Notes from the JISC Access Management Showcase Event of 18 July 2006
Held at One Great George Street, Westminster, London (Institution of Civil Engineers, ICE).
All slides will be available on the JISC web site shortly. Go to this URL and you should see them soon:
From OUCS, there were Mark Norman (author of these notes), Beth Crutch, Alun Edwards and Christian Fernau. (There was also Matthew Garrood from UCISA and David Spence from CCLRC - relevant to ShibGrid).
Sarah Porter - Opening Keynote
[Sarah, necessarily, went pretty quickly through her slides so I did not capture it all - there was lots of interesting detail there though, so you should look at the slides when they are posted on the site.]
JISC will continue to fund Athens only until July 2008.
- Athens to be subscription-only after this point.
UK Access Management Federation to launch in November 2006
Introduced PERSEUS, SPIE and KC-ROLO projects as examples (well done Christian!).
What does it mean for institutions?
Institutional effort is needed to put in place the elements to facilitate devolved authN.
- but there will be a choice of technologies
- you can even outsource Identity Provision (so it would be like using Athens)
Why has JISC chosen this route?
Research indicates that this is the most appropriate technology.
It meets the defined criteria for AM systems in the UK:
- can be used internally and externally (to institutions)
- management of access to 3rd party digital library resources, as now
- Inter-institutional use - stable, long term resource sharing
- ad hoc collaborations - e.g VOs
- also useful to consider international perspective
- can establish international collaborations etc.
Fed access management required to meet other national requirements
- DfES e-Strategy and e-Learning (e.g. e-Portfolios)
- HEFCE e-learning strategies
- Science and Innovation
- Schools - BECTA using Shib too.
- may be useful for NHS.
The Federation
To be run by UKERNA on behalf of JISC and BECTA
- Launch Nov 2006.
- Support through the Janet Helpdesk
- WAYF to exist and to be run from UKERNA
Federation Gateway
Run by Eduserv through the UK Access Management Federation (currently piloting through SDSS)
Outreach
JISC leading extensive programme in UK (for institutes and service providers)
Have been doing an 'Institutional Preparedness Study'
- please participate if contacted!!
Establishing named contacts
- please fill in forms at reception desk (here at meeting)!!
http://www.jisc.ac.uk/federation_events.html
Assisted Take up
MATU service from Eduserv
- courses on Shib
- Documentation
- help on institutional audit (needed for IDM etc.)
- Advice
Most of the rest of the meeting was parallel sessions, so these notes only cover those which I (Mark) attended.
Best Practice for Directory Services
(Attended by Mark and Beth Crutch.)
Introduced by Karin Maslen from MATU.
Talked a bit in general about the Middleware Assisted Take Up Service.
- workshops and seminars
- looking at Eduserv etc. I'd imagine that these would be good, so we should recommend these
Nigel Bruce - Active Directory and Shibboleth
ISS, University of Leeds
Leeds moved to AD from NDS and eDirectory 4 years ago.
- AD contains 32,500 students and 7,500 staff accounts
- used to access PCs on the network etc.
- lynchpin of the University's SSO strategy
- also to a variety of non Microsoft services (e.g. portal, wireless LAN etc.)
LURCIS
Leeds University Registration and Certificate Issuing Service (not used to issue certificates very much now), but it is the meta-directory.
Accounts in AD are generated from the meta-directory LURCIS via LDAP.
LURCIS is the attribute store, instead of Active Directory.
If Leeds had not already had LURCIS, they might have used something like MIIS (Microsoft Identity Integration Server, the meta-directory product).
IdP
Currently use AthensIM implementation of Shibboleth as their IdP. Runs on a Win 2003 server under Tomcat.
Use LDAP to authenticate users to the Handle Service.
Intend to move to Internet2 release when v.2 comes out.
General Points
Nigel doesn't believe that AD is the right place to store large amounts of data on users (e.g. enrolment data).
If you have to use AD then AD Application Mode (ADAM) might be more appropriate.
Relational databases such as SQL Server or Oracle are more flexible tools.
Be pragmatic! Do what is right for your institution. Depends on where you are starting from (and where you're going).
Rhys Smith, Cardiff's use of Directory Services
(For Identity Management).
Data must be accurate (data authorities - who 'own' the data) and timely (good links to data authorities).
Need for good controls over who can change the data.
- And appropriate delegation of control
Structure of directories
Separate Identity Vault, Production Tree and AuthN/Z tree (put the right stuff in the right place).
- They sync these through DirXML
At Cardiff:
POBLOGI tree (e-Dir, holds identities, flat structure) feeds in and out to the registration databases etc. Also links to Services (e.g. Groupwise, file services).
UK-AC-JCCS structured tree (e-Dir production tree, accounts etc.)
HARMONICA tree (e-Dir for CITRIX)
FARAWAY tree (eDir lightweight tree for AuthN to web apps etc).
used Faraway tree to connect to the Shib IdP
- picks up entitlement etc. from POBLOGI
- all DirXML driven
Consider very carefully how to structure your trees (if you haven't started yet). Cardiff's is structured by Department/School. The directory isn't the (business) hierarchy, but people often think that it is.
Schemas
e.g. eduPerson, POSIXUser schemas
Instead of adding each new class or attribute to the tree ad hoc...
- register a schema prefix for your org
- allows you to keep track of the local stuff you've added
- easier to clean the tree
- no need to change the DirXML driver every time you add a new class to the tree
Conclusions
Accurate, timely data needs good links with data authorities and control over who can edit it.
Consider multiple trees (but not too many!).
Implement eduPerson (or not)? If you can show eduPerson attributes to the outside world, then that's the main thing. You may not need to implement the whole schema in LDAP. They didn't need to do it at Cardiff.
For federated AM, it's a good idea to create a lightweight AuthN/AuthZ tree.
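The point about eduPerson above (expose the values, not necessarily the schema) is worth seeing in code. The following is an added example written for these notes, not code from the Cardiff talk or from the Shibboleth IdP: it derives the eduPerson attributes an IdP would release from a local directory entry that does not carry the eduPerson schema at all, then applies a per-SP release policy. The local attribute names (localStatus, groupMembership), the scope example.ac.uk, the group DNs, the SP entity IDs and the release rules are all assumptions chosen for illustration; the entitlement value urn:mace:dir:entitlement:common-lib-terms is a real, widely used one.

```python
"""Derive and release eduPerson attributes from a non-eduPerson local directory.

Added example (not the talk's or Shibboleth's code). Everything named here
except the common-lib-terms entitlement is an assumption for illustration.
"""
from typing import Dict, List

SCOPE = "example.ac.uk"  # assumed: the scope the federation knows this IdP by

# Assumed mapping from local status codes to eduPersonAffiliation values.
# eduPersonAffiliation is a controlled vocabulary, so codes with no mapping
# are dropped rather than passed through to the federation.
AFFILIATION_MAP: Dict[str, List[str]] = {
    "UG": ["student", "member"],
    "PG": ["student", "member"],
    "STF": ["staff", "employee", "member"],
    "VIS": ["affiliate"],  # visitors are deliberately not 'member'
    "ALUM": ["alum"],
}

# Assumed mapping from local group DNs to eduPersonEntitlement URIs.
ENTITLEMENT_MAP: Dict[str, str] = {
    "cn=library-users,ou=groups,o=example": "urn:mace:dir:entitlement:common-lib-terms",
    "cn=vle-partners,ou=groups,o=example": "urn:mace:example.ac.uk:vle:partner",
}

# Assumed per-SP release policy: attribute -> allowed value prefix ("*" = any).
# An SP that is not listed gets only the default, least-revealing set.
RELEASE_POLICY: Dict[str, Dict[str, str]] = {
    "https://library.publisher.example/shibboleth": {
        "eduPersonScopedAffiliation": "*",
        "eduPersonEntitlement": "urn:mace:dir:entitlement:",
    },
    "https://vle.partner.example/shibboleth": {
        "eduPersonScopedAffiliation": "*",
        "eduPersonEntitlement": "urn:mace:example.ac.uk:vle:",
    },
}
DEFAULT_RELEASE: Dict[str, str] = {"eduPersonScopedAffiliation": "*"}


def derive_eduperson(entry: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Compute eduPerson attribute values for one local directory entry."""
    affiliations: List[str] = []
    for code in entry.get("localStatus", []):
        for aff in AFFILIATION_MAP.get(code, []):
            if aff not in affiliations:
                affiliations.append(aff)
    entitlements = sorted(
        {ENTITLEMENT_MAP[g] for g in entry.get("groupMembership", []) if g in ENTITLEMENT_MAP}
    )
    out: Dict[str, List[str]] = {}
    if affiliations:
        out["eduPersonAffiliation"] = affiliations
        out["eduPersonScopedAffiliation"] = [f"{a}@{SCOPE}" for a in affiliations]
    if entitlements:
        out["eduPersonEntitlement"] = entitlements
    return out


def release_for_sp(entry: Dict[str, List[str]], sp_entity_id: str) -> Dict[str, List[str]]:
    """Apply the release policy for sp_entity_id to the derived attributes."""
    derived = derive_eduperson(entry)
    policy = RELEASE_POLICY.get(sp_entity_id, DEFAULT_RELEASE)
    released: Dict[str, List[str]] = {}
    for attr, rule in policy.items():
        values = [v for v in derived.get(attr, []) if rule == "*" or v.startswith(rule)]
        if values:
            released[attr] = values
    return released


# Constructed sample entry: a postgraduate who is also a member of staff.
SAMPLE_ENTRY: Dict[str, List[str]] = {
    "localStatus": ["PG", "STF"],
    "groupMembership": [
        "cn=library-users,ou=groups,o=example",
        "cn=vle-partners,ou=groups,o=example",
        "cn=chess-club,ou=groups,o=example",  # no federation meaning, ignored
    ],
}

if __name__ == "__main__":
    for sp in list(RELEASE_POLICY) + ["https://unknown.example/shibboleth"]:
        print(sp, release_for_sp(SAMPLE_ENTRY, sp))
```

The library SP never learns about the VLE partnership and the VLE never learns about library terms, even though both values are derived from the same entry; the attribute resolver and the release filter are the only places eduPerson has to exist.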
Salford Software, Simon Bilton
Fully owned by Salford University.
Why do we need user management?
- Need this up ahead of things like Shib.
- Esp. for automatic and dynamic account provisioning
Identity management - Simon thinks that 70% of the effort is in getting the business model understood. The remaining 30% is in the technical effort.
Single Sign on Solutions
Nicole Harris.
Brian Gilmore - much of the material for the slides. See Brian's report on the JISC web site
Types of SSO?
- LDAP look up
- (not strictly true SSO)
- Shared name/password between services
- True SSO - SSO service
Risk Analysis - to determine the balance between usability and security. (If credentials stolen, a rogue user is into everything).
Federated AM tends to concentrate on web-based remote access.
Pre-requisites
You have to know who all your users are. This gives some problems:
- alumni
- casual staff, visitors
- external PhD students
- NHS cross-over people
- etc.
Techs reviewed by Gilmore's 2004 doc
Doc is a little out of date, as there have been a few changes, but here are the main technologies reviewed:
- CAS (Yale)
- Pubcookie (Washington)
- WebAuth (Stanford)
- Cosign (Michigan)
- KX.509 (Michigan)
- A-Select (not fully)
Edinburgh decided to implement Cosign (based on Kerberos). Reflections:
- users love it
- choose the technology depending upon your institutional requirements
- you need to know who all of your users are.
Graham Mason, KC-ROLO project, Kidderminster College
Usual story of documentation not being completely adequate in setting Shibboleth up. Platform and version specific.
Handle Service connected to Active Directory via Apache auth_ldap.
Pubcookie SSO.
Mostly using Shibb to share internal VLEs (mostly Moodle) with different sections and partner institutions (and also to share learning objects with partner institutions).
Demonstrations
Delegation with DyVOSE and PERMIS, David Chadwick
Problem with simplistic delegation - the person appears to be you. Delegation should be intelligent and the delegation should be a subset of the authZ powers.
Trying to reproduce the access control permission model that exists in the paper based business world (in the IT/electronic environment).
Users are given attributes and attributes are given permissions.
Bill could be a source of authority (SOA). He issues an Attribute Certificate to Alice (the Attribute Authority), who allows Bob (the end entity) to occasionally use the attribute.
The Delegation Issuing Service (DIS) authenticates users and can issue signed assertions on their behalf. Policies are also held there (i.e. limiting who can delegate what to whom).
- The PERMIS Decision Engine is used alongside the DIS to make those decisions
- When a role has been delegated it is usually given a time limit, and/or the delegator can go in and revoke the delegated role.
David showed the web interface where Simon (a researcher) was able to delegate the role 'researcher' to Sarah. This had a simple web-based interface and Simon delegated this to Sarah, and then revoked it.
David also showed where Simon tried to delegate something to someone but where Simon did not have the rights to delegate this. It failed to work (rightly).
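The rules the demonstration illustrated (delegated powers must be a subset of the delegator's, delegations carry a time limit, the delegator can revoke, and a delegation that exceeds your rights must fail) can be made concrete. The following is an added example written for these notes, not code from DyVOSE, PERMIS or the DIS: a toy delegation issuing service that enforces those rules over in-memory role assertions standing in for attribute certificates. The role and permission names, the one-hop delegation policy (a delegated role cannot be re-delegated) and the rule that a delegation never outlives the delegator's own authority are assumptions; real PERMIS policy is richer.

```python
"""Toy Delegation Issuing Service enforcing subset, time-limit and revocation.

Added example, not DyVOSE/PERMIS code. Roles, permissions and the one-hop
delegation policy are assumptions made for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set

# Assumed role-to-permission policy (in PERMIS this lives in the XML policy).
ROLE_PERMS: Dict[str, Set[str]] = {
    "researcher": {"read_data", "submit_job"},
    "reader": {"read_data"},
    "admin": {"read_data", "submit_job", "manage_users"},
}


@dataclass
class RoleAssertion:
    """Stands in for a signed attribute certificate."""
    id: int
    issuer: str
    holder: str
    role: str
    not_after: datetime
    can_delegate: bool
    revoked: bool = False


class DelegationService:
    def __init__(self, soa: str) -> None:
        self.soa = soa  # the source of authority, e.g. 'Bill' in the talk
        self.assertions: List[RoleAssertion] = []

    def _valid(self, holder: str, now: datetime) -> List[RoleAssertion]:
        return [a for a in self.assertions
                if a.holder == holder and not a.revoked and a.not_after > now]

    def permissions_of(self, holder: str, now: datetime) -> Set[str]:
        """What the decision engine would grant this holder right now."""
        perms: Set[str] = set()
        for a in self._valid(holder, now):
            perms |= ROLE_PERMS[a.role]
        return perms

    def issue_as_soa(self, holder: str, role: str, not_after: datetime,
                     can_delegate: bool) -> RoleAssertion:
        a = RoleAssertion(len(self.assertions) + 1, self.soa, holder, role,
                          not_after, can_delegate)
        self.assertions.append(a)
        return a

    def _delegatable(self, delegator: str, now: datetime) -> List[RoleAssertion]:
        return [a for a in self._valid(delegator, now) if a.can_delegate]

    def can_delegate(self, delegator: str, role: str, now: datetime) -> bool:
        """Subset rule: the role's permissions must lie within the
        permissions the delegator holds with delegation rights."""
        if role not in ROLE_PERMS:
            return False
        powers: Set[str] = set()
        for a in self._delegatable(delegator, now):
            powers |= ROLE_PERMS[a.role]
        return ROLE_PERMS[role] <= powers

    def delegate(self, delegator: str, delegatee: str, role: str,
                 ttl: timedelta, now: datetime) -> RoleAssertion:
        if not self.can_delegate(delegator, role, now):
            raise PermissionError(f"{delegator} may not delegate {role}")
        # Time limit: cap at the earliest expiry of the assertions that
        # contribute to this role, so the delegation cannot outlive the grantor.
        contributing = [a for a in self._delegatable(delegator, now)
                        if ROLE_PERMS[a.role] & ROLE_PERMS[role]]
        not_after = min(now + ttl, min(a.not_after for a in contributing))
        a = RoleAssertion(len(self.assertions) + 1, delegator, delegatee, role,
                          not_after, can_delegate=False)  # one hop only (assumed)
        self.assertions.append(a)
        return a

    def find(self, assertion_id: int) -> Optional[RoleAssertion]:
        return next((a for a in self.assertions if a.id == assertion_id), None)

    def may_revoke(self, requester: str, assertion_id: int) -> bool:
        """Only the issuer of an assertion, or the SOA, may revoke it."""
        a = self.find(assertion_id)
        return a is not None and requester in (a.issuer, self.soa)

    def revoke(self, requester: str, assertion_id: int) -> None:
        if not self.may_revoke(requester, assertion_id):
            raise PermissionError(f"{requester} may not revoke #{assertion_id}")
        self.find(assertion_id).revoked = True


if __name__ == "__main__":
    now = datetime(2006, 7, 18, 12, 0)  # constructed: the day of the showcase
    dis = DelegationService(soa="Bill")
    dis.issue_as_soa("Simon", "researcher", now + timedelta(days=365), True)
    sarah = dis.delegate("Simon", "Sarah", "researcher", timedelta(days=30), now)
    print("Sarah can:", dis.permissions_of("Sarah", now), "until", sarah.not_after)
    print("Simon may delegate admin?", dis.can_delegate("Simon", "admin", now))
    dis.revoke("Simon", sarah.id)
    print("Sarah after revocation:", dis.permissions_of("Sarah", now))
```

Note the two checks that the talk's failed delegation relies on: the subset test is done on permissions, not on role names, so a delegator cannot hand out a role whose rights they do not themselves hold, and the expiry is clamped to the delegator's own so that revoking or expiring the upstream grant bounds every downstream one.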
FAME-PERMIS, Alexandra Nenadic, University of Manchester
Flexible Authentication Middleware Extension to PERMIS
- Access management with PERMIS
- AuthN (FAME)
- AuthZ (PERMIS)
FAME looks at the authentication method and the Level of Assurance/Authentication (she seems to use LoA to mean a combination of levels of assurance and of authN!?!)
It can combine several AuthN methods to gain a higher LoA.
Levels attainable by token type:
- Hard token certificate (e.g. smart card): Levels 1 to 4
- Soft certificate token: Levels 1 to 3
- One time password device: Levels 1 to 3
- Strong password: Levels 1 and 2
- Passwords and PINs: Level 1
The FAME component is a small extension to the Handle Service.
GridSite - uses X.509 certificates to AuthN users accessing Grid services and subsequently granting/denying read and write authZ on this basis.
FAME allows users to authN via certificate or username and password (they get reduced privileges when logged in via un/pw).
Alexandra gave a demo where she authenticated via Shibboleth and chose a radio button with the above types of tokens. This allowed her to see different images at higher and higher resolutions (low res for just un/pw and very high res when she used her smart card).
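The LoA mechanics behind that demo (a table of maximum levels per token type, a rule for combining methods, and resources that require a minimum level) can be sketched in a few functions. The following is an added example for these notes, not FAME-PERMIS or GridSite code: it uses the level ceilings from the table above, an assumed combination rule (a second factor of a different kind adds one level, and level 4 is reachable only with a hard token), and an assumed set of image resolutions gated by LoA as in the demo. The function names and the combination rule are assumptions; FAME's actual policy was not described in enough detail to reproduce.

```python
"""LoA from authentication methods, and step-up to reach a resource's level.

Added example, not FAME-PERMIS code. The combination rule and the resource
requirements are assumptions; the per-token ceilings follow the talk's table.
"""
from typing import Dict, List, Sequence

# Maximum level each method can reach on its own (from the talk's table).
MAX_LOA: Dict[str, int] = {
    "hard_token_cert": 4,
    "soft_cert": 3,
    "otp_device": 3,
    "strong_password": 2,
    "password_or_pin": 1,
}

# Assumed factor category, used to decide whether two methods are distinct factors.
FACTOR_KIND: Dict[str, str] = {
    "hard_token_cert": "possession",
    "soft_cert": "possession",
    "otp_device": "possession",
    "strong_password": "knowledge",
    "password_or_pin": "knowledge",
}

# Assumed resource policy mirroring the demo: higher resolution needs higher LoA.
RESOLUTION_LOA: Dict[str, int] = {
    "thumbnail": 1,
    "screen": 2,
    "print": 3,
    "archival": 4,
}


def session_loa(methods: Sequence[str]) -> int:
    """LoA for a session authenticated with the given methods (assumed rule).

    Base level is the best single method; a second factor of a different
    kind adds one level; level 4 needs a hard token to be among the methods.
    """
    unknown = [m for m in methods if m not in MAX_LOA]
    if unknown:
        raise ValueError(f"unknown authentication method(s): {unknown}")
    if not methods:
        return 0
    level = max(MAX_LOA[m] for m in methods)
    if len({FACTOR_KIND[m] for m in methods}) > 1:
        level += 1
    ceiling = 4 if "hard_token_cert" in methods else 3
    return min(level, ceiling)


def allowed_resolutions(loa: int) -> List[str]:
    """Resolutions a session at this LoA may retrieve."""
    return [name for name, needed in RESOLUTION_LOA.items() if loa >= needed]


def step_up_options(current: Sequence[str], resource: str) -> List[str]:
    """Methods that, added to the current session, would unlock `resource`.

    Empty list means either no step-up is needed or none would suffice;
    check needs_step_up() to tell the two apart.
    """
    needed = RESOLUTION_LOA[resource]
    if session_loa(current) >= needed:
        return []
    return sorted(m for m in MAX_LOA
                  if m not in current and session_loa(list(current) + [m]) >= needed)


def needs_step_up(current: Sequence[str], resource: str) -> bool:
    return session_loa(current) < RESOLUTION_LOA[resource]


if __name__ == "__main__":
    # Constructed walk-through of the demo: password only, then smart card.
    for methods in (["password_or_pin"], ["password_or_pin", "hard_token_cert"]):
        loa = session_loa(methods)
        print(methods, "-> LoA", loa, "->", allowed_resolutions(loa))
    print("to get 'print' from a password session, add one of:",
          step_up_options(["password_or_pin"], "print"))
```

Worth noticing: under this rule a password plus an OTP device still tops out at level 3, so the archival resolution forces the smart card, which is exactly the behaviour the demo showed.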
SPIE, Christian Fernau, Oxford
URL filtering approach: an Internet user whose attributes include the entitlement 'entitlementLibrary' is let through to http://uni.ac.uk/library.
Filters are not so good with dynamic applications - when URLs need to change it becomes too problematic. (But filters are OK for very static applications.) Bad for portals.
SPIE developed a re-usable JAAS module to Shibbolise Java applications. Very simple interface. Have got the following to work:
- uPortal 2.5, Stringbeans portal
- xPlanner, JSPWiki
- CAS
- Christian thinks it could cover most (if not all) JAAS use cases.
SpieJaasModule is ready to use.
Christian showed some screens with it working with uPortal and JSPWiki.
JISC Collections and Services
Liam Erney and Caren Milloy
[No disrespect to Liam and Caren, but this wasn't the best use of my time. I really should have been attending the 'Future Developments' meeting. No idea why I attended this one!]
The talk was predominantly about the JISC licence.
www.jisc.ac.uk/collections/
JISC Collections negotiates with publishers for electronic resources on behalf of HE, FE and the Research Councils.
- e-journals
- journal backfiles
- A&I databases (e.g. Web of Science etc.)
- electronic reference material (e.g. Oxford Reference Online, Britannica)
- primary research material (data etc.)
- image, film and sound
Looking into online learning materials (both from the community and Universities etc. as well as commercial publishers)
JISC Model Licence
Basis of all agreements is the JISC Model Licence
- developed about 15 years ago in partnership with the publishing community.
- needs have changed over time and the licence has evolved accordingly
Very liberal licence but one which is designed to protect the publisher and the institution. Idea being that educational use - you can use the material and modify it etc. as long as the source is cited.
Walk in users always included (i.e. within the library premises) but not allowed to have remote access.
"Access must be via a secure network".
- I asked them about this statement at the end. It seems that "secure network" is a very vague concept. For example, it doesn't mean a VPN when you're off campus (as Athens access has not usually been via VPN). Further, it would appear that Shibboleth access (via your campus SSO) from an Internet cafe is OK.
Access management systems
Athens access has always been a core requirement - this will shift to Shibboleth and content providers will be mandated/encouraged to join the federation.
New challenges
New licensing models. New charging models (these must complement the existing JISC banding structure that we have). New models must be practical and avoid increased administrative cost for institutions, JISC Collections and content providers.
Will be November workshops to gather information on the new models.