Page 1: Shibboleth at USMAI David Kennedy davekenn@umd.edu  Spring 2006 Internet2 Member Meeting, April 24-26, 2006 – Arlington, VA

Shibboleth at USMAI

David Kennedy

davekenn@umd.edu

http://usmai.umd.edu/auth

Spring 2006 Internet2 Member Meeting, April 24-26, 2006 – Arlington, VA

Page 2

USMAI Consortium of Libraries

Univ. System of Maryland and Affiliated Institutions

http://usmai.umd.edu/

• 16 Libraries from the 12 campuses of the USM & 2 affiliated Maryland higher ed institutions

• Began in 1982 with a subset of these institutions

• Over 7,000,000 items in catalog

• Approximately 200,000 patrons

• Built on a resource sharing model

• Hosted at the University of Maryland

• Governed by the Council of Library Directors (CLD)

Page 3

USMAI Consortium of Libraries

• Shared IT products and services, e.g.:

– Systems Administration, Development, & Help Desk

– E-Resource licensing & procurement

– Consortium-wide ID management (patron database)

– Library Information Management System (Aleph)

– OpenURL resolver (SFX)

– E-Resource Portal (MetaLib)

– Proxy services (EZproxy)

– ILL (ILLiad)

– Institutional Repository (DSpace)

– E-Resource Management (Verde)

Page 4

What is the problem?

• Multiple logins for multiple services

• Need to secure the flow of data for the multiple logins across different applications

• Username/password embedded in URLs to give the appearance of single sign-on; credentials carried in a URL end up in browser history, Referer headers, and web-server and proxy logs

Page 5

Why Shibboleth?

• Other considered solutions: PDS, CAS, Pubcookie

• Shibboleth

– Single sign-on

– Secure handling of user attributes

– Flexibility to use different AuthZ criteria per service

– Designed to function across domains

– Ability to authenticate for different vendors’ products

Page 6

Shib architecture

• Shibboleth – an architecture for handling authentication and attribute assertion in a secure and controlled manner

• Service Provider (SP) – resource

• Identity Provider (IdP) – AuthN source

• WAYF – Where Are You From

• WebISO – Web Initial Sign On

Page 7

Shib architecture

Page 8

Investigation

• Installed generic single institution IdP

• Installed generic service provider (script that prints out attributes)

• Proof of concept

Page 9

Implementation

• Chose EZproxy and Ex Libris’ Metalib/PDS as initial SPs

• EZproxy was already shibboleth-enabled, so easily configured

• Had to implement multiple identity providers for institutions in the consortium

Page 10

IdP Implementation

• Multiple institutions in one installation

• Multiple configurations for attributes and trust settings

– Separate Tomcat servlets per institution

• Multiple ldap settings in WebISO for user verification

Page 11

Multiple Identity Providers – Virtually Separate

• Totally separate identity providers as far as service providers are concerned

• Unique access points

• Separate trust relationships

Page 12

EZproxy

• Host EZproxy instances for 14 institutions

• Now shib-enabled

• Access to online resources by user attributes

Page 13

PDS

• Patron Directory Service

• Single Sign On between ExLibris applications

• AuthN and AuthZ

Page 14

Role of PDS in Shib Environment

• Dual role of WAYF and SP

• AuthN

• AuthZ at the application level (Metalib, in our case)

Page 15

PDS as WAYF

• PDS to present list of institutions (WAYF)

• Choice of institutions redirects to an institution specific URL within PDS

Page 16

PDS as SP

• Each URL protected by different institution’s Identity Provider

• IdP handles authentication and attribute assertion

• SP receives attributes back from IdP and establishes PDS session

Page 17

Shib SP configuration

• Shibboleth.xml – settings for SP

• Multiple applications defined, each with a different Identity Provider

• RequestMap defined – map URLs to shib applications
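As an added illustration (not code from the USMAI deployment or from the Shibboleth SP itself), the following Python models the two settings this slide and the "Virtually Separate" slide describe: a RequestMap that resolves a URL to an application, and one identity provider pinned to each application. The check it demonstrates is the one the virtually separate IdPs depend on: an assertion is accepted for an application only when its issuer is that application's pinned IdP, and scoped attribute values are kept only when their scope belongs to that institution. Host names, paths, entity IDs and scopes are hypothetical.

```python
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample: two virtually separate IdPs behind one consortium host.
# Entity IDs, host names, paths and scopes are hypothetical.
APPLICATIONS = {
    "pds-campus-a": {
        "idp": "https://idp.consortium.example/campus-a/shibboleth",
        "scope": "campus-a.example",
    },
    "pds-campus-b": {
        "idp": "https://idp.consortium.example/campus-b/shibboleth",
        "scope": "campus-b.example",
    },
}

# RequestMap: host -> (path prefix -> application id); longest prefix wins.
REQUEST_MAP = {
    "pds.consortium.example": {
        "/pds/campus-a": "pds-campus-a",
        "/pds/campus-b": "pds-campus-b",
    },
}

# Attributes whose values carry an @scope that must belong to the issuing IdP.
SCOPED_ATTRIBUTES = {"eduPersonPrincipalName", "eduPersonScopedAffiliation"}


@dataclass
class Assertion:
    issuer: str                                   # entity ID of the IdP that produced it
    attributes: dict = field(default_factory=dict)  # attribute name -> list of values


@dataclass
class Decision:
    allowed: bool
    app_id: Optional[str] = None
    attributes: dict = field(default_factory=dict)
    reason: str = ""


def application_for(url: str) -> Optional[str]:
    """Resolve a request URL to the shibboleth application protecting it."""
    parts = urlsplit(url)
    paths = REQUEST_MAP.get((parts.hostname or "").lower(), {})
    hits = [p for p in paths if parts.path == p or parts.path.startswith(p + "/")]
    return paths[max(hits, key=len)] if hits else None


def filter_attributes(app_id: str, attributes: dict) -> dict:
    """Drop scoped values whose scope is not the institution's own."""
    scope = APPLICATIONS[app_id]["scope"]
    kept = {}
    for name, values in attributes.items():
        if name in SCOPED_ATTRIBUTES:
            # rpartition leaves an unscoped value in [2], so it is dropped too
            values = [v for v in values if v.rpartition("@")[2].lower() == scope]
        if values:
            kept[name] = list(values)
    return kept


def establish_session(url: str, assertion: Assertion) -> Decision:
    """Accept an assertion only from the IdP pinned to the application owning the URL."""
    app_id = application_for(url)
    if app_id is None:
        return Decision(False, reason="URL is not protected by any application")
    pinned = APPLICATIONS[app_id]["idp"]
    if assertion.issuer != pinned:
        return Decision(False, app_id, reason=f"issuer {assertion.issuer} is not {pinned}")
    return Decision(True, app_id, filter_attributes(app_id, assertion.attributes))


if __name__ == "__main__":
    sample = Assertion(APPLICATIONS["pds-campus-a"]["idp"],
                       {"eduPersonScopedAffiliation": ["member@campus-a.example"]})
    print(establish_session("https://pds.consortium.example/pds/campus-a/", sample))
    print(establish_session("https://pds.consortium.example/pds/campus-b/", sample))
```

The second call in the demo is the case that matters for a consortium: a valid assertion from campus A's IdP is refused at campus B's URL, even though both IdPs run in the same installation.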

Page 18

Logout

• No logout provided in the Shibboleth architecture; logging out of the IdP does not end sessions already established at service providers, which persist until they expire

• Created a logout for the identity provider, with an optional redirect back to the service provider (the redirect target needs to be restricted to known service providers, or the logout page becomes an open redirect)
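An added example of the logout described above, written for this page and not taken from the USMAI IdP code: the handler destroys the WebISO session and then honours the optional return URL only if it points, over https, at a registered service provider host; anything else falls back to the IdP's own logged-out page. The host names and the session store are hypothetical.

```python
import secrets
from urllib.parse import urlsplit, urlunsplit

# Constructed list of service-provider hosts the IdP may send a user back to.
# Host names are hypothetical.
REGISTERED_SP_HOSTS = {"ezproxy.consortium.example", "pds.consortium.example"}
DEFAULT_LOGOUT_PAGE = "https://idp.consortium.example/logged-out"


class IdPSessions:
    """Minimal in-memory WebISO session store (stand-in for the real one)."""

    def __init__(self):
        self._sessions = {}

    def create(self, principal: str) -> str:
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = principal
        return sid

    def active(self, sid: str) -> bool:
        return sid in self._sessions

    def destroy(self, sid: str) -> None:
        self._sessions.pop(sid, None)


def safe_return_url(candidate, default: str = DEFAULT_LOGOUT_PAGE) -> str:
    """Return candidate only if it targets a registered SP over https; else the default."""
    if not candidate:
        return default
    parts = urlsplit(candidate)
    try:
        port = parts.port          # raises ValueError on a malformed port
    except ValueError:
        return default
    # Reject userinfo tricks such as https://pds.good.example@evil.example/
    if parts.scheme != "https" or parts.username is not None or parts.password is not None:
        return default
    if parts.hostname not in REGISTERED_SP_HOSTS or port not in (None, 443):
        return default
    # Rebuild from the parsed parts so only scheme, host, path and query survive.
    return urlunsplit(("https", parts.hostname, parts.path or "/", parts.query, ""))


def logout(sessions: IdPSessions, sid: str, return_url=None) -> str:
    """End the IdP session and return the URL the browser should be redirected to."""
    sessions.destroy(sid)
    return safe_return_url(return_url)


if __name__ == "__main__":
    store = IdPSessions()
    sid = store.create("jdoe")
    print(logout(store, sid, "https://ezproxy.consortium.example/logout"))
    print(logout(store, sid, "https://evil.example/?from=idp"))
```

Because the IdP has no way to end the sessions the service providers hold, the SP's own logout URL is the sensible return target: the user lands there and that application can clear its session as well.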

Page 19

ILLiad

• InterLibrary Loan software, Atlas Systems

• Consortial implementation – 8 institutions, 2 stand-alone installations to be shibbed

• ILLiad is now aware of 1 shib attribute, identifier

• Future – work with Atlas so that ILLiad can take advantage of other attributes (v 7.2?)

Page 20

Before

Page 21

After

Page 22

Project Details

• Began investigation – March 2005

• 1 staff member

• 16 IdPs, 3 SPs into production, April 2006

• Hardware:

– Test – Sun Fire V480, 2x900MHz UltraSparc III, 8GB RAM (shared server)

– Production – Sun Fire V880, 4x900MHz UltraSparc III+, 16GB RAM (shared server)

• Documentation

Page 23

Challenges

• Technical

– Consortia – virtually separate identity providers

– Logout

– LDAP – hook into our LDAP, single LDAP for all institutions, only use institution-specific attributes

• Learning curve, needed concentrated chunks of staff time

• Making shibboleth a priority
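The LDAP challenge listed above, together with the per-institution LDAP settings on the "IdP Implementation" slide, comes down to one rule: each virtual IdP may verify users only inside its own institution's subtree and may release only that institution's attributes. The Python below is an added illustration of that rule, written for this page rather than taken from the USMAI IdP or its WebISO; the directory, DNs, users, passwords and attribute names are constructed sample data, and a dictionary stands in for the LDAP server. It also escapes the user-supplied uid before it is spliced into the search filter, which is where a shared directory is easiest to abuse.

```python
import hashlib
import hmac

# Fixed salt so the sample is deterministic; a real store salts per user.
_SALT = b"fixed-demo-salt"


def _pwhash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 50_000)


# Constructed directory: one tree, one organizational unit per institution.
# Note the same uid in both subtrees, held by two different people.
DIRECTORY = {
    "uid=jdoe,ou=people,ou=campus-a,dc=consortium,dc=example": {
        "uid": "jdoe",
        "userPassword": _pwhash("correct horse battery"),
        "mail": "jdoe@campus-a.example",
        "campusAStatus": "faculty",
    },
    "uid=jdoe,ou=people,ou=campus-b,dc=consortium,dc=example": {
        "uid": "jdoe",
        "userPassword": _pwhash("staple trombone"),
        "mail": "jdoe@campus-b.example",
        "campusBStatus": "student",
    },
}

# Each virtual IdP searches its own subtree and releases only its own attributes.
VIRTUAL_IDPS = {
    "campus-a": {"base": "ou=campus-a,dc=consortium,dc=example",
                 "release": ("uid", "mail", "campusAStatus")},
    "campus-b": {"base": "ou=campus-b,dc=consortium,dc=example",
                 "release": ("uid", "mail", "campusBStatus")},
}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value spliced into an LDAP search filter."""
    out = []
    for ch in value:
        if ch in "\\*()\0":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def ldap_query(idp_id: str, uid: str):
    """The (base DN, filter) a real subtree search would use for this virtual IdP."""
    return VIRTUAL_IDPS[idp_id]["base"], f"(uid={escape_filter_value(uid)})"


def search(base: str, uid: str):
    """Stand-in for a subtree search: exact uid match under the base DN."""
    return [dn for dn, entry in DIRECTORY.items()
            if dn.endswith("," + base) and entry["uid"] == uid]


def authenticate(idp_id: str, uid: str, password: str):
    """Verify the user inside the institution's subtree; return released attributes or None."""
    base, _ = ldap_query(idp_id, uid)
    hits = search(base, uid)
    if len(hits) != 1:
        return None                      # unknown to this institution, or ambiguous
    entry = DIRECTORY[hits[0]]
    if not hmac.compare_digest(entry["userPassword"], _pwhash(password)):
        return None
    return {k: entry[k] for k in VIRTUAL_IDPS[idp_id]["release"] if k in entry}


if __name__ == "__main__":
    print(authenticate("campus-a", "jdoe", "correct horse battery"))
    print(authenticate("campus-b", "jdoe", "correct horse battery"))
    print(len(search("dc=consortium,dc=example", "jdoe")), "entries for jdoe tree-wide")
```

Searching the whole tree for "jdoe" returns two entries; scoping the base DN per virtual IdP is what keeps campus A's password from ever being checked against campus B's entry, and the release tuple is what keeps campus A's status attribute out of campus B's assertions.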

Page 24

What’s next?

• We are rolling out more service providers

• ILLiad going into production within the month

• Aleph to be shib service provider by year’s end

• Online resources

• Consortial members implementing their own identity providers

Page 25

David Kennedy

davekenn@umd.edu

Shib project page: http://usmai.umd.edu/auth