Distributed Access Control - BIBSYS and the FEIDE solution
Sigbjørn Holmslet, BIBSYS, Norway
Ingrid Melve, UNINETT, Norway
ELAG Trondheim 2004

Some definitions
• Authentication - Process of proving the identity of a user. (Who are you?)
• Authorization - Process of granting or denying access rights for a resource to an authenticated user. (What are you allowed to do?)
• Credentials - Information that includes identification and proof of identification that is used to gain access to resources. Examples of credentials are user names and passwords, smart cards, and certificates.

Problems in a distributed environment
• Lots of credentials
• Lots of registration and logon procedures

Distributed Access Control

Single Sign On (SSO)
• SSO = challenges
• Technological issues
  • proxies
  • cookies
  • timeout
• Security issues
  • shared credentials
  • different security levels
  • trust

The trend in distributed access control

Some BIBSYS-facts
BIBSYS is an integrated library system used by all Norwegian University Libraries, the National Library, all College Libraries, and a number of research libraries.

The BIBSYS users
Primary users: Ca 2.500 librarians
End users:
• Ca 600.000 – patrons (not all active)
• Ca 4000 – academic users (research document database)
• 1000+ – users of other different systems

BIBSYS history of access control (the late eighties)
A1 = Authentication, A2 = Authorization
[Diagram labels: UNIX pw. file, Users]
• Legacy System (cataloguing, search, etc) – Access Control: A1 – Unix, A2 – User file

BIBSYS history of access control (mid nineties)
A1 = Authentication, A2 = Authorization
[Diagram labels: UNIX pw. file, Patrons, IP-list, Users]
• Legacy System – Access Control: A1 – Unix, A2 – User file
• Access Control: A1 – Patron-ID, last name, A2 – Web search
• Access Control: A1 – IP-filtering, A2 – ISI search

BIBSYS history of access control (late nineties)
A1 = Authentication, A2 = Authorization
[Diagram labels: Apache pw. file, UNIX pw. file, Apache pw. file, Users, IP-list, Patrons]
• Legacy System – Access Control: A1 – Unix, A2 – User file
• Access Control: A1 – Patron-ID, last name, A2 – Web search
• Access Control: A1 – IP-filtering, A2 – ISI search
• Some web service – Access Control: A1 – Apache password-file
• Some web service – Access Control: A1 – Apache password-file

BIBSYS in the late nineties
[Diagram: BIBSYS]

BIBSYS Access Control Project
• Goal:
  • Provide interoperability between internal systems
  • Offer access control to our patrons
  • Avoid administration overhead
  • Consider cross-organizational access control

BIBSYS Access Control Project
• We considered two commercial access control systems:
  • Candle/Cactus
  • ISOS/Athens
• Conclusion:
  • Too expensive
  • BIBSYS is not the right institution to host a cross-organizational access control system for our end users
• Decisions:
  • Develop our own access control for internal use
  • Wait and see for a cross-organizational solution

A common role based access control system
[Diagram labels: Apache pw. file, UNIX pw. file, Apache pw. file, Patrons, IP-list, Users, Common role based access control system]
• Only access-relevant information: credentials, roles, IPs

Starting point
A1 = Authentication, A2 = Authorization
[Diagram labels: Apache pw. file, UNIX pw. file, Apache pw. file, Users, IP-list, Patrons]
• Legacy System – Access Control: A1 – Unix, A2 – User file
• Access Control: A1 – Patron-ID, last name, A2 – Web search
• Access Control: A1 – IP-filtering, A2 – ISI search
• Some web service – Access Control: A1 – Apache password-file
• Some web service – Access Control: A1 – Apache password-file

Result (ideal)
[Diagram labels: Common role based access control system, Service A, Service B, Service C, Service D, Service E]

Result (real)
• Implemented a new role based access control system
• We released new personalized services for patrons and librarians
• Low administration costs (machine-generated password by email)
• Some systems still use their old access control
• The wait and see strategy paid off – result: FEIDE

Status of 2002
[Diagram: BIBSYS]

New challenge
• Offering our users access through the FEIDE system

FEIDE (Federated Electronic Identity for Education)
• Goals of the FEIDE project:
• Establish a common, secure electronic identity for Norwegian academic users.
• Implement the academic sector's system for reliable user data handling, secure identification of internet-service users and assignment of user access-rights.
• Common data model for persons
• Standardization/development of user management systems
• Provide a central login server

Integrating with the FEIDE system (I)
• One year ago we released a pilot using the FEIDE authentication
• Application: Personalized services for patrons and librarians
• Technology: Java Servlets, Tomcat server
• Objective: technical issues (not performance)
• Available for a limited group of users

Integrating with the FEIDE system (II)
• Efforts to make it work
  • Received a Java-library, a Servlet Filter and a certificate from FEIDE
  • Configured Tomcat to use the Servlet Filter
  • Configured the Servlet Filter

Integrating with the FEIDE system (III)
• Experiences with the pilot
  • Easy to implement
  • No errors throughout the test period
  • The users were satisfied

Integrating with the FEIDE system (IV)
One obstacle: How to map a FEIDE user to a BIBSYS user?
Solution: The National Identity Number
BIBSYS has to extend the user database to include the National Identity Number.

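The mapping step above, as an added example (not BIBSYS or FEIDE code): link a federated login to exactly one local user through the shared identifier, refuse the login when the value is missing, malformed, unknown or duplicated, and take roles only from the local database. The attribute name nationalIdentityNumber, the user records and the role names are hypothetical.

```python
from dataclasses import dataclass


class LinkError(Exception):
    """The federated login could not be tied to exactly one local user."""


@dataclass(frozen=True)
class LocalUser:
    user_id: str
    national_id: str      # linking key added to the local user database
    roles: frozenset      # roles held in the local role based system


# Constructed sample users; the 11-digit values are placeholders, not real numbers.
USERS = [
    LocalUser("patron-17", "00000000001", frozenset({"patron"})),
    LocalUser("lib-04", "00000000002", frozenset({"patron", "librarian"})),
    LocalUser("dup-a", "00000000009", frozenset({"patron"})),
    LocalUser("dup-b", "00000000009", frozenset({"librarian"})),
]


def normalize(value):
    """Accept only an 11-digit ASCII string, ignoring spaces."""
    digits = value.replace(" ", "")
    if len(digits) != 11 or not (digits.isascii() and digits.isdigit()):
        raise LinkError("identifier is not 11 digits")
    return digits


def link_account(attributes, users, attr="nationalIdentityNumber"):
    """Return the single local user matching the asserted identifier.

    `attributes` maps attribute names to lists of values, as LDAP-backed
    identity providers deliver them. The attribute name is hypothetical.
    """
    values = attributes.get(attr) or []
    if len(values) != 1:
        raise LinkError("expected exactly one identifier value")
    key = normalize(values[0])
    matches = [u for u in users if u.national_id == key]
    if len(matches) != 1:          # zero or duplicate rows: refuse to guess
        raise LinkError(f"{len(matches)} local users match")
    return matches[0]


def authorize(user, required_role):
    """Roles come from the local database, never from the login request."""
    return required_role in user.roles
```
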
Overview of the logon process
[Diagram labels: User; FEIDE with MORIA and AT (LDAP-servers); BIBSYS (Tomcat servlet container) with Filter and BIBSYS-services (servlets); BIBSYS users; steps numbered 1–9]

Future plans
• Let the pilot go into production within 3-4 months
• Try out the Single Sign On features of FEIDE
• Make use of other user attributes than only the National Identity Number. (For authorisation and for updating our own user data)