OpenAthens LA 2.0: A joined-up approach to identity OpenAthens workshops, May 2009 David Orrell, Eduserv [email protected] www.eduserv.org.uk


OpenAthens LA 2.0: A joined-up approach to identity

OpenAthens workshops, May 2009

David Orrell, [email protected]

www.eduserv.org.uk

Overview

• Local authentication
• Product background and goals
• Architecture
• Configuration processes
• Roadmap and future developments

What is OpenAthens LA?

Software to enable federated access to internal and external Web resources

Federated identity

Identity Provider ↔ Service Providers (resources)

Control: Policy, Subscriptions, Management

Running an identity provider

Identity provider

User-repository

System administrator

Librarian

Configuration

IT Services

Our top 3 priorities for OpenAthens LA 2.0...

1) Ease of installation, configuration & maintenance

• Web-based administration

• Built-in diagnostics and statistics

2) Support for multiple, Open Standards

3) Adaptable and extendable

• Modular architecture

• Open APIs – write your own extensions

OpenAthens LA 2.0

• Administration control...

OpenAthens LA 2.0: administration

Model / Runtime

Runtime server(s) / Administration server

User-repository

System administrator

Librarian

Staff / students

OpenAthens LA 2.0: administration

Admin application(s) Model

Administration server

Model history

OpenAthens LA 2.0

• Runtime flexibility...

OpenAthens 'Atacama' platform

Protocol modules

OpenAthens LA 2.0: modules

Platform

Webserver

• Authentication

• Data-store connectors

• Identity protocols (SAML, OpenID etc)

• Attribute release policies

• Custom attributes

• …

OpenAthens LA runtime

Runtime installation

• Runtime connects to administration server
• Multiple runtimes can point to the same server and model
  – Load-balancing
  – High availability

Model / Apache runtime

Runtime server(s) / Administration server

Runtime installation

• Install Apache module (mod_openathens)
• Point runtime at administration console
  – ...in httpd.conf:
    OAConfig http://admin.example.ac.uk/OalaAdmin/Publish/0/Apache

Authentication

• Built-in
  – LDAP
  – OpenAthens MD

• Custom
  – Apache (eg. mod_authnz_ldap)
  – Kerberos
  – Windows domain
  – PHP, Perl...
  – ...or multiple methods

Built-in authentication

1) Configure authentication providers in GUI
2) Configure runtime to use named provider

<Location /oala/sso>
  AuthType OpenAthens:ldap
  require valid-user
</Location>

Custom authentication

1) Configure runtime to use custom provider
   – eg. mod_auth_..., PHP, mod_perl

2) Write authentication provider

<Location /oala/sso>
  AuthType OpenAthens:php
  require valid-user
</Location>

...
$auth = new OALACustomAuth($userId);
$auth->establishSession();

Data handling

User data

User-categories:
  Staff, students...
  Affiliates, alumni...

Authenticated user → Attributes → Release policy → Organisation boundary → Services, Federations, Partners

Data-stores and user-categories

• Enable organisation and description of users
• Users may be grouped in multiple categories
  – ...but must be in at least one
• Categories may be assigned by rules
  – ...or may be assigned explicitly

• Attributes are assigned to categories

Attribute types

• LDAP
• SQL database
  – MySQL
  – Microsoft SQL Server
• Fixed value
• Derived
  – eg. eduPersonTargetedID

• Scripted

Attribute release

• Control flow of data leaving organisation

• Control which attributes are sent to which service providers

• Should only disclose minimum required

“Release attribute x to everyone”
“Release attribute y to service z”
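The three data-handling slides (user-categories, attribute types, attribute release) modelled end to end as an added example; this is not OpenAthens code, and the category rules, attribute sources, release rules, sample user record and the pseudonym key are all constructed for illustration:

```python
"""Constructed model of the data-handling pipeline above: rule-assigned user-categories,
attributes attached to categories (fixed, LDAP-sourced or derived), default-deny release."""
import hashlib
import hmac

# Constructed demo secret; a real IdP keeps this private so pseudonyms cannot be reversed.
TARGETED_ID_KEY = b"constructed-demo-key"

# Constructed user-repository record (LDAP-style), not a real person.
SAMPLE_USER = {"uid": "jsmith", "employeeType": "staff", "mail": "jsmith@example.ac.uk"}

def targeted_id(user, service):
    """Derived attribute (eduPersonTargetedID): opaque, stable per user AND per service."""
    return hmac.new(TARGETED_ID_KEY, f"{user['uid']}|{service}".encode(), hashlib.sha256).hexdigest()[:32]

# Hypothetical categories: name -> (rule over the raw record, attributes). An attribute is a fixed
# value or a callable(user, service); 'members' spans staff and alumni, so one user can be in several.
CATEGORIES = {
    "members": (lambda u: u["employeeType"] in ("staff", "student", "alumnus"),
                {"eduPersonTargetedID": targeted_id}),
    "staff": (lambda u: u["employeeType"] == "staff",
              {"eduPersonScopedAffiliation": "staff@example.ac.uk", "mail": lambda u, s: u["mail"]}),
    "alumni": (lambda u: u["employeeType"] == "alumnus",
               {"eduPersonScopedAffiliation": "alum@example.ac.uk"}),
}

# Hypothetical release rules: (attribute, "everyone" or a service identifier). Unlisted = withheld.
RELEASE_POLICY = [
    ("eduPersonTargetedID", "everyone"),
    ("eduPersonScopedAffiliation", "everyone"),
    ("mail", "https://sp.publisher.example/shibboleth"),
]

def attributes_for(user, service, categories=CATEGORIES):
    """Resolve the user's categories, then collect their attributes for the given service."""
    matched = [attrs for rule, attrs in categories.values() if rule(user)]
    if not matched:  # a user may be in many categories but must be in at least one
        raise PermissionError(f"{user['uid']} matches no user-category; no session established")
    resolved = {}
    for cat_attrs in matched:
        for name, source in cat_attrs.items():
            resolved[name] = source(user, service) if callable(source) else source
    return resolved

def release(attrs, service, policy=RELEASE_POLICY):
    """Default deny: release only what a rule grants to everyone or to this specific service."""
    allowed = {attr for attr, target in policy if target in ("everyone", service)}
    return {k: v for k, v in attrs.items() if k in allowed}
```

The per-service pseudonym means two service providers receiving the same user cannot correlate her, and the default-deny policy is what keeps the released set to the minimum required.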

Thank you!

[email protected]

OpenAthens LA 2.0: release schedule

March 2009: Initial Alpha
June 2009: Beta release
end July 2009: OpenAthens LA 2.0 Apache GA release
July 2009: .NET runtime alpha release
July 2009: Test VM images
Sept 2009: .NET runtime GA release
Oct/Nov 2009: 2.1 advisory group
Jan 2010: 2.1 release

2.1 release

• Librarian console
• Integrated statistics/diagnostics
• More built-in authn options
  – including OpenID

• More supported federations