Implementing a production Shibboleth IdP service at Cardiff University

Implementing a Production HA Shibboleth IDP service Rhys Smith, Cardiff University

Outline
Implementing a production service
HA
Conforming to Tech' Recommendations
Migration to Shib

Implementing a ProdN Service
Institutions planning a real-world production Shib IDP deployment:
Think beyond simple technical details
Consider higher level issues of design
Including HA and resiliency issues
Otherwise:
When your IDP server breaks (and it will), you're (technical terminology coming up) screwed!

Cardiff's setup idp.cardiff.ac.uk idp1.cf.ac.uk idp2.cf.ac.uk (NetScaler) hashib Shared Memory idp3.cf.ac.uk hashib Shared Memory

Cardiff's setup (con't)
idp1 & idp2 - Physical servers - PowerEdge
idp3 - VM on VMWare-ESX infrastructure; primarily for development, only occasionally in service
All linux - RHEL4
Server up/down checking via idp.xml:
...Shibboleth_StatusHandler... <Location>.+/shibbolethidp/Status</Location>
“ AVAILABLE” if everything has loaded OK

Fully monitored via SNMP
Standard server stuff (CPU usage, memory usage, Temperatures, etc)
Custom perl scripts parse Shib log files
Exposed via custom SNMP OIDs
Cacti (open source) monitoring solution already in place
email me for a copy of scripts/cacti templates, etc.

Tech' Recommendations
Metadata (the list of who is on the federation:
CRON job to update overnight, every night
Attributes:
Haven't implemented eduPerson in directory, use own attributes and map to eduPerson schema using resolver.xml

Tech' Recommendations (con't)
eduPersonScopedAffiliation:
Mapped to CardiffFAMAffiliation attribute in our directory (webauth tree)
Provisioned by our IDM sytem
“ member” if current staff, current student, current training grade doctor, manually “made” member in IDM web interface
staff/student similarly IDM driven

eduPersonTargetedID:
Simply using PersistentIDAttributeDefinition, linked to IDM IdentityNumber
Dynamically cryptographically creates an opaque, consistent TargetedID per user per resource
eduPersonPrincipalName:
Mapped to cn attribute in our directory

eduPersonEntitlement:
Mapped to CardiffFamEntitlements attribute in our directory
Provisioned by our IDM system where possible
Manually administered via IDM web interface otherwise

Attribute Release Policies
arp.site.xml
Set to release minimum information (scopedAffiliation and TargetedID) unless specifically set otherwise
Release more if desired on a case by case basis

Authentication Options
Apache vs Tomcat:
Apache simpler
Tomcat a lot more user friendly for your users
Our login page:

Shibboleth at Cardiff University Zoë Young Subject Librarian

Overview
Auditing of resources
Promotion and Communication
What has happened so far?
What’s going to happen next?
Questions?

Auditing of resources
Resources tested for shibboleth compliance.
Non-compliant resources
Westlaw – generic usernames and passwords until new platform released
Lexis Nexis Professional – should be moved to Butterworths
Alerts, Saved Searches and Personalisation.

Promotion and Communication
Emails about shibboleth/CU Login sent to all Information services staff
Presentation on changes given to all library and helpdesk staff
Documentation sent to all 18 libraries
Web page – Off campus access
Changes to databases page
Subject Librarians cascaded information to all new students and staff

What has happened so far?
Went live – Sept 06
Users
New Training Grade Doctors
New Students
New Staff
Users with expired accounts or problems
53.35 % of access to “Athens” e-resources is by CU login

What’s going to happen next?
2 nd July – changes to website to encourage remaining Athens users to switch
Email to users with active Athens accounts
Monitor use of Athens accounts over the next year and contact individual users to migrate.
April 08 – All Athens accounts expire

the end
Any Questions?
for:
more info
a copy of these slides
clarification of any points
meaningful discussion about shib
meaningless discussion about stanley cup finals...
email: smith@cardiff.ac.uk

Implementing a production Shibboleth IdP service at Cardiff University

by JISC.AM

Accessibility

Categories

Upload Details

Usage Rights

1 Embed 1

Statistics