Access Management for Digital Libraries in a well-connected World

John Paschoud
SECURe Project
London School of Economics Library

ICDL 2004, New Delhi

• InfoSystems Engineer at the LSE Library - The British Library of Political & Economic Science (“the World’s largest library dedicated to the social sciences”)
• …responsible for applied research projects, with external funding (JISC, EC, SURF, NSF…)
• I am not a “Dr.”, but an “Eng.”(ineer)
• …so I have no competence to decide what should be in the digital library
• …but I do know how to build the shelves!

• Access Management – key to DL security
• Principles of Access Management
• What the UK has now: Athens, GRID PKI
• What the UK is moving towards
• Distributed technology: Shibboleth & SAML
• Demands on libraries & universities

Why is Access Management so
• Library users (and where they want to study from) more diverse
• Library resources (and where they are physically, legally held) more diverse
• Resource owners want to maximise $$$
• Users (researchers) need to maximise currency of their knowledge
• Libraries have limited $$$!

Principles of Access Management
• 4 processes:
  – Registration, AutheNtication, AuthoriZation,
• Membership institutions (university, library, etc) must control Reg and AuthN
• Resource hosts must control AuthZ
• Users must control own privacy (of attributes,
• Security must be appropriate (for value of resources protected)
• Scalability must be cross-domain, global
(mostly) after Clifford Lynch, Coalition for Networked Information

UK Current Assets
• Athens: username/password based service for unifying access to digital library resources
  – Mainly licensed via JISC consortium deals
  – Over 2 million current usernames
  – Username/password database; maintenance devolved to
  – Around 500 HE and FE institutions use the Athens service
  – Around 200 licensed resources are controlled via Athens
  – A high proportion of the major academic publishers have now implemented Athens
• UK e-Science CA: service for issuing digital certificates for access to Grid-type resources
  – Based on OpenCA software (with local modifications)
  – Verification of user identities carried out by trusted RAs around the community
  – Current scale of operation a few hundred certificates per year

UK current challenges
• Athens uses single centralised database of users, and its own, proprietary protocols
  – Little international take-up as yet
  – Design lacks the flexibility and scalability of more recent approaches
• e-Science CA is similarly centrally administered, and hard to scale up

UK current actions
• AAA Programme (2002-2004)
  – Experiments with newer AM technologies and architectural models
  – (SECURe Project was the main vehicle to test and liaise with Shibboleth
• Foundation studies (2004):
  – Digital Rights management
  – Institutional Profiling
  – Single sign-on technologies
  – Feasibility of a national certificate issuing service
  – Policy management with PERMIS
  – Assessment of eduPerson & similar schemas
• Core Middleware Programme (2004-2006)
  – Invites larger-scale experiments, tackling problems like “virtual organisations” of users, and secure resource access via university or library portals
• New Shibboleth-based service infrastructure (2004-2006)

What is Shibboleth? (ancient)
• A word which was made the criterion by which to distinguish the Ephraimites from the Gileadites. The Ephraimites, not being able to pronounce “sh”, called the word sibboleth.
  See: Judges xii (Jewish or Christian Bible)
• Hence, the criterion, test, or watchword of a party; a party cry or pet phrase.
  Webster's Revised Unabridged Dictionary (1913)
after Michael Gettes, Duke University & Shibboleth Project Team

What is Shibboleth? (modern)
• An initiative to develop an architecture and policy framework supporting the sharing - between domains - of secured web resources and services
• A project delivering an open source implementation of the architecture and framework
• Deliverables:
  – Software for Origins (campuses)
  – Software for Targets (vendors)
  – Operational Federations (scalable trust)
after Michael Gettes, Duke University & Shibboleth Project Team

Shibboleth Goals
• Use federated administration as the lever; have the enterprise broker most services (authentication, authorization, resource discovery, etc.) in inter-realm
• Provide security while not degrading privacy.
  – Attribute-based Access Control
• Foster interrealm trust fabrics: federations and virtual
• Leverage campus expertise and build rough consensus
• Influence the marketplace; develop where necessary
• Support for heterogeneity and open standards (SAML++)
after Michael Gettes, Duke University & Shibboleth Project Team

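The “Operational Federations (scalable trust)” deliverable and the “interrealm trust fabrics” goal above both rest on one mechanism: a Target trusts any Origin listed in the federation’s metadata, so adding a campus means adding a metadata entry rather than a new bilateral agreement. The following is an added example, not code from the slides or from the Shibboleth software, that models that check. Real Shibboleth carries assertions as SAML XML signed with the Origin’s certificate; the HMAC tag here stands in for that XML signature, and every entityID, key, attribute value and timestamp is constructed for the demo.

```python
# Added example (not from the slides or the Shibboleth project): a toy model of
# "federation as scalable trust". A target accepts an attribute assertion only if
# its issuer is in federation metadata, the signature checks, it is addressed to
# this target, and it is inside its validity window.
import hmac
import json
import time
from hashlib import sha256

# Federation metadata: entityID -> signing key. Constructed values; a real
# federation publishes X.509 certificates here, not shared secrets.
FEDERATION_METADATA = {
    "https://idp.lse.example/shibboleth": b"lse-signing-key",
    "https://idp.switch.example/shibboleth": b"switch-signing-key",
}

TARGET_ENTITY_ID = "https://publisher.example.com/shibboleth"  # constructed
ASSERTION_LIFETIME = 300  # seconds; a constructed policy value


def _canonical(payload):
    """Deterministic serialisation so origin and target sign exactly the same bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def issue_assertion(issuer, signing_key, audience, attributes, now=None):
    """Origin side: build and sign an attribute assertion addressed to one target."""
    now = time.time() if now is None else now
    payload = {
        "issuer": issuer,
        "audience": audience,
        "not_before": now,
        "not_on_or_after": now + ASSERTION_LIFETIME,
        "attributes": attributes,
    }
    tag = hmac.new(signing_key, _canonical(payload), sha256).hexdigest()
    return {"payload": payload, "signature": tag}


def verify_assertion(assertion, metadata=FEDERATION_METADATA, audience=TARGET_ENTITY_ID, now=None):
    """Target side: returns (ok, reason, attributes); attributes is {} unless ok."""
    now = time.time() if now is None else now
    payload = assertion.get("payload", {})
    key = metadata.get(payload.get("issuer"))
    if key is None:
        # Unknown origin: nothing else is worth checking, the federation does not vouch for it.
        return False, "issuer not in federation metadata", {}
    expected = hmac.new(key, _canonical(payload), sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion.get("signature", "")):
        return False, "bad signature", {}
    if payload.get("audience") != audience:
        # A valid assertion meant for another target must not be replayed here.
        return False, "assertion addressed to another target", {}
    if not (payload["not_before"] <= now < payload["not_on_or_after"]):
        return False, "outside validity window", {}
    return True, "ok", payload["attributes"]


if __name__ == "__main__":
    origin = "https://idp.lse.example/shibboleth"
    good = issue_assertion(origin, FEDERATION_METADATA[origin], TARGET_ENTITY_ID,
                           {"eduPersonAffiliation": ["member"]})
    print(verify_assertion(good))
    # An origin the federation does not list is rejected even with a well-formed assertion.
    unlisted = issue_assertion("https://idp.unlisted.example/shibboleth", b"any-key",
                               TARGET_ENTITY_ID, {})
    print(verify_assertion(unlisted))
```

The order of the checks is deliberate: membership first, because an issuer outside the federation has no key the target should even try; then integrity, then audience and time, so that a genuine assertion captured on one target cannot be replayed on another or after it expires.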
Attribute-based Authorization
• Identity-based approach
  – The identity of a prospective user is passed to the controlled resource and is used to determine (perhaps with requests for additional attributes about the user) whether to permit access.
  – This approach requires the user to trust the target to protect privacy.
• Attribute-based approach
  – Attributes are exchanged about a prospective user until the controlled resource has sufficient information to make a decision.
  – This approach does not degrade privacy.
after Michael Gettes, Duke University & Shibboleth Project Team

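The two slides “Principles of Access Management” and “Attribute-based Authorization” together describe a division of labour: the membership institution registers and authenticates the user, the resource host decides access, and the user keeps control over which attributes leave the campus. The following is an added example, not code from the slides or the Shibboleth project, that models both approaches side by side so the privacy difference is visible in what each target ends up holding. Attribute names follow the eduPerson schema the deck mentions; the entityIDs, passwords, directory entries and release policy are constructed for the demo.

```python
# Added example (not from the slides or the Shibboleth project): identity-based
# versus attribute-based authorisation, with the Principles slide's split of
# responsibilities. Directory entries, passwords and entityIDs are constructed.
from hashlib import sha256

# --- Origin (campus) side: registration and authentication are its job ----------

# Constructed identity store; in a real deployment this is the institutional directory.
DIRECTORY = {
    "jsmith": {
        "password_sha256": sha256(b"correct horse").hexdigest(),
        "displayName": "J. Smith",
        "mail": "j.smith@example.ac.uk",
        "eduPersonAffiliation": ["staff", "member"],
        "eduPersonEntitlement": ["urn:mace:example.ac.uk:econ-journals"],
    },
    "guest1": {
        "password_sha256": sha256(b"visitor").hexdigest(),
        "displayName": "Visiting Reader",
        "mail": "guest1@example.ac.uk",
        "eduPersonAffiliation": ["affiliate"],
        "eduPersonEntitlement": [],
    },
}

# Attribute Release Policy: per target entityID, which attributes the origin will
# hand over. Everything else stays on campus; this is where user privacy is enforced.
RELEASE_POLICY = {
    "https://publisher.example.com/shibboleth": {"eduPersonAffiliation", "eduPersonEntitlement"},
    "https://portal.example.ac.uk/shibboleth": {"eduPersonAffiliation", "displayName", "mail"},
}


def authenticate(username, password):
    """Origin-side AuthN: True only if the constructed credential matches."""
    entry = DIRECTORY.get(username)
    return entry is not None and entry["password_sha256"] == sha256(password.encode()).hexdigest()


def release_attributes(username, target):
    """Origin-side attribute release: apply the policy for this target, nothing more."""
    allowed = RELEASE_POLICY.get(target, set())  # unknown target -> release nothing
    entry = DIRECTORY[username]
    return {name: entry[name] for name in allowed if name in entry}


# --- Target (resource host) side: authorisation is its job ------------------------

def target_policy(attrs):
    """Resource-host AuthZ on attributes alone: a licensed affiliation, or an entitlement."""
    licensed = {"staff", "student", "faculty"}
    if licensed & set(attrs.get("eduPersonAffiliation", [])):
        return True
    return "urn:mace:example.ac.uk:econ-journals" in attrs.get("eduPersonEntitlement", [])


def identity_based_access(username, password, target):
    """Identity-based approach: the target learns who the user is and pulls the record."""
    if not authenticate(username, password):
        return {"allowed": False, "disclosed": set()}
    full_record = {k: v for k, v in DIRECTORY[username].items() if k != "password_sha256"}
    # The target now holds the identity plus every attribute it asked for.
    disclosed = {"username"} | set(full_record)
    return {"allowed": target_policy(full_record), "disclosed": disclosed}


def attribute_based_access(username, password, target):
    """Attribute-based approach: the target sees only released attributes, no identity."""
    if not authenticate(username, password):
        return {"allowed": False, "disclosed": set()}
    attrs = release_attributes(username, target)
    return {"allowed": target_policy(attrs), "disclosed": set(attrs)}


if __name__ == "__main__":
    publisher = "https://publisher.example.com/shibboleth"
    for name, pw in [("jsmith", "correct horse"), ("guest1", "visitor"), ("jsmith", "wrong")]:
        print(name, "identity-based:  ", identity_based_access(name, pw, publisher))
        print(name, "attribute-based: ", attribute_based_access(name, pw, publisher))
```

Both approaches reach the same access decision for the same user, which is the point: the resource host never needed the name or e-mail address to decide, so the attribute-based path gives the publisher exactly what its licence check requires and the institution keeps the rest.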
How does it work?

Hmmmm…. It’s magic.
(or: You can ask me later)
after Michael Gettes, Duke University & Shibboleth Project Team

How does it work?

after SWITCH, Switzerland

Who else is interested?
• US NSF (they have paid for most of it)
• SWITCH, Switzerland (they have a whole-country Shibboleth Federation already)
• SURF, Netherlands
• Many resource owners (they need to follow what their market is doing)
• Many software suppliers (WebCT, Blackboard, uPortal)

Challenges for Libraries
• Reliable Access Management will be a
• “installing Shibboleth” is easy, but…
• To do Access Management, a university or library also needs:
  – Identity Management: directories of users and attributes (and all the technical infrastructure)
  – Policies on user privacy and vendor licences
  – To collaborate, forming national or international federations for access to resources
• Middleware is invisible (when it works!) – so justifying costs to management is not easy


Project info: