shibbole-me-this: one librarian's foray into shibboleth for better access
DESCRIPTION
An overview of Shibboleth and its use for providing access to library-subscribed resources. Lots of illustrations and brief explanations of the technologies involved, such as EZproxy, federated ID, single sign-on, and their limitations. Athena Hoeppner. “Shibble-Me-This: One Librarian's Foray into Shibboleth for Better Access.” Internet Librarian 2014, Monterey, CA, 27 October 2014.
TRANSCRIPT
Shibble-Me-This: One Librarian's Foray into Shibboleth for Better Access. An Illustrated Narrative
Athena Hoeppner, Electronic Resources Librarian, University of Central Florida
@cybrgrl #InternetLibrarian
[Illustrated slide] Campus service. Researcher at home. Dreaded paywall. Publisher site.
[Illustrated slide] Campus service. The long confusing slog: library server, publisher site.
[Illustrated slide] Yet another login: proxy server, mediated requests, publisher site, library server.
[Illustrated slide] Perspective… VPN! Security. Access!
Shibboleth daydreams
• Shibboleth is widely used by libraries and library vendors.
• Turn Shibboleth on and off in vendor admin
• Lots of user attributes shared
• Signed-in users will be able to use wild-web links
• Move between UCF systems without signing in
• Personalized experience
• Granular access control
Different priorities
Enterprise: single sign-on. Managed IDs. Security.
But, library: access…
Things I learned… Shibboleth is
• Standards based
• Open source
• Middleware
• Single sign-on across or within organizational boundaries.
• Created by InCommon, a sub-project of Internet2
https://shibboleth.net/about/
Shibboleth in context
• Not-for-profit networking consortium
• For U.S. research and education communities
https://shibboleth.net/consortium/
United Federation of Planets
• Operates the identity federation for Internet2
• Identity providers get single sign-on and privacy protection
• Service providers get access control
http://www.internet2.edu/products-services/trust-identity-middleware/incommon-federation
Things I learned…
• Security Assertion Markup Language (SAML)
• XML-based communication of user authentication, entitlement, and attributes.
• SAML allows entities to make assertions about users to other entities, such as a partner company or another enterprise application.
https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=security
[Illustrated slide] Campus service. Teacher at home. User credentials. LDAP. Authentication.
[Illustrated slide] Campus service, internal dialog. LDAP: authentication / user info. User credentials. “He is a UCF eduPerson.” “Check on this guy for me…” “Yeah. Here's his name and other data.” Attributes, assertions. “OK. He is entitled to my service.”
[Illustrated slide] User cred. “Do you know this guy?” He gets a cookie.
Meanwhile in I.T. …
Enterprise-wide federated ID and SSO:
• Learning management system
• OPAC/library accounts
• ILLiad
• EZproxy
Single sign-on!!
On to the library…
[Illustrated slide] Library server: “He has a cookie. Here are his attributes.” External service providers.
Library vendors in InCommon federation:
• HathiTrust
• EBSCOhost
• ProQuest
• EBL
• Elsevier
• JSTOR
• …
https://spaces.internet2.edu/display/inclibrary/targetresources
https://spaces.internet2.edu/display/inclibrary/registryofresources
[Illustrated slide] “OK.” “Enable, please!!” “They get our entityID, and we'll assert eduPerson.”
Paywall redux
[Illustrated slide] Publisher site. ??!
[Illustrated slide] WAYF – Where are you from. Publisher site.
[Illustrated slide] Single sign-on! “He has a cookie. I assert he is a UCF eduPerson.” Publisher site.
InCommon best practices for libraries
• Authorization via eduPerson attributes
• Implement WAYFless URLs
• Implement authenticated direct links to resources.
• Shibboleth-enable EZproxy
• Use Shibboleth-ready EZproxy starting point URLs
https://spaces.internet2.edu/display/inclibrary/best+practices
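What “authorization via eduPerson attributes” looks like on the service-provider side of the exchange drawn above, as an added illustration (example code written for this page, not from the talk, UCF or the Shibboleth project). It parses a constructed SAML 2.0 assertion with placeholder entityIDs and admits the user only if the assertion is addressed to this SP, is inside its validity window, and carries an eduPersonScopedAffiliation scoped to the subscribing institution.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SCOPED_AFFILIATION = "urn:oid:1.3.6.1.4.1.5923.1.1.1.9"  # eduPersonScopedAffiliation
# eduPerson affiliation values a library SP would normally treat as entitled.
LIBRARY_AFFILIATIONS = {"member", "faculty", "staff", "student", "employee", "library-walk-in"}

# Constructed sample assertion with placeholder entityIDs. A real one is signed, and the
# Shibboleth SP verifies that signature before any attribute-based decision like this.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:Issuer>https://idp.placeholder.edu/idp/shibboleth</saml:Issuer>
 <saml:Conditions NotBefore="2014-10-27T14:00:00Z" NotOnOrAfter="2014-10-27T14:05:00Z">
  <saml:AudienceRestriction>
   <saml:Audience>https://sp.placeholder-vendor.com/shibboleth</saml:Audience>
  </saml:AudienceRestriction>
 </saml:Conditions>
 <saml:AttributeStatement>
  <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9">
   <saml:AttributeValue>member@ucf.edu</saml:AttributeValue>
  </saml:Attribute>
 </saml:AttributeStatement>
</saml:Assertion>"""

def _ts(value):  # SAML timestamps are UTC, written with a trailing Z
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def attributes(root):
    """Attribute Name -> list of values from the AttributeStatement."""
    return {a.get("Name"): [v.text or "" for v in a.iterfind("saml:AttributeValue", NS)]
            for a in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS)}

def conditions_ok(root, our_entity_id, now):
    """Assertion is addressed to our entityID and `now` is inside its validity window."""
    cond = root.find("saml:Conditions", NS)
    if cond is None or not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        return False
    return our_entity_id in {a.text for a in cond.iterfind("saml:AudienceRestriction/saml:Audience", NS)}

def entitled(assertion_xml, our_entity_id, home_scope, now_iso):
    """SP-side decision: entitled only if the scoped affiliation is one we accept
    AND its scope is the subscribing institution (member@ucf.edu, not member@elsewhere)."""
    root = ET.fromstring(assertion_xml)
    if not conditions_ok(root, our_entity_id, _ts(now_iso)):
        return False
    for value in attributes(root).get(SCOPED_AFFILIATION, []):
        affiliation, _, scope = value.partition("@")
        if affiliation in LIBRARY_AFFILIATIONS and scope == home_scope:
            return True
    return False
```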
Single sign-on access!
EZproxy Shibb URLs
• EZproxy starting point URLs: https://login.ezproxy.ucf.edu/login?url=
• Shibbolized: https://login.ezproxy.ucf.edu/login?auth=shibb&url=
• Works well with LibX to proxy on the fly
• UCF deployed in: SFX, EBSCOhost Discovery… waiting to use in other services
Caveats:
• Some external systems are ready for this.
• Goes straight to the federated ID login - bypasses old library ID login.
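How a LibX-style “proxy on the fly” can build, recognize and unwrap these starting point URLs, as an added example (not code from the talk, UCF, LibX or OCLC). It assumes the login host shown on the slide and relies on EZproxy's documented rule that everything after `url=` is the target, which is why `auth=shibb` must precede it and why the link is never double-wrapped.

```python
import re
from urllib.parse import urlsplit

# Assumed values: the EZproxy host from the slide; another library substitutes its own.
EZPROXY_LOGIN = "https://login.ezproxy.ucf.edu/login"
EZPROXY_DOMAIN = "ezproxy.ucf.edu"

def proxiable(target: str) -> bool:
    """Only absolute http(s) links are worth wrapping; anything else (javascript:,
    data:, relative paths) is refused rather than handed to the proxy."""
    parts = urlsplit(target)
    return parts.scheme in ("http", "https") and bool(parts.netloc)

def is_proxied(url: str) -> bool:
    """True for a starting point URL or a link already rewritten to a proxy hostname."""
    host = urlsplit(url).hostname or ""
    return host == EZPROXY_DOMAIN or host.endswith("." + EZPROXY_DOMAIN)

def shibbolize(target: str, shibb: bool = True) -> str:
    """Wrap `target` in an EZproxy starting point URL, Shibboleth-ready by default.

    EZproxy takes everything after `url=` as the target, so the target is appended
    verbatim (no percent-encoding, query string and all) and `url=` must be the
    last parameter; that is why `auth=shibb` has to come first.
    """
    if not proxiable(target):
        raise ValueError(f"refusing to proxy a non-http(s) link: {target!r}")
    if is_proxied(target):
        return target  # already goes through the proxy; never double-wrap
    return EZPROXY_LOGIN + ("?auth=shibb&url=" if shibb else "?url=") + target

def unproxy(url: str) -> str:
    """Inverse of shibbolize: pull the target back out of a starting point URL."""
    if not url.startswith(EZPROXY_LOGIN + "?"):
        return url
    # leftmost `url=` parameter wins; everything after it, '&' included, is the target
    m = re.search(r"(?:^|&)url=(.*)$", url[len(EZPROXY_LOGIN) + 1:], re.DOTALL)
    return m.group(1) if m else url
```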
Inevitable paywalls
[Illustrated slide] LibX. One login. “He has a cookie. Here are his attributes.” Publisher site. Proxy server. Mediated requests. Publisher site. LibX.
Librarian Shibboleth summary
• Campus single sign-on with federated ID
• Lots of entry points from many UCF services
• Log in from one system may allow access to the other federation Shibboleth-enabled services
• WAYF on Shibboleth-enabled vendor sites
• Still need EZproxied links for most library content
• Shibboleth-enabled starting point URLs and LibX are a partial solution for seamless access
Practical steps for librarians
• Ask I.T. to enable library partners
• Shibbolize EZproxy
• Explain VPN limitations to faculty
• Promote a custom LibX
• Ask vendors to participate in InCommon
Selected glossary
• Assertion - the identity information provided by an identity provider to a service provider.
• Attribute - a single piece of information. Some attributes are general; others are personal. Some subset of all attributes defines a unique individual. Examples of an attribute are name and enrollment.
• Attribute statement: asserts that a subject is associated with certain attributes. An attribute is simply a name-value pair. Relying parties use attributes to make access-control decisions.
• Authentication statement: statement that the principal did indeed authenticate with the identity provider at a particular time using a particular method of authentication.
• Authorization decision statement: asserts that a subject is permitted to perform action A on resource R given evidence E.
• eduPerson - an LDAP object class to facilitate inter-institutional applications.
• entityID - ID that identifies an enterprise in a federation. Usually a URL that points to an XML file of info about the entity, such as the ID provider URL, and the network administrator.
• Federated identity - management of identity information between members of a federation.
• Identity provider (IdP) - the system that authenticates an entity.
• Service provider (SP) - makes online resources available to users based in part on information about them that it receives from other InCommon participants.
• Where Are You From (WAYF) - a server used by the Shibboleth software to determine what a user's home organization is.
http://en.wikipedia.org/wiki/Security_Assertion_Markup_Language#SAML_assertions
Some links to play with
Direct links to articles:
• Intelligent libraries and apomediators: distinguishing between Library 3.0 and Library 2.0.
• Perspective volume rendered motion: gaining insights virtually
Proxied with auth=shibb:
• Intelligent libraries and apomediators
• Perspective volume rendered motion
Proxied without auth=shibb:
• Intelligent libraries and apomediators
• Perspective volume rendered motion