Beyond Library eResources: Using OpenAthens for Enterprise Security


Jonathan Richardson and Robin Keith's presentation given at the OpenAthens seminar: Work smarter not harder with FAM. March 2011

Speaker notes:
  • Identity Management: who a person is, what we know about a person. Authentication: are they who they say they are. Federated Access: what can they access.
  • Not using LDAP, or use a secure version. Handle password errors etc. As we increase security we increase the need to support password changes; reducing help desk calls; consistent anti-phishing.
  • Beyond Library eResources: Using OpenAthens for Enterprise Security

    1. Beyond Library eResources: Using OpenAthens for enterprise security
       Jonathan Richardson – Assistant CIS Director
       Robin Keith – Head of Web Development

    2. Who are we? (March 14, 2011)
       300 acre campus university on the outskirts of Norwich
       23,000 students
       Rated in the top 3 of mainstream universities in the NSS
       Fourth greatest concentration of ‘most highly cited researchers’ in the UK, after London, Oxford and Cambridge.

    3. Athens @ UEA
       Pre-2006: used Classic Athens
         High cost of management
         Not user friendly – multiple passwords
       2006: implemented Athens DA
         Linked to the UEA Identity Management System for roles, and Active Directory for authentication
         Uses the Athens/Shibboleth gateway
         We only access others’/external resources – no UEA Service Provider
       We need to move forwards…

    4. Why? What’s changed?
       The Climate Science Hack has focused UEA on the security of our systems.
       UEA is a target for hackers and phishing attacks.
       Authentication and role-based access from mobile devices needs addressing.
       Need to provide a means to place UEA content in the user’s space.
       Need to develop a seamless, flexible and consistent authentication environment.
       Need a way of putting more of our content into a federated environment.

    5. What we want to do: Our objective…
       To have a single, seamless environment that supports internal and external authentication, supporting automatic single sign-on, via multiple protocols, to internal and external resources, based on the attributes of the user and the level of confidence in the authentication and the device being used.
       There are many providers of Federated Access products.
       Only OpenAthens allows SAML, Shibboleth and Athens.

    6. What we want to do: Components…
       Authentication
       Identity Management
       Federated Access

    7. Components: Identity Management…
       [Diagram of identity sources feeding role and group assignments. Recoverable labels:
        Sources – Personnel (Dept, Grade; Contractor, Honorary, etc.), Students (Course, FT/PT, Status), Visitors, Applicants, Partners, Alumni.
        Targets – Oracle Roles, AD Groups, Blackboard Groups, Library Rights, Physical Access, E:resources.]

    8. Components: Authentication (Vintela Authentication Services)
       Eliminates complexity by allowing Unix, Linux and Mac systems to participate as “full citizens” in Active Directory
       Provides centralized authentication and single sign-on
       Allows smart card authentication for Unix and Linux systems
       Facilitates migration to a single Active Directory-based infrastructure for all systems and users
       Simplifies security and compliance: Group Policy for Unix, Linux and Mac OS X systems
       Vintela Services for Java enable AD authentication at the application level

    9. Components: Federated Access…
       OpenAthens LA – supports multiple protocols, so gives us the best flexibility
       OpenAthens SP – for UEA collections, provides the route for us to become a publisher
       SimpleSAML – provides a lightweight route for us to SAML-enable many internal resources
       Working with suppliers to enable SAML/Shibboleth authentication

    10. Putting it together: Extending OpenAthens…
       [Flow diagram. Recoverable labels:
        Request In → Authentication, with capabilities: VAS (SPNEGO automatic login), LDAP (via LDAP proxy, anti-phishing login screen), Custom Auth Provider (alternative login screen, 3rd party IdP such as Facebook, etc.).
        Authenticated? YES / NO; on NO, Return Reason (password expired, browser, etc.).
        Level of Confidence.
        Attribute Provider: Roles, Mapping, UEA IDMS (SPOT).
        Response Out: Athens, Shibboleth, SAML.]

    11. How? Enabling a variety of access…
       [Diagram with the OpenAthens IdP at the centre. Recoverable labels:
        Always Authenticated Route and Single Sign On Route.
        Connected systems – UEA Active Directory, SPOT GUI, Blackboard, UEA Alumni, Polopoly (intranet), Polopoly (admin), UEA CRM Contacts, UEA Research Partners, ePrints, External Journals.
        Protocols – Athens, OpenID, InfoCard.]

    12. Progress: What we have done so far…
       Custom install of OpenAthens LA 2.1 – the basic install was not secure!
       HTTPS infrastructure
       Implemented automatic login via SPNEGO
       Integration with QAS (Quest/Vintela product)
       Return authentication sub-errors via the PHP auth module, enabling password expiry management
       Implemented SimpleSAML Service Provider

    13. Progress: What we have learnt so far…
       SAML setups are HARD – especially with PKIs
       OpenAthens makes it a bit easier – but the docs could be more detailed
       Need better public documentation of setting up various Service Providers
       Eduserv support has been really helpful

    14. What’s next? This is not a short-term project!
       Configure internal apps for SAML: Blackboard, Aleph, SITS e:Vision, etc.
       Research OpenAthens as a keystone for collaborative working tools
       Enable trusting the home institution – not just UK HEIs but globally, plus NHS and UK/EU governments
       Address policy issues (ToCU etc.)
       Address Teaching and Learning, Admin, Student Experience
         - SU eVoting
         - Placements – Medical + PGCE courses, collaboration with placement partners
       Link external IDs like Facebook to internal accounts, with reduced levels of confidence

    15. Questions?
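Slides 5, 10 and 14 describe routing an authentication result by "level of confidence" (automatic SPNEGO login, LDAP password login, or a linked third-party ID such as Facebook), the device in use, the user's roles, and a return reason such as an expired password. The following is an added example, not code from the presentation or from OpenAthens: a toy policy evaluator in which the confidence scores, the device cap, and the action names (`allow`, `step_up`, `change_password`, `login_screen`, `deny`) are all assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed confidence per authentication capability named on slide 10.
CONFIDENCE = {
    "spnego": 3,       # automatic login from a domain-joined device via VAS/Kerberos
    "ldap_proxy": 2,   # password login through the LDAP proxy and anti-phishing screen
    "third_party": 1,  # Facebook etc. linked to an internal account (slide 14)
}


@dataclass
class AuthResult:
    """Constructed stand-in for what the authentication stage hands back."""
    authenticated: bool
    method: str
    sub_error: Optional[str] = None   # e.g. "password_expired" from the PHP auth module
    roles: tuple = ()                 # attributes from the attribute provider (UEA IDMS)


def level_of_confidence(result: AuthResult, managed_device: bool) -> int:
    """Level depends on both the authentication route and the device (slide 5).
    Assumption: an unmanaged device caps the level at 2, even after SPNEGO."""
    if not result.authenticated:
        return 0
    level = CONFIDENCE.get(result.method, 0)
    return level if managed_device else min(level, 2)


def decide(result: AuthResult, managed_device: bool,
           required_level: int, required_role: str) -> tuple:
    """Map the authentication outcome to a 'return reason' for the response stage.
    Returns (action, reason); the action names are an assumed vocabulary."""
    if result.sub_error == "password_expired":
        # Surface the sub-error instead of a generic failure so the user can be
        # sent to password change (the expiry management goal on slide 12).
        return "change_password", "password_expired"
    if not result.authenticated:
        return "login_screen", result.sub_error or "not_authenticated"
    level = level_of_confidence(result, managed_device)
    if level < required_level:
        # A weakly authenticated session (e.g. a linked Facebook ID) is sent to
        # the alternative login screen to re-authenticate on a stronger route.
        return "step_up", f"level {level} below required {required_level}"
    if required_role not in result.roles:
        return "deny", f"missing role {required_role}"
    return "allow", f"level {level}"
```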