Jakob Gadegaard Bendixen, [email protected] Shibboleth protected proxy servers a case study from the Danish library sector

Upload: clarissa-dennis

Post on 18-Jan-2018

Page 1: Shibboleth protected proxy servers: a case study from the Danish library sector

Jakob Gadegaard Bendixen, [email protected]

Page 2: DEFF

Denmark's Electronic Research Library

Founded in 1998 to provide a joint IT strategy for the Danish research libraries

Provides infrastructure and middleware for the libraries

Page 3: AAI

One of the original visions was to provide a standardized way to handle user administration and access control across institutional borders

Did anyone say federation…

Page 4: The DEF key

An ambitious project called ‘The DEF key’ attempted to realize this vision.

A lot of effort went into it, but the project was dropped due to a conflict of interest

Page 5: DEFF Services

DEFF negotiates licenses for accessing article databases and electronic periodicals for the research libraries

Most of these are campus-wide licenses and the access control is IP based

Page 6: Challenge

How do we provide home access for the users such that
• Only registered users have access
• Access through ordinary web browser
• No need for changing browser settings (necessary with ordinary proxy servers)

Page 7: LDAP 2001

In 2001 a new project was launched to meet this specific challenge
• The lesson learned from the DEF key project was that it failed because it tried to be as general as possible
• So this time one of the goals was to design a solution which met only this specific challenge

Page 8: The Solution

A network of LDAP servers (one for each involved institution) providing data for a centralized login controlling the access to a farm of rewriting proxy servers
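
An added sketch, not DEFF's code and not part of the original slides, of the access decision a login-gated rewriting proxy makes for each request. The hostname encoding, the `example` hostnames, the licence table and the session shape are all assumptions made for illustration.

```python
import re
from urllib.parse import quote, urlsplit, urlunsplit

# All names below are assumptions for illustration, not DEFF's configuration.
PROXY_SUFFIX = ".proxy.example.org"        # hypothetical proxy farm domain
LOGIN_URL = "https://login.example.org/"   # hypothetical central login
LICENSED = {                               # constructed: origin host -> licensed institutions
    "journals.example.com": {"uni-a", "uni-b"},
    "db.example.net": {"uni-a"},
}

def to_proxy_url(url):
    """Rewrite an origin URL into a proxy hostname ('.' -> '-', '-' -> '--')."""
    p = urlsplit(url)
    label = p.hostname.replace("-", "--").replace(".", "-")
    return urlunsplit(("https", label + PROXY_SUFFIX, p.path, p.query, ""))

def origin_host(proxy_host):
    """Invert the hostname encoding, or return None if this is not a proxy host."""
    if not proxy_host.endswith(PROXY_SUFFIX):
        return None
    label = proxy_host[: -len(PROXY_SUFFIX)]
    return re.sub(r"--|-", lambda m: "-" if m.group() == "--" else ".", label)

def authorize(request_url, session):
    """Decide what the proxy does with a request: allow, send to login, or deny."""
    p = urlsplit(request_url)
    origin = origin_host(p.hostname or "")
    # Refuse anything outside the configured domain list, logged in or not,
    # so the farm never becomes an open proxy.
    if origin not in LICENSED:
        return ("deny", "domain not configured")
    if session is None:
        # No browser settings involved: unauthenticated users are redirected.
        return ("login", LOGIN_URL + "?return=" + quote(request_url, safe=""))
    if session["institution"] not in LICENSED[origin]:
        return ("deny", "institution not licensed")
    return ("allow", urlunsplit(("https", origin, p.path, p.query, "")))
```

The domain check runs before the session check, so an unlisted host is refused without ever triggering a login redirect.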

Page 9: Diagram

[Diagram labels: Central login; LDAP (×3); Proxy server; Service Provider (×3)]

Page 10: Some Statistics

We have a solution running in production with
• 40+ user organizations
• ~ 250.000 users
• providing access to several hundred databases
• Configuration lists more than 7.000 domains

Page 11: Is it perfect?

A short answer: no, but it is working
• 2 single points of failure (login and proxy)
• Centralized login = potential security issue
• Performance issue
• URL exchanging issue

Page 12: Shibbolizing the setup

In 2005 we ran a pilot project to try to put Shibboleth access control on our proxy farm

EZProxy has already been Shibbolized by the vendor. This version does not, however, fully meet our requirements

Page 13: Diagram

[Diagram labels: Identity Provider; WAYF; Proxy server; Service Provider (×3)]

Page 14: Have you implemented it?

The short answer: no

The building of a Danish federation, DK-AAI, is in progress and we are awaiting the outcome of this project

Page 15: Why use proxies at all?

It allows us to progress in building our federation without having to wait for the resource providers to get Shibboleth ready

Some resource providers probably will not be ready in this decade

Page 16: Diagram

[Diagram labels: Identity Provider; WAYF; Proxy server; Service Provider (×3)]

Page 17: Questions and [email protected]

www.deff.dk

www.deff.dk/aai