
More Bang for the Buck: Leveraging Identity Infrastructures

John O’Keefe, Lafayette College

Mike Conlon, University of Florida

1

About This Session

• Tag team presentation – John and Mike

• About our schools

• About Shibboleth

• Shibboleth at Lafayette

• Shibboleth at UF

• Leverage Scenarios

• Conclusions, Contacts and References

2

Lafayette College

• 2382 Students, 206 Faculty

• Small, residential, private liberal arts college

• Easton, Pennsylvania

• IT centralized, 28 staff

• Open-source centric

3

University of Florida

• 52,112 Students, 4,278 Faculty

• Large public research-1 university

• Gainesville, Florida

• IT decentralized, >1,000 IT staff

• Commercial (PeopleSoft), open source (Sakai), locally-developed (Student Systems) software

4

What is Shibboleth?

• Internet2 open source software project with lead site at Ohio State

• Federated identity (multiple identity providers) as well as declarative authorization (attribute release)

• Lots of adopters: NSF, NIH, Microsoft DreamSpark, Elsevier, Mobile Campus, Turnitin.com, many more

• InCommon Trust Federation http://incommonfederation.org

• Shibboleth Demo http://shibboleth.internet2.edu/demo/shib_demo.html

• See http://shibboleth.internet2.edu

5

Shibboleth Flow

6

Shibboleth at Lafayette

• Intro to Shib Net@EDU 2003

• ITS/Library merge 2005: 11 usernames/passwords

• Centralized identity store in openLDAP

• Joined InCommon June 2007

7

Shibboleth at Lafayette -- Architecture

• RedHat Enterprise 5

• Tomcat 5.5.2.6

• Apache 2.2

• Shibboleth 2.1.4 (SP and IdP)

8

Shibboleth at UF -- Engagement

• SSO in 1997, comprehensive directory (1.8M people) 2003

• Town Halls, presentations, web sites

• One year selection process resulting in Shib

• Joined InCommon in 2009

• Goal to replace legacy SSO solution across enterprise applications and 80 department applications, in 46 departments and colleges. May 2010

9

Shibboleth at UF -- Architecture

• Data synchronized from PeopleSoft, Active Directory, UF Directory, Student Records System into SQL Server database

• Shibboleth authenticates via Kerberos

• Shibboleth vends attributes via the SQL Server database

• Eight attribute release policies

10

Lafayette University Tickets

• Student life used this vendor

• Wanted to validate users for ticket purchase

• University Tickets joined InCommon

• Sending basic attributes

11

UF Departments and ARPs

• Attribute release policies simplify department applications and allow them to use enterprise data without additional complex interfaces

• Example: Restrict access to downloadable software to faculty, staff and students

• Example: Sign on to college and research portals

• Example: Allow access to authorized groups – research admins, restricted data users, …

12

Lafayette E2Campus

• Spam-like emails sent to campus prompted project

• Worked with Public Safety

• Go-Live October 2009

13

UF Federation for Research

• Scenario 1: UF is the IdP. Outside agency is the SP

– Example: NIH. UF researchers sign on to NIH sites using UF credentials

• Scenario 2: UF is the SP. Outside agency is the IdP

– Example: UF Clinical and Translational Science Institute Research portal. Researchers from other universities sign on with their home credentials

14

Lafayette Library Apps

• JSTOR

– Looking to move away from proxy service

– IT/Library collaboration in merged organization

– Our first production use of Shibboleth

• RefWorks

– Cumbersome login process

– Users complained

15

UF Enterprise Systems

• Five enterprise applications expected to act as one with respect to sign on and session management – PSFT, ISIS, Cognos, Reports, ISIS-Admin

• Create a global session management cookie managed by Apache

• Users sign on via Shib to Apache RPS, which manages cookie and passes authentication to enterprise apps

16

Lafayette Moodle Spaces

• Alumni Ambassadors (213 users)

• Oomycete Undergrad Molecular Genetics Network

• Alumni Chapter Volunteers (Live Jan 1, 2010)

• Our first use of SP

17

UF Active Directory Groups

• UF Active Directory has over 170,000 user objects, over 20,000 group objects, and 80% of UF’s workstations, laptops and servers (70,000)

• Groups can be created and maintained by local sysadmins

• A Shibboleth ARP vends group memberships

• Local departments can ensure that their web apps permit access only to members of their groups

18
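As an added illustration of the attribute release policies described on the UF Departments and ARPs and UF Active Directory Groups slides (this is not UF's or Lafayette's configuration), here is a Shibboleth 2.x IdP attribute-filter.xml with two policies: basic attributes released to any InCommon service provider, and AD group memberships released only to one department's SP and only for that department's own groups. The InCommon group ID, the SP entity ID, the group naming scheme and the attribute IDs are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Illustrative attribute-filter.xml for a Shibboleth 2.x IdP (constructed example,
     not taken from either school's deployment). Every attributeID used here must
     also be defined in attribute-resolver.xml, which is not shown. -->
<AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
    xmlns="urn:mace:shibboleth:2.0:afp"
    xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic"
    xmlns:saml="urn:mace:shibboleth:2.0:afp:mf:saml"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

  <!-- Policy 1: the "basic attributes" any InCommon SP may receive.
       groupID is the InCommon metadata aggregate name (assumed). -->
  <AttributeFilterPolicy id="basicAttributesToInCommon">
    <PolicyRequirementRule xsi:type="saml:AttributeRequesterInEntityGroup"
        groupID="urn:mace:incommon" />
    <AttributeRule attributeID="eduPersonPrincipalName">
      <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>
    <AttributeRule attributeID="eduPersonAffiliation">
      <!-- Release only the affiliations a vendor needs to gate a purchase
           or a software download; other affiliation values are withheld. -->
      <PermitValueRule xsi:type="basic:AttributeValueRegex"
          regex="^(faculty|staff|student)$" />
    </AttributeRule>
  </AttributeFilterPolicy>

  <!-- Policy 2: AD group memberships go only to one department's SP, and only
       that department's groups, so a departmental web app learns nothing about
       other units. Entity ID and group URN scheme are constructed placeholders. -->
  <AttributeFilterPolicy id="hrGroupsToHrApp">
    <PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
        value="https://hrapp.dept.example.edu/shibboleth" />
    <AttributeRule attributeID="isMemberOf">
      <PermitValueRule xsi:type="basic:AttributeValueRegex"
          regex="^urn:mace:example\.edu:groups:hr:[A-Za-z0-9_-]+$" />
    </AttributeRule>
  </AttributeFilterPolicy>

</AttributeFilterPolicyGroup>
```

A value that matches no PermitValueRule in any applicable policy is dropped, so release is deny-by-default: an SP sees only what a policy explicitly grants, and the department's app can rely on the group values it receives being its own.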

Lafayette Conclusions

• Finding partners is a challenge

• When it works, it’s great

• Always ask if Shibboleth can help

• Centralize whenever possible

• Leverage Shibboleth as Single Sign-On

19

UF Conclusions

• Engage the IT community

• Shibboleth scales well

• Shibboleth works well in a mixed environment

• Once basic IDM is in place, controlling access via affiliations, roles, groups is straightforward

• Shibboleth replaces legacy SSO solutions across local and enterprise applications

20

Contacts, References

• John O’Keefe

– email: [email protected]

– twitter: okeefej_62

– web: http://its.lafayette.edu

• Mike Conlon

– email: [email protected]

– facebook: http://www.facebook.com/mconlon

– web: http://www.it.ufl.edu

21