1. Implementing a Production HA Shibboleth IDP service
Rhys Smith, Cardiff University
2. Outline
- Implementing a production service
- Conforming to Tech' Recommendations
3. Implementing a ProdN Service
- Institutions planning a real-world production Shib IDP deployment:
  - Think beyond simple technical details
  - Consider higher level issues of design
  - Including HA and resiliency issues
- When your IDP server breaks (and it will), you're (technical terminology coming up) screwed!
4. Cardiff's setup (diagram: idp.cardiff.ac.uk fronted by a NetScaler; idp1.cf.ac.uk, idp2.cf.ac.uk and idp3.cf.ac.uk each running hashib with shared memory)
5. Cardiff's setup (con't)
- idp1 & idp2 - Physical servers - PowerEdge
- idp3 - VM on VMWare-ESX infrastructure; primarily for development, only occasionally in service
- Server up/down checking via idp.xml:
  - ...Shibboleth_StatusHandler... .+/shibbolethidp/Status
  - AVAILABLE if everything has loaded OK
6. Cardiff's setup (con't)
- Standard server stuff (CPU usage, memory usage, temperatures, etc.)
- Custom Perl scripts parse Shib log files
  - Exposed via custom SNMP OIDs
- Cacti (open source) monitoring solution already in place
- Email me for a copy of scripts/Cacti templates, etc.
7. Cardiff's setup (con't)
8. Tech' Recommendations
- Metadata (the list of who is in the federation):
  - CRON job to update overnight, every night
- Haven't implemented eduPerson in directory; use own attributes and map to eduPerson schema using resolver.xml
9. Tech' Recommendations (con't)
- eduPersonScopedAffiliation:
  - Mapped to CardiffFAMAffiliation attribute in our directory (webauth tree)
  - Provisioned by our IDM system
  - member if current staff, current student, current training grade doctor, or manually made member in IDM web interface
  - staff/student similarly IDM driven
10. Tech' Recommendations (con't)
- eduPersonTargetedID:
  - Simply using PersistentIDAttributeDefinition, linked to IDM IdentityNumber
  - Dynamically cryptographically creates an opaque, consistent TargetedID per user per resource
  - Mapped to cn attribute in our directory
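As an added illustration (not the deck's or Shibboleth's own code) of what the slide means by a cryptographically derived, opaque TargetedID that is consistent per user per resource: a keyed hash over the SP's entity ID and the IDM IdentityNumber. The entity IDs, identity number and salt below are constructed; HMAC-SHA-256 and the input layout are this example's own choices, not necessarily what PersistentIDAttributeDefinition does internally.

```python
import base64
import hashlib
import hmac

# Constructed sample values. A real deployment keeps the salt secret and
# identical on every IdP node (idp1/idp2/idp3), or users get different
# TargetedIDs depending on which node the NetScaler sends them to.
SALT = b"example-only-salt-do-not-reuse"
USER_ID = "1234567"  # stands in for an IDM IdentityNumber
SP_LIBRARY = "https://library.example.org/shibboleth"
SP_JOURNAL = "https://journals.example.net/shibboleth"


def compute_targeted_id(identity_number: str, sp_entity_id: str, salt: bytes) -> str:
    """Return an opaque, consistent per-user-per-SP identifier.

    Keyed hash over (SP entityID, internal user key). The same user at the
    same SP gets the same value on every login; a different SP gets an
    unrelated value, so SPs cannot correlate a user between themselves, and
    nobody without the salt can recover the IdentityNumber from the ID.
    The "sp!user" layout is this example's choice, not the IdP's format.
    """
    message = f"{sp_entity_id}!{identity_number}".encode("utf-8")
    digest = hmac.new(salt, message, hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def check_properties(identity_number: str, salt: bytes) -> dict:
    """Exercise the properties the slide relies on and report them."""
    first = compute_targeted_id(identity_number, SP_LIBRARY, salt)
    again = compute_targeted_id(identity_number, SP_LIBRARY, salt)
    other_sp = compute_targeted_id(identity_number, SP_JOURNAL, salt)
    other_user = compute_targeted_id(identity_number + "0", SP_LIBRARY, salt)
    rotated_salt = compute_targeted_id(identity_number, SP_LIBRARY, salt + b"x")
    return {
        "consistent_per_sp": first == again,
        "differs_between_sps": first != other_sp,
        "differs_between_users": first != other_user,
        # Operational caveat: changing the salt silently re-keys every user at
        # every SP, breaking saved searches and personalisation tied to the ID.
        "changes_if_salt_rotates": first != rotated_salt,
        "opaque_length": len(first),  # 44 chars of base64 for a 32-byte digest
    }


if __name__ == "__main__":
    print(compute_targeted_id(USER_ID, SP_LIBRARY, SALT))
    print(check_properties(USER_ID, SALT))
```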
11. Tech' Recommendations (con't)
- eduPersonEntitlement:
  - Mapped to CardiffFamEntitlements attribute in our directory
  - Provisioned by our IDM system where possible
  - Manually administered via IDM web interface otherwise
12. Tech' Recommendations (con't)
- Attribute Release Policies
  - Set to release minimum information (scopedAffiliation and TargetedID) unless specifically set otherwise
  - Release more if desired on a case by case basis
13. Authentication Options
- Tomcat a lot more user friendly for your users
14. (no text)
15. Shibboleth at Cardiff University
Zo Young, Subject Librarian
16. Overview
- Promotion and Communication
- What has happened so far?
- What's going to happen next?
17. Auditing of resources
- Resources tested for Shibboleth compliance.
  - Westlaw: generic usernames and passwords until new platform released
  - Lexis Nexis Professional should be moved to Butterworths
- Alerts, Saved Searches and Personalisation.
18. Promotion and Communication
- Emails about Shibboleth/CU Login sent to all Information Services staff
- Presentation on changes given to all library and helpdesk staff
- Documentation sent to all 18 libraries
- Web page: Off campus access
- Changes to databases page
- Subject Librarians cascaded information to all new students and staff
19. What has happened so far?
- New Training Grade Doctors
- Users with expired accounts or problems
- 53.35% of access to Athens e-resources is by CU login
20. What's going to happen next?
- 2nd July: changes to website to encourage remaining Athens users to switch
- Email to users with active Athens accounts
- Monitor use of Athens accounts over the next year and contact individual users to migrate.
- April 08: all Athens accounts expire
21. (no text)
22. (no text)
23. the end
- clarification of any points
- meaningful discussion about Shib
- meaningless discussion about Stanley Cup finals...