Deployment of a Shibboleth-based Infrastructure in Switzerland: SWITCHaai

2005 © SWITCH

Deployment of a Shibboleth-based Infrastructure in Switzerland: SWITCHaai

Martin Sutter, Head of NetServices, SWITCH(Ueli Kienholz & Thomas Lenggenhager)

UK e-Science Core Programme Town Meeting

Monday 11th April 2005

2005 © SWITCH 2AAI Deployment in Switzerland

Project Timeline

2001 2002 2003 2004 2005 2006

ImplementationPilot Operation

Study, Planning

Study

ArchitectureEvaluation

Shibboleth


University A

Library B

University C

Without AAI

Student Admin

Web Mail

e-Learning

Literature DB

e-Learning

Research DB

AuthorizationUser Administration

AuthenticationResource Credentials

Tedious user registration at all resources

Unreliable and outdated user data at resources

Different login processes

Many different passwords

Many resources not protected due to difficulties

Often IP-based authorization

Costly implementation of inter-institutional access

e-Journals


University A

Library B

University C

AAI

With AAI

Student Admin

Web Mail

e-Learning

Literature DB

e-Learning

Research DB

No user registration and user data maintenance at resource needed

Single login process for the users

Many new resources available for the users

Enlarged user communities for resources

Authorization independent of location

Efficient implementation of inter-institutional access

e-Journals

AuthorizationUser Administration

AuthenticationResource Credentials


SWITCHaai Building Blocks

IdentityProviders

(Home Orgs)

Service Providers

(Resources)

OrganizationalFramework

Interoperation

CentralServices

Finances


Organizational Framework

SWITCH acts as SWITCHaai Federation service provider

Federation membership based on signed service agreements

Organization


Requires agreement on technical details like

Standards SAML 1.1

Software versions Shibboleth 1.1 for identity providers

Shibboleth 1.2.1 for service providers

Accepted certificate authorities SWITCHpki, plus Thawte, Trustcenter, VeriSign

Attribute specification SwissEduPerson Interoperation

Interoperation


Criteria for attribute specification

Start simple, extend as required

Common understanding on interpretation

Already widely used

SwissEduPerson

Attribute usage by applications

Use minimal set required Data protection principle

Interoperation

Interoperation: Attributes


Identity Provider Integration

AAI-enabled Identity Provider

UserDirectory

AuthenticationSystem

AAI

Currently in use in SWITCHaai:• Authentication Systems

• OpenLDAP with CAS or Pubcookie• Kerberos AuthN with Active Directory • Windows AuthN with IIS

• User Directory• OpenLDAP• Active Directory

Identity Providers


Identity Providers in SWITCHaai

Operational AAI Identity Provider

SFIT Zurich

UniversityZurich

VirtualHomeOrg

SWITCH

Université de Genève

110’000 Swiss Higher Ed usershave an AAI-Account (≈ 50% of all)

Zürcher HochschuleWinterthur

AAI Identity Provider getting readyUniversity Hospital

Zurich

UniversityLucerneUniversité de

Fribourg

Prototype running

University Bern

Université deLausanne

Service Agreement

Identity Providers


Virtual Home Organization – VHO

Integrate end users without identity pprovider Resource owner creates @VHO “AAI-enabled” accounts for

users without an identity provider

A VHO account is only usable for the resource managed by the resource owner

Federation Member

IdentityProvider

ResourceOwner

End UserAdmin

Some end userswithout

identity provider

VHO Service @SWITCH User Dir

VHO PolicyIdentity Providers


SWITCHaai Building Blocks

IdentityProviders

(Home Orgs)

Service Providers

(Resources)

OrganizationalFramework

Interoperation

CentralServices

Finances


Types of Service Providers

e-learning libraries

other web applications

DOITDOIT

VITELSVITELS

Vista@SVCVista@SVC

AD Learn & CoAD Learn & Co

Vconf-ReservationVconf-Reservation

SMS-GatewaySMS-Gateway

EZproxyEZproxy

commercial

ScienceDirectScienceDirectWebCT@ETHZWebCT@ETHZ

OLATOLAT

MoodleMoodleBSCWBSCW

BlackboardBlackboard

SwissLexSwissLex

IS-AcademiaIS-AcademiaJobs@BWIJobs@BWI

ILIASILIAS

TWikiTWiki

eShopseShops

Service Providers

……


Service Provider Example: DOIT

ETHZUniZH

SWITCH

UniL

AAI Identity Provider

UniGE

UniBE

VHO

AAI Service Provider

DOIT: Dermatology Online with Interactive Technology

500 AAI Users

Access RuleIdP = UniZH | UniBE | UniLaffiliation = studentstudyBranch = medicinestudyLevel = 15

Service Providers


Service Provider Example: OLAT

ETHZUniZH

SWITCH

UniL

AAI Identity Provider

UniGE

UniBE

VHO

AAI Service Provider

OLAT: Online Learning an Training (open source e-learning platform of the University of Zurich)

5000 AAI Users75 Courses

Service Providers


Integration of „Blackboxes“

Authentication / authorization gateway

Portal functionalities (optional) User management (optional) Adaptors to

blackbox applications: WebCT Vista WebCT CE …

AAIportal

Shibboleth

SignOnA1

...

A2

Service Providers

API

Application


Central AAI Services

Strategy & marketing International contacts Support, consulting, training Providing federation-specific files and

configuration guides Operating WAYF Testing parties (identity provider service provider) Jump-start service

Central Services


Funding

2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010

funding / costs

pilot project project operational service

funded by SWITCH & Universities funded by federal grants funded by tariffs

Finances


Outlook

Projects with federal grants Non-web service providers, e.g. grid ECTS (Study) AAA (Study) Federation partners


Further Information

SWITCHaai Websitehttp://www.switch.ch/aai

Shibbolethhttp://shibboleth.internet2.edu/

Shibboleth Demohttp://www.switch.ch/aai/demo

Attribute Specificationhttp://www.switch.ch/aai/docs/AAI_Attr_Specs.pdf


Questions ?

Q & A

http://www.switch.ch/aai

[email protected]

Deployment of a Shibboleth-based Infrastructure in Switzerland: SWITCHaai

Documents

Transcript of Deployment of a Shibboleth-based Infrastructure in Switzerland: SWITCHaai