation
      • e.g., student@lse.ac.uk
  • eduPersonTargetedID
      • e.g., xdIe346Kb82hdJhzbhvje23wE@ncl.ac.uk
  • eduPersonEntitlement
      • e.g., urn:mace:ac.uk:sdss.ac.uk:entitlement:med
  • eduPersonPrincipalName
      • e.g., jjones@uni.ac.uk
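The slides describe the authorisation model in pieces: coarse-grained access for all users at a subscribing institution (slide 7), an entitlement value for medically restricted content (slide 20), and the attribute formats above. The block below is an added example, in Python rather than EDINA's Perl and not the ShibLogin code, that puts those pieces together as one decision function. It assumes the Shibboleth SP has exported the attributes under the names on this slide with multiple values joined by ';', that the SP's own attribute filtering has already rejected scopes the asserting IdP is not registered for, and it uses a constructed subscription table and service names; the entitlement URN is the one shown on this slide.

```python
"""Attribute-based authorisation for a Shibbolized service (added example;
not EDINA's ShibLogin, which is Perl)."""
import logging
from dataclasses import dataclass
from typing import Optional

# Attribute names from the SDSS slide. The SP is assumed to export each as a
# single string, multiple values joined by ';' (assumption).
SCOPED_AFFILIATION = "eduPersonScopedAffiliation"
TARGETED_ID = "eduPersonTargetedID"
ENTITLEMENT = "eduPersonEntitlement"

# Entitlement URN for medically restricted content (example value on the slide).
MED_ENTITLEMENT = "urn:mace:ac.uk:sdss.ac.uk:entitlement:med"

# Constructed subscription table standing in for the subscription database:
# institution scope -> services it subscribes to (service names invented).
SUBSCRIPTIONS = {
    "lse.ac.uk": {"eig", "emol"},
    "ncl.ac.uk": {"emol"},
}

# Affiliation values that count as "a user at institution X".
ACCEPTED_AFFILIATIONS = {"member", "student", "staff", "faculty", "employee"}

log = logging.getLogger("shiblogin")


def split_values(raw: Optional[str]) -> list:
    """Turn the SP's ';'-joined attribute string into a list of values."""
    if not raw:
        return []
    return [v.strip() for v in raw.split(";") if v.strip()]


def parse_scoped(value: str) -> Optional[tuple]:
    """Split 'student@lse.ac.uk' into ('student', 'lse.ac.uk').

    Values without exactly one '@', or with an empty part, are rejected so
    a malformed attribute can never match a subscription entry.
    """
    if value.count("@") != 1:
        return None
    affiliation, scope = (p.strip().lower() for p in value.split("@"))
    if not affiliation or not scope:
        return None
    return affiliation, scope


@dataclass
class Decision:
    allowed: bool
    reason: str
    scope: Optional[str] = None        # institution whose subscription granted access
    session_key: Optional[str] = None  # opaque targetedID for personalisation


def authorise(service: str, attrs: dict, restricted: bool = False) -> Decision:
    """Coarse-grained check: does any asserted affiliation place the user at
    an institution subscribing to `service`?  With restricted=True the
    medical entitlement URN is required as well.  `attrs` is the attribute
    mapping exported by the SP (a plain dict here)."""
    granting_scope = None
    for value in split_values(attrs.get(SCOPED_AFFILIATION)):
        parsed = parse_scoped(value)
        if parsed is None:
            log.warning("malformed scoped affiliation %r", value)
            continue
        affiliation, scope = parsed
        if affiliation in ACCEPTED_AFFILIATIONS and service in SUBSCRIPTIONS.get(scope, set()):
            granting_scope = scope
            break
    if granting_scope is None:
        return Decision(False, "no subscribing affiliation")

    if restricted and MED_ENTITLEMENT not in split_values(attrs.get(ENTITLEMENT)):
        return Decision(False, "entitlement missing", scope=granting_scope)

    # targetedID is a per-service pseudonym: a stable key for personalisation
    # that the service cannot resolve back to a person.
    targeted = split_values(attrs.get(TARGETED_ID))
    session_key = targeted[0] if targeted else None
    log.info("access granted service=%s scope=%s restricted=%s",
             service, granting_scope, restricted)
    return Decision(True, "ok", scope=granting_scope, session_key=session_key)


if __name__ == "__main__":
    print(authorise("eig", {SCOPED_AFFILIATION: "student@lse.ac.uk"}))
    print(authorise("emol", {SCOPED_AFFILIATION: "staff@ncl.ac.uk"}, restricted=True))
```

The decision depends only on the scope part of the affiliation and on the entitlement URN, which is why the slide's point holds that an IdP need only release one standard attribute for most services; eduPersonPrincipalName is deliberately not consulted, and the log records the granting institution rather than the individual.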

19
The bad news
  • All these attributes have to come from your
    institution's IdP
  • That presumes a central database, at least of
    user identities, hopefully of attributes too
  • Creating and maintaining this database is hard
    work, but a prerequisite to deploying a Shibboleth
    IdP
  • Responsibilities change: managing external
    identities shifts from librarians to computing
    services (should be a net gain)
  • Campus single sign-on system required
  • But JISC is funding Early Adopters to build
    experience and MATU is there to help

20
Current work
  • Support for medically restricted content in
    Education Media Online (liaise with IAMSECT,
    Newcastle)
      • to define eduPersonEntitlement attribute value
        corresponding to existing Athens
        EDINA_MEDIA_MEDICAL resource
  • Multi-federation WAYF
  • Migrate subscription database in-house from
    Athens
  • Investigate other commercial CAs (Thawte)
  • More services: Digimap work started

21
Issues
  • EDINA resources are only in the SDSS federation
      • But multiple UK educational federations are
        evolving (SDSS, MATU, schools/Becta, KC-ROLO, ...)
      • And even if there weren't, international working
        will be required
      • But Shibboleth multi-federation support is still
        immature
  • SDSS provides metadata in 1.3, 1.2 and 1.1
    formats
      • but no guarantee to support all formats in
        perpetuity

22
Future work
  • Broadening (service delivery)
      • AGDEX, Index to The Times, similar to the ones
        already done
  • Also deepening (harder cases)
      • Digimap, UKBORDERS (finer-grain authZ)
      • OpenURL, weblinks: merge ShibLogin and LoginScript
  • JISC have funded new work items
      • multi-federation working, including a meta-WAYF
      • virtual organisation use cases (e-Science person
        hired)
      • attribute release policy tools
      • more sophisticated resource registry

23
Highlights
  • Established SDSS federation and a common AAA
    framework across multiple EDINA services
  • Seven services already live (4 EDINA, 2 MIMAS,
    1 Internet2) with 4 institutional IdPs, 6 others
  • IdP need only provide one standard attribute for
    login to most services (and optionally one for
    personalisation); requires institutional user DB
  • Rest of EDINA services to be converted over next
    year: harder cases plus new tools