Lir glenn wearen
1. Why are HEAnet in this space?
– Collaborative, shared and cloud services
– IP address access control and IPv6
– Synergy with eduroam (single credential, eduGAIN)
– NREN fulfils the role of federation operator

2. Terminology
Single Log On
• single point of authentication
• synchronised account and credentials
• authenticate to each application
Single Sign On (SSO)
• single point of authentication
• single credential, single account
• authenticate once

3. Edugate
Identity Provider
• Authenticates user and provides user data
• Personal, non-personal or none
Service Provider
• Authorises access based on incoming data
• Personalises experience based on incoming data
• Persists the experience between sessions
• Links application data with incoming data

4. Edugate – Identity Providers
• Institutes of Technology
• Universities
• Research agencies on the HEAnet network
• Expanded set in the future
5. Edugate – Potential Services
• Institutional services
  » Any website requiring a login [for non-campus users]
• Shared services
  » HEAnet services, An Cheim services, IReL, NDLR
• Academic content
  » Publishers (EBSCO, Elsevier, JSTOR) and databases
• Research portals
  » Or any cross-institutional research group resource
• Organisations offering academic discount
  » Microsoft Dreamspark, o2, Travelcard

6. Edugate – Potential Services
Bodington.org, Horde, TWiki, Science Direct, Proquest, Condor, Joomla, uPortal, ExLibris, Serial Solutions, Confluence Wiki, LionShare, WordPress, JSTOR, SCRAN, Darwin Streaming, MediaWiki, Zope + Plone, The Literary Encyclopedia, Thomson Gale, Dokuwiki, Mahara, Live@edu, EZproxy, Drupal, MyProxy, ArtSTOR, Metapress, Blackboard, DSpace, Napster, Elluminate, Moodle, CLIX, eAcademy, PHEAA, CSA, OCLC, Sakai, Fedora Repository, Sharepoint, Digitalbrain, Ovid, WebAssign, Google Apps, SYMPA, EBSCO, Project MUSE, WebCT, GridSphere/GridShib, Symplicity, Elsevier, Thomson Reuters, TurnItIn, Zetoc, Dawsonera, TargetConnect

7. Edugate – Internationally
AT ACOnet-AAI
AU Australian Access Federation (AAF)
CA Canadian Access Federation (CAF)
CH SWITCHaai
CZ eduID.cz
DE DFN-AAI
DK WAYF
ES SIR
FI Haka
FR Fédération Éducation-Recherche
GR GRNET
HR AAI@EduHr
HU NIIF AAI
IE Edugate
IT IDEM
LV LAIFE
NL SURFnet
NO FEIDE
PT RCTSaai
SE SWAMID
UK UK Access Management Federation for Education and Research
US InCommon
eduGAIN to connect these federations
8. UK Access Mgmt. Fed.
• The Athens service was proprietary and library-only
• Open standards were used for non-library services
• The UK Access Management Federation provides an alternative to Athens that allows a single access platform to serve both library and non-library services
• 800 members; all UK Higher Education Institutions have joined the UK Access Management Federation
• 50% of those institutions use it to gain access to library content using Shibboleth
• 50% use the Athens Gateway to federated access
• Publisher support for Shibboleth is approximately 50%
9. Edugate – Based on the SAML2 Protocol
• Interoperable Web-SSO Profile (saml2int.org)
  – Shibboleth 2, simpleSAMLphp
  – Oracle, IBM, Ping and Microsoft ADFS v2
Implementation
  – Service Provider
    • Web server plug-in (optional application integration)
  – Identity Provider
    • Web application with connection to campus directory

10. Edugate – SAML
Z39.50 Protocol
• Search multiple targets at the same time
• Retrieve
SAML Protocol
• Authenticate with multiple targets as needed
• Authorise

11. Edugate – Authentication
• Responsibility of the institution
• Usually LDAP, but other options available
Authorization
– Controlled by the service provider
– Institution can filter users before service provider
– Based on the user's attributes

12. Edugate – Attributes
• GivenName, surname, email & Organisation
  – Joseph, Bloggs, joe.bloggs@um.ie, University of Mullingar
• EduPersonPrincipalName
  – jblgs-stu133@um.ie
• EduPersonTargetedID
  – a44ffed231eda7b7a7d
• EduPersonScopedAffiliation
  – student@um.ie, library-walk-in@um.ie
• EduPersonEntitlement
  – urn:mace:heanet.ie:media:write

13. Edugate – Attributes
eduPersonScopedAffiliation
student – undergraduate or postgraduate
staff – all staff
faculty – to distinguish teaching staff
employee – staff other than staff/faculty (e.g., contractor)
member – comprises all the categories named above
affiliate – relationship short of full member
alum – alumnus (graduate)
library-walk-in
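As an added example (not HEAnet's or Shibboleth's code) of the authorisation model on the Authentication and Attributes slides: a service-provider-side check that accepts a scoped affiliation only for scopes registered to the asserting IdP, and gates repository writes on the eduPersonEntitlement value shown above. It assumes the SP plug-in has already validated the SAML2 response and delivers multi-valued attributes as ';'-separated strings; the resource names and the sample user are constructed.

```python
# Added example (not HEAnet's or Shibboleth's code): attribute-based
# authorisation at an Edugate service provider, using the attribute names and
# values from the Attributes slides. Assumption: the SP plug-in has already
# validated the SAML2 response and hands the application the released
# attributes as ';'-separated multi-valued strings.

# Affiliation values from the eduPersonScopedAffiliation slide.
LIBRARY_AFFILIATIONS = {"student", "staff", "faculty", "employee",
                        "member", "library-walk-in"}
WRITE_ENTITLEMENT = "urn:mace:heanet.ie:media:write"


def values(attrs: dict, name: str) -> list:
    """Split a ';'-separated multi-valued attribute into its values."""
    return [v for v in attrs.get(name, "").split(";") if v]


def trusted_affiliations(attrs: dict, idp_scopes: set) -> set:
    """Keep only affiliations whose scope the asserting IdP may assert.

    'student@um.ie' counts only if 'um.ie' is registered for that IdP in
    federation metadata; otherwise one institution could assert affiliations
    for another. Unscoped or foreign-scoped values are dropped."""
    kept = set()
    for v in values(attrs, "eduPersonScopedAffiliation"):
        affiliation, sep, scope = v.partition("@")
        if sep and scope in idp_scopes:
            kept.add(affiliation)
    return kept


def authorise(resource: str, attrs: dict, idp_scopes: set) -> tuple:
    """Return (allowed, reason) for a resource from the released attributes."""
    if resource == "library-content":
        ok = trusted_affiliations(attrs, idp_scopes) & LIBRARY_AFFILIATIONS
        return bool(ok), "affiliations accepted: " + ",".join(sorted(ok))
    if resource == "repository-write":
        ok = WRITE_ENTITLEMENT in values(attrs, "eduPersonEntitlement")
        return ok, ("entitlement present" if ok else "entitlement missing")
    return False, "unknown resource"


# Constructed attribute set modelled on the slide's example user.
SAMPLE = {
    "eduPersonPrincipalName": "jblgs-stu133@um.ie",
    "eduPersonTargetedID": "a44ffed231eda7b7a7d",
    "eduPersonScopedAffiliation": "student@um.ie;library-walk-in@um.ie",
    "eduPersonEntitlement": WRITE_ENTITLEMENT,
}
```

The scope check is the part that matters in a multi-institution federation: the same affiliation string from an IdP that is not registered for that scope must not unlock the content.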
14. Why use Edugate...
• Reduce account provisioning for walk-in and campus users
• Reduce the number of passwords for your users
• Reduce the number of prompts for those passwords
• Filter user access to content by affiliation or special groups
• Stop worrying about licences and users on your wifi network or open terminals
• Start to eliminate abuse of shared credentials/generic accounts
• IPv4 to IPv6 migration (193.1.200.412 vs 2002:c101:e4a5::c101:e4a5)
• Enhanced personalisation, without losing privacy
• No fee
15. Edugate on Campus
IT department sets up identity provider service (IdP)
Any other department can opt to accept a federated login (SP)
– Library can opt to replace the EZproxy URL in the catalogue
– Library can opt to enable federated login to the library website and repositories
– Library can opt to integrate EZproxy with the IdP

16. Edugate on Campus
IT department sets up identity provider service (IdP)
[diagram; institutions shown: IADT, UCD, CIT, DKIT, TCD, NUIM, NUIG, ITT, WIT, LIT, DCU, DIT, UL, DIAS, NCAD]
17. Edugate on Campus [diagram; labels: user, catalogue with EZproxy, publisher content, LDAP]
18. Edugate on Campus [diagram; labels: user, catalogue with EZproxy, publisher content, Shibb, LDAP]
19. Edugate on Campus [diagram; labels: user, catalogue with EZproxy, publisher content, Shibb, LDAP, non-library services]
20. Edugate on Campus [diagram; labels: user, catalogue (with Shibb), publisher content, Shibb, LDAP, non-library services]
21. Edugate on Campus [diagram; labels: user, catalogue (without EZproxy), publisher content, Shibb, LDAP, non-library services]
22. Hybrid Edugate on Campus [diagram; labels: user, catalogue (some EZproxy, some Shibb), publisher content, Shibb, LDAP, non-library services]
23. Edugate on Campus [diagram; labels: user, repository (with Shibb), full upload or preferences, Shibb, LDAP]
24. Edugate for non-academic libraries [diagram; labels: user, repository (with Shibb), full upload or preferences, Shibb, LDAP]
25. When to use EZ, Shibb or other

26. Edugate on Campus (assuming a service supports Shibboleth)
Use Shibboleth...
• if you intend to take advantage of fine-grained access control
• if the service offers personalisation and persistent sessions (e.g. search results, search preferences etc.)
• if the content of the service is frequently accessed as a result of a Google search rather than a search of your OPAC (thus bypassing your EZproxy URLs)
• if Shibboleth is frequently used to access other services like student email and you want to avail of the single sign-on with no re-authentication prompts

27. Edugate on Campus
Some services do not support a Shibboleth login yet.
• Use EZproxy for services with no personalisation features, for services that don't feature in Google results, and for services that don't support Shibboleth
• Use EZproxy with Shibboleth for these non-personalised services if your campus uses Shibboleth for other frequently accessed services (thus benefiting from single sign-on)
• Use Shibboleth if any of the reasons listed on the previous slide fit
28. IdP Configuration [diagram; labels: SP Admin, Edugate Resource Registry, Non-Shibboleth IdP, Shibboleth IdP, IdP Admin, DB, Shibb config files]