Distributed Access Control
- BIBSYS and the FEIDE solution
Sigbjørn Holmslet, BIBSYS, Norway
Ingrid Melve, UNINETT, Norway
ELAG Trondheim 2004
Some definitions
Authentication - Process of providing the identity of a user. (Who are you?)
Authorization - Process of granting or denying access rights for a resource to
an authenticated user. (What are you allowed to do?)
Credentials - Information that includes identification and proof of
identification that is used to gain access to resources. Examples of
credentials are user names and passwords, smart cards, and certificates.
Problems in a distributed environment
• Lots of credentials
• Lots of registration and logon procedures
Distributed Access Control
Single Sign On (SSO)
SSO = challenges
• Technological issues
  • proxies
  • cookies
  • timeout
• Security issues
  • shared credentials
  • different security levels
  • trust
The trend in distributed access control
Some BIBSYS-facts
BIBSYS is an integrated library system used by all Norwegian
University Libraries, the National Library, all College Libraries, and
a number of research libraries
The BIBSYS users
Primary users:
Ca 2.500 librarians
End users:
Ca 600.000 – patrons (not all active)
Ca 4000 – academic users (research document database)
1000+ – users of other different systems
BIBSYS history of access control (the late eighties)
A1 = Authentication, A2 = Authorization
• Legacy System (cataloguing, search, etc): A1 – Unix, A2 – User file
Data stores: UNIX pw. file, Users
BIBSYS history of access control (mid. nineties)
A1 = Authentication, A2 = Authorization
• Legacy System: A1 – Unix, A2 – User file
• Web search: A1 – Patron-ID, last name; A2 –
• ISI search: A1 – IP-filtering; A2 –
Data stores: UNIX pw. file, Users, Patrons, IP-list
BIBSYS history of access control (late nineties)
A1 = Authentication, A2 = Authorization
• Legacy System: A1 – Unix, A2 – User file
• Web search: A1 – Patron-ID, last name; A2 –
• ISI search: A1 – IP-filtering; A2 –
• Some web service: A1 – Apache password-file
• Some web service: A1 – Apache password-file
Data stores: UNIX pw. file, Users, Patrons, IP-list, Apache pw. file, Apache pw. file
BIBSYS in the late nineties
BIBSYS Access Control Project
Goal:
• Provide interoperability between internal systems
• Offer access control to our patrons.
• Avoid administration overhead.
• Consider cross-organizational access control.
BIBSYS Access Control Project
We considered two commercial access control systems:
• Candle/Cactus
• ISOS/Athens
Conclusion:
• Too expensive
• BIBSYS is not the right institution to host a cross-organizational access control system for our end users.
Decisions:
• Develop our own access control for internal use
• Wait and see for a cross-organizational solution.
A common role based access control system
[Diagram labels: UNIX pw. file, Users, Patrons, IP-list, Apache pw. file, Apache pw. file; Common role based access control system]
Only access-relevant information: credentials, roles, IPs
Starting point
A1 = Authentication, A2 = Authorization
• Legacy System: A1 – Unix, A2 – User file
• Web search: A1 – Patron-ID, last name; A2 –
• ISI search: A1 – IP-filtering; A2 –
• Some web service: A1 – Apache password-file
• Some web service: A1 – Apache password-file
Data stores: UNIX pw. file, Users, Patrons, IP-list, Apache pw. file, Apache pw. file
Result (ideal)
[Diagram labels: Service A, Service B, Service C, Service D, Service E; Common role based access control system]
Result (real)
• Implemented a new role based access control system
• We released new personalized services for patrons and librarians
• Low administration costs (machine-generated password by email)
• Still some systems use their old access control
• The wait and see strategy paid off – result: FEIDE
Status of 2002
New challenge
• Offering our users access through the FEIDE system
FEIDE
(Federated Electronic Identity for Education)
Goals of the FEIDE project:
• Establish a common, secure electronic identity for Norwegian
academic users.
• Implement the academic sector's system for reliable user data
handling, secure identification of internet-service users and
assignment of user access-rights.
• Common data model for persons
• Standardization/development of user management systems
• Provide a central login server
Integrating with the FEIDE system (I)
One year ago we released a pilot using the FEIDE authentication
• Application: Personalized services for patrons and librarians
• Technology: Java Servlets, Tomcat server
• Objective: technical issues (not performance)
• Available for a limited group of users
Integrating with the FEIDE system (II)
Efforts to make it work
• Received a Java-library, a Servlet Filter and a certificate from FEIDE
• Configured Tomcat to use the Servlet Filter
• Configured the Servlet Filter
Integrating with the FEIDE system (III)
Experiences with the pilot
• Easy to implement
• No errors throughout the test period
• The users were satisfied
Integrating with the FEIDE system (IV)
One obstacle:
How to map a FEIDE user to a BIBSYS user?
Solution:
The National Identity Number
BIBSYS has to extend the user database to include the National Identity Number.
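An added example, not taken from the slides or from BIBSYS or FEIDE code: the mapping step above combined with the role check of the common access control system, denying access when the identity number is missing, unknown, or matches more than one local account. The attribute name, the 11-digit format check and all sample records are assumptions constructed for illustration.

```python
import re

NIN_ATTRIBUTE = "national_identity_number"  # hypothetical attribute name

# Constructed local user table, extended with the identity number. Values are made up.
LOCAL_USERS = [
    {"local_id": "lib042", "nin": "01017012345", "roles": {"librarian"}},
    {"local_id": "pat977", "nin": "15058054321", "roles": {"patron"}},
    {"local_id": "pat978", "nin": "15058054321", "roles": {"patron"}},  # duplicate
    {"local_id": "pat100", "nin": None, "roles": {"patron"}},  # number not registered
]


def normalize_nin(raw):
    """Return the number as 11 digits (assumed format), or None if unusable."""
    if not isinstance(raw, str):
        return None
    digits = re.sub(r"[\s-]", "", raw)
    return digits if re.fullmatch(r"[0-9]{11}", digits) else None


def resolve_local_user(federated_attrs, users=LOCAL_USERS):
    """Map an authenticated federated identity to exactly one local account."""
    nin = normalize_nin(federated_attrs.get(NIN_ATTRIBUTE))
    if nin is None:
        return None, "missing or malformed identity number"
    matches = [u for u in users if u["nin"] == nin]
    if not matches:
        return None, "no local account"
    if len(matches) > 1:
        return None, "ambiguous match"  # deny rather than pick one
    return matches[0], "ok"


def authorize(federated_attrs, required_role, users=LOCAL_USERS):
    """Authentication is done by the federation; the role check stays local."""
    user, reason = resolve_local_user(federated_attrs, users)
    if user is None:
        return False, reason
    if required_role not in user["roles"]:
        return False, "role not granted"
    return True, user["local_id"]


if __name__ == "__main__":
    print(authorize({NIN_ATTRIBUTE: "010170 12345"}, "librarian"))
    print(authorize({NIN_ATTRIBUTE: "15058054321"}, "patron"))
```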
Overview of the logon process
[Diagram: numbered steps 1 to 9 between User, FEIDE (MORIA), AT (LDAP-servers), BIBSYS (Tomcat servlet container) with Filter and BIBSYS services (servlets), and BIBSYS users]
Future plans
• Let the pilot go into production within 3-4 months
• Try out the Single Sign On features of FEIDE
• Make use of other user attributes than only the National Identity
Number. (For authorisation and for updating our own user data)