Shibbole-Me-This: One Librarian's Foray Into Shibboleth For Better Access

Page 1

Shibble-Me-This: One Librarian's Foray Into Shibboleth For Better Access. An Illustrated Narrative

Athena Hoeppner, Electronic Resources Librarian
University of Central Florida
@cybrgrl #internetlibrarian

Page 2

(Diagram labels: campus service; researcher at home.)

Page 3

Dreaded paywall

(Diagram labels: publisher site; campus service.)

Page 4

The long confusing slog

(Diagram labels: library server; publisher site.)

Page 5

Yet another login

(Diagram labels: proxy server; mediated requests; publisher site; library server.)

Page 6

Perspective... VPN!

Security. Access!

Page 7

Shibboleth daydreams

• Shibboleth is widely used by libraries and library vendors.
• Turn Shibboleth on and off in vendor admin.
• Lots of user attributes shared.
• Signed-in users will be able to use wild-web links.
• Move between UCF systems without signing in.
• Personalized experience.
• Granular access control.

Page 8

Different priorities

Enterprise: single sign-on. Managed IDs. Security.

But, library: access...

Page 9

Things I learned... Shibboleth is

• Standards based
• Open source
• Middleware
• Single sign-on across or within organizational boundaries.
• Created by InCommon, a sub-project of Internet2

https://shibboleth.net/about/

Page 10

Shibboleth in context

• Not-for-profit networking consortium
• For U.S. research and education communities

https://shibboleth.net/consortium/

Page 11

United Federation of Planets

• Operates the identity federation for Internet2
• Identity providers get single sign-on and privacy protection
• Service providers get access control

http://www.internet2.edu/products-services/trust-identity-middleware/incommon-federation

Page 12

Things I learned...

• Security Assertion Markup Language (SAML)
• XML-based communication of user authentication, entitlement, and attributes.
• SAML allows entities to make assertions about users to other entities, such as a partner company or another enterprise application.

https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=security

Page 13

(Diagram labels: campus service; teacher at home; user credentials; LDAP; authentication.)

Page 14

Internal dialog

(Diagram labels: campus service; LDAP; authentication / user info; user credentials; attributes / assertions.)

Campus service (receiving the user's credentials): "Do you know this guy? Check on this guy for me..."
LDAP: "Yeah. Here's his name and other data."
Campus service: "He is a UCF eduPerson. OK. He is entitled to my service; he gets a cookie."

Page 15

Meanwhile in I.T. ...

Enterprise-wide federated ID and SSO:

• Learning management system
• OPAC/library accounts
• ILLiad
• EZproxy

Single sign-on!!

Page 16

On to the library...

Library server: "He has a cookie. Here are his attributes."

Page 17

External service providers

Library vendors in InCommon federation:

• Hathi Trust
• EBSCOhost
• ProQuest
• EBL
• Elsevier
• JSTOR
• ...

https://spaces.internet2.edu/display/inclibrary/targetresources
https://spaces.internet2.edu/display/inclibrary/registryofresources

Librarian: "Enable, please!!"
I.T.: "OK. They get our entityID, and we'll assert eduPerson."

Page 18

Paywall redux

(Diagram labels: publisher site. "??!")

Page 19

WAYF - Where Are You From

(Diagram labels: publisher site.)

Page 20

Single sign-on!

Campus service to publisher site: "He has a cookie. I assert he is a UCF eduPerson."

Page 21

InCommon best practices for libraries

• Authorization via eduPerson attributes
• Implement WAYFless URLs
• Implement authenticated direct links to resources.
• Shibboleth-enable EZproxy
• Use Shibboleth-ready EZproxy starting point URLs

https://spaces.internet2.edu/display/inclibrary/best+practices

Single sign-on access!
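The "authorization via eduPerson attributes" practice above, and the internal dialog on page 14 where the campus service decides the user "is entitled to my service", come down to a service provider reading the attribute statement out of a SAML assertion and checking it. The following is an added illustration, not code from the presentation, UCF, or the Shibboleth project: it parses a constructed SAML 2.0 assertion (hypothetical entity IDs) and makes the decision only after checking the validity window, the intended audience, and that the affiliation's scope is the home organisation the SP actually trusts. It assumes the XML signature has already been verified by the SP software.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SCOPED_AFFILIATION = "urn:oid:1.3.6.1.4.1.5923.1.1.1.9"  # eduPersonScopedAffiliation

# Constructed sample assertion (hypothetical entity IDs), roughly what an IdP
# returns after the LDAP check in the slide. The XML signature is omitted: this
# code assumes the SP software has already verified it before these checks run.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-1" Version="2.0" IssueInstant="2013-10-28T15:00:00Z">
  <saml:Issuer>https://idp.example.edu/idp/shibboleth</saml:Issuer>
  <saml:Conditions NotBefore="2013-10-28T14:59:00Z" NotOnOrAfter="2013-10-28T15:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.publisher.example/shibboleth</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9">
      <saml:AttributeValue>member@example.edu</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def attribute_values(assertion_xml, name):
    """Values of the attribute `name` from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    return [v.text for a in root.findall(".//saml:AttributeStatement/saml:Attribute", NS)
            if a.get("Name") == name for v in a.findall("saml:AttributeValue", NS)]

def entitled(assertion_xml, my_entity_id, trusted_scope, now_iso):
    """SP access decision from eduPerson attributes: validity window, audience,
    then a scoped affiliation whose scope is the home organisation we trust."""
    root = ET.fromstring(assertion_xml)
    cond = root.find("saml:Conditions", NS)
    now = _ts(now_iso)
    if cond is None or not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        return False  # replayed or not-yet-valid assertion
    if my_entity_id not in [a.text for a in cond.findall(".//saml:Audience", NS)]:
        return False  # assertion was issued for a different service provider
    for value in attribute_values(assertion_xml, SCOPED_AFFILIATION):
        affiliation, _, scope = value.partition("@")
        if scope == trusted_scope and affiliation in ("member", "student", "faculty", "staff"):
            return True
    return False  # right scope but no qualifying affiliation, or wrong scope
```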

Page 22

EZproxy Shibb URLs

• EZproxy starting point URLs: https://login.ezproxy.ucf.edu/login&url=
• Shibbolized: https://login.ezproxy.ucf.edu/login?auth=shibb&url=
• Works well with LibX to proxy on the fly
• UCF deployed in: SFX, EBSCOhost Discovery... waiting to use in other services

Caveats:

• Some external systems are ready for this.
• Goes straight to the federated ID login - bypasses old library ID login.
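An added example (not UCF's or OCLC's code) of building and reading back the Shibbolized starting-point form shown on this slide. It assumes the plain form takes the target as a `?url=` query parameter and that the target is percent-encoded, so a target carrying its own `&`-separated query string survives the trip intact; a link-rewriting tool such as LibX would do the same work on the fly.

```python
from urllib.parse import quote, urlsplit, parse_qs

# Login endpoint from the slide; the auth=shibb form sends the user straight
# to the federated (campus SSO) login instead of the old library-ID login.
EZPROXY_LOGIN = "https://login.ezproxy.ucf.edu/login"

def starting_point_url(target: str, shibboleth: bool = True) -> str:
    """Build an EZproxy starting-point URL for `target`.

    The target is percent-encoded in full: left raw, an '&' inside the
    target's own query string would end the url= parameter early and the
    proxy would forward the user to a truncated address.
    """
    parts = urlsplit(target)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError(f"refusing non-http(s) or relative target: {target!r}")
    encoded = quote(target, safe="")
    if shibboleth:
        return f"{EZPROXY_LOGIN}?auth=shibb&url={encoded}"
    return f"{EZPROXY_LOGIN}?url={encoded}"  # assumed plain ?url= form

def target_of(starting_point: str) -> str:
    """Recover the target from a starting-point URL (the reverse operation)."""
    query = parse_qs(urlsplit(starting_point).query)
    return query["url"][0]

# Constructed sample target with its own query string (hypothetical publisher).
SAMPLE_TARGET = "https://publisher.example.org/article?id=42&view=full"
```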

Page 23

Inevitable paywalls

(Diagram label: LibX.)

Page 24

One login

Campus service: "He has a cookie. Here are his attributes."

(Diagram labels: publisher site; proxy server; mediated requests; publisher site; LibX.)

Page 25

Librarian Shibboleth summary

• Campus single sign-on with federated ID
• Lots of entry points from many UCF services
• Log in from one system may allow access to the other federation Shibboleth-enabled services
• WAYF on Shibboleth-enabled vendor sites
• Still need EZproxied links for most library content
• Shibboleth-enabled starting point URLs and LibX are a partial solution for seamless access

Page 26

Practical steps for librarians

• Ask I.T. to enable library partners
• Shibbolize EZproxy
• Explain VPN limitations to faculty
• Promote a custom LibX
• Ask vendors to participate in InCommon

Page 27

Thank you!

Athena Hoeppner
[email protected]
@cybrgrl

Page 28

Selected glossary

• Assertion - the identity information provided by an identity provider to a service provider.
• Attribute - a single piece of information. Some attributes are general; others are personal. Some subset of all attributes defines a unique individual. Examples of an attribute are name and enrollment.
• Attribute statement: asserts that a subject is associated with certain attributes. An attribute is simply a name-value pair. Relying parties use attributes to make access-control decisions.
• Authentication statement: a statement that the principal did indeed authenticate with the identity provider at a particular time using a particular method of authentication.
• Authorization decision statement: asserts that a subject is permitted to perform action A on resource R given evidence E.
• eduPerson - an LDAP object class to facilitate inter-institutional applications.
• entityID - ID that identifies an enterprise in a federation. Usually a URL that points to an XML file of info about the entity, such as the ID provider URL, and the network administrator.
• Federated identity - management of identity information between members of a federation.
• Identity provider (IdP) - the system that authenticates an entity.
• Service provider (SP) - makes online resources available to users based in part on information about them that it receives from other InCommon participants.
• Where Are You From (WAYF) - a server used by the Shibboleth software to determine what a user's home organization is.

http://en.wikipedia.org/wiki/Security_Assertion_Markup_Language#SAML_assertions
