PEPPI CONSORTIUMGÉANT-TRUSTBROKER: SIMPLIFYING IDENTITY & ACCESS MANAGEMENT FOR INTERNATIONAL RESEARCH PROJECTS AND HIGHER EDUCATION COMMUNITIES

Daniela Pöhn, Stefan Metzger and Wolfgang Hommel

Most national research and education networks (NRENs) have set up authentication and authorization infrastructures (AAIs), also known as federations, to ensure that ICT services can be used across higher education institutions’ (HEIs‘) borders. For example, the German federation DFN-AAI allows students from various universities to enroll in eLearning courses provided by other German universities (Hommel, 2009). Most European federations are technically based on the SAML standard and implemented using open source software like Shibboleth or simpleSAMLphp. However, users can only access third party services whose service providers (SPs) are members of the same federation as their home organization, which is also referred to as their identity provider (IDP). Therefor, given national federations, international groups of users, e.g., researchers in a multi-national EC-funded project, cannot access each others’ ICT services, such as a project-wide Wiki collaboration web server, without additional efforts simply because crossing federation borders is not possible technically.
In the past, many HEI members with a demand for international identity & access management (I&AM) have often worked around this problem in one of two less elegant ways: They either created local user accounts for their external project partners at each service, which does not scale well, or they created community-specific new federations, which were not defined by geographical but by any other arbitrary criteria, such as membership in a scientific community or project. However, neither of these solutions are user- and administration-friendly, but instead increase the overall management complexity and are considered burdensome overhead. To overcome the limits imposed by national federations, the pan-European research and education network Géant meanwhile initiated eduGAIN (see (Géant, 2014)), which is an umbrella inter-federation (i.e., a federation-of-federations) that enables Inter-AAI user authentication and authorization (AuthNZ). More than 20 federations world-wide already have joined eduGAIN, making it one of the most important eScience-enabling software infrastructures as of today.
eduGAIN, however, comes at the price of increased contractual complexity, and, on the technical side, has only standardized the common denominator of its federation members regarding which information about users IDPs make available to SPs. In practice, this means that there is no guarantee that users from an IDP in federation A can successfully use a service provided by an SP in federation B, even if both of them are in eduGAIN, in the same way as if the IDP and the SP were in the same (national) federation. Thus, while eduGAIN is certainly a success and enables the use of many services across federations’ borders, its adoption turned out to process slower than initially hoped for and the created inter-federation by itself is not completely sufficient for more complex services that need more detailed user information from IDPs.
Géant has therefore initiated a project complementary to eduGAIN: Géant-TrustBroker (GNTB) will enable the on-demand creation of virtual federations and put the end users in control of connecting arbitrary SPs to their own IDP even when they are not in the same federation or eduGAIN. GNTB optionally supports the fully automated setup of technical SP-IDP relationships so that users can immediately start using new services provided by federation-external SPs instead of having to wait until the SP and IDP administrators have set up the AAI software configuration manually. Manual intervention is only necessary when organizational trust-building measures, such as signing a formal contract between SP and IDP, are necessary, e.g., for commercial services that require high liability.
In this article, we present the concepts of GNTB from the perspective of a HEI that operates an IDP for its users, assuming that the IDP already is a member of at least one federation, typically the national NREN’s AAI. We first discuss the motivation for GNTB from both the end users’ and the HEIs’ perspectives and show how GNTB can be used stand-alone or in conjunction with eduGAIN. We then give an overview over the functionality and technical workflows that GNTB implements, again with a focus on the IDP side. GNTB is currently being developed in Géant’s GN3plus project and will be available for pilot use in 2015; we therefore conclude this article with a summary of what has been achieved so far and an outlook to our ongoing work.

IMPROVING HIGHER EDUCATION NETWORK SECURITY BY AUTOMATING SCAN RESULT EVALUATION WITH DR. PORTSCAN

Felix Von Eye, Wolfgang Hommel, Stefan Metzger and Daniela Pöhn

In most higher education institutions (HEIs), IT systems are still operated in a decentralized manner at least partially: Although a central data center or IT department typically provides basic IT services such as email servers, many faculties and chairs operate, for example, web servers and file servers on their own. As there often is no campus-wide asset management or configuration management database available, this results in a lack of a big picture, i.e., nobody really knows who is operating which IT services for whom in total throughout the HEI. Problems arise when network services, i.e., servers that can be accessed, e.g., via the Internet, are compromised, either by external attackers or by insider threats. While many faculties succeed in basically setting up their own network service machines, e.g., a web server including a database server for a learning management system, only few of them are aware of typical information security issues and know how to harden their server machine installations to protect them against the usual attacks. To remedy this partial lack of know-how, an increasing number of HEIs set up a central security team tasked with monitoring, analyzing, and continuously improving information security across the campus.

In this article, we present an open source tool, which we developed to facilitate asset management and risk analysis of network services in research and education networks: Dr. Portscan is a delta-reporting tool for network port scans, which are often used for active-probing-based asset discovery, allow for a basic risk assessment, and can be used as a basis for fully-fledged vulnerability management. Dr. Portscan orchestrates the execution of an arbitrary number of port scans, e.g., based on the well-known nmap tool, from various locations inside and outside an HEI’s campus network, aggregates and consolidates these port scan results, analyzes which changes have been made compared to the previous state, and can alert the security staff about new or unknown network services on the campus that need more detailed manual investigation.

Dr. Portscan cannot only be used by each HEI individually, but based on agreements between HEIs, security teams at multiple HEIs can collaborate to provide each other with external perspectives on their network services. Dr. Portscan is meanwhile also used in the pan-European CELTIC project SASER – Safe and Secure European Routing – to analyze the basic security properties of active network components, especially routers and network gateways, of the participating internet service providers.

DISTRIBUTED USER MANAGED ACCESS TO INTERNET RESOURCES

Roland Hedberg

More and more individuals have information on online services. The norm so far has been that that such information is public, open to anyone to view/use. Eventually this has to change, people will start realizing that public access to all publish information is not in the individuals best interest.
Information that once was thought just fun to publish might a couple of years down the line have a negative impact on the future of a person.

Therefor individuals must be able to control who (other persons as well as other services) can do what with what. And to do this in a standardized way that many, if not all, services can support.

To that end a working group was created a number of years ago by the Kantara Initiative (http://kantarainitiative.org) to try to:
”develop a set of draft specifications that enable an individual to control the authorization of data sharing and service access made between online services on the individual’s behalf, and to facilitate the development of interoperable implementation of these specifications by others.”

The name of the working group is User-Managed Access (UMA).

WE PUBLISH, YOU SUBSCRIBE – HUBBUB AS A NATURAL HABITAT FOR STUDENTS AND ACADEMIC TEACHERS

Janina Mincer-Daszkiewicz

Mobile applications are becoming a popular tool providing access to information stored in student management information systems (SMIS). There is no question of whether to allow such access, the question is how to deliver information in real time (instantly), in a user friendly manner, without exposing university servers to crashes in peak hours. The solution is publish-subscribe protocol, where information is not pulled by a subscriber (information consumer), but is pushed by a publisher (information provider) to all subscribers (with the help of the hub). Data confidentiality is ensured by the OAuth protocol. The subject of this paper are new methods of public API for USOS, which implement publish-subscribe paradigm, and a notification daemon which plays the role of the hub. USOS comes from University Study-Oriented System, product of MUCI consortium, which is deployed in 40 HEIs in Poland.

OPEN API’S IN INFORMATION SYSTEMS FOR HIGHER EDUCATION

Ricardo Barata, Sergio Silva, Luis Cruz and Luis Guerra E Silva For many years now information systems have played a central role in the daily operation of any higher education institution. Most institutions already have a wide range of applications at their disposal, from Learning Management to Course Management systems as well as other Administrative systems. In some cases these systems are proprietary applications, and users can only use them “as is”. Even in cases where these systems are open source, it is difficult, if not impossible, for the users to contribute back to the system with anything other than a bug report or a feature request. Consequently these systems evolve very slowly, and their development is typically dictated by the priorities of each school, identified by their respective boards. This results in hindered system innovation and a waste of potential resources, especially in schools that have engineering or computer science courses. In recent years the massification of handheld devices (such as smartphones and tablets) coupled with the availability of relatively easy to use software development kits widened this gap of wasted resources. In December 2013 our school, Instituto Superior Técnico (IST), released the first version of an open API for its academic information system, which is an instance of the open-source project FenixEdu With this API anyone can now develop their own applications using the data stored in the academic information system, without having to be limited to the particular technology adopted for its implementation. This API also allows for easier integration with other systems. We hope this open API will promote creativity while harnessing the potential development capabilities of the entire community, from students, to teachers, to third party software vendors.

THE IMPLEMENTATION OF A NATIONAL STUDENT EXCLUSION REGISTER IN NORWAY

Asbjørn Reglund Thorsen, Geir Magne Vangen and Agnethe Sidselrud There is high awareness in the Higher Education sector in Norway that cheating, plagiarism and other academic misconduct must be dealt with early in the students’ education cycle, in order to prevent serious consequences of plagiarism in scientific publishing and scientific fraud. The Ministry of Higher Education in Norway introduced the Universities and University Colleges Act in 2005, making it mandatory for the Higher Education institutions (HEIs) to inform each other about decisions of formal exclusion of students. In the following years HEIs developed a number of different routines to comply with the new regulation. The different routines and big variation of communication channels that were used, neither ensured accuracy of the information, nor necessary level of personal data security in the information exchanged amongst institutions. To cope with this complex challenge, the Ministry initiated the process of establishing a national student exclusion register. The register is supposed to contain data about students excluded due to cheating and plagiarism/attempted cheating, use of false documents or other academic misconduct. The register is expected to provide better routines for informing third party (i.e. other universities and colleges) and to prevent that excluded students get admission at another HEI in Norway. Another objective is to prevent admission to a HEI based on false documents.

This paper aims to present the technical solution for the Exclusion Register as well as the challenges in the implementation process due to complex legal and regulatory requirements.