Implementing a production Shibboleth IdP service at Cardiff University

Implementing a Production HA Shibboleth IDP service Rhys Smith, Cardiff University

description

This joint presentation by Rhys Smith and Zoe Young explains the process of implementing a federated access management infrastructure, based on Shibboleth, at the University of Cardiff.

Transcript of Implementing a production Shibboleth IdP service at Cardiff University

1. Implementing a Production HA Shibboleth IDP service Rhys Smith, Cardiff University

2. Outline

  • Implementing a production service
  • HA
  • Conforming to Tech' Recommendations
  • Migration to Shib

3. Implementing a ProdN Service

  • Institutions planning a real-world production Shib IDP deployment:
    • Think beyond simple technical details
    • Consider higher level issues of design
    • Including HA and resiliency issues
  • Otherwise:
    • When your IDP server breaks (and it will), you're (technical terminology coming up) screwed!

4. Cardiff's setup

  [Diagram: idp.cardiff.ac.uk (NetScaler) in front of idp1.cf.ac.uk, idp2.cf.ac.uk and idp3.cf.ac.uk; "hashib" and "Shared Memory" labelled on the IdP nodes]

5. Cardiff's setup (con't)

  • idp1 & idp2 - Physical servers - PowerEdge
  • idp3 - VM on VMWare-ESX infrastructure; primarily for development, only occasionally in service
  • All linux - RHEL4
  • Server up/down checking via idp.xml:
    • ...Shibboleth_StatusHandler... .+/shibbolethidp/Status
    • AVAILABLE if everything has loaded OK

6. Cardiff's setup (con't)

  • Fully monitored via SNMP
    • Standard server stuff (CPU usage, memory usage, Temperatures, etc)
    • Custom perl scripts parse Shib log files
    • Exposed via custom SNMP OIDs
  • Cacti (open source) monitoring solution already in place
  • email me for a copy of scripts/cacti templates, etc.
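An added example (not Cardiff's scripts, which the slides say are available on request) of the two checks described in slides 5 and 6: an up/down test on the status handler output and a log summariser whose counters can be fed to a custom SNMP OID for Cacti. The log layout and sample lines are constructed for the example; the real layout depends on the IdP's log4j configuration.

```python
import re
from collections import Counter

# Constructed sample log in an assumed "date time LEVEL Component: message"
# layout; the real layout depends on the IdP's log4j configuration.
SAMPLE_LOG = """\
2007-06-12 09:01:02 INFO  AuthN: user=abc123 authenticated
2007-06-12 09:01:03 INFO  Attributes: released 2 attributes to https://sp.example.org/shibboleth
2007-06-12 09:01:09 WARN  Attributes: no ARP match for https://other.example.net/shibboleth
2007-06-12 09:02:10 ERROR Resolver: could not connect to directory ldap.example.org
2007-06-12 09:02:11 INFO  AuthN: user=def456 authenticated
"""

LINE_RE = re.compile(r"^\S+ \S+ (?P<level>[A-Z]+)\s+(?P<component>\w+): (?P<msg>.*)$")

# Fixed order so each counter maps to a stable custom OID / Cacti data source.
COUNTER_KEYS = ("authn_success", "attr_release", "WARN", "ERROR", "unparsed")


def summarise_log(text: str) -> dict:
    """Count log levels plus the two events worth graphing: logins and attribute releases."""
    counts = Counter()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            counts["unparsed"] += 1
            continue
        counts[m["level"]] += 1
        if m["component"] == "AuthN" and m["msg"].endswith("authenticated"):
            counts["authn_success"] += 1
        if m["component"] == "Attributes" and m["msg"].startswith("released"):
            counts["attr_release"] += 1
    return dict(counts)


def snmp_extend_values(counts: dict) -> list:
    """One integer per line, in COUNTER_KEYS order, for an snmpd 'extend' script."""
    return [counts.get(k, 0) for k in COUNTER_KEYS]


def status_available(body: str) -> bool:
    """Up/down test on the status handler page: the word AVAILABLE means everything loaded OK.
    A word boundary is used so that a string such as UNAVAILABLE does not count as up."""
    return re.search(r"\bAVAILABLE\b", body) is not None


if __name__ == "__main__":
    for value in snmp_extend_values(summarise_log(SAMPLE_LOG)):
        print(value)
```

The load balancer or SNMP agent would fetch the status URL and the current log file itself; these functions only interpret what it fetched.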

7. Cardiff's setup (con't)

8. Tech' Recommendations

  • Metadata (the list of who is on the federation):
    • CRON job to update overnight, every night
  • Attributes:
    • Haven't implemented eduPerson in the directory; use our own attributes and map them to the eduPerson schema using resolver.xml

9. Tech' Recommendations (con't)

  • eduPersonScopedAffiliation:
    • Mapped to CardiffFAMAffiliation attribute in our directory (webauth tree)
    • Provisioned by our IDM system
    • member if current staff, current student, current training grade doctor, or manually made a member in the IDM web interface
    • staff/student similarly IDM driven

10. Tech' Recommendations (con't)

  • eduPersonTargetedID:
    • Simply using PersistentIDAttributeDefinition, linked to IDM IdentityNumber
    • Dynamically cryptographically creates an opaque, consistent TargetedID per user per resource
  • eduPersonPrincipalName:
    • Mapped to cn attribute in our directory

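An added example, not Shibboleth's own PersistentIDAttributeDefinition code, of the property slide 10 describes: an opaque TargetedID that is consistent for one user at one resource and unrelated across resources. It uses a keyed hash (HMAC-SHA256) over the SP entityID and the IDM IdentityNumber, which is an illustrative construction rather than Shibboleth's exact algorithm; the salt, user and SP values are constructed.

```python
import base64
import hashlib
import hmac

# Constructed salt for the example. In service this is a long random secret held
# only on the IdP: anyone who has it can recompute (or test guesses against) IDs.
SALT = b"constructed-example-salt"


def targeted_id(identity_number: str, relying_party: str, salt: bytes = SALT) -> str:
    """Return an opaque, stable per-user-per-SP identifier.

    Keyed hash (HMAC-SHA256) over the SP's entityID and the user's IDM identity
    number. Illustrative construction, not Shibboleth's own algorithm, but with
    the same properties the slide describes: consistent for one user at one
    resource, unlinkable across resources, not reversible to the identity number.
    """
    message = relying_party.encode("utf-8") + b"!" + identity_number.encode("utf-8")
    digest = hmac.new(salt, message, hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def unlinkable(identity_number: str, sp_a: str, sp_b: str) -> bool:
    """True when two different SPs receive different IDs for the same user."""
    return targeted_id(identity_number, sp_a) != targeted_id(identity_number, sp_b)


def consistent_across_nodes(identity_number: str, relying_party: str, node_salts: dict) -> bool:
    """HA caveat: idp1, idp2 and idp3 must all hold the identical salt, otherwise a
    user's TargetedID changes depending on which node served the login."""
    ids = {targeted_id(identity_number, relying_party, s) for s in node_salts.values()}
    return len(ids) == 1


if __name__ == "__main__":
    user, sp = "1234567", "https://sp.example.org/shibboleth"
    print(targeted_id(user, sp))
    print("unlinkable:", unlinkable(user, sp, "https://other.example.org/shibboleth"))
    print("HA-consistent:", consistent_across_nodes(user, sp, {"idp1": SALT, "idp2": SALT}))
```
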
11. Tech' Recommendations (con't)

  • eduPersonEntitlement:
    • Mapped to CardiffFamEntitlements attribute in our directory
    • Provisioned by our IDM system where possible
    • Manually administered via IDM web interface otherwise

12. Tech' Recommendations (con't)

  • Attribute Release Policies
    • arp.site.xml
    • Set to release minimum information (scopedAffiliation and TargetedID) unless specifically set otherwise
    • Release more if desired on a case by case basis

13. Authentication Options

  • Apache vs Tomcat:
    • Apache simpler
    • Tomcat a lot more user friendly for your users
    • Our login page:

14. (Login page screenshot)

15. Shibboleth at Cardiff University, Zoe Young, Subject Librarian

16. Overview

  • Auditing of resources
  • Promotion and Communication
  • What has happened so far?
  • What's going to happen next?
  • Questions?

17. Auditing of resources

  • Resources tested for Shibboleth compliance.
  • Non-compliant resources
    • Westlaw: generic usernames and passwords until the new platform is released
    • Lexis Nexis Professional should be moved to Butterworths
  • Alerts, Saved Searches and Personalisation.

18. Promotion and Communication

  • Emails about Shibboleth/CU Login sent to all Information Services staff
  • Presentation on changes given to all library and helpdesk staff
  • Documentation sent to all 18 libraries
  • Web page: Off campus access
  • Changes to databases page
  • Subject Librarians cascaded information to all new students and staff

19. What has happened so far?

  • Went live Sept 06
  • Users
    • New Training Grade Doctors
    • New Students
    • New Staff
    • Users with expired accounts or problems
  • 53.35% of access to Athens e-resources is by CU login

20. What's going to happen next?

  • 2nd July: changes to website to encourage remaining Athens users to switch
  • Email to users with active Athens accounts
  • Monitor use of Athens accounts over the next year and contact individual users to migrate.
  • April 08: All Athens accounts expire

21. 22. (no transcribed text)

23. The end

  • Any Questions?
  • for:
    • more info
    • a copy of these slides
    • clarification of any points
    • meaningful discussion about shib
    • meaningless discussion about stanley cup finals...