
Andy Swiffin a.l.swiffin@dundee.ac.uk University of Dundee Terena - PowerPoint PPT Presentation



  1. Andy Swiffin, a.l.swiffin@dundee.ac.uk, University of Dundee
     Terena EuroCAMP, Athens. 13 November, 2008
     Image courtesy of wikipedia.org

  2. From Attributes To Assertions

  3. What will I be talking about?
     • Background:
       – Identity management at Dundee
       – Access management in UK academia
     • Dundee deploys Shibboleth:
       – Authenticating against eDirectory
       – Generating and releasing attributes
       – How did it go?

  4. (image-only slide)

  5. Dundee University
     • Over 18,000 students
     • Over 3000 staff
     • Strong Identity Management
     • File/Print Infrastructure based on

  6. • eDirectory is the enterprise directory
     • Zenworks manages the desktop
     • Novell Groupwise for campus email
     • Novell IDM for directory synchronisation

  7. But there are other “X500” Directories
     • Novell eDirectory
     • Microsoft Active Directory
     • SunOne/iPlanet
     • OpenLDAP
     • IBM Tivoli (SecureWay)

  8. ALL use LDAP
     • It’s a “Standard” – Isn’t it?
     • “The nice thing about standards is that you have so many to choose from (furthermore, if you don’t like any of them you can just wait for next year’s model)” – Andrew Stuart Tanenbaum, Computer Networks

  9. Directory population
     • Automatic processes (scripts)
       – from Student records (SITS)
       – from HR
     • Usernames
       – ALS123 ?
       – M81V003 ?
       – MCRALS ?
       – ALSwiffin
     • John Smith gets an extra initial
       – JZSmith, JYSmith, JXSmith etc

  10. Novell IDM
     • Novell Identity Manager (aka DirXML)
       – Synchronisation between eDirectory trees
     • Bidirectional (if you want)
       – Also to Groupwise
       – To Microsoft AD (if we want it)!
       – Large number of other connectors.

  11. (diagram of the synchronised trees: SITS, Main Dundee Tree, Vault Tree, LDAP Tree, HR, IPT Tree, Groupwise)

  12. (image-only slide)

  13. (image-only slide)

  14. Even Applicants get an entry
     • As soon as someone applies
     • 19,000 per year
       – But only ~5000 come
     • Huge wastage of usernames
       – But disambiguation is not a big problem
       – John Smith was never going to get JSmith anyway

  15. Leavers’ accounts retained
     • Automatic processes identify
       – Staff leaving
       – Students completing their course
     • The clock starts ticking
       – After a month:
         • Accounts disabled
         • Moved into the holding pen

  16. Active accounts retained
     • If an account has been used
       – It is retained for 2 years!
     • After which it is recycled
     • YES! We reuse ePPN! What?? You mean you expose it!!!

  17. LDAP with everything
     • So:
       – Dundee is well established in Identity management
       – Email and login accounts are automatically created
       – LDAP is used by all applications for authentication
     • But what about external resources?

  18. Athens
     • An Access Management System for controlling secure access to web based services.
     • Originally created at Bath University
     • Adopted by JISC as preferred authentication mechanism
     • Eduserv created in 1999 and ran Athens on behalf of the academic community
     • Usernames and passwords held by Athens but administered at a local level
     • Originally: “a big database table with about 4.5 million rows and 300 columns”
       – Athens DA – “Devolved Authentication”

  19. Athens
     • 500 HE and FE institutions used Athens
     • 300 licenced resources
     • But:
       – Athens used proprietary protocols
       – Mostly only used by UK Academia (and a few others)
       – So, little international acceptance

  20. JISC announcement - 2006

  21. (image-only slide)

  22. • > 600 UK members (and increasing)
     • Uses Shibboleth
       – Operates in a similar way to Athens DA
       – Uses SAML to exchange information
       – Protects privacy
         • Least sensitive attributes released
         • Member, staff, student, medic
     • Shibboleth – growing globally
       – USA, France, Switzerland, China, Belgium, Greece, Finland, Australia, Canada, Czech Republic, Netherlands…

  23. What we intended to do
     • JISC had funded Athens <-> Shibboleth gateways
     • Plan to use Shibboleth to access Athens resources this way.
     • January 22nd 2008 – There was a “disagreement”
     • Athens access would still be available – but at a price…

  24. What we actually did
     • Deployed two IdPs
     • One Real and one Virtual
     • With HAShib and Cisco “content switching” for automatic failover

  25. What we actually did
     • And decided to stop using Athens entirely and rely on the Federation for authentication

  26. The building blocks
     • Linux
     • OpenSSL
     • Apache
     • Mod_proxy_ajp
     • Tomcat
     • Java
     • Shibboleth IdP

  27. The building blocks
     • Linux Novell SLES 10
     • OpenSSL 0.9.8g
     • Apache 2.2.6
     • Mod_proxy_ajp
     • Tomcat 5.5.25
     • Java jdk1.5.0_14
     • Shibboleth IdP 1.3.3

  28. Also available on
     • Some experimentation:
     • Bare bones XP box +
       – Apache 2.2.9 (includes OpenSSL!)
       – Tomcat 5.5.26
       – JRE 1.5.0.16
       – Shib 1.3.3
     • INSTALL in 10 Minutes!
     • (There is also a windows installer)

  29. Authentication
     • Shibboleth 1.3 relies on Apache or Tomcat for authentication
     • I decided to use Tomcat
       – With Apache you get a popup box
       – With a Tomcat “Realm” you have a whole page to “brand”
     • Shib 2 has the authentication bundled in

  30. Tomcat Realm
     • /usr/local/tomcat/conf/server.xml
     (directory entry shown on the slide) objectClass: inetOrgPerson; organizationalPerson; Person; ndsLoginProperties; Top;

  31. /usr/local/tomcat/webapps/shibboleth-idp/WEB-INF/web.xml
     • The login web pages
     (directory entry shown on the slide) objectClass: inetOrgPerson; organizationalPerson; Person; ndsLoginProperties; Top;

  32. What if I don’t understand it?
     • You don’t really need to! – Just cut and paste!
     • Cook books:
       – https://mams.melcoe.mq.edu.au/zope/mams/pubs/Installation/Tomcat%20Authentication%20for%20Shibboleth%20IdP
       – https://spaces.internet2.edu/display/SHIB/IdPUserAuthnConfig
     • What you’re actually doing:
       – http://www.onjava.com/pub/a/onjava/2001/08/06/webform.html

  33. Other directories?
     • Most will work as described
     • But AD won’t
     • A problem of “Referrals”
       – “I don’t have it but I know someone who does”
       – http://java.sun.com/products/jndi/tutorial/ldap/referral/jndi.html
     • There is a Tomcat “fix”

  34. • http://wiki.apache.org/tomcat/JNDI_HowTo
     • http://www.jspwiki.org/wiki/ActiveDirectoryIntegration
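The container-managed login that slides 29 to 34 describe has two halves: a JNDIRealm in Tomcat's server.xml that checks the password against the directory, and a FORM login-config in the IdP's web.xml that makes Tomcat serve branded login pages instead of a browser popup. The fragment below is an added illustration, not the configuration from the talk: the LDAP host, bind DN, base DNs, the role name idp-users and the /SSO pattern are assumed values, and the JNDIRealm `referrals` attribute is offered as the likely "Tomcat fix" for the AD referral problem, which is an assumption to check against the JNDIRealm documentation for the Tomcat version in use.

```xml
<!-- /usr/local/tomcat/conf/server.xml (inside <Engine> or <Host>):
     authenticate IdP users against the directory over LDAPS.
     Host, bind DN, base DNs and role name are assumed example values. -->
<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldaps://ldap.example.ac.uk:636"
       connectionName="cn=tomcat-bind,ou=services,o=example"
       connectionPassword="REPLACE-WITH-BIND-PASSWORD"
       userBase="ou=people,o=example"
       userSearch="(cn={0})"
       userSubtree="true"
       roleBase="ou=groups,o=example"
       roleName="cn"
       roleSearch="(member={0})"
       roleSubtree="true"
       referrals="follow" />

<!-- /usr/local/tomcat/webapps/shibboleth-idp/WEB-INF/web.xml:
     protect the SSO handler with FORM authentication so the realm above is used
     and the branded login pages are shown. /SSO is the assumed handler path. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Shibboleth IdP SSO</web-resource-name>
    <url-pattern>/SSO</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>idp-users</role-name>
  </auth-constraint>
  <user-data-constraint>
    <!-- never accept the password over plain HTTP -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>Example IdP</realm-name>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/login-error.jsp</form-error-page>
  </form-login-config>
</login-config>

<security-role>
  <role-name>idp-users</role-name>
</security-role>
```

Two things a deployer should check. The `userSearch` filter decides what string becomes REMOTE_USER, and that is the PRINCIPAL the attribute resolver later looks up with `cn = PRINCIPAL` (slide 36), so the two must agree. The bind password sits in clear text in server.xml, so the file needs restrictive permissions and the bind account should have read-only rights to the user and group subtrees only.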

  35. Authorisation
     • Shibboleth will be asked for some attributes
     • Normally the Trinity of:
       – eduPersonScopedAffiliation
         • Member, Staff, Student @dundee.ac.uk
       – eduPersonTargetedId
         • <Hash>@dundee.ac.uk
         • The same <hash> each time you visit that resource
         • A different <hash> for each different resource
       – eduPersonEntitlement
         • Defined by the Service Provider
         • Eg – access to medical resources
     • eduPersonPrincipalName
       • NOT RELEASED!

  36. Attributes: Where are you going to get them from?
     • First you need access to your directory
     • /usr/local/shibboleth-idp/etc/resolver.xml
       – Search with cn = PRINCIPAL in this LDAP server
     • Will work with most directories
       – Except AD

  37. For AD:
     • Restrict the attributes returned
     • The GC: Beware!
     • Referrals fix
     • https://spaces.internet2.edu/display/SHIB/JNDIDataConnector
     • Some people have given up and used a database!

  38. Attributes: Are you going to store them?
     • Extend the Schema?
     • You don’t need to do that
       – The information may already be there!

  39. Simple attribute stored:
     • Scoped affiliation
       – Member → Member@dundee.ac.uk
       – Staff → Staff@dundee.ac.uk

  40. But you may already have the information!
     • ‘workforceID: M81V003’ (character positions 0 to 13 shown on the slide)
     • workforceidstr=workforceid.get(0) → ‘M81V003’
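Slides 35 and 38 to 40 together describe one pipeline: take what the directory already holds, derive the affiliation from it, compute a per-resource targeted ID, attach any SP-defined entitlement, and keep eduPersonPrincipalName out of the release. The code below is an added example written for this page, not Dundee's resolver configuration or Shibboleth's own code. The directory entry, the scope example.ac.uk, the HMAC key, the entitlement URN and the rule "a workforceID means staff" are all constructed; the targeted ID is a keyed hash that has the property the slide describes (stable per SP, different across SPs) rather than the exact Shibboleth 1.3 computedId algorithm. It goes one step beyond the slides in hashing a stable per-entry identifier instead of the username, because slide 16 says usernames are recycled after two years.

```python
"""Added example: derive and release the attribute 'trinity' for one Service Provider.
Not the page's or the Shibboleth project's code; all values below are constructed."""
import hashlib
import hmac

SCOPE = "example.ac.uk"  # assumed scope; the talk's would be dundee.ac.uk
# Constructed per-IdP secret. In a real deployment it comes from configuration, not source.
TARGETED_ID_KEY = b"constructed-idp-secret-replace-me"

# Constructed eDirectory-style entry, multi-valued like a JNDI result. "guid" stands in for
# the directory's own per-entry identifier, which survives the recycling of a cn.
EXAMPLE_ENTRY = {
    "cn": ["alswiffin"],
    "guid": ["1f4c0c6e-0000-4000-8000-000000000001"],
    "objectClass": ["inetOrgPerson", "organizationalPerson", "Person", "ndsLoginProperties", "Top"],
    "workforceID": ["M81V003"],   # constructed convention: only staff carry a workforceID
    "ou": ["Medical School"],
}


def first_value(entry, attr):
    """Mirror of the slide's workforceid.get(0): first value of a multi-valued attribute, or None."""
    values = entry.get(attr) or []
    return values[0] if values else None


def affiliations(entry):
    """Derive eduPersonAffiliation from data already stored; no schema extension needed."""
    values = ["member"]
    if first_value(entry, "workforceID"):
        values.append("staff")
    if first_value(entry, "studentID"):
        values.append("student")
    return values


def scoped_affiliation(entry):
    """Slide 39: affiliation@scope."""
    return [f"{a}@{SCOPE}" for a in affiliations(entry)]


def targeted_id(entry, sp_entity_id):
    """Per-SP pseudonym: identical every time this account visits this SP, different at every
    other SP. HMAC-SHA256 over (stable account GUID, SP entity ID); hashing the GUID rather than
    the cn means a recycled username does not inherit the previous holder's pseudonym."""
    account = first_value(entry, "guid")
    message = f"{account}!{sp_entity_id}".encode()
    digest = hmac.new(TARGETED_ID_KEY, message, hashlib.sha256).hexdigest()
    return f"{digest}@{SCOPE}"


def entitlements(entry):
    """Constructed SP-defined entitlement: members of the medical OU may use medical resources."""
    if "Medical School" in entry.get("ou", []):
        return ["urn:mace:example.ac.uk:entitlement:medical"]
    return []


def release(entry, sp_entity_id):
    """The attribute set released to one SP. eduPersonPrincipalName is deliberately absent:
    with usernames being reused it is not a safe stable identifier to hand out."""
    return {
        "eduPersonScopedAffiliation": scoped_affiliation(entry),
        "eduPersonTargetedID": [targeted_id(entry, sp_entity_id)],
        "eduPersonEntitlement": entitlements(entry),
    }


if __name__ == "__main__":
    for sp in ("https://sp-a.example.org/shibboleth", "https://sp-b.example.org/shibboleth"):
        print(sp, release(EXAMPLE_ENTRY, sp))
```

Running it prints two releases with the same affiliation and entitlement but different targeted IDs, which is exactly what an SP should see: enough to authorise, nothing that lets two SPs correlate the same person.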
