Shibbole-Me-This: One Librarian's Foray Into Shibboleth For Better Access
Page 1
Shibbole-Me-This: One Librarian's Foray into Shibboleth for Better Access. An Illustrated Narrative.
Athena Hoeppner, Electronic Resources Librarian, University of Central Florida
@cybrgrl #internetlibrarian
Page 2
Campus service. Researcher at home.
Page 3
Dreaded paywall. Publisher site. Campus service.
Page 4
The long confusing slog. Library server. Publisher site.
Page 5
Yet another login. Proxy server. Mediated requests. Publisher site. Library server.
Page 6
Perspective… VPN! Security. Access!
Page 7
Shibboleth daydreams
• Shibboleth is widely used by libraries and library vendors.
• Turn Shibboleth on and off in vendor admin
• Lots of user attributes shared
• Signed-in users will be able to use wild-web links
• Move between UCF systems without signing in
• Personalized experience
• Granular access control
Page 8
Different priorities. Enterprise: single sign on, managed IDs, security. But, library: access…
Page 9
Things I learned… Shibboleth is
• Standards based
• Open source
• Middleware
• Single sign-on across or within organizational boundaries.
• Created by InCommon, a sub-project of Internet2
https://shibboleth.net/about/
Page 10
Shibboleth in context
• Not-for-profit networking consortium
• For U.S. research and education communities
https://shibboleth.net/consortium/
Page 11
United Federation of Planets
• Operates the identity federation for Internet2
• Identity providers get single sign-on and privacy protection
• Service providers get access control
http://www.internet2.edu/products-services/trust-identity-middleware/incommon-federation
Page 12
Things I learned…
• Security Assertion Markup Language (SAML)
• XML-based communication of user authentication, entitlement, and attributes.
• SAML allows entities to make assertions about users to other entities, such as a partner company or another enterprise application.
https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=security
Page 13
Campus service. Teacher at home. User credentials. LDAP. Authentication.
Page 14
Campus service: internal dialog (user credentials; LDAP authentication / user info; attributes and assertions)
"Do you know this guy?"
"Check on this guy for me…"
"Yeah. Here's his name and other data."
"He is a UCF eduPerson."
"OK. He is entitled to my service."
"He gets a cookie."
Page 15
Meanwhile in I.T. …
Enterprise-wide federated ID and SSO:
• Learning management system
• OPAC/library accounts
• ILLiad
• EZproxy
Single sign on!!
Page 16
On to the library… Library server: "He has a cookie. Here are his attributes."
Page 17
External service providers
Library vendors in InCommon federation:
• HathiTrust
• EBSCOhost
• ProQuest
• EBL
• Elsevier
• JSTOR
• …
https://spaces.internet2.edu/display/InCLibrary/TargetResources
https://spaces.internet2.edu/display/InCLibrary/RegistryOfResources
"Enable, please!!"
"OK. They get our entityID, and we'll assert eduPerson."
Page 18
Paywall redux. Publisher site. ??!
Page 19
WAYF – Where Are You From. Publisher site.
Page 20
Single sign-on! "He has a cookie. I assert he is a UCF eduPerson." Publisher site.
Page 21
InCommon best practices for libraries
• Authorization via eduPerson attributes
• Implement WAYFless URLs
• Implement authenticated direct links to resources.
• Shibboleth-enable EZproxy
• Use Shibboleth-ready EZproxy starting point URLs
https://spaces.internet2.edu/display/InCLibrary/Best+Practices
Single sign on access!
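As an added example that is not part of the talk, here is how a service provider turns an IdP's eduPerson attribute assertion (the "I assert he is a UCF eduPerson" step) into the authorization decision the best practices call for. The SAML fragment, the IdP entityID and the scope mapping are constructed for illustration; it assumes the Shibboleth SP software has already verified the assertion's signature.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# eduPersonScopedAffiliation, in the OID form used for InCommon attribute release.
SCOPED_AFFILIATION = "urn:oid:1.3.6.1.4.1.5923.1.1.1.9"

# Constructed sample assertion; the issuer entityID is a placeholder, not UCF's real one.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>https://idp.example.edu/idp/shibboleth</saml:Issuer>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9">
      <saml:AttributeValue>member@ucf.edu</saml:AttributeValue>
      <saml:AttributeValue>student@ucf.edu</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Which scopes an IdP may assert comes from federation metadata, never from
# the assertion itself (constructed mapping for the sample IdP).
IDP_SCOPES = {"https://idp.example.edu/idp/shibboleth": {"ucf.edu"}}


def parse_assertion(xml_text):
    """Return (issuer entityID, {attribute name: [values]}) from an assertion."""
    root = ET.fromstring(xml_text)
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = attr.iterfind("saml:AttributeValue", NS)
        attrs[attr.get("Name")] = [v.text.strip() for v in values if v.text]
    return issuer, attrs


def is_entitled(xml_text, idp_scopes=IDP_SCOPES,
                allowed=("member", "student", "faculty", "staff")):
    """Grant access only for an allowed affiliation in a scope this IdP owns."""
    issuer, attrs = parse_assertion(xml_text)
    scopes = idp_scopes.get(issuer, set())
    for value in attrs.get(SCOPED_AFFILIATION, []):
        affiliation, _, scope = value.partition("@")
        # An IdP asserting a scope it does not own (per metadata) is ignored.
        if affiliation in allowed and scope in scopes:
            return True
    return False
```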
Page 22
EZproxy Shibb URLs
• EZproxy starting point URLs: https://login.ezproxy.ucf.edu/login?url=
• Shibbolized: https://login.ezproxy.ucf.edu/login?auth=shibb&url=
• Works well with LibX to proxy on the fly
• UCF deployed in: SFX, EBSCOhost Discovery… waiting to use in other services
Caveats:
• Some external systems are ready for this.
• Goes straight to the federated ID login - bypasses old library ID login.
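An added example, not from the talk, showing how the two EZproxy starting point URL forms on this slide are built and taken apart. It assumes EZproxy's rule that url= must be the last parameter, with everything after it taken literally as the target; the list of configured hosts is constructed.

```python
from urllib.parse import urlsplit

EZPROXY_LOGIN = "https://login.ezproxy.ucf.edu/login"   # the login URL from the slide


def starting_point_url(target, shibb=False):
    """Build a starting point URL; url= goes last so the target's own '?' and '&' survive."""
    prefix = "auth=shibb&url=" if shibb else "url="
    return f"{EZPROXY_LOGIN}?{prefix}{target}"


def parse_starting_point_url(url):
    """Return (auth value or None, target) for a starting point URL, else None."""
    base, sep, query = url.partition("?")
    if base != EZPROXY_LOGIN or not sep:
        return None
    head, sep, target = query.partition("url=")
    # url= must be the first parameter or directly follow an '&' (so "qurl=" is not url=).
    if not sep or (head and not head.endswith("&")):
        return None
    auth = None
    for param in head.rstrip("&").split("&"):
        if param.startswith("auth="):
            auth = param[len("auth="):]
    return auth, target


# Constructed stand-in for the hosts covered by EZproxy config stanzas.
CONFIGURED_HOSTS = {"www.jstor.org", "search.ebscohost.com"}


def target_is_proxiable(target):
    """EZproxy only proxies hosts present in its config; anything else is refused."""
    host = (urlsplit(target).hostname or "").lower()
    return host in CONFIGURED_HOSTS
```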
Page 23
Inevitable paywalls. LibX.
Page 24
One login. "He has a cookie. Here are his attributes." Publisher site. Proxy server. Mediated requests. Publisher site. LibX.
Page 25
Librarian Shibboleth summary
• Campus single sign-on with federated ID
• Lots of entry points from many UCF services
• Log in from one system may allow access to the other federation Shibboleth-enabled services
• WAYF on Shibboleth-enabled vendor sites
• Still need EZproxied links for most library content
• Shibboleth-enabled starting point URLs and LibX are a partial solution for seamless access
Page 26
Practical steps for librarians
• Ask I.T. to enable library partners
• Shibbolize EZproxy
• Explain VPN limitations to faculty
• Promote a custom LibX
• Ask vendors to participate in InCommon
Page 28
Selected glossary
• Assertion - the identity information provided by an identity provider to a service provider.
• Attribute - a single piece of information. Some attributes are general; others are personal. Some subset of all attributes defines a unique individual. Examples of an attribute are name and enrollment.
• Attribute statement - asserts that a subject is associated with certain attributes. An attribute is simply a name-value pair. Relying parties use attributes to make access-control decisions.
• Authentication statement - statement that the principal did indeed authenticate with the identity provider at a particular time using a particular method of authentication.
• Authorization decision statement - asserts that a subject is permitted to perform action A on resource R given evidence E.
• eduPerson - an LDAP object class to facilitate inter-institutional applications.
• entityID - ID that identifies an enterprise in a federation. Usually a URL that points to an XML file of info about the entity, such as the ID provider URL, and the network administrator.
• Federated identity - management of identity information between members of a federation.
• Identity provider (IdP) - the system that authenticates an entity.
• Service provider (SP) - makes online resources available to users based in part on information about them that it receives from other InCommon participants.
• Where Are You From (WAYF) - a server used by the Shibboleth software to determine what a user's home organization is.
http://en.wikipedia.org/wiki/Security_Assertion_Markup_Language#SAML_assertions
Page 29
Some links to play with
Direct links to articles:
• Intelligent libraries and apomediators: distinguishing between Library 3.0 and Library 2.0.
• Perspective volume rendered motion: gaining insights virtually
Proxied with auth=shibb:
• Intelligent libraries and apomediators
• Perspective volume rendered motion
Proxied without auth=shibb:
• Intelligent libraries and apomediators
• Perspective volume rendered motion