2005 © SWITCH
Deployment of a Shibboleth-based Infrastructure in Switzerland: SWITCHaai
Martin Sutter, Head of NetServices, SWITCH (Ueli Kienholz & Thomas Lenggenhager)
UK e-Science Core Programme Town Meeting
Monday 11th April 2005
Project Timeline
Figure: timeline from 2001 to 2006 with the phases Study and Planning, Implementation, Pilot and Operation; Architecture Evaluation and Shibboleth are shown under the study phase.
Without AAI
Figure: University A, Library B and University C each run their own resources (Student Admin, Web Mail, e-Learning, Literature DB, Research DB, e-Journals), each with its own user administration for authorization and its own resource credentials for authentication.
• Tedious user registration at all resources
• Unreliable and outdated user data at resources
• Different login processes
• Many different passwords
• Many resources not protected due to difficulties
• Often IP-based authorization
• Costly implementation of inter-institutional access
With AAI
Figure: University A, Library B and University C with the same resources (Student Admin, Web Mail, e-Learning, Literature DB, Research DB, e-Journals), now connected through the AAI (labels: Authorization / User Administration, Authentication / Resource Credentials).
• No user registration and user data maintenance at resource needed
• Single login process for the users
• Many new resources available for the users
• Enlarged user communities for resources
• Authorization independent of location
• Efficient implementation of inter-institutional access
SWITCHaai Building Blocks
• Identity Providers (Home Orgs)
• Service Providers (Resources)
• Organizational Framework
• Interoperation
• Central Services
• Finances
Organizational Framework
• SWITCH acts as SWITCHaai Federation service provider
• Federation membership based on signed service agreements
Interoperation
Requires agreement on technical details like
• Standards: SAML 1.1
• Software versions: Shibboleth 1.1 for identity providers, Shibboleth 1.2.1 for service providers
• Accepted certificate authorities: SWITCHpki, plus Thawte, Trustcenter, VeriSign
• Attribute specification: SwissEduPerson
Interoperation: Attributes
Criteria for attribute specification
• Start simple, extend as required
• Common understanding on interpretation
• Already widely used
SwissEduPerson
Attribute usage by applications
• Use minimal set required (data protection principle)
Identity Provider Integration
Figure: an AAI-enabled Identity Provider consists of a User Directory, an Authentication System and the AAI component.
Currently in use in SWITCHaai:
• Authentication Systems: OpenLDAP with CAS or Pubcookie; Kerberos AuthN with Active Directory; Windows AuthN with IIS
• User Directory: OpenLDAP; Active Directory
Identity Providers in SWITCHaai
Figure: map of Swiss identity providers by status (Operational AAI Identity Provider, AAI Identity Provider getting ready, Prototype running, Service Agreement). Institutions shown: SFIT Zurich, University Zurich, Virtual Home Org (SWITCH), Université de Genève, Zürcher Hochschule Winterthur, University Hospital Zurich, University Lucerne, Université de Fribourg, University Bern, Université de Lausanne.
110’000 Swiss Higher Ed users have an AAI account (≈ 50% of all)
Virtual Home Organization (VHO)
• Integrate end users without identity provider: the resource owner creates @VHO “AAI-enabled” accounts for users without an identity provider
• A VHO account is only usable for the resource managed by the resource owner
Figure: a Federation Member acting as Resource Owner administers end users who have no identity provider of their own in the VHO Service @SWITCH (Identity Provider, User Directory, VHO Policy).
SWITCHaai Building Blocks
• Identity Providers (Home Orgs)
• Service Providers (Resources)
• Organizational Framework
• Interoperation
• Central Services
• Finances
Types of Service Providers
Categories: e-learning, libraries, other web applications, commercial
Examples: DOIT, VITELS, Vista@SVC, AD Learn & Co, Vconf-Reservation, SMS-Gateway, EZproxy, ScienceDirect, WebCT@ETHZ, OLAT, Moodle, BSCW, Blackboard, SwissLex, IS-Academia, Jobs@BWI, ILIAS, TWiki, eShops, …
Service Provider Example: DOIT
Figure: AAI Identity Providers ETHZ, UniZH, UniL, UniGE, UniBE and VHO (SWITCH), and the AAI Service Provider DOIT.
DOIT: Dermatology Online with Interactive Technology
500 AAI Users
Access Rule:
IdP = UniZH | UniBE | UniL
affiliation = student
studyBranch = medicine
studyLevel = 15
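The DOIT access rule above, and the "use minimal set required" principle from the attributes slide, can be made concrete in a few lines. The following is an added example, not SWITCH or Shibboleth code: it evaluates a rule of the DOIT form (all clauses must match, values within a clause are alternatives) against the multi-valued attributes an identity provider asserts, takes the identity provider from the trusted assertion rather than from a user attribute, and shows the identity-provider side releasing only the attributes the rule needs. The clause names and values follow the slide; the sample users, their attribute names and the function names are assumptions for illustration.

```python
"""Attribute-based access rule of the kind shown on the DOIT slide, with the
"use minimal set required" principle from the attributes slide.

Constructed example, not SWITCH or Shibboleth code. The clause names and
values (IdP, affiliation, studyBranch, studyLevel) follow the slide; the
sample users and the attribute names in them are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class AccessRule:
    """One clause per attribute: the attribute must carry at least one of the
    accepted values. Clauses are ANDed, values within a clause are ORed, which
    is how 'IdP = UniZH | UniBE | UniL' reads on the slide."""

    clauses: dict[str, frozenset[str]]

    def required_attributes(self) -> frozenset[str]:
        """Attributes the resource needs for this rule and nothing else; the
        identity provider is known from the assertion, not released as data."""
        return frozenset(name for name in self.clauses if name != "IdP")

    def evaluate(self, idp: str, attributes: dict[str, list[str]]) -> tuple[bool, list[str]]:
        """Return (granted, reasons). Every failing clause is reported so the
        service provider can log why access was denied."""
        reasons: list[str] = []
        for name, accepted in self.clauses.items():
            # The asserting IdP comes from the trusted assertion, never from a
            # user-controlled attribute; all other clauses read the attribute set.
            values = [idp] if name == "IdP" else attributes.get(name, [])
            if not accepted.intersection(values):
                reasons.append(f"{name}={values or 'missing'} not in {sorted(accepted)}")
        return (not reasons, reasons)


def minimal_release(attributes: dict[str, list[str]], rule: AccessRule) -> dict[str, list[str]]:
    """Identity-provider side of the data-protection principle: release only
    the attributes the resource's rule evaluates."""
    wanted = rule.required_attributes()
    return {k: v for k, v in attributes.items() if k in wanted}


# Access rule from the DOIT slide.
DOIT_RULE = AccessRule({
    "IdP": frozenset({"UniZH", "UniBE", "UniL"}),
    "affiliation": frozenset({"student"}),
    "studyBranch": frozenset({"medicine"}),
    "studyLevel": frozenset({"15"}),
})

# Constructed sample users (assumed attribute values, not real data).
SAMPLE_USERS = {
    "med_student_unizh": ("UniZH", {"affiliation": ["student"], "studyBranch": ["medicine"],
                                    "studyLevel": ["15"], "mail": ["a@example.org"]}),
    "med_student_unibe_multi": ("UniBE", {"affiliation": ["member", "student"],
                                          "studyBranch": ["medicine"], "studyLevel": ["15"]}),
    "staff_unizh": ("UniZH", {"affiliation": ["staff"], "studyBranch": ["medicine"],
                              "studyLevel": ["15"]}),
    "med_student_unige": ("UniGE", {"affiliation": ["student"], "studyBranch": ["medicine"],
                                    "studyLevel": ["15"]}),
    "vho_account": ("VHO", {"affiliation": ["student"]}),
}


def decide(user: str) -> tuple[bool, list[str]]:
    """Run the DOIT rule over one sample user after minimal attribute release."""
    idp, attrs = SAMPLE_USERS[user]
    return DOIT_RULE.evaluate(idp, minimal_release(attrs, DOIT_RULE))


if __name__ == "__main__":
    for user in SAMPLE_USERS:
        granted, reasons = decide(user)
        print(f"{user}: {'granted' if granted else 'denied'} {reasons}")
```

Two design points carry over to a real deployment: the `mail` attribute of the first sample user never reaches the resource because the rule does not evaluate it, and the UniGE medical student is denied on the identity-provider clause alone even though every released attribute matches, which is exactly the behaviour the slide's `IdP = UniZH | UniBE | UniL` clause asks for.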
Service Provider Example: OLAT
Figure: AAI Identity Providers ETHZ, UniZH, UniL, UniGE, UniBE and VHO (SWITCH), and the AAI Service Provider OLAT.
OLAT: Online Learning and Training (open source e-learning platform of the University of Zurich)
5000 AAI Users, 75 Courses
Integration of “Blackboxes”
• Authentication / authorization gateway
• Portal functionalities (optional)
• User management (optional)
• Adaptors to blackbox applications: WebCT Vista, WebCT CE, …
Figure: Shibboleth sign-on in front of an AAI portal, which talks through an API to the blackbox applications A1, A2, ...
Central AAI Services
• Strategy & marketing
• International contacts
• Support, consulting, training
• Providing federation-specific files and configuration guides
• Operating WAYF
• Testing parties (identity provider, service provider)
• Jump-start service
Funding
Figure: funding / costs from 2000 to 2010 across three phases, pilot project, project and operational service, funded in turn by SWITCH & Universities, by federal grants and by tariffs.
Outlook
• Projects with federal grants
• Non-web service providers, e.g. grid
• ECTS (Study)
• AAA (Study)
• Federation partners
Further Information
SWITCHaai Website: http://www.switch.ch/aai
Shibboleth: http://shibboleth.internet2.edu/
Shibboleth Demo: http://www.switch.ch/aai/demo
Attribute Specification: http://www.switch.ch/aai/docs/AAI_Attr_Specs.pdf
Questions?
http://www.switch.ch/aai
aai@switch.ch