OpenAthens LA 2.0: a joined-up approach to identity

David Orrell, Identity Systems Architect at Eduserv, discusses building identity solutions that support multiple open standards.

  1. OpenAthens LA 2.0: A joined-up approach to identity
     OpenAthens workshops, May 2009
     David Orrell, Eduserv
     david.orrell@eduserv.org.uk
     www.eduserv.org.uk
  2. Overview
     • Local authentication
     • Product background and goals
     • Architecture
     • Configuration processes
     • Roadmap and future developments
  3. What is OpenAthens LA?
     Software to enable federated access to internal and external Web resources
  4. Federated identity
     (diagram: Identity Provider ↔ Service Providers (resources))
  5. Federated identity
     (diagram: Identity Provider ↔ Service Providers (resources); labels: Control, Policy, Subscriptions, Management)
  6. Running an identity provider
     (diagram: system administrator (IT Services), librarian, identity provider, configuration, user-repository)
  7. Our top 3 priorities for OpenAthens LA 2.0...
  8. Our top 3 priorities for OpenAthens LA 2.0...
  9. 1) Ease of installation, configuration & maintenance
     • Web-based administration
     • Built-in diagnostics and statistics
  10. 2) Support for multiple, Open Standards
  11. 3) Adaptable and extendable
     • Modular architecture
     • Open APIs – write your own extensions
  12. OpenAthens LA 2.0
     • Administration control...
  13. OpenAthens LA 2.0: administration
     (diagram: system administrator and librarian → administration server holding the model → runtime server(s) → user-repository and staff / students)
  14. OpenAthens LA 2.0: administration
     (diagram: administration server holding the model and model history, used by admin application(s))
  15. OpenAthens LA 2.0
     • Runtime flexibility...
  16. OpenAthens 'Atacama' platform
     (diagram: protocol modules on the platform)
  17. OpenAthens LA 2.0: modules
     • Authentication
     • Data-store connectors
     • Identity protocols (SAML, OpenID etc)
     • Attribute release policies
     • Custom attributes
     • …
     (diagram: OpenAthens LA runtime on top of the Platform on top of the Webserver)
  18. Runtime installation
     • Runtime connects to administration server
     • Multiple runtimes can point to the same server and model
       – Load-balancing
       – High availability
     (diagram: administration server holding the model ← Apache runtime server(s))
  19. Runtime installation
     • Install Apache module (mod_openathens)
     • Point runtime at administration console
       – ...in httpd.conf:
           OAConfig http://admin.example.ac.uk/OalaAdmin/Publish/0/Apache
  20. Authentication
     • Built-in
       – LDAP
       – OpenAthens MD
     • Custom
       – Apache (eg. mod_authnz_ldap)
       – Kerberos
       – Windows domain
       – PHP, Perl...
       – ...or multiple methods
  21. Built-in authentication
     1) Configure authentication providers in GUI
     2) Configure runtime to use named provider:
           <Location /oala/sso>
             AuthType OpenAthens:ldap
             require valid-user
           </Location>
  22. Custom authentication
     1) Configure runtime to use custom provider
        – eg. mod_auth_..., PHP, mod_perl
           <Location /oala/sso>
             AuthType OpenAthens:php
             require valid-user
           </Location>
     2) Write authentication provider
           ...
           $auth = new OALACustomAuth($userId);
           $auth->establishSession();
  23. Data handling
     (diagram: within the organisation boundary, the authenticated user's user data is organised into user-categories (staff, students..., affiliates, alumni...) and attributes, which pass through the release policy before reaching services, federations and partners)
  24. Data-stores and user-categories
     • Enable organisation and description of users
     • Users may be grouped in multiple categories
       – ...but must be in at least one
     • Categories may be assigned by rules
       – ...or may be assigned explicitly
     • Attributes are assigned to categories
  25. Attribute types
     • LDAP
     • SQL database
       – MySQL
       – Microsoft SQL Server
     • Fixed value
     • Derived
       – eg. eduPersonTargetedID
     • Scripted
  26. Attribute release
     • Control flow of data leaving organisation
     • Control which attributes are sent to which service providers
     • Should only disclose minimum required
       “Release attribute x to everyone”
       “Release attribute y to service z”
  27. Thank you!
     david.orrell@eduserv.org.uk
  28. OpenAthens LA 2.0: release schedule
     • March 2009: Initial Alpha
     • June 2009: Beta release
     • July 2009: .NET runtime alpha release
     • July 2009: Test VM images
     • end July 2009: OpenAthens LA 2.0 Apache GA release
     • Sept 2009: .NET runtime GA release
     • Oct/Nov 2009: 2.1 advisory group
     • Jan 2010: 2.1 release
  29. 2.1 release
     • Librarian console
     • Integrated statistics/diagnostics
     • More built-in authn options
       – including OpenID
     • More supported federations
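The data-handling model on slides 23 to 26 (rule-based and explicit user-categories with an at-least-one check, per-category attributes of the LDAP, fixed, derived and scripted kinds, and a per-service release policy that withholds anything not explicitly released) is shown end to end below as an added Python example. It is illustrative code written for this page, not OpenAthens LA code: the user records, category rules, attribute definitions, salt and service-provider entityIDs are all constructed, and the eduPersonTargetedID derivation is a Shibboleth-style salted hash assumed for illustration rather than OpenAthens LA's own algorithm.

```python
"""Toy model of the OpenAthens LA 2.0 data-handling slides: user-categories,
category attributes, a derived eduPersonTargetedID and attribute release.
Illustrative only; not OpenAthens code."""
import base64
import hashlib

# Constructed sample records, standing in for an LDAP/SQL data-store.
USERS = {
    "alice": {"uid": "alice", "dept": "library", "employeeType": "staff", "mail": "alice@example.ac.uk"},
    "bob": {"uid": "bob", "dept": "physics", "employeeType": "student", "mail": "bob@example.ac.uk"},
    "carol": {"uid": "carol", "dept": "", "employeeType": "", "mail": "carol@example.ac.uk"},
    "dave": {"uid": "dave", "dept": "estates", "employeeType": "contractor", "mail": "dave@example.ac.uk"},
}

# Rule-based category assignment: a predicate over the raw record.
CATEGORY_RULES = {
    "staff": lambda r: r.get("employeeType") == "staff",
    "students": lambda r: r.get("employeeType") == "student",
}
# Explicit category assignment (e.g. maintained by the librarian).
EXPLICIT_CATEGORIES = {"carol": {"alumni"}, "alice": {"alumni"}}


def categories_for(uid, record):
    """A user may be in several categories but must be in at least one."""
    cats = {name for name, rule in CATEGORY_RULES.items() if rule(record)}
    cats |= EXPLICIT_CATEGORIES.get(uid, set())
    if not cats:
        raise ValueError(f"{uid}: user is not in any category")
    return cats


# Hypothetical site salt; a real deployment keeps this secret and stable,
# because changing it changes every user's pseudonym at every service.
TARGETED_ID_SALT = b"constructed-demo-salt"


def eduperson_targeted_id(uid, sp_entity_id):
    """Derived attribute: a per-service pseudonym, so two services cannot
    correlate the same user. Shibboleth-style computed ID (hash of SP
    entityID, local ID and salt), assumed here for illustration."""
    material = b"!".join([sp_entity_id.encode(), uid.encode(), TARGETED_ID_SALT])
    return base64.b64encode(hashlib.sha256(material).digest()).decode()


# Attribute definitions per category. Source kinds mirror slide 25:
# ("ldap", field), ("fixed", value), ("derived", name), ("scripted", callable).
ATTRIBUTES = {
    "staff": {
        "eduPersonScopedAffiliation": ("fixed", "staff@example.ac.uk"),
        "mail": ("ldap", "mail"),
        "department": ("ldap", "dept"),
        "eduPersonTargetedID": ("derived", "eduPersonTargetedID"),
    },
    "students": {
        "eduPersonScopedAffiliation": ("fixed", "student@example.ac.uk"),
        "mail": ("ldap", "mail"),
        "eduPersonTargetedID": ("derived", "eduPersonTargetedID"),
    },
    "alumni": {
        "eduPersonScopedAffiliation": ("fixed", "alum@example.ac.uk"),
        "displayName": ("scripted", lambda r: r["uid"].capitalize()),
        "eduPersonTargetedID": ("derived", "eduPersonTargetedID"),
    },
}


def resolve_attributes(uid, record, cats, sp_entity_id):
    """Union of the attributes of every category the user is in (multi-valued)."""
    attrs = {}
    for cat in sorted(cats):
        for name, (kind, src) in ATTRIBUTES[cat].items():
            if kind == "ldap":
                value = record.get(src)
            elif kind == "fixed":
                value = src
            elif kind == "derived":
                value = eduperson_targeted_id(uid, sp_entity_id)
            else:  # scripted
                value = src(record)
            if value:
                values = attrs.setdefault(name, [])
                if value not in values:
                    values.append(value)
    return attrs


# Release policy: (attribute, audience); audience "*" means every service provider.
RELEASE_POLICY = [
    ("eduPersonScopedAffiliation", "*"),
    ("eduPersonTargetedID", "*"),
    ("mail", "https://sp.publisher.example/shibboleth"),
]


def release(uid, sp_entity_id):
    """Attributes that leave the organisation for this user and this SP.
    Default deny: an attribute with no matching policy entry is withheld."""
    record = USERS[uid]
    attrs = resolve_attributes(uid, record, categories_for(uid, record), sp_entity_id)
    allowed = {a for a, aud in RELEASE_POLICY if aud in ("*", sp_entity_id)}
    return {name: vals for name, vals in attrs.items() if name in allowed}


if __name__ == "__main__":
    for sp in ("https://sp.publisher.example/shibboleth", "https://sp.other.example/shibboleth"):
        print(sp, release("alice", sp))
```

Running it shows the minimum-disclosure rule in action: alice's `mail` reaches only the publisher SP, `department` and `displayName` are resolved but never released because no policy names them, and her `eduPersonTargetedID` differs between the two services while staying stable for each one.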
