
www.kennisnet.nl

Name of the Author

7 January 2008

Kennisnet Entree: federated authentication

Pieter Bruring Technical Product Manager

EdReNe expert workshop - 26 February 2009 2

Identification … a must


Narrowing the scope of identity

Kennisnet Entree: providing SSO to VLE/LMS


What’s it all about?


Some figures

Total of 600.000 educational users in the Netherlands:

• 165 schools connected (300.000 estimated federative users)
• 300.000 Entree selfservice accounts

13 Service providers:

• Educational online video streaming service
• Government sites
• Educational content providers
• Webshop


Elements of an authentication and authorisation service


Users use different accounts to access websites. Websites use centralised user stores (identity providers).

Rise of the learning management systems as identity provider for schools. Federated authentication: platforms function as hub.

Anatomy of the Entree federation


Anatomy of the Entree federation hub


Confederation 2009


Kennisnet content, educational publishers & educational video streaming services

Primary education, high schools and colleges

Higher Education,Universities

Surfnet, Universities, Publishers

High school teachers and students

Educational content providers (publishers)

central authorisation via webshop

A-Select

• Dutch authentication platform: www.a-select.org
• Open Source
• Not yet using standard SAML 2.0
• It does however support Shibboleth via an agent and filter solution
• Used nationwide in DigiD, provides users with a personalised login code for authentication on websites from various governmental bodies


A-Select protocol

A-Select interfacing: Service Provider


1. URL
2. Go authenticate
3. Authentication, set SSO token
4. User attributes
5. Set application token with attributes
6. Redirect after authorisation

A-Select protocol

A-Select interfacing: Identity Provider


1. “Where are you from?”
2. “I belong to this organisation”
3. “Go authenticate there”
4. “my loginname & password”
5. Interface with userstore
6. “Is ok?”
7. “user authenticated ok”
8. “have a SSO token (cookie)”

A-Select IdP interfacing problems

A-Select IdP’s are very difficult to set up:

• Need for ‘foreign’ software in system (A-Select server)

• Need to develop a custom A-Select AuthSP for non-LDAP userstores, such as MySQL.

• The A-Select protocol is not an international standard, unlike SAML 2.0 or Shibboleth


Entree solution: Cookiemonster interface


Requirements:

• No need for ‘foreign’ software in system
• Native authentication of user by VLE/LMS
• Standardisation of user attributes sent to Entree
• For security purposes an assertion of trust is needed

Consequence: No standard (e.g. SAML 2.0) fitted the bill on ‘easy to implement’, due to maturity differences among VLE/LMS providers.

Goal:

Virtual Learning Environments and Learning Management Systems shall be connected to Entree using easy to implement webservices.

A-Select Cookiemonster protocol

A-Select Entree expansion: LMS IdP webservices


1. “Where are you from?”
2. “I belong to this organisation”
3. “Go authenticate there”
4. “my loginname & password”
5. Get attributes
6. User attributes using eduPerson schema
8. “have a SSO token (cookie)”
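The LMS IdP webservice flow above, as an added illustrative model (not Kennisnet's or A-Select's code): the VLE/LMS authenticates the user natively, sends eduPerson attributes to the hub, and the hub only issues the SSO token once the assertion of trust and the attribute standardisation check out. The assertion is assumed here to be an HMAC over the attribute payload with a per-LMS shared secret; all names, secrets and attribute values are constructed.

```python
import hashlib
import hmac
import json
import secrets

# Constructed shared secrets, one per connected VLE/LMS. The slides only say an
# assertion of trust is required; modelling it as an HMAC is an assumption here.
LMS_SECRETS = {"lms-school-a": b"constructed-secret-for-school-a"}

# Attributes the LMS must supply (eduPerson names, as the slides require).
REQUIRED_ATTRS = {"eduPersonPrincipalName", "eduPersonAffiliation"}


def lms_send_attributes(lms_id, attrs):
    """Steps 5-6: the LMS authenticated the user natively, looked up the
    attributes and sends them to Entree together with the trust assertion."""
    payload = json.dumps(attrs, sort_keys=True)
    mac = hmac.new(LMS_SECRETS[lms_id], payload.encode(), hashlib.sha256).hexdigest()
    return {"lms": lms_id, "payload": payload, "mac": mac}


class EntreeHub:
    """Toy federation hub: verifies LMS assertions, issues SSO tokens."""

    def __init__(self):
        self.sessions = {}  # SSO token (the cookie of step 8) -> attributes

    def receive_assertion(self, msg):
        """Return an SSO token, or None when the assertion must be rejected."""
        secret = LMS_SECRETS.get(msg["lms"])
        if secret is None:
            return None  # organisation is not a connected LMS
        expected = hmac.new(secret, msg["payload"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg["mac"]):
            return None  # payload altered in transit or MAC forged
        attrs = json.loads(msg["payload"])
        if not REQUIRED_ATTRS.issubset(attrs):
            return None  # attribute standardisation requirement not met
        token = secrets.token_urlsafe(16)
        self.sessions[token] = attrs
        return token

    def attributes_for(self, sso_token):
        """Service-provider side (steps 4-5 of the SP flow): attributes that go
        into the application token, or None for an unknown SSO token."""
        return self.sessions.get(sso_token)
```

The service provider never sees the user's LMS password; it only receives attributes tied to an SSO token the hub issued after verification.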

Cookiemonster interface: results


• Solution provides Single Sign On path directly from VLE/LMS to Service Provider.

• One month after introducing the new interfacing method, 100 schools were connected.

• Average development time for a VLE/LMS provider is 2 weeks

Next step: building bigger bridges


The standards SAML 2.0 and OpenID are selected for these bridges.


You?


Questions?