Further Education Institutional Access Management Support FEIAMS - PowerPoint PPT Presentation

Slides: 25
Provided by: ebed
Transcript and Presenter's Notes
1
Further Education Institutional Access Management
Support (FEIAMS)
  • Collaboration between Kidderminster College and
    Cardiff University
  • Supporting FE and small HEIs to join the UK
    Access Management Federation as Identity
    Providers (IdP)
  • Delivering technical support for steps 3 & 4 of
    the JISC roadmap

2
Joining the UK Access Management Federation
3
Steps 3 & 4
  • Install Shibboleth pre-requisite software
  • Set up Shibboleth configuration files
  • Install SSL certificates
  • Link Shibboleth with
    - the existing authentication store
    - the correct attributes in the attribute store
  • Set up attribute release policy
  • Join the UK Access Management Federation
  • Provide documentation and training.

4
Institutional Preparedness
  • Before a Shibboleth Identity Provider (IdP) can
    be installed at your Institution, the
    pre-requisites for a successful implementation
    must have been completed.

5
Institutional Audit
AGENDA
  • Server Requirements
  • Directory Development
  • Attribute Requirements
  • Authentication Development
  • Firewall Access
  • SSL Certificate
  • UKAMF Membership
  • IdP Deployment Timeline

Strategic Meeting
6
Server Requirements
  • CPU: low- to mid-range dual-core Xeon
  • RAM: 2GB
  • Hard Disk: 2x73GB (15,000rpm if possible, RAID 1)
  • ! Note
    - Clock speed is more important than number of CPUs
    - The operating system must have a valid license
      where appropriate.

7
Directory Development
  • Web applications require authorisation before a
    user can access the site
  • Essential when site subscriptions and individual
    user features are involved
  • The Shibboleth framework keeps the user's anonymity
    where possible
  • No web applications should see values about the
    user that are not necessary.

8
Directory Development
User Attributes: common attributes in LDAP
  • cn - common name
  • givenName - given name
  • sn - surname
Example: givenName is "Edward"; the cn attribute value
is "ebeddows"
9
Directory Development
  • If extending the schema, implement eduPerson
  • Create (or update the existing) mechanism to add user
    accounts with the correct values
  • Keep values up to date to avoid
    security/authorisation issues
  • ! Note: must be unique and not reassigned to a
    user for 24 months after the account has been
    removed

10
UK Federation "Core" Attributes
  • eduPersonScopedAffiliation - controlled vocabulary
    e.g., student@mydomain.ac.uk
  • eduPersonEntitlement - SP-specific values describing user
    privileges
    e.g., "kidbasic1"
  • eduPersonTargetedID - a pseudonymous identifier for the user,
    specific to the SP
    e.g., s3VjcGuNrzKaeu69/QRfh73hNjU@mydomain.ac.uk
  • eduPersonPrincipalName - a global "persistent" identifier
    for the user
    e.g., jsmith@mydomain.ac.uk
  • Other attributes, e.g., from the eduPerson schema,
    may also be used if necessary

11
Attribute Requirements
[Slide image: examples of attribute requirements (source: JANET)]
12
Where do I set these values?
  • Core attributes
    - not present in LDAP by default
    - add the eduPerson class to the LDAP directory schema
      (only recommended if experienced with adding new schema
      extensions into directories)
  • eduPersonPrincipalName: already in place (cn of
    the user)
  • eduPersonTargetedID: created in Shibboleth
    dynamically
  • eduPersonScopedAffiliation and eduPersonEntitlement

13
Name Mapping
  • Map the value of an existing attribute as required
  • Mapping is done in Shibboleth
  • Multi-valued attributes in Active Directory
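The attribute handling that slides 7, 10, 12 and 13 describe (scoping existing directory values into eduPerson attributes, deriving a per-SP pseudonymous eduPersonTargetedID, and releasing to each SP only what it needs) as an added, self-contained Python example. This is not the project's code or Shibboleth's own resolver; the directory record, SP entityIDs, salt and the salted-hash construction for the targeted ID are assumptions.

```python
import base64
import hashlib

# Constructed sample directory record; a real IdP reads this from LDAP or AD.
LDAP_USER = {
    "cn": "ebeddows",
    "givenName": "Edward",
    "sn": "Beddows",
    "url": ["staff"],            # marker written by the account-creation process
    "entitlement": ["kidbasic1"],
}
SCOPE = "mydomain.ac.uk"
# Controlled vocabulary of eduPersonAffiliation; anything else is dropped, not released.
AFFILIATIONS = {"faculty", "student", "staff", "employee",
                "member", "affiliate", "alum", "library-walk-in"}
SALT = b"constructed-secret-salt"  # assumption: long-lived secret kept outside the directory

def principal_name(user):
    # eduPersonPrincipalName: the cn already in place, scoped to the institution
    return f"{user['cn']}@{SCOPE}"

def scoped_affiliation(user):
    # eduPersonScopedAffiliation: only vocabulary values, each scoped to the domain
    return [f"{v}@{SCOPE}" for v in user.get("url", []) if v in AFFILIATIONS]

def targeted_id(user, sp_entity_id):
    # eduPersonTargetedID: pseudonymous and per-SP, so two SPs cannot correlate a user.
    # Assumption: a salted hash in the spirit of Shibboleth's computed ID, not its exact algorithm.
    digest = hashlib.sha256(b"!".join([sp_entity_id.encode(), user["cn"].encode(), SALT])).digest()
    return base64.b64encode(digest).decode().rstrip("=") + "@" + SCOPE

# Attribute release policy (constructed SP entityIDs): each SP sees only what it needs.
RELEASE_POLICY = {
    "https://library.example.org/shibboleth": {"eduPersonScopedAffiliation", "eduPersonTargetedID"},
    "https://vle.example.org/shibboleth": {"eduPersonPrincipalName", "eduPersonEntitlement", "givenName", "sn"},
}

def resolve(user, sp_entity_id):
    """Build the eduPerson attribute set, then filter it by the SP's release policy."""
    attrs = {
        "eduPersonPrincipalName": [principal_name(user)],
        "eduPersonScopedAffiliation": scoped_affiliation(user),
        "eduPersonTargetedID": [targeted_id(user, sp_entity_id)],
        "eduPersonEntitlement": list(user.get("entitlement", [])),
        "givenName": [user["givenName"]],
        "sn": [user["sn"]],
    }
    allowed = RELEASE_POLICY.get(sp_entity_id, set())  # unknown SP: release nothing
    return {k: v for k, v in attrs.items() if k in allowed and v}
```

An SP that is not in the policy gets an empty attribute set, which is the safe default when a new relying party appears in federation metadata before anyone has decided what it may see.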

14
Map Existing Attributes

15
How do I set these attributes?
  • Existing processes
    - To create users: update to include the new attribute
      values, e.g., add "student" and "staff" to the url
      attribute on all new student and staff accounts.
    - Update existing accounts with the new attribute
      values
  • Other options
    - Full Identity Management solutions
    - Custom scripts
    - Active Directory - free tool ADModify
      http://www.codeplex.com/admodify
  • ! Note: regularly update attributes for accuracy,
    e.g., nightly

16
Authentication Development
  • Review existing authentication systems
  • Can they be hooked into by Shibboleth with an
    existing authentication mechanism?
    - LDAP
    - Kerberos
    - IIS integrated authentication
  • Or do you need to develop a new system?

17
Authentication Development
  • Choosing an authentication method
    - Shibboleth is not an authentication mechanism
    - It hooks into an existing method
    - Easily implemented
  • Single Sign-On Software
    - PubCookie
    - CAS
    - iChain
    - ISA
    - Extra development time

18
Firewall Access
  • Firewall rules: connect to authentication and
    attribute stores - TCP/UDP ports 389 or 636
    from the Shibboleth server to the relevant LDAP
    servers
  • Access to port 443 (https) from all external hosts
    to the Shibboleth server
  • Remote installation - port 22 for SSH (or RDP for
    Microsoft servers) from the FEIAMS Project
    (Kidderminster College) on IP 194.83.68.131/136
19
Certificates
  • Determine where to obtain your trust
    certificate(s)
    - JANET (UK) Server Certificate Service
      http://webarchive.ja.net/services/scs/scs-process.html
    - X.509 certificates must be issued by an accredited
      certificate authority
      - GlobalSign
      - JANET SCS
      - TERENA SCS
      - Thawte
      - UK e-Science CA
      - VeriSign

20
Join UK Access Management Federation
  • An overview of the joining process
  • Management Staff
    - "Rules of Membership"
    - "Recommendations for use of personal data"
    - "Federation operator procedures".
  • Technical Staff
    - Technical Recommendations for Participants
    - Technical Specifications.

21
Application Letter
  • Signed by a senior officer of the organisation
  • Agrees to the UK Federation's Rules of Membership
  • Contains
    - name and job title of the signatory, i.e. Executive
      Liaison
    - full name and postal address of the
      organisation
    - name and contact details of the Management
      Liaisons.
  • ! Note
    - Additional Management Liaisons require further
      authorisation

22
Conclusion
  • Join the UK Federation
  • Audit your existing infrastructure
    - Identify and address deficiencies
  • Acquire certificates and register entities
  • Implement your IdP

23
Useful Links
  • UK Access Management Federation
    - http://www.ukfederation.org.uk/
    - http://www.ukfederation.org.uk/content/Documents/FedDocs
    - http://www.ukfederation.org.uk/content/Documents/AttributeUsage
    - http://www.ukfederation.org.uk/content/Documents/JoinFederation
  • JANET (UK) Server Certificate Service
    - http://webarchive.ja.net/services/scs/scs-process.html
  • Educause
    - http://www.educause.edu/eduperson

24
Contact Us
  • Project Enquiries: 01562 744348
  • Help Desk: 01562 512099
  • E-mail: feiams@kidderminster.ac.uk
  • Website: feiams.kidderminster.ac.uk

Kidderminster College, Market Street,
Kidderminster, DY10 1LX