Implementing a Shibboleth IDP service

Rhys Smith & Zoë Young
Cardiff University
Outline
➢ Implementing a production service
➢ HA
➢ Conforming to Tech' Recommendations
➢ Migration to Shib
Implementing a Production Service
➢ Institutions planning a real-world production Shib IDP deployment:
    ➢ Think beyond simple technical details
    ➢ Consider higher level issues of design
    ➢ Including HA and resiliency issues
➢ Otherwise:
    ➢ When your IDP server breaks (and it will), you're (technical terminology coming up) screwed!
Cardiff's setup
Diagram: idp.cardiff.ac.uk (NetScaler load balancer) in front of idp1.cf.ac.uk and idp2.cf.ac.uk, each labelled "hashib" and "Shared Memory", with idp3.cf.ac.uk alongside.
Cardiff's setup (cont'd)
➢ idp1 & idp2 - physical servers - PowerEdge
➢ idp3 - VM on VMware ESX infrastructure; primarily for development, only occasionally in service
➢ All Linux - RHEL4
➢ Server up/down checking via idp.xml:
    ➢ ...Shibboleth_StatusHandler...
      <Location>.+/shibboleth-idp/Status</Location>
    ➢ Returns “AVAILABLE” if everything has loaded OK, so the load balancer can check that rather than just an open port
Cardiff's setup (cont'd)
➢ Fully monitored via SNMP
    ➢ Standard server stuff (CPU usage, memory usage, temperatures, etc.)
    ➢ Custom Perl scripts parse Shib log files
    ➢ Exposed via custom SNMP OIDs
➢ Cacti (open source) monitoring solution already in place
➢ Email me for a copy of scripts/Cacti templates, etc.
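The Perl scripts the slide refers to are not reproduced on the page. The following is an added example, not Cardiff's code, showing in Python what such a parser does: it aggregates IdP transaction-log lines into per-SP assertion counts and failure counts and emits them one integer per line, the shape a Net-SNMP `extend` script returns so that each line becomes a fixed sub-OID a Cacti template can graph. The log lines are constructed for the example and only loosely modelled on the Shibboleth 1.3 transaction log; the exact wording on a real deployment must be checked against its own log files and the patterns adjusted.

```python
import re
from collections import Counter
from typing import Iterable

# Constructed sample lines, loosely modelled on the Shibboleth 1.3 IdP
# transaction log. Real deployments will differ; adjust the regexes to match.
SAMPLE_LOG = """\
2007-06-12 09:01:10,201 INFO Authentication assertion issued to provider (https://sp.example.ac.uk/shibboleth) on behalf of principal (u0123456).
2007-06-12 09:01:11,874 INFO Attribute assertion issued to provider (https://sp.example.ac.uk/shibboleth) on behalf of principal (u0123456).
2007-06-12 09:02:03,003 INFO Authentication assertion issued to provider (https://journals.example.org/shibboleth) on behalf of principal (u0999999).
2007-06-12 09:02:40,550 WARN Authentication failed for principal (u0123456): invalid credentials.
2007-06-12 09:03:15,120 INFO Authentication assertion issued to provider (https://sp.example.ac.uk/shibboleth) on behalf of principal (u0777777).
2007-06-12 09:03:16,001 ERROR Attribute resolution failed for principal (u0777777): directory unavailable.
"""

AUTHN_RE = re.compile(r"Authentication assertion issued to provider \((?P<sp>[^)]+)\)")
ATTR_RE = re.compile(r"Attribute assertion issued to provider \((?P<sp>[^)]+)\)")
FAIL_RE = re.compile(r"\b(WARN|ERROR)\b.*?(?P<what>Authentication failed|Attribute resolution failed)")


def summarise(lines: Iterable[str]) -> dict:
    """Aggregate the counters a monitoring agent would expose."""
    authn_per_sp: Counter = Counter()
    attr_per_sp: Counter = Counter()
    failures: Counter = Counter()
    for line in lines:
        if m := AUTHN_RE.search(line):
            authn_per_sp[m["sp"]] += 1
        elif m := ATTR_RE.search(line):
            attr_per_sp[m["sp"]] += 1
        elif m := FAIL_RE.search(line):
            failures[m["what"]] += 1
    return {
        "authn_total": sum(authn_per_sp.values()),
        "authn_per_sp": dict(authn_per_sp),
        "attr_total": sum(attr_per_sp.values()),
        "attr_per_sp": dict(attr_per_sp),
        "failures": dict(failures),
    }


def snmp_extend_output(summary: dict) -> str:
    """One integer per line, as Net-SNMP 'extend' scripts return their data.

    Each output line is addressed by its position under the extend OID, so the
    order here must stay fixed once a Cacti template depends on it.
    """
    return "\n".join(str(v) for v in (
        summary["authn_total"],
        summary["attr_total"],
        summary["failures"].get("Authentication failed", 0),
        summary["failures"].get("Attribute resolution failed", 0),
    ))


if __name__ == "__main__":
    print(snmp_extend_output(summarise(SAMPLE_LOG.splitlines())))
```

A production version of this reads the live log incrementally (remembering its file offset and coping with log rotation) rather than the whole file on every SNMP poll, and a sudden drop of `authn_total` to zero while the Status handler still reports AVAILABLE is exactly the kind of symptom the per-node counters are there to catch.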
Cardiff's setup (cont'd)

Tech' Recommendations
➢ Metadata (the list of who is in the federation):
    ➢ CRON job to update overnight, every night
➢ Attributes:
    ➢ Haven't implemented eduPerson in the directory; we use our own attributes and map them to the eduPerson schema using resolver.xml
Tech' Recommendations (cont'd)
➢ eduPersonScopedAffiliation:
    ➢ Mapped to CardiffFAMAffiliation attribute in our directory (webauth tree)
    ➢ Provisioned by our IDM system
    ➢ “member” if current staff, current student, current training grade doctor, or manually “made” a member in the IDM web interface
    ➢ staff/student similarly IDM driven
Tech' Recommendations (cont'd)
➢ eduPersonTargetedID:
    ➢ Simply using PersistentIDAttributeDefinition, linked to the IDM IdentityNumber
    ➢ Dynamically and cryptographically creates an opaque, consistent TargetedID per user per resource
➢ eduPersonPrincipalName:
    ➢ Mapped to cn attribute in our directory
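The slide names the mechanism but not the construction. As an added example (not Cardiff's configuration and not the IdP's own code), here is the computed persistent-ID scheme in Python and a check of the three properties the slide claims: opaque, consistent for one user at one resource, and different at every other resource. The byte layout used, base64 of SHA-1 over the relying party's entityID, "!", the local identifier, "!" and a secret salt, is the one later Shibboleth ComputedId definitions document; treat its applicability to the 1.3 PersistentIDAttributeDefinition as an assumption. The salt and identifiers are constructed.

```python
import base64
import hashlib
import hmac

# Constructed secret salt. In a multi-node IdP (idp1/idp2 behind a load
# balancer) every node must hold the identical salt, or the "consistent"
# property breaks the moment a user is routed to a different node.
SALT = b"example-salt-keep-secret-and-identical-on-every-idp-node"


def persistent_id(relying_party: str, local_id: str, salt: bytes = SALT) -> str:
    """Opaque, stable per-(user, SP) identifier.

    Layout assumed: base64( SHA-1( entityID + "!" + localId + "!" + salt ) ).
    The salt is what keeps the value opaque: without it an SP holding a
    candidate list of local identifiers could recompute and match them.
    """
    digest = hashlib.sha1()
    digest.update(relying_party.encode("utf-8"))
    digest.update(b"!")
    digest.update(local_id.encode("utf-8"))
    digest.update(b"!")
    digest.update(salt)
    return base64.b64encode(digest.digest()).decode("ascii")


def same_subject(stored_id: str, presented_id: str) -> bool:
    """How an SP should compare a stored TargetedID with a freshly asserted one."""
    return hmac.compare_digest(stored_id, presented_id)


def properties() -> dict:
    """Exercise the guarantees the slide describes on constructed inputs."""
    journals = "https://journals.example.org/shibboleth"
    library = "https://library.example.ac.uk/shibboleth"
    identity_number = "1234567"  # constructed IDM IdentityNumber
    a = persistent_id(journals, identity_number)
    return {
        "consistent": same_subject(a, persistent_id(journals, identity_number)),
        "per_resource": a != persistent_id(library, identity_number),
        "salt_dependent": a != persistent_id(journals, identity_number, b"other-salt"),
        "digest_bytes": len(base64.b64decode(a)),
    }


if __name__ == "__main__":
    print(properties())
```

Two operational consequences follow from the construction: the salt is a long-lived secret that must be backed up and distributed to every IdP node with the same care as the signing key, because losing or changing it silently re-keys every user's identity at every SP; and a short, structured local identifier such as a numeric identity number is only protected from enumeration by that salt, so it must never be readable by the SPs the IDs are issued to.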
Tech' Recommendations (cont'd)
➢ eduPersonEntitlement:
    ➢ Mapped to CardiffFamEntitlements attribute in our directory
    ➢ Provisioned by our IDM system where possible
    ➢ Manually administered via the IDM web interface otherwise
Tech' Recommendations (cont'd)
➢ Attribute Release Policies
    ➢ arp.site.xml
    ➢ Set to release the minimum information (scopedAffiliation and TargetedID) unless specifically set otherwise
    ➢ Release more if desired on a case-by-case basis
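The release policy itself is XML in arp.site.xml and is not shown on the slide. As an added example, not the IdP's implementation and not Cardiff's policy, the following Python models the evaluation semantics the slide describes: deny by default, a site-wide rule for any requester that releases only scopedAffiliation and TargetedID, and requester-specific rules that add attributes, optionally restricted to named values, case by case. The SP entityIDs, attribute values and scope are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

ANY_TARGET = "*"  # stands for a rule whose target is any requester


@dataclass(frozen=True)
class Rule:
    """One release rule: the requester it applies to, the attribute it covers,
    and the values it permits (None means any value of that attribute)."""
    target: str
    attribute: str
    values: Optional[frozenset] = None


# Site policy modelled on the slide. EntityIDs are constructed.
SITE_RULES: List[Rule] = [
    Rule(ANY_TARGET, "eduPersonScopedAffiliation"),
    Rule(ANY_TARGET, "eduPersonTargetedID"),
    # Case-by-case additions for named SPs:
    Rule("https://hr-portal.example.ac.uk/shibboleth", "eduPersonPrincipalName"),
    Rule("https://journals.example.org/shibboleth", "eduPersonEntitlement",
         frozenset({"urn:mace:dir:entitlement:common-lib-terms"})),
]

# Constructed attribute set for one user, as the resolver would hand it over.
USER: Dict[str, Set[str]] = {
    "eduPersonScopedAffiliation": {"member@example.ac.uk", "staff@example.ac.uk"},
    "eduPersonTargetedID": {"Q29uc3RydWN0ZWQgZXhhbXBsZSBJRA=="},
    "eduPersonPrincipalName": {"abc1@example.ac.uk"},
    "eduPersonEntitlement": {"urn:mace:dir:entitlement:common-lib-terms",
                             "urn:mace:example.ac.uk:internal-only"},
}


def release(rules: Iterable[Rule], requester: str,
            attributes: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Deny by default: a value leaves the IdP only if some rule whose target
    is this requester (or any requester) permits it. Permits are unioned."""
    out: Dict[str, Set[str]] = {}
    for rule in rules:
        if rule.target not in (ANY_TARGET, requester):
            continue
        have = attributes.get(rule.attribute)
        if not have:
            continue
        permitted = have if rule.values is None else have & rule.values
        if permitted:
            out.setdefault(rule.attribute, set()).update(permitted)
    return out


if __name__ == "__main__":
    for sp in ("https://unknown-sp.example.org/shibboleth",
               "https://journals.example.org/shibboleth",
               "https://hr-portal.example.ac.uk/shibboleth"):
        print(sp, sorted(release(SITE_RULES, sp, USER)))
```

The value-level rule for the journals SP is the part worth copying: an entitlement attribute typically carries both federation-wide values and internal ones, and releasing the attribute wholesale would leak the internal values to every SP that is granted "eduPersonEntitlement".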
Authentication Options
➢ Apache vs Tomcat:
    ➢ Apache simpler
    ➢ Tomcat a lot more user-friendly for your users
    ➢ Our login page:
Overview
➢ Auditing of resources
➢ Promotion and Communication
➢ What has happened so far?
➢ What's going to happen next?
➢ Questions?
Auditing of resources
➢ Resources tested for Shibboleth compliance.
➢ Non-compliant resources:
    ➢ Westlaw – generic usernames and passwords until new platform released
    ➢ Lexis Nexis Professional – should be moved to Butterworths
➢ Alerts, Saved Searches and Personalisation.
Promotion and Communication
➢ Emails about Shibboleth/CU Login sent to all Information Services staff
➢ Presentation on changes given to all library and helpdesk staff
➢ Documentation sent to all 18 libraries
➢ Web page – Off campus access
➢ Changes to databases page
➢ Subject Librarians cascaded information to all new students and staff
What has happened so far?
➢ Went live – Sept 06
➢ Users
    ➢ New Training Grade Doctors
    ➢ New Students
    ➢ New Staff
    ➢ Users with expired accounts or problems
➢ 53.35 % of access to “Athens” e-resources is by CU login
What's going to happen next?
➢ 2nd July – changes to website to encourage remaining Athens users to switch
➢ Email to users with active Athens accounts
➢ Monitor use of Athens accounts over the next year and contact individual users to migrate.
➢ April 08 – All Athens accounts expire
The end
Any Questions?

www.identity-project.org/survey.doc

Email smith@cardiff.ac.uk for:
    more info
    a copy of these slides
    clarification of any points
    meaningful discussion about Shib
    meaningless discussion about Stanley Cup finals...
More Related Content

Viewers also liked

Actividad 15
Actividad 15Actividad 15
Actividad 15ttturbo
 
Test
TestTest
TestQOU
 
The Art Of Pricing
The Art Of PricingThe Art Of Pricing
The Art Of Pricingeve841126
 
The Berry Tree - How it works
The Berry Tree - How it worksThe Berry Tree - How it works
The Berry Tree - How it worksberrytree
 
Digital Parents - St Crispins
Digital Parents - St CrispinsDigital Parents - St Crispins
Digital Parents - St CrispinsToby Treacher
 
Cannaerts Wambeke Verjans_EDEN2007
Cannaerts Wambeke Verjans_EDEN2007Cannaerts Wambeke Verjans_EDEN2007
Cannaerts Wambeke Verjans_EDEN2007Steven Verjans
 
Being Google
Being GoogleBeing Google
Being GoogleTom Dyson
 
Crime Prevention Movie
Crime Prevention MovieCrime Prevention Movie
Crime Prevention Moviesocialsubjects
 
Primi Elementi Di Geometria
Primi Elementi Di GeometriaPrimi Elementi Di Geometria
Primi Elementi Di Geometrialiceogaribaldi
 
Personal Carbon Rationing
Personal Carbon RationingPersonal Carbon Rationing
Personal Carbon RationingTom Dyson
 
G U I N E A E C U A T O R I A L
G U I N E A  E C U A T O R I A LG U I N E A  E C U A T O R I A L
G U I N E A E C U A T O R I A LToni Solano
 
Szetela Ses Toronto Contextual
Szetela Ses Toronto ContextualSzetela Ses Toronto Contextual
Szetela Ses Toronto ContextualDavid Szetela
 
產業實習期末報告
產業實習期末報告產業實習期末報告
產業實習期末報告bgbgbg
 
I Numeri Razionali Assoluti E I Numeri Periodici
I Numeri Razionali Assoluti E I Numeri PeriodiciI Numeri Razionali Assoluti E I Numeri Periodici
I Numeri Razionali Assoluti E I Numeri Periodiciliceogaribaldi
 
TEKNOLOGIA Txostena
TEKNOLOGIA TxostenaTEKNOLOGIA Txostena
TEKNOLOGIA Txostenasanbizente
 

Viewers also liked (20)

Actividad 15
Actividad 15Actividad 15
Actividad 15
 
Test
TestTest
Test
 
Un paseo por las calles de Gijón
Un paseo por las calles de GijónUn paseo por las calles de Gijón
Un paseo por las calles de Gijón
 
The Art Of Pricing
The Art Of PricingThe Art Of Pricing
The Art Of Pricing
 
The Berry Tree - How it works
The Berry Tree - How it worksThe Berry Tree - How it works
The Berry Tree - How it works
 
Digital Parents - St Crispins
Digital Parents - St CrispinsDigital Parents - St Crispins
Digital Parents - St Crispins
 
Cannaerts Wambeke Verjans_EDEN2007
Cannaerts Wambeke Verjans_EDEN2007Cannaerts Wambeke Verjans_EDEN2007
Cannaerts Wambeke Verjans_EDEN2007
 
Being Google
Being GoogleBeing Google
Being Google
 
Crime Prevention Movie
Crime Prevention MovieCrime Prevention Movie
Crime Prevention Movie
 
Happiness
HappinessHappiness
Happiness
 
Primi Elementi Di Geometria
Primi Elementi Di GeometriaPrimi Elementi Di Geometria
Primi Elementi Di Geometria
 
Personal Carbon Rationing
Personal Carbon RationingPersonal Carbon Rationing
Personal Carbon Rationing
 
I Numeri Relativi
I Numeri RelativiI Numeri Relativi
I Numeri Relativi
 
G U I N E A E C U A T O R I A L
G U I N E A  E C U A T O R I A LG U I N E A  E C U A T O R I A L
G U I N E A E C U A T O R I A L
 
Szetela Ses Toronto Contextual
Szetela Ses Toronto ContextualSzetela Ses Toronto Contextual
Szetela Ses Toronto Contextual
 
產業實習期末報告
產業實習期末報告產業實習期末報告
產業實習期末報告
 
Síntesi Dafo
Síntesi DafoSíntesi Dafo
Síntesi Dafo
 
I Numeri Razionali Assoluti E I Numeri Periodici
I Numeri Razionali Assoluti E I Numeri PeriodiciI Numeri Razionali Assoluti E I Numeri Periodici
I Numeri Razionali Assoluti E I Numeri Periodici
 
TEKNOLOGIA Txostena
TEKNOLOGIA TxostenaTEKNOLOGIA Txostena
TEKNOLOGIA Txostena
 
La Población
La PoblaciónLa Población
La Población
 

Similar to Implementing a production Shibboleth IdP service at Cardiff University

Gmr Highload Presentation Revised
Gmr Highload Presentation RevisedGmr Highload Presentation Revised
Gmr Highload Presentation RevisedOntico
 
Gmr Highload Presentation
Gmr Highload PresentationGmr Highload Presentation
Gmr Highload PresentationOntico
 
YAPC2007 Remote System Monitoring (w. Notes)
YAPC2007 Remote System Monitoring (w. Notes)YAPC2007 Remote System Monitoring (w. Notes)
YAPC2007 Remote System Monitoring (w. Notes)rgiersig
 
Inside Picnik: How We Built Picnik (and What We Learned Along the Way)
Inside Picnik: How We Built Picnik (and What We Learned Along the Way)Inside Picnik: How We Built Picnik (and What We Learned Along the Way)
Inside Picnik: How We Built Picnik (and What We Learned Along the Way)jjhuff
 
Blueprint talk at Open Hackday London 2009
Blueprint talk at Open Hackday London 2009Blueprint talk at Open Hackday London 2009
Blueprint talk at Open Hackday London 2009Ricardo Varela
 
My History with Atlassian Tools, and Why I'm Moving to Studio
My History with Atlassian Tools, and Why I'm Moving to StudioMy History with Atlassian Tools, and Why I'm Moving to Studio
My History with Atlassian Tools, and Why I'm Moving to StudioAtlassian
 
Scaling Drupal: Not IF... HOW
Scaling Drupal: Not IF... HOWScaling Drupal: Not IF... HOW
Scaling Drupal: Not IF... HOWTreehouse Agency
 
Wide Open Spaces Using My Sql As A Web Mapping Service Backend
Wide Open Spaces Using My Sql As A Web Mapping Service BackendWide Open Spaces Using My Sql As A Web Mapping Service Backend
Wide Open Spaces Using My Sql As A Web Mapping Service BackendMySQLConference
 
The Current State of Asynchronous Processing With Ruby
The Current State of Asynchronous Processing With RubyThe Current State of Asynchronous Processing With Ruby
The Current State of Asynchronous Processing With Rubymattmatt
 
Pallab\'s Presentation at Gis for Transportation Symposium
Pallab\'s Presentation at Gis for Transportation SymposiumPallab\'s Presentation at Gis for Transportation Symposium
Pallab\'s Presentation at Gis for Transportation Symposiumpallabgc
 
Overview and Walkthrough of the Application Programming Model with SAP Cloud ...
Overview and Walkthrough of the Application Programming Model with SAP Cloud ...Overview and Walkthrough of the Application Programming Model with SAP Cloud ...
Overview and Walkthrough of the Application Programming Model with SAP Cloud ...SAP Cloud Platform
 
Agile Java Testing With Open Source Frameworks
Agile Java Testing With Open Source FrameworksAgile Java Testing With Open Source Frameworks
Agile Java Testing With Open Source FrameworksViraf Karai
 
Actors in a New "Highly Parallel" World
Actors in a New "Highly Parallel" WorldActors in a New "Highly Parallel" World
Actors in a New "Highly Parallel" WorldFabio Correa
 
Samuel Asher Rivello - PureMVC Hands On Part 2
Samuel Asher Rivello - PureMVC Hands On Part 2Samuel Asher Rivello - PureMVC Hands On Part 2
Samuel Asher Rivello - PureMVC Hands On Part 2360|Conferences
 
Rails Conf Europe 2007 Notes
Rails Conf  Europe 2007  NotesRails Conf  Europe 2007  Notes
Rails Conf Europe 2007 NotesRoss Lawley
 
Extending The My Sql Data Landscape
Extending The My Sql Data LandscapeExtending The My Sql Data Landscape
Extending The My Sql Data LandscapeRonald Bradford
 

Similar to Implementing a production Shibboleth IdP service at Cardiff University (20)

Gmr Highload Presentation Revised
Gmr Highload Presentation RevisedGmr Highload Presentation Revised
Gmr Highload Presentation Revised
 
Gmr Highload Presentation
Gmr Highload PresentationGmr Highload Presentation
Gmr Highload Presentation
 
YAPC2007 Remote System Monitoring (w. Notes)
YAPC2007 Remote System Monitoring (w. Notes)YAPC2007 Remote System Monitoring (w. Notes)
YAPC2007 Remote System Monitoring (w. Notes)
 
Inside Picnik: How We Built Picnik (and What We Learned Along the Way)
Inside Picnik: How We Built Picnik (and What We Learned Along the Way)Inside Picnik: How We Built Picnik (and What We Learned Along the Way)
Inside Picnik: How We Built Picnik (and What We Learned Along the Way)
 
Blueprint talk at Open Hackday London 2009
Blueprint talk at Open Hackday London 2009Blueprint talk at Open Hackday London 2009
Blueprint talk at Open Hackday London 2009
 
My History with Atlassian Tools, and Why I'm Moving to Studio
My History with Atlassian Tools, and Why I'm Moving to StudioMy History with Atlassian Tools, and Why I'm Moving to Studio
My History with Atlassian Tools, and Why I'm Moving to Studio
 
Scaling Drupal: Not IF... HOW
Scaling Drupal: Not IF... HOWScaling Drupal: Not IF... HOW
Scaling Drupal: Not IF... HOW
 
Magee Dday2 Fixing App Performance Italiano
Magee Dday2 Fixing App Performance ItalianoMagee Dday2 Fixing App Performance Italiano
Magee Dday2 Fixing App Performance Italiano
 
Case Studies
Case StudiesCase Studies
Case Studies
 
Wide Open Spaces Using My Sql As A Web Mapping Service Backend
Wide Open Spaces Using My Sql As A Web Mapping Service BackendWide Open Spaces Using My Sql As A Web Mapping Service Backend
Wide Open Spaces Using My Sql As A Web Mapping Service Backend
 
The Current State of Asynchronous Processing With Ruby
The Current State of Asynchronous Processing With RubyThe Current State of Asynchronous Processing With Ruby
The Current State of Asynchronous Processing With Ruby
 
SEASR Installation
SEASR InstallationSEASR Installation
SEASR Installation
 
Pallab\'s Presentation at Gis for Transportation Symposium
Pallab\'s Presentation at Gis for Transportation SymposiumPallab\'s Presentation at Gis for Transportation Symposium
Pallab\'s Presentation at Gis for Transportation Symposium
 
Overview and Walkthrough of the Application Programming Model with SAP Cloud ...
Overview and Walkthrough of the Application Programming Model with SAP Cloud ...Overview and Walkthrough of the Application Programming Model with SAP Cloud ...
Overview and Walkthrough of the Application Programming Model with SAP Cloud ...
 
Agile Java Testing With Open Source Frameworks
Agile Java Testing With Open Source FrameworksAgile Java Testing With Open Source Frameworks
Agile Java Testing With Open Source Frameworks
 
Actors in a New "Highly Parallel" World
Actors in a New "Highly Parallel" WorldActors in a New "Highly Parallel" World
Actors in a New "Highly Parallel" World
 
Samuel Asher Rivello - PureMVC Hands On Part 2
Samuel Asher Rivello - PureMVC Hands On Part 2Samuel Asher Rivello - PureMVC Hands On Part 2
Samuel Asher Rivello - PureMVC Hands On Part 2
 
Rails Conf Europe 2007 Notes
Rails Conf  Europe 2007  NotesRails Conf  Europe 2007  Notes
Rails Conf Europe 2007 Notes
 
Seminar - JBoss Migration
Seminar - JBoss MigrationSeminar - JBoss Migration
Seminar - JBoss Migration
 
Extending The My Sql Data Landscape
Extending The My Sql Data LandscapeExtending The My Sql Data Landscape
Extending The My Sql Data Landscape
 

More from JISC.AM

Identity Assurance Profiles
Identity Assurance ProfilesIdentity Assurance Profiles
Identity Assurance ProfilesJISC.AM
 
Assurance
AssuranceAssurance
AssuranceJISC.AM
 
I2 Fedsoup
I2 FedsoupI2 Fedsoup
I2 FedsoupJISC.AM
 
Cuckoo (Graham Mason, Ed Beddows)
Cuckoo (Graham Mason, Ed Beddows)Cuckoo (Graham Mason, Ed Beddows)
Cuckoo (Graham Mason, Ed Beddows)JISC.AM
 
Federated Futures (Nicole Harris)
Federated Futures (Nicole Harris)Federated Futures (Nicole Harris)
Federated Futures (Nicole Harris)JISC.AM
 
Introduction to Shib 2.0 (Chad La Joie)
Introduction to Shib 2.0 (Chad La Joie)Introduction to Shib 2.0 (Chad La Joie)
Introduction to Shib 2.0 (Chad La Joie)JISC.AM
 
The Identity Project (Rhys Smith)
The Identity Project (Rhys Smith)The Identity Project (Rhys Smith)
The Identity Project (Rhys Smith)JISC.AM
 
Shibboleth 2.0 IdP slides - Installfest (Edited)
Shibboleth 2.0 IdP slides - Installfest (Edited)Shibboleth 2.0 IdP slides - Installfest (Edited)
Shibboleth 2.0 IdP slides - Installfest (Edited)JISC.AM
 
Shibboleth 2.0 SP slides - Installfest
Shibboleth 2.0 SP slides - InstallfestShibboleth 2.0 SP slides - Installfest
Shibboleth 2.0 SP slides - InstallfestJISC.AM
 
SARoNGS project (Jens Jensen)
SARoNGS project (Jens Jensen)SARoNGS project (Jens Jensen)
SARoNGS project (Jens Jensen)JISC.AM
 
Names project (Amanda Hill)
Names project (Amanda Hill)Names project (Amanda Hill)
Names project (Amanda Hill)JISC.AM
 
Studies in advanced access mgmt: GFIVO project (Cal Racey)
Studies in advanced access mgmt: GFIVO project (Cal Racey)Studies in advanced access mgmt: GFIVO project (Cal Racey)
Studies in advanced access mgmt: GFIVO project (Cal Racey)JISC.AM
 
Identity: Future directions (David Orrell, Eduserv Foundation)
Identity: Future directions (David Orrell, Eduserv Foundation)Identity: Future directions (David Orrell, Eduserv Foundation)
Identity: Future directions (David Orrell, Eduserv Foundation)JISC.AM
 
Shintau And VPMan proejcts (David Chadwick)
Shintau And VPMan proejcts (David Chadwick)Shintau And VPMan proejcts (David Chadwick)
Shintau And VPMan proejcts (David Chadwick)JISC.AM
 
Identity: Future directions (David Orrell, Eduserv Foundation)
Identity: Future directions (David Orrell, Eduserv Foundation)Identity: Future directions (David Orrell, Eduserv Foundation)
Identity: Future directions (David Orrell, Eduserv Foundation)JISC.AM
 
Internet2 Fall MM 2007 - Jane Charlton
Internet2 Fall MM 2007 - Jane CharltonInternet2 Fall MM 2007 - Jane Charlton
Internet2 Fall MM 2007 - Jane CharltonJISC.AM
 
'Connecting poeple to resources' by Nicole Harris at UKSG 2007
'Connecting poeple to resources' by Nicole Harris at UKSG 2007'Connecting poeple to resources' by Nicole Harris at UKSG 2007
'Connecting poeple to resources' by Nicole Harris at UKSG 2007JISC.AM
 
Federated Access Management 102
Federated Access Management 102Federated Access Management 102
Federated Access Management 102JISC.AM
 
Federated Access Management (Sconul Access Conference)
Federated Access Management (Sconul Access Conference)Federated Access Management (Sconul Access Conference)
Federated Access Management (Sconul Access Conference)JISC.AM
 

More from JISC.AM (20)

Identity Assurance Profiles
Identity Assurance ProfilesIdentity Assurance Profiles
Identity Assurance Profiles
 
Assurance
AssuranceAssurance
Assurance
 
I2 Fedsoup
I2 FedsoupI2 Fedsoup
I2 Fedsoup
 
Cuckoo (Graham Mason, Ed Beddows)
Cuckoo (Graham Mason, Ed Beddows)Cuckoo (Graham Mason, Ed Beddows)
Cuckoo (Graham Mason, Ed Beddows)
 
Federated Futures (Nicole Harris)
Federated Futures (Nicole Harris)Federated Futures (Nicole Harris)
Federated Futures (Nicole Harris)
 
Introduction to Shib 2.0 (Chad La Joie)
Introduction to Shib 2.0 (Chad La Joie)Introduction to Shib 2.0 (Chad La Joie)
Introduction to Shib 2.0 (Chad La Joie)
 
The Identity Project (Rhys Smith)
The Identity Project (Rhys Smith)The Identity Project (Rhys Smith)
The Identity Project (Rhys Smith)
 
Shibboleth 2.0 IdP slides - Installfest (Edited)
Shibboleth 2.0 IdP slides - Installfest (Edited)Shibboleth 2.0 IdP slides - Installfest (Edited)
Shibboleth 2.0 IdP slides - Installfest (Edited)
 
Shibboleth 2.0 SP slides - Installfest
Shibboleth 2.0 SP slides - InstallfestShibboleth 2.0 SP slides - Installfest
Shibboleth 2.0 SP slides - Installfest
 
SARoNGS project (Jens Jensen)
SARoNGS project (Jens Jensen)SARoNGS project (Jens Jensen)
SARoNGS project (Jens Jensen)
 
Names project (Amanda Hill)
Names project (Amanda Hill)Names project (Amanda Hill)
Names project (Amanda Hill)
 
Studies in advanced access mgmt: GFIVO project (Cal Racey)
Studies in advanced access mgmt: GFIVO project (Cal Racey)Studies in advanced access mgmt: GFIVO project (Cal Racey)
Studies in advanced access mgmt: GFIVO project (Cal Racey)
 
Identity: Future directions (David Orrell, Eduserv Foundation)
Identity: Future directions (David Orrell, Eduserv Foundation)Identity: Future directions (David Orrell, Eduserv Foundation)
Identity: Future directions (David Orrell, Eduserv Foundation)
 
Shintau And VPMan proejcts (David Chadwick)
Shintau And VPMan proejcts (David Chadwick)Shintau And VPMan proejcts (David Chadwick)
Shintau And VPMan proejcts (David Chadwick)
 
Identity: Future directions (David Orrell, Eduserv Foundation)
Identity: Future directions (David Orrell, Eduserv Foundation)Identity: Future directions (David Orrell, Eduserv Foundation)
Identity: Future directions (David Orrell, Eduserv Foundation)
 
Internet2 Fall MM 2007 - Jane Charlton
Internet2 Fall MM 2007 - Jane CharltonInternet2 Fall MM 2007 - Jane Charlton
Internet2 Fall MM 2007 - Jane Charlton
 
'Connecting poeple to resources' by Nicole Harris at UKSG 2007
'Connecting poeple to resources' by Nicole Harris at UKSG 2007'Connecting poeple to resources' by Nicole Harris at UKSG 2007
'Connecting poeple to resources' by Nicole Harris at UKSG 2007
 
Openid
OpenidOpenid
Openid
 
Federated Access Management 102
Federated Access Management 102Federated Access Management 102
Federated Access Management 102
 
Federated Access Management (Sconul Access Conference)
Federated Access Management (Sconul Access Conference)Federated Access Management (Sconul Access Conference)
Federated Access Management (Sconul Access Conference)
 

Recently uploaded

A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rick Flair
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersRaghuram Pandurangan
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embeddingZilliz
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
What is Artificial Intelligence?????????
What is Artificial Intelligence?????????What is Artificial Intelligence?????????
What is Artificial Intelligence?????????blackmambaettijean
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsNathaniel Shimoni
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 

Recently uploaded (20)

A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embedding
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
What is Artificial Intelligence?????????
What is Artificial Intelligence?????????What is Artificial Intelligence?????????
What is Artificial Intelligence?????????
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 

Implementing a production Shibboleth IdP service at Cardiff University

  • 8. Tech' Recommendations
    ➢ Metadata (the list of who is in the federation): CRON job to update it overnight, every night
    ➢ Attributes: we haven't implemented eduPerson in the directory; we use our own attributes and map them to the eduPerson schema using resolver.xml
  • 9. Tech' Recommendations (cont'd)
    eduPersonScopedAffiliation:
    ➢ Mapped to the CardiffFAMAffiliation attribute in our directory (webauth tree)
    ➢ Provisioned by our IDM system
    ➢ "member" if current staff, current student, current training grade doctor, or manually "made" a member in the IDM web interface
    ➢ staff/student similarly IDM driven
  • 10. Tech' Recommendations (cont'd)
    eduPersonTargetedID:
    ➢ Simply using PersistentIDAttributeDefinition, linked to the IDM IdentityNumber
    ➢ Dynamically and cryptographically creates an opaque, consistent TargetedID per user per resource
    eduPersonPrincipalName:
    ➢ Mapped to the cn attribute in our directory
  • 11. Tech' Recommendations (cont'd)
    eduPersonEntitlement:
    ➢ Mapped to the CardiffFamEntitlements attribute in our directory
    ➢ Provisioned by our IDM system where possible
    ➢ Manually administered via the IDM web interface otherwise
  • 12. Tech' Recommendations (cont'd)
    Attribute Release Policies
    ➢ arp.site.xml
    ➢ Set to release minimum information (scopedAffiliation and TargetedID) unless specifically set otherwise
    ➢ Release more if desired on a case by case basis
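Slides 8 to 12 describe three pieces that fit together at attribute-resolution time: local directory attributes mapped to eduPerson names, an opaque per-user-per-resource eduPersonTargetedID derived from the IDM IdentityNumber, and a release policy that lets only scopedAffiliation and TargetedID out by default. The following is an added example in Python, not Cardiff's resolver.xml or arp.site.xml, modelling all three so the property the slides claim can be checked: the same user gets the same TargetedID at one SP, two SPs get values they cannot correlate, and an SP with no specific rule receives only the minimum pair. The directory entry, salt, scope and SP entityIDs are constructed; the keyed-hash construction is the technique the slides describe, not the exact formula of the IdP's PersistentIDAttributeDefinition.

```python
"""Added example: eduPerson mapping, opaque TargetedID and minimum-release ARP.
Not Cardiff's configuration; all names and values below are constructed."""
import base64
import hashlib
import hmac

SCOPE = "cardiff.ac.uk"  # assumed scope for scoped attributes
# In a real deployment this is a long random secret; changing it changes every user's TargetedID.
SALT = b"assumed-long-random-salt-kept-secret"

# Constructed sample of what the directory connector returns for one user.
# Attribute names follow the slides; the values are invented.
SAMPLE_DIRECTORY_ENTRY = {
    "cn": "smithr1",
    "IdentityNumber": "0123456",
    "CardiffFAMAffiliation": ["member", "staff"],
    "CardiffFamEntitlements": ["urn:mace:dir:entitlement:common-lib-terms"],
}

# arp.site.xml stand-in: minimum set for everyone, extra attributes per SP.
DEFAULT_RELEASE = {"eduPersonScopedAffiliation", "eduPersonTargetedID"}
PER_SP_RELEASE = {  # assumed entityIDs
    "https://library-portal.example.org/shibboleth": {
        "eduPersonPrincipalName",
        "eduPersonEntitlement",
    },
}


def targeted_id(identity_number: str, sp_entity_id: str, salt: bytes = SALT) -> str:
    """Opaque, consistent identifier per user per SP.
    A keyed hash over (SP entityID, local identifier): stable for one SP,
    uncorrelatable across SPs, and the IdentityNumber is not recoverable
    without the salt."""
    message = sp_entity_id.encode() + b"!" + identity_number.encode()
    digest = hmac.new(salt, message, hashlib.sha256).digest()
    return base64.b64encode(digest).decode()


def resolve_eduperson(entry: dict, sp_entity_id: str) -> dict:
    """resolver.xml stand-in: local directory attributes to eduPerson names."""
    return {
        "eduPersonPrincipalName": f"{entry['cn']}@{SCOPE}",
        "eduPersonScopedAffiliation": [f"{a}@{SCOPE}" for a in entry["CardiffFAMAffiliation"]],
        "eduPersonEntitlement": list(entry["CardiffFamEntitlements"]),
        "eduPersonTargetedID": targeted_id(entry["IdentityNumber"], sp_entity_id),
    }


def apply_arp(attributes: dict, sp_entity_id: str) -> dict:
    """Release the default minimum plus anything specifically granted to this SP."""
    allowed = DEFAULT_RELEASE | PER_SP_RELEASE.get(sp_entity_id, set())
    return {name: value for name, value in attributes.items() if name in allowed}


def released_attributes(entry: dict, sp_entity_id: str) -> dict:
    """What a given SP actually receives for this user."""
    return apply_arp(resolve_eduperson(entry, sp_entity_id), sp_entity_id)


if __name__ == "__main__":
    for sp in ("https://unknown-sp.example.org/shibboleth", *PER_SP_RELEASE):
        print(sp, released_attributes(SAMPLE_DIRECTORY_ENTRY, sp))
```

The salt is the part to protect: with it, anyone can recompute every user's TargetedID at every SP, and losing it means every SP sees a new, unlinked user population the next morning.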
  • 13. Authentication Options
    ➢ Apache vs Tomcat:
      ➢ Apache simpler
      ➢ Tomcat a lot more user friendly for your users
    ➢ Our login page:
  • 14. (screenshot of the login page; no slide text)
  • 15. Overview
    ➢ Auditing of resources
    ➢ Promotion and Communication
    ➢ What has happened so far?
    ➢ What's going to happen next?
    ➢ Questions?
  • 16. Auditing of resources
    ➢ Resources tested for Shibboleth compliance
    ➢ Non-compliant resources:
      ➢ Westlaw – generic usernames and passwords until new platform released
      ➢ Lexis Nexis Professional – should be moved to Butterworths
    ➢ Alerts, Saved Searches and Personalisation
  • 17. Promotion and Communication
    ➢ Emails about Shibboleth/CU Login sent to all Information Services staff
    ➢ Presentation on changes given to all library and helpdesk staff
    ➢ Documentation sent to all 18 libraries
    ➢ Web page – Off campus access
    ➢ Changes to databases page
    ➢ Subject Librarians cascaded information to all new students and staff
  • 18. What has happened so far?
    ➢ Went live – Sept 06
    ➢ Users:
      ➢ New Training Grade Doctors
      ➢ New Students
      ➢ New Staff
      ➢ Users with expired accounts or problems
    ➢ 53.35% of access to "Athens" e-resources is by CU login
  • 19. What's going to happen next?
    ➢ 2nd July – changes to website to encourage remaining Athens users to switch
    ➢ Email to users with active Athens accounts
    ➢ Monitor use of Athens accounts over the next year and contact individual users to migrate
    ➢ April 08 – All Athens accounts expire
  • 20. (image only; no slide text)
  • 21. (image only; no slide text)
  • 22. The end. Any Questions?
    www.identity-project.org/survey.doc for:
    ➢ more info
    ➢ a copy of these slides
    ➢ clarification of any points
    ➢ meaningful discussion about Shib
    ➢ meaningless discussion about Stanley Cup finals...
    email: smith@cardiff.ac.uk