OpenAthens LA 2.0: A joined-up approach to identity
OpenAthens workshops, May 2009
David Orrell, [email protected]
www.eduserv.org.uk
Overview
• Local authentication
• Product background and goals
• Architecture
• Configuration processes
• Roadmap and future developments
Federated identity
[Diagram: an identity provider on one side, service providers (resources) on the other; the identity provider side is labelled control, policy, subscriptions and management]
Running an identity provider
[Diagram: identity provider and user-repository; two roles act on it, the system administrator (IT Services) and the librarian (configuration)]
OpenAthens LA 2.0: administration
1) Ease of installation, configuration & maintenance
• Web-based administration
• Built-in diagnostics and statistics
[Diagram: administration server holding the model; runtime server(s) consuming it; user-repository; roles shown are system administrator, librarian, and staff / students]
OpenAthens LA 2.0: modules
[Diagram: OpenAthens LA runtime layered on top of the webserver and platform]
• Authentication
• Data-store connectors
• Identity protocols (SAML, OpenID etc.)
• Attribute release policies
• Custom attributes
• …
Runtime installation
• Runtime connects to administration server
• Multiple runtimes can point to the same server and model
  – Load-balancing
  – High availability
[Diagram: administration server holding the model; one or more Apache runtime servers pointing at it]
Runtime installation
• Install Apache module (mod_openathens)
• Point runtime at administration console
  – ...in httpd.conf:

    OAConfig http://admin.example.ac.uk/OalaAdmin/Publish/0/Apache

  – the runtime pulls its published configuration from this URL, so in production serve it over https or otherwise restrict access to the runtime hosts
Authentication
• Built-in
  – LDAP
  – OpenAthens MD
• Custom
  – Apache (eg. mod_authnz_ldap)
  – Kerberos
  – Windows domain
  – PHP, Perl...
  – ...or multiple methods
Built-in authentication
1) Configure authentication providers in GUI
2) Configure runtime to use named provider

    <Location /oala/sso>
      AuthType OpenAthens:ldap
      require valid-user
    </Location>
Custom authentication
1) Configure runtime to use custom provider
   – eg. mod_auth_..., PHP, mod_perl
2) Write authentication provider

    <Location /oala/sso>
      AuthType OpenAthens:php
      require valid-user
    </Location>

    ...
    // $userId must come from the authentication already performed (e.g. REMOTE_USER set by
    // the Apache auth module), never from an unverified request parameter.
    $auth = new OALACustomAuth($userId);
    $auth->establishSession();
Data handling
[Diagram: user data (staff, students...; affiliates, alumni...) is grouped into user-categories inside the organisation boundary; attributes attached to the authenticated user pass through the release policy before reaching services, federations and partners]
Data-stores and user-categories
• Enable organisation and description of users
• Users may be grouped in multiple categories
  – ...but must be in at least one
• Categories may be assigned by rules
  – ...or may be assigned explicitly
• Attributes are assigned to categories
Attribute types
• LDAP
• SQL database
  – MySQL
  – Microsoft SQL Server
• Fixed value
• Derived
  – eg. eduPersonTargetedID
• Scripted
Attribute release
• Control flow of data leaving organisation
• Control which attributes are sent to which service providers
• Should only disclose minimum required
  “Release attribute x to everyone”
  “Release attribute y to service z”
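The two slides above (attribute types, including the derived eduPersonTargetedID, and attribute release) describe one pipeline: an authenticated user is placed in categories, categories contribute attributes, a derived pairwise identifier is computed per service provider, and a release policy decides what actually leaves the organisation. The block below is an added example that models that pipeline; it is not OpenAthens LA code. The user records, entity IDs, category rules and the HMAC-based construction of eduPersonTargetedID are assumptions for illustration (OpenAthens LA may derive the identifier differently); the security points it shows are default-deny release and an identifier that is stable per service provider but unlinkable across them.

```python
import base64
import hashlib
import hmac

# Added example, not OpenAthens LA code. Entity IDs, secret and rules are assumptions.
IDP_SCOPE = "example.ac.uk"                                    # assumed scope for scoped attributes
TARGETED_ID_SECRET = b"replace-me-with-a-long-random-secret"   # assumed; in practice load from config

# Constructed user records standing in for the LDAP / SQL data-store.
USERS = {
    "alice": {"uid": "alice", "mail": "alice@example.ac.uk", "affiliation": "student"},
    "bob":   {"uid": "bob",   "mail": "bob@example.ac.uk",   "affiliation": "alumnus"},
}


def categorise(user):
    """Assign user-categories by rule. A user may be in several, but must be in at least one."""
    cats = set()
    if user["affiliation"] in ("staff", "student"):
        cats.add("members")
    if user["affiliation"] == "student":
        cats.add("students")
    if user["affiliation"] in ("alumnus", "affiliate"):
        cats.add("affiliates")
    if not cats:
        raise ValueError(f"{user['uid']} is in no category; refusing to release anything")
    return cats


# Fixed-value attributes attached to categories (multi-valued, hence sets).
CATEGORY_ATTRIBUTES = {
    "members":    {"eduPersonScopedAffiliation": {f"member@{IDP_SCOPE}"}},
    "students":   {"eduPersonScopedAffiliation": {f"student@{IDP_SCOPE}"}},
    "affiliates": {"eduPersonScopedAffiliation": {f"affiliate@{IDP_SCOPE}"}},
}


def derive_targeted_id(uid, sp_entity_id):
    """Derived attribute: a pairwise pseudonym, stable for one (user, SP) pair but
    unlinkable across SPs. Keyed HMAC over user and SP identity is one common
    construction; assumed here, not necessarily what OpenAthens LA does."""
    msg = f"{uid}!{sp_entity_id}".encode()
    mac = hmac.new(TARGETED_ID_SECRET, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).rstrip(b"=").decode()


def assemble_attributes(user, sp_entity_id):
    """Everything known about the user: store values, category values, derived values."""
    attrs = {"uid": {user["uid"]}, "mail": {user["mail"]}}
    for cat in categorise(user):
        for name, values in CATEGORY_ATTRIBUTES[cat].items():
            attrs.setdefault(name, set()).update(values)
    attrs["eduPersonTargetedID"] = {derive_targeted_id(user["uid"], sp_entity_id)}
    return attrs


# Release policy: "*" is "release attribute x to everyone"; a specific entity ID is
# "release attribute y to service z". Anything not listed is never released (default
# deny), so adding a new attribute to the model does not silently leak it.
RELEASE_POLICY = {
    "*": {"eduPersonScopedAffiliation", "eduPersonTargetedID"},
    "https://sp.library-z.example.org/shibboleth": {"mail"},   # assumed SP entity ID
}


def release(uid, sp_entity_id):
    """Attributes that actually leave the organisation for this service provider."""
    allowed = RELEASE_POLICY["*"] | RELEASE_POLICY.get(sp_entity_id, set())
    attrs = assemble_attributes(USERS[uid], sp_entity_id)
    return {name: sorted(values) for name, values in attrs.items() if name in allowed}


if __name__ == "__main__":
    for sp in ("https://sp.library-z.example.org/shibboleth", "https://unknown.example.net/sp"):
        print(sp, release("alice", sp))
```

Running it shows that an unknown service provider receives only the scoped affiliation and a targeted ID, while the named service additionally receives mail; uid is never released because no policy entry names it, and the targeted ID for the same user differs between the two services.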
OpenAthens LA 2.0: release schedule
March 2009: Initial alpha
June 2009: Beta release
July 2009: .NET runtime alpha release
July 2009: Test VM images
end July 2009: OpenAthens LA 2.0 Apache GA release
Sept 2009: .NET runtime GA release
Oct/Nov 2009: 2.1 advisory group
Jan 2010: 2.1 release