AAI für Bibliotheken - SWITCH€¦ · Thomas Lenggenhager [email protected] AAI für...

Thomas [email protected]

AAI für BibliothekenWo und wie kann AAI nützlich sein?

Bern, 20. November 2009

2© 2009 SWITCH AAI für Bibliotheken - Nov 2009

Übersicht

Kurze Einführung in AAI

Zugriff auf lizenzierte Inhalte

VO Plattform:Kollaboration von ‚Gruppen‘ überOrganisationsgrenzen hinweg

1

2

3


Wofür steht AAI?

Authentifizierungs- und Autorisierungs-InfrastrukturAuthentication Authorization Infrastructure

AuthN & AuthZ


AutorisierungBenutzerverwaltungAuthentifizierung Ressource Passwort

• Aufwendige Registrierungbei allen Ressourcen

• Unzuverlässige undveraltete Daten

• VerschiedeneLogin-Verfahren

• Viele Passworte• Viele Ressourcen

werden nicht geschützt• Wenn geschützt,

dann oft nur durchIP-Adressen

Ohne AAI

Universität A

Bibliothek B

Universität C

Student AdmWeb Portale-Learning

Literatur DB

e-LearningResearch DB

e-Zeitschriften


AutorisierungBenutzerverwaltungAuthentifizierung Ressource Passwort

• Registrierung bei denRessourcen entfällt

• EinheitlichesLogin-Verfahren

• Web Single-Sign-On• Erschliesst Benutzern

neue Ressourcen• Standort-unabhängig

Mit AAI

Universität A

Bibliothek B

Universität C

AAIStudent AdmWeb Portale-Learning

Literatur DB

e-LearningResearch DB

e-Zeitschriften


SWITCHaai Federation in Autumn 2009

# AAI enabled accounts # Resources

>95% coverage inhigher education

# Home Organizations


• Open Source

Word Shibboleth was used toidentify members of a group

• Based on Security AssertionMarkup Language (SAML)

• Internationally used by universities

https://shibboleth.internet2.edu

Shibboleth - The Software

https://shibboleth.internet2.edu


AAI-enabling a Home Organization

Prerequisite• Authentication System• User Directory

• Shibboleth Identity Provider(IdP) is a Java WebApp

Web Servers supported• Tomcat/JBoss• Apache + Tomcat/JBoss• IIS + Tomcat/JBoss

UserDirectory

Principal

Identity Provider

WebAppServer

Shib

bole

th

http://www.switch.ch/aai/howto

AuthenticationSystem

http://www.switch.ch/aai/howto


Shibboleth Service Provider for Apache/IIS

• Runs on: Linux, Solaris, Windows, Mac OS X, FreeBSD, …

• Protects static contentand web applications

• shibd fetches attributesand propagates them

• Can authorize users with Apache directives Shibboleth XML Access rules

• Provides attributes to applications Alternative authorization method

Apache/IISWeb server

Modulesmod_shib mod_php mod_jk

PHPApplication Tomcat

JavaApplication

1

JavaApplication

2

shibd


Demo

http://www.switch.ch/aai/demo/

http://www.switch.ch/aai/demo/


2001 2002 2003 2004 2005 2006 2007

Implemen-tationPilot Production Study

ArchitectureEvaluation

Shibboleth Shibboleth 2.x

Nov 1999: Term AAI first time mentioned in a documentNov 2000: AAI Workshop

2008

AAI Subsidies2004 - 2007

2009

AAA/SWITCH2008 - 2011

Shibboleth 1.3

SWITCHaai Project Timeline


• A set of organizations agreeing on acommon set of rules and standards

• Goal Cooperate in inter-organizationalauthentication, authorization and accounting

Common trust• Legal

• Technical

What is a Federation?


Federation Metadata

XML File (e.g. metadata.switchaai.xml) that contains list of:• Accepted Root CA certificates• Description of Identity Providers

(incl. embedded certificates)• Description of Service Providers

(incl. embedded certificates)

SWITCHaai Metadata is signed by SWITCH

Metadata technically describes federation!

http://www.switch.ch/aai/metadata

http://www.switch.ch/aai/metadata


Die SWITCHaai Föderation• SWITCH ist der Betreiber der SWITCHaai Föderation• Mitglied der Föderation durch Unterschreiben des Service Agreements


Rechtlicher Rahmen für SWITCHaaiBundesrecht, kantonales Recht (speziell Datenschutz)

SWITCHAAI Policy

Service Agreement

Org n

User Regulations

Org ...

User Regulations

Org 2

User Regulations

Org 1

User Regulations


PersonalUnique IdentifierSurnameGiven nameE-mail

User IDMatriculation numberEmployee numberAddress(es)Phone number(s)Preferred languageDate of birthGender

Group MembershipHome Organization NameHome Organization TypeAffiliation

Study branchStudy levelStaff categoryGroup membershipOrganization PathOrganizational Unit Path

SWITCHaai Attributes

Implementation of Attributes Mandatory Recommended or optional

Based on eduPerson Attributes “Schweizerisches

Hochschulinformations-system” (SHIS)

NO password

http://www.switch.ch/aai/attributes

http://www.switch.ch/aai/attributes


Dermatology Online with Interactive Technology (DOIT)

Attribute Based Authorization Example

Authorization RuleHomeOrg = UZH | UniBE | UNILAffiliation = StudentStudyBranch = MedicineStudyLevel = 20DOIT: http://www.cyberderm.net

http://www.cyberderm.net


AAI makes life easier for everybody

Collaboration between multipleorganizations is simplified

User data is maintainedonly once

Authentication only atuser’s home organization

Users have a single accountfor all their services

AAI - Essential Facts


Übersicht




1

2

3


Status der Federation Partner

• Dawson Books• EBSCO• EBSCOhost• Elsevier• ScienceDirect• Scopus (only licensed by EPFL)• H.W. Wilson• WilsonWeb• MetaPress• SpringerLink and many other publishers• S. Karger AG• SAGW• InfoClio• Schweizerisches Bundesgericht• Web Zugang für Juristen• Thomson Reuters Inc.• ISI Web of Knowledge

• Universitätsbibliothek Freiburg, DE• ReDI

• Apple Sales International• Apple Neptun Store• ETH Alumni Vereinigung• Instruct• CASUS• Jobzippers• Jobzippers• Microsoft Schweiz AG• DreamSpark / Microsoft Software

Download• Netenviron GmbH• polyright SA


E-content Provider mit Shibboleth


Uni Zürich

WWW

SFX

ElsevierScienceDirect

ShibIP-Filter

redirect redirect

link listlink list

Access to a Shibbolized Provider of e-Journals

Uni Zürich userat home


Uni Zürich

WWW

SFX

NatureIP-Filter

EZproxy Shib

link listlink list

redirect redirect

redirect

rewrite

Access to a Non-Shibbolized Provider of e-Journals

Uni Zürich userat home


Links zu Publisher und AAI

• JISC (UK): Service Provider Interface Study http://sites.google.com/site/publisherinterfacestudy/

• InCommon (US): Arbeitsgruppe InC-Library https://spaces.internet2.edu/display/inclibrary/InC-Library

• Wie kann ich direkte Login Links (Bookmarks) machen,ohne Umweg über den Discovery Service? http://switch.ch/aai/support/serviceproviders/sp-compose-login-url.html

http://sites.google.com/site/publisherinterfacestudy/

https://spaces.internet2.edu/display/inclibrary/InC-Library

http://switch.ch/aai/support/serviceproviders/sp-compose-login-url.html


Übersicht




1

2

3


The VO Problem

• Support for Virtual Organizations across institutionalboundaries is unsolved Who belongs to the VO, who not? Where to store VO specific attributes shared by multiple services?

• Storing VO specific info in the Home OrganizationIdentity Providers is unfeasible

• Virtual Organization = A group of collaborating individuals


The Idea

• Use VO Platform(s) to store VO specific info

• Let SP aggregate attributes from users Home Institution, and from VO Platform(s)

• Use a shared identifier between all involved entities

• Use standard SAML 2 back-channel attribute queriesto SAML 2 Attribute Authorities


The Library Use Case

• The VO: Swiss University Libraries In the beginning the IDS libraries with Ex Libris Aleph Primary interest of IDS: get rid of the proprietary Aleph «Shared User File»

• VO Services The Aleph library systems using Shibboleth with Ex Libris PDS

• A new central Library Identity Provider for all userswithout an AAI account(not included on the following slides)

• Proposal for an E-lib.ch web portal sub project


The Components

Universitäts Identity Provider

Aleph Systeme mit PDS

Bibliotheks VO System


User registers on the VO Platform


Shared ID

• Attribute known by Home IdP, VO Services SP and VO Platform• Used as SAML 2 Persistent NameIdentifier for attribute request• Could be a common identifier like swissEduPersonUniqueID Rather unlikely for generic VOs Problematic if IDs are already widely known

• Could also be a value of the form eduPersonTargetedID that isgenerated by the IdP for an SP or group of VO SPs with:

<EntityDescriptor entityID="http://vo.example.org/biomed"> <AffiliationDescriptor affiliationOwnerID="http://vo.example.org/vo"> <AffiliateMember>http://vo.example.org/vo</AffiliateMember> <AffiliateMember>http://vo1.example1.org/sp1</AffiliateMember> <AffiliateMember>http://vo1.example2.org/sp2</AffiliateMember> </AffiliationDescriptor></EntityDescriptor>


User connects to a VO Service

1)

2)

3)

4)


VO Service aggregates attributes

Knowing a Shared ID,a VO Service is able to aggregateattributes without user interaction

Use SP tool resolvertest

1)2)

3)


SWITCHaai Link Collection

• How to join SWITCHaai? http://www.switch.ch/aai/join

• AAI Support Information http://www.switch.ch/aai/support or ask [email protected]

• AAI-announce Mailinglist http://lists.switch.ch/mailman/listinfo/aai-announce

• The AAI Demo http://www.switch.ch/aai/demo

http://www.switch.ch/aai/join

http://www.switch.ch/aai/support

http://lists.switch.ch/mailman/listinfo/aai-announce

http://www.switch.ch/aai/demo

AAI für Bibliotheken - SWITCH€¦ · Thomas Lenggenhager [email protected] AAI für...

Documents

Transcript of AAI für Bibliotheken - SWITCH€¦ · Thomas Lenggenhager [email protected] AAI für...