Slide 1 – Beyond Library eResources: Using OpenAthens for enterprise security
Jonathan Richardson – Assistant CIS Director
Robin Keith – Head of Web Development
March 14, 2011

Slide 2 – Who are we?
• 300 acre campus university on the outskirts of Norwich
• 23,000 students
• Rated in the top 3 of mainstream universities in the NSS
• Fourth greatest concentration of ‘most highly cited researchers’ in the UK, after London, Oxford and Cambridge.
Slide 3 – Athens @ UEA
• Pre 2006 used Classic Athens: high cost of management; non user friendly – multiple passwords
• 2006 implemented Athens DA: linked in to the UEA Identity Management System for roles, and Active Directory for authentication; uses the Athens/Shibboleth gateway.
• We only access others’/external resources – no UEA Service Provider.
• We need to move forwards…
Slide 4 – Why? What’s changed?
• Climate Science Hack has focused UEA on the security of our systems.
• UEA is a target for hackers and phishing attacks.
• Authentication and role based access from mobile devices needs addressing.
• Need to provide means to place UEA content in the user’s space.
• Need to develop a seamless, flexible and consistent authentication environment.
• Need a way of putting more of our content into a federated environment.
Slide 5 – What we want to do: Our Objective…
• To have a single, seamless environment that supports internal and external authentication, supporting automatic single sign on, via multiple protocols, to internal and external resources, based on the attributes of the user and the level of confidence in the authentication and device being used.
• There are many providers of Federated Access products.
• Only OpenAthens allows SAML, Shibboleth and Athens.
Slide 6 – What we want to do: Components…
• Authentication
• Identity Management
• Federated Access
Slide 7 – Components: Identity Management… (diagram; labels recovered from extraction, connections not recoverable)
• Identity sources: Personnel (Dept, Grade, Status), Oracle Roles, AD Groups, Blackboard Groups, Students (Course, FT/PT), Applicants, Visitors (Contractor, Honorary, etc), Partners, Alumni
• Entitlements: Library Rights, Physical Access, E:resources
Slide 8 – Components: Authentication – Vintela Authentication Services
• Eliminates complexity by allowing Unix, Linux, and Mac systems to participate as “full citizens” in Active Directory
• Provides centralized authentication and single sign-on
• Allows smart card authentication for Unix and Linux systems
• Facilitates migration to a single Active Directory-based infrastructure for all systems and users
• Simplifies security and compliance: Group Policy for Unix, Linux, and Mac OS X systems
• Vintela Services for Java enable AD authentication at the application level
Slide 9 – Components: Federated Access…
• OpenAthens LA – supports multiple protocols, so gives us the best flexibility
• OpenAthens SP – for UEA collections; provides the route for us to become a publisher.
• SimpleSAML – provides a lightweight route for us to SAML-enable many internal resources
• Working with suppliers to enable SAML/Shibboleth authentication
Slide 10 – Putting it together: Extending OpenAthens… (flow diagram; labels recovered from extraction, arrows not recoverable)
• Request In → browser capability check (SPNEGO available? YES / NO)
• YES: Automatic Login via VAS / SPNEGO
• NO: Login Screen (Anti Phishing, Level of Confidence); Alternative Login Screen via Custom Auth Provider / 3rd party IdP (Facebook etc) with ID Mapping
• Authentication; Return Reason (e.g. Password Expired)
• Attribute Provider: Roles from UEA IDMS (SPOT) via LDAP (via LDAP Proxy); Level of Confidence
• Authenticated → Response Out: ATHENS / SHIBBOLETH / SAML
Slide 11 – How? Enabling a variety of access… (diagram; labels recovered from extraction)
• Centre: OpenAthens IdP; UEA Active Directory
• Routes: Always Authenticated Route; Single Sign On Route
• Connected systems: SPOT GUI, Blackboard, UEA Alumni, Polopoly (intranet), Polopoly (admin), UEA CRM Contacts, UEA Research Partners, ePrints, External Journals
• Protocols / identities: Athens, OpenId, InfoCard
Slide 12 – Progress: What we have done so far…
• Custom install of OpenAthens LA 2.1 – the basic install was not secure!
• https infrastructure
• Implemented automatic login via SPNEGO
• Integration with QAS (Quest/Vintela product)
• Return authentication sub-errors via PHP auth module, enabling password expiry management
• Implemented SimpleSAML Service Provider
Slide 13 – Progress: What we have learnt so far…
• SAML setups are HARD – especially with PKIs
• OpenAthens makes it a bit easier – but docs could be more detailed.
• Need better public documentation of setting up various Service Providers.
• Eduserv support has been really helpful.
Slide 14 – What’s Next?
• This is not a short term project!
• Configure internal apps for SAML: Blackboard, Aleph, SITS e:Vision, etc.
• Research OpenAthens as a keystone for collaborative working tools
• Enable trusting the home institution. Not just UK HEIs but globally, plus NHS and UK/EU governments.
• Address policy issues (ToCU etc)
• Address Teaching and Learning, Admin, Student Experience: SU eVoting; Placements – Medical + PGCE courses, collaboration with placement partners
• Link external IDs like Facebook to internal accounts, with reduced levels of confidence.
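The objective on slide 5, the flow on slide 10 and the reduced-confidence external logins above all describe one access decision: roles aggregated from several identity sources, a level of confidence derived from the authentication route and device, and a resource policy that needs both. The Python below is an added illustration of that decision, not code from the presentation, from OpenAthens or from UEA; every source name, role, route, resource policy and threshold is a constructed assumption (the resource names borrow the system labels on slide 11).

```python
"""Added example: attribute-plus-confidence access decision.

Illustrative only; not UEA's or OpenAthens' code. Source names, roles,
routes, resource policies and thresholds are constructed assumptions.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, Iterable, Optional, Set, Tuple


class Confidence(IntEnum):
    NONE = 0
    LOW = 1      # linked external identity (social IdP), as on slide 14
    MEDIUM = 2   # institutional password typed into the login screen
    HIGH = 3     # SPNEGO/Kerberos ticket from a domain-joined managed device


# Assumed policy: confidence assigned per authentication route.
ROUTE_CONFIDENCE: Dict[str, Confidence] = {
    "spnego_managed_device": Confidence.HIGH,
    "password_login_screen": Confidence.MEDIUM,
    "external_idp_linked": Confidence.LOW,
}

# Assumed policy: (roles that may access, minimum confidence) per resource.
RESOURCE_POLICY: Dict[str, Tuple[Set[str], Confidence]] = {
    "external_journals": ({"student", "staff", "alumni"}, Confidence.LOW),
    "polopoly_intranet": ({"student", "staff"}, Confidence.MEDIUM),
    "polopoly_admin": ({"web_admin"}, Confidence.HIGH),
}

# Constructed sample attribute sources (HR roles, AD groups, Blackboard
# groups, mirroring slide 7). Not real UEA data.
SOURCES: Dict[str, Dict[str, Iterable[str]]] = {
    "oracle_hr": {"abc123": ["staff"], "xyz789": []},
    "ad_groups": {"abc123": ["web_admin"], "stu001": ["student"]},
    "blackboard": {"stu001": ["student"], "alm555": ["alumni"]},
}


@dataclass
class AuthResult:
    authenticated: bool
    route: Optional[str] = None
    # Sub-error returned to the login screen on failure, e.g. "password_expired",
    # so the user is told what to do instead of seeing a bare rejection.
    reason: Optional[str] = None


def aggregate_roles(person_id: str, sources: Dict[str, Dict[str, Iterable[str]]]) -> Set[str]:
    """Union of the roles every attribute source holds for this person."""
    roles: Set[str] = set()
    for table in sources.values():
        roles.update(table.get(person_id, ()))
    return roles


def level_of_confidence(auth: AuthResult) -> Confidence:
    """Map how the session was established to a confidence level."""
    if not auth.authenticated:
        return Confidence.NONE
    # Unknown routes get no credit rather than a default grant.
    return ROUTE_CONFIDENCE.get(auth.route or "", Confidence.NONE)


def decide(resource: str, roles: Set[str], auth: AuthResult) -> Tuple[bool, str]:
    """Grant only if a permitted role is present AND the session's confidence
    meets the resource floor. The denial reason distinguishes 'wrong role'
    from 'authenticate more strongly' so the front end can step up."""
    if not auth.authenticated:
        return False, auth.reason or "not_authenticated"
    policy = RESOURCE_POLICY.get(resource)
    if policy is None:
        return False, "unknown_resource"
    permitted_roles, floor = policy
    if not roles & permitted_roles:
        return False, "role_missing"
    if level_of_confidence(auth) < floor:
        return False, "step_up_required:" + floor.name
    return True, "ok"


if __name__ == "__main__":
    roles = aggregate_roles("abc123", SOURCES)
    for route in ROUTE_CONFIDENCE:
        print(route, decide("polopoly_admin", roles, AuthResult(True, route)))
    print("expired:", decide("external_journals", roles, AuthResult(False, reason="password_expired")))
```

The two-part check is the point: a member of staff who is also a web administrator still cannot reach the admin interface from a session that only rated MEDIUM (password) or LOW (linked Facebook identity); they are told to step up rather than simply refused. The `reason` field carries the sub-error from the authentication layer through to the response, which is what slide 12's password-expiry handling and the #10 speaker note about reducing help desk calls are after.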
Slide 15 – Questions?


Editor's Notes

  • #7 Identity Management: who a person is, what we know about a person. Authentication: are they who they say they are. Federated Access: what can they access.
  • #10 Not using LDAP – or use a secure version. Handle password errors etc. As we increase security we increase the need to support password changes (reducing help desk calls). Consistent anti-phishing.