Upload: brittany-fitzgerald, posted 16-Jan-2016 (39 pages)

Page 1

Athens Shibboleth Interoperability
Lyn Norris, Athens Manager
© EduServ Commercial in confidence

Page 2

• Overview of Athens
• Overview of Shibboleth
• Interoperability
• Athens in action

Page 3

Athens is:

• An Access Management System for web resources
– Managing access for approved individuals to approved content
• on behalf of the content owner
• in accordance with licence conditions
• Primarily commercial academic research material ‘sold’ under site licence conditions

Page 4

Academic Research Material

• Many information sources
– metadata, full text, references
• Many content owners
– primary publishers
– secondary database owners
• Many ways to subscribe or register
– publisher, subs agent, consortia deals
• Linking systems
• Portals, VLEs, MetaLib, Encompass

Page 5

IP Authentication

• Attractive
– seamless access for users
– ease of management for organisation and resource provider
• one-off registration for the whole site
• infrequent changes
• user doesn’t have to remember anything

Page 6

IP Authentication

• Difficulties
– relatively easy to fake
– complicated access for people working off site
– no personalisation
• saved searches
• favourite journals
• accountability

Page 7

Athens

• for the user
– provides single-credential access to many online resources
• for the subscribing organisation
– provides a set of tools for managing a potentially large number of users
• for the service provider
– makes the service more attractive to users
– removes the task of managing IP addresses or usernames and passwords for customers

Page 8

Diagram: Athens architecture (labels recovered from the slide)

Online resources offering Athens protection (e.g. ScienceDirect, Wiley InterScience, SwetsWise, Oxford Reference Online, ExLibris Metalib): 259 total resources
Athens Agent
Admin Interface
Central Repository: organisations, usernames, rights
Organisations: 247 HE, 270 FE, 206 NHS, 75 other; 798 total; 2 million+ accounts

Page 9

Athens

• Single sign-on across multiple services
• Cookie session maintained inside the Athens Authentication Domain (auth.athensams.net)
• Authentication transferred across domains
• Secure
– Password never leaves the Authentication Domain
– Tokens are time-limited and cryptographically signed
– AAP (Athens Authentication Point) operates over SSL
• Authorisation negotiated between a service provider and Athens
– Agent technology, C or Java APIs or Apache/IIS modules
– SOAP web-services interface

Page 10

Diagram: Athens first access and sign-on (labels recovered from the slide; the step numbers 1 to 9 cannot be reliably ordered from the extracted text)

Parties: Agent at the DSP (the service provider); Authentication Point in the Athens Authentication Domain; Athens Account Server
Labels: First Access; HTTP refer to get authorisation; Login; Sign On; Check username token, authenticate; Username; Username + transfer token; Short Life Transfer Token; Long Term Token; Cookie (Long Term Token, held in the Authentication Domain)
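The token properties on the previous slide (password never leaves the Authentication Domain, tokens time-limited and signed, a short-life transfer token carried across domains alongside a long-term cookie token) can be shown in working code. The block below is an added example and is not Athens code or Athens' token format: the HMAC key, lifetimes, the `username|kind|expiry` layout, the user record and the assumption that the service-provider agent can verify with the domain key (in Athens the agent negotiates with Athens) are all constructed for illustration.

```python
import base64
import hashlib
import hmac
import secrets
import time

# Constructed example: key, lifetimes, token layout and user record are assumptions,
# not Athens' actual format. The key is held only inside the Authentication Domain.
AUTH_DOMAIN_KEY = secrets.token_bytes(32)
TRANSFER_TOKEN_TTL = 60          # seconds: short-life transfer token handed across domains
LONG_TERM_TOKEN_TTL = 8 * 3600   # seconds: long-term token kept in the auth-domain cookie

# Constructed user store. A real store would use a slow password hash (bcrypt, scrypt, Argon2).
USER_DB = {"alice": hashlib.sha256(b"correct horse").hexdigest()}


def _sign(payload, key):
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def mint_token(username, kind, ttl, key, now=None):
    """Build 'base64(username|kind|expiry).hmac'. The password is never part of a token."""
    if "|" in username:
        raise ValueError("username must not contain the field separator")
    now = int(time.time()) if now is None else now
    payload = f"{username}|{kind}|{now + ttl}".encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload, key)


def verify_token(token, expected_kind, key, now=None):
    """Return the username if the signature is valid, the kind matches and the token is unexpired."""
    now = int(time.time()) if now is None else now
    try:
        body_b64, mac = token.rsplit(".", 1)
        payload = base64.urlsafe_b64decode(body_b64.encode())
        username, kind, expiry = payload.decode().split("|")
    except ValueError:          # malformed token: bad base64 or wrong field count (binascii.Error is a ValueError)
        return None
    if not hmac.compare_digest(_sign(payload, key), mac):
        return None             # tampered, or signed under a different key
    if kind != expected_kind or now >= int(expiry):
        return None             # a long-term cookie must not pass as a transfer token, and vice versa; no expired tokens
    return username


def authentication_point_login(username, password, now=None):
    """Runs inside the Authentication Domain, the only place that ever sees the password.
    On success returns (long-term cookie token, short-life transfer token)."""
    digest = hashlib.sha256(password.encode()).hexdigest()
    if not hmac.compare_digest(USER_DB.get(username, "0" * 64), digest):
        return None
    cookie = mint_token(username, "long", LONG_TERM_TOKEN_TTL, AUTH_DOMAIN_KEY, now)
    transfer = mint_token(username, "transfer", TRANSFER_TOKEN_TTL, AUTH_DOMAIN_KEY, now)
    return cookie, transfer


def agent_accept_transfer(username, transfer, now=None):
    """Service-provider side: the agent receives 'username + transfer token' and checks that the
    token was issued for that username and is still inside its short lifetime.
    Assumption: the agent verifies with the domain key; in Athens the agent negotiates with Athens."""
    return verify_token(transfer, "transfer", AUTH_DOMAIN_KEY, now) == username


if __name__ == "__main__":
    cookie, transfer = authentication_point_login("alice", "correct horse", now=1000)
    print("fresh transfer token accepted:", agent_accept_transfer("alice", transfer, now=1030))
    print("transfer token accepted after expiry:", agent_accept_transfer("alice", transfer, now=1061))
    print("cookie accepted as transfer token:", agent_accept_transfer("alice", cookie, now=1030))
```

The `kind` field matters: the long-term cookie and the transfer token are signed by the same key, so without it a stolen cookie could be replayed to a service provider as if it were a freshly issued transfer token.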

Page 11

Athens Client Base I

• Communities
– UK Higher and Further Education
– NHS (National Health Service)
– British Council
• Organisations
– 250 Universities
– 250 Further Education Colleges
– 200 NHS organisations
– 100 assorted organisations world-wide

Page 12

AMADEUS on the InternetAMICO libraryAPU Library ProxyBANKSCOPE on the InternetBIDS Education ServiceBIDS IBSS ServiceBIDS Silver Platter INSPEC serviceBIDS SilverPlatter PsycINFO ServiceBMJ JournalsBioMed CentralBlackwell-Synergy.comBritish Standards OnlineButterworths Accountancy DirectButterworths All England DirectButterworths Banking Law DirectButterworths Businesscompliancedirect.coButterworths CaseSearchButterworths Civil Procedure OnlineButterworths Commercial Property LawButterworths Corporate FinanceButterworths Corporate Law DirectButterworths Crime OnlineButterworths EBL Direct EssentialsButterworths EBL Direct PremiumButterworths EU DirectButterworths Employment OnlineButterworths Family and Child DirectButterworths Financial Regulations ServiButterworths Forms and Precedents DirectButterworths HSE DirectButterworths Halsbury's Laws of ...Butterworths Human Rights DirectButterworths Insolvency Law DirectButterworths Intellectual Property ...Butterworths International TaxButterworths Law DirectButterworths Law Reports DirectButterworths Legal UpdaterButterworths Legislation DirectButterworths Licensing DirectButterworths Local Government DirectButterworths PI OnlineButterworths PensionsProButterworths Property Tax DirectButterworths Scotland DirectButterworths Sergeant Sims Stamp DutyButterworths Stair Memorial

Butterworths Stone's Justices ManualButterworths Tax DirectButterworths Tax Planning ServiceButterworths Trusts and Estates DirectButterworths US Banking Editions OnlineCSA AqualineCSA Artbibliographies ModernCSA Internet Database ServiceCSA Linguistics & Language BehaviourCSA e-psycheCartalinxCavendish Publishing eLibraryCensus Dissemination UnitCensus Geography Data Unit (UKBORDERS)Census Interaction Data ServiceCensus Learning ResourcesCensus Microdata Unit at the CCSRCensus Registration ServiceChadwyck-Healey KnowEuropeChadwyck-Healey KnowUK DatabaseChadwyck-Healey LION for collegesChadwyck-Healey Literature OnlineChadwyck-Healey PCI Full Text DatabaseCity University Virtual LibraryCochrane LibraryCrossFire Service (AUTONOM)CrossFire Service (PLUSABGM)CrossFire self-teach modules (MIMAS-XFT)Dialog DataStarDialog@SiteEBSCO EJSEBSCO databasesEDINA AGDEXEDINA Art AbstractsEDINA Art Index RetrospectiveEDINA BIOSISEDINA BIOSIS Previews 1969 - 1984EDINA CAB AbstractsEDINA CompendexEDINA DigimapEDINA EconLitEDINA INSPECEDINA Index to The Times, 1790 - 1980EDINA MLAEDINA PAISEDINA Palmer's IndexEDINA UPDATE

EEBOEIU City Data on the InternetEIU Country Data on the InternetEIU Country Indicators on the InternetESDU DataESRI NTF ConvertersEducation Media OnLineEducation Media OnLine medical-restrictElectronic Surgeons in Training EducatioEmerald Computer AbstractsEmerald FulltextEmerald Int. Civ. Eng. AbstractsEmerald Management ReviewsExtenza e-Publishing ServiceFAME on the InternetGale Group InfoTracHEFCE ReviewISI JCR Science EditionISI JCR Social Sciences EditionISI Web of Science Service for UK Educn.IdrisiIngenta SelectIngentaJournals Full Text ServiceIsle of Man GIS dataJASPERJUSTIS CELEXJUSTIS Celex and OJCJUSTIS Daily CasesJUSTIS ECJ ProceedingsJUSTIS European ReferencesJUSTIS Family LawJUSTIS HermesJUSTIS Human RightsJUSTIS Industrial CasesJUSTIS Law Reports (eLR)JUSTIS Lloyd's Law ReportsJUSTIS Mental Health Law ReportsJUSTIS Official Journal CJUSTIS Prison Law ReportsJUSTIS UK Statutes and SIsJUSTIS Weekly LawJustCiteKeynoteLexisNexisMD ConsultMIMAS ISI BIOSIS PreviewsMIMAS ISI Chemistry Server

MIMAS ISI Current Contents ConnectMIMAS ISI Derwent Innovations IndexMIMAS InfoterraMIMAS LandmapMIMAS Landmap MediterraneanMIMAS TimeWeb OECD Main Economic IndicatMIRA Virtual Automotive Info CentreMartindale & Stockleys Drug InteractionsMintel ReportsMulberryNeLH Evidence-Based on CallNeLH Journal of Medical ScreeningNetLibraryNewsBank InfoWebOCLC FirstSearch ServiceOSIRIS on the InternetOvid OnlineOxford English Dictionary OnlineOxford Reference OnlinePapyrus software for DOSPapyrus software for the MacParlianetPrimal Pictures Basic Anatomy (NHS)Primal Pictures anatomy.tvProQuestProQuest Reference AsiaRCS Discussion ForaRCS Library Electronic JournalsRCS Members AreaRefWorksSCRAN Web SiteScienceDirectSilverPlatter ARC ServiceSilverPlatter Arc2SwetsWiseSynsoft HYDRA and HYDRA ONLINETRILTTechnical Indexes Info4EducationTechnical Indexes Info4HealthEstatesThe Times Law ReportsUK JSTOR Mirror ServiceWestlaw UKWiley InterScienceXpertHRZETOC - BL Electronic Table of ContentseSTEP administrators resourcexreferplus

Full list of services authenticated by Athens

Page 13

Athens Devolved Authentication

• Authentication is devolved to an institutional authentication system
• Authentication is asserted to Athens by means of cryptographic trust
• Users are assigned a virtual account
– Permission set (role)
– Unique id
• Authorisation is still performed within Athens, but is role-based

Page 14

Authentication System

• It could be
– LDAP Directory
– Kerberos
– Library OPAC, or ILS
– Portal authentication system
– VLE
– X.509 certificates

Page 15

What Athens needs to know

• Permission set
– Created and held within Athens
– Must be at least one per organisation
– Defines role for user (e.g. staff, student)
• Unique identifier
– Must be numeric (32 bits)
– Must be persistently bound to an individual
– e.g. student/staff number

Page 16

What you need to do

• Run an XAP (login point)
– Perl and ActiveX/COM versions provided by Athens
• Develop a UAS (User Authority Service)
– UAS provides an abstract interface between the XAP and the authentication service
– Authenticates the user against the local service
– Assigns the user a permission set and unique identifier based on attributes

Page 17

Diagram: XAP and UAS (labels recovered from the slide)

User → XAP (login, credentials)
XAP → UAS (credentials)
UAS → Authentication service, e.g. LDAP (credentials); Authentication service → UAS (user attributes)
UAS applies the permission-set mapping and returns permission set and UID to the XAP
XAP → AAP (Athens)

Page 18

Trust/Encryption

• Athens does not know about the user
– Athens must trust the organisation to only assert valid users (licence obligation)
– Athens must trust that it really is the organisation asserting the user (cryptographic trust)
– Shared symmetric keys enforce the trust relationship

Diagram: Organisations A, B and C each hold their own symmetric key; Athens holds keys A, B and C, selected by Organisation ID. An assertion from an unknown Organisation ID (shown on the slide as ???) has no key to be checked against.
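Slides 15 to 18 together describe one procedure: the UAS maps local attributes to a permission set and a 32-bit numeric unique id, the XAP asserts that pair to Athens, and Athens checks the assertion with the symmetric key shared with the claimed organisation before doing its own role-based authorisation. The block below is an added example covering those slides and is not AthensDA code or its wire format: the organisation ids and keys, the `affiliation` and `id_number` attribute names, the JSON assertion layout and the 300-second freshness window are constructed assumptions.

```python
import hashlib
import hmac
import json

# Constructed example. Organisation ids, keys, the attribute names, the JSON layout and the
# freshness window are assumptions, not the AthensDA wire format.
ORG_KEYS = {                     # shared symmetric keys: one copy at the organisation's XAP, one at Athens
    "org-a": b"org-a-shared-secret-0123456789abcdef",
    "org-b": b"org-b-shared-secret-fedcba9876543210",
}
PERMISSION_SETS = {              # created and held within Athens, at least one per organisation
    "org-a": {"staff", "student"},
    "org-b": {"member"},
}
ASSERTION_MAX_AGE = 300          # seconds (assumption; the slides say only that trust is cryptographic)
UID_LIMIT = 2 ** 32              # unique id must be numeric, 32 bits


def uas_map(org_id, attrs):
    """UAS step: local attributes -> (permission set, unique id), or None if the user cannot be asserted.
    Mapping rule (constructed): the local 'affiliation' names the permission set and 'id_number' is
    the persistent numeric identifier (e.g. staff/student number)."""
    perm_set = attrs.get("affiliation")
    if perm_set not in PERMISSION_SETS.get(org_id, set()):
        return None                      # no permission set for this role: do not assert the user
    raw = attrs.get("id_number", "")
    if not raw.isdigit():
        return None                      # must be numeric; a non-numeric local id needs a persistent mapping first
    uid = int(raw)
    if uid >= UID_LIMIT:
        return None                      # must fit in 32 bits
    return perm_set, uid


def xap_assert(org_id, perm_set, uid, issued, key):
    """XAP step: build the assertion and sign it with the organisation's shared key."""
    body = json.dumps({"org": org_id, "ps": perm_set, "uid": uid, "issued": issued},
                      sort_keys=True, separators=(",", ":"))
    return body, hmac.new(key, body.encode(), hashlib.sha256).hexdigest()


def athens_accept(body, mac, now):
    """Athens step: the key is chosen by the claimed Organisation ID, so a body claiming org A but
    signed with org B's key fails. Returns (virtual account id, permission set) or None."""
    try:
        data = json.loads(body)
        org_id, perm_set, uid, issued = data["org"], data["ps"], data["uid"], data["issued"]
    except (ValueError, KeyError, TypeError):
        return None
    key = ORG_KEYS.get(org_id)
    if key is None:
        return None                      # unknown organisation: nothing to verify against
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        return None                      # not signed by the claimed organisation
    if not isinstance(uid, int) or not 0 <= uid < UID_LIMIT:
        return None
    if perm_set not in PERMISSION_SETS[org_id]:
        return None                      # role-based authorisation still lives in Athens
    if not isinstance(issued, int) or not 0 <= now - issued <= ASSERTION_MAX_AGE:
        return None                      # stale or future-dated assertion
    return f"{org_id}:{uid}", perm_set   # virtual account: organisation-scoped unique id plus role


if __name__ == "__main__":
    mapped = uas_map("org-a", {"affiliation": "staff", "id_number": "0012345"})
    body, mac = xap_assert("org-a", *mapped, issued=1000, key=ORG_KEYS["org-a"])
    print(athens_accept(body, mac, now=1100))
```

Because every organisation's key also sits at Athens, compromise of the Athens key store lets anyone assert users for any organisation; that is the trade-off of shared symmetric keys that a per-organisation asymmetric key pair would avoid.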

Page 19

Diagram: Devolved authentication flow (labels recovered from the slide; steps 1 to 11 cannot be reliably ordered from the extracted text)

Athens Authentication Domain: AP (Authentication Point), Accounts Server, Home Domain Discovery
Institution: XAP, UAS, Local Authentication Service
Other labels: User, DSP, Authentication Referral, Authentication, Return, "Binding with Permission set" (step 7)

Page 20

Modes of operation

• HDD (Home Domain Discovery)
– A user goes direct to a service provider
– We have to find out their institution
• LAA (Local Authentication Assertion)
– A user starts locally at their institution
– VLE, library portal, desktop login etc.
– AthensDA used to establish the Athens session pre-emptively

Page 21

HDDS – Phase 2

Page 22

Shibboleth is:

• Emerging web authorisation architecture
• Internet2/MACE project
• Reference implementation software
– V0.8 released 8th March 2003
– V1.0 due end of May
• Key concepts
– Authentication federated to the institution
– Pseudonymity for individuals
– Attribute Authority at the institution
– Authorisation decision made by the resource provider based on user attributes

Page 23

Diagram: Shibboleth Handle Acquisition (labels recovered from the slide; numbered steps 1, 2, 3, 3a, 3b, 4)

University (origin): Authentication System, Handle Service, Attribute Authority
WAYF (Where Are You From service)
Resource Provider (target) at http://www.CoolResource.com: HTTP Server, SHIRE (Shibboleth Indexical Reference Establisher), SHAR (Shibboleth Attribute Requester)
"Joe surfs the web" to the resource

Page 24

Diagram: Shibboleth Attribute Acquisition (labels recovered from the slide; numbered steps 1, 2, 3, 3a, 3b, 4, 5, 6)

Same parties as Page 23: University (Authentication System, Handle Service, Attribute Authority), WAYF, Resource Provider at http://www.CoolResource.com (HTTP Server, SHIRE, SHAR)
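The two Shibboleth diagrams split the exchange into handle acquisition (the origin authenticates Joe and its Handle Service hands the target's SHIRE an opaque handle) and attribute acquisition (the target's SHAR presents the handle to the origin's Attribute Authority, which releases attributes, after which the target decides access). The block below is an added example of those two phases and the key concepts on Page 22; it is not Shibboleth code and omits the SAML messages. The user directory, the `affiliation`/`name`/`mail` attribute names, the per-target release policy, the handle lifetime and the target's access rule are constructed assumptions.

```python
import secrets

# Constructed example: the user directory, attribute names, release policy, handle lifetime and the
# target's access rule are assumptions; the SAML message formats Shibboleth uses are omitted.
USER_ATTRS = {   # held at the origin (the university), never sent wholesale to a target
    "joe": {"affiliation": "member", "name": "Joe Bloggs", "mail": "joe@example.ac.uk"},
}
RELEASE_POLICY = {   # attribute release policy, per target: what the Attribute Authority may disclose
    "www.CoolResource.com": {"affiliation"},
}
HANDLE_TTL = 300     # seconds an issued handle stays resolvable (assumption)


class HandleService:
    """Origin side. Issues an opaque handle per authenticated session; the mapping back to the
    user stays here, which is what gives the user pseudonymity towards the target."""

    def __init__(self):
        self._handles = {}   # handle -> (user, expiry)

    def issue(self, user, now):
        handle = secrets.token_urlsafe(16)           # random: carries no user information
        self._handles[handle] = (user, now + HANDLE_TTL)
        return handle

    def resolve(self, handle, now):
        entry = self._handles.get(handle)
        if entry is None or now >= entry[1]:
            return None
        return entry[0]


class AttributeAuthority:
    """Origin side. Answers the target's SHAR with only the attributes the policy releases to it."""

    def __init__(self, handle_service):
        self._hs = handle_service

    def query(self, handle, target, now):
        user = self._hs.resolve(handle, now)
        if user is None:
            return None                              # unknown or expired handle
        allowed = RELEASE_POLICY.get(target, set())
        return {k: v for k, v in USER_ATTRS[user].items() if k in allowed}


def target_authorise(attrs, required_affiliation="member"):
    """Target side: the resource provider, not the origin, decides access from the attributes."""
    return attrs is not None and attrs.get("affiliation") == required_affiliation


def shibboleth_access(user, target, handle_service, attribute_authority, now):
    """Both diagrams end to end: handle acquisition (the Handle Service issues a handle that the
    target's SHIRE receives), then attribute acquisition (the SHAR presents the handle to the
    Attribute Authority) and the target's authorisation decision.
    Returns (handle, released attributes, decision)."""
    handle = handle_service.issue(user, now)                   # handle acquisition
    attrs = attribute_authority.query(handle, target, now)     # attribute acquisition
    return handle, attrs, target_authorise(attrs)


if __name__ == "__main__":
    hs = HandleService()
    aa = AttributeAuthority(hs)
    print(shibboleth_access("joe", "www.CoolResource.com", hs, aa, now=1000))
```

The target only ever learns what the release policy allows (here just `affiliation`), and every session gets a fresh random handle, so two visits by the same user are not linkable by the target from the handle alone.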

Page 25

Diagram: Athens architecture with devolved authentication and a Shibboleth interface (labels recovered from the slide)

Online services offering Athens protection (e.g. ScienceDirect, Wiley InterScience, SwetsWise, Oxford Reference Online, ExLibris Metalib): 259 total services
Athens Agent; Admin Interface
Central Repository: organisations, usernames, rights
Organisations: 247 HE, 270 FE, 206 NHS, 75 other; 798 total; 2 million accounts
Devolved Authentication: ~10 organisations using local authentication (LDAP Directory Service, Kerberos, X.509 certificates)
Shibboleth Interface: online services offering Shibboleth protection

Page 26

Inter-operability

• Allow Shibboleth institutions (origins) access to Athens-protected resources
• Allow Athens institutions access to Shibboleth-protected resources (targets)
– Demonstrated Athens as origin on v0.7
• Allow any trusted authentication system access to Athens-protected resources
• Establish peer-to-peer relationships

Pages 27 to 38: no transcribed text (presumably the "Athens in action" demonstration slides)

Page 39

To Summarise

• Athens is a mature and evolving Access Management System
• Single Sign On access to many services
• Significant customer base of library resources
• Opportunities to inter-operate to mutual benefit
– with Shibboleth
– with other established authentication systems