Implementing a production Shibboleth IdP service at Cardiff University
This joint presentation by Rhys Smith and Zoe Young explains the process of implementing a federated access management infrastructure, based on Shibboleth, at the University of Cardiff.
1. Implementing a Shibboleth IDP service
    Rhys Smith & Zoë Young
    Cardiff University

2. Outline
    ➢ Implementing a production service
    ➢ HA
    ➢ Conforming to Tech' Recommendations
    ➢ Migration to Shib

3. Implementing a ProdN Service
    ➢ Institutions planning a real-world production Shib IDP deployment:
        ➢ Think beyond simple technical details
        ➢ Consider higher level issues of design
        ➢ Including HA and resiliency issues
    ➢ Otherwise:
        ➢ When your IDP server breaks (and it will), you're (technical terminology coming up) screwed!

4. Cardiff's setup
    [Diagram: idp.cardiff.ac.uk (NetScaler) in front of idp1.cf.ac.uk, idp2.cf.ac.uk and idp3.cf.ac.uk; labels "hashib" and "Shared Memory"]

5. Cardiff's setup (con't)
    ➢ idp1 & idp2 - Physical servers - PowerEdge
    ➢ idp3 - VM on VMWare-ESX infrastructure; primarily for development, only occasionally in service
    ➢ All linux - RHEL4
    ➢ Server up/down checking via idp.xml:
        ➢ ...Shibboleth_StatusHandler...
        ➢ <Location>.+/shibbolethidp/Status</Location>
        ➢ "AVAILABLE" if everything has loaded OK

6. Cardiff's setup (con't)
    ➢ Fully monitored via SNMP
        ➢ Standard server stuff (CPU usage, memory usage, temperatures, etc)
        ➢ Custom perl scripts parse Shib log files
        ➢ Exposed via custom SNMP OIDs
        ➢ Cacti (open source) monitoring solution already in place
    ➢ email me for a copy of scripts/cacti templates, etc.

7. Cardiff's setup (con't)

8. Tech' Recommendations
    ➢ Metadata (the list of who is on the federation):
        ➢ CRON job to update overnight, every night
    ➢ Attributes:
        ➢ Haven't implemented eduPerson in directory, use own attributes and map to eduPerson schema using resolver.xml

9. Tech' Recommendations (con't)
    ➢ eduPersonScopedAffiliation:
        ➢ Mapped to CardiffFAMAffiliation attribute in our directory (webauth tree)
        ➢ Provisioned by our IDM system
        ➢ "member" if current staff, current student, current training grade doctor, manually "made" member in IDM web interface
        ➢ staff/student similarly IDM driven

10. Tech' Recommendations (con't)
    ➢ eduPersonTargetedID:
        ➢ Simply using PersistentIDAttributeDefinition, linked to IDM IdentityNumber
        ➢ Dynamically cryptographically creates an opaque, consistent TargetedID per user per resource
    ➢ eduPersonPrincipalName:
        ➢ Mapped to cn attribute in our directory

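The per-user, per-resource TargetedID this slide describes, as an added example that is not code from the slides or from the Shibboleth project. It assumes the computed persistent ID construction base64(SHA-1(relyingParty + "!" + sourceId + "!" + salt)) that Shibboleth's PersistentIDAttributeDefinition is understood to use; the salt, IdentityNumber and SP entityIDs are constructed.

```python
import base64
import hashlib

# Constructed sample salt. In a real IdP this is the configured salt: it must be
# kept secret (with it, anyone can recompute the ID for a guessed identifier) and
# must never change, or every SP loses its mapping to returning users.
SALT = b"constructed-example-salt-not-a-real-secret"

def targeted_id(source_id: str, relying_party: str, salt: bytes = SALT) -> str:
    """Opaque, consistent TargetedID for one user at one resource.

    Assumed construction (what the computed persistent ID is understood to do):
        base64( SHA-1( relyingParty + "!" + sourceId + "!" + salt ) )
    source_id is the IDM IdentityNumber the slide links the definition to.
    """
    h = hashlib.sha1()
    h.update(relying_party.encode("utf-8"))
    h.update(b"!")
    h.update(source_id.encode("utf-8"))
    h.update(b"!")
    h.update(salt)
    return base64.b64encode(h.digest()).decode("ascii")

def is_opaque(tid: str, source_id: str, relying_party: str) -> bool:
    """Sanity check a defender can run: the ID must leak neither input."""
    return source_id not in tid and relying_party not in tid

def correlation_check(source_id: str, rp_a: str, rp_b: str) -> dict:
    """Show the per-user, per-resource property on constructed inputs.

    consistent -> the same user at the same SP always gets the same ID
    unlinkable -> two SPs receive unrelated IDs for the same user
    """
    a1 = targeted_id(source_id, rp_a)
    a2 = targeted_id(source_id, rp_a)
    b = targeted_id(source_id, rp_b)
    return {"consistent": a1 == a2, "unlinkable": a1 != b,
            "opaque": is_opaque(a1, source_id, rp_a)}

if __name__ == "__main__":
    # Constructed identifiers: an IDM IdentityNumber and two SP entityIDs.
    print(targeted_id("1234567", "https://sp-a.example.org/shibboleth"))
    print(correlation_check("1234567",
                            "https://sp-a.example.org/shibboleth",
                            "https://sp-b.example.org/shibboleth"))
```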
11. Tech' Recommendations (con't)
    ➢ eduPersonEntitlement:
        ➢ Mapped to CardiffFamEntitlements attribute in our directory
        ➢ Provisioned by our IDM system where possible
        ➢ Manually administered via IDM web interface otherwise

12. Tech' Recommendations (con't)
    ➢ Attribute Release Policies
        ➢ arp.site.xml
        ➢ Set to release minimum information (scopedAffiliation and TargetedID) unless specifically set otherwise
        ➢ Release more if desired on a case by case basis

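The "minimum by default, more case by case" release decision from this slide, modelled as an added example that is not code from the slides or from the Shibboleth project. The SP entityIDs, the entitlement value and the sample user are constructed; the attribute names are the ones the slides map.

```python
# Constructed model of the release decision in arp.site.xml. ANY stands for a
# rule permitting every value of an attribute; a set permits only those values.
ANY = object()

# Site default: the minimum the slide names, released to every requester.
SITE_DEFAULT = {
    "eduPersonScopedAffiliation": ANY,
    "eduPersonTargetedID": ANY,
}

# Case-by-case additions keyed by the requesting SP's entityID (constructed).
PER_REQUESTER = {
    "https://library-sp.example.org/shibboleth": {
        "eduPersonPrincipalName": ANY,
        "eduPersonEntitlement": {"urn:mace:example.org:library-access"},
    },
}

def permitted_values(rule, values):
    """Everything for ANY, otherwise only the values the rule lists."""
    if rule is ANY:
        return list(values)
    return [v for v in values if v in rule]

def release(requester: str, user_attrs: dict) -> dict:
    """Return only what the ARP permits this requester to see.

    user_attrs maps attribute name -> list of values the resolver produced.
    Attributes with no permitting rule, and values a value-level rule does not
    list, are dropped; nothing is ever added that the user does not hold.
    """
    rules = dict(SITE_DEFAULT)
    rules.update(PER_REQUESTER.get(requester, {}))
    out = {}
    for name, values in user_attrs.items():
        if name in rules:
            kept = permitted_values(rules[name], values)
            if kept:
                out[name] = kept
    return out

# Constructed user holding every attribute the slides discuss.
USER = {
    "eduPersonScopedAffiliation": ["member@cardiff.ac.uk", "staff@cardiff.ac.uk"],
    "eduPersonTargetedID": ["opaque-id-for-this-sp"],
    "eduPersonPrincipalName": ["someone@cardiff.ac.uk"],
    "eduPersonEntitlement": ["urn:mace:example.org:library-access",
                             "urn:mace:example.org:admin-console"],
}
```

An SP with no rule of its own gets only the two default attributes; the constructed library SP additionally gets the principal name and the single permitted entitlement value.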
13. Authentication Options
    ➢ Apache vs Tomcat:
        ➢ Apache simpler
        ➢ Tomcat a lot more user friendly for your users
    ➢ Our login page:

14. Overview
    ➢ Auditing of resources
    ➢ Promotion and Communication
    ➢ What has happened so far?
    ➢ What's going to happen next?
    ➢ Questions?

15. Auditing of resources
    ➢ Resources tested for shibboleth compliance.
    ➢ Non-compliant resources
        ➢ Westlaw – generic usernames and passwords until new platform released
        ➢ Lexis Nexis Professional – should be moved to Butterworths
        ➢ Alerts, Saved Searches and Personalisation.

16. Promotion and Communication
    ➢ Emails about shibboleth/CU Login sent to all Information Services staff
    ➢ Presentation on changes given to all library and helpdesk staff
    ➢ Documentation sent to all 18 libraries
    ➢ Web page – Off campus access
    ➢ Changes to databases page
    ➢ Subject Librarians cascaded information to all new students and staff

17. What has happened so far?
    ➢ Went live – Sept 06
    ➢ Users
        ➢ New Training Grade Doctors
        ➢ New Students
        ➢ New Staff
        ➢ Users with expired accounts or problems
    ➢ 53.35 % of access to "Athens" e-resources is by CU login

  18. 18. What’s going to happen next? 2nd July – changes to website to encourage  ➢ remaining Athens users to switch Email to users with active Athens accounts ➢ Monitor use of Athens accounts over the  ➢ next year and contact individual users to  migrate. April 08 – All Athens accounts expire ➢
19. the end
    Any Questions?

    www.identity-project.org/survey.doc for:
        more info
        a copy of these slides
        clarification of any points
        meaningful discussion about shib
        meaningless discussion about stanley cup finals...

    email: smith@cardiff.ac.uk