More Bang for the Buck: Leveraging Identity Infrastructures
John O’Keefe, Lafayette College
Mike Conlon, University of Florida
About This Session
• Tag team presentation – John and Mike
• About our schools
• About Shibboleth
• Shibboleth at Lafayette
• Shibboleth at UF
• Leverage Scenarios
• Conclusions, Contacts and References
Lafayette College
• 2382 Students, 206 Faculty
• Small, residential, private liberal arts college
• Easton, Pennsylvania
• IT centralized, 28 staff
• Open-source centric
University of Florida
• 52,112 Students, 4,278 Faculty
• Large public research-1 university
• Gainesville, Florida
• IT decentralized, >1,000 IT staff
• Commercial (PeopleSoft), open source (Sakai), locally-developed (Student Systems) software
What is Shibboleth?
• Internet2 open source software project with lead site at Ohio State
• Federated identity (multiple identity providers) plus declarative attribute release policies, which service providers use for authorization
• Lots of adopters: NSF, NIH, Microsoft DreamSpark, Elsevier, Mobile Campus, Turnitin.com, many more
• InCommon Trust Federation http://incommonfederation.org
• Shibboleth Demo http://shibboleth.internet2.edu/demo/shib_demo.html
• See http://shibboleth.internet2.edu
Shibboleth at Lafayette
• Introduced to Shibboleth at Net@EDU 2003
• ITS/Library merge 2005: 11 usernames/passwords
• Centralized identity store in openLDAP
• Joined InCommon June 2007
Shibboleth at Lafayette --Architecture
• RedHat Enterprise 5
• Tomcat 5.5.26
• Apache 2.2
• Shibboleth 2.1.4 (SP and IdP)
Shibboleth at UF -- Engagement
• SSO in 1997, comprehensive directory (1.8M people) 2003
• Town Halls, presentations, web sites
• One-year selection process resulting in Shibboleth
• Joined InCommon in 2009
• Goal: replace the legacy SSO solution across enterprise applications and 80 department applications in 46 departments and colleges. May 2010
Shibboleth at UF -- Architecture
• Data synchronized from PeopleSoft, Active Directory, UF Directory, and the Student Records System into a SQL Server database
• Shibboleth authenticates via Kerberos
• Shibboleth vends attributes from the SQL Server database
• Eight attribute release policies
Lafayette University Tickets
• Student life used this vendor
• Wanted to validate users for ticket purchase
• University Tickets joined InCommon
• Sending basic attributes
UF Departments and ARPs
• Attribute release policies simplify department applications and allow them to use enterprise data without additional complex interfaces
• Example: Restrict access to downloadable software to faculty, staff and students
• Example: Sign on to college and research portals
• Example: Allow access to authorized groups –research admins, restricted data users, …
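The attribute release policies described above live on the IdP in attribute-filter.xml. What follows is an added example written for this page, not configuration taken from UF or Lafayette: one policy releases scoped affiliation and a principal name to a campus software-download SP (the "downloadable software" case), and a second releases isMemberOf values to a departmental portal, but only the values naming groups in that department's own AD organizational unit. The entityIDs https://software.example.edu/shibboleth and https://portal.chem.example.edu/shibboleth, the OU path under DC=ad,DC=example,DC=edu and the policy ids are hypothetical; the element and type names are those of the Shibboleth IdP 2.x attribute filter engine, the version in use in this deck.

```xml
<afp:AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
    xmlns:afp="urn:mace:shibboleth:2.0:afp"
    xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="urn:mace:shibboleth:2.0:afp classpath:/schema/shibboleth-2.0-afp.xsd
                        urn:mace:shibboleth:2.0:afp:mf:basic classpath:/schema/shibboleth-2.0-afp-mf-basic.xsd">

  <!-- Policy 1 (hypothetical SP): the software-download site gets scoped
       affiliation and a principal name and nothing else. Anything not
       permitted by some rule below is simply not released. -->
  <afp:AttributeFilterPolicy id="releaseToSoftwareDownload">
    <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
        value="https://software.example.edu/shibboleth"/>
    <afp:AttributeRule attributeID="eduPersonScopedAffiliation">
      <afp:PermitValueRule xsi:type="basic:ANY"/>
    </afp:AttributeRule>
    <afp:AttributeRule attributeID="eduPersonPrincipalName">
      <afp:PermitValueRule xsi:type="basic:ANY"/>
    </afp:AttributeRule>
  </afp:AttributeFilterPolicy>

  <!-- Policy 2 (hypothetical SP): the chemistry portal gets group
       memberships, but the anchored regex restricts the released values
       to groups directly under the department's own OU. -->
  <afp:AttributeFilterPolicy id="releaseGroupsToChemistryPortal">
    <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
        value="https://portal.chem.example.edu/shibboleth"/>
    <afp:AttributeRule attributeID="eduPersonPrincipalName">
      <afp:PermitValueRule xsi:type="basic:ANY"/>
    </afp:AttributeRule>
    <afp:AttributeRule attributeID="isMemberOf">
      <afp:PermitValueRule xsi:type="basic:AttributeValueRegex"
          regex="^CN=[^,]+,OU=Chemistry,OU=Groups,DC=ad,DC=example,DC=edu$"/>
    </afp:AttributeRule>
  </afp:AttributeFilterPolicy>
</afp:AttributeFilterPolicyGroup>
```

Two points worth checking in any such policy. First, the filter decides only what the IdP sends; it grants nothing, so the SP still has to test the values it receives. Second, releasing isMemberOf with basic:ANY would hand a departmental application every group the user belongs to, including memberships in other units and in sensitive groups such as restricted-data users; the anchored regex limits the leak to the department's own subtree, and it is anchored on both ends so a DN that merely contains "OU=Chemistry" somewhere in the middle does not match.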
Lafayette E2Campus
• Spam-like emails sent to campus prompted project
• Worked with Public Safety
• Go-Live October 2009
UF Federation for Research
• Scenario 1: UF is the IdP, the outside agency is the SP
– Example: NIH. UF researchers sign on to NIH sites using UF credentials
• Scenario 2: UF is the SP, the outside agency is the IdP
– Example: UF Clinical and Translational Science Institute research portal. Researchers from other universities sign on with their home credentials
Lafayette Library Apps
• Jstor
– Looking to move away from proxy service
– IT/Library collaboration in merged organization
– our first production use of Shibboleth
• RefWorks
– Cumbersome login process
– Users complained
UF Enterprise Systems
• Five enterprise applications expected to act as one with respect to sign on and session management – PSFT, ISIS, Cognos, Reports, ISIS-Admin
• Create a global session management cookie managed by Apache
• Users sign on via Shib to Apache RPS, which manages cookie and passes authentication to enterprise apps
Lafayette Moodle Spaces
• Alumni Ambassadors (213 users)
• Oomycete Undergrad Molecular Genetics Network
• Alumni Chapter Volunteers (Live Jan 1, 2010)
• Our first use of SP
UF Active Directory Groups
• UF Active Directory has over 170,000 user objects, over 20,000 group objects, and 80% of UF’s workstations, laptops and servers (70,000)
• Groups can be created and maintained by local sysadmins
• A Shibboleth ARP vends group memberships
• Local departments can ensure that their web apps permit access only to members of their groups
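On the SP side, the affiliations and group memberships the IdP vends are what a departmental web app actually checks. The following is an added example for this page, not configuration from either school: a Shibboleth SP 2.x shibboleth2.xml request map with XML access control that limits a downloads area to current faculty, staff and students, and a research-admin application to staff who are members of one AD group. The hostnames, paths and group DN are hypothetical; "affiliation" and "member" are the attribute ids that the SP's stock attribute-map.xml assigns to eduPersonScopedAffiliation and isMemberOf.

```xml
<RequestMapper type="XML">
  <RequestMap applicationId="default">

    <!-- Hypothetical campus software-download site: any current
         faculty, staff or student. requireSession forces authentication
         before the rule is evaluated; without it an anonymous request
         would simply be denied instead of redirected to the IdP. -->
    <Host name="software.example.edu">
      <Path name="downloads" authType="shibboleth" requireSession="true">
        <AccessControl>
          <Rule require="affiliation">faculty@example.edu staff@example.edu student@example.edu</Rule>
        </AccessControl>
      </Path>
    </Host>

    <!-- Hypothetical departmental research-admin app: staff AND member
         of one specific AD group. RuleRegex is used for the DN because
         Rule splits its content on whitespace; the regex is anchored so
         neither CN=ResearchAdmins2 nor the same CN in another OU matches. -->
    <Host name="portal.chem.example.edu">
      <Path name="research-admin" authType="shibboleth" requireSession="true">
        <AccessControl>
          <AND>
            <Rule require="affiliation">staff@example.edu</Rule>
            <RuleRegex require="member">^CN=ResearchAdmins,OU=Chemistry,OU=Groups,DC=ad,DC=example,DC=edu$</RuleRegex>
          </AND>
        </AccessControl>
      </Path>
    </Host>

  </RequestMap>
</RequestMapper>
```

Two caveats. The affiliation check is only as strong as the scope check behind it: the SP's default attribute-policy.xml accepts a scoped value such as staff@example.edu only when the asserting IdP's metadata declares that scope, which is what stops a federation partner from asserting affiliations at your domain, so do not relax that policy. And on Apache httpd the XML request map above is honored with the "XML" mapper type; with the default "Native" mapper the same checks are normally expressed as Apache Require directives instead.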
Lafayette Conclusions
• Finding partners is a challenge
• When it works, it’s great
• Always ask if Shibboleth can help
• Centralize whenever possible
• Leverage Shibboleth as Single Sign-On
UF Conclusions
• Engage the IT community
• Shibboleth scales well
• Shibboleth works well in a mixed environment
• Once basic IDM is in place, controlling access via affiliations, roles, and groups is straightforward
• Shibboleth replaces legacy SSO solutions across local and enterprise applications
Contacts, References
• John O’Keefe
– email: [email protected]
– twitter: okeefej_62
– web: http://its.lafayette.edu
• Mike Conlon
– email: [email protected]
– facebook: http://www.facebook.com/mconlon
– web: http://www.it.ufl.edu