shibbole-me-this: one librarian's foray into shibboleth for better access

SHIBBLE-ME-THIS: ONE LIBRARIAN’S FORAY INTO SHIBBOLETH FOR BETTER ACCESS. AN ILLUSTRATED NARRATIVE. ATHENA HOEPPNER, ELECTRONIC RESOURCES LIBRARIAN, UNIVERSITY OF CENTRAL FLORIDA. @CYBRGRL #INTERNETLIBRARIAN

Upload: athena-hoeppner

Post on 07-Jul-2015

DESCRIPTION

An overview of Shibboleth and its use for providing access to library-subscribed resources. Lots of illustrations and brief explanations of the technologies involved, such as EZproxy, federated ID, single sign-on, and their limitations. Athena Hoeppner. “Shibble-Me-This: One Librarian's Foray into Shibboleth for Better Access.” Internet Librarian 2014, Monterey, CA, 27 October 2014.

TRANSCRIPT

Page 1: Shibbole-Me-This: One Librarian's Foray Into Shibboleth For Better Access

SHIBBLE-ME-THIS: ONE LIBRARIAN’S FORAY INTO SHIBBOLETH FOR BETTER ACCESS. AN ILLUSTRATED NARRATIVE

ATHENA HOEPPNER, ELECTRONIC RESOURCES LIBRARIAN, UNIVERSITY OF CENTRAL FLORIDA

@CYBRGRL #INTERNETLIBRARIAN

Page 2: Shibbole-Me-This: One Librarian's Foray Into Shibboleth For Better Access

CAMPUS SERVICE

RESEARCHER AT HOME

Page 3: Shibbole-Me-This: One Librarian's Foray Into Shibboleth For Better Access

DREADED PAYWALL

PUBLISHER SITE

CAMPUS SERVICE

Page 4: Shibbole-Me-This: One Librarian's Foray Into Shibboleth For Better Access

THE LONG CONFUSING SLOG

LIBRARY SERVER

PUBLISHER SITE

Page 5: Shibbole-Me-This: One Librarian's Foray Into Shibboleth For Better Access

YET ANOTHER LOGIN

PROXY SERVER

MEDIATED REQUESTS

PUBLISHER SITE

LIBRARY SERVER

Page 6: Shibbole-Me-This: One Librarian's Foray Into Shibboleth For Better Access

PERSPECTIVE… VPN!

SECURITY. ACCESS!

Page 7: Shibbole-Me-This: One Librarian's Foray Into Shibboleth For Better Access

SHIBBOLETH DAYDREAMS

• SHIBBOLETH IS WIDELY USED BY LIBRARIES AND LIBRARY VENDORS.

• TURN SHIBBOLETH ON AND OFF IN VENDOR ADMIN

• LOTS OF USER ATTRIBUTES SHARED

• SIGNED-IN USERS WILL BE ABLE TO USE WILD-WEB LINKS

• MOVE BETWEEN UCF SYSTEMS WITHOUT SIGNING IN

• PERSONALIZED EXPERIENCE

• GRANULAR ACCESS CONTROL

Page 8: Shibbole-Me-This: One Librarian's Foray Into Shibboleth For Better Access

DIFFERENT PRIORITIES

ENTERPRISE: SINGLE SIGN ON. MANAGED IDS. SECURITY.

BUT, LIBRARY: ACCESS…

Page 9: Shibbole-Me-This: One Librarian's Foray Into Shibboleth For Better Access

THINGS I LEARNED… SHIBBOLETH IS

• STANDARDS BASED

• OPEN SOURCE

• MIDDLEWARE

• SINGLE SIGN-ON ACROSS OR WITHIN ORGANIZATIONAL BOUNDARIES.

• CREATED BY INCOMMON, A SUB-PROJECT OF INTERNET2

https://shibboleth.net/about/

Page 10: Shibbole-Me-This: One Librarian's Foray Into Shibboleth For Better Access

SHIBBOLETH IN CONTEXT

• NOT-FOR-PROFIT NETWORKING CONSORTIUM

• FOR U.S. RESEARCH AND EDUCATION COMMUNITIES

https://shibboleth.net/consortium/

Page 11: Shibbole-Me-This: One Librarian's Foray Into Shibboleth For Better Access

UNITED FEDERATION OF PLANETS

• OPERATES THE IDENTITY FEDERATION FOR INTERNET2

• IDENTITY PROVIDERS GET SINGLE SIGN-ON AND PRIVACY PROTECTION

• SERVICE PROVIDERS GET ACCESS CONTROL

http://www.internet2.edu/products-services/trust-identity-middleware/incommon-federation

Page 12: Shibbole-Me-This: One Librarian's Foray Into Shibboleth For Better Access

THINGS I LEARNED…

• SECURITY ASSERTION MARKUP LANGUAGE (SAML)

• XML-BASED COMMUNICATION OF USER AUTHENTICATION, ENTITLEMENT, AND ATTRIBUTES.

• SAML ALLOWS ENTITIES TO MAKE ASSERTIONS ABOUT USERS TO OTHER ENTITIES, SUCH AS A PARTNER COMPANY OR ANOTHER ENTERPRISE APPLICATION.

https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=security

Page 13: Shibbole-Me-This: One Librarian's Foray Into Shibboleth For Better Access

CAMPUS SERVICE

TEACHER AT HOME

USER CREDENTIALS

LDAP

AUTHENTICATION

Page 14: Shibbole-Me-This: One Librarian's Foray Into Shibboleth For Better Access

INTERNAL DIALOG

CAMPUS SERVICE — LDAP — AUTHENTICATION / USER INFO — USER CREDENTIALS

CAMPUS SERVICE: “DO YOU KNOW THIS GUY? CHECK ON THIS GUY FOR ME…” (USER CRED)

LDAP: “YEAH. HERE’S HIS NAME AND OTHER DATA.” (ATTRIBUTES / ASSERTIONS)

CAMPUS SERVICE: “HE IS A UCF EDU-PERSON. OK. HE IS ENTITLED TO MY SERVICE. HE GETS A COOKIE.”

Page 15: Shibbole-Me-This: One Librarian's Foray Into Shibboleth For Better Access

MEANWHILE IN I.T. …

ENTERPRISE-WIDE FEDERATED ID AND SSO:

• LEARNING MANAGEMENT SYSTEM

• OPAC/LIBRARY ACCOUNTS

• ILLIAD

• EZPROXY

SINGLE SIGN ON!!

Page 16: Shibbole-Me-This: One Librarian's Foray Into Shibboleth For Better Access

ON TO THE LIBRARY…

LIBRARY SERVER: “HE HAS A COOKIE. HERE ARE HIS ATTRIBUTES.”

Page 17: Shibbole-Me-This: One Librarian's Foray Into Shibboleth For Better Access

EXTERNAL SERVICE PROVIDERS

LIBRARY VENDORS IN INCOMMON FEDERATION:

• HATHI TRUST

• EBSCOHOST

• PROQUEST

• EBL

• ELSEVIER

• JSTOR

• …

https://spaces.internet2.edu/display/inclibrary/targetresources

https://spaces.internet2.edu/display/inclibrary/registryofresources

“OK. ENABLE, PLEASE!!”

“THEY GET OUR entityID, AND WE’LL ASSERT eduPerson.”

Page 18: Shibbole-Me-This: One Librarian's Foray Into Shibboleth For Better Access

PAYWALL REDUX

PUBLISHER SITE

??!

Page 19: Shibbole-Me-This: One Librarian's Foray Into Shibboleth For Better Access

WAYF – WHERE ARE YOU FROM

PUBLISHER SITE

Page 20: Shibbole-Me-This: One Librarian's Foray Into Shibboleth For Better Access

SINGLE SIGN-ON!

“HE HAS A COOKIE. I ASSERT HE IS A UCF eduPerson.”

PUBLISHER SITE

Page 21: Shibbole-Me-This: One Librarian's Foray Into Shibboleth For Better Access

INCOMMON BEST PRACTICES FOR LIBRARIES

• AUTHORIZATION VIA EDUPERSON ATTRIBUTES

• IMPLEMENT WAYFLESS URLS

• IMPLEMENT AUTHENTICATED DIRECT LINKS TO RESOURCES.

• SHIBBOLETH-ENABLE EZPROXY

• USE SHIBBOLETH-READY EZPROXY STARTING POINT URLS

https://spaces.internet2.edu/display/inclibrary/best+practices

SINGLE SIGN ON ACCESS!

Page 22: Shibbole-Me-This: One Librarian's Foray Into Shibboleth For Better Access

EZPROXY SHIBB URLS

• EZPROXY STARTING POINT URLS: https://login.ezproxy.ucf.edu/login?url=

• SHIBBOLIZED: https://login.ezproxy.ucf.edu/login?auth=shibb&url=

• WORKS WELL WITH LIBX TO PROXY ON THE FLY

• UCF DEPLOYED IN: SFX, EBSCOHOST DISCOVERY… WAITING TO USE IN OTHER SERVICES

CAVEATS:

• SOME EXTERNAL SYSTEMS ARE READY FOR THIS.

• GOES STRAIGHT TO THE FEDERATED ID LOGIN - BYPASSES OLD LIBRARY ID LOGIN.
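The two URL patterns on this slide, plus the WAYFless links from the InCommon best-practices slide, are the kind of thing LibX or a link resolver builds on the fly. The following is an added example, not code from the presentation, from OCLC's EZproxy, or from LibX. The EZproxy login host is the one on the slide; the list of proxied hosts, the vendor hostname and the IdP entityID are constructed assumptions. The WAYFless form uses the generic Shibboleth SP session-initiator handler (/Shibboleth.sso/Login with entityID and target), which vendor-specific WAYFless formats may differ from.

```python
"""Build EZproxy and WAYFless starting-point URLs for library links.

Added example (not the presentation's, EZproxy's or LibX's own code).
Only login.ezproxy.ucf.edu comes from the slide; everything else is assumed.
"""
from urllib.parse import urlencode, urlsplit

EZPROXY_LOGIN = "https://login.ezproxy.ucf.edu/login"   # from the slide

# Constructed list: hosts the library licenses and proxies. A real deployment
# derives this from the EZproxy config stanzas, not a hard-coded set.
PROXIED_HOSTS = {"www.jstor.org", "search.ebscohost.com", "www.sciencedirect.com"}


def ezproxy_url(target, shibb=True):
    """EZproxy starting-point URL for `target`.

    With shibb=True the auth=shibb parameter sends the user to the campus
    federated login instead of the old library ID form (the slide's caveat).
    The target is percent-encoded so its own query string cannot be mistaken
    for EZproxy parameters; `url` is kept as the last parameter.
    """
    params = {"auth": "shibb", "url": target} if shibb else {"url": target}
    return f"{EZPROXY_LOGIN}?{urlencode(params)}"


def proxy_on_the_fly(link):
    """LibX-style rewrite: only links to licensed hosts get the proxy prefix.

    Links to the 'wild web' are returned unchanged, so the proxy never becomes
    a general-purpose redirector for arbitrary destinations.
    """
    host = (urlsplit(link).hostname or "").lower()
    if host in PROXIED_HOSTS:
        return ezproxy_url(link)
    return link


def wayfless_url(sp_base, idp_entity_id, target):
    """WAYFless link for a vendor running the Shibboleth SP.

    The SP's /Shibboleth.sso/Login handler accepts entityID (preselects the
    home IdP, skipping the Where-Are-You-From page) and target (where to land
    after the SAML exchange). sp_base and idp_entity_id are assumed values.
    """
    query = urlencode({"entityID": idp_entity_id, "target": target})
    return f"{sp_base}/Shibboleth.sso/Login?{query}"


if __name__ == "__main__":
    article = "https://www.jstor.org/stable/123"
    print(ezproxy_url(article))
    print(ezproxy_url(article, shibb=False))
    print(proxy_on_the_fly("https://example.org/blog"))      # unchanged
    print(wayfless_url("https://publisher.example.com",
                       "https://idp.example.edu/idp/shibboleth",
                       "https://publisher.example.com/article/1"))
```

The host allow-list is the part worth keeping strict: a proxy prefix that is prepended to any link the user clicks turns EZproxy into an open redirector and proxies traffic the library never licensed.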

Page 23: Shibbole-Me-This: One Librarian's Foray Into Shibboleth For Better Access

INEVITABLE PAYWALLS

LibX

Page 24: Shibbole-Me-This: One Librarian's Foray Into Shibboleth For Better Access

ONE LOGIN

“HE HAS A COOKIE. HERE ARE HIS ATTRIBUTES.”

PUBLISHER SITE

PROXY SERVER

MEDIATED REQUESTS

PUBLISHER SITE

LibX

Page 25: Shibbole-Me-This: One Librarian's Foray Into Shibboleth For Better Access

LIBRARIAN SHIBBOLETH SUMMARY

• CAMPUS SINGLE SIGN-ON WITH FEDERATED ID

• LOTS OF ENTRY POINTS FROM MANY UCF SERVICES

• LOG IN FROM ONE SYSTEM MAY ALLOW ACCESS TO THE OTHER FEDERATION SHIBBOLETH-ENABLED SERVICES

• WAYF ON SHIBBOLETH-ENABLED VENDOR SITES

• STILL NEED EZPROXIED LINKS FOR MOST LIBRARY CONTENT

• SHIBBOLETH-ENABLED STARTING POINT URLS AND LIBX ARE A PARTIAL SOLUTION FOR SEAMLESS ACCESS

Page 26: Shibbole-Me-This: One Librarian's Foray Into Shibboleth For Better Access

PRACTICAL STEPS FOR LIBRARIANS

• ASK I.T. TO ENABLE LIBRARY PARTNERS

• SHIBBOLIZE EZPROXY

• EXPLAIN VPN LIMITATIONS TO FACULTY

• PROMOTE A CUSTOM LIBX

• ASK VENDORS TO PARTICIPATE IN INCOMMON

Page 27: Shibbole-Me-This: One Librarian's Foray Into Shibboleth For Better Access

THANK YOU! ATHENA HOEPPNER

[email protected]

@CYBRGRL

Page 28: Shibbole-Me-This: One Librarian's Foray Into Shibboleth For Better Access

SELECTED GLOSSARY

• ASSERTION - THE IDENTITY INFORMATION PROVIDED BY AN IDENTITY PROVIDER TO A SERVICE PROVIDER.

• ATTRIBUTE - A SINGLE PIECE OF INFORMATION. SOME ATTRIBUTES ARE GENERAL; OTHERS ARE PERSONAL. SOME SUBSET OF ALL ATTRIBUTES DEFINES A UNIQUE INDIVIDUAL. EXAMPLES OF AN ATTRIBUTE ARE NAME AND ENROLLMENT.

• ATTRIBUTE STATEMENT - ASSERTS THAT A SUBJECT IS ASSOCIATED WITH CERTAIN ATTRIBUTES. AN ATTRIBUTE IS SIMPLY A NAME-VALUE PAIR. RELYING PARTIES USE ATTRIBUTES TO MAKE ACCESS-CONTROL DECISIONS.

• AUTHENTICATION STATEMENT - STATEMENT THAT THE PRINCIPAL DID INDEED AUTHENTICATE WITH THE IDENTITY PROVIDER AT A PARTICULAR TIME USING A PARTICULAR METHOD OF AUTHENTICATION.

• AUTHORIZATION DECISION STATEMENT - ASSERTS THAT A SUBJECT IS PERMITTED TO PERFORM ACTION A ON RESOURCE R GIVEN EVIDENCE E.

• EDUPERSON - AN LDAP OBJECT CLASS TO FACILITATE INTER-INSTITUTIONAL APPLICATIONS.

• ENTITYID - ID THAT IDENTIFIES AN ENTERPRISE IN A FEDERATION. USUALLY A URL THAT POINTS TO AN XML FILE OF INFO ABOUT THE ENTITY, SUCH AS THE ID PROVIDER URL AND THE NETWORK ADMINISTRATOR.

• FEDERATED IDENTITY - MANAGEMENT OF IDENTITY INFORMATION BETWEEN MEMBERS OF A FEDERATION.

• IDENTITY PROVIDER (IDP) - THE SYSTEM THAT AUTHENTICATES AN ENTITY.

• SERVICE PROVIDER (SP) - MAKES ONLINE RESOURCES AVAILABLE TO USERS BASED IN PART ON INFORMATION ABOUT THEM THAT IT RECEIVES FROM OTHER INCOMMON PARTICIPANTS.

• WHERE ARE YOU FROM (WAYF) - A SERVER USED BY THE SHIBBOLETH SOFTWARE TO DETERMINE WHAT A USER'S HOME ORGANIZATION IS.

http://en.wikipedia.org/wiki/Security_Assertion_Markup_Language#SAML_assertions
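The "internal dialog" on page 14 (campus service asks the IdP about the user, gets attributes back, decides he is entitled and issues a cookie) and the glossary entries above for attribute statement, authentication statement and authorization decision map directly onto the parts of a SAML 2.0 assertion. The following is an added example, not code from the presentation or from the Shibboleth project: it parses a constructed assertion and makes the kind of eduPerson-based access decision the InCommon library best practices describe. The issuer, audience, timestamps and attribute values are assumptions; the attribute OIDs and the common-lib-terms entitlement value are the registered eduPerson ones. Signature verification is intentionally left to the Shibboleth SP, which performs it before attributes reach an application.

```python
"""Parse a SAML 2.0 assertion and make a library-style authorization decision.

Added example, not the presentation's or the Shibboleth project's code. The
assertion below is constructed: issuer, audience, subject and times are
assumed values, not real UCF or vendor identifiers.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# eduPerson attribute OIDs (from the eduPerson schema) and the common entitlement
EDU_PERSON_SCOPED_AFFILIATION = "urn:oid:1.3.6.1.4.1.5923.1.1.1.9"
EDU_PERSON_ENTITLEMENT = "urn:oid:1.3.6.1.4.1.5923.1.1.1.7"
COMMON_LIB_TERMS = "urn:mace:dir:entitlement:common-lib-terms"

# Constructed sample assertion: one authentication statement, one attribute
# statement, and the conditions that bound where and when it may be trusted.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example1" Version="2.0" IssueInstant="2014-10-27T15:00:00Z">
  <saml:Issuer>https://idp.example.edu/idp/shibboleth</saml:Issuer>
  <saml:Subject><saml:NameID>_pairwise-opaque-id</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2014-10-27T14:59:00Z" NotOnOrAfter="2014-10-27T15:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://publisher.example.com/shibboleth</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2014-10-27T15:00:00Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" FriendlyName="eduPersonScopedAffiliation">
      <saml:AttributeValue>member@example.edu</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" FriendlyName="eduPersonEntitlement">
      <saml:AttributeValue>urn:mace:dir:entitlement:common-lib-terms</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def _ts(value):
    """SAML timestamps are UTC xsd:dateTime; this handles the common 'Z' form."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_assertion(xml_text):
    """Extract the glossary's pieces: conditions, the authentication statement,
    and the attribute statement as a mapping of attribute name -> values."""
    root = ET.fromstring(xml_text)
    cond = root.find("saml:Conditions", NS)
    authn = root.find("saml:AuthnStatement", NS)
    attrs = {}
    for attr in root.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return {
        "issuer": root.findtext("saml:Issuer", namespaces=NS),
        "audiences": [a.text for a in root.iterfind(
            "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)],
        "not_before": _ts(cond.get("NotBefore")),
        "not_on_or_after": _ts(cond.get("NotOnOrAfter")),
        "authn_instant": _ts(authn.get("AuthnInstant")),
        "attributes": attrs,
    }


def authorize(assertion, my_entity_id, home_scope, now):
    """The SP's access-control decision from the asserted attributes.

    Returns (allowed, reason). Assumes the Shibboleth SP has already verified
    the XML signature; without that step none of these values can be trusted.
    """
    if my_entity_id not in assertion["audiences"]:
        return False, "assertion was not issued for this service provider"
    if not (assertion["not_before"] <= now < assertion["not_on_or_after"]):
        return False, "assertion is outside its validity window"
    affiliations = assertion["attributes"].get(EDU_PERSON_SCOPED_AFFILIATION, [])
    if f"member@{home_scope}" not in affiliations:
        return False, "subject is not a member of the subscribing institution"
    entitlements = assertion["attributes"].get(EDU_PERSON_ENTITLEMENT, [])
    if COMMON_LIB_TERMS not in entitlements:
        return False, "subject lacks the common-lib-terms entitlement"
    return True, "entitled: institution member with library terms; issue session cookie"


if __name__ == "__main__":
    parsed = parse_assertion(SAMPLE_ASSERTION)
    print(authorize(parsed, "https://publisher.example.com/shibboleth",
                    "example.edu", _ts("2014-10-27T15:01:00Z")))
```

The decision keys on a scoped affiliation and an entitlement rather than on a name, which is why the IdP on page 17 can "assert eduPerson" without releasing personal data: the SP learns that the subject is a member of the subscribing institution, not who the subject is.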