ELAG Trondheim 2004

Distributed Access Control - BIBSYS and the FEIDE solution

Sigbjørn Holmslet, BIBSYS, Norway
Ingrid Melve, UNINETT, Norway



Some definitions

Authentication - Process of proving the identity of a user. (Who are you?)

Authorization - Process of granting or denying access rights for a resource to an authenticated user. (What are you allowed to do?)

Credentials - Information that includes identification and proof of identification that is used to gain access to resources. Examples of credentials are user names and passwords, smart cards, and certificates.

Problems in a distributed environment

• Lots of credentials
• Lots of registration and logon procedures

Distributed Access Control

Single Sign On (SSO)

SSO = challenges

• Technological issues
  • proxies
  • cookies
  • timeout

• Security issues
  • shared credentials
  • different security levels
  • trust

The trend in distributed access control

Some BIBSYS-facts

BIBSYS is an integrated library system used by all Norwegian University Libraries, the National Library, all College Libraries, and a number of research libraries.

The BIBSYS users

Primary users:
• Ca 2.500 librarians

End users:
• Ca 600.000 – patrons (not all active)
• Ca 4000 – academic users (research document database)
• 1000+ – users of other different systems

BIBSYS history of access control (the late eighties)

A1 = Authentication, A2 = Authorization

Diagram:
• Legacy System (cataloguing, search, etc): Users, UNIX pw. file. Access Control: A1 – Unix, A2 – User file

BIBSYS history of access control (mid. nineties)

A1 = Authentication, A2 = Authorization

Diagram:
• Legacy System: Users, UNIX pw. file. Access Control: A1 – Unix, A2 – User file
• Web search: Patrons. Access Control: A1 – Patron-ID, last name, A2 –
• ISI search: IP-list. Access Control: A1 – IP-filtering, A2 –

BIBSYS history of access control (late nineties)

A1 = Authentication, A2 = Authorization

Diagram:
• Legacy System: Users, UNIX pw. file. Access Control: A1 – Unix, A2 – User file
• Web search: Patrons. Access Control: A1 – Patron-ID, last name, A2 –
• ISI search: IP-list. Access Control: A1 – IP-filtering, A2 –
• Some web service: Apache pw. file. Access Control: A1 – Apache password-file (this box appears twice in the diagram)

BIBSYS in the late nineties

BIBSYS

BIBSYS Access Control Project

Goal:
• Provide interoperability between internal systems
• Offer access control to our patrons
• Avoid administration overhead
• Consider cross-organizational access control

BIBSYS Access Control Project

We considered two commercial access control systems:
• Candle/Cactus
• ISOS/Athens

Conclusion:
• Too expensive
• BIBSYS is not the right institution to host a cross-organizational access control system for our end users

Decisions:
• Develop our own access control for internal use
• Wait and see for a cross-organizational solution

A common role based access control system

Only access-relevant information: credentials, roles, IPs

[Diagram: Common role based access control system; other labels shown: Patrons, Users, UNIX pw. file, IP-list, Apache pw. file (twice)]

Starting point

A1 = Authentication, A2 = Authorization

Diagram:
• Legacy System: Users, UNIX pw. file. Access Control: A1 – Unix, A2 – User file
• Web search: Patrons. Access Control: A1 – Patron-ID, last name, A2 –
• ISI search: IP-list. Access Control: A1 – IP-filtering, A2 –
• Some web service: Apache pw. file. Access Control: A1 – Apache password-file (this box appears twice in the diagram)

Result (ideal)

[Diagram: Service A, Service B, Service C, Service D, Service E; Common role based access control system]

Result (real)

• Implemented a new role based access control system

• We released new personalized services for patrons and librarians

• Low administration costs (machine-generated password by email)

• Still some systems use their old access control

• The wait and see strategy paid off – result: FEIDE

Status of 2002

BIBSYS

New challenge

• Offering our users access through the FEIDE system

FEIDE (Federated Electronic Identity for Education)

Goals of the FEIDE project:

• Establish a common, secure electronic identity for Norwegian academic users.

• Implement the academic sector's system for reliable user data handling, secure identification of internet-service users and assignment of user access-rights.

• Common data model for persons

• Standardization/development of user management systems

• Provide a central login server

Integrating with the FEIDE system (I)

One year ago we released a pilot using the FEIDE authentication

• Application: Personalized services for patrons and librarians
• Technology: Java Servlets, Tomcat server
• Objective: technical issues (not performance)
• Available for a limited group of users

Integrating with the FEIDE system (II)

Efforts to make it work

• Received a Java-library, a Servlet Filter and a certificate from FEIDE
• Configured Tomcat to use the Servlet Filter
• Configured the Servlet Filter

Integrating with the FEIDE system (III)

Experiences with the pilot

• Easy to implement
• No errors throughout the test period
• The users were satisfied

Integrating with the FEIDE system (IV)

One obstacle: How to map a FEIDE user to a BIBSYS user?

Solution: The National Identity Number

BIBSYS have to extend the user database to include The National Identity Number

Overview of the logon process

[Diagram, steps numbered 1 to 9. Labels: User; FEIDE; MORIA; AT (LDAP-servers); BIBSYS (Tomcat servlet container); Filter; BIBSYS-services (servlets); BIBSYS users]

Future plans

• Let the pilot go into production within 3-4 months
• Try out the Single Sign On features of FEIDE
• Make use of other user attributes than only the National Identity Number. (For authorisation and for updating our own user data)