www.kennisnet.nl
Naam van de Auteur
7 januari 2008
Kennisnet Entree: federated authentication
Pieter Bruring Technical Product Manager
Some figures
Total of 600.000 educational users in the Netherlands:•165 schools connected (300.000 estimated federative users)•300.000 Entree selfservice accounts
13 Service providers:•Educational online video streaming service•Government sites•Educational content providers•Webshop
EdReNe expert workshop - 26 February 2009 6
Elements of an authentication and authorisation service
EdReNe expert workshop - 26 February 2009 7
Users use different accounts to access websitesWebsites use centralised userstores (identity providers)
Rise of the Learning management systems as identity provider for schoolsFederated autentication, platforms function as hub
Confederation 2009
EdReNe expert workshop - 26 February 2009 10
Kennisnet content, educational publishers & educational video streaming services
Primary education, high schools and colleges
Higher Education,Universities
Surfnet, Universities, Publishers
High school teachers and students
Educational content providers (publishers)
central authorisation via webshop
A-Select
• Dutch authentication platform: www.a-select.org• Open Source• Not yet using standard SAML 2.0• It does however support Shiboleth via and agent and filter
solution• Used nationwide in DigID, provides users with a personalised
login code for authentication on websites from various governmental bodies
EdReNe expert workshop - 26 February 2009 11
A-Select protocol
A-Select interfacing: Service Provider
EdReNe expert workshop - 26 February 2009 12
3. Authentication Set SSO token
2. Go authenticate
4. user attributes
5. Set application token with attributes
1. URL
6. Redirect after authorisation
A-Select protocol
A-Select interfacing: Identity Provider
EdReNe expert workshop - 26 February 2009 13
3. “Go authenticate there”
1. “Where are you from?
2. “I belong to this organisation”
4. “my loginname & password”
5. Interface with userstore
6. “Is ok?”
7. “user authenticated ok”
8. “have a SSO token (cookie)”
A-Select IdP interfacing problems
A-Select IdP’s are very difficult to set up:
• Need for ‘foreign’ software in system (A-Select server)
• Need to develop custom A-Select AuthSP for non LDAP userstores, such as MySQL.
• A-Select protocol not an international standard, like SAML 2.0, Shiboleth
EdReNe expert workshop - 26 February 2009 14
Entree solution: Cookiemonster interface
EdReNe expert workshop - 26 February 2009 15
Requirements:• No need for ‘foreign’ software in system• Native authentication of user by VLE/LMS• Standardisation of user attributes sent to Entree• For security purposes assertion of trust needed
Consequence:No standard (eg SAML 2.0) fit the bill on ‘easy to implement’ due to maturity differences in VLE/LMS providers.
Goal:
Virtual Learning Environments and Learning Management Systems shall be connected to Entree using easy to implement webservices.
A-Select Cookiemonster
protocol
A-Select Entree expansion: LMS IdP webservices
EdReNe expert workshop - 26 February 2009 16
3. “Go authenticate there”
4. “my loginname & password”
6. User attributes using EduPerson schema
1. “Where are you from?
2. “I belong to this organisation”
5.Get attributes
8. “have a SSO token (cookie)”
Cookiemonster interface: results
EdReNe expert workshop - 26 February 2009 17
• Solution provides Single Sign On path directly from VLE/LMS to Service Provider.
• 1 month after introducing new interfacing method 100 schools were connected.
• Average development time for VLE/LMS provider is 2 weeks
The standards SAML 2.0 en OpenId are selected for these bridges
EdReNe expert workshop - 26 February 2009 19