Notes from the JISC Access Management Showcase Event of 18 July 2006

Held at One Great George Street, Westminster, London. (Institute of Civil Engineering, ICE).

All slides available on the JISC web site, shortly. Go to this URL and you should see them soon:

From OUCS, there were Mark Norman (author of these notes), Beth Crutch, Alun Edwards and Christian Fernau. (There was also Matthew Garrood from UCISA and David Spence from CCLRC - relevant to ShibGrid).

Sarah Porter - Opening Keynote

[Sarah, necessarily, went pretty quickly through her slides so I did not capture it all - there was lots of interesting detail there though, so you should look at the slides when they are posted on the site].

JISC to continue funding Athens only to July 2008.

UK Access Management Federation to launch in November 2006

Introduced PERSEUS, SPIE and KC-ROLO projects as examples (well done Christian!).

What does it mean for institutions?

Institutional effort is needed to put in place the elements to facilitate devolved authN.

Why has JISC chosen this route?

Research indicates that this is the most appropriate technology.

Meets the defined criteria for AM systems in UK:

Fed access management required to meet other national requirements

The Federation

To be run by UKERNA on behalf of JISC and BECTA

Federation Gateway

Run by Eduserv through the UK Access Management Federation (currently piloting through SDSS)

Outreach

JISC leading extensive programme in UK (for institutes and service providers)

Have been doing an 'Institutional Preparedness Study'

Establishing named contacts

http://www.jisc.ac.uk/federation_events.html

Assisted Take up

MATU service from Eduserv


Most of the rest of the meeting was parallel sessions, so these notes only cover those which I (Mark) attended.


Best Practice for Directory Services

(Attended by Mark and Beth Crutch.)

Introduced by Karin Maslen from MATU.

Talked a bit in general about the Middleware Assisted Take Up Service.

Nigel Bruce - Active Directory and Shibboleth

ISS, University of Leeds

Leeds moved to AD from NDS and eDirectory 4 years ago.

LURCIS

Leeds University Registration and Certificate Issuing Service (not used to issue certificates very much now), but it is the meta-directory.

Accounts in AD generated from the meta-dir LURCIS via LDAP

LURCIS is the attribute store, instead of Active Directory.

If Leeds had not already had LURCIS, they might have used something like Microsoft IIS.

IdP

Currently use AthensIM implementation of Shibboleth as their IdP. Runs on a Win 2003 server under Tomcat.

Use LDAP to authenticate users to the Handle Service.

Intend to move to Internet2 release when v.2 comes out.

General Points

Nigel doesn't believe that AD is the right place to store large amounts of data on users (e.g. enrolment).

If you have to use AD then AD Application Mode (ADAM) might be more appropriate.

Relational databases (RDBMS) such as SQL Server or Oracle are more flexible tools.

Be pragmatic! Do what is right for your institution. Depends on where you are starting from (and where you're going).

Rhys Smith, Cardiff's use of Directory Services

(For Identity Management).

Data must be accurate (data authorities - who 'own' the data) and timely (good links to data authorities).

Need for good controls over who can change the data.

Structure of directories

Separate Identity Vault, Production Tree and AuthN/Z tree (put the right stuff in the right place).

At Cardiff:

POBLOGI tree (e-Dir, holds identities, flat structure) feeds in and out to the registration databases etc. Also links to Services (e.g. Groupwise, file services).

UK-AC-JCCS structured tree (e-Dir production tree, accounts etc.)

HARMONICA tree (e-Dir for CITRIX)

FARAWAY tree (eDir lightweight tree for AuthN to web apps etc).

Consider very carefully how to structure your trees (if you haven't started yet). Cardiff's is structured by Department/School. The directory isn't the (business) hierarchy, but people often think that it is.

Schemas

e.g. eduPerson, POSIXUser schemas

Instead of adding a schema to a tree, each as new object...

Conclusions

Accurate, timely data needs good links with data authorities and control over who can edit it.

Consider multiple trees (but not too many!).

Implement eduPerson (or not)? If you can show eduPerson attributes to the outside world, then that's the main thing. You may not need to implement the whole schema in LDAP. They didn't need to do it in Cardiff.

For federated AM, it's a good idea to create a lightweight AuthN/AuthZ tree.

Salford Software, Simon Bilton

Fully owned by Salford University.

Why do we need user management?

Identity management - Simon thinks that 70% of the effort is in getting the business model understood. The remaining 30% is in the technical effort.

Single Sign on Solutions

Nicole Harris.

Brian Gilmore provided much of the material for the slides. See Brian's report on the JISC web site.

Types of SSO?

Risk Analysis - to determine the balance between usability and security. (If credentials stolen, a rogue user is into everything).

Federated AM tends to concentrate on web-based remote access.

Pre-requisites

You have to know who all your users are. This gives some problems:

Technologies reviewed in Gilmore's 2004 document

Doc is a little out of date, as there have been a few changes, but here are the main technologies reviewed:

Edinburgh decided to implement Cosign (based on Kerberos). Reflections:

Graham Mason, KC-ROLO project, Kidderminster College

Usual story of documentation not being completely adequate in setting Shibboleth up. Platform and version specific.

Handle Service connected to Active Directory via Apache auth_ldap.

Pubcookie SSO.

Mostly using Shibboleth to share internal VLEs (mostly Moodle) with different sections and partner institutions (and also to share learning objects with partner institutions).

Demonstrations

Delegation with DyVOSE and PERMIS, David Chadwick

Problem with simplistic delegation - the person appears to be you. Delegation should be intelligent and the delegation should be a subset of the authZ powers.

Trying to reproduce the access control permission model that exists in the paper based business world (in the IT/electronic environment).

Users are given attributes and attributes are given permissions.

Bill could be a source of authority (SOA). He issues an Attribute Certificate to Alice (the Attribute Authority), who allows Bob (the end entity) to occasionally use the attribute.

The Delegation Issuing Service (DIS) is able to authN the users and can issue signed assertions. Policies are also held there (i.e. limiting who can delegate to whom).

David showed the simple web-based interface where Simon (a researcher) was able to delegate the role 'researcher' to Sarah, and then revoke it.

David also showed where Simon tried to delegate something to someone but where Simon did not have the rights to delegate this. It failed to work (rightly).
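The delegation rules described above (a delegate may only receive a subset of what the delegator holds, the DIS policy says which roles may be passed on, and revocation takes effect down the chain), modelled in Python as an added illustration that is not DyVOSE or PERMIS code. The role-to-permission map, the DELEGABLE_ROLES policy and the names Bill, Simon and Sarah are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed role-to-permission map and DIS policy (assumptions, not PERMIS config).
ROLE_PERMISSIONS = {
    "researcher": {"read:dataset"},
    "pi": {"read:dataset", "write:dataset", "approve:grant"},
}
DELEGABLE_ROLES = {"researcher"}  # roles the policy lets holders pass on

@dataclass
class Assertion:
    holder: str
    role: str
    issuer: str
    revoked: bool = False

class DelegationIssuingService:
    def __init__(self, soa):
        self.soa = soa        # source of authority, "Bill" in the talk
        self.assertions = []

    def active_roles(self, user, _seen=frozenset()):
        # A delegated role is live only while its chain back to the SOA holds;
        # _seen guards against A->B->A delegation loops.
        if user in _seen:
            return set()
        seen = _seen | {user}
        return {a.role for a in self.assertions
                if a.holder == user and not a.revoked and self._chain_valid(a, seen)}

    def _chain_valid(self, a, seen):
        if a.issuer == self.soa:
            return True
        return a.role in self.active_roles(a.issuer, seen)  # issuer must still hold it

    def permissions(self, user):
        return set().union(*(ROLE_PERMISSIONS[r] for r in self.active_roles(user)))

    def delegate(self, issuer, holder, role):
        if issuer != self.soa:   # the SOA is the root; everyone else is checked
            if role not in self.active_roles(issuer):
                raise PermissionError(f"{issuer} does not hold {role}: not a subset")
            if role not in DELEGABLE_ROLES:
                raise PermissionError(f"policy forbids delegating {role}")
        a = Assertion(holder, role, issuer)
        self.assertions.append(a)
        return a

    def revoke(self, a):
        a.revoked = True
```

Revoking Simon's own assertion from Bill silently invalidates everything Simon delegated onward, which is the behaviour a DIS needs so that a removed attribute cannot live on through earlier delegations.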

FAME-PERMIS, Alexandra Nenadic, University of Manchester

Flexible Authentication Middleware Extension to PERMIS

FAME looking at Authentication method and Level of Assurance/Authentication (she seems to use LoA to mean a combination of levels of assurance or authN!?!)

It can combine several AuthN methods to gain a higher LoA.

Hard token Certificate (e.g. Smart Card) = Levels 1 to 4
Soft certificate token = Levels 1-3
One time password device = Levels 1-3
Strong password = Level 1 and 2
Passwords and PINs = Level 1

The FAME component is a small extension to the Handle Server.

GridSite - uses X.509 certificates to AuthN users accessing Grid services and subsequently granting/denying read and write authZ on this basis.

FAME allows users to authN via certificate or username and password (they get reduced privileges when logged in via un/pw).

Alexandra gave a demo where she authenticated via Shibboleth and chose a radio button with the above types of tokens. This allowed her to see different images at higher and higher resolutions (low res for just un/pw and very high res when she used her smart card).

SPIE, Christian Fernau, Oxford

URL filtering approach. Internet user with entitlementLibrary (can get to http://uni.ac.uk/library).

Filters not so good with dynamic applications - when URLs need to change it is too problematic. (But filters are OK for very static applications). Bad for portals.

SPIE developed a re-usable JAAS module to Shibbolise Java applications. Very simple interface. Have got the following to work:

SpieJaasModule is ready to use.

Christian showed some screens with it working with uPortal and JSPWiki.

JISC Collections and Services

Liam Erney and Caren Milloy

[No disrespect to Liam and Caren, but this wasn't the best use of my time. I really should have been attending the 'Future Developments' meeting. No idea why I attended this one!]

The talk was predominantly about the JISC licence.

www.jisc.ac.uk/collections/

JISC Collections negotiates with publishers for electronic resources on behalf of HE, FE and the Research Councils.

Looking into online learning materials (both from the community and Universities etc. as well as commercial publishers)

JISC Model Licence

Basis of all agreements is the JISC Model Licence

Very liberal licence, but one which is designed to protect both the publisher and the institution. The idea is that for educational use you can use and modify the material etc., as long as the source is cited.

Walk in users always included (i.e. within the library premises) but not allowed to have remote access.

"Access must be via a secure network".

Access management systems

Athens access has always been a core requirement - this will shift to Shibboleth and content providers will be mandated/encouraged to join the federation.

New challenges

New licencing models. New charging models (must complement the existing JISC banding structure that we have). New models must be practical and avoid increased cost of admin for institutions, JISC collections and content providers.

Will be November workshops to gather information on the new models.

ESPGRIDwiki: JISC_AM_Showcase_18July06 (last edited 2013-05-17 16:26:45 by localhost)