Implementing a production Shibboleth IdP service at Cardiff University

This joint presentation by Rhys Smith and Zoe Young explains the process of implementing a federated access management infrastructure, based on Shibboleth, at the University of Cardiff.

Published in: Technology, Education
    1. Implementing a Production HA Shibboleth IDP service
       Rhys Smith, Cardiff University

    2. Outline
       • Implementing a production service
       • HA
       • Conforming to Tech' Recommendations
       • Migration to Shib

    3. Implementing a ProdN Service
       • Institutions planning a real-world production Shib IDP deployment:
         • Think beyond simple technical details
         • Consider higher level issues of design
         • Including HA and resiliency issues
       • Otherwise:
         • When your IDP server breaks (and it will), you're (technical terminology coming up) screwed!

    4. Cardiff's setup
       [diagram residue: NetScaler; hashib / Shared Memory; hashib / Shared Memory]

    5. Cardiff's setup (cont'd)
       • idp1 & idp2 - Physical servers - PowerEdge
       • idp3 - VM on VMWare-ESX infrastructure; primarily for development, only occasionally in service
       • All linux - RHEL4
       • Server up/down checking via idp.xml:
         • ...Shibboleth_StatusHandler... <Location>.+/shibbolethidp/Status</Location>
         • "AVAILABLE" if everything has loaded OK
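The up/down check described on slide 5 is what a load balancer or monitor would poll before sending users to a node. The script below is an added example, not Cardiff's code: it fetches the Status handler at an assumed placeholder URL (STATUS_URL; the real host and the path mapped by the <Location> element in idp.xml are yours to substitute) and treats the node as up only if some line of the response is exactly "AVAILABLE". Every other outcome (timeout, TLS or connection error, HTTP error, a container error page, or a 200 whose body lacks the marker) counts as down, so a half-started IdP never receives traffic.

```python
"""Health check against a Shibboleth IdP Status handler (added example).

Assumptions, labelled: STATUS_URL is a placeholder; a healthy IdP answers the
Status handler with a body containing the line AVAILABLE, as the slide states.
"""
import sys
import urllib.error
import urllib.request

# Placeholder: substitute the real IdP host and the Status path from your idp.xml.
STATUS_URL = "https://idp.example.ac.uk/shibboleth-idp/Status"
TIMEOUT_SECONDS = 5


def idp_is_available(body: str) -> bool:
    """True only if a whole line of the body is exactly AVAILABLE.

    A substring test would be fooled by an error page that happens to say
    "UNAVAILABLE", so each line is stripped and compared in full.
    """
    return any(line.strip() == "AVAILABLE" for line in body.splitlines())


def check_idp(url: str = STATUS_URL, timeout: float = TIMEOUT_SECONDS):
    """Fetch the Status handler; return (up: bool, reason: str).

    Any failure to fetch, any non-200 answer and any body without the marker
    is classified as down, so the load balancer only keeps fully loaded nodes
    in the pool.
    """
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            if resp.status != 200:
                return False, f"HTTP {resp.status}"
            body = resp.read().decode("utf-8", errors="replace")
    except (urllib.error.URLError, OSError, ValueError) as exc:
        # URLError covers HTTPError (4xx/5xx) and connection/TLS failures;
        # OSError covers socket timeouts; ValueError covers a malformed URL.
        return False, f"unreachable: {exc}"
    if idp_is_available(body):
        return True, "AVAILABLE"
    return False, "IdP answered but did not report AVAILABLE"


if __name__ == "__main__":
    # Exit status 0 = up, 1 = down, so the script can serve as a monitor probe.
    target = sys.argv[1] if len(sys.argv) > 1 else STATUS_URL
    up, reason = check_idp(target)
    print("UP" if up else "DOWN", reason)
    sys.exit(0 if up else 1)
```

The Status handler reveals whether a node is serving, so in practice its <Location> should be reachable from the load balancer and monitoring hosts only; the check itself does not need anything beyond a plain GET.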
    6. Cardiff's setup (cont'd)
       • Fully monitored via SNMP
         • Standard server stuff (CPU usage, memory usage, temperatures, etc.)
         • Custom perl scripts parse Shib log files
         • Exposed via custom SNMP OIDs
       • Cacti (open source) monitoring solution already in place
       • Email me for a copy of scripts/cacti templates, etc.
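Slide 6 mentions custom Perl scripts that parse the Shibboleth logs and expose counters over SNMP. The script below is an added example in Python, not Cardiff's Perl: it reduces a log to a fixed-order list of integers of the kind an snmpd "extend" directive can publish as OIDs for Cacti to graph. The log lines are constructed for the demo and the layout (timestamp, level, SSO or AQ event, user, provider) is hypothetical; real Shibboleth logs differ, so LINE_RE must be adapted. The "unparsed" counter is the detail worth copying: when the log format changes, the monitor shows a rising unparsed count instead of silently graphing zero logins.

```python
"""Turn IdP log lines into SNMP-friendly counters (added example).

The sample log and its line format are constructed for this demo; adapt
LINE_RE to the real layout of your IdP's log files.
"""
import re
import sys
from collections import Counter

# Constructed sample log in a hypothetical format.
SAMPLE_LOG = """\
2007-06-11 09:00:01 INFO  SSO user=u1 provider=https://sp.publisher-a.example/shibboleth
2007-06-11 09:00:07 INFO  SSO user=u2 provider=https://sp.publisher-b.example/shibboleth
2007-06-11 09:00:09 INFO  AQ  user=u1 provider=https://sp.publisher-a.example/shibboleth
2007-06-11 09:00:15 ERROR SSO user=u3 provider=https://sp.publisher-a.example/shibboleth msg=auth failed
2007-06-11 09:00:20 INFO  SSO user=u4 provider=https://sp.publisher-a.example/shibboleth
"""

# SSO = single sign-on (authentication) event, AQ = attribute query from an SP.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+)\s+(?P<level>[A-Z]+)\s+(?P<event>SSO|AQ)\s+"
    r"user=(?P<user>\S+)\s+provider=(?P<sp>\S+)"
)


def summarise(lines):
    """Return (stats, per_sp): overall counters and successful SSO count per SP."""
    stats = Counter()
    per_sp = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            # Count rather than ignore: a format change becomes visible on a graph.
            stats["unparsed"] += 1
            continue
        event, level, sp = m["event"], m["level"], m["sp"]
        if event == "SSO" and level == "ERROR":
            stats["sso_errors"] += 1
        elif event == "SSO":
            stats["sso_ok"] += 1
            per_sp[sp] += 1
        elif event == "AQ":
            stats["attribute_queries"] += 1
    return stats, per_sp


def snmp_lines(stats, per_sp):
    """Fixed-order integers, one per line, so each OID index keeps its meaning."""
    return [
        str(stats["sso_ok"]),
        str(stats["sso_errors"]),
        str(stats["attribute_queries"]),
        str(stats["unparsed"]),
        str(len(per_sp)),  # number of distinct SPs that logged a user in
    ]


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            lines = fh.read().splitlines()
    else:
        lines = SAMPLE_LOG.splitlines()
    stats, per_sp = summarise(lines)
    print("\n".join(snmp_lines(stats, per_sp)))
```

Run with a log path as the only argument, or with no argument to see the constructed sample summarised (3 logins, 1 failure, 1 attribute query, 0 unparsed lines, 2 SPs).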
    7. Cardiff's setup (cont'd)

    8. Tech' Recommendations
       • Metadata (the list of who is in the federation):
         • CRON job to update overnight, every night
       • Attributes:
         • Haven't implemented eduPerson in directory; use own attributes and map to eduPerson schema using resolver.xml
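Slide 8 recommends a nightly cron job that refreshes the federation metadata. The failure mode a production job has to handle is a bad download (an HTML error page, a truncated file, or a stale file) overwriting a metadata file that was working, which would break every SP's entry at once. The script below is an added example, not Cardiff's cron job: it downloads from a placeholder URL, checks that the document is well-formed XML whose root is a SAML 2.0 EntitiesDescriptor with at least one EntityDescriptor and a validUntil still in the future, and only then replaces the live file atomically. The URL and destination path are placeholders. Federations generally sign their metadata; verifying that signature against the federation's published key is the further check a real job should add before installing, and is not shown here.

```python
"""Nightly metadata refresh that never replaces a good file with a bad one.

Added example. METADATA_URL and DEST are placeholders; the federation is
assumed to publish SAML 2.0 metadata (root element md:EntitiesDescriptor).
"""
import os
import sys
import tempfile
import urllib.request
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from typing import Optional

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
METADATA_URL = "https://federation.example/metadata/metadata.xml"  # placeholder
DEST = "/opt/shibboleth-idp/etc/federation-metadata.xml"             # placeholder


def validate_metadata(data: bytes, now: Optional[datetime] = None) -> Optional[str]:
    """Return None if the bytes look like usable metadata, else a reason string."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return f"not well-formed XML: {exc}"
    if root.tag != f"{{{MD_NS}}}EntitiesDescriptor":
        # Typical symptom of an HTML error page served with status 200.
        return f"unexpected root element {root.tag}"
    if root.find(f"{{{MD_NS}}}EntityDescriptor") is None:
        return "no EntityDescriptor elements (empty or truncated metadata)"
    valid_until = root.get("validUntil")
    if valid_until:
        now = now or datetime.now(timezone.utc)
        try:
            expiry = datetime.fromisoformat(valid_until.replace("Z", "+00:00"))
        except ValueError:
            return f"unparseable validUntil {valid_until!r}"
        if expiry <= now:
            return f"metadata already expired at {valid_until}"
    return None


def refresh(url: str = METADATA_URL, dest: str = DEST, timeout: float = 60) -> int:
    """Download, validate, then install atomically. Returns bytes written."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        data = resp.read()
    problem = validate_metadata(data)
    if problem:
        raise RuntimeError(f"refusing to install metadata: {problem}")
    # Write to a temp file in the same directory, then rename: the IdP only ever
    # sees the old complete file or the new complete file, never a partial one.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(dest), prefix=".metadata-")
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
        os.replace(tmp, dest)
    except Exception:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise
    return len(data)


if __name__ == "__main__":
    # A non-zero exit from cron keeps the previous file in place and mails the error.
    try:
        print(f"installed {refresh()} bytes to {DEST}")
    except Exception as exc:
        print(f"metadata refresh failed: {exc}", file=sys.stderr)
        sys.exit(1)
```

Point the cron entry at this script instead of a bare fetch: the rename keeps the previous metadata in service whenever the download is rejected, and the error on stderr reaches whoever reads cron's mail.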
    9. Tech' Recommendations (cont'd)
       • eduPersonScopedAffiliation:
         • Mapped to CardiffFAMAffiliation attribute in our directory (webauth tree)
         • Provisioned by our IDM system
         • "member" if current staff, current student, current training grade doctor, or manually "made" member in IDM web interface
         • staff/student similarly IDM driven

    10. Tech' Recommendations (cont'd)
       • eduPersonTargetedID:
         • Simply using PersistentIDAttributeDefinition, linked to IDM IdentityNumber
         • Dynamically and cryptographically creates an opaque, consistent TargetedID per user per resource
       • eduPersonPrincipalName:
         • Mapped to cn attribute in our directory

    11. Tech' Recommendations (cont'd)
       • eduPersonEntitlement:
         • Mapped to CardiffFamEntitlements attribute in our directory
         • Provisioned by our IDM system where possible
         • Manually administered via IDM web interface otherwise

    12. Tech' Recommendations (cont'd)
       • Attribute Release Policies
         • Set to release minimum information (scopedAffiliation and TargetedID) unless specifically set otherwise
         • Release more if desired on a case by case basis

    13. Authentication Options
       • Apache vs Tomcat:
         • Apache simpler
         • Tomcat a lot more user friendly for your users
         • Our login page: [screenshot]

    15. Shibboleth at Cardiff University
       Zoë Young, Subject Librarian

    16. Overview
       • Auditing of resources
       • Promotion and Communication
       • What has happened so far?
       • What's going to happen next?
       • Questions?

    17. Auditing of resources
       • Resources tested for Shibboleth compliance.
       • Non-compliant resources
         • Westlaw – generic usernames and passwords until new platform released
         • Lexis Nexis Professional – should be moved to Butterworths
       • Alerts, Saved Searches and Personalisation.

    18. Promotion and Communication
       • Emails about Shibboleth/CU Login sent to all Information Services staff
       • Presentation on changes given to all library and helpdesk staff
       • Documentation sent to all 18 libraries
       • Web page – Off campus access
       • Changes to databases page
       • Subject Librarians cascaded information to all new students and staff

    19. What has happened so far?
       • Went live – Sept 06
       • Users
         • New Training Grade Doctors
         • New Students
         • New Staff
         • Users with expired accounts or problems
       • 53.35% of access to "Athens" e-resources is by CU login

    20. What's going to happen next?
       • 2nd July – changes to website to encourage remaining Athens users to switch
       • Email to users with active Athens accounts
       • Monitor use of Athens accounts over the next year and contact individual users to migrate.
       • April 08 – All Athens accounts expire

    23. The end
       • Any questions?
       • For:
         • more info
         • a copy of these slides
         • clarification of any points
         • meaningful discussion about Shib
         • meaningless discussion about Stanley Cup finals...
       • email: