Little Red Riding Hood and the Federated IdP

Philip Adams, De Montfort University; presentation given at the OpenAthens seminar: Work smarter not harder with FAM. March 2011

  • The advertised aim of my talk is ‘to help you recognise the wolves – that make running an IdP difficult and recruit the helpers – who can enable you to reach your goal’. This comes out of the experience of my role as Athens Domain Administrator for many years and particularly the transition from OpenAthens MD to something easier for our students to use.
  • I want to recruit Red Riding Hood as a Helper for this talk. It is not just that the release of a film by that name this month makes my talk seem topical. Really I wanted to start with something that most people here would think they know about. A lot of the talk today uses terms like ‘eduPersonScopedAffiliation’ that give people headaches just thinking about them. I hope to avoid some of that by looking at all this from a slightly different point of view.
  • RRH is a folktale, and folktales have their own literature exploring how they work. In RRH the Mother sends some food to the Grandmother; she asks RRH to take it for her. RRH is aided only by her natural cuteness and is opposed by the Wolf.
  • There is a general pattern that can be observed in many different narratives. The Sender – Object – Receiver row works for RRH, but also for Lord of the Rings: Gandalf wants to send the Ring to oblivion. He asks Frodo as the Agent to take it, helped by Sam and opposed by Sauron and his allies.
  • So what happens if you take this narrative structure and apply it to the way university students login to access electronic resources? Well, the characters in the different roles change, but the structure remains the same. The University wants to send login credentials to the protected electronic resources. The Library has been given this task and is helped in this, at the moment, by Eduserv’s OpenAthens MD. The Adversary, or Wolf in this slide, is the personification of everything frustrating about this task. But I learnt from Alfred Hitchcock not to reveal your monsters too soon. So next I want to look at:
  • How much is at stake in this story? Lots of staff use their Athens accounts every day. I was going to divide the spend on resources by the number of hours in a year to get a figure for the cost of this system breaking down. But that would not cover half the cost of helpdesk calls, disrupted research, frustrated students, etc.
  • What about OpenAthens MD as a helper? At DMU we have a long experience of using this tool. We have developed routines for administering the service. Staff are familiar with how it works and can explain it to new students. It works for lots of resources. We get useful statistics back that help build a picture of electronic resource usage.
  • What is wrong with the current set-up? Students forget passwords: 178 requests for help through me and justask in November 2010. Some account details are never delivered. Students leave, interrupt or extend their studies. Use of resources may be lowered by password problems. How can we identify current staff members? Some of these issues are familiar to everyone, some are specific to DMU.
  • There is more in Grandma’s basket of food than a username and password. The system we move to has to be easy for the students to use; tied into University membership so that new students are recognised and departing users removed; it has to abide by the commitments we agreed to in joining the UK Federation, access a wide variety of services and not leak data about people.
  • What happens if we put Shibboleth in the Helper role? By ‘Shibboleth’ I mean an implementation of an open source piece of software by the University’s Central IT Dept, known (last year) as ISAS. Login details are now SAML credentials (‘eduPersonTargetedID’); the Agent is the Library and ISAS working together; the Helper brings potential advantages like: familiar username and password; tied to the membership database; no third party involved in data sharing; discreet information transmitted.
  • Shibboleth and the wolves: locally slow development of Shibboleth; not all subscribed resources are members of the UK federation.
  • OpenAthens LA would bring some advantages to the library: students would not forget their passwords so often and would go somewhere else to get them reset. Library teaching sessions would be a bit simpler, as they would not have to raise awareness of ‘Athens passwords’ when explaining how to login to resources. Administering the system would mean building our own LDAP tree, based on the main University LDAP. We could still use OpenAthens MD for such ‘special cases’ as Emeritus Professors, if they turn out not to be in the original source of data.
  • My version of the RRH story is about taming wolves and making them friends, rather than chopping them up with hatchets. We have been waiting for version 2.1 to come out of beta and for more documentation to be published. Setting up the application ourselves has meant getting to grips with how the software itself works, and particularly how it interacts with the University LDAP service. Building it this way has meant we have been suggesting ways in which the main service could be improved. It may still be that we need to set up more formal understandings with the services that we are going to be relying upon: maybe Service Level Agreements are a way of achieving this.
  • Progress at De Montfort University: start mid-2010; UK Access Management Federation registration in December 2010 in hidden mode; testing authentication and authorisation Jan 2011; investigating enhancing LDAP data; re-organisation of IT staff out of the Library and into the University Central Services department: Feb. 2011.
  • In one sense we are ‘in the middle’ of setting up OpenAthens LA. We have all the testing, marketing and explaining still to do. In another we are ‘at the beginning’, as there is much more that we could do once these wolves have been tamed or scared away. Most of the things on this list are to do with relationships. That is what the story has been about all along.
Transcript

    • 1. Little Red Riding Hood and the Federated Identity Provider
    • 2.
    • 3. Narrative Analysis of Red Riding Hood – Opening Section
      Scanned by NobbiP, via Wikimedia Commons
    • 4. Narrative Analysis of a folktale via Vladimir Propp
      Photo used under Creative Commons from Stevecadman via Flickr
    • 5. Narrative Analysis of current authentication arrangements
      Photo used under Creative Commons from Stevecadman via Flickr
    • 6. How much is at stake here?
      27000 Athens users
      £875000 annual spend on electronic resources
      A lot of annoyed people, with good reason, if the authentication service breaks down
    • 7. OpenAthens MD as a helper
      We have been using this for years
      We have routines for administering and supporting the service
      It works for Athens and UK federation authenticated resources
      We get usage statistics for logins
      Scanned by NobbiP, via Wikimedia Commons
    • 8. What is wrong with current set-up?
      Students forget passwords
      Password reset does not match email aliases
      Some account details never delivered
      Students leave, interrupt or extend their studies
      Use of resources may be lowered by password problems
      How can we identify current staff members?
      Photo used under Creative Commons from Fremlin via Flickr
    • 9. What are we trying to deliver?
      Easy for students to use;
      Tied in with University membership;
      Abiding by access regulations;
      Access wide range of electronic services;
      No more information revealed than necessary.
      Photo used under Creative Commons from Ewlas via Flickr
    • 10. Will Shibboleth help?
      Photo used under Creative Commons from Stevecadman via Flickr
    • 11. Shibboleth and the wolves
      Locally slow development of Shibboleth
      Not all subscribed resources are members of UK federation
      Photo used under Creative Commons from Dennis from Atlanta via Flickr
    • 12. OpenAthens LA as a helper
      Familiar login details;
      Existing password reset page;
      Usable interface for categories and attributes;
      Integrates with University database for staff and students;
      Can still use OpenAthens MD for ‘special cases’;
      Usage statistics for logins to different resources.
      Scanned by NobbiP, via Wikimedia Commons
    • 13. How about OpenAthens LA?
      OpenAthens LA and the wolves
      Wait for version upgrade close to meeting our needs
      Need to set up application ourselves
      Need to understand authentication terminology
      Need a Service Level Agreement with local LDAP provider
      Photo used under Creative Commons from Dennis from Atlanta via Flickr
    • 14. Progress at De Montfort University
      Start mid-2010
      UK Access Management Federation registration in December 2010 in hidden mode
      Testing authentication and authorisation Jan 2011
      Investigating enhancing LDAP data
      Re-organisation of IT staff out of Library and into University Central Services department: Feb. 2011
      Photo used under Creative Commons from Stevecadman via Flickr
    • 15. On the ‘to do’ list
      More testing
      Develop launch strategy
      Integrate with teaching and support in Library
      Explain changes to Faculties
      Investigate OpenID, OpenAthens SP
      Tame Wolves, make into Helpers
      Scanned by NobbiP, via Wikimedia Commons
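As an added worked example, and not code from the talk, from OpenAthens or from the Shibboleth project, the following Python sketch models what slides 9, 10 and 12 and the speaker notes ask of the new IdP: affiliations derived from University membership so that departed users drop out without anyone deleting an account by hand, a pairwise eduPersonTargetedID that a publisher can use as a stable account key but cannot correlate with the same user at another service, and a per-service release policy so that no more than the necessary attributes leave the IdP. The directory records, the scope dmu.ac.uk, the salt, the SP entityIDs and the HMAC-SHA256 construction are all assumptions made for the example; the Shibboleth IdP's own computedId connector uses its own salted-digest construction, but the property shown is the same.

```python
"""Attribute derivation and minimal release for a campus SAML IdP.

Added example; not code from the talk, OpenAthens or Shibboleth.
Everything below (records, scope, salt, SP entityIDs) is constructed.
"""
import base64
import hashlib
import hmac
from datetime import date

SCOPE = "dmu.ac.uk"                               # assumed scope for the example
TARGETED_ID_SALT = b"constructed-secret-keep-stable"  # constructed; a real salt is secret and never rotated casually
TALK_DATE = date(2011, 3, 1)                      # "today" for the worked run

# Constructed directory records, as a University LDAP might expose them to the IdP.
DIRECTORY = {
    "p1234567": {"givenName": "Alice", "mail": "alice@dmu.ac.uk",
                 "employeeType": "student", "accountExpires": date(2013, 9, 30)},
    "s0000042": {"givenName": "Bob", "mail": "bob@dmu.ac.uk",
                 "employeeType": "staff", "accountExpires": None},
    "p7654321": {"givenName": "Carol", "mail": "carol@dmu.ac.uk",
                 "employeeType": "student", "accountExpires": date(2010, 6, 30)},  # has left
}

# Per-service release policy keyed by SP entityID (constructed). A service not
# listed here gets only the two minimal attributes in DEFAULT_RELEASE.
RELEASE_POLICY = {
    "https://sp.example-publisher.org/shibboleth":
        {"eduPersonScopedAffiliation", "eduPersonTargetedID"},
    "https://vle.dmu.ac.uk/shibboleth":
        {"eduPersonScopedAffiliation", "eduPersonTargetedID", "mail", "givenName"},
}
DEFAULT_RELEASE = {"eduPersonScopedAffiliation", "eduPersonTargetedID"}


def is_current_member(record, today):
    """Membership is tied to the directory's expiry date, not to a separate Athens account."""
    expires = record.get("accountExpires")
    return expires is None or expires >= today


def scoped_affiliation(record, today):
    """eduPersonScopedAffiliation values derived from the directory record.
    A departed user gets an empty set and therefore no access."""
    if not is_current_member(record, today):
        return set()
    values = {"member"}
    employee_type = record.get("employeeType")
    if employee_type in ("student", "staff", "faculty", "affiliate"):
        values.add(employee_type)
    return {f"{value}@{SCOPE}" for value in values}


def targeted_id(user_id, sp_entity_id, salt=TARGETED_ID_SALT):
    """Pairwise, persistent, opaque identifier: HMAC-SHA256 over
    (SP entityID, local user ID). Stable for one SP, unlinkable across SPs.
    Assumption: real Shibboleth uses a different salted-digest scheme."""
    message = sp_entity_id.encode() + b"!" + user_id.encode()
    digest = hmac.new(salt, message, hashlib.sha256).digest()
    return base64.b64encode(digest).decode()


def assertion_attributes(user_id, sp_entity_id, today):
    """Attributes the IdP would put in a SAML assertion for this SP after
    applying the release policy. Unknown or departed users get nothing."""
    record = DIRECTORY.get(user_id)
    if record is None:
        return {}
    affiliations = scoped_affiliation(record, today)
    if not affiliations:
        return {}
    candidates = {
        "eduPersonScopedAffiliation": sorted(affiliations),
        "eduPersonTargetedID": targeted_id(user_id, sp_entity_id),
        "mail": record.get("mail"),
        "givenName": record.get("givenName"),
    }
    allowed = RELEASE_POLICY.get(sp_entity_id, DEFAULT_RELEASE)
    return {name: value for name, value in candidates.items()
            if name in allowed and value is not None}


if __name__ == "__main__":
    for uid in DIRECTORY:
        for sp in list(RELEASE_POLICY) + ["https://unregistered.example/sp"]:
            print(uid, sp, assertion_attributes(uid, sp, TALK_DATE))
```

Running it shows Alice's targeted ID differing between the publisher and the VLE, Carol (expired) receiving no attributes at all, and an SP with no policy entry receiving only affiliation and targeted ID. One operational caveat: if the salt is lost or changed, every user's targeted ID at every service changes and the personalised accounts publishers have built on it are orphaned, so the salt belongs in the same backup and key-management plan as the IdP signing key.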