
Thomas Lenggenhager, Thomas.lenggenhager@switch.ch

AAI for Libraries: Where and how can AAI be useful?

Bern, 20 November 2009

Slide 2: Overview
© 2009 SWITCH, AAI für Bibliotheken - Nov 2009

1. Short introduction to AAI
2. Access to licensed content
3. VO platform: collaboration of 'groups' across organizational boundaries

Slide 3: What does AAI stand for?

Authentifizierungs- und Autorisierungs-Infrastruktur (Authentication and Authorization Infrastructure)

AuthN & AuthZ

Slide 4: Without AAI

Diagram (legend: Authentication, Authorization, User management, Resource, Password): University A, Library B and University C each run their own resources (Student Admin, Web Portal, e-Learning, Literature DB, Research DB, e-Journals), each with its own user management and passwords.

• Laborious registration at every resource
• Unreliable and outdated user data
• Different login procedures
• Many passwords
• Many resources are not protected at all
• If protected, then often only by IP address

Slide 5: With AAI

Diagram: the same organizations and resources (University A, Library B, University C; Student Admin, Web Portal, e-Learning, Literature DB, Research DB, e-Journals), now connected through AAI.

• Registration at the individual resources is no longer needed
• Uniform login procedure
• Web single sign-on
• Opens up new resources to users
• Location-independent access

Slide 6: SWITCHaai Federation in Autumn 2009

Chart of the number of AAI-enabled accounts, the number of Resources and the number of Home Organizations; >95% coverage in higher education.

Slide 7: Shibboleth - The Software

• Open Source
• Based on the Security Assertion Markup Language (SAML)
• Internationally used by universities
• The word "Shibboleth" was used to identify members of a group

https://shibboleth.internet2.edu

Slide 8: AAI-enabling a Home Organization

Prerequisites:
• Authentication system
• User directory

• The Shibboleth Identity Provider (IdP) is a Java web application
• Web servers supported: Tomcat/JBoss; Apache + Tomcat/JBoss; IIS + Tomcat/JBoss

Diagram: the Principal (user) authenticates at the Identity Provider (Shibboleth running on a web application server), which draws on the organization's Authentication System and User Directory.

http://www.switch.ch/aai/howto

Slide 9: Shibboleth Service Provider for Apache/IIS

• Runs on: Linux, Solaris, Windows, Mac OS X, FreeBSD, …
• Protects static content and web applications
• shibd fetches attributes and propagates them
• Can authorize users with Apache directives or Shibboleth XML access rules
• Provides attributes to applications, as an alternative authorization method

Diagram: Apache/IIS web server with the modules mod_shib, mod_php and mod_jk, alongside the shibd daemon; a PHP application, and Tomcat hosting Java applications 1 and 2.

Slide 10: Demo

http://www.switch.ch/aai/demo/

Slide 11: SWITCHaai Project Timeline

Timeline chart, 2001 to 2009 (phases shown: Study, Architecture, Evaluation, Pilot, Implementation, Production; Shibboleth 1.3 and Shibboleth 2.x):
• Nov 1999: term AAI first mentioned in a document
• Nov 2000: AAI Workshop
• 2004 - 2007: AAI Subsidies
• 2008 - 2011: AAA/SWITCH

Slide 12: What is a Federation?

• A set of organizations agreeing on a common set of rules and standards
• Goal: cooperate in inter-organizational authentication, authorization and accounting
• Common trust: legal and technical

Slide 13: Federation Metadata

XML file (e.g. metadata.switchaai.xml) that contains a list of:
• Accepted root CA certificates
• Descriptions of Identity Providers (incl. embedded certificates)
• Descriptions of Service Providers (incl. embedded certificates)

SWITCHaai metadata is signed by SWITCH.

The metadata technically describes the federation!

http://www.switch.ch/aai/metadata

Slide 14: The SWITCHaai Federation

• SWITCH is the operator of the SWITCHaai Federation
• An organization becomes a member of the federation by signing the Service Agreement

Slide 15: Legal framework for SWITCHaai

Layered diagram:
• Federal law and cantonal law (especially data protection)
• SWITCHaai Policy
• Service Agreement
• User Regulations of each participating organization (Org 1, Org 2, ..., Org n)

Slide 16: SWITCHaai Attributes

Personal: Unique identifier, Surname, Given name, E-mail, User ID, Matriculation number, Employee number, Address(es), Phone number(s), Preferred language, Date of birth, Gender

Group membership: Home Organization name, Home Organization type, Affiliation, Study branch, Study level, Staff category, Group membership, Organization path, Organizational unit path

Implementation of attributes: each attribute is marked on the slide as either mandatory, or recommended/optional.

Based on eduPerson attributes and the "Schweizerisches Hochschulinformationssystem" (SHIS)

NO password

http://www.switch.ch/aai/attributes

Slide 17: Attribute Based Authorization Example

Dermatology Online with Interactive Technology (DOIT), http://www.cyberderm.net

Authorization rule:
• HomeOrg = UZH | UniBE | UNIL
• Affiliation = Student
• StudyBranch = Medicine
• StudyLevel = 20
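The DOIT rule above, evaluated the way a Service Provider would evaluate it over the attributes released by a user's Home IdP; this is an added example, not SWITCH's or DOIT's code. The attribute names are the slide's labels (HomeOrg, Affiliation, StudyBranch, StudyLevel) rather than the formal SWITCHaai attribute names, and the three users are constructed.

```python
"""Attribute-based authorization rule as on the DOIT slide (added example,
not SWITCH's or DOIT's code). Attribute names are the slide's labels
(HomeOrg, Affiliation, StudyBranch, StudyLevel), not the formal SWITCHaai
attribute names; the allowed values are the rule shown on the slide."""

# The slide's rule: HomeOrg = UZH | UniBE | UNIL, Affiliation = Student,
# StudyBranch = Medicine, StudyLevel = 20. Every attribute must match.
DOIT_RULE = {
    "HomeOrg": {"UZH", "UniBE", "UNIL"},
    "Affiliation": {"Student"},
    "StudyBranch": {"Medicine"},
    "StudyLevel": {"20"},
}


def evaluate(rule, attributes):
    """Return (allowed, reasons).

    `attributes` is what the user's Home IdP released to the SP: name -> list
    of values (SAML attributes can be multi-valued, e.g. Affiliation).
    A missing attribute denies, as does a value outside the allowed set; the
    reasons list names every failing attribute so the SP can log the denial.
    """
    reasons = []
    for name, allowed in rule.items():
        values = attributes.get(name, [])
        if isinstance(values, str):          # tolerate a single string value
            values = [values]
        if not values:
            reasons.append(f"{name}: not released by IdP")
        elif not allowed.intersection(values):
            reasons.append(f"{name}: {values} not in {sorted(allowed)}")
    return (not reasons, reasons)


# Constructed attribute sets for three hypothetical users.
MED_STUDENT_UZH = {"HomeOrg": ["UZH"], "Affiliation": ["Student", "Member"],
                   "StudyBranch": ["Medicine"], "StudyLevel": ["20"]}
LAW_STUDENT_UNIBE = {"HomeOrg": ["UniBE"], "Affiliation": ["Student"],
                     "StudyBranch": ["Law"], "StudyLevel": ["20"]}
STAFF_UNIL = {"HomeOrg": ["UNIL"], "Affiliation": ["Staff"]}   # no study attributes

if __name__ == "__main__":
    for label, attrs in [("medicine student", MED_STUDENT_UZH),
                         ("law student", LAW_STUDENT_UNIBE),
                         ("staff member", STAFF_UNIL)]:
        ok, why = evaluate(DOIT_RULE, attrs)
        print(f"{label}: {'ALLOW' if ok else 'DENY'} {why}")
```

The deny-by-default on a missing attribute matters in practice: an IdP releases only the attributes the SP has asked for, so an attribute absent from the assertion must never be treated as a match.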

Slide 18: AAI - Essential Facts

AAI makes life easier for everybody:
• Collaboration between multiple organizations is simplified
• User data is maintained only once
• Authentication only at the user's home organization
• Users have a single account for all their services

Slide 19: Overview

1. Short introduction to AAI
2. Access to licensed content
3. VO platform: collaboration of 'groups' across organizational boundaries

Slide 20: Status of the Federation Partners

• Dawson Books
• EBSCO: EBSCOhost
• Elsevier: ScienceDirect; Scopus (only licensed by EPFL)
• H.W. Wilson: WilsonWeb
• MetaPress: SpringerLink and many other publishers
• S. Karger AG
• SAGW: InfoClio
• Schweizerisches Bundesgericht: Web Zugang für Juristen (web access for lawyers)
• Thomson Reuters Inc.: ISI Web of Knowledge
• Universitätsbibliothek Freiburg, DE: ReDI
• Apple Sales International: Apple Neptun Store
• ETH Alumni Vereinigung
• Instruct: CASUS
• Jobzippers: Jobzippers
• Microsoft Schweiz AG: DreamSpark / Microsoft Software Download
• Netenviron GmbH
• polyright SA

Slide 21: E-content providers with Shibboleth

Slide 22: Access to a Shibbolized Provider of e-Journals

Diagram: a Uni Zürich user at home opens the SFX link list on the Uni Zürich web site and is redirected to Elsevier ScienceDirect, which offers both Shibboleth login and an IP filter; the home user, being outside the campus IP range, logs in via Shibboleth.

Slide 23: Access to a Non-Shibbolized Provider of e-Journals

Diagram: a Uni Zürich user at home opens the SFX link list and is redirected to EZproxy, which is protected by Shibboleth; EZproxy rewrites the links and forwards the requests to Nature, which only has an IP filter and therefore checks the proxy's campus address.

Slide 24: Links on publishers and AAI

• JISC (UK): Service Provider Interface Study, http://sites.google.com/site/publisherinterfacestudy/
• InCommon (US): InC-Library working group, https://spaces.internet2.edu/display/inclibrary/InC-Library
• How to create direct login links (bookmarks) without the detour through the Discovery Service: http://switch.ch/aai/support/serviceproviders/sp-compose-login-url.html

Slide 25: Overview

1. Short introduction to AAI
2. Access to licensed content
3. VO platform: collaboration of 'groups' across organizational boundaries

Slide 26: The VO Problem

• Support for Virtual Organizations across institutional boundaries is unsolved: who belongs to the VO, who does not? Where to store VO-specific attributes shared by multiple services?
• Storing VO-specific info in the Home Organizations' Identity Providers is unfeasible
• Virtual Organization = a group of collaborating individuals

Slide 27: The Idea

• Use VO platform(s) to store VO-specific info
• Let the SP aggregate attributes from the user's Home Institution and from the VO platform(s)
• Use a shared identifier between all involved entities
• Use standard SAML 2 back-channel attribute queries to SAML 2 Attribute Authorities

Slide 28: The Library Use Case

• The VO: Swiss university libraries; in the beginning the IDS libraries with Ex Libris Aleph. Primary interest of IDS: get rid of the proprietary Aleph «Shared User File»
• VO services: the Aleph library systems using Shibboleth with Ex Libris PDS
• A new central Library Identity Provider for all users without an AAI account (not included on the following slides)
• Proposal for an E-lib.ch web portal sub-project

Slide 29: The Components

• University Identity Providers
• Aleph systems with PDS
• Library VO system

Slide 30: User registers on the VO Platform (diagram)

Slide 31: Shared ID

• Attribute known by the Home IdP, the VO Services' SP and the VO Platform
• Used as SAML 2 persistent NameIdentifier for the attribute request
• Could be a common identifier like swissEduPersonUniqueID; rather unlikely for generic VOs, and problematic if IDs are already widely known
• Could also be a value of the form eduPersonTargetedID that is generated by the IdP for an SP or a group of VO SPs declared with:

<EntityDescriptor entityID="http://vo.example.org/biomed">
  <AffiliationDescriptor affiliationOwnerID="http://vo.example.org/vo">
    <AffiliateMember>http://vo.example.org/vo</AffiliateMember>
    <AffiliateMember>http://vo1.example1.org/sp1</AffiliateMember>
    <AffiliateMember>http://vo1.example2.org/sp2</AffiliateMember>
  </AffiliationDescriptor>
</EntityDescriptor>

Slide 32: User connects to a VO Service (diagram with four numbered steps)

Slide 33: VO Service aggregates attributes

Knowing a Shared ID, a VO Service is able to aggregate attributes without user interaction.

Use the SP tool resolvertest.

Diagram with three numbered steps.
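The shared ID of slide 31 and the aggregation of slide 33, worked through as an added Python example (not SWITCH's or Shibboleth's code): the IdP derives one targeted identifier per audience, and because the VO platform and the VO SPs are grouped in one AffiliationDescriptor they all receive the same value, while an unrelated SP gets an unlinkable one. The HMAC construction is illustrative rather than the Shibboleth IdP's exact algorithm; the entity IDs are those from the slide's metadata, and the IdP secret, the unrelated SP and all user data are constructed.

```python
"""Shared ID for a VO and attribute aggregation by a VO service (added example,
not SWITCH's or Shibboleth's code). The targeted-ID derivation is an illustrative
HMAC, not the Shibboleth IdP's exact algorithm; the entity IDs come from the
slide's AffiliationDescriptor, all user data is constructed."""
import hashlib
import hmac

IDP_SECRET = b"constructed-idp-salt"   # known only to the Home IdP

# From the slide's metadata: the affiliation that groups VO platform and VO SPs.
AFFILIATION_ID = "http://vo.example.org/vo"
AFFILIATE_MEMBERS = {"http://vo.example.org/vo",
                     "http://vo1.example1.org/sp1",
                     "http://vo1.example2.org/sp2"}
UNRELATED_SP = "http://library.example.org/opac"   # constructed, not a VO member


def audience_for(sp_entity_id):
    """For an AffiliateMember the IdP scopes the ID to the whole affiliation,
    so the platform and every VO SP receive the same value for one user."""
    return AFFILIATION_ID if sp_entity_id in AFFILIATE_MEMBERS else sp_entity_id


def targeted_id(local_user_id, sp_entity_id):
    """eduPersonTargetedID-style value usable as SAML 2 persistent NameID:
    opaque, stable for one audience, unlinkable across audiences."""
    msg = f"{audience_for(sp_entity_id)}!{local_user_id}".encode()
    return hmac.new(IDP_SECRET, msg, hashlib.sha256).hexdigest()


VO_PLATFORM = {}   # shared ID -> VO-specific attributes, filled at registration


def register_on_vo_platform(local_user_id, vo_attrs):
    """The user logs in at the VO platform (slide 30), which stores the VO
    attributes under the shared ID it received from the Home IdP."""
    VO_PLATFORM[targeted_id(local_user_id, AFFILIATION_ID)] = dict(vo_attrs)


def aggregate(shared_id, home_attrs):
    """A VO SP that knows the shared ID merges the Home IdP's attributes with
    those fetched from the VO platform (a SAML 2 attribute query in practice),
    without user interaction. Home IdP attributes stay authoritative."""
    return {**VO_PLATFORM.get(shared_id, {}), **home_attrs}
```

Keeping the Home IdP's attributes authoritative in the merge means a VO platform can add roles but cannot rewrite affiliation or home organization, which is the property a library SP relies on when it combines both sources.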

Slide 34: SWITCHaai Link Collection

• How to join SWITCHaai? http://www.switch.ch/aai/join
• AAI support information: http://www.switch.ch/aai/support or ask aai@switch.ch
• AAI-announce mailing list: http://lists.switch.ch/mailman/listinfo/aai-announce
• The AAI demo: http://www.switch.ch/aai/demo