Implementing a production Shibboleth IdP service at Cardiff University

Implementing a Shibboleth IDP service Rhys Smith & Zoë Young Cardiff University

Outline Implementing a production service ➢ HA ➢ Conforming to Tech' Recommendations ➢ Migration to Shib ➢

Implementing a ProdN Service Institutions planning a realworld ➢ production Shib IDP deployment: Think beyond simple technical details ➢ Consider higher level issues of design ➢ Including HA and resiliency issues ➢ Otherwise: ➢ When your IDP server breaks (and it will), ➢ you're (technical terminology coming up) screwed!

Cardiff's setup idp.cardiff.ac.uk (NetScaler) hashib hashib Shared Memory Shared Memory idp2.cf.ac.uk idp3.cf.ac.uk idp1.cf.ac.uk

Cardiff's setup (con't) idp1 & idp2 Physical servers PowerEdge ➢ idp3 VM on VMWareESX infrastructure; ➢ primarily for development, only occasionally in service All linux RHEL4 ➢ Server up/down checking via idp.xml: ➢ ...Shibboleth_StatusHandler... ➢ <Location>.+/shibbolethidp/Status</Location> “AVAILABLE” if everything has loaded OK ➢

Cardiff's setup (con't) Fully monitored via SNMP ➢ Standard server stuff (CPU usage, memory ➢ usage, Temperatures, etc) Custom perl scripts parse Shib log files ➢ Exposed via custom SNMP OIDs ➢ Cacti (open source) monitoring solution ➢ already in place email me for a copy of scripts/cacti ➢ templates, etc.

Cardiff's setup (con't)

Tech' Recommendations Metadata (the list of who is on the ➢ federation: CRON job to update overnight, every night ➢ Attributes: ➢ Haven't implemented eduPerson in ➢ directory, use own attributes and map to eduPerson schema using resolver.xml

Tech' Recommendations (con't) eduPersonScopedAffiliation: ➢ Mapped to CardiffFAMAffiliation attribute in ➢ our directory (webauth tree) Provisioned by our IDM sytem ➢ “member” if current staff, current student, ➢ current training grade doctor, manually “made” member in IDM web interface staff/student similarly IDM driven ➢

Tech' Recommendations (con't) eduPersonTargetedID: ➢ Simply using PersistentIDAttributeDefinition, ➢ linked to IDM IdentityNumber Dynamically cryptographically creates an ➢ opaque, consistent TargetedID per user per resource eduPersonPrincipalName: ➢ Mapped to cn attribute in our directory ➢

Tech' Recommendations (con't) eduPersonEntitlement: ➢ Mapped to CardiffFamEntitlements attribute ➢ in our directory Provisioned by our IDM system where ➢ possible Manually administered via IDM web ➢ interface otherwise

Tech' Recommendations (con't) Attribute Release Policies ➢ arp.site.xml ➢ Set to release minimum information ➢ (scopedAffiliation and TargetedID) unless specifically set otherwise Release more if desired on a case by case ➢ basis

Authentication Options Apache vs Tomcat: ➢ Apache simpler ➢ Tomcat a lot more user friendly for your users ➢ Our login page: ➢

Overview Auditing of resources ➢ Promotion and Communication ➢ What has happened so far? ➢ What’s going to happen next? ➢ Questions? ➢

Auditing of resources Resources tested for shibboleth ➢ compliance. Noncompliant resources ➢ Westlaw – generic usernames and ➢ passwords until new platform released Lexis Nexis Professional – should be moved ➢ to Butterworths Alerts, Saved Searches and ➢ Personalisation.

Promotion and Communication Emails about shibboleth/CU Login sent to all ➢ Information services staff Presentation on changes given to all library and ➢ helpdesk staff Documentation sent to all 18 libraries ➢ Web page – Off campus access ➢ Changes to databases page ➢ Subject Librarians cascaded information to all ➢ new students and staff

What has happened so far? Went live – Sept 06 ➢ Users ➢ New Training Grade Doctors ➢ New Students ➢ New Staff ➢ Users with expired accounts or problems ➢ 53.35 % of access to “Athens” eresources ➢ is by CU login

What’s going to happen next? 2nd July – changes to website to encourage ➢ remaining Athens users to switch Email to users with active Athens accounts ➢ Monitor use of Athens accounts over the ➢ next year and contact individual users to migrate. April 08 – All Athens accounts expire ➢

the end Any Questions?  www.identityproject.org/survey.doc  for:  more info  a copy of these slides  clarification of any points  meaningful discussion about shib  meaningless discussion about stanley  cup finals... email: smith@cardiff.ac.uk 

Implementing a production Shibboleth IdP service at Cardiff University

by JISC.AM on Jun 14, 2007

Accessibility

Categories

Tags

Upload Details

Usage Rights

1 Embed 9

Statistics

Implementing a production Shibboleth IdP service at Cardiff University — Presentation Transcript