Beyond Library eResources: Using OpenAthens for enterprise security
Jonathan Richardson – Assistant CIS Director
Robin Keith – Head of Web Development
April 18, 2023
Who are we?
300-acre campus university on the outskirts of Norwich
23,000 students
Rated in the top 3 of mainstream universities in the NSS
Fourth greatest concentration of ‘most highly cited researchers’ in the UK, after London, Oxford and Cambridge.
Athens @ UEA
Pre-2006: used Classic Athens
High cost of management
Not user friendly – multiple passwords
2006: implemented Athens DA
Linked in to the UEA Identity Management System for roles, and to Active Directory for authentication
Uses the Athens/Shibboleth gateway.
We only access others’ (external) resources – there is no UEA Service Provider.
We need to move forwards…
Why? What’s changed?
Climate Science Hack has focused UEA on the security of our systems.
UEA is a target for hackers and phishing attacks.
Authentication and role-based access from mobile devices needs addressing.
Need to provide a means to place UEA content in the user’s space
Need to develop a seamless, flexible and consistent authentication environment.
Need a way of putting more of our content into a federated environment.
What we want to do: Our Objective…
To have a single, seamless environment that supports internal and external authentication, with automatic single sign-on via multiple protocols to internal and external resources, based on the attributes of the user and the level of confidence in the authentication and the device being used.
There are many providers of Federated Access products
Only OpenAthens allows SAML, Shibboleth and Athens
What we want to do: Components…
Identity Management
Authentication
Federated Access
Components: Identity Management…
[Diagram of identity populations and the attributes/roles derived from them: Personnel, Visitors, Students, Applicants, Alumni; AD Groups, Dept, Grade, Course, FT/PT, Contractor, Honorary, etc.; Blackboard Groups; Library Rights; Physical Access; Status; E-resources; Partners; Oracle Roles]
Components: Authentication…
Vintela Authentication Services
Eliminates complexity by allowing Unix, Linux, and Mac systems to participate as “full citizens” in Active Directory
Provides centralized authentication and single sign-on
Allows smart card authentication for Unix and Linux systems
Facilitates migration to a single Active Directory-based infrastructure for all systems and users
Simplifies security and compliance
Group Policy for Unix, Linux, and Mac OS X systems
Vintela Services for Java enable AD authentication at the application level
Components: Federated Access…
OpenAthens LA: supports multiple protocols, so gives us the best flexibility
OpenAthens SP: for UEA collections, provides the route for us to become a publisher.
SimpleSAML: provides a lightweight route for us to SAML-enable many internal resources
Working with suppliers to enable SAML/Shibboleth authentication
Putting it together: Extending OpenAthens…
[Flow diagram of the extended login path; the recoverable stages are:]
Request in (Athens, Shibboleth or SAML)
Automatic login: SPNEGO; if already authenticated, proceed straight to mapping
Authentication: login screen against LDAP (via the LDAP proxy); a return reason such as “password expired” is passed back to the login screen
Alternative login screen via a 3rd-party IdP (Facebook etc.) through a custom auth provider
Anti-phishing screen
Mapping via the attribute provider: UEA IDMS (SPOT) and VAS supply attributes, roles, ID and level of confidence (taking browser capability into account)
Response out (Athens, Shibboleth or SAML)
How? Enabling a variety of access…
[Diagram: OpenAthens IdP backed by UEA Active Directory, with two routes]
Single Sign On Route: Blackboard, UEA Alumni, UEA CRM Contacts, UEA Research Partners
Always Authenticated Route: SPOT GUI, Polopoly (intranet), Polopoly (admin), ePrints, External Journals
Also shown: Athens, OpenID, InfoCard
Progress: What we have done so far…
Custom install of OpenAthens LA 2.1 – the basic install was not secure!
HTTPS infrastructure
Implemented automatic login via SPNEGO
Integration with QAS (Quest/Vintela product)
Return authentication sub-errors via the PHP auth module, enabling password-expiry management
Implemented SimpleSAML Service Provider
Progress: What we have learnt so far…
SAML setups are HARD – especially with PKIs
OpenAthens makes it a bit easier, but the docs could be more detailed.
Need better public documentation on setting up various Service Providers.
Eduserv support has been really helpful.
What’s Next? This is not a short-term project!
Configure internal apps for SAML
Blackboard, Aleph, SITS e:Vision, etc.
Research OpenAthens as a keystone for collaborative working tools
Enable trusting the home institution.
Not just UKHEIs but globally, plus NHS and UK/EU governments.
Address policy issues (ToCU etc)
Address Teaching and Learning, Admin, Student Experience
- SU eVoting
- Placements - Medical + PGCE courses, collaboration with placement partners
Link external IDs like Facebook to internal accounts, with reduced levels of confidence.
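The login flow and this last point both turn on one policy: which route authenticated the user (SPNEGO, LDAP login, or a linked third-party IdP), what “Return Reason” goes back to the login screen, and what level of confidence the released attributes carry. The following is an added example modelling that policy in Python; it is not UEA or OpenAthens code, and the accounts, resource names and confidence thresholds are constructed.

```python
# Added example modelled on the talk's login flow; not UEA or OpenAthens code.
# Accounts, resource names and confidence thresholds are constructed.
from dataclasses import dataclass, field
from enum import IntEnum
from typing import List, Optional

class Confidence(IntEnum):
    NONE = 0
    LOW = 1     # third-party IdP (Facebook etc.) mapped to an internal account
    MEDIUM = 2  # interactive password login against LDAP (via the proxy)
    HIGH = 3    # automatic SPNEGO/Kerberos login from a domain-joined device
# Hypothetical minimum confidence per resource (not the talk's real policy).
RESOURCE_POLICY = {"e-journals": Confidence.LOW, "blackboard": Confidence.MEDIUM,
                   "spot-gui": Confidence.HIGH}
# Constructed IDMS view: username -> roles and LDAP password state.
ACCOUNTS = {"abc12xyz": {"roles": ["staff", "library"], "password_expired": False},
            "stu99abc": {"roles": ["student"], "password_expired": True}}
# Constructed links from (third-party IdP, subject) to internal accounts.
EXTERNAL_LINKS = {("facebook", "1001"): "abc12xyz"}

@dataclass
class AuthResult:
    ok: bool
    user: Optional[str] = None
    confidence: Confidence = Confidence.NONE
    roles: List[str] = field(default_factory=list)
    reason: Optional[str] = None  # the "Return Reason" passed back to the login screen

def _release(user: Optional[str], confidence: Confidence) -> AuthResult:
    # Look the user up in the IDMS view and release roles at the given confidence.
    acct = ACCOUNTS.get(user) if user else None
    if acct is None:
        return AuthResult(False, reason="no linked IDMS account")
    return AuthResult(True, user, confidence, list(acct["roles"]))

def authenticate(req: dict) -> AuthResult:
    """req['route'] is 'spnego', 'ldap' or 'external', mirroring the flow's branches."""
    if req["route"] == "spnego":  # Kerberos principal user@REALM -> username
        return _release(req["principal"].split("@")[0].lower(), Confidence.HIGH)
    if req["route"] == "ldap":
        acct = ACCOUNTS.get(req["username"])
        if acct is None or not req.get("password_ok", False):
            return AuthResult(False, reason="invalid credentials")
        if acct["password_expired"]:  # sub-error surfaced instead of a bare failure
            return AuthResult(False, req["username"], reason="password expired")
        return _release(req["username"], Confidence.MEDIUM)
    if req["route"] == "external":
        return _release(EXTERNAL_LINKS.get((req["idp"], req["subject"])), Confidence.LOW)
    return AuthResult(False, reason="unknown route")

def authorise(result: AuthResult, resource: str) -> bool:
    # Allow only when authenticated at or above the resource's required confidence.
    return result.ok and result.confidence >= RESOURCE_POLICY.get(resource, Confidence.HIGH)
```

An unknown resource defaults to requiring HIGH confidence, so a newly SAML-enabled application is denied to social-login sessions until it is explicitly added to the policy.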
Questions?