Shibbole-Me-This: One Librarian's Foray Into Shibboleth For Better Access

Post on 07-Jul-2015


description

An overview of Shibboleth and its use for providing access to library subscribed resources. Lots of illustrations and brief explanations of the technologies involved, such as EZproxy, Federated ID, Single Sign On, and their limitations. Athena Hoeppner. “Shibble-Me-This: One Librarian's Foray into Shibboleth for Better Access.” Internet Librarian 2014, Monterey, CA, 27 October 2014.

transcript

SHIBBLE-ME-THIS: ONE LIBRARIAN’S FORAY INTO SHIBBOLETH FOR BETTER ACCESS

AN ILLUSTRATED NARRATIVE

ATHENA HOEPPNER, ELECTRONIC RESOURCES LIBRARIAN

UNIVERSITY OF CENTRAL FLORIDA

@CYBRGRL #INTERNETLIBRARIAN

ILLUSTRATION: RESEARCHER AT HOME / CAMPUS SERVICE / PUBLISHER SITE / DREADED PAYWALL

ILLUSTRATION: CAMPUS SERVICE / LIBRARY SERVER / PUBLISHER SITE / THE LONG CONFUSING SLOG

ILLUSTRATION: LIBRARY SERVER / PROXY SERVER / MEDIATED REQUESTS / PUBLISHER SITE / YET ANOTHER LOGIN

ILLUSTRATION: PERSPECTIVE… VPN! SECURITY. ACCESS!

SHIBBOLETH DAYDREAMS

• SHIBBOLETH IS WIDELY USED BY LIBRARIES AND LIBRARY VENDORS.

• TURN SHIBBOLETH ON AND OFF IN VENDOR ADMIN

• LOTS OF USER ATTRIBUTES SHARED

• SIGNED IN USERS WILL BE ABLE TO USE WILD-WEB LINKS

• MOVE BETWEEN UCF SYSTEMS WITHOUT SIGNING IN

• PERSONALIZED EXPERIENCE

• GRANULAR ACCESS CONTROL

DIFFERENT PRIORITIES

ENTERPRISE: SINGLE SIGN ON. MANAGED IDS. SECURITY.

BUT, LIBRARY: ACCESS…

THINGS I LEARNED… SHIBBOLETH IS

• STANDARDS BASED

• OPEN SOURCE

• MIDDLEWARE

• SINGLE SIGN-ON ACROSS OR WITHIN ORGANIZATIONAL BOUNDARIES.

• CREATED BY INCOMMON, A SUB-PROJECT OF INTERNET2

HTTPS://SHIBBOLETH.NET/ABOUT/

SHIBBOLETH IN CONTEXT

• NOT-FOR-PROFIT NETWORKING CONSORTIUM

• FOR U.S. RESEARCH AND EDUCATION COMMUNITIES

HTTPS://SHIBBOLETH.NET/CONSORTIUM/

UNITED FEDERATION OF PLANETS

• OPERATES THE IDENTITY FEDERATION FOR INTERNET2

• IDENTITY PROVIDERS GET SINGLE SIGN-ON AND PRIVACY PROTECTION

• SERVICE PROVIDERS GET ACCESS CONTROL

HTTP://WWW.INTERNET2.EDU/PRODUCTS-SERVICES/TRUST-IDENTITY-MIDDLEWARE/INCOMMON-FEDERATION

THINGS I LEARNED…

• SECURITY ASSERTION MARKUP LANGUAGE (SAML)

• XML-BASED COMMUNICATION OF USER AUTHENTICATION, ENTITLEMENT, AND ATTRIBUTES.

• SAML ALLOWS ENTITIES TO MAKE ASSERTIONS ABOUT USERS TO OTHER ENTITIES, SUCH AS A PARTNER COMPANY OR ANOTHER ENTERPRISE APPLICATION.

HTTPS://WWW.OASIS-OPEN.ORG/COMMITTEES/TC_HOME.PHP?WG_ABBREV=SECURITY

ILLUSTRATION: TEACHER AT HOME / USER CREDENTIALS / CAMPUS SERVICE / LDAP / AUTHENTICATION

ILLUSTRATION: INTERNAL DIALOG / CAMPUS SERVICE / LDAP / AUTHENTICATION / USER INFO / USER CREDENTIALS / ATTRIBUTES / ASSERTIONS / USER CRED

“HE IS A UCF EDU-PERSON.”

“CHECK ON THIS GUY FOR ME…”

“YEAH. HERE’S HIS NAME AND OTHER DATA.”

“OK. HE IS ENTITLED TO MY SERVICE.”

“DO YOU KNOW THIS GUY?”

“HE GETS A COOKIE.”

MEANWHILE IN I.T. …

ENTERPRISE-WIDE FEDERATED ID AND SSO:

• LEARNING MANAGEMENT SYSTEM

• OPAC/LIBRARY ACCOUNTS

• ILLIAD

• EZPROXY

SINGLE SIGN ON!!

ON TO THE LIBRARY…

ILLUSTRATION: LIBRARY SERVER: “HE HAS A COOKIE. HERE ARE HIS ATTRIBUTES.”

EXTERNAL SERVICE PROVIDERS

LIBRARY VENDORS IN INCOMMON FEDERATION:

• HATHI TRUST

• EBSCOHOST

• PROQUEST

• EBL

• ELSEVIER

• JSTOR

• …

HTTPS://SPACES.INTERNET2.EDU/DISPLAY/INCLIBRARY/TARGETRESOURCES

HTTPS://SPACES.INTERNET2.EDU/DISPLAY/INCLIBRARY/REGISTRYOFRESOURCES

“OK. ENABLE, PLEASE!!”

“THEY GET OUR ENTITYID, AND WE’LL ASSERT eduPERSON.”

PAYWALL REDUX

ILLUSTRATION: PUBLISHER SITE: “??!”

ILLUSTRATION: WAYF – WHERE ARE YOU FROM / PUBLISHER SITE

SINGLE SIGN-ON!

ILLUSTRATION: PUBLISHER SITE: “HE HAS A COOKIE. I ASSERT HE IS A UCF eduPERSON.”

INCOMMON BEST PRACTICES FOR LIBRARIES

• AUTHORIZATION VIA EDUPERSON ATTRIBUTES

• IMPLEMENT WAYFLESS URLS

• IMPLEMENT AUTHENTICATED DIRECT LINKS TO RESOURCES.

• SHIBBOLETH ENABLE EZPROXY

• USE SHIBBOLETH-READY EZPROXY STARTING POINT URLS

HTTPS://SPACES.INTERNET2.EDU/DISPLAY/INCLIBRARY/BEST+PRACTICES
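The “do you know this guy?” exchange above and the best practice of authorizing via eduPerson attributes, seen from the service provider’s side: an added example, not code from the slides or from the Shibboleth project. It assumes a constructed SAML assertion and SP entityID, and that the SP has already verified the assertion’s signature (the check a real SP performs before anything below).

```python
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# eduPersonScopedAffiliation as it travels in SAML (OID-form attribute name).
SCOPED_AFFILIATION = "urn:oid:1.3.6.1.4.1.5923.1.1.1.9"
ACCEPTED = {"member", "student", "faculty", "staff"}  # affiliations this SP licenses

# Constructed sample: the kind of assertion a campus IdP sends after the user logs in.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>https://idp.example.edu/idp/shibboleth</saml:Issuer>
  <saml:Conditions NotBefore="2014-10-27T15:00:00Z" NotOnOrAfter="2014-10-27T15:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://sp.publisher.example/shibboleth</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9">
      <saml:AttributeValue>member@example.edu</saml:AttributeValue>
      <saml:AttributeValue>staff@other.example</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def _utc(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def conditions_ok(assertion_xml, our_entity_id, now_iso):
    """The Audience must name *our* entityID and the validity window must cover now."""
    cond = ET.fromstring(assertion_xml).find("saml:Conditions", NS)
    if cond is None:
        return False
    audiences = {a.text for a in cond.findall(".//saml:Audience", NS)}
    now = _utc(now_iso)
    return (our_entity_id in audiences
            and _utc(cond.get("NotBefore")) <= now < _utc(cond.get("NotOnOrAfter")))

def scoped_affiliations(assertion_xml, idp_scope):
    """Affiliations whose scope is the one this IdP is registered for; other scopes are
    dropped (the scope filtering a Shibboleth SP applies so one IdP cannot vouch for another campus)."""
    root = ET.fromstring(assertion_xml)
    values = [v.text for a in root.findall(".//saml:AttributeStatement/saml:Attribute", NS)
              if a.get("Name") == SCOPED_AFFILIATION
              for v in a.findall("saml:AttributeValue", NS)]
    return {v.split("@", 1)[0] for v in values if v.endswith("@" + idp_scope)}

def authorize(assertion_xml, our_entity_id, idp_scope, now_iso):
    """SP-side decision: conditions first, then an accepted affiliation in the IdP's scope."""
    if not conditions_ok(assertion_xml, our_entity_id, now_iso):
        return False
    return bool(scoped_affiliations(assertion_xml, idp_scope) & ACCEPTED)
```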

SINGLE SIGN ON ACCESS!

EZPROXY SHIBB URLS

• EZPROXY STARTING POINT URLS: HTTPS://LOGIN.EZPROXY.UCF.EDU/LOGIN?URL=

• SHIBBOLIZED: HTTPS://LOGIN.EZPROXY.UCF.EDU/LOGIN?AUTH=SHIBB&URL=

• WORKS WELL WITH LIBX TO PROXY ON THE FLY

• UCF DEPLOYED IN: SFX, EBSCOHOST DISCOVERY… WAITING TO USE IN OTHER SERVICES

CAVEATS:

• SOME EXTERNAL SYSTEMS ARE READY FOR THIS.

• GOES STRAIGHT TO THE FEDERATED ID LOGIN - BYPASSES OLD LIBRARY ID LOGIN.
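Building the two starting point URL forms from the slide, and proxying a link on the fly the way a LibX-style helper would: an added example, not code from the slides, from LibX or from EZproxy. The login host is the one on the slide; the allowlist of proxied hosts is constructed and stands in for whatever the real EZproxy configuration serves.

```python
from urllib.parse import quote, urlsplit

EZPROXY_LOGIN = "https://login.ezproxy.ucf.edu/login"  # host from the slide
PROXY_SUFFIX = ".ezproxy.ucf.edu"                      # already-proxied links live here
# Constructed allowlist: hosts the proxy is configured to serve (assumption, not UCF's real list).
PROXIED_HOSTS = {"www.jstor.org", "search.ebscohost.com", "www.sciencedirect.com"}

def starting_point_url(target, shibboleth=True):
    """Wrap target in an EZproxy starting point URL. auth=shibb sends the user to the
    federated (Shibboleth) login instead of the old library ID login."""
    params = "auth=shibb&url=" if shibboleth else "url="
    # Encode the target fully so its own '?' and '&' are not read as EZproxy parameters.
    return f"{EZPROXY_LOGIN}?{params}{quote(target, safe='')}"

def proxy_on_the_fly(link, shibboleth=True):
    """Rewrite a link only when it points at a licensed host; leave links that are
    already proxied, or that go to the open web, untouched."""
    host = (urlsplit(link).hostname or "").lower()
    if host.endswith(PROXY_SUFFIX):
        return link                      # idempotent: never double-proxy
    if host not in PROXIED_HOSTS:
        return link                      # wild-web link, nothing to gain by proxying
    return starting_point_url(link, shibboleth)
```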

INEVITABLE PAYWALLS

ILLUSTRATION: LibX / ONE LOGIN: “HE HAS A COOKIE. HERE ARE HIS ATTRIBUTES.” / PUBLISHER SITE / PROXY SERVER / MEDIATED REQUESTS / PUBLISHER SITE / LibX

LIBRARIAN SHIBBOLETH SUMMARY

• CAMPUS SINGLE SIGN-ON WITH FEDERATED ID

• LOTS OF ENTRY POINTS FROM MANY UCF SERVICES

• LOG IN FROM ONE SYSTEM MAY ALLOW ACCESS TO THE OTHER FEDERATION SHIBBOLETH-ENABLED SERVICES

• WAYF ON SHIBBOLETH-ENABLED VENDOR SITES

• STILL NEED EZPROXIED LINKS FOR MOST LIBRARY CONTENT

• SHIBBOLETH ENABLED STARTING POINT URLS AND LIBX ARE A PARTIAL SOLUTION FOR SEAMLESS ACCESS

PRACTICAL STEPS FOR LIBRARIANS

• ASK I.T. TO ENABLE LIBRARY PARTNERS

• SHIBBOLIZE EZPROXY

• EXPLAIN VPN LIMITATIONS TO FACULTY

• PROMOTE A CUSTOM LIBX

• ASK VENDORS TO PARTICIPATE IN INCOMMON

THANK YOU!

ATHENA HOEPPNER

ATHENA@UCF.EDU

@CYBRGRL

SELECTED GLOSSARY

• ASSERTION - THE IDENTITY INFORMATION PROVIDED BY AN IDENTITY PROVIDER TO A SERVICE PROVIDER.

• ATTRIBUTE - A SINGLE PIECE OF INFORMATION. SOME ATTRIBUTES ARE GENERAL; OTHERS ARE PERSONAL. SOME SUBSET OF ALL ATTRIBUTES DEFINES A UNIQUE INDIVIDUAL. EXAMPLES OF AN ATTRIBUTE ARE NAME AND ENROLLMENT.

• ATTRIBUTE STATEMENT - ASSERTS THAT A SUBJECT IS ASSOCIATED WITH CERTAIN ATTRIBUTES. AN ATTRIBUTE IS SIMPLY A NAME-VALUE PAIR. RELYING PARTIES USE ATTRIBUTES TO MAKE ACCESS-CONTROL DECISIONS.

• AUTHENTICATION STATEMENT - STATEMENT THAT THE PRINCIPAL DID INDEED AUTHENTICATE WITH THE IDENTITY PROVIDER AT A PARTICULAR TIME USING A PARTICULAR METHOD OF AUTHENTICATION.

• AUTHORIZATION DECISION STATEMENT - ASSERTS THAT A SUBJECT IS PERMITTED TO PERFORM ACTION A ON RESOURCE R GIVEN EVIDENCE E.

• EDUPERSON - AN LDAP OBJECT CLASS TO FACILITATE INTER-INSTITUTIONAL APPLICATIONS.

• ENTITYID - ID THAT IDENTIFIES AN ENTERPRISE IN A FEDERATION. USUALLY A URL THAT POINTS TO AN XML FILE OF INFO ABOUT THE ENTITY, SUCH AS THE ID PROVIDER URL, AND THE NETWORK ADMINISTRATOR.

• FEDERATED IDENTITY - MANAGEMENT OF IDENTITY INFORMATION BETWEEN MEMBERS OF A FEDERATION.

• IDENTITY PROVIDER (IDP) - THE SYSTEM THAT AUTHENTICATES AN ENTITY.

• SERVICE PROVIDER (SP) - MAKES ONLINE RESOURCES AVAILABLE TO USERS BASED IN PART ON INFORMATION ABOUT THEM THAT IT RECEIVES FROM OTHER INCOMMON PARTICIPANTS.

• WHERE ARE YOU FROM (WAYF) - A SERVER USED BY THE SHIBBOLETH SOFTWARE TO DETERMINE WHAT A USER'S HOME ORGANIZATION IS.

HTTP://EN.WIKIPEDIA.ORG/WIKI/SECURITY_ASSERTION_MARKUP_LANGUAGE#SAML_ASSERTIONS