One-Stop-Shop/Single-Sign-On Requirements of CESSDA. Ken Miller – UK Data Archive, University of Essex.


Presentation Transcript


  1. One-Stop-Shop/Single-Sign-On Requirements of CESSDA. Ken Miller – UK Data Archive, University of Essex

  2. The term "shibboleth" originates from a Hebrew word which literally means the part of a plant containing grains (an ear of grain). It derives from an account in the Hebrew Bible, in which pronunciation of this word was used to distinguish members of the Ephraimites, whose dialect lacked the "sh" sound, from members of the Gileadites, whose dialect did include such a sound.


  4. Doris Salcedo's "Shibboleth" is a subterranean chasm that stretches the length of the Turbine Hall. Salcedo is addressing the racism and colonialism that underlie the modern world. A 'shibboleth' acts as a test of belonging to a particular social group or class; by definition, it is used to exclude those deemed unsuitable to join this group.


  6. Shibboleth Single Sign-on and Federating Software was developed specifically to address the challenges of:
  • Multiple passwords required for multiple applications
  • Scaling the account management of multiple applications
  • Security issues associated with accessing third-party services
  • Privacy
  • Interoperability within and across organizational boundaries
  • Enabling institutions to choose their authentication technology
  • Enabling service providers to control access to their resources

  7. [Diagram: CESSDA Data Portal. Users explore, analyse and discover by browsing and searching over the Internet; the Portal harvests and categorises, using multilingual thesauri, from distributed Semantic Web (meta)data servers.]

  8. There are two primary parts to the Shibboleth system: the Identity Provider, the software run by an organization with users wishing to access a restricted service; and the Service Provider, the software run by the provider managing the restricted service. Shibboleth acts as a broker between these two providers, so that the individual's relationship with the institution determines access rights to resources that are hosted by the service provider. It uses Security Assertion Markup Language (SAML) for Authentication and Authorisation (AA).


  10. Step 1: When you click on a 'protected resource' link, your web browser sends an HTTP request to the URL for the webpage '/secure/'.
  Step 2: The web server answers with an HTTP Redirect to a WAYF (Where Are You From) server located at another URL for Shibboleth authentication.
  Step 3: The WAYF server sends your web browser an HTML webpage with a list of all Home Organizations available in the Federation.

  11. Step 4: Your web browser sends the selection you made for the Home Organization to the WAYF server, together with the webpage '/secure/' you were trying to reach.
  Step 5: The WAYF server sends your web browser an HTTP Redirect; your web browser then sends an HTTP Request for the login page of your Home Organization.
  Step 6: Your Home Organization answers with a login webpage.

  12. Step 7: Your web browser submits your user ID and password (your 'Credentials') to the web server of your Home Organization.
  Step 8: The web server checks the validity of the user ID and password provided. An HTTP Redirect is sent to your web browser that forwards you to the resource you initially requested. Together with this redirect your web browser receives a handle (some opaque data) and forwards this handle to the resource web server.

  13. Step 9: When the web server of the resource receives a handle from a user, it directly sends an attribute request to the Home Organization of the user, presenting the handle it just received.
  Step 10: At the Home Organization, the handle received from the resource is checked. To be valid, it must be presented by the resource before a timeout is reached. If valid, the requested user attributes for the user referred to by the handle are transmitted to the resource.

  14. [Diagram: UK Federation. Identity providers shown: HE/FE institutions, NHS organisations, local government offices, national government offices. Attributes released: eduPersonTargetedID, eduPersonScopedAffiliation. Services shown: ESDS, UKDA, Census.]

  15. [Diagram: a Virtual Organization Service Provider with its Registration Database sits between the UK Federation and the ESDS, UKDA and Census services.] Additional information held there, beyond what the federation provides: HE/FE, name, email, department/discipline, commercial, research, agreement to special licences.

  16. 1. A user attempts to access the SP resource.
  2. This directs the user to the VO Proxy IdP.
  3. A request is sent to the VO Proxy SP.
  4. The VO Proxy SP directs the user to the WAYF.
  5. The user authenticates at their HO (IdP).
  6. The HO replies to the VO with SAML AA and a handle.
  [Diagram: Registration Database]

  17. 6. (cont.) The VO uses the handle and the address of the HO AA to request attributes; the HO AA releases attributes to the VO.
  7. The VO AA consults the ARP (attribute release policy) for the directory entry corresponding to the handle.
  8. The VO AA releases attributes to the SP.
  9. Based on the attributes, the SP either sends the user to the registration system or allows access.
  [Diagram: Registration Database]
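The ten-step browser flow of slides 10-13 and the Virtual Organization proxy chain of slides 16-17, worked through as an added Python simulation. This is not code from the presentation or from the Shibboleth project: every party is an in-process object and there is no network, WAYF page or SAML encoding. The only names taken from the slides are the attributes eduPersonTargetedID and eduPersonScopedAffiliation, the Home Organization, WAYF, VO and ARP roles, and the registration database; the users, organisations, service-provider names, the 30-second handle lifetime and the release policies are constructed assumptions. The simulation makes explicit what the slides only imply about the handle: it is opaque, it is bound to the service provider it was issued for, it is rejected after the timeout, and (a choice of this example, not something the slides state) it is accepted only once, so a replayed handle yields no attributes. The ARP then decides what each service provider is told, and the VO proxy acts as an SP towards the Home Organization and as an IdP towards the real SP.

```python
"""Simulation of the Shibboleth 1.x handle/attribute-query flow (slides 10-13)
and the Virtual Organization proxy chain (slides 16-17).  Added example, not
code from the presentation or the Shibboleth project: all parties are
in-process objects; no network, no SAML.  Only eduPersonTargetedID and
eduPersonScopedAffiliation come from the slides; users, organisations, SP
names, the lifetime and the release policies are assumptions."""

import secrets
import time

HANDLE_LIFETIME = 30.0  # seconds a handle stays valid (assumed value)


class IdentityProvider:
    """Home Organization: checks credentials, issues handles, answers attribute queries."""

    def __init__(self, name, credentials, attributes, arp):
        self.name = name
        self.credentials = credentials  # user id -> password (plaintext only for brevity)
        self.attributes = attributes    # user id -> {attribute: value}
        self.arp = arp                  # attribute release policy: SP name -> attrs it may see
        self.handles = {}               # handle -> (user id, SP it was issued for, issue time)

    def issue_handle(self, user, sp_name, now):
        handle = secrets.token_urlsafe(16)  # opaque: reveals nothing about the user
        self.handles[handle] = (user, sp_name, now)
        return handle

    def login(self, user, password, sp_name, now=None, home_org=None):
        """Steps 7-8: verify credentials, return an opaque handle bound to sp_name."""
        expected = self.credentials.get(user)
        if expected is None or not secrets.compare_digest(expected.encode(), password.encode()):
            return None
        return self.issue_handle(user, sp_name, now if now is not None else time.time())

    def attribute_query(self, handle, sp_name, now=None):
        """Steps 9-10: back-channel query.  The handle must exist, be unexpired and be
        presented by the SP it was issued for; single use is this example's choice."""
        entry = self.handles.pop(handle, None)  # pop: a replayed handle gets nothing
        if entry is None:
            return None
        user, bound_sp, issued = entry
        now = now if now is not None else time.time()
        if bound_sp != sp_name or now - issued > HANDLE_LIFETIME:
            return None
        allowed = self.arp.get(sp_name, set())  # ARP filters what this SP is told
        return {k: v for k, v in self.attributes[user].items() if k in allowed}


class VOProxy(IdentityProvider):
    """Virtual Organization: an SP towards the Home Organization, an IdP towards
    the real SP; enriches the HO's attributes from its registration database."""

    def __init__(self, name, wayf, registration_db, arp):
        super().__init__(name, credentials={}, attributes={}, arp=arp)
        self.wayf = wayf                        # home org name -> IdentityProvider
        self.registration_db = registration_db  # eduPersonTargetedID -> extra attributes

    def login(self, user, password, sp_name, now=None, home_org=None):
        now = now if now is not None else time.time()
        ho = self.wayf.get(home_org)                              # step 4: WAYF choice
        if ho is None:
            return None
        ho_handle = ho.login(user, password, self.name, now)      # step 5: login at HO
        if ho_handle is None:
            return None
        ho_attrs = ho.attribute_query(ho_handle, self.name, now)  # step 6: HO releases to VO
        if not ho_attrs or "eduPersonTargetedID" not in ho_attrs:
            return None
        tid = ho_attrs["eduPersonTargetedID"]
        merged = dict(ho_attrs)
        merged.update(self.registration_db.get(tid, {}))          # step 7: directory entry
        self.attributes[tid] = merged
        return self.issue_handle(tid, sp_name, now)               # step 8 via attribute_query


class ServiceProvider:
    """Protects a resource and decides on the released attributes (step 9)."""

    def __init__(self, name, idp, required):
        self.name = name
        self.idp = idp            # the IdP or VO proxy this SP trusts
        self.required = required  # attribute -> value that must be present for access

    def access(self, user, password, home_org, now=None):
        """Steps 1-3 are just redirects to the WAYF; the browser's role is inlined here."""
        now = now if now is not None else time.time()
        handle = self.idp.login(user, password, self.name, now, home_org=home_org)
        if handle is None:
            return "login failed"
        attrs = self.idp.attribute_query(handle, self.name, now)
        if attrs is None:
            return "handle rejected"
        if all(attrs.get(k) == v for k, v in self.required.items()):
            return "access granted"
        return "redirect to registration"


# Constructed sample data, not from the slides.
ESSEX = IdentityProvider(
    "essex",
    credentials={"ken": "correct horse", "bob": "battery staple"},
    attributes={
        "ken": {"eduPersonTargetedID": "abc123@essex",
                "eduPersonScopedAffiliation": "staff@essex.ac.uk", "mail": "ken@example.ac.uk"},
        "bob": {"eduPersonTargetedID": "def456@essex",
                "eduPersonScopedAffiliation": "student@essex.ac.uk", "mail": "bob@example.ac.uk"},
    },
    arp={"ukda-sp": {"eduPersonScopedAffiliation"},
         "vo-proxy": {"eduPersonTargetedID", "eduPersonScopedAffiliation"}},
)
WAYF = {"essex": ESSEX}
# Standard set-up (slides 10-13): the SP queries the Home Organization directly.
UKDA_SP = ServiceProvider("ukda-sp", ESSEX, {"eduPersonScopedAffiliation": "staff@essex.ac.uk"})
# VO set-up (slides 16-17): the SP trusts the proxy, which adds registration data.
VO = VOProxy("vo-proxy", WAYF, registration_db={"abc123@essex": {"specialLicenceAgreed": True}},
             arp={"census-sp": {"eduPersonScopedAffiliation", "specialLicenceAgreed"}})
CENSUS_SP = ServiceProvider("census-sp", VO, {"specialLicenceAgreed": True})

if __name__ == "__main__":
    print(UKDA_SP.access("ken", "correct horse", "essex"))     # access granted
    print(CENSUS_SP.access("bob", "battery staple", "essex"))  # redirect to registration
```

Two points worth noticing when running it. The Home Organization never tells the UKDA SP the user's mail address, because the ARP for that SP lists only eduPersonScopedAffiliation; and Bob reaches the Census SP with a valid federation identity but no registration-database entry, so step 9 sends him to registration rather than refusing him outright, which is exactly the split between federation attributes and VO-held attributes that slides 14 and 15 draw.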

  18. CESSDA challenges:
  • What information/attributes?
  • Does the Portal collect any additional information not provided by the Federations?
  • Do individual CESSDA members have VOSP systems?
  • Does the Portal have a VOSP system?
  • Can CESSDA members and/or the Portal operate with a standard Shibboleth set-up?
  • Does the Portal need Shibboleth at all?
  • An EU Federation?
  [Diagram: CESSDA, with the UK Federation (UKDA) and the Norwegian federation (NSD).]
