OpenAthens LA 2.0:
A joined-up approach to identity
OpenAthens workshops, May 2009
David Orrell, Eduserv
david.orrell@eduserv.org.uk
www.eduserv.org.uk

Overview
• Local authentication
• Product background and goals
• Architecture
• Configuration processes
• Roadmap and future developments

What is OpenAthens LA?
Software to enable federated access to
internal and external Web resources

Federated identity
Service Providers
Identity Provider (resources)

Federated identity
Service Providers
Identity Provider (resources)
Control
Policy
Subscriptions
Management

Running an identity provider
System
IT Services administrator
Identity provider
Librarian
Configuration
User-repository

Our top 3 priorities for OpenAthens LA
2.0...

Our top 3 priorities for OpenAthens LA
2.0...

1) Ease of installation, configuration &
maintenance
• Web-based administration
• Built-in diagnostics and statistics

2) Support for multiple, Open Standards

3) Adaptable and extendable
• Modular architecture
• Open APIs – write your own extensions

OpenAthens LA 2.0
• Administration control...

OpenAthens LA 2.0: administration
System
administrator
Administration
Runtime server(s) server
Runtime Model
Librarian
User-repository
Staff / students

OpenAthens LA 2.0: administration
Administration
server
Model history
Admin application(s) Model

OpenAthens LA 2.0
• Runtime flexibility...

OpenAthens 'Atacama' platform
Protocol modules

OpenAthens LA 2.0: modules
• Authentication
• Data-store
connectors
OpenAthens LA runtime • Identity
protocols
(SAML, OpenID
Platform etc)
• Attribute
Webserver
release policies
• Custom
attributes
• …

Runtime installation
• Runtime connects to administration server
• Multiple runtimes can point to the same
server and model
– Load-balancing
– High availability
Administration
Runtime server(s) server
Apache runtime Model

Runtime installation
• Install Apache module (mod_openathens)
• Point runtime at administration console
– ...in httpd.conf
OAConfig http://admin.example.ac.uk/OalaAdmin/Publish/0/Apache

Authentication
• Built-in
– LDAP
– OpenAthens MD
• Custom
– Apache (eg. mod_authnz_ldap)
– Kerberos
– Windows domain
– PHP, Perl...
– ...or multiple methods

Built-in authentication
1) Configure authentication providers in GUI
2) Configure runtime to use named provider
<Location /oala/sso>
AuthType OpenAthens:ldap
require valid-user
</Location>

Custom authentication
1) Configure runtime to use custom provider
– eg. mod_auth_..., PHP, mod_perl
<Location /oala/sso>
AuthType OpenAthens:php
require valid-user
</Location>
2) Write authentication provider
...
$auth = new OALACustomAuth($userId);
$auth->establishSession();

Data handling
Organisation
boundary
User-categories:
Authenticated
user Attributes
Staff,
students...
User data
Services,
Federations,
Partners
Affiliates,
alumni... Release
policy

Data-stores and user-categories
• Enable organisation and description of users
• Users may grouped be in multiple categories
– ...but must be in at least one
• Categories may be assigned by rules
– ...or may be assigned explicitly
• Attributes are assigned to categories

Attribute types
• LDAP
• SQL database
– MySQL
– Microsoft SQL Server
• Fixed value
• Derived
– eg. eduPersonTargetedID
• Scripted

Attribute release
• Control flow of data leaving
organisation
• Control which attributes are sent to
which service providers
• Should only disclose minimum required
“Release attribute x to everyone”
“Release attribute y to service z”

Thank you!
david.orrell@eduserv.org.uk

OpenAthens LA 2.0: release schedule
July 2009: Sept 2009: Oct/Nov 2009:
June 2009: .NET runtime .NET runtime 2.1 advisory
Beta release alpha release GA release group
March 2009: July 2009: end July 2009: Jan 2010:
Initial Alpha Test VM images OpenAthens LA 2.0 2.1 release
Apache GA release

2.1 release
• Librarian console
• Integrated statistics/diagnostics
• More built-in authn options
– including OpenID
• More supported federations