Copyright Andy Ingham, 2010. This work is the intellectual property of the author. Permission is granted for this material...
Shibboleth Access to Licensed Library   Resources Through InCommon             Andy Ingham           University Libraries ...
WHAT I’D LIKE TO COVER Overview of the problem area InC-Library initiative - Background InC-Library vendor subgroup    Pro...
Overview of the problem areaGet ALL, but ONLY, the “right” University affiliates to licensed external library resources, e...
Proxy versus Shibboleth                              Benefit	                                  Proxy	        Shibboleth	  P...
Proxy    Needed to accommodate “location based”    access model that is the de facto standardShibboleth    Framework that ...
ARCHITECTURAL SHIFT                     Primary	  structural	               Secondary	                       element	     ...
InC-Library Initiative - what is it?
InC-Library Initiative - in a nutshell "Access to library online resources and services has skyrocketed as opportunities f...
InCommon "The mission of the InCommon Federation is to create and support a common framework for trustworthy shared manage...
InC-Library Initiative     Phase I (Feb 2007– Dec 2008)    •   Identify technical challenges and propose solutions    •  I...
InC-Library Vendor subgroup
InC-Library Vendor subgroup  Task List  1.  Identify a list of high priority vendors in Libraryland  2.  Define best pract...
Identify a list of vendors   https://spaces.internet2.edu/display/inclibrary/TargetResources    •  Importance of the resou...
Discuss and document “best practices”  https://spaces.internet2.edu/display/inclibrary/Best+Practices  1.  Authorization v...
SP	                                               IdP	    WAYF                              Authentication service(Where A...
common-lib-terms “Many contracts between higher education institutions and information publishers provide access to publis...
SP	                                                         IdP	  WAYF                                                   A...
SP	                                                 IdP	  Deep link    WAYF                     Authentication service    ...
SP	                                                IdP	  EZproxy-        WAYF                          Authentication serv...
Document configuration information specific to vendorshttps://spaces.internet2.edu/display/inclibrary/RegistryOfResources ...
Recruit and sponsor new vendors into InCommon1.  Identify vendors of interest to the InCommon community2.  Identify instit...
The InC-Library group would welcome participationin the process from other institutions:     join one of the InC-Library ...
Case study of UNC-Chapel Hill      Putting the pieces together
InC-Library Vendor subgroup  Task List  1.  Identify a list of high priority vendors in Library land  2.  Define best prac...
Provide information about how to “connect the dots”https://spaces.internet2.edu/display/inclibrary/Shibboleth+-+EZproxy   ...
Pre-requisite #1An institution-wide (enterprise) directory service thatcontains information about the users for whom youwi...
Overview of current architecture at UNC-CH
Pre-requisite #2An Identity management environment (policies andbusiness practices) that governs the management ofidentity...
Pre-requisite #3A Shibboleth IdP from which service providers(EZproxy itself, JSTOR, OCLC, Elsevier, etc) canobtain suffic...
Pre-requisite #4An EZproxy installation that provides authenticatedremote access to library resources.
Pre-requisite #5Institutional membership in a federation such asInCommon.
Implementation steps:1.  Configure IdP to release standard entitlement    attributes (eduPersonEntitlement)2.  Shibboleth ...
SP	                                                  IdP	  EZproxy-               WAYF               Authentication servic...
SP	                                                  IdP	  EZproxy-               WAYF               Authentication servic...
THANK YOUandy_ingham@unc.edu
Shibboleth access to licensed library resources
Shibboleth access to licensed library resources
Upcoming SlideShare
Loading in …5
×

Shibboleth access to licensed library resources

1,855 views
1,774 views

Published on

Presentation at EDUCAUSE Mid-Atlantic Regional Conference, January 2010

0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
1,855
On SlideShare
0
From Embeds
0
Number of Embeds
9
Actions
Shares
0
Downloads
6
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Shibboleth access to licensed library resources

  1. 1. Copyright Andy Ingham, 2010. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.
  2. 2. Shibboleth Access to Licensed Library Resources Through InCommon Andy Ingham University Libraries UNC-Chapel Hill 01-15-2010
  3. 3. WHAT I’D LIKE TO COVER Overview of the problem area InC-Library initiative - Background InC-Library vendor subgroup Progress thus far Work still outstanding Case study at UNC-Chapel Hill
  4. 4. Overview of the problem areaGet ALL, but ONLY, the “right” University affiliates to licensed external library resources, even from the “open web,” effectively and efficiently. OR“How can the current proxy-server-centric model be improved?”
  5. 5. Proxy versus Shibboleth Benefit   Proxy   Shibboleth  Provides  SSO  for  LIBRARY  resources   X   X  Provides  SSO  (also)  for  other  “campus”   X  resources  Eliminates  IP  range  management  for   Only  if  force  LIBRARY   authn  even   ON-­‐ CAMPUS  Eliminates  IP  range  management  for   X  VENDOR(S)  (including  need  for  library  to  keep  list  sync-­‐ed  across  all  vendors)  Allows  possibility  for  PERSONALIZATION   X  streamlining  across  mulPple  vendors  
  6. 6. Proxy Needed to accommodate “location based” access model that is the de facto standardShibboleth Framework that allows an “user attribute based” access model
  7. 7. ARCHITECTURAL SHIFT Primary  structural   Secondary   element   structural  element   PROXY   LOCATION  (IP   AQributes  about   address)   the  user  (via  proxy   server  authn  /   authz)   SHIBBOLETH   AQributes  about   LOCATION  (to   the  user  (via  IdP)     accommodate   “walk-­‐ins”)  
  8. 8. InC-Library Initiative - what is it?
  9. 9. InC-Library Initiative - in a nutshell "Access to library online resources and services has skyrocketed as opportunities for distance learning and the user expectations for availability of online information have increased. Providing access to these resources requires substantial time and resources by libraries, as well as often being complex for the users. The InCommon Library Services collaboration formed in 2007 to explore implementing access to library services and electronic resources using Shibboleth authentication." https://spaces.internet2.edu/display/inclibrary/InC-Library
  10. 10. InCommon "The mission of the InCommon Federation is to create and support a common framework for trustworthy shared management of access to on-line resources in support of education and research in the United States. To achieve its mission, InCommon will facilitate development of a community-based common trust fabric sufficient to enable participants to make appropriate decisions about the release of identity information and the control of access to protected online resources. ” http://www.incommonfederation.org/about.cfm
  11. 11. InC-Library Initiative Phase I (Feb 2007– Dec 2008) •   Identify technical challenges and propose solutions •  Identify organizational needs •  Result: “Focus on the Shibboleth / EZproxy hybrid” Phase II (March 2009‐ present) •  Encourage pilots of the technology solution •  Address specific organizational needs •  Build momentum in the community
  12. 12. InC-Library Vendor subgroup
  13. 13. InC-Library Vendor subgroup Task List 1.  Identify a list of high priority vendors in Libraryland 2.  Define best practices for both vendors and institutions 3.  Document configuration information specific to vendors 4.  Provide information about how to “connect the dots” 5.  Recruit and sponsor new vendors into InCommon
  14. 14. Identify a list of vendors https://spaces.internet2.edu/display/inclibrary/TargetResources •  Importance of the resource in the library marketplace •  Experience that participant libraries have with that vendor’s tech support •  Experience that the VENDOR has with Shibboleth •  WHICH federation(s) the vendor is already a member of
  15. 15. Discuss and document “best practices” https://spaces.internet2.edu/display/inclibrary/Best+Practices 1.  Authorization via eduPerson attributes 2.  Implement WAYFless URLs 3.  Implement authenticated direct links to resources 4.  Shibboleth/EZproxy hybrid compliance
  16. 16. SP   IdP   WAYF Authentication service(Where AreYou From?) [ If successful ]Make A8ribute  (eduPerson)   Value  authori- En=tlement   common-­‐lib-­‐terms  zation ScopedAffiliaPon   staff@unc.edu  decision  …  ?   …  ?  SUCCESS ?!
  17. 17. common-lib-terms “Many contracts between higher education institutions and information publishers provide access to published information for a standard higher-ed population consisting of regular full-time faculty, staff, and students (of a particular institution), also including anyone physically present in that institutions library regardless of affiliation. This value is used to indicate that the holder of the entitlement has access to resources under those contract terms…” http://middleware.internet2.edu/urn-mace/urn-mace-dir-entitlement.html
  18. 18. SP   IdP  WAYF Authentication service “Discovery  Problem”   WITHOUT  WAYFless  URLs,  a[user  must:   ]   If successful 1.  Find  the  “login”  area  of  the  vendor  site  Make 2.  A8ribute  (eduPerson)   Value   Select  the  correct  federa=on  authori- 3.  Select  the  correct  ins=tu=on   En=tlement   common-­‐lib-­‐terms  zation ScopedAffiliaPon   staff@unc.edu   WITH  WAYFless  URLs,  a  user  bypasses  all  three  decision  steps  above.    While  this  …  OES  require  that   …  ?   D ?   the  user  follow  a  library  managed  link,   that  is  CURRENTLY  the  case  for  use  with  SUCCESS ?! EZproxy    
  19. 19. SP   IdP  Deep link WAYF Authentication service [ If successful ]Make A8ribute  (eduPerson)   Value  authori- En=tlement   common-­‐lib-­‐terms  zation ScopedAffiliaPon   staff@unc.edu  decision  …  ?   …  ?  SUCCESSFUL authz = user immediately at deep link
  20. 20. SP   IdP  EZproxy- WAYF Authentication serviceprefixed link [ If successful ] By  taking  advantage  of  EZproxy’s  ability,   through  custom  configuraPon,  to  make   Make A8ribute  (eduPerson)   Value   library-­‐managed  links  WAYFless,  the   authori- En=tlement   is  able  to  gcommon-­‐lib-­‐terms   insPtuPon   racefully  handle   zation ScopedAffiliaPon   to  resources,  avoid  the   remote  access   staff@unc.edu   decision  …  discovery  problem,  and  do  so  using  the   ?   …  ?   SAME  EZproxy-­‐prefixed  links  it  currently  has!     SUCCESS ?!
  21. 21. Document configuration information specific to vendorshttps://spaces.internet2.edu/display/inclibrary/RegistryOfResources “Registry of resources” containing configuration specifics, compliance with best practices, vendor contact info, links to additional documentation, and EZproxy configuration examples.
  22. 22. Recruit and sponsor new vendors into InCommon1.  Identify vendors of interest to the InCommon community2.  Identify institutions willing to lobby those vendors to join3.  Identify institutions willing to do the work of officially SPONSORING each vendor into InCommon
  23. 23. The InC-Library group would welcome participationin the process from other institutions:   join one of the InC-Library sub-groups   evaluate and comment on the Best Practices document   add a case study to the website   offer to assist with the sponsorship of new vendors into InCommon   Implement Shibboleth auth to build momentum
  24. 24. Case study of UNC-Chapel Hill Putting the pieces together
  25. 25. InC-Library Vendor subgroup Task List 1.  Identify a list of high priority vendors in Library land 2.  Define best practices for both vendors and institutions 3.  Document configuration information specific to vendors 4.  Provide information about how to “connect the dots” 5.  Recruit and sponsor new vendors into InCommon
  26. 26. Provide information about how to “connect the dots”https://spaces.internet2.edu/display/inclibrary/Shibboleth+-+EZproxy +HOW-TO
  27. 27. Pre-requisite #1An institution-wide (enterprise) directory service thatcontains information about the users for whom youwish to authorize access to electronic resources.
  28. 28. Overview of current architecture at UNC-CH
  29. 29. Pre-requisite #2An Identity management environment (policies andbusiness practices) that governs the management ofidentity information for the users in the enterprisedirectory. This is necessary to build and maintain thetrust necessary to participate in a federation such asInCommon.
  30. 30. Pre-requisite #3A Shibboleth IdP from which service providers(EZproxy itself, JSTOR, OCLC, Elsevier, etc) canobtain sufficient identity information about each userof their services who requests access.
  31. 31. Pre-requisite #4An EZproxy installation that provides authenticatedremote access to library resources.
  32. 32. Pre-requisite #5Institutional membership in a federation such asInCommon.
  33. 33. Implementation steps:1.  Configure IdP to release standard entitlement attributes (eduPersonEntitlement)2.  Shibboleth enable the EZproxy installation3.  Setup EZproxy authorization based on eduPersonEntitlement4.  Configure Shibboleth access to resource providers via EZproxy’s support for WAYFless URLs
  34. 34. SP   IdP  EZproxy- WAYF Authentication serviceprefixed link [ If successful ]EZproxy   A8ribute  (eduPerson)   Value  makes   En=tlement   common-­‐lib-­‐terms  authorizaPon   ScopedAffiliaPon   staff@unc.edu  decision    …  ?   …  ?   SUCCESS ! (EZproxy authz mimicking remote SPs future “attribute-based” authz)
  35. 35. SP   IdP  EZproxy- WAYF Authentication serviceprefixed link [ If successful ]External   A8ribute  (eduPerson)   Value  resource  makes   En=tlement   common-­‐lib-­‐terms  authorizaPon   ScopedAffiliaPon   staff@unc.edu  decision    …  ?   …  ?   SUCCESS ! (Session HANDED OFF to remote resource, taking EZproxy OUT of the process )
  36. 36. THANK YOUandy_ingham@unc.edu

×