Authentication in the Library

Last week, Paul and I sat down to list the IT resources that the library offer to staff and students are and how they authenticate users. We also identified services that allow us to customise the sign in experience in order to achieve at least stage one of our strategy for consistent sign in:

1) To ensure a single, consistent identity for each person, all library (and ICT) applications that we operate internally must have Active Directory sign-in instead of local databases. Almost all of our applications achieve this already.
(source Linkey bid document – section 3.1)

Before proceeding there is some jargon to explain:

  • SAM – A SAM (security accounts manager) ID is a user’s AD username. For staff this will generally be the first letter of their forename + their surname – e.g. for me this is abilbie. For students this is their student number – e.g. 01234567.
  • Password – This a user’s AD password.
  • Employee ID – for staff this is the ID number from our employee database. For students this is the same as their SAM ID.
  • SafeCom PIN – SafeCom is our printing authentication service we use here at the university. Each staff and student has their own PIN number which they use with their employee ID.

This is the list we came up with:

  1. Horizon Information Portal (HIP) – This service allows staff and students to interact with things they’ve borrowed or want to borrow, for example renewing and reserving books and viewing fines. We can edit XSL files which allow us to change the design of HIP. We can also add JavaScript files. HIP authenticates with a user’s employee ID and PIN number.
  2. library.lincoln.ac.uk – Hosted on our WordPress platform. We can completely customise every aspect of the site. Users sign in with their SAM ID and password.
  3. Blackboard – Our VLE. If a user is signed in it will provide infomation about their library account plus they can pay any fines. Digitised material stored is also stored in and access is granted based on a students’ course. Users sign in with their SAM ID and password.
  4. Clio – inter-library loans management website. Users sign in with their SAM ID and password. We can completely customise the experience.
  5. EPrints – our research repository. EPrints is open source so we can change anything. Users sign in with their SAM ID and password.
  6. EZProxy – allows for e-resources access based on IP address proxying. EZProxy is LDAP capable however it can inherit Blackboard/SharePoint authentication sessions. We can completely customise the experience.
  7. Open Athens LA (Local Authentication) – Enables users to securely access to online resources. Provides Athens->Athens, and Athens/SAML->UK Federation->SAML authentication. Users sign in with their SAM ID and password. This should be installed in the coming weeks. We think we can customise the experience.
  8. Resources that have their own username + password. A very subset of online resources the library subscribe don’t work with Athens or EZProxy and so give us a username and password to use. Users are directed to these services through our SharePoint site and are authenticate with these services in two ways:
  9. The username and password are automatically injected into the service’s authentication screen with a JavaScript script or
  10. The user is a presented with a 401 dialog and they have to manually enter the username and password.
  11. Thin Clients – The GCW library on the Brayford campus over the summer had a number of thin client computers installed. When physically in front of the computer users’ authenticate with their SAM ID and password but because these machines use virtual instances we could provide a “desktop in the browser” experience via UAG.
  12. Find it @ Lincoln – A search engine of journals and databases that we subscribe to that is hosted remotely by Ebsco. Authentication is delegated to EZProxy.
  13. RefWorks – Allows users to collect references. Authentication is via Athens. We can’t customise the look and feel of RefWorks itself but we hope we can customise how our Open Athens LA looks.
  14. Aspire – Reading List software provided by Talis. Authentication is via Athens. See above note about customising Athens LA.
  15. Journals A to Z / OpenURL resolver – As above
  16. Databases – A combination of Athens and EZProxy authentication.
  17. Printing – The physical printers in the library require authentication using a user’s employee ID and their PIN number.
  18. Self service kiosks – These kiosks authenticate users by requiring them to scan their staff/student card (which has a code 39 barcode of their employee ID and then typing in their PIN onscreen. We can’t customise this experience.
  19. Print top up kiosks – These kiosks authenticate users by requiring them to type in their SAM ID and password. We can’t customise this experience.

Visually of this looks like:

http://i.imgur.com/nEKo4.png

When the UAG is installed we should be able to easily hook up services that require SAM ID and password over LDAP. Other services that use alternative authentication such as HIP will require us to write some middleware that will translate between SAM ID + password to employee ID + PIN.

Assuming it is as simple as that, then when these services are hooked up to the UAG then the map will look like this:

http://i.imgur.com/dyV6C.png

The model assumes that eventually the UAG will be like a Gateway for users to access most resources.

LDAP inject means that once a user has authenticated with the UAG their SAM ID and password will be stored in a session, and then when the user visits a service that uses LDAP authentication to the AD, UAG will inject their username and password into the sign-in form and click the submit button for them. At the end of the day single sign-in is essentially a user experience which takes some of the pain with accessing resources away from them.

What is Microsoft Forefront Unified Access Gateway (UAG)?

Microsoft Forefront Unified Access Gateway (UAG) is a piece of server side software which provides secure access to corporate networks, systems and applications. It incorporates a number of different access technologies including VPN, HTTP reverse proxies and the Microsoft-developed technologies DirectAccess and Remote Desktop Services. Remote clients can access these corporate resources through a special web site that is hosted on an IIS server which is bound to the UAG software.

UAG includes built integrations for Microsoft Exchange Server (2003, 2007 and 2010), SharePoint Server (2003, 2007 and 2010), Remote Desktop Services and Citrix Presentational Services. It also includes a technology called SSL-VPN which allows for authentication integration with most 3rd party and custom software.

UAG can use a number of different authentication sources including Active Directory, LDAP, RADIUS and SecurID. Finally it can also “speak” SAML and ADFS.

Microsoft identifies a number of benefits of using UAG:

Forefront Unified Access Gateway (UAG) is designed to provide secure remote access in a way that extends application intelligence, security and control, and ease of use. Key benefits include:

Anywhere Access

Forefront UAG makes it easier to deliver secure remote access to your applications and resources, and improve employee and partner productivity, by combining an intelligent access policy engine with a variety of connectivity options including SSL VPN and Direct Access. Forefront UAG:

Empowers employees, partners, and vendors to be productive from virtually any device or location through integrated SSL VPN capabilities.
Delivers simple and secure access optimised for applications such as SharePoint, Exchange, and Dynamics CRM.
Extends networking connectivity with Windows Direct Access to existing infrastructure and legacy applications.

Integrated Security

Forefront UAG improves the security in remote access scenarios by enforcing granular access controls and policies that are tailored to the applications being published, the identity of the user, and the health status of the device being used. Forefront UAG further improves security by enabling strong authentication to applications and mitigating the risks of downloaded data from unmanaged devices. Forefront UAG:

Protects IT assets through fine-grained and built-in policies that provide access to sensitive data based on identity and endpoint health.
Easily integrates with Active Directory and enables a variety of strong authentication methods.
Limits exposure and prevent data leakage to unmanaged endpoints.

Simplified Management

Forefront UAG offers a single platform through which to deliver and manage remote access. With built in policies and configurations for common applications and devices, you can gain more control, more efficient management, greater visibility, and lower total cost of ownership. Forefront UAG:

Consolidates remote access infrastructure and management.
Simplifies deployment and ongoing tasks through wizards and built-in policies.
Reduces support costs by delivering a simplified connectivity experience for users.

Source: http://www.microsoft.com/en-us/server-cloud/forefront/unified-access-gateway.aspx

How UAG can help us

At the university we have a number of existing web based applications which will benefit from having UAG integration.

We currently have SharePoint and Exchange 2003 installations (which will soon be upgraded to 2010) which UAG can natively integrate with.

We use Blackboard Learn as our LMS and Zendesk as our support desk software, both of which have can use SAML for single sign on.

We are also looking into potentially using UAG as the access point for Windows 7 thin client access.

How can UAG work with OAuth?

As UAG can use SAML to communicate with services it means that we can use the OAuth 2.0 assertions specification to create a translation framework between SAML assertions and OAuth tokens. This will extend some of the work that we’ve originally done on our OAuth server and the updated code will be published.

One of the outcomes of this project will be a case study (with open source code examples) on how UAG and an OAuth server can work together (though because we don’t know how this may work at the moment it could be that it turns out they can’t work together…) and on this blog we will document our experience.