Case Study: Shibboleth in Swiss Higher EducationCase Study: Shibboleth in Swiss Higher Education...
21
2005 © SWITCH Case Study: Shibboleth in Swiss Higher Education Thomas Lenggenhager <[email protected]> Ueli Kienholz <[email protected]>
Transcript of Case Study: Shibboleth in Swiss Higher EducationCase Study: Shibboleth in Swiss Higher Education...
2005 © SWITCH
Case Study:Shibboleth in
Swiss Higher Education
Thomas Lenggenhager <[email protected]>
Ueli Kienholz <[email protected]>
2005 © SWITCH 2Case Study, Thomas Lenggenhager & Ueli Kienholz
Project Timeline
2001 2002 2003 2004 2005 2006
ImplementationPilot Operation
Study, Planning
Study
ArchitectureEvaluation‡ Shibboleth
2005 © SWITCH 3Case Study, Thomas Lenggenhager & Ueli Kienholz
University A
Library B
University C
Without AAI
Student Admin
Web Mail
e-Learning
Literature DB
e-Learning
Research DB
AuthorizationUser Administration
AuthenticationResource Credentials
ß Tedious user registrationat all resources
ß Unreliable and outdateduser data at resources
ß Different login processes
ß Many different passwords
ß Many resources notprotected due todifficulties
ß Often IP-basedauthorization
ß Costly implementation ofinter-institutional access
e-Journals
2005 © SWITCH 4Case Study, Thomas Lenggenhager & Ueli Kienholz
University A
Library B
University C
AAI
With AAI
Student Admin
Web Mail
e-Learning
Literature DB
e-Learning
Research DB
AuthorizationUser Administration
AuthenticationResource Credentials
ß No user registration anduser data maintenance atresource needed
ß Single login process forthe users
ß Many new resourcesavailable for the users
ß Enlarged usercommunities for resources
ß Authorization independentof location
ß Efficient implementation ofinter-institutional access
e-Journals
2005 © SWITCH 5Case Study, Thomas Lenggenhager & Ueli Kienholz
SWITCHaai Building Blocks
IdentityProviders
(Home Orgs)
Service Providers
(Resources)
OrganisationalFramework
Interoperation
CentralServices
Finances
2005 © SWITCH 6Case Study, Thomas Lenggenhager & Ueli Kienholz
Organisational Framework
SWITCH acts as SWITCHaai Federation Service Provider
Federation membership based on signed service agreements
Organisation
2005 © SWITCH 7Case Study, Thomas Lenggenhager & Ueli Kienholz
Requires agreement on technical details like
ß Standards
ß SAML 1.1
ß Software versions used
ß Shibboleth 1.1 for Identity ProvidersShibboleth 1.2.1 for Service Providers
ß Accepted Certification Authorities
ß SWITCHpki and Thawte, Trustcenter, VeriSign
ß Attributes possible to exchange
ß Attribute specification – swissEduPerson Interoperation
Interoperation
2005 © SWITCH 8Case Study, Thomas Lenggenhager & Ueli Kienholz
Criteria for attribute specification
ß Start small extend as required
ß Common understanding on interpretation
ß Already widely used
Attribute usage by applications
ß Use minimal set really requiredß It is a data protection principle
Interoperation
Interoperation: Attributes
2005 © SWITCH 9Case Study, Thomas Lenggenhager & Ueli Kienholz
Identity Provider Integration
AAI-enabled Identity Provider
UserDirectory
AuthenticationSystem
AAI
Currently in use in SWITCHaai:
• Authentication Systems
• OpenLDAP with CAS or Pubcookie
• Kerberos AuthN with Active Directory
• Windows AuthN with IIS
• User Directory
• OpenLDAP
• Active Directory
IdentityProviders
2005 © SWITCH 10Case Study, Thomas Lenggenhager & Ueli Kienholz
Identity Providers in SWITCHaai
Operational AAI Identity Provider
ETH Zürich
UniversitätZürich
VirtualHomeOrg
SWITCH
Université de Genève
110’000 Swiss Higher Ed usershave an AAI-Account (= 50% of all)
Zürcher HochschuleWinterthur
AAI Identity Provider getting readyUniversity Hospital
Zürich
UniversitätLuzernUniversité de
Fribourg
Prototype running
Universität Bern
Université deLausanne
Service Agreement
IdentityProviders
2005 © SWITCH 11Case Study, Thomas Lenggenhager & Ueli Kienholz
Virtual Home Organization – VHO
Integrate End Users without Identity Providerß Resource Owner creates @VHO “AAI-enabled” accounts for
users without an Identity Provider
ß A VHO account is only usable for that resource managed by theResource Owner
Federation Member
IdentityProvider
ResourceOwner
End UserAdmin
Some end userswithout
Identity Provider
VHO Service @SWITCH User Dir
VHO PolicyIdentityProviders
2005 © SWITCH 12Case Study, Thomas Lenggenhager & Ueli Kienholz
SWITCHaai Building Blocks
IdentityProviders
(Home Orgs)
Service Providers
(Resources)
OrganisationalFramework
Interoperation
CentralServices
Finances
2005 © SWITCH 13Case Study, Thomas Lenggenhager & Ueli Kienholz
Types of Service Providers
e-learning libraries
other web applications
DOITDOIT
VITELSVITELS
Vista@SVCVista@SVC
AD Learn & CoAD Learn & Co
Vconf-ReservationVconf-Reservation
SMS-GatewaySMS-Gateway
EZproxyEZproxy
commercial
ScienceDirectScienceDirectWebCT@ETHZWebCT@ETHZ
OLATOLAT
MoodleMoodleBSCWBSCW
BlackboardBlackboard
SwissLexSwissLex
IS-AcademiaIS-AcademiaJobs@BWIJobs@BWI
ILIASILIAS
TWikiTWiki
eShopseShops
ServiceProviders
……
2005 © SWITCH 14Case Study, Thomas Lenggenhager & Ueli Kienholz
Service Provider Example: DOIT
ETHZUniZH
SWITCH
UniL
AAI Identity Provider
UniGE
UniBE
VHO
AAI Service Provider
DOIT: Dermatology Online with Interactive Technology
500 AAI Users
Access RuleIdP = UniZH | UniBE | UniLaffiliation = studentstudyBranch = medicinestudyLevel = 15
ServiceProviders
2005 © SWITCH 15Case Study, Thomas Lenggenhager & Ueli Kienholz
Service Provider Example: OLAT
ETHZUniZH
SWITCH
UniL
AAI Identity Provider
UniGE
UniBE
VHO
AAI Service Provider
OLAT: Online Learning an Training (open source e-learning platform of the University of Zurich)
5000 AAI Users75 Courses
ServiceProviders
2005 © SWITCH 16Case Study, Thomas Lenggenhager & Ueli Kienholz
Integration of „Blackboxes“
ß Authentication/AuthorizationGateway
ß Portal Functionalities (optional)
ß User Management (optional)
ß Adaptors toBlackbox Applications:ß WebCT Vista
ß WebCT CE
ß …
AAIportal
Shibboleth
ApplicationSignOnA1
...
A2
ServiceProviders
API
2005 © SWITCH 17Case Study, Thomas Lenggenhager & Ueli Kienholz
Central AAI-Services
q Strategy & Marketing
q International Contacts
q Support, Consulting, Training
q Providing Federation-specific Files and Configuration Guides
q Operating WAYF
q Test Counterparts (Identity Provider and Service Provider)
q Jump Start Service
CentralServices
2005 © SWITCH 18Case Study, Thomas Lenggenhager & Ueli Kienholz
Funding
2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010
funding / costs
pilot project project operationalservice
funded by SWITCH& Universities funded by federal grants funded by tariffs
Finances
2005 © SWITCH 19Case Study, Thomas Lenggenhager & Ueli Kienholz
Outlook
ß Projects with federal grants
ß Non-web service providers, e.g. Grid
ß ECTS (Study)
ß AAA (Study)
ß Federation Partners
2005 © SWITCH 20Case Study, Thomas Lenggenhager & Ueli Kienholz
Further Information
ß SWITCHaai Websitehttp://www.switch.ch/aai
ß Shibbolethhttp://shibboleth.internet2.edu/
ß Shibboleth Demohttp://www.switch.ch/aai/demo
ß Attribute Specificationhttp://www.switch.ch/aai/docs/AAI_Attr_Specs.pdf
2005 © SWITCH 21Case Study, Thomas Lenggenhager & Ueli Kienholz
Questions ?
Q & A
http://www.switch.ch/aai
