EDINA Service Conversion


Presentation Transcript


  1. EDINA Service Conversion
  Fiona Culloch, EDINA
  JISC Core Middleware Programme Meeting, 16-17 May 2005

  2. EDINA’s role
  • Host UK national data services
  • JISC Information Environment components:
    • bibliographic abstracts and indexes
    • geographic data
    • L&T resources
    • multimedia resources
    • curation and preservation
  • Based at Edinburgh but nationally funded by JISC
  JISC Core Middleware Programme Meeting, Loughborough, 16-17 May 2005

  3. Current EDINA services
  • Geographic and mapping:
    • Digimap (Ordnance Survey data)
    • UKBORDERS (boundary info)
  • Multi-media:
    • Education Image Gallery (Getty Images)
    • Education Media Online (films from Imperial War Museum etc.)
  • History: Index to The Times, 1790-1980

  4. Bibliographic data
  • Agriculture and life sciences:
    • AGDEX, BIOSIS, CAB Abstracts, UPDATE
  • Engineering: Inspec
  • Social science: EconLit, PAIS (Politics), Stat. Accounts of Scotland 1790s–1830s
  • Library catalogues: SALSER

  5. Platforms
  • Multiple enterprise-class Sun SMP systems
    • 16GB RAM each
    • Running Solaris (currently 2.8)
  • > 10TB mass storage
  • JANET connectivity

  6. Current AAA regime
  • Athens (for academic users):
    • SSO between EDINA and other resources
  • Local password file (commercial users)
  • Browser user sees “front page” with
    • buttons for Athens and local login
    • service status, planned outages
  • Previous JISC AAA projects on X.509 client certificates and Shibboleth (TIES)

  7. EDINA authZ requirements
  • Requirements differ from those of one-off services
  • Many services share a common AAA model
  • So, want to centralise authZ & accounting
  • Coarse-grained authZ: most services are accessible to “all users at institution X, Y, …”
    • Not to a list of named individuals (exceptions such as Digimap need finer-grained authZ)

  8. More requirements
  • Support for multiple AAA mechanisms
    • Athens, Shibboleth, X.509 client certs, ...
  • Want extensibility without disturbing production services
    • Do this by running AAA on separate web servers from the services
    • Contrast: a one-off service using Shibboleth mechanisms directly on its main web server

  9. Current authZ implementation
  • Perl CGI script (per service)
  • Common AAA framework factored out into central LoginScript module, except for
    • Digimap, UKBORDERS, Stat. Acc., SALSER
  • LoginScript handles local logins directly
    • Or calls the “Athens Agent” Perl API
    • and checks the user has the Athens resource for this service
  • Starts proxy HTTP session on production web server (using shared secret)
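The last bullet is the security-sensitive step: the AAA host, not the production web server, has authenticated the user, so the production server must be able to tell a genuine handoff from a forged or replayed one. The slide says only "shared secret", so the following is an added example in Python (not EDINA's Perl LoginScript) of one safe way to do it: the AAA server issues a short-lived token over service, user, expiry and a one-time nonce, authenticated with HMAC-SHA256 under the shared secret, and the production server rejects anything with a bad MAC, the wrong service, a past expiry or a reused nonce. The secret, the field layout and the TTL are assumptions.

```python
"""Shared-secret session handoff from a separate AAA web server to the
production web server.

Added example, not EDINA code. The HMAC construction, field layout and
TTL are assumptions; the slide says only that a shared secret is used.
"""
import hashlib
import hmac
import secrets

# Constructed secret shared by the AAA host and the production web server.
SHARED_SECRET = b"edina-aaa-handoff-secret-for-demo-only"
SEP = "|"


def mint_session_token(secret: bytes, service: str, username: str,
                       now: int, ttl: int = 60) -> str:
    """AAA server side: issue a short-lived token bound to one service and user.

    Format: service|username|expiry|nonce|hex(HMAC-SHA256 over the first four).
    """
    for field in (service, username):
        if not field or SEP in field:
            raise ValueError("fields must be non-empty and must not contain the separator")
    payload = SEP.join([service, username, str(now + ttl), secrets.token_hex(8)])
    mac = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    return payload + SEP + mac


def verify_session_token(secret: bytes, token: str, expected_service: str,
                         now: int, seen_nonces: set) -> tuple:
    """Production server side: returns (True, username) or (False, reason).

    The MAC is checked first (constant-time), so nothing else in the token is
    trusted before its integrity is established; the nonce set makes a
    captured token single-use within its TTL.
    """
    parts = token.split(SEP)
    if len(parts) != 5:
        return False, "malformed token"
    service, username, expiry, nonce, mac = parts
    expected = hmac.new(secret, SEP.join(parts[:4]).encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return False, "bad MAC"
    if service != expected_service:
        return False, "token issued for another service"
    if not expiry.isdigit() or int(expiry) <= now:
        return False, "token expired"
    if nonce in seen_nonces:
        return False, "token replayed"
    seen_nonces.add(nonce)
    return True, username


if __name__ == "__main__":
    seen = set()
    tok = mint_session_token(SHARED_SECRET, "update", "member@ed.ac.uk", now=1000)
    print(verify_session_token(SHARED_SECRET, tok, "update", 1010, seen))   # accepted
    print(verify_session_token(SHARED_SECRET, tok, "update", 1010, seen))   # replay rejected
```

Binding the service name into the token matters in this architecture because one AAA host fronts many services: without it, a token minted for a cheap service could be presented to an expensive one.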

  10. Current accounting setup
  • Central log at Athens of successful logins
  • Plus local (EDINA) logging
    • log timestamp and username
    • keep separate log files for each service
  • Standard cases handled by LoginScript

  11. Shibbolizing a service
  • Add Shibboleth login button to front page
  • Button links to Shibboleth login script
    • Currently separate from the Athens script but very similar in form
  • Common AAA requirements again factored into central ShibLogin module
  • Layer ShibLogin on existing LoginScript; uses shared framework (e.g., for logging)

  16. Basic authZ is easy
  • ShibLogin allows coding without much knowledge of Shib
  • Script is behind a Shib-protected URL
  • service function checks, using Shibboleth, that the user’s institution subscribes to the named service (update)

    #!/home/cpan/bin/perl
    # Per-service login script for the UPDATE service, layered on ShibLogin
    use ShibLogin;
    package Edina::Autho::LoginScript;
    # Site-specific flag read by the shared framework (the "$" sigil was lost
    # in the transcript; a bare "SiteSearch=1" is not valid Perl)
    $SiteSearch = 1;
    # Check via Shibboleth attributes that the user's institution subscribes
    # to "update"; the second argument is the service URL
    service("update", "URL");

  17. Behind the scenes
  • Shibboleth enforces that the user must have an account at an Identity Provider (IdP) in the SDSS federation
  • IdP must provide the eduPersonScopedAffiliation attribute indicating the user’s institutional affiliation:
    • e.g., member@ed.ac.uk is from Edinburgh
  • EDINA licensing table maps scopes (ed.ac.uk) to services subscribed to by that institution
  • The ShibLogin module checks this automatically

  18. Use of attributes
  • eduPersonScopedAffiliation gives the institution
  • Trust the IdP’s scope assertion (automatically verified against the federation’s metadata, so an IdP cannot assert a scope it is not registered for)
  • Assumes the IdP won’t give credentials to non-members of the institution (federation policy, but the weak link)
  • We don’t trust IdPs to assert subscriptions; instead, a local table of institutional subscriptions

  19. Service personalisation
  • Many services offer personalisation:
    • saved searches
    • automatic e-mailing of new items matching stored searches
  • If the IdP supplies the eduPersonTargetedID attribute, use it as an opaque pseudo-username:
    • JK5jhuMPbKBNlllh4DLlqb9nLXM=@sdss.ac.uk
  • Otherwise, user gets reduced functionality with a shared pseudo-username (_shibboleth)
  • Log Shibboleth session cookie for traceability in all cases
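Slides 17 to 19 together describe one decision: take the scope out of eduPersonScopedAffiliation, accept it only if federation metadata permits that IdP to assert it, look the scope up in EDINA’s own licensing table rather than trusting the IdP about subscriptions, and derive a pseudo-username from eduPersonTargetedID or fall back to the shared _shibboleth account. The following is an added example in Python of that logic (not the ShibLogin module, and not EDINA code). The request-environment attribute names (affiliation, targeted-id, entitlement, Shib-Identity-Provider), the metadata and licensing tables and the ';' multi-value separator are assumptions; the sample IdPs and values are constructed. It goes slightly beyond the slides by also accepting an optional eduPersonEntitlement requirement, the mechanism slides 20 and 22 mention for medically restricted content.

```python
"""Coarse-grained authZ from Shibboleth attributes.

Added example, not EDINA's ShibLogin. Attribute names, tables and the
multi-value separator are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for federation metadata: scopes each IdP may assert.
FEDERATION_SCOPES = {
    "https://idp.ed.ac.uk/shibboleth": {"ed.ac.uk"},
    "https://idp.lse.ac.uk/shibboleth": {"lse.ac.uk"},
}
# Constructed EDINA-style licensing table: scope -> services subscribed to.
LICENCE_TABLE = {
    "ed.ac.uk": {"biosis", "update", "emol"},
    "lse.ac.uk": {"biosis", "emol"},
}
SHARED_PSEUDO_USER = "_shibboleth"


@dataclass
class Decision:
    allowed: bool
    scope: Optional[str]   # institution the decision was made for, if any
    username: str          # opaque targetedID value or the shared fallback
    reason: str


def multi_values(raw: str) -> list:
    """Assumed SP export convention: multi-valued attributes joined with ';'."""
    return [v.strip() for v in raw.split(";") if v.strip()]


def asserted_scopes(affiliation: str) -> set:
    """'member@ed.ac.uk' -> {'ed.ac.uk'}; values without a scope are ignored."""
    scopes = set()
    for value in multi_values(affiliation):
        if "@" in value:
            aff, scope = value.rsplit("@", 1)
            if aff and scope:
                scopes.add(scope.lower())
    return scopes


def pseudo_username(targeted_id: str) -> str:
    """Use eduPersonTargetedID as an opaque pseudo-username, else the shared one."""
    values = multi_values(targeted_id)
    return values[0] if values else SHARED_PSEUDO_USER


def authorise(env: dict, service: str, required_entitlement: Optional[str] = None) -> Decision:
    username = pseudo_username(env.get("targeted-id", ""))
    idp = env.get("Shib-Identity-Provider", "")
    # Only scopes the federation metadata permits this IdP to assert are trusted.
    permitted = FEDERATION_SCOPES.get(idp, set())
    verified = {s for s in asserted_scopes(env.get("affiliation", "")) if s in permitted}
    if not verified:
        return Decision(False, None, username, "no scope verifiable against federation metadata")
    # Subscriptions come from the local table, never from the IdP.
    licensed = sorted(s for s in verified if service in LICENCE_TABLE.get(s, set()))
    if not licensed:
        return Decision(False, sorted(verified)[0], username,
                        f"{service} not subscribed by {', '.join(sorted(verified))}")
    if required_entitlement and required_entitlement not in multi_values(env.get("entitlement", "")):
        return Decision(False, licensed[0], username, "required entitlement not asserted")
    return Decision(True, licensed[0], username, "ok")


if __name__ == "__main__":
    env = {"Shib-Identity-Provider": "https://idp.ed.ac.uk/shibboleth",
           "affiliation": "member@ed.ac.uk",
           "targeted-id": "JK5jhuMPbKBNlllh4DLlqb9nLXM=@sdss.ac.uk"}
    print(authorise(env, "update"))
```

The ordering is deliberate: a scope that metadata does not permit the IdP to assert is dropped before any licensing lookup, so an IdP registered for lse.ac.uk asserting member@ed.ac.uk buys nothing, which is exactly the guarantee slide 18 relies on.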

  20. Attributes used in SDSS
  • eduPersonScopedAffiliation
    • e.g., student@lse.ac.uk
  • eduPersonTargetedID
    • e.g., xdIe346Kb82hdJhzbhvje23wE=@ncl.ac.uk
  • eduPersonEntitlement
    • e.g., urn:mace:ac.uk:sdss.ac.uk:entitlement:med
  • eduPersonPrincipalName
    • e.g., jjones@uni.ac.uk

  21. Progress to date
  • Established the SDSS federation and a common ShibLogin framework for EDINA services
  • Shibbolized initial services:
    • BIOSIS, Education Media Online, UPDATE
  • Chosen because subscribed to by the initial IdPs:
    • Edinburgh, LSE, Newcastle, Oxford
  • Contributed bug reports, XSLT scripts to convert between the 1.3, 1.2 & 1.1 metadata formats, and NAT work to Internet2

  22. Current work
  • Training service-delivery staff
  • Education Image Gallery (requested by LSE)
  • Support for medically restricted content in Education Media Online
    • review contract position (MAAS sublicence)
    • liaise with IAMSECT (Newcastle, Durham)…
    • to define an eduPersonEntitlement attribute value corresponding to the existing Athens EDINA_MEDIA_MEDICAL resource
  • Investigate other commercial CAs

  23. Issues
  • EDINA resources are only in the SDSS federation
    • But multiple UK educational federations are evolving (MATU, schools, KC-ROLO, …)
    • And Shibboleth multi-federation support is still immature
  • SDSS provides metadata in 1.3, 1.2 and 1.1 formats
    • but no guarantee to support all formats in perpetuity

  24. Future work (CM:I year 2)
  • Broadening (service delivery):
    • AGDEX, ITTT, … similar to the ones already done
  • Also deepening (harder cases):
    • Digimap, UKBORDERS (finer-grained authZ)
    • OpenURL, weblinks; merge ShibLogin & LoginScript
  • JISC have funded new work items:
    • multi-federation working, including a meta-WAYF
    • virtual organisation use cases (e-Science person hired)
    • attribute release policy tools
    • more sophisticated resource registry

  25. Highlights
  • Established the SDSS federation and a common AAA framework across multiple EDINA services
  • Service developers don’t need to know Shib
  • Three services already “live”
  • Don’t panic: a one-off service is easier!
  • IdP need only provide one standard attribute for login to most services (and optionally one for personalisation)
  • Rest of services to be converted in the next year
  • Attention turning to harder cases and new tools
