Little Red Riding Hood and the Federated IdP
Philip Adams, De Montfort University; presentation given at the OpenAthens seminar: Work smarter not harder with FAM. March 2011

  • The advertised aim of my talk is ‘to help you recognise the wolves – that make running an IdP difficult – and recruit the helpers – who can enable you to reach your goal’. This comes out of the experience of my role as Athens Domain Administrator for many years and particularly the transition from OpenAthens MD to something easier for our students to use.
  • I want to recruit Red Riding Hood as a Helper for this talk. It is not just that the release of a film by that name this month makes my talk seem topical. Really I wanted to start with something that most people here would think they know about. A lot of the talk today uses terms like ‘eduPersonScopedAffiliation’ that give people headaches just thinking about them. I hope to avoid some of that by looking at all this from a slightly different point of view.
  • RRH is a folktale, and folktales have their own literature exploring how they work. In RRH the Mother sends some food to the Grandmother; she asks RRH to take it for her. RRH is aided only by her natural cuteness and is opposed by the Wolf.
  • This is a general pattern that can be observed in many different narratives. The Sender – Object – Receiver row works for RRH, but also for Lord of the Rings: Gandalf wants to send the Ring to oblivion. He asks Frodo as the Agent to take it, helped by Sam and opposed by Sauron and his allies.
  • So what happens if you take this narrative structure and apply it to the way university students log in to access electronic resources? Well, the characters in the different roles change, but the structure remains the same. The University wants to send login credentials to the protected electronic resources. The Library has been given this task and is helped in this, at the moment, by Eduserv’s OpenAthens MD. The Adversary, or Wolf in this slide, is the personification of everything frustrating about this task. But I learnt from Alfred Hitchcock not to reveal your monsters too soon. So next I want to look at:
  • How much is at stake in this story? Lots of staff use their Athens accounts every day. I was going to divide the spend on resources by the number of hours in a year to get a figure for the cost of this system breaking down. But that would not cover half the cost of helpdesk calls, disrupted research, frustrated students, etc.
  • What about OpenAthens MD as a helper? At DMU we have a long experience of using this tool. We have developed routines for administering the service. Staff are familiar with how it works and can explain it to new students. It works for lots of resources. We get useful statistics back that help build a picture of electronic resource usage.
  • What is wrong with the current set-up? Students forget passwords: 178 requests for help through me and justask in November 2010. Some account details never delivered. Students leave, interrupt or extend their studies. Use of resources may be lowered by password problems. How can we identify current staff members? Some of these issues are familiar to everyone, some are specific to DMU.
  • There is more in Grandma’s basket of food than a username and password. The system we move to has to be easy for the students to use; tied into University membership so that new students are recognised and departing users removed; it has to abide by the commitments we agreed to in joining the UK Federation, access a wide variety of services and not leak data about people.
  • What happens if we put Shibboleth in the Helper role? By ‘Shibboleth’ I mean an implementation of an open source piece of software by the University’s Central IT Dept, known (last year) as ISAS. Login details are now SAML credentials (‘eduPersonTargetedID’). The Agent is the Library and ISAS working together. The Helper brings potential advantages like: familiar username and password; tied to membership database; no third party involved in data sharing; discreet information transmitted.
  • Shibboleth and the wolves: locally slow development of Shibboleth; not all subscribed resources are members of the UK federation.
  • OpenAthens LA would bring some advantages to the library: students would not forget their passwords so often and would go somewhere else to get them reset. Library teaching sessions would be a bit simpler as they would not have to raise awareness of ‘Athens passwords’ when explaining how to log in to resources. Administering the system would mean building our own LDAP tree, based on the main University LDAP. We could still use OpenAthens MD for such ‘special cases’ as Emeritus Professors, if they turn out not to be in the original source of data.
  • My version of the RRH story is about taming wolves and making them friends, rather than chopping them up with hatchets. We have been waiting for version 2.1 to come out of beta and for more documentation to be published. Setting up the application ourselves has meant getting to grips with how the software itself works, and particularly how it interacts with the University LDAP service. Building it this way has meant we have been suggesting ways in which the main service could be improved. It may still be that we need to set up more formal understandings with the services that we are going to be relying upon: maybe Service Level Agreements are a way of achieving this.
  • Progress at De Montfort University: start mid-2010; UK Access Management Federation registration in December 2010 in hidden mode; testing authentication and authorisation Jan 2011; investigating enhancing LDAP data; re-organisation of IT staff out of Library and into University Central Services department: Feb. 2011.
  • In one sense we are ‘in the middle’ of setting up OpenAthens LA. We have all the testing, marketing and explaining still to do. In another we are ‘at the beginning’ as there is much more that we could do, once these wolves have been tamed or scared away. Most of the things on this list are to do with relationships. That is what the story has been about all along.
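The minimal-disclosure point in the notes above (SAML credentials carried as ‘eduPersonTargetedID’, with no third party in the data flow and no more information revealed than necessary) in working form. This is an added Python illustration, not code from the talk, from DMU, or from Shibboleth or OpenAthens: the entity IDs, scope, salt and directory records are constructed, and the hash construction is modelled on the computed persistent-ID approach rather than copied from any product.

```python
"""Pairwise pseudonymous identifier (eduPersonTargetedID style) plus a
minimal attribute-release policy. Constructed example for illustration."""
import base64
import hashlib

# Constructed values. A real IdP keeps the salt secret and per-deployment;
# changing it changes every released identifier.
IDP_ENTITY_ID = "https://idp.example.ac.uk/idp/shibboleth"
IDP_SCOPE = "example.ac.uk"
SALT = b"replace-with-a-long-random-secret"

# Constructed directory records standing in for the University LDAP.
DIRECTORY = {
    "p1234567": {"affiliation": ["student", "member"]},
    "padams":   {"affiliation": ["staff", "member"]},
}


def targeted_id(username: str, sp_entity_id: str) -> str:
    """Stable identifier for one user that differs for every service provider.

    Assumption: hash(SP entity ID ! local ID ! secret salt), base64-encoded.
    Because the SP entity ID is part of the input, two SPs cannot join their
    records on this value, and the local username never leaves the IdP.
    """
    material = f"{sp_entity_id}!{username}!".encode() + SALT
    value = base64.b64encode(hashlib.sha256(material).digest()).decode()
    # NameID-like tuple: IdP qualifier ! SP qualifier ! opaque value
    return f"{IDP_ENTITY_ID}!{sp_entity_id}!{value}"


def release_attributes(username: str, sp_entity_id: str) -> dict:
    """Release only the pairwise ID and scoped affiliation to the SP.

    Everything else in the directory record (and the username itself)
    is deliberately withheld: the SP needs 'is a student here', not 'who'.
    """
    record = DIRECTORY[username]
    return {
        "eduPersonTargetedID": targeted_id(username, sp_entity_id),
        "eduPersonScopedAffiliation": [
            f"{a}@{IDP_SCOPE}" for a in record["affiliation"]
        ],
    }


def correlatable(username: str, sp_a: str, sp_b: str) -> bool:
    """True only if two SPs would receive the same identifier for this user."""
    return targeted_id(username, sp_a) == targeted_id(username, sp_b)
```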

Presentation Transcript

  • Little Red Riding Hood and the Federated Identity Provider
  • Narrative Analysis of Red Riding Hood – Opening Section
    Scanned by NobbiP, via Wikimedia Commons
  • Narrative Analysis of a folktale via Vladimir Propp
    Photo used under Creative Commons from Stevecadman via Flickr
  • Narrative Analysis of current authentication arrangements
    Photo used under Creative Commons from Stevecadman via Flickr
  • How much is at stake here?
    27000 Athens users
    £875000 annual spend on electronic resources
    A lot of annoyed people, with good reason, if the authentication service breaks down
  • OpenAthens MD as a helper
    We have been using this for years
    We have routines for administering and supporting the service
    It works for Athens and UK federation authenticated resources
    We get usage statistics for logins
    Scanned by NobbiP, via Wikimedia Commons
  • What is wrong with current set-up?
    Students forget passwords
    Password reset does not match email aliases
    Some account details never delivered
    Students leave, interrupt or extend their studies
    Use of resources may be lowered by password problems
    How can we identify current staff members?
    Photo used under Creative Commons from Fremlin via Flickr
  • What are we trying to deliver?
    Easy for students to use;
    Tied in with University membership;
    Abiding by access regulations;
    Access wide range of electronic services;
    No more information revealed than necessary.
    Photo used under Creative Commons from Ewlas via Flickr
  • Will Shibboleth help?
    Photo used under Creative Commons from Stevecadman via Flickr
  • Shibboleth and the wolves
    Locally slow development of Shibboleth
    Not all subscribed resources are members of UK federation
    Photo used under Creative Commons from Dennis from Atlanta via Flickr
  • OpenAthens LA as a helper
    Familiar login details;
    Existing password reset page;
    Usable interface for categories and attributes;
    Integrates with University database for staff and students;
    Can still use OpenAthens MD for ‘special cases’;
    Usage statistics for logins to different resources.
    Scanned by NobbiP, via Wikimedia Commons
  • How about OpenAthens LA?
    OpenAthens LA and the wolves
    Wait for version upgrade close to meeting our needs
    Need to set up application ourselves
    Need to understand authentication terminology
    Need a Service Level Agreement with local LDAP provider
    Photo used under Creative Commons from Dennis from Atlanta via Flickr
  • Progress at
    De Montfort University
    Start mid-2010
    UK Access Management Federation registration in December 2010 in hidden mode
    Testing authentication and authorisation Jan 2011
    Investigating enhancing LDAP data
    Re-organisation of IT staff out of Library and into University Central Services department: Feb. 2011
    Photo used under Creative Commons from Stevecadman via Flickr
  • On the ‘to do’ list
    More testing
    Develop launch strategy
    Integrate with teaching and support in Library
    Explain changes to Faculties
    Investigate OpenID, OpenAthens SP
    Tame Wolves, make into Helpers
    Scanned by NobbiP, via Wikimedia Commons