Enhancing life-long learning, teaching and research through information resources and services
Shibboleth: Moving towards single sign-on through MetaLib and SFX
Dr Richard Cross, eServices Manager (Resource Discovery), Libraries and Learning Resources, Nottingham Trent University
Introducing myself… I am:
• one of two eServices Managers within the Information Resources team of Libraries and Learning Resources at Nottingham Trent University
Working with Ex Libris
• Deputy of the IGeLU Product Working Group for Verde
• Co-chair of the EPUG-UKI SFX and MetaLib product strand
• Co-opted member of the EPUG-UKI Committee
• Manage the university’s work as a Verde implementation partner
• Participated in pre-release customer testing of MetaLib 4.0
• Contracted to deliver SFX implementation training for six UK library services
Nottingham Trent University
• Nottingham is located in the East Midlands, and is home to two universities
• NTU enrols around 23.5k students
• NTU comprises three campuses
• NTU is organised into nine academic schools, including: Art and Design, Nottingham Business School, Nottingham Law School and School of Science and Technology
• LLR is organised into two main teams: Customer Services and Information Resources
Ex Libris applications at NTU
• ALEPH (v.19) – LMS (and ARC [ALEPH Reporting Center])
• SFX (v.3) – OpenURL link resolver
• MetaLib (v.4) – library portal (branded as eSearch)
• Digitool (v.2) – institutional repository
• Verde (v.2) – electronic resource management application
[Diagram: the two eServices Managers (LMS and RD) and the applications each looks after – ALEPH, SFX, MetaLib, Digitool, Verde]
Agenda
• Electronic resources: the authentication options
• The Athens framework in the UK
• Federated access management – and Shibboleth
Authentication options
• Authenticating users remains one of the central challenges of electronic resource management
• Range of technologies available:
  • IP (on-site)
  • Proxy servers (to mimic an on-site IP address)
  • Athens (in the UK)
  • Resource-specific username and password
Athens framework
• Centrally funded for UK universities by JISC
• Delegated identity management by Eduserv
• Universities create Athens usernames and passwords for their staff and students, and batch upload them to the Eduserv database
• Universities use ‘permissions sets’ to manage entitlements – who gets access to which resources
• Resource providers activate the service with Eduserv; login is routed to Eduserv, who manage the authentication and pass the user back to the resource with an entitlement flag and a PUID (persistent unique identifier)
Off-campus access – using Athens
• To enable off-campus authentication to electronic resources and services, LLR’s preference has (in the past) been to use the Athens framework
• Providing customers with Athens usernames and passwords has enabled LLR to meet key authentication objectives:
  • Ensuring that customers need only one additional username and password to gain access to a wide range of resources
  • Allowing customers to set up and manage unique, individual user accounts on appropriate resources
  • Maintaining the security and confidentiality of university usernames and passwords by not exposing them outside of the university network
  • Filtering access to resources for non-standard customers (who have more limited access rights)
Frustrations
• Customers have been required to remember and make use of a second (Athens) username and password
• Not all resources required by off-campus customers have supported Athens-based authentication (so it was not a single solution)
• Customers often struggle to enter their Athens details in the appropriate login boxes
• Recurrent administrative overheads
Recent changes in the environment
• A new, alternative ‘federated access management’ framework has emerged
• JISC opted to stop centrally funding Eduserv’s Athens service in the spring of 2008
• Information providers have begun to review their own authentication frameworks – though not all have engaged with the challenges of Shibboleth with the same sense of urgency
‘Shibboleth’ – the basics
• Shibboleth is one of a number of technologies which enable ‘federated access management’
• Rather than a separate (Athens-style) username and password, customers use their university username and password to gain access to Shibboleth-enabled resources
‘Shibboleth’ – the workflow
• When an off-campus visitor arrives at a Shibboleth-enabled resource, they indicate the institution they are from
• They are redirected to a login page at that institution, where they enter their university username and password
• If the login succeeds, the institution sends a set of ‘attributes’ back to the resource, and (when the right conditions are met) the customer is accepted and allowed into the resource as a logged-in user
• As the user then moves between Shibboleth-enabled resources (in the same session) they should be recognised automatically, without being asked to log in again
Shibboleth – Wilson Web demo II – the WAYF (Where Are You From?) page [screenshot]
Shibboleth – Wilson Web demo III – the NTU sign-in page [screenshot; a WAYFless URL would point directly to this login screen]
Shibboleth – Wilson Web demo IV – logged into the resource… [screenshot; …with an active Shibboleth session now running]
How does Shibboleth differ from eZproxy?
• Unlike eZproxy/IP access, Shibboleth is not anonymous – it supports personalisation and individual account management
• Enables authorisation as well as authentication (through attribute release)
• Although WAYFless URLs are available for many services, there is no requirement to access resources through library-approved routes
• Possible to leverage both technologies together – by ‘Shibbolizing’ eZproxy (the proxy authenticates the user through Shibboleth and sets its session cookie even when the resource being accessed by proxy is not itself Shibboleth-enabled)
Requirements to make use of federated access management (Shibboleth)
• An authorised (probably national) FAM federation is established with verified members
• Resource providers establish themselves as FAM Service Providers (SPs)
• Institutions establish themselves as FAM Identity Providers (IdPs)
• Technical requirements are agreed over attribute release
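The workflow slide, the eZproxy comparison and the requirements slide together describe one exchange: the SP sends the visitor to the IdP, the IdP authenticates locally and releases agreed attributes, and the SP decides on those attributes. The following is an added illustration of that exchange, not code from the presentation or from the Shibboleth project. It models both sides in one file so the attribute-release and authorisation steps can be seen end to end, and it goes beyond the slides in showing the checks an SP has to make on what comes back (signature, issuer, audience, request binding, expiry, replay). Real deployments exchange SAML 2.0 XML assertions signed with the IdP key published in federation metadata; here a JSON object authenticated with a pre-shared HMAC key stands in for that. The SP entityID, login endpoint, key, user store and release policy are all hypothetical; the NTU IdP entityID is the one shown in the WAYFless URLs later in the deck, and the common-lib-terms entitlement value is the standard one used for library licences.

```python
"""Toy model of the Shibboleth exchange on the slides (SP -> IdP -> SP).

Added illustration, not code from the presentation or from the Shibboleth
project. Real deployments exchange SAML 2.0 XML assertions signed with the
IdP key published in federation metadata; here the assertion is a JSON
object authenticated with a pre-shared HMAC key (hypothetical stand-in).
"""
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit

SP_ENTITY_ID = "https://sp.example.org/shibboleth"       # hypothetical resource provider
IDP_ENTITY_ID = "https://shibidp.ntu.ac.uk/shibboleth"   # NTU IdP entityID from the slides
IDP_LOGIN_URL = "https://shibidp.ntu.ac.uk/idp/login"    # hypothetical login endpoint
FEDERATION_KEY = b"hypothetical-key-from-federation-metadata"
COMMON_LIB_TERMS = "urn:mace:dir:entitlement:common-lib-terms"  # standard library-licence entitlement
ASSERTION_LIFETIME = 300   # seconds

# ---- Identity Provider side -------------------------------------------------
def _pw(secret):
    return hashlib.sha256(secret.encode()).hexdigest()   # toy hashing, not for production

# Constructed user store: credential plus the attributes the IdP holds about the user.
USERS = {
    "jsmith": {"pw": _pw("correct-horse"),
               "eduPersonScopedAffiliation": "staff@ntu.ac.uk",
               "eduPersonEntitlement": [COMMON_LIB_TERMS]},
    "visitor": {"pw": _pw("battery-staple"),
                "eduPersonScopedAffiliation": "affiliate@ntu.ac.uk",
                "eduPersonEntitlement": []},      # non-standard user: no library entitlement
}
# Attribute release policy agreed with the federation: what each SP is allowed to see.
RELEASE_POLICY = {SP_ENTITY_ID: ("eduPersonScopedAffiliation", "eduPersonEntitlement")}

def _sign(payload):
    canonical = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(FEDERATION_KEY, canonical, hashlib.sha256).hexdigest()

def idp_login(username, password, sp_entity_id, request_id):
    """Authenticate locally; release only the attributes the policy allows for this SP."""
    user = USERS.get(username)
    if user is None or not hmac.compare_digest(user["pw"], _pw(password)):
        return None                                   # bad credentials: nothing leaves the IdP
    attrs = {name: user[name] for name in RELEASE_POLICY.get(sp_entity_id, ())}
    now = int(time.time())
    payload = {"id": "_" + secrets.token_hex(16), "issuer": IDP_ENTITY_ID,
               "audience": sp_entity_id, "in_response_to": request_id,
               "issued": now, "not_on_or_after": now + ASSERTION_LIFETIME,
               "attributes": attrs}
    return {"payload": payload, "signature": _sign(payload)}

# ---- Service Provider side --------------------------------------------------
_seen_assertion_ids = set()

def sp_start_login(target_path):
    """Steps 1-2: send the visitor to the institution's login page. A WAYFless URL
    names the IdP up front, so the 'Where Are You From?' page is skipped."""
    request_id = "_" + secrets.token_hex(16)
    redirect = IDP_LOGIN_URL + "?" + urlencode(
        {"providerId": SP_ENTITY_ID, "requestId": request_id, "target": target_path})
    return redirect, {"request_id": request_id, "target": target_path}

def sp_consume(assertion, pending):
    """Step 3: validate what came back, then authorise on the released attributes."""
    payload, sig = assertion["payload"], assertion["signature"]
    if not hmac.compare_digest(_sign(payload), sig):
        raise ValueError("bad signature")
    if payload["issuer"] != IDP_ENTITY_ID or payload["audience"] != SP_ENTITY_ID:
        raise ValueError("not issued by a trusted IdP for this SP")
    if payload["in_response_to"] != pending["request_id"]:
        raise ValueError("does not answer the outstanding request")
    if time.time() >= payload["not_on_or_after"]:
        raise ValueError("assertion expired")
    if payload["id"] in _seen_assertion_ids:
        raise ValueError("assertion replayed")
    _seen_assertion_ids.add(payload["id"])
    attrs = payload["attributes"]
    # Authorisation, not just authentication: the licence covers holders of the
    # common-lib-terms entitlement whose affiliation is scoped to the IdP's own domain
    # (a real SP checks the scope against what federation metadata allows that IdP to assert).
    authorised = (COMMON_LIB_TERMS in attrs.get("eduPersonEntitlement", [])
                  and attrs.get("eduPersonScopedAffiliation", "").endswith("@ntu.ac.uk"))
    return {"authorised": authorised, "target": pending["target"], "attributes": attrs}

def demo(username, password, target="/journal/12345"):
    """Run the whole exchange for one user; None means the IdP rejected the login."""
    redirect, pending = sp_start_login(target)
    q = parse_qs(urlsplit(redirect).query)            # what the IdP sees in the redirect
    assertion = idp_login(username, password, q["providerId"][0], q["requestId"][0])
    return None if assertion is None else sp_consume(assertion, pending)
```

The "non-standard user" case from the Athens slides falls out of the attributes: the visitor account authenticates at the IdP but is not authorised by the SP, which is the filtering that permissions sets used to do. Note also that the password never reaches the SP and that attributes outside the release policy are never sent, which is the confidentiality point made earlier about not exposing university credentials off-network.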
General challenges with Shibboleth – for users
• Not all resource providers will be ready to support federated access management
• Not all Shibboleth-compliant providers support WAYFless URLs
• The terminology used by service providers is not consistent
LLR went live with Shibboleth – July 2008
• First resources to migrate were those no longer supporting Athens
• Introduced Shibbolized eZproxy – to mimic on-campus IP
• Moved other resources to Shibboleth as quickly as possible
• In September 2009, LLR will no longer use Athens for NTU staff and students
• Retain Athens for non-standard users
General challenges with Shibboleth II – for librarians
• Need for close collaboration and synchronisation between technical and library staff – overheads for both – Shibboleth implementation (technical) will not be library led
• Shibboleth requires more work to set up, configure and test
• Sites may need to run existing systems in parallel with Shibboleth
• There is no web interface for administrators – utilities will need to be built by the user community
• Standards, architectures and methodologies are still evolving
• Even in the ‘best case scenario’ libraries will still need to manage workarounds for some resources
MetaLib: Shibboleth
• Where the framework exists, login to MetaLib can itself be Shibbolized – other university resources can also use a Shibboleth login
• Login links can be a challenge: WAYFless URLs may not be available; deep-linking may not be possible
• WAYFless URLs can be very long – sometimes too long to fit in the Alternative access URL field in the MetaLib IRD (so either use one field, or alias the URL)
• Alternative Link to record in native interface in the IRD may not work (part of the same deep-linking problem)
• Not all resources are able to recognise automatically that a Shibboleth session is active (might need to ‘touch’ login to activate a session on a resource)
SFX: Shibboleth
• Possible to set the proxy flag in SFX Admin, but no concept of on-campus and off-campus URLs (a pre-Shibboleth problem; IP checking)
• Ex Libris has not begun to look at management of FullText target parsers that can construct outbound URLs – these would need to be federation specific in any case
• Shibboleth URLs do not necessarily support deep-linking to Journal or Article level – a limitation of the existing technology
Example WAYFless URLs:
https://shibboleth.chadwyck.co.uk/secure/authenticate.cgi?product=PAO&location=UK&returnpage=http://pao.chadwyck.co.uk/shibbolethLogin.do&forward=/home.do&entityId=https%3A%2F%2Fshibidp.ntu.ac.uk%2Fshibboleth
https://www.lexisnexis.com/start/shib/idpurlrd?providerId=https%3A%2F%2Fshibidp.ntu.ac.uk%2Fshibboleth&fedId=3&appToken=43FF9DC93354C583BBD978A5FE0E2211
SFX: Shibboleth
• Possible methods for Shibboleth deep-linking from SFX:
  • Develop Shibboleth WAYFless URLs which can include metadata elements
  • Cache the metadata elements and pick up those values after Shibboleth authentication
  • Providers develop scripts which can manage authentication & deep-linking
  • Ex Libris develop SFX Admin utilities to insert complex local values into target parsers
• Work in this area is only just beginning and little is settled…
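The MetaLib slide (long WAYFless URLs that need aliasing) and the two SFX slides (the two WAYFless URL shapes, and the first two deep-linking methods: metadata in the URL, or cached and picked up after login) share one piece of plumbing, so one added example serves all three. This is illustration code written for this page, not code from the presentation, from Ex Libris or from any provider. The Chadwyck and LexisNexis URL layouts follow the two example URLs on the slide and the NTU entityID is the one they carry; the article path scheme, the IRD field limit, the alias host and the sample OpenURL context are hypothetical. The `idp_of` check is the one a practitioner wants before a URL goes into the IRD: a mistyped entityID sends customers to another institution's login page.

```python
"""WAYFless URLs for SFX/MetaLib deep-linking: build, cache, alias, check.

Added example, not code from the presentation, Ex Libris or any provider.
The two URL shapes follow the Chadwyck and LexisNexis examples on the SFX
slide; the article path scheme, the IRD field limit and the alias host are
hypothetical.
"""
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

NTU_IDP = "https://shibidp.ntu.ac.uk/shibboleth"    # entityID used in the slide's URLs
MAX_IRD_URL_LEN = 128                               # hypothetical limit of the IRD URL field
ALIAS_BASE = "https://go.library.example.ac.uk/"    # hypothetical library-run alias host

# Constructed OpenURL context for one journal article, as SFX would hold it.
SAMPLE_CTX = {"issn": "1234-5678", "volume": "12", "issue": "3", "spage": "45"}


def deep_link_path(ctx):
    """Method 1: map OpenURL metadata elements onto a provider's native article path.
    The scheme is hypothetical; every provider differs and some offer no deep link."""
    return "/journal/{issn}/{volume}/{issue}/{spage}".format(**ctx)


def chadwyck_wayfless(product, forward, idp=NTU_IDP):
    """Return-page style URL: target page in `forward`, IdP in `entityId`.
    urlencode percent-encodes the entityID, which is part of why these URLs get so long."""
    params = {"product": product, "location": "UK",
              "returnpage": "http://pao.chadwyck.co.uk/shibbolethLogin.do",
              "forward": forward, "entityId": idp}
    return "https://shibboleth.chadwyck.co.uk/secure/authenticate.cgi?" + urlencode(params)


def lexisnexis_wayfless(app_token, fed_id=3, idp=NTU_IDP):
    """Token style URL: names the IdP but carries no target, so no deep link is possible."""
    params = {"providerId": idp, "fedId": fed_id, "appToken": app_token}
    return "https://www.lexisnexis.com/start/shib/idpurlrd?" + urlencode(params)


def idp_of(wayfless_url):
    """Which IdP does a WAYFless URL name? Providers disagree on the parameter name,
    so check the usual spellings; a wrong entityID sends users to someone else's login."""
    q = parse_qs(urlsplit(wayfless_url).query)
    for name in ("entityId", "entityID", "providerId"):
        if name in q:
            return q[name][0]
    return None


# Method 2: cache the metadata elements server-side and pick them up after login.
_pending = {}

def stash(ctx):
    """Park the OpenURL context under an unguessable one-shot token for the return leg."""
    token = secrets.token_urlsafe(12)
    _pending[token] = dict(ctx)
    return token

def resume(token):
    """Recover (and discard) the parked context once the Shibboleth session exists."""
    return _pending.pop(token, None)


# Aliasing for URLs too long for the IRD field.
_aliases = {}

def alias(long_url):
    """Return the URL itself if it fits, otherwise a short library-hosted alias."""
    if len(long_url) <= MAX_IRD_URL_LEN:
        return long_url
    for key, known in _aliases.items():       # reuse an existing alias for the same URL
        if known == long_url:
            return ALIAS_BASE + key
    key = secrets.token_urlsafe(6)
    _aliases[key] = long_url
    return ALIAS_BASE + key

def resolve(short_url):
    """What the alias host does on request: look up the key and redirect to the long URL."""
    return _aliases.get(short_url.rsplit("/", 1)[-1])


def ird_url_for_article(ctx, product="PAO"):
    """End to end: OpenURL context -> deep link -> WAYFless URL -> something that fits the IRD.
    Refuses to emit a URL that names the wrong IdP."""
    url = chadwyck_wayfless(product, deep_link_path(ctx))
    if idp_of(url) != NTU_IDP:
        raise ValueError("WAYFless URL does not point at our IdP")
    return alias(url)
```

The alias table is the "alias the URL" option from the MetaLib slide: the IRD holds a short library-hosted link and the alias host issues the redirect, so the long, provider-specific URL can change without touching the IRD. Method 2 matters for providers like the LexisNexis shape, where the WAYFless URL has no slot for a target at all: the metadata is parked under a token before the user is sent off to log in and collected once they come back.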
Future potential of Shibboleth
• Supporting intra- and inter-federation collaboration
• Support for embedding genuine single sign-on within institutions
• Through attribute management it may become possible to establish filtered, targeted subscription arrangements with providers
Shibboleth and Federated Access Management in the UK – useful links
• The UK Access Management Federation: http://www.ukfederation.org.uk/
• Shibboleth-compliant resources and services: http://www.ukfederation.org.uk/content/Documents/AvailableServices
• JISC update on resources working towards Shibboleth compliance: http://access.jiscinvolve.org/federated-access-and-publishers/
Any questions – and thank you! Richard Cross, Nottingham Trent University richard.cross@ntu.ac.uk +44(0)115 848 4878