Implementing a Shibboleth IDP service

Rhys Smith & Zoë Young
Cardiff University

Outline
➢ Implementing a production service
➢ HA
➢ Conforming to Tech' Recommendations
➢ Migration to Shib

Implementing a ProdN Service
➢ Institutions planning a real-world production Shib IDP deployment:
    ➢ Think beyond simple technical details
    ➢ Consider higher level issues of design
    ➢ Including HA and resiliency issues
➢ Otherwise:
    ➢ When your IDP server breaks (and it will), you're (technical terminology coming up) screwed!
Cardiff's setup
[Architecture diagram: idp.cardiff.ac.uk (NetScaler) in front of idp1.cf.ac.uk, idp2.cf.ac.uk and idp3.cf.ac.uk; "hashib" and "Shared Memory" are labelled on two of the nodes]
Cardiff's setup (con't)
➢ idp1 & idp2 - Physical servers - PowerEdge
➢ idp3 - VM on VMWare-ESX infrastructure; primarily for development, only occasionally in service
➢ All Linux - RHEL4
➢ Server up/down checking via idp.xml:
    ➢ ...Shibboleth_StatusHandler...
    ➢ <Location>.+/shibbolethidp/Status</Location>
    ➢ “AVAILABLE” if everything has loaded OK
Cardiff's setup (con't)
➢ Fully monitored via SNMP
    ➢ Standard server stuff (CPU usage, memory usage, temperatures, etc)
    ➢ Custom perl scripts parse Shib log files
    ➢ Exposed via custom SNMP OIDs
➢ Cacti (open source) monitoring solution already in place
➢ Email me for a copy of scripts/cacti templates, etc.
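The two checks the last two slides describe, as an added example rather than Cardiff's own scripts: a load-balancer style health probe of the IdP status handler, and a log summariser producing the counters that custom SNMP OIDs would expose. The status URL and the log line layout are assumptions of this example, not the real Shibboleth 1.3 log format.

```python
"""Added example (not Cardiff's scripts): health probe of the IdP status
handler plus a log summariser for SNMP-style counters."""
import re
import urllib.request
from collections import Counter

# Assumed URL built from the slide's Location pattern; adjust per node.
STATUS_URL = "https://idp1.cf.ac.uk/shibbolethidp/Status"


def idp_is_available(http_status: int, body: str) -> bool:
    """Health rule for the load balancer: a node is up only when the status
    handler returned 200 and the body is exactly AVAILABLE.  An HTML error
    page, a 5xx, or a partially loaded IdP all count as down, which is what
    stops traffic reaching a node whose metadata or resolver failed to load."""
    return http_status == 200 and body.strip() == "AVAILABLE"


def probe(url: str = STATUS_URL, timeout: float = 5.0) -> bool:
    """Fetch the status handler; timeouts and connection errors mean down."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return idp_is_available(resp.status, resp.read().decode("utf-8", "replace"))
    except (OSError, ValueError):
        return False


# Constructed sample log; the line layout is this example's own, not the
# real Shibboleth log format, so adjust the regexes to your IdP's logs.
SAMPLE_LOG = """\
2007-06-28 09:12:01 INFO  assertion issued to https://sp1.example.org/shibboleth for user abc123
2007-06-28 09:12:05 INFO  assertion issued to https://sp2.example.org/shibboleth for user def456
2007-06-28 09:12:09 ERROR authentication failed for user ghi789
2007-06-28 09:12:14 INFO  assertion issued to https://sp1.example.org/shibboleth for user jkl012
2007-06-28 09:12:20 ERROR metadata lookup failed for https://unknown.example.org/shibboleth
"""

ASSERTION_RE = re.compile(r"\bINFO\s+assertion issued to (\S+) for user (\S+)")
ERROR_RE = re.compile(r"\bERROR\b")


def summarise_log(text: str) -> dict:
    """Counters an SNMP agent script can return as OID values: assertions
    per service provider, distinct users seen, and error lines.  A drop in
    assertions while the status probe stays healthy, or a jump in errors,
    is the Cacti graph that shows a problem before users ring the helpdesk."""
    per_sp: Counter = Counter()
    users = set()
    errors = 0
    for line in text.splitlines():
        m = ASSERTION_RE.search(line)
        if m:
            per_sp[m.group(1)] += 1
            users.add(m.group(2))
        elif ERROR_RE.search(line):
            errors += 1
    return {
        "assertions": sum(per_sp.values()),
        "per_sp": dict(per_sp),
        "unique_users": len(users),
        "errors": errors,
    }


if __name__ == "__main__":
    print(summarise_log(SAMPLE_LOG))
```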
Cardiff's setup (con't)

Tech' Recommendations
➢ Metadata (the list of who is in the federation):
    ➢ CRON job to update overnight, every night
➢ Attributes:
    ➢ Haven't implemented eduPerson in directory; use own attributes and map to eduPerson schema using resolver.xml

Tech' Recommendations (con't)
➢ eduPersonScopedAffiliation:
    ➢ Mapped to CardiffFAMAffiliation attribute in our directory (webauth tree)
    ➢ Provisioned by our IDM system
    ➢ “member” if current staff, current student, current training grade doctor, or manually “made” member in IDM web interface
    ➢ staff/student similarly IDM driven

Tech' Recommendations (con't)
➢ eduPersonTargetedID:
    ➢ Simply using PersistentIDAttributeDefinition, linked to IDM IdentityNumber
    ➢ Dynamically cryptographically creates an opaque, consistent TargetedID per user per resource
➢ eduPersonPrincipalName:
    ➢ Mapped to cn attribute in our directory
Tech' Recommendations (con't)
➢ eduPersonEntitlement:
    ➢ Mapped to CardiffFamEntitlements attribute in our directory
    ➢ Provisioned by our IDM system where possible
    ➢ Manually administered via IDM web interface otherwise

Tech' Recommendations (con't)
➢ Attribute Release Policies
    ➢ arp.site.xml
    ➢ Set to release minimum information (scopedAffiliation and TargetedID) unless specifically set otherwise
    ➢ Release more if desired on a case by case basis
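An added example (not Cardiff's configuration and not Shibboleth's code) covering both the eduPersonTargetedID slide and the attribute release policy slide: it derives an opaque identifier that is stable per user per SP, then applies a deny-by-default release policy of the kind arp.site.xml expresses, so only scopedAffiliation and TargetedID leave the IdP unless a per-SP rule adds more. The HMAC-SHA256 construction, the scope, the SP entity IDs and the user record are this example's own assumptions, not the algorithm of PersistentIDAttributeDefinition.

```python
"""Added example: computed per-SP identifier plus minimum-release policy.
Not Cardiff's configuration; the HMAC construction is this example's own."""
import base64
import hashlib
import hmac

SCOPE = "cardiff.ac.uk"  # assumed scope for the scoped attributes

# Constructed directory record; attribute names here are the example's own
# (the slides map real ones such as CardiffFAMAffiliation via resolver.xml).
USER = {
    "IdentityNumber": "0012345",
    "cn": "smithr",
    "affiliation": ["member", "staff"],
    "entitlements": ["urn:example:entitlement:licensed"],
}


def targeted_id(secret: bytes, sp_entity_id: str, local_id: str) -> str:
    """Opaque, consistent identifier for one user at one SP: a keyed hash of
    SP!localId.  Identical on every visit to that SP, different at every other
    SP (so SPs cannot correlate users), and not invertible to the
    IdentityNumber without the IdP's secret.  Losing or rotating the secret
    changes every user's ID at every SP, so back it up like a signing key."""
    msg = f"{sp_entity_id}!{local_id}".encode("utf-8")
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def resolve_attributes(secret: bytes, sp_entity_id: str, user: dict) -> dict:
    """What the resolver stage hands to the release stage: eduPerson names
    mapped from the local record, plus the computed TargetedID."""
    return {
        "eduPersonPrincipalName": f"{user['cn']}@{SCOPE}",
        "eduPersonScopedAffiliation": [f"{a}@{SCOPE}" for a in user["affiliation"]],
        "eduPersonTargetedID": targeted_id(secret, sp_entity_id, user["IdentityNumber"]),
        "eduPersonEntitlement": list(user["entitlements"]),
    }


# Release policy: the minimum every SP gets, plus case-by-case additions.
# Any attribute not listed for an SP is never released (deny by default).
DEFAULT_RELEASE = {"eduPersonScopedAffiliation", "eduPersonTargetedID"}
PER_SP_RELEASE = {
    # constructed SP that authorises on an entitlement value
    "https://sp2.example.org/shibboleth": {"eduPersonEntitlement"},
}


def release(attributes: dict, sp_entity_id: str) -> dict:
    """Filter resolved attributes down to what the policy permits for this SP."""
    allowed = DEFAULT_RELEASE | PER_SP_RELEASE.get(sp_entity_id, set())
    return {name: value for name, value in attributes.items() if name in allowed}


def attributes_for_sp(secret: bytes, sp_entity_id: str, user: dict = USER) -> dict:
    """Resolve then release: the attribute set an SP would actually receive."""
    return release(resolve_attributes(secret, sp_entity_id, user), sp_entity_id)


if __name__ == "__main__":
    key = b"example-only-secret"  # constructed; a real IdP keeps this out of code
    for sp in ("https://sp1.example.org/shibboleth", "https://sp2.example.org/shibboleth"):
        print(sp, attributes_for_sp(key, sp))
```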
Authentication Options
➢ Apache vs Tomcat:
    ➢ Apache simpler
    ➢ Tomcat a lot more user friendly for your users
    ➢ Our login page:

Overview
➢ Auditing of resources
➢ Promotion and Communication
➢ What has happened so far?
➢ What’s going to happen next?
➢ Questions?

Auditing of resources
➢ Resources tested for Shibboleth compliance.
➢ Non-compliant resources
    ➢ Westlaw – generic usernames and passwords until new platform released
    ➢ Lexis Nexis Professional – should be moved to Butterworths
➢ Alerts, Saved Searches and Personalisation.

Promotion and Communication
➢ Emails about Shibboleth/CU Login sent to all Information Services staff
➢ Presentation on changes given to all library and helpdesk staff
➢ Documentation sent to all 18 libraries
➢ Web page – Off campus access
➢ Changes to databases page
➢ Subject Librarians cascaded information to all new students and staff

What has happened so far?
➢ Went live – Sept 06
➢ Users
    ➢ New Training Grade Doctors
    ➢ New Students
    ➢ New Staff
    ➢ Users with expired accounts or problems
➢ 53.35 % of access to “Athens” e-resources is by CU login

What’s going to happen next?
➢ 2nd July – changes to website to encourage remaining Athens users to switch
➢ Email to users with active Athens accounts
➢ Monitor use of Athens accounts over the next year and contact individual users to migrate.
➢ April 08 – All Athens accounts expire

the end
Any Questions?

www.identity-project.org/survey.doc

for:
    more info
    a copy of these slides
    clarification of any points
    meaningful discussion about shib
    meaningless discussion about stanley cup finals...

email: smith@cardiff.ac.uk