wiki:PennTech
Last modified 23/11/05 12:56:12

The full Shibboleth-based architecture that would be required for a fully functioning LionShare network across institutions in the UK is not yet in place. To assess the feasibility of LionShare under these circumstances it was decided that SPIRE should take a ‘3 pronged’ approach, with each prong acting as a proof of concept for one aspect of the overall feasibility of LionShare. Below are some brief notes on what is involved in each prong. DW=David White, DM=Derek Morr, MT=Mike Taylor, AV=Alex Valentine

Three Pronged Approach:


Prong 1. Early Adopter LionShare:

An authentication system which is independent of Oxford's security system, so that SPIRE can offer profiles to interested parties outside of Oxford University.

  • Set-up:

Based on an Active Directory realm rather than the separate Kerberos / LDAP system used in the University.

  • Elements:

AD realm running on Windows Server 2003 (MT)
A SASL-CA server running on Linux (SUSI) to provide certs for LionShare (DM)
A specific build of the LionShare client to connect to AD and to include the early adopter SASL-CA (AV)

  • Challenges:

First install of Active Directory based LionShare outside of Penn State
Version of Kerberos in SUSE was the Swedish one, not the one from MIT
Keytabs were easy to control because it was our own Active Directory, but this could be a challenge if the domain is controlled by another group
The SASL-CA server was set up by DM; we don’t know of any SASL-CA that hasn’t been installed by the original developer, although now that we have example config files etc. it might be possible for us to do it ourselves.

  • Proves:

This prong allows SPIRE to encourage an early adopter community for LionShare, to see how people react to / use the software.
That LionShare can work with AD, which makes it more feasible for smaller institutions, especially those that already use Windows-based authentication.

  • Omits:

The ability for the user to set access permissions on shared files, which is only available with Shib.
The tie-in of LionShare to the core systems of an HE institution.


Prong 2: Oxford LionShare:

This allows users who are members of Oxford University to use LionShare by authenticating with Oxford's ‘single sign-on’ system, Herald.

  • Elements:

SASL-CA on Linux for Oxford (DM)
A specific build of LionShare to talk to the Oxford SASL-CA (AV)
A connection to the Oxford LDAP via Kerberos (DM)

  • Challenges:

Getting permission to connect to the LDAP
Getting the right key(?) information
General communication with OUCS
Kerberos version (Swiss not American)

  • Proves:

That LionShare can tie into the core systems of an HE institution, and can use the University's single sign-on.

  • Omits:

Shib: because Oxford does not have Shib running at this level yet, which means that access controls will not work. Does not allow non-Oxford members to log on.


Prong 3: Shib test

LionShare connected to the SDSS test Shib federation. We did not have time to set this up during the week Alex and Derek were visiting from Penn State. Below are notes on what needs to be done to set up this Shibboleth version of LionShare.

  • Set-up:

Another SASL-CA(?)
Send certain info to Fiona to become an IdP for the SDSS federation
Easier to be our own IdP than to work with Francisco, who is the other person connecting to SDSS in Oxford (What is the name of his project?)
Install Shib 1.3
Thanks to Steve Carmody and others (?) for allowing this.
We have been trusted, and so some of the paperwork is not necessary
Need a new build of LionShare for this?

  • Challenges:

Having to do this while AV and DM are in Penn State!

  • Proves:

That LionShare can work with Shib; it gives us an opportunity to test the access control options.

  • Omits:

Everyone outside the SDSS realm.