Deployment of a Shibboleth-based Infrastructure in Switzerland: SWITCHaai
Martin Sutter, Head of NetServices, SWITCH (Ueli Kienholz & Thomas Lenggenhager)
UK e-Science Core Programme Town Meeting, Monday 11th April 2005
2005 © SWITCH, AAI Deployment in Switzerland

Slide 2: Project Timeline
- 2001-2002: Study (planning, architecture, evaluation -> Shibboleth)
- 2003: Pilot
- 2004-2005: Implementation
- 2006: Operation

Slide 3: Without AAI
[Diagram: University A, Library B and University C each run their own user administration, authentication and authorization in front of every resource (Student Admin, Web Mail, e-Learning, e-Journals, Literature DB, Research DB); the user holds separate credentials for each resource.]
- Tedious user registration at all resources
- Many resources not protected due to difficulties
- Often IP-based authorization
- Different login processes
- Many different passwords
- Unreliable and outdated user data at resources
- Costly implementation of inter-institutional access

Slide 4: With AAI
[Diagram: user administration and authentication stay at the home organization (University A, Library B, University C); the AAI carries the user's identity to the resources (Student Admin, Web Mail, e-Learning, e-Journals, Literature DB, Research DB), which only perform authorization.]
- No user registration and user data maintenance at the resource needed
- Single login process for the users
- Many new resources available for the users
- Enlarged user communities for resources
- Authorization independent of location
- Efficient implementation of inter-institutional access

Slide 5: SWITCHaai Building Blocks
- Organizational Framework
- Interoperation
- Identity Providers (Home Orgs)
- Service Providers (Resources)
- Central Services
- Finances

Slide 6: Organizational Framework
- SWITCH acts as SWITCHaai Federation service provider
- Federation membership based on signed service agreements

Slide 7: Interoperation
Requires agreement on technical details like:
- Standards: SAML 1.1
- Software versions: Shibboleth 1.1 for identity providers, Shibboleth 1.2.1 for service providers
- Accepted certificate authorities: SWITCHpki, plus Thawte, Trustcenter, VeriSign
- Attribute specification: SwissEduPerson

Slide 8: Interoperation: Attributes
Criteria for the attribute specification:
- Start simple, extend as required
- Common understanding on interpretation
- Already widely used -> SwissEduPerson
Attribute usage by applications:
- Use the minimal set required -> data protection principle

Slide 9: Identity Provider Integration
An AAI-enabled identity provider consists of an authentication system and a user directory. Currently in use in SWITCHaai:
- Authentication systems: OpenLDAP with CAS or Pubcookie; Kerberos AuthN with Active Directory; Windows AuthN with IIS
- User directory: OpenLDAP; Active Directory

Slide 10: Identity Providers in SWITCHaai
[Map of Switzerland with per-institution status. Legend: operational AAI identity provider; AAI identity provider getting ready; prototype running; SWITCH service agreement. Institutions shown: University Hospital Zurich, Zürcher Hochschule Winterthur, University Zurich, University Bern, Université de Fribourg, SFIT Zurich, University Lucerne, Université de Lausanne, Université de Genève, Virtual Home Org.]
110'000 Swiss higher-education users have an AAI account (≈ 50% of all).

Slide 11: Virtual Home Organization (VHO)
- Integrates end users without an identity provider
- The resource owner creates @VHO "AAI-enabled" accounts for users without an identity provider
- A VHO account is only usable for the resource managed by that resource owner
[Diagram: the VHO Service @SWITCH (with its own user directory and VHO policy) acts as identity provider for some end users without an identity provider; the resource owner, a federation member, administers their accounts.]

Slide 12: SWITCHaai Building Blocks (section divider: Service Providers)

Slide 13: Types of Service Providers
Categories: e-learning, libraries, other web applications, commercial.
Examples shown: OLAT, Vista@SVC, EZproxy, WebCT@ETHZ, VITELS, Blackboard, DOIT, Moodle, AD Learn & Co, ILIAS, ScienceDirect, BSCW, Vconf-Reservation, SwissLex, TWiki, SMS-Gateway, eShops, IS-Academia, Jobs@BWI, …

Slide 14: Service Provider Example: DOIT
DOIT: Dermatology Online with Interactive Technology. 500 AAI users.
Access rule evaluated by the AAI service provider:
- IdP = UniZH | UniBE | UniL
- affiliation = student
- studyBranch = medicine
- studyLevel = 15
[Diagram: AAI identity providers UniZH, ETHZ, UniBE, UniL, UniGE and the SWITCH VHO feeding the DOIT service provider.]

Slide 15: Service Provider Example: OLAT
OLAT: Online Learning and Training (open-source e-learning platform of the University of Zurich). 5000 AAI users, 75 courses.
[Diagram: AAI identity providers UniZH, ETHZ, UniBE, UniL, UniGE and the SWITCH VHO feeding the OLAT service provider.]

Slide 16: Integration of "Blackboxes"
- Authentication / authorization gateway
- Portal functionalities (optional)
- User management (optional)
- Adaptors to blackbox applications: WebCT Vista, WebCT CE, …
[Diagram: Shibboleth -> AAIportal (Sign On, Application API) -> adaptors A1, A2 -> blackbox applications.]

Slide 17: Central AAI Services
- Strategy & marketing
- International contacts
- Support, consulting, training
- Providing federation-specific files and configuration guides
- Operating the WAYF
- Testing parties (identity provider <-> service provider)
- Jump-start service

Slide 18: Funding
- 2000-2003: pilot project, funded by SWITCH & universities
- 2004-2007: operational service, funded by federal grants
- 2008-2010: funded by tariffs

Slide 19: Outlook
- Projects with federal grants: non-web service providers, e.g. grid; ECTS (study); AAA (study)
- Federation partners

Slide 20: Further Information
- SWITCHaai website: http://www.switch.ch/aai
- Shibboleth: http://shibboleth.internet2.edu/
- Shibboleth demo: http://www.switch.ch/aai/demo
- Attribute specification: http://www.switch.ch/aai/docs/AAI_Attr_Specs.pdf

Slide 21: Questions?
Q&A: http://www.switch.ch/aai, aai@switch.ch

Slide 22: Central Services (backup)
- SWITCHaai team: training, general support, consulting, supporting universities, shibbolizing services, integrating identity providers, jump-start service, tools (AAIportal), test installations (feasibility), marketing, organisation and policies
- Services: WAYF, VHO, test lab, deployment guides, federation metadata

Slide 23: Support (1): SWITCH's AAI Services
Each service is offered for implementation / integration and for operation.
- AAI base package: central AAI services (strategy, marketing; consulting, training, test lab)
- Optional AAI services: integration service, AAI jump start, AAI tools; outsourcing service (WAYF, Virtual Home Org)
- AAI-related services: security services (RA / CA)

Slide 24: Showcase: NET ETHZ
NET: Network for Educational Technology. 300 AAI users, 2 courses.
[Diagram: AAI home organizations UniZH, ETHZ, UniBE, UniL, UniGE and the SWITCH VHO feeding the NET AAI resource.]

Slide 25: Shibboleth Process: The Details
[Diagram: steps 1-11 between the user (credentials), the WAYF, the user's home org (user directory, HS, AA with ARP) and the resource (SHIRE, SHAR, RM with AAP, resource owner). The user authenticates at the home org; the HS issues a handle that reaches the SHIRE; the SHAR presents the handle to the AA, which returns the attributes permitted by the ARP; the RM authorizes access.]
Shibboleth AAI components:
- HS: Handle Server
- AA: Attribute Authority
- WAYF: 'Where Are You From' server
- SHIRE: Shibboleth Indexical Reference Establisher
- SHAR: Shibboleth Attribute Requestor
- RM: Resource Manager
- ARP: Attribute Release Policy (at the AA)
- AAP: Attribute Acceptance Policy (at the SHAR)

Slide 26: Outlook (backup)
- 2001-2002: Study
- 2003: Pilot
- 2004: Implementation V1.0 (redundant WAYF, migration pilot -> production, service agreements, more campuses, more resources, branding)
- 2005: Operation V1.0; study, pilot and implementation of V2.0 (resource registry, Shibboleth 1.3, EZproxy, BSCW, IS-Academia, operations committee, TF Attributes, ECTS study, AAA study, lead SUC projects)
- 2006-2007: Operation

Slide 27: Single Sign On
[Diagram: steps 1-10 of one session: the user logs in once at the home org after choosing it at the WAYF (wayf1.switch.ch) to reach the demo resource, then reaches the e-learning resource (aaidemo.alzheimerlearn.net, http://aaidemo.alzheimerlearn.net/) without entering credentials again; kohala.switch.ch is also shown.]

Slide 28: Attributes: SwissEduPerson
- Based on the eduPerson specification
- Study branch, study level and staff category are based on SHIS/SIUS
Personal attributes:
- Unique identifier
- Surname
- Given name
- E-mail
- Address(es)
- Phone number(s)
- Preferred language
- Date of birth
- Gender
Group membership:
- Name of home organization
- Type of home organization
- Affiliation (student, staff, faculty, …)
- Study branch
- Study level
- Staff category
- Group membership
- Organization path
- Organizational unit path
Deliberately missing:
- Username and password: only used locally at the home organization, never released
- commonName: no common understanding on how to use it
- 'Matrikelnummer': left out for data protection reasons
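The handle-based flow of the "Shibboleth Process" slide, the per-service-provider attribute release that the "minimal set" principle and the SwissEduPerson slide call for, and the DOIT access rule are easiest to see end to end in code. The following is an added example written for this page; it is not code from SWITCH, from the slides, or from Shibboleth itself. It models the HS, AA (with ARP), SHAR (with AAP) and RM as plain Python objects. The user directories, passwords, attribute names (affiliation, studyBranch, studyLevel, uniqueID, dateOfBirth), the two service providers "doit" and "olat", the release policies and the 300-second handle lifetime are all constructed assumptions; real deployments exchange signed SAML 1.1 messages and use the SwissEduPerson attribute names, neither of which is modelled here.

```python
"""Added example: Shibboleth-1.x-style handle flow with ARP, AAP and the DOIT rule.

Not code from the SWITCH slides or from Shibboleth. Users, passwords, policies,
attribute names and HANDLE_TTL are constructed assumptions for this example.
"""
import secrets
import time

HANDLE_TTL = 300  # seconds a handle stays valid (assumption for the example)

# Constructed user directories of two home organisations. Passwords live only
# here: username/password are deliberately not SwissEduPerson attributes.
USER_DIR = {
    "UniZH": {
        "alice": {"password": "alice-pw", "uniqueID": "alice@unizh.ch",
                  "affiliation": "student", "studyBranch": "medicine",
                  "studyLevel": 15, "dateOfBirth": "1982-03-04"},
        "bob": {"password": "bob-pw", "uniqueID": "bob@unizh.ch",
                "affiliation": "staff", "dateOfBirth": "1970-01-01"},
    },
    "UniGE": {
        "carla": {"password": "carla-pw", "uniqueID": "carla@unige.ch",
                  "affiliation": "student", "studyBranch": "medicine",
                  "studyLevel": 15, "dateOfBirth": "1983-05-06"},
    },
}

# ARP: per target SP, only the minimal attribute set that resource needs.
ARP = {
    "doit": {"affiliation", "studyBranch", "studyLevel"},
    "olat": {"uniqueID", "affiliation"},
}


class HomeOrg:
    """HS + AA of one identity provider (the slide's 'User's Home Org')."""

    def __init__(self, org):
        self.org = org
        self._handles = {}  # opaque handle -> (user, target SP, expiry)

    def hs_authenticate(self, user, password, target_sp, now=None):
        """HS: authenticate locally; return an opaque handle bound to one SP, or None."""
        rec = USER_DIR[self.org].get(user)
        if rec is None or not secrets.compare_digest(rec["password"], password):
            return None
        handle = secrets.token_urlsafe(16)  # reveals nothing about the user
        expiry = (time.time() if now is None else now) + HANDLE_TTL
        self._handles[handle] = (user, target_sp, expiry)
        return handle

    def aa_query(self, handle, requester, now=None):
        """AA: resolve a handle to attributes, filtered by the requester's ARP."""
        entry = self._handles.get(handle)
        if entry is None:
            raise PermissionError("unknown handle")
        user, target_sp, expiry = entry
        if requester != target_sp:
            raise PermissionError("handle was not issued for this SP")
        if (time.time() if now is None else now) > expiry:
            raise PermissionError("handle expired")
        rec = USER_DIR[self.org][user]
        released = {k: v for k, v in rec.items() if k in ARP.get(requester, set())}
        return {"issuer": self.org, "attributes": released}


class ServiceProvider:
    """SHAR (applies the AAP) plus RM (applies the resource's access rule)."""

    def __init__(self, provider_id, aap, rule):
        self.provider_id, self.aap, self.rule = provider_id, aap, rule

    def shar_accept(self, response):
        """AAP: keep only attributes this SP has agreed to consume."""
        return {k: v for k, v in response["attributes"].items() if k in self.aap}

    def rm_decide(self, issuer, attrs):
        return "granted" if self.rule(issuer, attrs) else "denied"


def doit_rule(issuer, a):
    """Access rule from the DOIT slide."""
    return (issuer in {"UniZH", "UniBE", "UniL"} and a.get("affiliation") == "student"
            and a.get("studyBranch") == "medicine" and a.get("studyLevel") == 15)


HOME_ORGS = {org: HomeOrg(org) for org in USER_DIR}
DOIT = ServiceProvider("doit", {"affiliation", "studyBranch", "studyLevel"}, doit_rule)


def sso_access(org, user, password, sp, now=None):
    """Whole round trip: WAYF choice -> HS -> handle via SHIRE -> SHAR/AA -> AAP -> RM."""
    home = HOME_ORGS[org]  # WAYF: the user picked this home org
    handle = home.hs_authenticate(user, password, sp.provider_id, now)
    if handle is None:
        return "authentication failed"
    response = home.aa_query(handle, sp.provider_id, now)  # SHAR asks the AA
    attrs = sp.shar_accept(response)
    return sp.rm_decide(response["issuer"], attrs)


if __name__ == "__main__":
    for org, user, pw in [("UniZH", "alice", "alice-pw"), ("UniZH", "bob", "bob-pw"),
                          ("UniGE", "carla", "carla-pw"), ("UniZH", "alice", "wrong")]:
        print(org, user, "->", sso_access(org, user, pw, DOIT))
```

The two checks worth noting are in `aa_query`: a handle is bound to the service provider it was issued for and to a lifetime, so a handle captured on its way to one resource cannot be redeemed by another resource or replayed later. The ARP keeps `dateOfBirth` and `uniqueID` away from DOIT, which never needs them, and the resource's own AAP would discard them even if an over-generous home organisation released them.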