1. Why are HEAnet in this space?
– Collaborative, shared and cloud services
– IP address access control and IPv6
– Synergy with eduroam (single credential, eduGAIN)
– NREN fulfils the role of federation operator
2. Terminology
Single Log On
• single point of authentication
• synchronised account and credentials
• authenticate to each application
Single Sign On (SSO)
• single point of authentication
• single credential, single account
• authenticate once
3. Edugate
Identity Provider
• Authenticates user and provides user data
• Personal, non-personal or none
Service Provider
• Authorises access based on incoming data
• Personalises experience based on incoming data
• Persists the experience between sessions
• Links application data with incoming data
4. Edugate
Identity Providers
• Institutes of Technology
• Universities
• Research agencies on the HEAnet network
• Expanded set in the future
5. Edugate
– Potential Services
• Institutional services
» Any website requiring a login [for non-campus users]
• Shared services
» HEAnet services, An Cheim services, IReL, NDLR
• Academic content
» Publishers (EBSCO, Elsevier, JSTOR) and databases
• Research portals
» Or any cross-institutional research group resource
• Organisations offering academic discount
» Microsoft Dreamspark, o2, Travelcard
7. Edugate
– Internationally
AT ACOnet-AAI
AU Australian Access Federation (AAF)
CA Canadian Access Federation (CAF)
CH SWITCHaai
CZ eduID.cz
DE DFN-AAI
DK WAYF
ES SIR
FI Haka
FR Fédération Éducation-Recherche
GR GRNET
HR AAI@EduHr
HU NIIF AAI
IE Edugate
IT IDEM
LV LAIFE
NL SURFnet
NO FEIDE
PT RCTSaai
SE SWAMID
UK UK Access Management Federation for Education and Research
US InCommon
eduGAIN connects these federations to one another
8. UK Access Mgmt. Fed.
• The Athens service was proprietary and library-only
• Open standards were already used for non-library services
• The UK Access Management Federation provides an alternative to Athens: a single access platform that serves both library and non-library services
• 800 members; all UK Higher Education Institutions have joined the UK Access Management Federation
• 50% of those institutions use it to gain access to library content using Shibboleth
• 50% use the Athens Gateway to federated access
• Publisher support for Shibboleth is approximately 50%
11. Edugate
Based on the SAML2 Protocol
• Interoperable Web-SSO Profile (saml2int.org)
– Shibboleth 2, simpleSAMLphp
– Oracle, IBM, Ping and Microsoft ADFS v2
Implementation
– Service Provider
• Web server plug-in (optional application integration)
– Identity Provider
• Web application with connection to campus directory
12. Edugate –SAML
Z39.50 Protocol
• Search multiple targets at the same time
• Retrieve
SAML Protocol
• Authenticate with multiple targets as needed
• Authorise
13. Edugate
Authentication
• Responsibility of the institution
• Usually LDAP, but other options available
Authorization
– Controlled by the service provider
– The institution can filter users before they reach the service provider
– Based on the user's attributes
15. Edugate
Attributes: eduPersonScopedAffiliation values
student: undergraduate or postgraduate
staff: all staff
faculty: to distinguish teaching staff
employee: employee other than staff/faculty (e.g., contractor)
member: comprises all the categories named above
affiliate: relationship short of full member
alum: alumnus (graduate)
library-walk-in: a person physically present in the library
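What slides 11, 13 and 15 describe on the service-provider side is: the IdP sends a SAML2 assertion, the SP validates it, and authorisation is then decided from the user's attributes, here eduPersonScopedAffiliation. The block below is an added example written for this page; it is not code from the Edugate slides, from Shibboleth or from simpleSAMLphp. It assumes the SP software has already verified the XML signature (the step that Shibboleth SP or simpleSAMLphp performs for you) and shows the checks that come after it: the assertion's Conditions (time window and Audience), the scope check that stops an IdP asserting affiliations for a domain it is not authoritative for, and the affiliation-based policy. The entityIDs, scope and assertion are constructed sample data.

```python
"""Post-signature SP checks on a SAML2 assertion (added example, not Edugate code).

Assumes the XML signature has already been verified by the SP software; only
Conditions, scope and affiliation policy are checked here. A real SP should
also parse untrusted XML with entity expansion disabled (e.g. defusedxml).
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EPSA_OID = "urn:oid:1.3.6.1.4.1.5923.1.1.1.9"  # eduPersonScopedAffiliation

# Constructed sample assertion. IdP entityID, scope and SP entityID are hypothetical.
# The third value carries a scope the IdP is NOT authoritative for and must be dropped.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_c0ffee" Version="2.0" IssueInstant="2012-05-01T10:00:00Z">
  <saml:Issuer>https://idp.example.ac.ie/idp/shibboleth</saml:Issuer>
  <saml:Conditions NotBefore="2012-05-01T09:59:00Z" NotOnOrAfter="2012-05-01T10:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.org/shibboleth</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9">
      <saml:AttributeValue>student@example.ac.ie</saml:AttributeValue>
      <saml:AttributeValue>member@example.ac.ie</saml:AttributeValue>
      <saml:AttributeValue>staff@evil.example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# In a federation this comes from the signed metadata (the Scope extension per IdP).
# Hypothetical mapping for the example.
IDP_SCOPES = {"https://idp.example.ac.ie/idp/shibboleth": {"example.ac.ie"}}
SP_ENTITY_ID = "https://sp.example.org/shibboleth"


def _ts(value):
    """Parse a SAML UTC timestamp of the form YYYY-MM-DDTHH:MM:SSZ."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_conditions(assertion, now, audience, skew=timedelta(seconds=60)):
    """True if the assertion is inside its validity window (with clock skew)
    and names this SP as an audience."""
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        return False
    not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not_before and now + skew < _ts(not_before):
        return False
    if not_on_or_after and now - skew >= _ts(not_on_or_after):
        return False
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    return audience in audiences


def scoped_affiliations(assertion, idp_scopes):
    """Return (affiliation, scope) pairs, keeping only scopes the issuing IdP
    is registered for. Values with a foreign or missing scope are discarded."""
    issuer = assertion.findtext("saml:Issuer", namespaces=NS)
    allowed = idp_scopes.get(issuer, set())
    result = []
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") != EPSA_OID:
            continue
        for node in attr.findall("saml:AttributeValue", NS):
            affiliation, sep, scope = (node.text or "").strip().partition("@")
            if sep and scope in allowed:
                result.append((affiliation, scope))
    return result


def authorise(xml_text, now, policy, audience=SP_ENTITY_ID, idp_scopes=IDP_SCOPES):
    """Decide access: (granted, accepted affiliations). `policy` is the set of
    affiliation values the service licenses, e.g. {"student", "staff", "faculty"}."""
    assertion = ET.fromstring(xml_text)
    if not check_conditions(assertion, now, audience):
        return False, []
    affiliations = scoped_affiliations(assertion, idp_scopes)
    granted = any(aff in policy for aff, _ in affiliations)
    return granted, affiliations


if __name__ == "__main__":
    at = datetime(2012, 5, 1, 10, 1, tzinfo=timezone.utc)
    print(authorise(SAMPLE_ASSERTION, at, {"student", "staff", "faculty"}))
```

The scope check is the part most often missing from home-grown SPs: without it, any IdP in the federation could assert `staff@otherinstitution.ie` and obtain access licensed to that other institution. The IdP-to-scope mapping must come from the federation's signed metadata, never from the assertion itself.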
16. Why use Edugate...
• Reduce account provisioning for walk-in and campus users
• Reduce the number of passwords for your users
• Reduce the number of prompts for those passwords
• Filter user access to content by affiliation or special groups
• Stop worrying about licences and users on your wifi network or open terminals
• Start to eliminate abuse of shared credentials/generic accounts
• IPv4 to IPv6 migration (193.1.228.165 vs 2002:c101:e4a5::c101:e4a5)
• Enhanced personalisation, without losing privacy.
• No fee
17. Edugate on Campus
IT department sets up identity provider service (IdP)
Any other department can opt to accept a federated login (SP)
– Library can opt to replace the EZproxy URL in the catalogue.
– Library can opt to enable federated login to the library website and repositories
– Library can opt to integrate EZproxy with the IdP
18. Edugate on Campus
IT department sets up identity provider service (IdP)
IADT, UCD, CIT, DKIT, TCD, NUIM, NUIG, ITT, WIT, LIT, DCU, DIT, UL, DIAS, NCAD
19. Edugate on Campus
[Diagram: user → catalogue with EZproxy → publisher content; EZproxy authenticates against campus LDAP]
20. Edugate on Campus
[Diagram: user → catalogue with EZproxy → publisher content; EZproxy now authenticates via Shibboleth (IdP), which is backed by campus LDAP]
21. Edugate on Campus
[Diagram: as slide 20, with the Shibboleth IdP also providing federated login to further publisher content and to non-library services]
28. Edugate on Campus
(Assuming a service supports Shibboleth)
Use Shibboleth...
• if you intend to take advantage of fine-grained access control
• if the service offers personalisation and persistent sessions (e.g. search results, search preferences etc.)
• if the content of the service is frequently accessed as a result of a Google search rather than a search of your OPAC (thus bypassing your EZproxy URLs)
• if Shibboleth is frequently used to access other services like student email and you want to avail of the single sign-on with no re-authentication prompts
29. Edugate on Campus
Some services do not support a Shibboleth login yet.
• Use EZproxy for services with no personalisation features, for services that don't feature in Google results, and for services that don't support Shibboleth
• Use EZproxy with Shibboleth for these non-personalised services if your campus uses Shibboleth for other frequently accessed services (thus benefiting from single sign-on)
• Use Shibboleth if any of the reasons listed on the previous slide fit