EZproxy Authentication
Transcription
EZproxy Authentication
Authentication for WorldShare Management Services Revised March 3, 2015 Table of Contents Purpose ................................................................................................................................................................................... 2 Certificates .............................................................................................................................................................................. 2 Information you send so OCLC can install a certificate ...................................................................................................... 2 Issues that cause loss of access to WMS ............................................................................................................................ 2 Scheduling an OCLC install of a certificate .......................................................................................................................... 2 Offline Circulation client ..................................................................................................................................................... 3 User Authentication (patron & staff) ...................................................................................................................................... 4 1 CAS Authentication .......................................................................................................................................................... 4 2 LDAP Authentication ........................................................................................................................................................ 5 Shibboleth Authentication .................................................................................................................................................. 6 EZproxy Authentication .......................................................................................................................................................... 7 1 OCLC IDM and EZproxy .................................................................................................................................................... 7 2 EZproxy and WMS Third Party Authentication (LDAP, CAS, or Shibboleth) .................................................................... 7 3 Before you begin .............................................................................................................................................................. 7 4 Integration process .......................................................................................................................................................... 7 5 Testing and Support ......................................................................................................................................................... 9 Purpose This document provides instructions to the library on how to set up CAS, LDAP, Shibboleth, or EZproxy authentication. Certificates Third-party authentication services (LDAP, CAS, Shibboleth, etc.) use webserver certificates for security handshakes with other services. In this context, there are two kinds of certificates: 1. Certificates created with a commercial Certificate Authority (CA). OCLC can recognize these without further information from you. 2. "Self Signed" certificates. OCLC needs the Certificate Authority your Information Technology department used to sign the certificate. Certificates are valid for a limited time. If self-signed certificates expire or are updated without informing OCLC, you lose access to WMS. Information you send so OCLC can install a certificate Your Information Technology department must send OCLC the Certificate Authority (CA) certificates for your third-party authentication services. Using CA certificates can reduce the risk of an expiring certificate causing a service outage. Before installing a certificate at your library, send this information to [email protected]: 1. CA certificates in Private Enhanced Mail (PEM) format 2. The expiration date and predicted date of installation of the certificate at your institution a. Certificates are usually valid from 1 to 5 years b. CA certificates can be valid for up to 20 years c. If sending self-signed certificates, make them valid for as long as possible (5 years minimum) 3. Any of the situations listed in Issues that cause loss of access to WMS Issues that cause loss of access to WMS To ensure access to WorldShare Management Services (WMS), you must notify OCLC ([email protected]) prior to any changes to your library’s self-signed certificates or configuration, such as: 1. 2. 3. 4. 5. 6. 7. Certificates expire Certificates are updated Certificates are changed, which means the CA certificates/intermediate (chained) certificates are no longer valid Updates to the bind user’s name or password Port changes IP address changes In some cases, OCLC needs to adjust firewall access a. If your LDAP configuration requires a bind user for interoperation, work with your IT department to choose a suitable duration and expiration date for the bind user. If the bind user expires, authentication to OCLC services will fail Scheduling an OCLC install of a certificate OCLC must schedule an install to update a certificate. Installs can usually be scheduled no sooner than two weeks after OCLC receives your email containing the information listed above. OCLC can install certificates in advance of their installation at your library without interrupting your access to WMS. If you have lost access to WMS as a result of an expired or updated certificate, send the information listed above to OCLC Support so OCLC can restore WMS. Authentication.docx 2 March 3, 2015 Offline Circulation client Install the Offline Circulation client as a precautionary measure. The client allows you to circulate items if WMS is not accessible. More information on Offline circulation is available here: 1. Set up the Offline Circulation client: http://www.oclc.org/support/help/circulation/default.htm#Checkin_checkout/offline_client.htm (Includes requesting a WS key) a. Set-up Offline Circulation Tutorial (sign in required): https://www.oclc.org/support/worldsharemanagement-services/tutorials/setting-offline-circulation-client-tutorial (Includes requesting a WS key) b. Using Offline Circulation Tutorial (sign in required): https://www.oclc.org/support/worldsharemanagement-services/tutorials/using-offline-circulation-tutorial Authentication.docx 3 March 3, 2015 User Authentication (patron & staff) 1 CAS Authentication Follow this checklist to set up your institution’s CAS system for patron and staff authentication. CAS versions other than CAS2 may not be supported. Contact OCLC to confirm support of your version of CAS. Test and production servers OCLC strongly recommends setting up a test server and a production server for security and patron privacy reasons. 1. Confirm OCLC access for your institution’s CAS server OCLC works with your institution to access your servers from these OCLC URLs: Environment Test OCLC server URL https://authn.sd00.worldcat-ci.dev.oclc.org/wayf/metaauth-ui/cmnd/protocol/acs/saml2 https://authn.sd00.worldcat-ci.dev.oclc.org/wayf/metaauth-ui/cmnd/protocol/acs/cas2 Production https://authn.sd00.worldcat.org/wayf/metaauth-ui/cmnd/protocol/acs/cas2 2. Provide contact information, URLs, account credentials, and IP addresses Send this information for your test or production accounts to your OCLC Implementation manager: a. Contact information for your CAS server administrator b. URLs for your CAS servers c. The range of IP addresses for CAS servers and any failover and backup environments (OCLC uses these addresses to ensure continuous service) d. Username and password for your CAS servers. Note: The username and password for your production server must be retained after set up is complete so OCLC can provide ongoing support. OCLC will set up the appropriate configuration to test authentication in test and production environments. Note: If a non-standard port is used, a firewall change is required. 3. Confirm connection to the test environment and approve access to CAS production server After OCLC confirms the connection to the test URLs, you approve access to your CAS production URLs. 4. Prepare for ongoing updates for your patron data files. Using CAS authentication with WMS requires that you provide the CAS identifier in your patron data file. Use the Patron Persona XML schema for sending patron data: https://www.oclc.org/support/worldshare-management-services/documentation/data-migration/patron-personaxsd-elements Required patron XSD element idAtSource Data We need to have a persistent identifier for each patron. Provide an eduPersonTargetedId if at all possible. http://www.internet2.edu/media/medialibrary/2013/09/04/internet2-mace-direduperson-200806.html sourceSystem entityId uniquely indicating the system the patron data came from. If you do not already have one, OCLC can provide a suggestion. Note: Make sure that the production test user is always included in your patron data (from note in step 2d). Authentication.docx 4 March 3, 2015 Patrons who are not in your CAS system WMS currently offers single-source authentication. If there is no CAS record available, the patron record will have to be created in the WMS system. These users will not be able to log-in to WMS, but they can still check out items. 2 LDAP Authentication Follow this checklist to use your institution’s LDAP system for patron and staff authentication. OCLC only supports secure LDAP implementations. Contact OCLC to confirm support for your implementation of LDAP. Test and production servers OCLC strongly recommends setting up a test server and a production server for security and patron privacy reasons. Checklist 1) Open ports in your institution’s firewall for OCLC IP addresses: 132.174.8.0/24 and 132.174.100.8 (Production) 198.137.189.0/24 (Hot site and Pre-production testing) 132.174.100.114 and 132.174.255.6 (Development servers for first round of testing) 2) Provide URLs, IP addresses, credentials, and SSL and LDAP information Send this information for your test and production accounts to your OCLC Implementation Manager: a. Contact information for your LDAP administrator b. URL. If the production URL starts with “ldap:” rather than “ldaps:”, then LDAP with StartTLS will be assumed. c. Range of IPs for your LDAP server(s) (include the current server and any failover or backup environments) d. Credentials (username and password). Send bind user and passwords if they are required. Send test credentials for each environment to be integrated (test and production). The username and password for your production server must be retained after set up is complete so OCLC can provide ongoing support. e. Required SSL information i. Provide the Certificate Authority (CA) certificate(s) for the SSL server certificate for your LDAP server. Updated, expired, or changed certificates break LDAP. Notify OCLC of any certificate changes before making them. f. Required LDAP information: i. cnAttributeId: The name of the attribute you will use to supply a username ii. idAttributeId: The name of the attribute you will use to supply the persistent user id, which could be the same as above, but we would much prefer an opaque identifier such as a eduPersonTargetedId. iii. baseDN: please provide two examples of the distinguished name for users in your system. 3) Prepare for ongoing updates for your patron data files. Using LDAP authentication with WMS requires that you provide the LDAP account identifier in your patron data file. Use the Personas XML schema for sending patron data: https://www.oclc.org/support/worldshare-management-services/documentation/data-migration/patron-personaxsd-elements Required patron XSD element idAtSource sourceSystem Data This is the persistent id for the user as given in the idAttribute The entityId uniquely indicating the system the patron data came from. If you do not already have one, OCLC can provide a suggestion. Note: Make sure that the production test user’s patron data record is always included in your patron data file (from step 2d). Authentication.docx 5 March 3, 2015 Patrons who are not in your LDAP system WMS currently offers single-source authentication. If there is no LDAP record available, the patron record will have to be created in the WMS system. These users will not be able to log-in to WMS, but they can still check out items. Using EZproxy Contact [email protected] to request assistance. If you manage your own EZproxy server, OCLC will provide you with a configuration file that you can install on your server. If you are a Hosted EZproxy customer, OCLC will make the configuration changes on your behalf. See section “2 EZproxy Authentication” (below) for more information. Shibboleth Authentication OCLC provides authentication support for WMS using your Shibboleth Identity Provider (IdP). This configuration provides Shibboleth compliant interaction and does not require firewall changes at your institution. OCLC’s IDM looks like a standard Shibboleth Service Provider (SP) to your Shibboleth IdP. 1) Information required from your institution OCLC configure access in both a development and production environment. Each environment requires: a. Contact information for your Shibboleth administrator b. Shibboleth-related metadata. This metadata usually defines Shibboleth endpoints and contains the relevant security certificates. Normally this data also contains the IdP’s entity ID. c. Valid credentials (username and password) for testing d. Persistent Id which will be presented from Assertion/Subject/NameID from the institution’s SAML response 2) Information OCLC will give your institution a. The entity ID for our SP. It will be the same for the test and development environments. b. Shibboleth-related metadata 3) Implementation steps a. Exchange Shibboleth-related metadata as described above b. Confirm connectivity to development environment c. Ensure your patron data is loaded into the production environment (the production install cannot be performed until this step is complete) d. Confirm connectivity to production environment e. Negotiate production install date with OCLC f. Confirm any support for single logout as implied by the institution’s metadata 4) Prepare for ongoing updates for your patron data files. Using Shibboleth authentication with WMS requires that you provide the Shibboleth identifier in your patron data file. Use the Patron Persona XML schema for sending patron data: https://www.oclc.org/support/worldshare-management-services/documentation/data-migration/patronpersona-xsd-elements Required patron XSD element idAtSource sourceSystem Data This identifies your Shibboleth user to OCLC IDM. We expect this to be an eduPersonTargetedId. The entity ID of your IdP Note: Make sure that the test user is always included in your patron data. Patrons who are not in your Shibboleth system WMS currently offers single-source authentication. If there is no Shibboleth record available, the patron record will have to be created in the WMS system. These users will not be able to log-in to WMS, but they can still check out items. Authentication.docx 6 March 3, 2015 EZproxy Authentication 1 OCLC IDM and EZproxy The OCLC Identity Management Infrastructure (IDM) provides standards-based, scalable, secure authentication, authorization, and patron data services for Worldshare Management Services and other OCLC services. This infrastructure is implemented as a Shibboleth-compliant SAML V2 service. EZproxy is configured to authenticate to WMS using the Shibboleth authentication directives. In the EZproxy configuration, EZproxy serves as a Shibboleth Service Provider and the OCLC IDM infrastructure serves as the Identity Provider (IDP) for WorldShare Management Services. Note: EZproxy cannot be used as the Authentication source for WMS. 2 EZproxy and WMS Third Party Authentication (LDAP, CAS, or Shibboleth) If you are using WMS third party authentication and you are using your institution’s LDAP, CAS, or Shibboleth server for staff and patron authentication, then you can configure EZproxy using the following options: 1. LDAP If you are using your institution’s LDAP server, you can configure EZproxy either to directly access your LDAP server via EZproxy’s LDAP:: configuration statements or to access WMS. a. If you configure EZproxy to directly access your LDAP server, then your staff and patrons will see the EZproxy login screen and will enter their LDAP credentials. b. If you configure EZproxy to authenticate against WMS, then you have the added benefit of having single sign-on between EZproxy and WMS. Since WMS is configured to authenticate against your LDAP server, your staff and patrons will use their LDAP credentials in WMS and EZproxy. In this case, your EZproxy users will see the WMS login screen and will enter their LDAP credentials. 2. Shibboleth or CAS If you are using your institution’s Shibboleth or CAS server, then you configure EZproxy to directly access your institution’s Shibboleth or CAS server using EZproxy’s Shibboleth or CAS directives. 3 Before you begin This document assumes that your EZproxy administrator understands: Basic Shibboleth vocabulary and concepts How to configure Shibboleth Service Provider facilities using EZproxy How to configure Shibboleth authentication using EZproxy Security certificates EZproxy must be installed with a web server certificate so it can provide secure login (https/SSL). This certificate should not be a self-signed certificate. If you use Option ProxyByHostname, use a wild-card certificate. Shibboleth requires a certificate be installed into EZproxy for Shibboleth signing and encryption processes. Use the EZproxy Administer Certificates facility to generate a long-lived (5-10 year) self-signed certificate for this purpose. System requirements EZproxy version 5.6 or higher 4 Integration process In order to connect your EZproxy server (a Shibboleth Service Provider) to the IDM system used by WMS (a Shibboleth Identity Provider), the information below needs to be exchanged between OCLC and your institution. Authentication.docx 7 March 3, 2015 Information you send to OCLC 1. Send your Shibboleth 2.0 Assertion Consumer Service (ACS) URL to your WMS Implementation manager. a. Login to your institution’s EZproxy system as an Administrator. The ACS URL is on the Manage Shibboleth page. Example: Configuration Information Shibboleth 1.3 Assertion Consumer Service URL Shibboleth 2.0 Assertion Consumer Service URL https://login.vcfal.idm.oclc.org/Shibboleth.sso/SAML/POST https://login.vcfal.idm.oclc.org/Shibboleth.sso/SAML/POST Information OCLC sends you: This information is handled differently, depending on your version of EZproxy: EZproxy version Licensed (installed at institution) Hosted How changes are handled OCLC sends files as below OCLC changes files for you Procedure for licensed Ezproxy users If you are a licensed EZproxy site with EZproxy running at your institution, OCLC will supply you with the following files: a. Certificate and key that you will install as your Shibboleth encryption and signing key. Since the key needs to be private and secure, OCLC will arrange a secure transfer mechanism for you (the key will not be emailed). b. A metadata.xml file that contains the IDP metadata that EZproxy needs to access the IDP. Install these files: 1. Install the certificate and key into EZproxy. a. On the EZproxy Administration page, click Manage SSL (https) certificate. b. On the Manage SSL (https) Certificates page: i. Click Import Existing SSL Certificate and copy the certificate and key into the boxes. ii. Write down the certificate number (ID) for this newly-imported certificate. 2. Copy the metadata.xml file to the EZproxy installation directory. 3. In the config.txt file, make sure: a. The parameter file= contains metadata.xml. b. The entity ID supplied by OCLC that you used to configure your EZproxy server for Shibboleth is correct. c. The certificate ID of the certificate you imported is on the Cert= parameter. Example: ShibbolethMetadata \ -EntityID=urn:mace:oclc:idm:vcfalibrary \ -file=metadata.xml \ -Cert=2 4. In the user.txt configuration file, in the stanza below, make sure the IDP20 configuration statement contains the same entity ID as in the config.txt file: ::Shibboleth IDP20 urn:mace:oclc:idm:vcfalibrary (the entity ID supplied by OCLC) /Shibboleth 5. If the institution also uses Navigator, in the shibuser.txt configuration file the session variables must be populated for the userObject (only for Navigator Institutions). Contact OCLC for more details. Authentication.docx 8 March 3, 2015 5 Testing and Support Restart EZproxy and test with a patron credential from the WMS database. For support, please contact [email protected] or your WMS implementation team member. For full, detailed information, see the Shibboleth authentication directives at http://www.oclc.org/support/documentation/ezproxy/usr/shibboleth.htm. Authentication.docx 9 March 3, 2015