This joint presentation by Rhys Smith and Zoe Young explains the process of implementing a federated access management infrastructure, based on Shibboleth, at the University of Cardiff.
Implementing a Shibboleth IDP service
Rhys Smith & Zoë Young, Cardiff University
Outline
➢ Implementing a production service
➢ HA
➢ Conforming to Tech' Recommendations
➢ Migration to Shib
Implementing a ProdN Service
➢ Institutions planning a real-world production Shib IDP deployment:
  ➢ Think beyond simple technical details
  ➢ Consider higher level issues of design
  ➢ Including HA and resiliency issues
➢ Otherwise:
  ➢ When your IDP server breaks (and it will), you're (technical terminology coming up) screwed!
Cardiff's setup
[Diagram: idp.cardiff.ac.uk (NetScaler); idp1.cf.ac.uk, idp2.cf.ac.uk and idp3.cf.ac.uk, each with hashib shared memory]
Cardiff's setup (con't)
➢ idp1 & idp2: physical servers (PowerEdge)
➢ idp3: VM on VMware ESX infrastructure; primarily for development, only occasionally in service
➢ All Linux (RHEL4)
➢ Server up/down checking via idp.xml:
  ➢ ...Shibboleth_StatusHandler...<Location>.+/shibboleth-idp/Status</Location>
  ➢ “AVAILABLE” if everything has loaded OK
Cardiff's setup (con't)
➢ Fully monitored via SNMP
  ➢ Standard server stuff (CPU usage, memory usage, temperatures, etc.)
  ➢ Custom Perl scripts parse Shib log files
  ➢ Exposed via custom SNMP OIDs
➢ Cacti (open source) monitoring solution already in place
➢ Email me for a copy of scripts/Cacti templates, etc.
Tech' Recommendations
➢ Metadata (the list of who is on the federation):
  ➢ CRON job to update overnight, every night
➢ Attributes:
  ➢ Haven't implemented eduPerson in directory; use own attributes and map to eduPerson schema using resolver.xml
Tech' Recommendations (con't)
➢ eduPersonScopedAffiliation:
  ➢ Mapped to CardiffFAMAffiliation attribute in our directory (webauth tree)
  ➢ Provisioned by our IDM system
  ➢ “member” if current staff, current student, current training grade doctor, or manually “made” member in IDM web interface
  ➢ staff/student similarly IDM driven
Tech' Recommendations (con't)
➢ eduPersonTargetedID:
  ➢ Simply using PersistentIDAttributeDefinition, linked to IDM IdentityNumber
  ➢ Dynamically (cryptographically) creates an opaque, consistent TargetedID per user per resource
➢ eduPersonPrincipalName:
  ➢ Mapped to cn attribute in our directory
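Added illustration (not the slides' or the Shibboleth project's code) of what a per-user, per-resource persistent ID derivation has to achieve: a keyed hash over the local identifier and the relying party's entityID. The IdP's own PersistentIDAttributeDefinition uses its own salted-hash scheme; the HMAC-SHA256, the SALT value and the sample identifiers here are stand-ins.

```python
import base64
import hashlib
import hmac

# Constructed placeholder. In practice generate once (e.g. secrets.token_bytes(32)),
# keep it with the IdP config and never change it casually: a new salt gives
# every user a new ID at every SP, breaking their personalisation there.
SALT = b"placeholder-idp-salt-change-me"


def targeted_id(local_id: str, sp_entity_id: str, salt: bytes = SALT) -> str:
    """Opaque, consistent per-user per-SP identifier.

    Keyed hash over (local identifier, relying-party entityID). Same inputs
    always yield the same value; different SPs see unrelated values for the
    same user; without the salt the value cannot be tied back to the user.
    Inputs are length-prefixed so "ab"+"c" cannot collide with "a"+"bc".
    """
    msg = b""
    for part in (local_id, sp_entity_id):
        raw = part.encode("utf-8")
        msg += len(raw).to_bytes(4, "big") + raw
    digest = hmac.new(salt, msg, hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def is_consistent(local_id: str, sp_entity_id: str) -> bool:
    """Repeated derivation for the same user and SP returns the same ID."""
    return targeted_id(local_id, sp_entity_id) == targeted_id(local_id, sp_entity_id)


def is_unlinkable_across_sps(local_id: str, sp_a: str, sp_b: str) -> bool:
    """Two SPs cannot correlate the same user by comparing the IDs they receive."""
    return targeted_id(local_id, sp_a) != targeted_id(local_id, sp_b)


if __name__ == "__main__":
    # Constructed sample values: an IDM identity number and two SP entityIDs.
    user = "0123456"
    sp_a = "https://sp-a.example.ac.uk/shibboleth"
    sp_b = "https://sp-b.example.ac.uk/shibboleth"
    print("SP A sees:", targeted_id(user, sp_a))
    print("SP B sees:", targeted_id(user, sp_b))
    print("consistent:", is_consistent(user, sp_a))
    print("unlinkable:", is_unlinkable_across_sps(user, sp_a, sp_b))
```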
Tech' Recommendations (con't)
➢ eduPersonEntitlement:
  ➢ Mapped to CardiffFamEntitlements attribute in our directory
  ➢ Provisioned by our IDM system where possible
  ➢ Manually administered via IDM web interface otherwise
Tech' Recommendations (con't)
➢ Attribute Release Policies
  ➢ arp.site.xml
  ➢ Set to release minimum information (scopedAffiliation and TargetedID) unless specifically set otherwise
  ➢ Release more if desired on a case by case basis
Authentication Options
➢ Apache vs Tomcat:
  ➢ Apache simpler
  ➢ Tomcat a lot more user friendly for your users
➢ Our login page:
Overview
➢ Auditing of resources
➢ Promotion and Communication
➢ What has happened so far?
➢ What's going to happen next?
➢ Questions?
Auditing of resources
➢ Resources tested for Shibboleth compliance.
➢ Non-compliant resources:
  ➢ Westlaw – generic usernames and passwords until new platform released
  ➢ Lexis Nexis Professional – should be moved to Butterworths
  ➢ Alerts, Saved Searches and Personalisation.
Promotion and Communication
➢ Emails about Shibboleth/CU Login sent to all Information Services staff
➢ Presentation on changes given to all library and helpdesk staff
➢ Documentation sent to all 18 libraries
➢ Web page – Off campus access
➢ Changes to databases page
➢ Subject Librarians cascaded information to all new students and staff
What has happened so far?
➢ Went live – Sept 06
➢ Users:
  ➢ New Training Grade Doctors
  ➢ New Students
  ➢ New Staff
  ➢ Users with expired accounts or problems
➢ 53.35% of access to “Athens” e-resources is by CU login
What’s going to happen next?
➢ 2nd July – changes to website to encourage remaining Athens users to switch
➢ Email to users with active Athens accounts
➢ Monitor use of Athens accounts over the next year and contact individual users to migrate.
➢ April 08 – All Athens accounts expire
The end
Any Questions?
www.identityproject.org/survey.doc for:
➢ more info
➢ a copy of these slides
➢ clarification of any points
➢ meaningful discussion about shib
➢ meaningless discussion about stanley cup finals...
email: [email protected]