Shibboleth SSO - Charles University case study · 2018-01-22 · Shibboleth SSO - Charles...
Shibboleth SSO - Charles University case study
Jiri Pavlik
CESNET / Charles University Computer Centre
Haifa University, September 11th 2011
Agenda
• Vision, goal, project
• Implementation - SFX, MetaLib, Aleph, DigiTool
• Sharing resources, future development
Welcome & enjoy :-)
Goal, vision
• All library systems & electronic resources working in Single-Sign-On environment
• Plan presented at IGeLU 2010 conference workshop in Ghent
Charles University in Prague context
• 17 faculties, 3 institutes, hundreds of departments
• 2 institutes jointly run with Czech Academy of Sciences
• ~ 60 000 students and staff
Charles University in Prague context
• SFX, bX, MetaLib, Aleph, DigiTool, Verde
• EZproxy, E-resources Portal
• ~150 subscribed electronic on-line resources, databases, ~65000 ejournals, ~51000 ebooks
Charles University in Prague context
• decentralized subscription policy - not all resources are subscribed for all students and staff
Charles University in Prague context
• AAI: central LDAP, Shibboleth IdP
• CESNET member
• Czech Academic Identity Federation eduID.cz member
• involved in national and international projects
Project
• reach the goal - SSO
• CESNET funded
• case-study
• guides
• finish summer 2011
Project
• SFX, MetaLib, Aleph, DigiTool
• E-resources Portal
• EZproxy
• CMS - Document Globe
• Streaming & Podcast servers
SFX
• Shibboleth authentication is not supported, IP address based authentication only
• Shibboleth WAYFless linking is supported
SFX
• authentication method switched from IP address based to Shibboleth
• EZproxy configured as a proxy
• PROXY institution defined with IP address range 0.0.0.0 - 255.255.255.255
• institutions kept, but IP address ranges deleted
• PROXY institution added to all targets and activated
SFX
• WAYFless linking set up for all resources supporting Shibboleth authentication
• (EZ)proxy linking set up for all resources without native Shibboleth authentication support
• Implemented by Michael Zach & Jiri Pavlik
MetaLib
• Shibboleth authentication is supported in PDS authentication module
• multiple user affiliations are not supported in authorization
MetaLib
• Shibboleth Service Provider installed & registered in eduID.cz federation
• authentication method at PDS switched from LDAP to Shibboleth
• set up WAYF skipping in SP configuration
• authorization mapping tuned in MetaLib configuration, based on eduPersonEntitlement attribute values
MetaLib
• CAS admin preferred primary affiliation functionality developed
• Implemented by Martin Ledinsky & Jan Krajic & Michal Vocu & Jiri Pavlik
Aleph
• Shibboleth authentication is supported in PDS authentication module
• no authorization needed
Aleph
• Shibboleth Service Provider installed & registered in eduID.cz federation
• authentication method at PDS switched from LDAP, Aleph to Shibboleth
• Aleph authentication kept for ILL users
• set up WAYF skipping in SP configuration
Aleph
• Implemented by Jaro Sivak & Jan Krajic & Jiri Pavlik
DigiTool
• Shibboleth authentication is supported in PDS authentication module
• multiple user affiliations are supported in authorization
DigiTool
• Shibboleth Service Provider installed & registered in eduID.cz federation
• authentication method at PDS switched from LDAP, DigiTool to Shibboleth
• separate IdP started for registered external users authentication - no anonymous access to diploma works
DigiTool
• authorization mapping tuned in DigiTool configuration, based on eduPersonEntitlement attribute values
• federated authentication set up
• own WAYF, eduID.cz members and the external users IdPs are listed
• Implemented by Andrea Fojtu & Jan Krajic & Michal Vocu & Jiri Pavlik
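Added example, not taken from the slides and not Ex Libris configuration: a sketch of the entitlement-based authorization mapping described on the MetaLib and DigiTool slides, covering both a system that accepts several affiliations and one that accepts a single affiliation chosen by a preferred primary affiliation. The entitlement URNs, group codes and function names are constructed; the code assumes the Shibboleth SP hands the application a multi-valued attribute as one string joined with `;`, with a literal `;` escaped as `\;`.

```python
import re

# Constructed mapping: eduPersonEntitlement value -> library user group.
# Real values are site-specific and are not given in the slides.
ENTITLEMENT_TO_GROUP = {
    "urn:example:library:faculty-medicine": "MED",
    "urn:example:library:faculty-arts": "ARTS",
    "urn:example:library:external-registered": "EXT",
}

def split_multivalue(header):
    """Split an SP attribute string: values are joined with ';' and a
    literal ';' inside a value is escaped as a backslash plus ';'."""
    if not header:
        return []
    parts = re.split(r"(?<!\\);", header)
    return [p.replace("\\;", ";").strip() for p in parts if p.strip()]

def groups_for(header):
    """All groups granted by the entitlements (multi-affiliation model).
    Unknown entitlement values grant nothing."""
    granted = []
    for value in split_multivalue(header):
        group = ENTITLEMENT_TO_GROUP.get(value)
        if group and group not in granted:
            granted.append(group)
    return granted

def single_group_for(header, preferred=None):
    """One group for a system that accepts a single affiliation.
    The preferred primary affiliation is honoured only when an
    entitlement actually grants it; otherwise the first granted group
    is used. Returns None (deny) when no entitlement maps."""
    granted = groups_for(header)
    if not granted:
        return None
    return preferred if preferred in granted else granted[0]

# Constructed sample attribute string as the application would receive it.
SAMPLE = ("urn:example:library:faculty-arts;"
          "urn:example:library:faculty-medicine;"
          "urn:example:other:unrelated")
```

The preference acts only as a tie-breaker among groups the IdP has already asserted, so a user-set value cannot widen access.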
EZproxy
• configured as a proxy for SFX
• set up authentication skipping for access from appropriate University IP address ranges
• configurations for resources with native Shibboleth support kept as a backup access
• Implemented by Petr Novak & Jiri Pavlik
Sharing resources
• guides available at eduID.cz Wiki
• http://www.eduid.cz/wiki/eduid/admins/howto/deploy/index#knihovni_systemy
• used by: Masaryk University in Brno, Czech Academy of Sciences Library, National Technical Library, Moravian Library, Czech National Library, Tomas Bata University in Zlin, ...
• kept updated
Sharing resources
• presentations & consultations
• test account
• English translation, EL Commons?
• special thanks to Ere Maijala and Ex Libris
Future development
• SFX - Shibboleth authentication support for menu, AZ, statistics, ...
• NERS Enhancement Request in current ballot - Institutes: add Shibboleth authentication
Future development
• MetaLib - authorization supporting users' multiple affiliations
• Support Incident
• MetaLib, Aleph, DigiTool - Single Logout
• DigiTool - international authentication: eduGAIN, InCommon federation, ...
Future development
• Academy of Sciences logins for members of the 2 joint University and Academy institutes
• Discovery system - Primo
Future development
• Raptor statistics
• unified top level e-resources usage statistics
• usage divided by user groups
• overcome providers' inability to deliver statistics divided by user groups
• overcome missing ebooks statistics support in Ustat
Q & A, contact
Jiri Pavlik
http://www.cuni.cz/~pavlik