Single Sign On
Single sign on, more than a single step.
Robert Stockton, [email protected]

Introduction

The initial plan:
- Single sign-on for all our resources
- Remove students having to sign in again to Athens, as they forget and believe some resources are not available
- Allow direct links to material from the VLE
- Single point of contact for resources for staff and students
- Provide a platform for context-aware personalised messages for staff and students

Challenges
- No budget for high-end "connect it all together" solutions
- Limited knowledge in house
- Didn't want to break anything on the way!

Original Setup
- Services in multiple locations
- Not always obvious what we provide
- Many logon boxes to use, which encourages people to type credentials in anywhere they see a logon box
- Mixture of:
  - LDAP authentication
  - Athens DA authentication
  - ADFS
  - Proprietary logons

Logins Logins Logins!
- Student records, Email (ADFS), Moodle, Panopto, Staff Directory, ClickView, Student Downloads
- Security: we are teaching users to use any box they get presented with.

Initial working diagram

Outdated original AthensDA setup, which used a WAYF

[Flow diagram; labels: Show Resource via browser to the user; Wrexham Glyndwr My Athens Portal; Is the user authorised? (Open Athens) (Yes / No); Attempt to Access Resource; Student / Staff; Authenticated against AD via a classic ASP page hosted at Glyndwr]

The vision
- Centralise authentication services in one place
- Remove multiple login boxes
- Standardise username presentation: sometimes we have @glyndwr.ac.uk or @mail.glyndwr.ac.uk or just student ID without e-mail details
- Enter credentials once only
- Improve security, build a platform for 2 Factor Auth

So where next
- We approached ProofID for some guidance and consultancy
- They advised there was no single solution (without buying an expensive commercial product) which would provide SAML2 and ADFS integration at the time.
- We decided to move forward with SAML2 for Library resources and Moodle so links between the two worked better when providing click-through reading lists etc.
- We implemented SAML2 using ProofID (Salford software) but had issues and delays and also needed to move all SPs from Athens federation to the Shib federation.
- In the process of talking to Eduserv about moving. Eduserv now promised they had a single solution which married ADFS and SAML2, not on the table when we started with ProofID.

So back to Eduserv
- The solution would use ADFS for authentication for the SAML2 process. Killing two birds with one stone.
- Create ADFS linked with OpenAthens SAML2
- Create a user portal with OpenAthens SP which would be the landing logon for all users

Our setup with Athens and ADFS and Athens SP

[Flow diagram; labels: ADFS https://gufs.glyndwr.ac.uk/adfs/ls/; Show resource; Student / Staff; Attempt to Access Portal; Access Portal site; Attempt to access a resource; Access Glyndwr Resource; Example: Email, Open Athens etc; Attribute release Username; SAML token exists? (Yes / No); Athens SP]

Trust setup between our ADFS and the OpenAthens Federation and the UK Access Management Federation

Project go live date
- Project start date: June 2015
- Beta testing completed: August 2015
- Go live date was for Sept 15/16 academic year
- Go live now this summer ready for 16/17

Why the delay?

Problems: ADFS personalisation
- When logging into a resource via OpenAthens, an ID (5 digit number) is attached to the account. This identifies users in external resources.
- Initial thought was that this would affect all our resources; thankfully only three resources were affected

First attempt to go live
- We didn't realise that the legacy OpenAthens ID would be a problem
- Reversed out change (quickly)
- Added an attribute into Active Directory with the old ID
- Released this via ADFS

Second attempt to go live
- DawsonEra: worked successfully
- ScienceDirect: worked successfully
- Refworks: unsuccessful, reversal required

Third attempt to go live
- Looked at options: launch with a dual login (old and new Athens) to get around the Refworks problem of not allowing two IDs. This was not a runner in the end.
- Needed to fix the Refworks issue.

Refworks
- Refworks has personalization, i.e. a user account for those that use it.
- Changing the token ID would orphan accounts
- Students have left for the summer so no asking them to archive references during handover.
- This has taken since Nov 2015 to resolve, with constant chasing
- Refworks didn't support standard attributes so we could not seamlessly use old DA attribute and new ADFS attribute to keep bookmarks
- 5 digit ID code with DA; now we use new ID code.
- Other SPs such as Dawsons Era and Science Direct worked fine.
- We did not want to lose all student Refworks details (would not look good)
- Refworks has given us a list of accounts with name and e-mail address (some are private e-mail, not university)
- They have no actual student ID with the account.
- We had to manually log on to several thousand accounts and export references ready to import after handover!

Delays with the project: Athens SP
- We had to wait for our test environment to be set up (month, had to move ADFS in their registration space)
- It took some time to work out the flow of traffic to the new MyUni Portal (dev time month)
- Configuration issues, not knowing the Athens SP product
- All these did add to the delay of the project

Other issues
- We are going to be the first institute to switch over from Athens DA to ADFS authentication (over 40 institutions in the UK still using DA)
- Always nice to be the first?
- Eduserv had their own technical issues implementing the test environment

So where are we now
- myuni.glyndwr.ac.uk
- Centralised portal without SSO
- Simplified logon for ADFS users

Modified ADFS logon script
- Users of ADFS no longer have to type in [email protected] or staff with [email protected]
- They can just type in S123456 or staffname and password.
- See Technet: Advanced Customization of AD FS Sign-in Pages https://technet.microsoft.com/en-us/library/dn636121(v=ws.11).aspx

Have we finished?
- No
- But we're almost there
- SSO planned to all be working by July

What next - The future
- Location specific headers
  - Wrexham
  - London
  - Staff
- Multi-Factor Authentication with ADFS to improve security
- Customised information to all our students and staff

Questions?
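
The simplified logon described under "Modified ADFS logon script" comes down to expanding a bare ID into one canonical login name before the form is submitted. The following is an added example, not the university's script or code from the Technet article: the function name, the `example.ac.uk` placeholder suffix and the sample inputs are assumptions.

```javascript
// Added example: canonicalise what a user types into the sign-in box.
// UPN_SUFFIX is a placeholder (assumption); substitute the real suffix.
const UPN_SUFFIX = 'example.ac.uk';

// Bare account names: letters, digits, dot, hyphen, underscore only.
const BARE_NAME = /^[A-Za-z0-9._-]{1,64}$/;

/**
 * Returns { ok: true, value } with the login name to submit,
 * or { ok: false, reason } when the input should be rejected client-side.
 */
function normaliseUsername(raw, suffix = UPN_SUFFIX) {
  const typed = String(raw ?? '').trim();
  if (typed === '') return { ok: false, reason: 'empty' };

  // DOMAIN\user form: already qualified, leave it untouched.
  if (typed.includes('\\')) return { ok: true, value: typed };

  const at = typed.indexOf('@');
  if (at === -1) {
    // Bare ID such as S123456 or staffname: append the suffix.
    if (!BARE_NAME.test(typed)) return { ok: false, reason: 'invalid characters' };
    return { ok: true, value: `${typed.toLowerCase()}@${suffix}` };
  }

  // Already qualified: exactly one '@' with a name on both sides.
  const local = typed.slice(0, at);
  const domain = typed.slice(at + 1);
  if (!BARE_NAME.test(local) || domain === '' || domain.includes('@')) {
    return { ok: false, reason: 'malformed address' };
  }
  // Keep the suffix the user chose; only the case is normalised.
  return { ok: true, value: `${local}@${domain}`.toLowerCase() };
}
```

On the sign-in page this would be called on the username field from the page's custom script before the form is submitted; the server still validates the credentials, so the client-side check only standardises what is sent.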