Shibboleth protected proxy servers

Jakob Gadegaard Bendixen, jgb@statsbiblioteket.dk

a case study from the Danish library sector

DEFF

Denmark's Electronic Research Library

Founded in 1998 to provide a joint IT strategy for the Danish research libraries

Provides infrastructure and middleware for the libraries

AAI

One of the original visions was to provide a standardized way to handle user administration and access control across institutional borders

Did anyone say federation…

The DEF key

An attempt was made to realize this vision through an ambitious project called ‘The DEF key’.

A lot of effort was put in, but the project was dropped due to conflict of interest

DEFF Services

DEFF negotiates licenses for accessing article databases and electronic periodicals for the research libraries

Most of these are campus-wide licenses and the access control is IP based

Challenge

How do we provide home access for the users such that

• Only registered users have access

• Access is through an ordinary web browser

• There is no need to change browser settings (necessary with ordinary proxy servers)

LDAP 2001

In 2001 a new project was launched to meet this specific challenge

• The lesson learned from the DEF key project was that it failed because it tried to be as general as possible

• So this time one of the goals was to design a solution which met only this specific challenge

The Solution

A network of LDAP servers (one for each involved institution) providing data for a centralized login controlling the access to a farm of rewriting proxy servers

[Diagram: central login, three LDAP servers, proxy server, three service providers]
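
A sketch of the URL rewriting that lets an ordinary browser reach IP-restricted resources through the proxy without any proxy settings, as an added example that is not DEFF's or the EZProxy vendor's code. The proxy hostname, the hostname-suffix rewriting scheme and the licensed domain list are assumptions constructed for illustration; the login check in front of the proxy is left out.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed values: hypothetical proxy host and licensed-domain list.
PROXY_HOST = "proxy.example.org"
LICENSED_DOMAINS = {"journals.example.com", "db.example.net"}


def is_licensed(host: str) -> bool:
    """True if host is a configured domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in LICENSED_DOMAINS)


def to_proxy_url(origin_url: str) -> str:
    """Rewrite a provider URL so the browser sends the request to the proxy.

    Unlisted hosts are refused so the proxy cannot be used as an open relay.
    """
    parts = urlsplit(origin_url)
    host = (parts.hostname or "").lower()
    if parts.scheme not in ("http", "https") or not is_licensed(host):
        raise ValueError(f"not a licensed resource: {origin_url!r}")
    # Assumed scheme: the origin host becomes a prefix of the proxy host.
    return urlunsplit((parts.scheme, f"{host}.{PROXY_HOST}",
                       parts.path, parts.query, parts.fragment))


def to_origin_url(proxy_url: str) -> str:
    """Recover the provider URL from a rewritten URL (done on the proxy)."""
    parts = urlsplit(proxy_url)
    host = (parts.hostname or "").lower()
    suffix = "." + PROXY_HOST
    if not host.endswith(suffix):
        raise ValueError(f"not a proxy URL: {proxy_url!r}")
    origin_host = host[: -len(suffix)]
    if not is_licensed(origin_host):
        raise ValueError(f"not a licensed resource: {origin_host!r}")
    return urlunsplit((parts.scheme, origin_host,
                       parts.path, parts.query, parts.fragment))
```

Because the provider only ever sees the proxy's IP address, the domain check on both directions is what keeps the proxy limited to the licensed resources.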

Some Statistics

We have a solution running in production with

• 40+ user organizations

• ~ 250.000 users

• providing access to several hundred databases

• Configuration lists more than 7.000 domains

Is it perfect?

A short answer: no, but it is working

• 2 single points of failure (login and proxy)

• Centralized login = potential security issue

• Performance issue

• URL exchanging issue

Shibbolizing the setup

In 2005 we ran a pilot project to try to put Shibboleth access control on our proxy farm

EZProxy has already been Shibbolized by the vendor. However, this version does not fully meet our requirements

[Diagram: identity provider, WAYF, proxy server, three service providers]

Have you implemented it?

The short answer: no

The building of a Danish federation, DK-AAI, is in progress and we are awaiting the outcome of this project

Why use proxies at all?

It allows us to progress in building our federation without having to wait for the resource providers to get Shibboleth ready

Some resource providers probably will not be ready in this decade

[Diagram: identity provider; WAYF / proxy server; three service providers]

Questions and answers

jgb@statsbiblioteket.dk

www.statsbiblioteket.dk

www.deff.dk

www.deff.dk/aai