Authentication and Authorization (including focussing on Shibboleth)

  • Dr Tony McDonald, Assistant Director FMSC

    • Project manager, IAMSECT http://iamsect.ncl.ac.uk

      • Project manager, FDTL-4 ePortfolios http://www.eportfolios.ac.uk

      • Technical Director, CETL4HealthNE http://www.cetl4healthne.ac.uk

Dr Tony McDonald - FMSC

www.ncl.ac.uk/medev

tony.mcdonald@ncl.ac.uk

Breaking Boundaries 2005


Background

  • School of Medical Education Development

  • Responsible for IT provision of the MBBS programme, 1700 students, 1400 staff - many in the NHS

  • Project manager, IAMSECT (Shibboleth dissemination)

  • Project manager, FDTL-4 ePortfolios

  • Technical Director, CETL4HealthNE

    • ie not an über-geek...

The session...

  • Is about information/knowledge transfer

  • Is informal

  • Is about making connections

  • Is about problem solving...

  • Is about recognizing the potential of authentication/authorization systems

  • Is about getting these systems set up at your institution

Outline

  • What is authentication/authorization

  • Single sign on

  • Shibboleth (introduction, issues)

  • Use cases

  • Discussion

  • Shibboleth futures

  • Roundup

What is authentication/authorization?

  • authentication - identifies who you are

    • username, N.I. number, email address, employee number, biometrics, DNA

  • authorization - what you are allowed to do

    • almost always requires another level of lookup

  • in the past, particularly for online systems, these have usually been combined. You log in to a system and it knows what you can do.

Authentication

  • login (username/password) - Windows, unix, Amazon

    • username can be anything; d56rtx, bingo@bob.com

    • would be keyed against flat files, databases, active directory, LDAP

    • These ‘databases’ can be held locally or remotely

Single sign on

  • A way of accessing more systems using one login

  • It can be centralised (Athens, one big domain)

    • Big database in the middle of the world, managed centrally

  • Can also be de-centralised (Shibboleth is best known example)

    • Lots of small databases, managed locally

    • implies some level of communication between sites

Why use single sign on?

  • Shared students

    • including students from ‘feeder’ colleges

  • Shared resources

    • Journals, re-usable learning objects

    • Not necessarily electronic resources

  • Increasingly needed for ‘joined up’ systems and processes

Shibboleth

Then said they unto him, Say now Shibboleth: and he said Sibboleth: for he could not frame to pronounce it right. Then they took him, and slew him at the passages of Jordan: and there fell at that time of the Ephraimites forty and two thousand.

Judges 12:5-7

  • Possibly the first password

  • Distributed authentication and authorization

  • Standards-based (SAML)

  • Lots of backing from JISC and Internet-2

Core Concepts of Shibboleth

  • A user is authenticated at “home”

  • Home knows who and what a user is

    • eg Tony McDonald, member of staff; access to some admin areas

  • Service providers make access decisions based on what a user is (ie staff, student, medic etc)

  • Service providers should only know the minimum about a user

    • Can improve privacy
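
The split described on this slide, as an added sketch that is not part of the original presentation: home releases only the attributes a service provider's policy allows, and the provider decides on what the user is rather than who they are. The directory entries, provider identifiers, paths and policies below are constructed for illustration.

```python
# Added illustration: every name, identifier and policy here is constructed.

# What "home" knows about its users: who they are and what they are.
HOME_DIRECTORY = {
    "tmcdonald": {"name": "Tony McDonald", "email": "tony@home.example",
                  "affiliation": {"staff"}},
    "s123": {"name": "Sam Student", "email": "sam@home.example",
             "affiliation": {"student", "medic"}},
}

# Release policy held at home: which attributes may leave, per service provider.
RELEASE_POLICY = {
    "https://journals.example/sp": {"affiliation"},
    "https://eportfolio.example/sp": {"affiliation", "email"},
}

def release_attributes(user_id, sp_id):
    """Home side: return only the attributes this provider is allowed to see."""
    allowed = RELEASE_POLICY.get(sp_id, set())  # unknown provider gets nothing
    record = HOME_DIRECTORY[user_id]
    return {key: value for key, value in record.items() if key in allowed}

# Provider side: rules are written against what a user is.
ACCESS_RULES = {
    "/journals": {"staff", "student"},
    "/clinical-cases": {"medic"},
}

def sp_authorize(path, attributes):
    """Provider side: decide from the released attributes only."""
    required = ACCESS_RULES.get(path)
    if required is None:
        return False  # default deny for paths with no rule
    return bool(required & set(attributes.get("affiliation", ())))

if __name__ == "__main__":
    released = release_attributes("s123", "https://journals.example/sp")
    print(released, sp_authorize("/clinical-cases", released))
```

The journals provider can grant access to a medic without ever receiving a name or email address, which is the privacy gain the slide refers to.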

Some Issues...

  • Involves trust between institutions - this must come first

    • and this is where federations can help

  • Data protection issues

  • Technical ability of provider and consumer of Shibboleth-enabled resources

    • not rocket-science, but not trivial either (IAMSECT is helping to simplify the process)

Some use cases

  • Based on some selected projects currently underway;

    • IAMSECT (Shibboleth awareness raising, developing functioning systems)

    • FDTL-4 ePortfolios (ePortfolios for medicine, since grown into a major growth area for our school)

    • CETL4HealthNE (9000 health care students in 3 years)


IAMSECT - JISC funded, May 04-Apr 06

  • Three Universities; Newcastle*, Durham* and Northumbria, plus Subject Centre for Medicine, Dentistry and Veterinary Medicine - and the NHS

  • Technical and managerial issues are addressed, documented and disseminated.

What worked?

  • More people using Shibboleth

  • Better inter-institutional relations

  • Insight into NHS processes

  • Different VLEs/OSes worked

  • BlackBoard/Open Source

What could have been done better?

  • Consortium agreements

  • Emphasized benefits earlier?

  • Certification authority issues


ePortfolios - FDTL-4 funded, Oct 03-Sep 05

  • Three Universities; Newcastle, Sheffield and Leeds - focussing on medical students

  • ePortfolios for medical students at all institutions, using two different VLEs

What worked?

  • ePortfolios integrated into course

  • Better inter-institutional relations

  • Led to ePET project - web service enabled ePortfolio, authentication issues

    • See Simon's talk tomorrow! (10:30am)

    • Sydney room - ie here

  • Also led to EPICS project - ePortfolios and Shibboleth

What lessons were learnt?

  • ePortfolios and Shibboleth are not a natural fit


CETL4HealthNE - HEFCE funded, Oct 04-Sep 09

  • Five Universities of North-East; Newcastle, Northumbria, Durham, Sunderland, Teesside. Strategic Health Authorities and NHS Trusts

  • £4.5 million over 5 years

  • Impact on 9000 diverse students in first 3 years

What’s working?

  • People wanting to use Shibboleth

  • Good inter-institutional relations

  • Insight into NHS processes

What could be done better?

  • Better communications - always

  • Emphasized benefits earlier?

Shibboleth and CETL4HealthNE

  • Perhaps an ideal vehicle for Shibboleth

  • Access required to wide range of resources

    • VLEs, training, video, admin.

  • For a wide range of students

  • From many institutions

    • Five HEIs, SHA’s, NHS Trusts

Medicine

Nursing

Physiotherapy

Dentistry

Speech & Language Therapy

Occupational Therapy

Pharmacy

Radiography

Social Work

Foundation Degrees

and 9000 students impacted in first three years...

JISC Investment

  • Various programmes, attacking problem from both sides:

    • Information provision (EDINA, MIMAS etc) - origins in Shibboleth parlance

    • Information usage (core middleware) - targets in Shib-speak

  • Large sums of money have been invested

    • 01/04 - 13 projects, 05/05, 07/04, DeL - 6 projects

  • And are transitioning from Athens to Shibboleth

Your Turn! - 15 mins

  • Using examples from the use cases (or wherever), do a SWOT on;

Introducing single sign on systems into my organisation

Discussion points?

  • It could work but not here...

  • What would we use it for?

  • How do we get started?


Shibboleth Futures

What happens next?

  • Shibboleth is a disruptive technology

  • Authentication, privacy barrier removed

  • Online “reputation based” systems could kill journals?

  • Services bought in from outside e.g. webmail for students

  • Niche services flourish

Group Discussion

  • Some possible talking points;

    • Is Shibboleth really disruptive?

    • How can I make this work at my institution?

      • and It’ll never work at my institution

    • Where do I sign up?

Resources

  • IAMSECT - http://iamsect.ncl.ac.uk/

    • Lots of links and resources to Shibboleth and related information. Including a glossary - http://iamsect.ncl.ac.uk/glossary

  • MEDEV - http://www.ncl.ac.uk/medev/

    • VLEs, ePortfolios, Admin systems, Medical Education, CETL4HealthNE, Subject Centre for Medicine, Veterinary Medicine and Dentistry

  • JISC - http://www.jisc.ac.uk/ (search for Shibboleth)

    • Driving the Shibboleth agenda in the UK
