SLIDE 1
Eisuke Ito, Eiji Abe, Yoshiaki Kasahara Kyushu University ito.eisuke.523@m.kyushu‐u.ac.jp
UPKI update from Japan APAN29, Sydney 2010
Outline
- 1. Introduction
- 2. Shibboleth SSO
- 3. Problems of IdP
- 4. Analysis
- 5. Conclusion
1
Eisuke Ito, Eiji Abe, Yoshiaki Kasahara Kyushu University - - PowerPoint PPT Presentation
Eisuke Ito, Eiji Abe, Yoshiaki Kasahara Kyushu University - - PowerPoint PPT Presentation
APAN29, Sydney 2010 UPKI update from Japan Eisuke Ito, Eiji Abe, Yoshiaki Kasahara Kyushu University ito.eisuke.523@m.kyushuu.ac.jp Outline 1. Introduction 2. Shibboleth SSO 3. Problems of IdP 4. Analysis 5. Conclusion 1 1. Introduction 1.
SLIDE 2
SLIDE 3
- 1. Introduction
1. Introduction
- 2. Shibboleth SSO
3. Problems of IdP
- 4. Analysis
5. Conclusion
2
SLIDE 4
- 1. Introduction
- Protected services in University
E-Learning, e-Syllabi, Researcher activity DB, Student
portal, …
E-Journal, Google Apps, Windows Live, …
- Shibboleth SSO (Single Sign-on)
Distributed SSO Middleware Identity Providers (IdP), Service Providers (SP). (and
Discovery Service (DS))
- Federation
A trust relationship between Identity Providers (IdP)
and Service Providers (SP).
NII of Japan deploys Shibboleth SSO Federation Kyushu University joins this federation
3
SLIDE 5
History
2005 2006 2007 2008 2009 2010 2011
LDAP
kitenet (Wireless LAN)
University ID University authN plaBorm
Joined UPK Shibboleth IdP
Kyushu Univ.
Password manager
ID IntegraJon UPKI SSO trial UPKI‐Fed Trail eduroam.jp Server Cert. service UPKI IniJaJve GRID
UPKI‐Fed Federa7on NII, Japan
Join UPKI‐Fed (JP Federa7on) 4
SLIDE 6
In this presentation,
- Show a case study of shibboleth IdP and
SP operation in Kyushu University
- Report some problems of shibboleth IdP
- peration.
- Report results of two month operation.
5
SLIDE 7
- 2. Shibboleth SSO
1. Introduction
- 2. Shibboleth SSO
3. Problems of IdP
- 4. Analysis
5. Conclusion
6
SLIDE 8
- 2. Shibboleth SSO
- Before Shibboleth
Kyushu U
Students 18,000 Staffs 7,000 (prof. 2500)
Campus wide authentication system (since
2007.)
IDM and LDAP server
IDM: Identity management system (Meta Directory) LDAP server is used as password authenticator.
7
SLIDE 9
Password manager Active Directory
Enterprise system for officials
Matrix code DB Active Directory
EducaJon system for students login
IC Card (User ID) ID card
login
Other worker
Secure Matrix code authN Critical Service Critical Service ID/PW, or Matrix code LDAP ref Shibboleth IdP (SSO)
IDM
Shibboleth SSO Mail WebCT EZproxy kitenet (WiFi) refer refer ID/PW
System Overview
8
MS DS Refworks Shibboleth SSO E‐Journal
Federated SPs
MyLibrary
Personnel DB Student DB
SLIDE 10
Dataflow of IDM
Staff list
LDAP
Staff
Daily IDM (Identity Management Sys.)
Personnel DB Staffs
ID Card
Student list Twice in a Year
Student DB Students
Learning System (PCs, Server, WBT) Account activation
ID Card
9
SLIDE 11
Integrated Services
- WebCT (e-Learning)
- NetAcademy2 (English study)
- kitenet (WiFi)
- Campus licensed software
- Space management system
- Cute.Anyware (E-journal proxy by Library)
- Webmail (Primary e-mail service)
- Course registration and grade point management sys.,
- Researcher activity DB
10
SLIDE 12
SSO Policy
Internal service Out sourced service Usability
- riented
- Webmail
- WebCT (e‐Learning)
- Software download site
(licensed software)
- University portal
- E‐Journal services
- RefWorks
- Google Apps
Security
- riented
- Financial system
- Grade point
management system
Shibbolize!
11
SLIDE 13
- 3. Problems of IdP
1. Introduction
- 2. Shibboleth SSO
3. Problems of IdP
- 4. Analysis
5. Conclusion
12
SLIDE 14
- 3. Problems of IdP
SP
LDAP
IdP
Attributes matching Attribute filtering
13
SLIDE 15
Attributes matching
LDAP
IdP
Existing schema (attributes) eduperson schema
Add/Change schema
Solutions
Attributes Translation Schema Matching
attribute-resolver.xml
mismatch
OpenLDAP’s rewrite module
Open LDAP (rewrite)
14
SLIDE 16
Attribute filtering
SP
IdP
MyLibrary EZproxy WebCT
Internal SPs SP SP OK Serves all attributes SP External SPs SP SP No Against privacy policy
15
SLIDE 17
IdP SP
Solutions for attribute filtering problem
Internal SPs
- 1. Write filter rules for each SP.
SP SP SP External SPs
rule rule rule rule
IdP SP SP
- 2. Two IdPs
rule
IdP SP SP
rule
LDAP IdP Open LDAP (rewrite)
- 3. Filtering script
rules
16
SLIDE 18
- 4. Analysis
1. Introduction
- 2. Shibboleth SSO
3. Problems of IdP
- 4. Analysis
5. Conclusion
17
SLIDE 19
- 4. Analysis
18
SJSDS (Solaris)
Shibboleth IdP Tomcat (CentOS) (VMware) (Windows XP)
OpenLDAP, CentOS.
LDAP IdP Open LDAP
(rewrite)
SP MyLibrary
EZproxy WebCT
Internal SPs SP SP Shibboleth IdP and SPs in Kyushu Universiy
SLIDE 20
IdP SP
19
Kyushu University Library http://www.lib.kyushu‐u.ac.jp/
SLIDE 21
Results
- Two months operation
Just serviced in at Dec. 1, 2009.
- No serious trouble.
- Some trivial matters.
Some users bookmark the IdP site.
404 Not Found: /idp/Authn/Password 7time(s) He/She can’t access to the service which he/she wants.
20
SLIDE 22
Statistics: Unique users
Students 1815 18000 Staffs 467
7000 (2500)
Total 2291 25000 at Jan.26,2010.
21
SLIDE 23
Statistics: Rank‐Freqency
Top 200 users (10% users)
- ccupy 41.2% access.
22
SLIDE 24
Statistics: Daily access
23
SLIDE 25
Statistics: Hourly access
Most user access at afternoo.
24
SLIDE 26
- 5. Conclusion
1. Introduction
- 2. Shibboleth SSO
3. Problems of IdP
- 4. Analysis
5. Conclusion
25
SLIDE 27
- 5. Conclusion
- A case study of Shibboleth IdP in a
university
- Two problems for IdP construction
Attribute matching Attribute filtering
- Two months operation
No serious trouble. Got statistics
No over load
26
SLIDE 28
27