Beyond Library eResources: Using OpenAthens for enterprise security – Jonathan Richardson (Assistant CIS Director), Robin Keith (Head of Web Development)

Upload: eduserv

Post on 20-Aug-2015

TRANSCRIPT

Page 1: Beyond Library eResources: Using OpenAthens for Enterprise Security

Beyond Library eResources: Using OpenAthens for enterprise security

Jonathan Richardson – Assistant CIS Director

Robin Keith – Head of Web Development

Page 2

April 18, 2023

Who are we?

300-acre campus university on the outskirts of Norwich

23,000 students

Rated in the top 3 of mainstream universities in the NSS

Fourth greatest concentration of ‘most highly cited researchers’ in the UK, after London, Oxford and Cambridge.

Page 3

Athens @ UEA

Pre-2006: used Classic Athens

High cost of management

Not user friendly – multiple passwords

2006: implemented Athens DA

Linked to the UEA Identity Management System for roles, and to Active Directory for authentication

Uses the Athens/Shibboleth gateway.

We only access other institutions’/external resources – there is no UEA Service Provider.

We need to move forwards…

Page 4

Why? What’s changed?

The Climate Science Hack has focused UEA on the security of our systems.

UEA is a target for hackers and phishing attacks.

Authentication and role-based access from mobile devices needs addressing.

Need to provide a means to place UEA content in the user’s space.

Need to develop a seamless, flexible and consistent authentication environment.

Need a way of putting more of our content into a federated environment.

Page 5

What we want to do: Our objective…

To have a single, seamless environment that supports internal and external authentication, with automatic single sign-on via multiple protocols to internal and external resources, based on the attributes of the user and on the level of confidence in the authentication and in the device being used.

There are many providers of Federated Access products.

Only OpenAthens allows SAML, Shibboleth and Athens.

Page 6

What we want to do: Components…

Identity Management

Authentication

Federated Access

Page 7

Components: Identity Management…

[Slide diagram: the UEA Identity Management System. It covers the populations Personnel, Visitors, Students, Applicants, Partners, Alumni, Contractor, Honorary, etc., with attributes such as Dept, Grade, Course, FT/PT and Status, and from these derives entitlements: AD Groups, Blackboard Groups, Library Rights, Physical Access, E-resources and Oracle Roles.]

Page 8

Components: Authentication…

Vintela Authentication Services

Eliminates complexity by allowing Unix, Linux, and Mac systems to participate as “full citizens” in Active Directory

Provides centralized authentication and single sign-on

Allows smart card authentication for Unix and Linux systems

Facilitates migration to a single Active Directory-based infrastructure for all systems and users

Simplifies security and compliance Group Policy for Unix, Linux, and Mac OS X systems

Vintela Services for Java enables AD authentication at the application level

Page 9

Components: Federated Access…

OpenAthens LA: supports multiple protocols, so gives us the best flexibility

OpenAthens SP: for UEA collections, provides the route for us to become a publisher

SimpleSAML: provides a lightweight route for us to SAML-enable many internal resources

Working with suppliers to enable SAML/Shibboleth authentication

Page 10

Putting it together: Extending OpenAthens…

[Slide diagram: the extended OpenAthens login flow. A request comes in over Athens, Shibboleth or SAML. Automatic login is attempted first via SPNEGO; if the user is already authenticated, no login screen is needed. Otherwise a login screen authenticates against LDAP (via an LDAP proxy) or a custom auth provider, and an alternative login screen (Facebook etc.) hands off to a 3rd-party IdP whose identities are mapped to UEA accounts. Authentication is backed by VAS and the UEA IDMS (SPOT). The login path also includes an anti-phishing screen and a return reason such as “password expired”. The attribute provider then supplies attributes, roles, ID and a level of confidence, which takes browser capability into account, and the response goes out over Athens, Shibboleth or SAML.]

Page 11

How? Enabling a variety of access…

[Slide diagram: the OpenAthens IdP is backed by UEA Active Directory and serves two routes. The Single Sign On Route covers Blackboard, UEA Alumni, UEA CRM Contacts and UEA Research Partners; the Always Authenticated Route covers the SPOT GUI, Polopoly (intranet), Polopoly (admin) and ePrints. External journals are also shown, alongside Athens, OpenID and InfoCard as access methods.]

Page 12

Progress: What we have done so far…

Custom install of OpenAthens LA 2.1 – the basic install was not secure!

HTTPS infrastructure

Implemented automatic login via SPNEGO

Integration with QAS (Quest/Vintela product)

Return authentication sub-errors via the PHP auth module, enabling password expiry management

Implemented SimpleSAML Service Provider

Page 13

Progress: What we have learnt so far…

SAML setups are HARD – especially with PKIs

OpenAthens makes it a bit easier – but the docs could be more detailed.

Need better public documentation of setting up various Service Providers.

Eduserv support has been really helpful.

Page 14

What’s next? This is not a short-term project!

Configure internal apps for SAML

Blackboard, Aleph, SITS e:Vision, etc.

Research OpenAthens as a keystone for collaborative working tools

Enable trusting the home institution.

Not just UK HEIs but globally, plus the NHS and UK/EU governments.

Address policy issues (ToCU etc.)

Address Teaching and Learning, Admin, Student Experience

- SU eVoting

- Placements – Medical + PGCE courses, collaboration with placement partners

Link external IDs like Facebook to internal accounts, with reduced levels of confidence.
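To make the routing on the “Extending OpenAthens” slide and the reduced-confidence linking of external IDs concrete, here is an added example that is not part of the slides or of OpenAthens: a small Python model in which each authentication route earns an assumed level of confidence and a resource policy is checked against it, with the password-expired sub-error surfaced as its own outcome. The route names, levels, role names and the “password_expired” reason string are assumptions.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Assumed confidence level per authentication route (higher = more trusted).
# SPNEGO proves a Kerberos ticket from a domain-joined device; the LDAP proxy
# and custom auth provider prove the UEA AD password; an external IdP such as
# Facebook only proves control of a linked external account (reduced level).
ROUTE_CONFIDENCE = {"spnego": 3, "ldap_proxy": 2, "custom_auth": 2, "external_idp": 1}


@dataclass(frozen=True)
class AuthResult:
    route: str
    user_id: Optional[str]            # None when authentication failed
    roles: FrozenSet[str] = frozenset()
    reason: Optional[str] = None      # sub-error from the auth module, e.g. "password_expired"
    browser_capable: bool = True      # browser capability also feeds the level of confidence


@dataclass(frozen=True)
class ResourcePolicy:
    name: str
    min_confidence: int
    required_roles: FrozenSet[str] = frozenset()


def confidence_level(result: AuthResult) -> int:
    """Level of confidence in this authentication; 0 means not authenticated."""
    if result.user_id is None:
        return 0
    level = ROUTE_CONFIDENCE.get(result.route, 0)
    if not result.browser_capable:
        level = min(level, 1)  # a limited browser cannot earn more than the reduced level
    return level


def decide(result: AuthResult, policy: ResourcePolicy) -> str:
    """Decide what the IdP should return for this resource."""
    if result.reason == "password_expired":
        return "redirect:password_expiry"  # surface the sub-error instead of a bare failure
    if result.user_id is None:
        return "redirect:login"
    if confidence_level(result) < policy.min_confidence:
        return "step_up"  # e.g. an external-IdP login must re-authenticate internally
    if not policy.required_roles <= result.roles:
        return "deny"
    return "allow"
```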

Page 15

Questions?