Implementing a Shibboleth IdP service

Rhys Smith & Zoë Young
Cardiff University
Outline
➢ Implementing a production service
➢ HA
➢ Conforming to Tech' Recommendations
➢ Migration to Shib
Implementing a Production Service
➢ Institutions planning a real-world production Shib IdP deployment:
    ➢ Think beyond simple technical details
    ➢ Consider higher-level issues of design
    ➢ Including HA and resiliency issues
➢ Otherwise:
    ➢ When your IdP server breaks (and it will), you're (technical terminology coming up) screwed!
Cardiff's setup

    idp.cardiff.ac.uk (NetScaler)
        |
        +-- idp1.cf.ac.uk   [hashib / Shared Memory]
        +-- idp2.cf.ac.uk   [hashib / Shared Memory]
        +-- idp3.cf.ac.uk
Cardiff's setup (con't)
➢ idp1 & idp2 - physical servers - PowerEdge
➢ idp3 - VM on VMware ESX infrastructure; primarily for development, only occasionally in service
➢ All Linux - RHEL4
➢ Server up/down checking via idp.xml:
    ➢ ...Shibboleth_StatusHandler...
    ➢ <Location>.+/shibbolethidp/Status</Location>
    ➢ "AVAILABLE" if everything has loaded OK
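The up/down check above is worth modelling end to end, because the balancer's decision logic is where HA deployments usually go wrong. The following is an added example, not Cardiff's configuration or Shibboleth code: it treats a node as healthy only when the StatusHandler answers HTTP 200 with a body of exactly "AVAILABLE" (so a 200 carrying a Tomcat error page, or a redirect to a login page, counts as down), and it applies flap damping so one slow request does not bounce a node in and out of rotation. The node names are the slide's; the retry thresholds and the probe responses are assumptions constructed for the demo.

```python
# Added example (not Cardiff's or Shibboleth's code). It models the up/down check
# the slide describes: a load balancer probes each node's Shibboleth_StatusHandler
# URL and only routes to nodes whose body is exactly "AVAILABLE". Node names are
# the slide's; the retry thresholds and the sample responses are assumptions.
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class ProbeResult:
    http_status: int
    body: str


def status_handler_healthy(result: ProbeResult) -> bool:
    """Healthy only for HTTP 200 with a body of exactly AVAILABLE.

    A 200 carrying a Tomcat error page, or a 302 to a login page, is a node
    that is listening but cannot issue assertions, so it must count as down.
    """
    return result.http_status == 200 and result.body.strip() == "AVAILABLE"


@dataclass
class NodeState:
    in_service: bool = True
    consecutive_failures: int = 0
    consecutive_successes: int = 0


class IdpPool:
    """Flap-damped view of which nodes the balancer may send users to."""

    def __init__(self, names: List[str], down_after: int = 3, up_after: int = 2):
        # Assumed thresholds: leave rotation after 3 failed probes in a row and
        # rejoin only after 2 good ones, so a single GC pause does not bounce a node.
        self.nodes: Dict[str, NodeState] = {n: NodeState() for n in names}
        self.down_after = down_after
        self.up_after = up_after

    def observe(self, name: str, result: ProbeResult) -> bool:
        st = self.nodes[name]
        if status_handler_healthy(result):
            st.consecutive_successes += 1
            st.consecutive_failures = 0
            if not st.in_service and st.consecutive_successes >= self.up_after:
                st.in_service = True
        else:
            st.consecutive_failures += 1
            st.consecutive_successes = 0
            if st.in_service and st.consecutive_failures >= self.down_after:
                st.in_service = False
        return st.in_service

    def eligible(self) -> List[str]:
        return sorted(n for n, s in self.nodes.items() if s.in_service)


# Constructed probe responses: one list per node, one entry per probe round.
OK = ProbeResult(200, "AVAILABLE\n")
TOMCAT_500 = ProbeResult(200, "<html><body>HTTP Status 500 - Internal Server Error</body></html>")
LOGIN_REDIRECT = ProbeResult(302, "")
ROUNDS = {
    "idp1.cf.ac.uk": [OK, OK, OK, OK, OK],
    "idp2.cf.ac.uk": [TOMCAT_500, TOMCAT_500, TOMCAT_500, OK, OK],
    "idp3.cf.ac.uk": [LOGIN_REDIRECT] * 5,
}


def run_demo() -> List[List[str]]:
    """Return the list of nodes in rotation after each probe round."""
    pool = IdpPool(list(ROUNDS))
    history = []
    for i in range(5):
        for name, results in ROUNDS.items():
            pool.observe(name, results[i])
        history.append(pool.eligible())
    return history


if __name__ == "__main__":
    for i, nodes in enumerate(run_demo(), 1):
        print(f"round {i}: {', '.join(nodes) or 'NO NODES IN SERVICE'}")
```

Two practical points follow from this. The probe should be sent through the same TLS virtual host users hit, not a plain-HTTP side door, so a broken certificate or vhost takes the node out of rotation too; and the Status location is an unauthenticated page about your IdP's internals, so restrict it at the web server or balancer to the monitoring addresses rather than leaving it open to the world.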
Cardiff's setup (con't)
➢ Fully monitored via SNMP
    ➢ Standard server stuff (CPU usage, memory usage, temperatures, etc.)
    ➢ Custom Perl scripts parse Shib log files
    ➢ Exposed via custom SNMP OIDs
➢ Cacti (open source) monitoring solution already in place
➢ Email me for a copy of scripts/Cacti templates, etc.
Cardiff's setup (con't)
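The monitoring slides describe log-parsing scripts that reduce the IdP log to numbers an SNMP agent can serve to Cacti. The authors offer their Perl by email; what follows is an added Python example in the same spirit, not their scripts. The log line layout and the sample lines are constructed for the example (Shibboleth's real log4j pattern is whatever your installation configures, so adapt the regular expressions), and the output format assumes the counters are exposed with Net-SNMP's `extend` directive, which the slide does not specify.

```python
# Added example (not Cardiff's Perl scripts, which the slide offers by email).
# It parses an IdP log, reduces it to a handful of counters and prints them one
# per line for an SNMP agent to expose. The log line format and the sample lines
# are constructed for this example; adapt LINE_RE/SSO_RE/AQ_RE to your log4j pattern.
import re
import sys
from collections import Counter
from typing import Dict, Iterable

LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>[\d:,]+) "
    r"(?P<level>[A-Z]+)\s+(?P<logger>\S+) - (?P<msg>.*)$"
)
SSO_RE = re.compile(r"issued authentication assertion to (?P<sp>\S+)")
AQ_RE = re.compile(r"attribute query from (?P<sp>\S+)")

# Fixed output order: Net-SNMP's `extend` numbers output lines, and a Cacti
# template references those line indices, so this order must never change.
METRICS = ("sso_assertions", "attribute_queries", "rejected_queries",
           "warnings", "errors", "unparsed", "distinct_sps")

# Constructed sample log; the SP entity IDs and user IDs are invented.
SAMPLE_LOG = [
    "2007-06-14 09:12:01,233 INFO  shibboleth.IdP - issued authentication assertion to https://sp.jstor.example/shibboleth for user u0123456",
    "2007-06-14 09:12:01,900 INFO  shibboleth.IdP - attribute query from https://sp.jstor.example/shibboleth for user u0123456",
    "2007-06-14 09:13:10,004 INFO  shibboleth.IdP - issued authentication assertion to https://sp.sciencedirect.example/shibboleth for user u0777777",
    "2007-06-14 09:13:10,512 INFO  shibboleth.IdP - attribute query from https://sp.sciencedirect.example/shibboleth for user u0777777",
    "2007-06-14 09:14:02,111 WARN  shibboleth.IdP - attribute query from https://unknown.example/shibboleth rejected: provider not in metadata",
    "2007-06-14 09:15:44,700 ERROR shibboleth.IdP - Error processing request: LDAP connection refused",
    "this line is not in the expected format",
    "2007-06-14 09:16:00,001 INFO  shibboleth.IdP - issued authentication assertion to https://sp.jstor.example/shibboleth for user u0555555",
]


def parse_shib_log(lines: Iterable[str]) -> Dict[str, int]:
    """Count the events Cacti should graph. Usernames never leave this function."""
    counts = Counter({m: 0 for m in METRICS})
    sps = set()
    for line in lines:
        m = LINE_RE.match(line.rstrip("\n"))
        if not m:
            counts["unparsed"] += 1      # a rising unparsed count means the pattern changed
            continue
        level, msg = m.group("level"), m.group("msg")
        if level == "ERROR":
            counts["errors"] += 1
        elif level == "WARN":
            counts["warnings"] += 1
        sso = SSO_RE.search(msg)
        if sso:
            counts["sso_assertions"] += 1
            sps.add(sso.group("sp"))
        aq = AQ_RE.search(msg)
        if aq:
            if "rejected" in msg:
                counts["rejected_queries"] += 1
            else:
                counts["attribute_queries"] += 1
    counts["distinct_sps"] = len(sps)
    return dict(counts)


def snmp_extend_output(counts: Dict[str, int]) -> str:
    """One 'name value' line per metric, in METRICS order, for snmpd extend."""
    return "\n".join(f"{name} {counts.get(name, 0)}" for name in METRICS)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            result = parse_shib_log(fh)
    else:
        result = parse_shib_log(SAMPLE_LOG)
    print(snmp_extend_output(result))
```

Hooked in with a line such as `extend shibidp /usr/local/bin/shib_metrics.py /var/log/shibboleth/shib-access.log` in snmpd.conf, the lines appear under NET-SNMP-EXTEND-MIB and Cacti polls them by index. Because the script counts the whole file, the values are cumulative; either graph them as COUNTER data or have the script remember its file offset between runs. Only aggregate numbers leave the host, which is the point: the log itself carries usernames and SP identities, and the SNMP community should in any case be readable only from the Cacti host.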
Tech' Recommendations
➢ Metadata (the list of who is in the federation):
    ➢ CRON job to update overnight, every night
➢ Attributes:
    ➢ Haven't implemented eduPerson in directory; use own attributes and map to eduPerson schema using resolver.xml
Tech' Recommendations (con't)
➢ eduPersonScopedAffiliation:
    ➢ Mapped to CardiffFAMAffiliation attribute in our directory (webauth tree)
    ➢ Provisioned by our IDM system
    ➢ "member" if current staff, current student, current training grade doctor, or manually "made" member in IDM web interface
    ➢ staff/student similarly IDM driven
Tech' Recommendations (con't)
➢ eduPersonTargetedID:
    ➢ Simply using PersistentIDAttributeDefinition, linked to IDM IdentityNumber
    ➢ Dynamically and cryptographically creates an opaque, consistent TargetedID per user per resource
➢ eduPersonPrincipalName:
    ➢ Mapped to cn attribute in our directory
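The property the slide relies on for eduPersonTargetedID (opaque, consistent per user per resource) is worth seeing in working code. The following is an added example and not the code of Shibboleth's PersistentIDAttributeDefinition, whose exact construction the slide does not give: it derives the ID from the SP entity ID and the IdentityNumber under a site secret using HMAC-SHA256, then shows why the secret is a key rather than a mere salt. IdentityNumbers are short and sequential, so anyone holding the secret can enumerate them and reverse the "opaque" value. The secret, the entity IDs and the identity numbers are constructed for the example.

```python
# Added example (not Shibboleth's PersistentIDAttributeDefinition, whose exact
# construction the slide does not state). HMAC-SHA256 over (SP entity ID,
# IdentityNumber) keyed with a site secret; the secret, the SP entity IDs and
# the identity numbers below are constructed for illustration.
import base64
import hashlib
import hmac
from typing import Dict, Iterable, Optional

SITE_SECRET = b"example-secret-do-not-use"   # constructed; the real one lives in config, not in code

SP_A = "https://sp-a.example.ac.uk/shibboleth"  # constructed entity IDs
SP_B = "https://sp-b.example.ac.uk/shibboleth"


def targeted_id(identity_number: str, sp_entity_id: str, secret: bytes = SITE_SECRET) -> str:
    """Opaque per-user, per-SP identifier: base64(HMAC(secret, sp '!' id)).

    Entity IDs are URIs and do not contain '!', so the separator is unambiguous.
    Same user + same SP -> same value every time; any other SP gets an unrelated value.
    """
    msg = f"{sp_entity_id}!{identity_number}".encode()
    return base64.b64encode(hmac.new(secret, msg, hashlib.sha256).digest()).decode()


def recover_identity_number(tid: str, sp_entity_id: str, secret: bytes,
                            candidates: Iterable[str]) -> Optional[str]:
    """What an SP (or anyone) can do once they hold the secret: IdentityNumbers
    are low-entropy, so enumerating a plausible range reverses the ID."""
    for cand in candidates:
        if hmac.compare_digest(targeted_id(cand, sp_entity_id, secret), tid):
            return cand
    return None


def demo() -> Dict[str, object]:
    alice_a = targeted_id("1234567", SP_A)
    window = [str(n) for n in range(1234500, 1234600)]   # a realistic guess range for sequential IDs
    return {
        "consistent": alice_a == targeted_id("1234567", SP_A),
        "unlinkable_across_sps": alice_a != targeted_id("1234567", SP_B),
        "distinct_users": alice_a != targeted_id("1234568", SP_A),
        # Rotating the secret silently changes every user's ID at every SP, which
        # breaks SP-side personalisation; treat rotation as a planned migration.
        "rotated_secret_changes_id": alice_a != targeted_id("1234567", SP_A, b"new-secret"),
        "recovered_with_secret": recover_identity_number(alice_a, SP_A, SITE_SECRET, window),
        "recovered_without_secret": recover_identity_number(alice_a, SP_A, b"guess", window),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The two recovery results are the practical lesson: with the secret, the ID falls in under a hundred HMAC calls; without it, the same enumeration tells the SP nothing. Protect the secret like a signing key, keep it out of backups that SPs or third parties can read, and back it up somewhere, because losing it has the same effect on users as rotating it.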
Tech' Recommendations (con't)
➢ eduPersonEntitlement:
    ➢ Mapped to CardiffFamEntitlements attribute in our directory
    ➢ Provisioned by our IDM system where possible
    ➢ Manually administered via IDM web interface otherwise
Tech' Recommendations (con't)
➢ Attribute Release Policies
    ➢ arp.site.xml
    ➢ Set to release minimum information (scopedAffiliation and TargetedID) unless specifically set otherwise
    ➢ Release more if desired, on a case-by-case basis
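The release policy stated on this slide (minimum to everyone, more only for named SPs) is easy to state and easy to get wrong in a policy file, so here it is as an added, runnable model. This is not Shibboleth's ARP engine and not Cardiff's arp.site.xml: rules are additive, a deny anywhere overrides a permit anywhere, and anything not explicitly permitted is withheld. Attribute names use the `urn:mace:dir:attribute-def:` form Shibboleth 1.x used; the SP entity IDs and rules are constructed, and `to_arp_xml` emits the shape of a 1.3 ARP file as an illustration to validate against the ARP schema shipped with your IdP, not a guaranteed-valid policy.

```python
# Added example (not Shibboleth's ARP engine, not Cardiff's arp.site.xml).
# Models the slide's policy: every SP gets scopedAffiliation and targetedID,
# named SPs can get more, and a deny always wins. Entity IDs and rules are
# constructed; the XML shape is an assumption to check against your ARP schema.
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Set
from xml.sax.saxutils import escape

A = "urn:mace:dir:attribute-def:"
SCOPED_AFFILIATION = A + "eduPersonScopedAffiliation"
TARGETED_ID = A + "eduPersonTargetedID"
PRINCIPAL_NAME = A + "eduPersonPrincipalName"
ENTITLEMENT = A + "eduPersonEntitlement"

ANY_TARGET = "*"


@dataclass(frozen=True)
class Rule:
    target: str                          # an SP entity ID, or ANY_TARGET
    permit: FrozenSet[str] = frozenset()
    deny: FrozenSet[str] = frozenset()


def release_set(rules: Iterable[Rule], sp_entity_id: str, resolved: Iterable[str]) -> List[str]:
    """Attributes that go into the assertion for sp_entity_id.

    Rules whose target matches are merged; deny overrides permit; an attribute
    that no rule permits is withheld even if the resolver produced it.
    """
    permitted: Set[str] = set()
    denied: Set[str] = set()
    for rule in rules:
        if rule.target in (ANY_TARGET, sp_entity_id):
            permitted |= rule.permit
            denied |= rule.deny
    return sorted((permitted - denied) & set(resolved))


def to_arp_xml(rules: Iterable[Rule]) -> str:
    """Render the rules in the shape of a Shibboleth 1.3 ARP file (assumed shape)."""
    out = ['<AttributeReleasePolicy xmlns="urn:mace:shibboleth:arp:1.0">']
    for rule in rules:
        target = "<AnyTarget/>" if rule.target == ANY_TARGET else f"<Requester>{escape(rule.target)}</Requester>"
        out.append(f"  <Rule>\n    <Target>{target}</Target>")
        for name in sorted(rule.permit):
            out.append(f'    <Attribute name="{name}"><AnyValue release="permit"/></Attribute>')
        for name in sorted(rule.deny):
            out.append(f'    <Attribute name="{name}"><AnyValue release="deny"/></Attribute>')
        out.append("  </Rule>")
    out.append("</AttributeReleasePolicy>")
    return "\n".join(out)


# Constructed policy: the slide's minimum for everyone plus two case-by-case rules.
JOURNAL_SP = "https://journals.example.ac.uk/shibboleth"
VLE_SP = "https://vle.example.ac.uk/shibboleth"
SITE_RULES = (
    Rule(ANY_TARGET, permit=frozenset({SCOPED_AFFILIATION, TARGETED_ID})),
    Rule(JOURNAL_SP, permit=frozenset({ENTITLEMENT})),
    # An SP that gets a real identifier should not also get the targeted ID,
    # otherwise it can link the two and the opaque ID buys nothing.
    Rule(VLE_SP, permit=frozenset({PRINCIPAL_NAME}), deny=frozenset({TARGETED_ID})),
)
# What the resolver produced for this user (constructed).
RESOLVED = (SCOPED_AFFILIATION, TARGETED_ID, PRINCIPAL_NAME, ENTITLEMENT)


if __name__ == "__main__":
    for sp in ("https://unknown.example/shibboleth", JOURNAL_SP, VLE_SP):
        print(sp, "->", [n.rsplit(":", 1)[1] for n in release_set(SITE_RULES, sp, RESOLVED)])
    print(to_arp_xml(SITE_RULES))
```

Running it shows the shape the slide wants: an SP nobody has configured gets only scopedAffiliation and targetedID, the journals SP additionally gets entitlement, and the VLE gets principalName but loses targetedID. Whatever engine you use, test the unknown-SP case first; it is the default that protects every future SP added to the federation metadata overnight.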
Authentication Options
➢ Apache vs Tomcat:
    ➢ Apache simpler
    ➢ Tomcat a lot more user-friendly for your users
    ➢ Our login page:
Overview
➢ Auditing of resources
➢ Promotion and Communication
➢ What has happened so far?
➢ What's going to happen next?
➢ Questions?
Auditing of resources
➢ Resources tested for Shibboleth compliance.
➢ Non-compliant resources:
    ➢ Westlaw - generic usernames and passwords until new platform released
    ➢ Lexis Nexis Professional - should be moved to Butterworths
➢ Alerts, Saved Searches and Personalisation.
Promotion and Communication
➢ Emails about Shibboleth/CU Login sent to all Information Services staff
➢ Presentation on changes given to all library and helpdesk staff
➢ Documentation sent to all 18 libraries
➢ Web page - Off campus access
➢ Changes to databases page
➢ Subject Librarians cascaded information to all new students and staff
What has happened so far?
➢ Went live - Sept 06
➢ Users:
    ➢ New Training Grade Doctors
    ➢ New Students
    ➢ New Staff
    ➢ Users with expired accounts or problems
➢ 53.35% of access to "Athens" e-resources is by CU login
What's going to happen next?
➢ 2nd July - changes to website to encourage remaining Athens users to switch
➢ Email to users with active Athens accounts
➢ Monitor use of Athens accounts over the next year and contact individual users to migrate.
➢ April 08 - All Athens accounts expire
The end
Any Questions?

www.identity-project.org/survey.doc

for:
    more info
    a copy of these slides
    clarification of any points
    meaningful discussion about Shib
    meaningless discussion about Stanley Cup finals...
email: smith@cardiff.ac.uk
More Related Content

Viewers also liked

Actividad 15
Actividad 15Actividad 15
Actividad 15ttturbo
 
Test
TestTest
TestQOU
 
The Art Of Pricing
The Art Of PricingThe Art Of Pricing
The Art Of Pricingeve841126
 
The Berry Tree - How it works
The Berry Tree - How it worksThe Berry Tree - How it works
The Berry Tree - How it worksberrytree
 
Digital Parents - St Crispins
Digital Parents - St CrispinsDigital Parents - St Crispins
Digital Parents - St CrispinsToby Treacher
 
Cannaerts Wambeke Verjans_EDEN2007
Cannaerts Wambeke Verjans_EDEN2007Cannaerts Wambeke Verjans_EDEN2007
Cannaerts Wambeke Verjans_EDEN2007Steven Verjans
 
Being Google
Being GoogleBeing Google
Being GoogleTom Dyson
 
Crime Prevention Movie
Crime Prevention MovieCrime Prevention Movie
Crime Prevention Moviesocialsubjects
 
Primi Elementi Di Geometria
Primi Elementi Di GeometriaPrimi Elementi Di Geometria
Primi Elementi Di Geometrialiceogaribaldi
 
Personal Carbon Rationing
Personal Carbon RationingPersonal Carbon Rationing
Personal Carbon RationingTom Dyson
 
G U I N E A E C U A T O R I A L
G U I N E A  E C U A T O R I A LG U I N E A  E C U A T O R I A L
G U I N E A E C U A T O R I A LToni Solano
 
Szetela Ses Toronto Contextual
Szetela Ses Toronto ContextualSzetela Ses Toronto Contextual
Szetela Ses Toronto ContextualDavid Szetela
 
產業實習期末報告
產業實習期末報告產業實習期末報告
產業實習期末報告bgbgbg
 
I Numeri Razionali Assoluti E I Numeri Periodici
I Numeri Razionali Assoluti E I Numeri PeriodiciI Numeri Razionali Assoluti E I Numeri Periodici
I Numeri Razionali Assoluti E I Numeri Periodiciliceogaribaldi
 
TEKNOLOGIA Txostena
TEKNOLOGIA TxostenaTEKNOLOGIA Txostena
TEKNOLOGIA Txostenasanbizente
 

Viewers also liked (20)

Actividad 15
Actividad 15Actividad 15
Actividad 15
 
Test
TestTest
Test
 
Un paseo por las calles de Gijón
Un paseo por las calles de GijónUn paseo por las calles de Gijón
Un paseo por las calles de Gijón
 
The Art Of Pricing
The Art Of PricingThe Art Of Pricing
The Art Of Pricing
 
The Berry Tree - How it works
The Berry Tree - How it worksThe Berry Tree - How it works
The Berry Tree - How it works
 
Digital Parents - St Crispins
Digital Parents - St CrispinsDigital Parents - St Crispins
Digital Parents - St Crispins
 
Cannaerts Wambeke Verjans_EDEN2007
Cannaerts Wambeke Verjans_EDEN2007Cannaerts Wambeke Verjans_EDEN2007
Cannaerts Wambeke Verjans_EDEN2007
 
Being Google
Being GoogleBeing Google
Being Google
 
Crime Prevention Movie
Crime Prevention MovieCrime Prevention Movie
Crime Prevention Movie
 
Happiness
HappinessHappiness
Happiness
 
Primi Elementi Di Geometria
Primi Elementi Di GeometriaPrimi Elementi Di Geometria
Primi Elementi Di Geometria
 
Personal Carbon Rationing
Personal Carbon RationingPersonal Carbon Rationing
Personal Carbon Rationing
 
I Numeri Relativi
I Numeri RelativiI Numeri Relativi
I Numeri Relativi
 
G U I N E A E C U A T O R I A L
G U I N E A  E C U A T O R I A LG U I N E A  E C U A T O R I A L
G U I N E A E C U A T O R I A L
 
Szetela Ses Toronto Contextual
Szetela Ses Toronto ContextualSzetela Ses Toronto Contextual
Szetela Ses Toronto Contextual
 
產業實習期末報告
產業實習期末報告產業實習期末報告
產業實習期末報告
 
Síntesi Dafo
Síntesi DafoSíntesi Dafo
Síntesi Dafo
 
I Numeri Razionali Assoluti E I Numeri Periodici
I Numeri Razionali Assoluti E I Numeri PeriodiciI Numeri Razionali Assoluti E I Numeri Periodici
I Numeri Razionali Assoluti E I Numeri Periodici
 
TEKNOLOGIA Txostena
TEKNOLOGIA TxostenaTEKNOLOGIA Txostena
TEKNOLOGIA Txostena
 
La Población
La PoblaciónLa Población
La Población
 

Similar to Implementing a production Shibboleth IdP service at Cardiff University

Gmr Highload Presentation Revised
Gmr Highload Presentation RevisedGmr Highload Presentation Revised
Gmr Highload Presentation RevisedOntico
 
Gmr Highload Presentation
Gmr Highload PresentationGmr Highload Presentation
Gmr Highload PresentationOntico
 
YAPC2007 Remote System Monitoring (w. Notes)
YAPC2007 Remote System Monitoring (w. Notes)YAPC2007 Remote System Monitoring (w. Notes)
YAPC2007 Remote System Monitoring (w. Notes)rgiersig
 
Inside Picnik: How We Built Picnik (and What We Learned Along the Way)
Inside Picnik: How We Built Picnik (and What We Learned Along the Way)Inside Picnik: How We Built Picnik (and What We Learned Along the Way)
Inside Picnik: How We Built Picnik (and What We Learned Along the Way)jjhuff
 
Blueprint talk at Open Hackday London 2009
Blueprint talk at Open Hackday London 2009Blueprint talk at Open Hackday London 2009
Blueprint talk at Open Hackday London 2009Ricardo Varela
 
My History with Atlassian Tools, and Why I'm Moving to Studio
My History with Atlassian Tools, and Why I'm Moving to StudioMy History with Atlassian Tools, and Why I'm Moving to Studio
My History with Atlassian Tools, and Why I'm Moving to StudioAtlassian
 
Scaling Drupal: Not IF... HOW
Scaling Drupal: Not IF... HOWScaling Drupal: Not IF... HOW
Scaling Drupal: Not IF... HOWTreehouse Agency
 
Wide Open Spaces Using My Sql As A Web Mapping Service Backend
Wide Open Spaces Using My Sql As A Web Mapping Service BackendWide Open Spaces Using My Sql As A Web Mapping Service Backend
Wide Open Spaces Using My Sql As A Web Mapping Service BackendMySQLConference
 
The Current State of Asynchronous Processing With Ruby
The Current State of Asynchronous Processing With RubyThe Current State of Asynchronous Processing With Ruby
The Current State of Asynchronous Processing With Rubymattmatt
 
Pallab\'s Presentation at Gis for Transportation Symposium
Pallab\'s Presentation at Gis for Transportation SymposiumPallab\'s Presentation at Gis for Transportation Symposium
Pallab\'s Presentation at Gis for Transportation Symposiumpallabgc
 
Overview and Walkthrough of the Application Programming Model with SAP Cloud ...
Overview and Walkthrough of the Application Programming Model with SAP Cloud ...Overview and Walkthrough of the Application Programming Model with SAP Cloud ...
Overview and Walkthrough of the Application Programming Model with SAP Cloud ...SAP Cloud Platform
 
Agile Java Testing With Open Source Frameworks
Agile Java Testing With Open Source FrameworksAgile Java Testing With Open Source Frameworks
Agile Java Testing With Open Source FrameworksViraf Karai
 
Actors in a New "Highly Parallel" World
Actors in a New "Highly Parallel" WorldActors in a New "Highly Parallel" World
Actors in a New "Highly Parallel" WorldFabio Correa
 
Samuel Asher Rivello - PureMVC Hands On Part 2
Samuel Asher Rivello - PureMVC Hands On Part 2Samuel Asher Rivello - PureMVC Hands On Part 2
Samuel Asher Rivello - PureMVC Hands On Part 2360|Conferences
 
Rails Conf Europe 2007 Notes
Rails Conf  Europe 2007  NotesRails Conf  Europe 2007  Notes
Rails Conf Europe 2007 NotesRoss Lawley
 
Extending The My Sql Data Landscape
Extending The My Sql Data LandscapeExtending The My Sql Data Landscape
Extending The My Sql Data LandscapeRonald Bradford
 

Similar to Implementing a production Shibboleth IdP service at Cardiff University (20)

Gmr Highload Presentation Revised
Gmr Highload Presentation RevisedGmr Highload Presentation Revised
Gmr Highload Presentation Revised
 
Gmr Highload Presentation
Gmr Highload PresentationGmr Highload Presentation
Gmr Highload Presentation
 
YAPC2007 Remote System Monitoring (w. Notes)
YAPC2007 Remote System Monitoring (w. Notes)YAPC2007 Remote System Monitoring (w. Notes)
YAPC2007 Remote System Monitoring (w. Notes)
 
Inside Picnik: How We Built Picnik (and What We Learned Along the Way)
Inside Picnik: How We Built Picnik (and What We Learned Along the Way)Inside Picnik: How We Built Picnik (and What We Learned Along the Way)
Inside Picnik: How We Built Picnik (and What We Learned Along the Way)
 
Blueprint talk at Open Hackday London 2009
Blueprint talk at Open Hackday London 2009Blueprint talk at Open Hackday London 2009
Blueprint talk at Open Hackday London 2009
 
My History with Atlassian Tools, and Why I'm Moving to Studio
My History with Atlassian Tools, and Why I'm Moving to StudioMy History with Atlassian Tools, and Why I'm Moving to Studio
My History with Atlassian Tools, and Why I'm Moving to Studio
 
Scaling Drupal: Not IF... HOW
Scaling Drupal: Not IF... HOWScaling Drupal: Not IF... HOW
Scaling Drupal: Not IF... HOW
 
Magee Dday2 Fixing App Performance Italiano
Magee Dday2 Fixing App Performance ItalianoMagee Dday2 Fixing App Performance Italiano
Magee Dday2 Fixing App Performance Italiano
 
Case Studies
Case StudiesCase Studies
Case Studies
 
Wide Open Spaces Using My Sql As A Web Mapping Service Backend
Wide Open Spaces Using My Sql As A Web Mapping Service BackendWide Open Spaces Using My Sql As A Web Mapping Service Backend
Wide Open Spaces Using My Sql As A Web Mapping Service Backend
 
The Current State of Asynchronous Processing With Ruby
The Current State of Asynchronous Processing With RubyThe Current State of Asynchronous Processing With Ruby
The Current State of Asynchronous Processing With Ruby
 
SEASR Installation
SEASR InstallationSEASR Installation
SEASR Installation
 
Pallab\'s Presentation at Gis for Transportation Symposium
Pallab\'s Presentation at Gis for Transportation SymposiumPallab\'s Presentation at Gis for Transportation Symposium
Pallab\'s Presentation at Gis for Transportation Symposium
 
Overview and Walkthrough of the Application Programming Model with SAP Cloud ...
Overview and Walkthrough of the Application Programming Model with SAP Cloud ...Overview and Walkthrough of the Application Programming Model with SAP Cloud ...
Overview and Walkthrough of the Application Programming Model with SAP Cloud ...
 
Agile Java Testing With Open Source Frameworks
Agile Java Testing With Open Source FrameworksAgile Java Testing With Open Source Frameworks
Agile Java Testing With Open Source Frameworks
 
Actors in a New "Highly Parallel" World
Actors in a New "Highly Parallel" WorldActors in a New "Highly Parallel" World
Actors in a New "Highly Parallel" World
 
Samuel Asher Rivello - PureMVC Hands On Part 2
Samuel Asher Rivello - PureMVC Hands On Part 2Samuel Asher Rivello - PureMVC Hands On Part 2
Samuel Asher Rivello - PureMVC Hands On Part 2
 
Rails Conf Europe 2007 Notes
Rails Conf  Europe 2007  NotesRails Conf  Europe 2007  Notes
Rails Conf Europe 2007 Notes
 
Seminar - JBoss Migration
Seminar - JBoss MigrationSeminar - JBoss Migration
Seminar - JBoss Migration
 
Extending The My Sql Data Landscape
Extending The My Sql Data LandscapeExtending The My Sql Data Landscape
Extending The My Sql Data Landscape
 

More from JISC.AM

Identity Assurance Profiles
Identity Assurance ProfilesIdentity Assurance Profiles
Identity Assurance ProfilesJISC.AM
 
Assurance
AssuranceAssurance
AssuranceJISC.AM
 
I2 Fedsoup
I2 FedsoupI2 Fedsoup
I2 FedsoupJISC.AM
 
Cuckoo (Graham Mason, Ed Beddows)
Cuckoo (Graham Mason, Ed Beddows)Cuckoo (Graham Mason, Ed Beddows)
Cuckoo (Graham Mason, Ed Beddows)JISC.AM
 
Federated Futures (Nicole Harris)
Federated Futures (Nicole Harris)Federated Futures (Nicole Harris)
Federated Futures (Nicole Harris)JISC.AM
 
Introduction to Shib 2.0 (Chad La Joie)
Introduction to Shib 2.0 (Chad La Joie)Introduction to Shib 2.0 (Chad La Joie)
Introduction to Shib 2.0 (Chad La Joie)JISC.AM
 
The Identity Project (Rhys Smith)
The Identity Project (Rhys Smith)The Identity Project (Rhys Smith)
The Identity Project (Rhys Smith)JISC.AM
 
Shibboleth 2.0 IdP slides - Installfest (Edited)
Shibboleth 2.0 IdP slides - Installfest (Edited)Shibboleth 2.0 IdP slides - Installfest (Edited)
Shibboleth 2.0 IdP slides - Installfest (Edited)JISC.AM
 
Shibboleth 2.0 SP slides - Installfest
Shibboleth 2.0 SP slides - InstallfestShibboleth 2.0 SP slides - Installfest
Shibboleth 2.0 SP slides - InstallfestJISC.AM
 
SARoNGS project (Jens Jensen)
SARoNGS project (Jens Jensen)SARoNGS project (Jens Jensen)
SARoNGS project (Jens Jensen)JISC.AM
 
Names project (Amanda Hill)
Names project (Amanda Hill)Names project (Amanda Hill)
Names project (Amanda Hill)JISC.AM
 
Studies in advanced access mgmt: GFIVO project (Cal Racey)
Studies in advanced access mgmt: GFIVO project (Cal Racey)Studies in advanced access mgmt: GFIVO project (Cal Racey)
Studies in advanced access mgmt: GFIVO project (Cal Racey)JISC.AM
 
Identity: Future directions (David Orrell, Eduserv Foundation)
Identity: Future directions (David Orrell, Eduserv Foundation)Identity: Future directions (David Orrell, Eduserv Foundation)
Identity: Future directions (David Orrell, Eduserv Foundation)JISC.AM
 
Shintau And VPMan proejcts (David Chadwick)
Shintau And VPMan proejcts (David Chadwick)Shintau And VPMan proejcts (David Chadwick)
Shintau And VPMan proejcts (David Chadwick)JISC.AM
 
Identity: Future directions (David Orrell, Eduserv Foundation)
Identity: Future directions (David Orrell, Eduserv Foundation)Identity: Future directions (David Orrell, Eduserv Foundation)
Identity: Future directions (David Orrell, Eduserv Foundation)JISC.AM
 
Internet2 Fall MM 2007 - Jane Charlton
Internet2 Fall MM 2007 - Jane CharltonInternet2 Fall MM 2007 - Jane Charlton
Internet2 Fall MM 2007 - Jane CharltonJISC.AM
 
'Connecting poeple to resources' by Nicole Harris at UKSG 2007
'Connecting poeple to resources' by Nicole Harris at UKSG 2007'Connecting poeple to resources' by Nicole Harris at UKSG 2007
'Connecting poeple to resources' by Nicole Harris at UKSG 2007JISC.AM
 
Federated Access Management 102
Federated Access Management 102Federated Access Management 102
Federated Access Management 102JISC.AM
 
Federated Access Management (Sconul Access Conference)
Federated Access Management (Sconul Access Conference)Federated Access Management (Sconul Access Conference)
Federated Access Management (Sconul Access Conference)JISC.AM
 

More from JISC.AM (20)

Identity Assurance Profiles
Identity Assurance ProfilesIdentity Assurance Profiles
Identity Assurance Profiles
 
Assurance
AssuranceAssurance
Assurance
 
I2 Fedsoup
I2 FedsoupI2 Fedsoup
I2 Fedsoup
 
Cuckoo (Graham Mason, Ed Beddows)
Cuckoo (Graham Mason, Ed Beddows)Cuckoo (Graham Mason, Ed Beddows)
Cuckoo (Graham Mason, Ed Beddows)
 
Federated Futures (Nicole Harris)
Federated Futures (Nicole Harris)Federated Futures (Nicole Harris)
Federated Futures (Nicole Harris)
 
Introduction to Shib 2.0 (Chad La Joie)
Introduction to Shib 2.0 (Chad La Joie)Introduction to Shib 2.0 (Chad La Joie)
Introduction to Shib 2.0 (Chad La Joie)
 
The Identity Project (Rhys Smith)
The Identity Project (Rhys Smith)The Identity Project (Rhys Smith)
The Identity Project (Rhys Smith)
 
Shibboleth 2.0 IdP slides - Installfest (Edited)
Shibboleth 2.0 IdP slides - Installfest (Edited)Shibboleth 2.0 IdP slides - Installfest (Edited)
Shibboleth 2.0 IdP slides - Installfest (Edited)
 
Shibboleth 2.0 SP slides - Installfest
Shibboleth 2.0 SP slides - InstallfestShibboleth 2.0 SP slides - Installfest
Shibboleth 2.0 SP slides - Installfest
 
SARoNGS project (Jens Jensen)
SARoNGS project (Jens Jensen)SARoNGS project (Jens Jensen)
SARoNGS project (Jens Jensen)
 
Names project (Amanda Hill)
Names project (Amanda Hill)Names project (Amanda Hill)
Names project (Amanda Hill)
 
Studies in advanced access mgmt: GFIVO project (Cal Racey)
Studies in advanced access mgmt: GFIVO project (Cal Racey)Studies in advanced access mgmt: GFIVO project (Cal Racey)
Studies in advanced access mgmt: GFIVO project (Cal Racey)
 
Identity: Future directions (David Orrell, Eduserv Foundation)
Identity: Future directions (David Orrell, Eduserv Foundation)Identity: Future directions (David Orrell, Eduserv Foundation)
Identity: Future directions (David Orrell, Eduserv Foundation)
 
Shintau And VPMan proejcts (David Chadwick)
Shintau And VPMan proejcts (David Chadwick)Shintau And VPMan proejcts (David Chadwick)
Shintau And VPMan proejcts (David Chadwick)
 
Identity: Future directions (David Orrell, Eduserv Foundation)
Identity: Future directions (David Orrell, Eduserv Foundation)Identity: Future directions (David Orrell, Eduserv Foundation)
Identity: Future directions (David Orrell, Eduserv Foundation)
 
Internet2 Fall MM 2007 - Jane Charlton
Internet2 Fall MM 2007 - Jane CharltonInternet2 Fall MM 2007 - Jane Charlton
Internet2 Fall MM 2007 - Jane Charlton
 
'Connecting poeple to resources' by Nicole Harris at UKSG 2007
'Connecting poeple to resources' by Nicole Harris at UKSG 2007'Connecting poeple to resources' by Nicole Harris at UKSG 2007
'Connecting poeple to resources' by Nicole Harris at UKSG 2007
 
Openid
OpenidOpenid
Openid
 
Federated Access Management 102
Federated Access Management 102Federated Access Management 102
Federated Access Management 102
 
Federated Access Management (Sconul Access Conference)
Federated Access Management (Sconul Access Conference)Federated Access Management (Sconul Access Conference)
Federated Access Management (Sconul Access Conference)
 

Recently uploaded

Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessPixlogix Infotech
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 

Recently uploaded (20)

Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
GenCyber Cyber Security Day Presentation

Implementing a production Shibboleth IdP service at Cardiff University

  • 2. Outline
    ➢ Implementing a production service
    ➢ HA
    ➢ Conforming to Tech' Recommendations
    ➢ Migration to Shib
  • 3. Implementing a ProdN Service
    ➢ Institutions planning a real-world production Shib IDP deployment:
        ➢ Think beyond simple technical details
        ➢ Consider higher level issues of design
        ➢ Including HA and resiliency issues
    ➢ Otherwise:
        ➢ When your IDP server breaks (and it will), you're (technical terminology coming up) screwed!
  • 4. Cardiff's setup
    (diagram) idp.cardiff.ac.uk (NetScaler) in front of idp1.cf.ac.uk, idp2.cf.ac.uk and idp3.cf.ac.uk; hashib / Shared Memory
  • 5. Cardiff's setup (con't)
    ➢ idp1 & idp2 - Physical servers - PowerEdge
    ➢ idp3 - VM on VMWare-ESX infrastructure; primarily for development, only occasionally in service
    ➢ All linux - RHEL4
    ➢ Server up/down checking via idp.xml:
        ➢ ...Shibboleth_StatusHandler... <Location>.+/shibbolethidp/Status</Location>
        ➢ “AVAILABLE” if everything has loaded OK
  • 6. Cardiff's setup (con't)
    ➢ Fully monitored via SNMP
        ➢ Standard server stuff (CPU usage, memory usage, Temperatures, etc)
        ➢ Custom perl scripts parse Shib log files
        ➢ Exposed via custom SNMP OIDs
    ➢ Cacti (open source) monitoring solution already in place
    ➢ email me for a copy of scripts/cacti templates, etc.
  • 8. Tech' Recommendations
    ➢ Metadata (the list of who is on the federation):
        ➢ CRON job to update overnight, every night
    ➢ Attributes:
        ➢ Haven't implemented eduPerson in directory, use own attributes and map to eduPerson schema using resolver.xml
  • 9. Tech' Recommendations (con't)
    ➢ eduPersonScopedAffiliation:
        ➢ Mapped to CardiffFAMAffiliation attribute in our directory (webauth tree)
        ➢ Provisioned by our IDM system
        ➢ “member” if current staff, current student, current training grade doctor, manually “made” member in IDM web interface
        ➢ staff/student similarly IDM driven
  • 10. Tech' Recommendations (con't)
    ➢ eduPersonTargetedID:
        ➢ Simply using PersistentIDAttributeDefinition, linked to IDM IdentityNumber
        ➢ Dynamically cryptographically creates an opaque, consistent TargetedID per user per resource
    ➢ eduPersonPrincipalName:
        ➢ Mapped to cn attribute in our directory
  • 11. Tech' Recommendations (con't)
    ➢ eduPersonEntitlement:
        ➢ Mapped to CardiffFamEntitlements attribute in our directory
        ➢ Provisioned by our IDM system where possible
        ➢ Manually administered via IDM web interface otherwise
  • 12. Tech' Recommendations (con't)
    ➢ Attribute Release Policies
        ➢ arp.site.xml
        ➢ Set to release minimum information (scopedAffiliation and TargetedID) unless specifically set otherwise
        ➢ Release more if desired on a case by case basis
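Added example, not from these slides or from the Shibboleth code base: a Python sketch of what slides 10 and 12 describe together, an opaque per-user, per-resource TargetedID derived from the IDM IdentityNumber, the local-to-eduPerson mapping that resolver.xml performs, and a release policy that defaults to the minimum set with per-SP additions. The directory record, SP entity IDs and salt are constructed placeholders, and the keyed-hash construction is an illustration of the property, not Shibboleth's own PersistentID algorithm.

```python
import base64
import hashlib
import hmac

SCOPE = "cardiff.ac.uk"
# Placeholder secret (constructed). In production the salt is a long random
# value kept out of any config that is shared or version-controlled.
SALT = b"replace-with-long-random-secret"

# Constructed directory record using the attribute names the slides mention.
DIRECTORY_RECORD = {
    "cn": "smithr",
    "IdentityNumber": "0123456",
    "CardiffFAMAffiliation": ["member", "staff"],
    "CardiffFamEntitlements": ["urn:mace:dir:entitlement:common-lib-terms"],
}

# Default release (slide 12): minimum set unless an SP is configured otherwise.
DEFAULT_RELEASE = {"eduPersonScopedAffiliation", "eduPersonTargetedID"}
# Constructed per-SP overrides, the "case by case" part of arp.site.xml.
SP_OVERRIDES = {
    "https://sp.example.org/shibboleth": {"eduPersonPrincipalName", "eduPersonEntitlement"},
}


def targeted_id(identity_number, sp_entity_id, salt=SALT):
    """Opaque identifier that is stable for one user at one SP but differs
    across SPs. Keyed hash over SP entity ID and IdentityNumber: an SP cannot
    recover the IdentityNumber or predict the value another SP receives."""
    msg = f"{sp_entity_id}!{identity_number}".encode()
    return base64.b64encode(hmac.new(salt, msg, hashlib.sha256).digest()).decode()


def resolve(record, sp_entity_id):
    """Map local attributes onto eduPerson names, the job resolver.xml does."""
    return {
        "eduPersonPrincipalName": f"{record['cn']}@{SCOPE}",
        "eduPersonScopedAffiliation": [f"{a}@{SCOPE}" for a in record["CardiffFAMAffiliation"]],
        "eduPersonEntitlement": list(record["CardiffFamEntitlements"]),
        "eduPersonTargetedID": targeted_id(record["IdentityNumber"], sp_entity_id),
    }


def release(record, sp_entity_id):
    """Apply the release policy: defaults plus any per-SP additions."""
    allowed = DEFAULT_RELEASE | SP_OVERRIDES.get(sp_entity_id, set())
    return {name: value for name, value in resolve(record, sp_entity_id).items() if name in allowed}
```

An SP without an override receives only the two default attributes; the override entry shows how a single SP can be granted more without widening the default.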
  • 13. Authentication Options
    ➢ Apache vs Tomcat:
        ➢ Apache simpler
        ➢ Tomcat a lot more user friendly for your users
    ➢ Our login page:
  • 14.
  • 15. Overview
    ➢ Auditing of resources
    ➢ Promotion and Communication
    ➢ What has happened so far?
    ➢ What’s going to happen next?
    ➢ Questions?
  • 16. Auditing of resources
    ➢ Resources tested for shibboleth compliance.
    ➢ Non-compliant resources
        ➢ Westlaw – generic usernames and passwords until new platform released
        ➢ Lexis Nexis Professional – should be moved to Butterworths
        ➢ Alerts, Saved Searches and Personalisation.
  • 17. Promotion and Communication
    ➢ Emails about shibboleth/CU Login sent to all Information services staff
    ➢ Presentation on changes given to all library and helpdesk staff
    ➢ Documentation sent to all 18 libraries
    ➢ Web page – Off campus access
    ➢ Changes to databases page
    ➢ Subject Librarians cascaded information to all new students and staff
  • 18. What has happened so far?
    ➢ Went live – Sept 06
    ➢ Users
        ➢ New Training Grade Doctors
        ➢ New Students
        ➢ New Staff
        ➢ Users with expired accounts or problems
    ➢ 53.35 % of access to “Athens” e-resources is by CU login
  • 19. What’s going to happen next?
    ➢ 2nd July – changes to website to encourage remaining Athens users to switch
    ➢ Email to users with active Athens accounts
    ➢ Monitor use of Athens accounts over the next year and contact individual users to migrate.
    ➢ April 08 – All Athens accounts expire
  • 20.
  • 21.
  • 22. the end
    Any Questions?
    www.identity-project.org/survey.doc for:
        ➢ more info
        ➢ a copy of these slides
        ➢ clarification of any points
        ➢ meaningful discussion about shib
        ➢ meaningless discussion about stanley cup finals...
    email: smith@cardiff.ac.uk