Beyond Library eResources: Using OpenAthens for Enterprise Security
1. Beyond Library eResources: Using OpenAthens for enterprise security
Jonathan Richardson – Assistant CIS Director
Robin Keith – Head of Web Development
2. March 14, 2011
Who are we?
- 300-acre campus university on the outskirts of Norwich
- 23,000 students
- Rated in the top 3 of mainstream universities in the NSS
- Fourth greatest concentration of ‘most highly cited researchers’ in the UK, after London, Oxford and Cambridge
3. Athens @ UEA
- Pre-2006: used Classic Athens. High cost of management; not user friendly (multiple passwords).
- 2006: implemented Athens DA. Linked to the UEA Identity Management System for roles and to Active Directory for authentication. Uses the Athens/Shibboleth gateway.
- We only access others' (external) resources; there is no UEA Service Provider.
- We need to move forwards…
4. Why? What's changed?
- The Climate Science Hack has focused UEA on the security of our systems. UEA is a target for hackers and phishing attacks.
- Authentication and role-based access from mobile devices needs addressing.
- Need to provide a means to place UEA content in the user's space.
- Need to develop a seamless, flexible and consistent authentication environment.
- Need a way of putting more of our content into a federated environment.
5. What we want to do: our objective…
To have a single, seamless environment that supports internal and external authentication, with automatic single sign-on via multiple protocols to internal and external resources, based on the attributes of the user and the level of confidence in the authentication and in the device being used.
There are many providers of federated access products; only OpenAthens allows SAML, Shibboleth and Athens.
6. What we want to do: components…
- Authentication
- Identity Management
- Federated Access
7. Components: Identity Management…
[Diagram. Identity sources and attributes: Personnel (Oracle), Dept, Grade, Status, Students, Course, FT/PT, Visitors (Contractor, Honorary, etc.), Applicants, Partners, Alumni. Derived entitlements: Roles, AD Groups, Blackboard Groups, Library Rights, Physical Access, E-resources.]
8. Components: Authentication – Vintela Authentication Services
- Eliminates complexity by allowing Unix, Linux and Mac systems to participate as "full citizens" in Active Directory
- Provides centralized authentication and single sign-on
- Allows smart card authentication for Unix and Linux systems
- Facilitates migration to a single Active Directory-based infrastructure for all systems and users
- Simplifies security and compliance
- Group Policy for Unix, Linux and Mac OS X systems
- Vintela Services for Java enable AD authentication at the application level
9. Components: Federated Access…
- OpenAthens LA: supports multiple protocols, so gives us the best flexibility
- OpenAthens SP: for UEA collections, provides the route for us to become a publisher
- SimpleSAML: provides a lightweight route for us to SAML-enable many internal resources
- Working with suppliers to enable SAML/Shibboleth authentication
10. Putting it together: extending OpenAthens…
[Flowchart of the extended login flow. Recoverable labels: Request In; Capability VAS? (YES: SPNEGO automatic login; NO: Login Screen); Authentication; Anti-phishing; Alternative Login Screen (Facebook etc.), 3rd-party IdP, Custom Auth Provider; Attribute Provider: Roles, Level of Confidence, Mapping, LDAP (via LDAP Proxy), UEA IDMS (SPOT); Return Reason (Password Expired, Browser etc.); Authenticated; Response Out over ATHENS / SHIBBOLETH / SAML.]
11. How? Enabling a variety of access…
[Diagram centred on the OpenAthens IdP. Connected systems: UEA Active Directory, SPOT GUI, Blackboard, UEA Alumni, Polopoly (intranet), Polopoly (admin), UEA CRM Contacts, UEA Research Partners, ePrints, External Journals. Routes: Always Authenticated Route, Single Sign On Route. Protocols: Athens, OpenID, InfoCard.]
12. Progress: what we have done so far…
- Custom install of OpenAthens LA 2.1 – the basic install was not secure!
- HTTPS infrastructure
- Implemented automatic login via SPNEGO
- Integration with QAS (Quest/Vintela product)
- Return authentication sub-errors via the PHP auth module, enabling password expiry management
- Implemented SimpleSAML Service Provider
13. Progress: what we have learnt so far…
- SAML setups are HARD, especially with PKIs
- OpenAthens makes it a bit easier, but the docs could be more detailed
- Need better public documentation of setting up various Service Providers
- Eduserv support has been really helpful
14. What's next? This is not a short-term project!
- Configure internal apps for SAML: Blackboard, Aleph, SITS e:Vision, etc.
- Research OpenAthens as a keystone for collaborative working tools
- Enable trusting the home institution: not just UK HEIs but globally, plus the NHS and UK/EU governments
- Address policy issues (ToCU etc.)
- Address Teaching and Learning, Admin and Student Experience: SU eVoting; placements; Medical and PGCE courses, collaboration with placement partners
- Link external IDs like Facebook to internal accounts, with reduced levels of confidence
Identity Management – who a person is, what we know about a person
Authentication – are they who they say they are
Federated Access – what can they access
Not using LDAP – or use a secure version
Handle password errors etc.
As we increase security we increase the need to support password changes
Reducing help desk calls
Consistent anti-phishing
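Slide 12's "return authentication sub-errors via the PHP auth module" and the notes above about handling password errors and reducing help desk calls come down to one decision: which Active Directory bind failures to surface to the user, and which to keep in the logs. The block below is an added example, not the presenters' PHP module or any OpenAthens code. It is written in Python so it runs stand-alone; the diagnostic messages are constructed samples in the format AD uses, and the function names (`classify_bind`, `route_samples`) and route labels are hypothetical.

```python
"""Map Active Directory bind failures to a login route.

AD reports the reason for a failed simple bind as a hex sub-code inside the
LDAP diagnostic message, for example:
  "80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 532, v1db1"
The LDAP result code itself is 49 (invalidCredentials) for all of them, so the
sub-code is the only thing that tells "wrong password" from "password expired".
"""
import re
from dataclasses import dataclass
from typing import Optional

LDAP_INVALID_CREDENTIALS = 49

# Documented AD sub-codes (hex winerror values) seen in the bind diagnostic message.
AD_SUBCODES = {
    "525": "no_such_user",
    "52e": "bad_credentials",
    "530": "logon_hours",
    "531": "workstation_restriction",
    "532": "password_expired",
    "533": "account_disabled",
    "701": "account_expired",
    "773": "password_must_change",
    "775": "account_locked",
}

# Only these are worth telling the user about: the credentials were right and
# the account just needs a new password, so we can send them straight there.
CHANGE_PASSWORD_REASONS = {"password_expired", "password_must_change"}

GENERIC_MESSAGE = "The username or password you entered is incorrect."
CHANGE_PASSWORD_MESSAGE = "Your password has expired. Please set a new one to continue."

_DATA_CODE = re.compile(r"AcceptSecurityContext error, data ([0-9a-fA-F]+)")


@dataclass(frozen=True)
class BindOutcome:
    ok: bool
    reason: str        # internal reason, for logs only
    route: str         # hypothetical labels: "continue", "change_password", "login_screen"
    user_message: str  # what the login screen may show


def parse_bind_subcode(diagnostic: str) -> Optional[str]:
    """Extract the AD sub-code ('532', '52e', ...) from a bind diagnostic message."""
    m = _DATA_CODE.search(diagnostic or "")
    return m.group(1).lower() if m else None


def classify_bind(result_code: int, diagnostic: str = "") -> BindOutcome:
    """Turn an LDAP bind result into a login route.

    Everything except an expired/must-change password is shown to the user as a
    generic failure: 525 tells an attacker the account does not exist, and 775
    (locked out) is returned whether or not the password was right, so echoing
    them would allow account enumeration. The precise reason is kept for logging.
    """
    if result_code == 0:
        return BindOutcome(True, "ok", "continue", "")
    if result_code != LDAP_INVALID_CREDENTIALS:
        # Server-side problem (unavailable, busy, ...), not a credential problem.
        return BindOutcome(False, f"ldap_result_{result_code}", "login_screen", GENERIC_MESSAGE)
    reason = AD_SUBCODES.get(parse_bind_subcode(diagnostic) or "", "unknown")
    if reason in CHANGE_PASSWORD_REASONS:
        return BindOutcome(False, reason, "change_password", CHANGE_PASSWORD_MESSAGE)
    return BindOutcome(False, reason, "login_screen", GENERIC_MESSAGE)


# Constructed sample bind results (not captured from a real directory).
SAMPLE_RESULTS = [
    (0, ""),
    (49, "80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 532, v1db1"),
    (49, "80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 773, v1db1"),
    (49, "80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1"),
    (49, "80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 775, v1db1"),
    (52, "server unavailable"),
]


def route_samples():
    """Return [(reason, route), ...] for the constructed samples."""
    return [(o.reason, o.route) for o in (classify_bind(c, d) for c, d in SAMPLE_RESULTS)]


if __name__ == "__main__":
    for reason, route in route_samples():
        print(f"{reason:24s} -> {route}")
```

The split matters for the anti-phishing and help-desk goals together: a user with an expired password is sent to the change-password page instead of ringing the help desk, while wrong password, unknown user and locked-out all look identical at the login screen. The sub-code is only available over a bind the IdP performs itself, which is one more reason the notes insist on LDAPS rather than plain LDAP for that connection.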