This joint presentation by Rhys Smith and Zoe Young explains the process of implementing a federated access management infrastructure, based on Shibboleth, at the University of Cardiff.
2. Outline
➢ Implementing a production service
➢ HA
➢ Conforming to Tech' Recommendations
➢ Migration to Shib
3. Implementing a Production Service
➢ Institutions planning a real-world production Shib IDP deployment:
  ➢ Think beyond simple technical details
  ➢ Consider higher level issues of design
  ➢ Including HA and resiliency issues
➢ Otherwise:
  ➢ When your IDP server breaks (and it will), you're (technical terminology coming up) screwed!
5. Cardiff's setup (con't)
➢ idp1 & idp2: physical servers (PowerEdge)
➢ idp3: VM on VMware ESX infrastructure; primarily for development, only occasionally in service
➢ All Linux, RHEL4
➢ Server up/down checking via the status handler in idp.xml:
    ...Shibboleth_StatusHandler...
    <Location>.+/shibbolethidp/Status</Location>
➢ Returns “AVAILABLE” if everything has loaded OK
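The up/down check the slide describes, written out as an added example (my code, not the slides' or the Shibboleth project's): each IdP's Status handler is fetched with a timeout, a body containing "AVAILABLE" marks the server as healthy, and only the healthy servers are kept in the HA rotation. The hostnames, the exact Status path (taken to be /shibboleth-idp/Status) and the timeout are assumptions.

```python
"""Shibboleth IdP health check against the Status handler.

Added example, not from the slides or from Shibboleth itself.
Assumptions: hostnames, the Status path and the 5 s timeout.
"""
import urllib.error
import urllib.request
from typing import Callable, Dict, List

# Assumed hostnames for the three IdPs on the slides (idp3 is the dev VM).
IDP_STATUS_URLS: Dict[str, str] = {
    "idp1": "https://idp1.example.ac.uk/shibboleth-idp/Status",
    "idp2": "https://idp2.example.ac.uk/shibboleth-idp/Status",
    "idp3": "https://idp3.example.ac.uk/shibboleth-idp/Status",
}


def fetch_status(url: str, timeout: float = 5.0) -> str:
    """GET the Status page; any network or HTTP error raises."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


def is_available(body: str) -> bool:
    """The status handler reports AVAILABLE once the IdP has fully loaded.
    Anything else (empty body, error page, partial initialisation) is down."""
    return "AVAILABLE" in body


def live_idps(urls: Dict[str, str],
              fetch: Callable[[str], str] = fetch_status) -> List[str]:
    """Names of the IdPs that answered AVAILABLE.

    A timeout, refused connection or 5xx marks that one server as down
    instead of aborting the check, so a broken idp1 never hides the state
    of idp2 and idp3.  `fetch` is injectable so the logic can be tested
    offline with constructed responses.
    """
    live: List[str] = []
    for name, url in urls.items():
        try:
            body = fetch(url)
        except (urllib.error.URLError, OSError, ValueError):
            continue
        if is_available(body):
            live.append(name)
    return live


if __name__ == "__main__":
    # Real run: hits the assumed URLs above and prints what is in rotation.
    print("live IdPs:", live_idps(IDP_STATUS_URLS))
```

A load balancer health check that only tests TCP port 443 would keep an IdP in rotation while Tomcat is still starting or while the metadata failed to load; checking the handler's body for "AVAILABLE" is what distinguishes "process listening" from "service usable".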
6. Cardiff's setup (con't)
➢ Fully monitored via SNMP
➢ Standard server stuff (CPU usage, memory usage, temperatures, etc.)
➢ Custom Perl scripts parse Shib log files
➢ Exposed via custom SNMP OIDs
➢ Cacti (open source) monitoring solution already in place
➢ Email me for a copy of scripts/Cacti templates, etc.
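The "parse Shib log files, expose via custom SNMP OIDs" step as an added example (my Python, not the Perl scripts the slide offers and not Shibboleth code). It counts authentications and issued assertions from log lines and answers in the three-line form Net-SNMP's `pass` directive expects when snmpd runs a script as `script -g <oid>`. The enterprise OID prefix is a placeholder, and the log lines are constructed in a log4j-style layout rather than copied from a real Shibboleth log, so the regexes would need adjusting to the real format.

```python
"""Shibboleth IdP log metrics for SNMP (Net-SNMP "pass" protocol).

Added example, not Cardiff's scripts and not part of Shibboleth.
Assumptions: the enterprise OID, the log line layout, and that the
log is read from SAMPLE_LOG here (a real run would open the log file).
"""
import re
import sys
from collections import Counter
from typing import Dict, Iterable, List

BASE_OID = ".1.3.6.1.4.1.99999.1"  # placeholder private enterprise subtree

# Constructed sample lines (not real IdP output).
SAMPLE_LOG = """\
2006-09-04 10:01:02 INFO  shibboleth.IdP - Authentication succeeded for principal ab12345
2006-09-04 10:01:03 INFO  shibboleth.IdP - SSO assertion issued to urn:mace:example:sp:library
2006-09-04 10:02:11 WARN  shibboleth.IdP - Authentication failed for principal cd67890
2006-09-04 10:02:40 INFO  shibboleth.IdP - SSO assertion issued to urn:mace:example:sp:journals
2006-09-04 10:03:05 INFO  shibboleth.IdP - Authentication succeeded for principal ab12345
2006-09-04 10:03:06 INFO  shibboleth.IdP - SSO assertion issued to urn:mace:example:sp:library
2006-09-04 10:04:00 ERROR shibboleth.IdP - Attribute resolution failed for principal ef00001
"""

AUTH_OK = re.compile(r"Authentication succeeded for principal (\S+)")
AUTH_FAIL = re.compile(r"Authentication failed for principal (\S+)")
SSO_ISSUED = re.compile(r"SSO assertion issued to (\S+)")
ERROR_LINE = re.compile(r"\bERROR\b")


def parse_metrics(lines: Iterable[str]) -> Dict[str, int]:
    """Aggregate counters over the log; each value maps to one OID below."""
    ok = fail = sso = errors = 0
    principals = set()
    for line in lines:
        m = AUTH_OK.search(line)
        if m:
            ok += 1
            principals.add(m.group(1))
        elif AUTH_FAIL.search(line):
            fail += 1
        elif SSO_ISSUED.search(line):
            sso += 1
        if ERROR_LINE.search(line):
            errors += 1
    return {
        "authSuccess": ok,
        "authFailure": fail,
        "ssoIssued": sso,
        "uniquePrincipals": len(principals),  # distinct successful logins
        "errors": errors,
    }


def per_sp(lines: Iterable[str]) -> Counter:
    """Assertions issued per service provider (useful for a Cacti graph)."""
    return Counter(m.group(1) for line in lines
                   for m in [SSO_ISSUED.search(line)] if m)


# OID -> (SNMP type, metric key).  Counts only grow as the log grows.
OID_TABLE = {
    BASE_OID + ".1": ("counter", "authSuccess"),
    BASE_OID + ".2": ("counter", "authFailure"),
    BASE_OID + ".3": ("counter", "ssoIssued"),
    BASE_OID + ".4": ("gauge", "uniquePrincipals"),
    BASE_OID + ".5": ("counter", "errors"),
}


def snmp_pass_get(oid: str, metrics: Dict[str, int]) -> List[str]:
    """Lines snmpd expects for a GET: OID, type, value.
    An empty list (print nothing) tells snmpd there is no such object."""
    entry = OID_TABLE.get(oid)
    if entry is None:
        return []
    snmp_type, key = entry
    return [oid, snmp_type, str(metrics[key])]


def main(argv: List[str]) -> int:
    # snmpd invokes: script -g <oid>   (GETNEXT, "-n", is not handled here)
    if len(argv) >= 3 and argv[1] == "-g":
        metrics = parse_metrics(SAMPLE_LOG.splitlines())
        sys.stdout.write("".join(l + "\n" for l in snmp_pass_get(argv[2], metrics)))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Hooked into snmpd.conf with `pass .1.3.6.1.4.1.99999.1 /usr/local/bin/shib_metrics.py` (the OID being the placeholder above), the same Cacti data templates that graph CPU and memory can graph authentication failures, which is often the first visible sign of a broken directory bind or an expired certificate.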
8. Tech' Recommendations
➢ Metadata (the list of who is in the federation):
  ➢ CRON job to update overnight, every night
➢ Attributes:
  ➢ Haven't implemented eduPerson in directory; use own attributes and map to eduPerson schema using resolver.xml
9. Tech' Recommendations (con't)
➢ eduPersonScopedAffiliation:
  ➢ Mapped to CardiffFAMAffiliation attribute in our directory (webauth tree)
  ➢ Provisioned by our IDM system
  ➢ “member” if current staff, current student, current training grade doctor, or manually “made” member in IDM web interface
  ➢ staff/student similarly IDM driven
10. Tech' Recommendations (con't)
➢ eduPersonTargetedID:
  ➢ Simply using PersistentIDAttributeDefinition, linked to IDM IdentityNumber
  ➢ Dynamically cryptographically creates an opaque, consistent TargetedID per user per resource
➢ eduPersonPrincipalName:
  ➢ Mapped to cn attribute in our directory
11. Tech' Recommendations (con't)
➢ eduPersonEntitlement:
  ➢ Mapped to CardiffFamEntitlements attribute in our directory
  ➢ Provisioned by our IDM system where possible
  ➢ Manually administered via IDM web interface otherwise
12. Tech' Recommendations (con't)
➢ Attribute Release Policies
  ➢ arp.site.xml
  ➢ Set to release minimum information (scopedAffiliation and TargetedID) unless specifically set otherwise
  ➢ Release more if desired on a case by case basis
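Slides 9 to 12 describe one pipeline: derive affiliations from IDM state, build an opaque per-user, per-resource TargetedID from the identity number, take ePPN from cn and entitlements from the directory, then release only scopedAffiliation and TargetedID unless an SP has its own rule. This added example (my Python, not Cardiff's resolver.xml or arp.site.xml and not Shibboleth code) carries those rules through end to end. The scope value, the salt, the SP entity IDs, the scoping of ePPN and the TargetedID construction (SHA-1 over "sp!identityNumber!salt", Base64 encoded, which is the computed-ID layout of later Shibboleth releases; the 1.3 internals are not on the slides) are all assumptions.

```python
"""Attribute resolution and release policy, Cardiff-style, as plain Python.

Added example; not the slides' configuration and not Shibboleth code.
Assumptions: SCOPE, SALT, the SP identifiers, ePPN = cn@scope, and the
salted SHA-1 construction of the TargetedID.
"""
import base64
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Set

SCOPE = "cardiff.ac.uk"                       # assumed scope
SALT = b"placeholder-long-random-secret"      # assumed; must stay secret and stable,
                                              # changing it changes every user's TargetedID


@dataclass
class IdmRecord:
    """What the IDM system provisions into the directory (constructed shape)."""
    cn: str
    identity_number: str
    current_staff: bool = False
    current_student: bool = False
    training_grade_doctor: bool = False
    manual_member: bool = False             # "made" member in the IDM web interface
    entitlements: List[str] = field(default_factory=list)


def affiliations(rec: IdmRecord) -> List[str]:
    """Slide 9's rule: staff/student from IDM state; member if any of
    staff, student, training grade doctor, or manually made a member."""
    out: List[str] = []
    if rec.current_staff:
        out.append("staff")
    if rec.current_student:
        out.append("student")
    if (rec.current_staff or rec.current_student
            or rec.training_grade_doctor or rec.manual_member):
        out.append("member")
    return out


def targeted_id(identity_number: str, sp_entity_id: str, salt: bytes = SALT) -> str:
    """Opaque, consistent value per (user, resource): same input -> same ID,
    different SP -> unrelated ID, and the salt stops an SP recovering the
    identity number by brute force over the (small) ID space."""
    data = f"{sp_entity_id}!{identity_number}!".encode("utf-8") + salt
    return base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")


def resolve(rec: IdmRecord, sp_entity_id: str) -> Dict[str, List[str]]:
    """The resolver.xml mappings from slides 9-11 as a dict of attributes."""
    return {
        "eduPersonPrincipalName": [f"{rec.cn}@{SCOPE}"],
        "eduPersonScopedAffiliation": [f"{a}@{SCOPE}" for a in affiliations(rec)],
        "eduPersonTargetedID": [targeted_id(rec.identity_number, sp_entity_id)],
        "eduPersonEntitlement": list(rec.entitlements),
    }


# Slide 12: minimum release by default, more only where a specific rule says so.
DEFAULT_RELEASE: Set[str] = {"eduPersonScopedAffiliation", "eduPersonTargetedID"}
SP_OVERRIDES: Dict[str, Set[str]] = {
    # assumed SP that additionally needs a stable username
    "https://vle.example.ac.uk/shibboleth": DEFAULT_RELEASE | {"eduPersonPrincipalName"},
}


def release(attrs: Dict[str, List[str]], sp_entity_id: str) -> Dict[str, List[str]]:
    """Filter resolved attributes through the ARP; empty attributes are dropped."""
    allowed = SP_OVERRIDES.get(sp_entity_id, DEFAULT_RELEASE)
    return {name: values for name, values in attrs.items()
            if name in allowed and values}


if __name__ == "__main__":
    user = IdmRecord(cn="ab12345", identity_number="0012345", current_staff=True)
    for sp in ("https://journals.example.org/shibboleth",
               "https://vle.example.ac.uk/shibboleth"):
        print(sp, release(resolve(user, sp), sp))
```

Keeping the default set small and making every wider release an explicit per-SP entry is what makes the ARP auditable: a reviewer can list `SP_OVERRIDES` (or the `arp.site.xml` rules) and see exactly which resources learn a user's name or entitlements.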
13. Authentication Options
➢ Apache vs Tomcat:
  ➢ Apache simpler
  ➢ Tomcat a lot more user friendly for your users
➢ Our login page:
14.
15. Overview
➢ Auditing of resources
➢ Promotion and Communication
➢ What has happened so far?
➢ What’s going to happen next?
➢ Questions?
16. Auditing of resources
➢ Resources tested for Shibboleth compliance.
➢ Non-compliant resources:
  ➢ Westlaw – generic usernames and passwords until new platform released
  ➢ Lexis Nexis Professional – should be moved to Butterworths
  ➢ Alerts, Saved Searches and Personalisation.
17. Promotion and Communication
➢ Emails about Shibboleth/CU Login sent to all Information Services staff
➢ Presentation on changes given to all library and helpdesk staff
➢ Documentation sent to all 18 libraries
➢ Web page – Off campus access
➢ Changes to databases page
➢ Subject Librarians cascaded information to all new students and staff
18. What has happened so far?
➢ Went live – Sept 06
➢ Users:
  ➢ New Training Grade Doctors
  ➢ New Students
  ➢ New Staff
  ➢ Users with expired accounts or problems
➢ 53.35 % of access to “Athens” e-resources is by CU login
19. What’s going to happen next?
➢ 2nd July – changes to website to encourage remaining Athens users to switch
➢ Email to users with active Athens accounts
➢ Monitor use of Athens accounts over the next year and contact individual users to migrate.
➢ April 08 – All Athens accounts expire
20.
21.
22. The end
Any Questions?
www.identityproject.org/survey.doc
For:
➢ more info
➢ a copy of these slides
➢ clarification of any points
➢ meaningful discussion about Shib
➢ meaningless discussion about Stanley Cup finals...
email: smith@cardiff.ac.uk