shibboleth protected proxy servers
DESCRIPTION
Shibboleth protected proxy servers: a case study from the Danish library sector. DEFF, Denmark's Electronic Research Library, was founded in 1998 to provide a joint IT strategy for the Danish research libraries and provides infrastructure and middleware for the libraries.
TRANSCRIPT
Jakob Gadegaard Bendixen, [email protected]
Shibboleth protected proxy servers
a case study from the Danish library sector

DEFF
Denmark's Electronic Research Library
Founded in 1998 to provide a joint IT strategy for the Danish research libraries
Provides infrastructure and middleware for the libraries

AAI
One of the original visions was to provide a standardized way to handle user administration and access control across institutional borders
Did anyone say federation…

The DEF key
An attempt was made to realize this vision through an ambitious project called 'The DEF key'.
A lot of effort was put in, but the project was dropped due to a conflict of interest

DEFF Services
DEFF negotiates licenses for accessing article databases and electronic periodicals for the research libraries
Most of these are campus-wide licenses and the access control is IP based

Challenge
How do we provide home access for the users such that
• Only registered users have access
• Access is through an ordinary web browser
• There is no need to change browser settings (necessary with ordinary proxy servers)

LDAP 2001
In 2001 a new project was launched to meet this specific challenge
• The lesson learned from the DEF key project was that it failed because it tried to be as general as possible
• So this time one of the goals was to design a solution which met only this specific challenge

The Solution
A network of LDAP servers (one for each involved institution) providing data for a centralized login controlling the access to a farm of rewriting proxy servers
[Diagram: Central login, LDAP (×3), Proxy server, Service Provider (×3)]
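The URL mapping a rewriting proxy performs, gated by the central login and a configured domain list, can be sketched as follows. This is an added example, not code from the DEFF setup; the proxy suffix, the domain list and the function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit, urlunsplit

PROXY_SUFFIX = ".proxy.example.org"  # hypothetical proxy domain
LICENSED_DOMAINS = {"journals.example.com", "db.example.net"}  # constructed list


def is_licensed(host):
    """True if host is a configured domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in LICENSED_DOMAINS)


def to_proxy(url):
    """Rewrite a provider link so the browser fetches it through the proxy.

    Returns None for anything outside the configuration, so unlisted links
    are left alone and the proxy never relays arbitrary sites.
    """
    parts = urlsplit(url)
    host = parts.hostname
    if parts.scheme not in ("http", "https") or not host or not is_licensed(host):
        return None
    # Simplification: ports are dropped and the proxy side is always https.
    return urlunsplit(("https", host + PROXY_SUFFIX,
                       parts.path, parts.query, parts.fragment))


def to_origin(proxy_url, session_ok):
    """Map an incoming proxy URL back to the provider URL, or refuse.

    session_ok stands in for the result of the central login check.
    """
    if not session_ok:
        raise PermissionError("login required")
    parts = urlsplit(proxy_url)
    host = (parts.hostname or "").lower()
    if not host.endswith(PROXY_SUFFIX):
        raise ValueError("not a proxy URL")
    origin = host[: -len(PROXY_SUFFIX)]
    # Re-check on the way in: the hostname is attacker-controlled input.
    if not is_licensed(origin):
        raise ValueError("domain not in configuration")
    return urlunsplit(("https", origin, parts.path, parts.query, ""))
```

Because the browser only ever sees ordinary hostnames under the proxy domain, no browser proxy settings are involved, and the provider still sees requests from the proxy's licensed IP address.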

Some Statistics
We have a solution running in production with
• 40+ user organizations
• ~ 250.000 users
• providing access to several hundred databases
• Configuration lists more than 7.000 domains

Is it perfect?
A short answer: no, but it is working
• 2 single points of failure (login and proxy)
• Centralized login = potential security issue
• Performance issue
• URL exchanging issue

Shibbolizing the setup
In 2005 we ran a pilot project to try to put Shibboleth access control on our proxy farm
The EZProxy has already been Shibbolized by the vendor. This version does not, however, fully meet our requirements
[Diagram: Identity Provider, WAYF, Proxy server, Service Provider (×3)]

Have you implemented it?
The short answer: no
The building of a Danish federation, DK-AAI, is in progress and we are awaiting the outcome of this project

Why use proxies at all?
Allows us to progress in building our federation without having to wait for the resource providers to get Shibboleth ready
Some resource providers probably will not be ready in this decade
[Diagram: Identity Provider, WAYF, Proxy server, Service Provider (×3)]
Questions and [email protected]
www.statsbiblioteket.dk
www.deff.dk
www.deff.dk/aai