
Session s083 01 - moving away from ip authentication


What happens when university IT mandates that all patrons must log in to library resources using two-factor authentication instead of IP authentication? What are the major considerations when exploring solutions? Alternatives to IP authentication are presented, along with lessons learned from implementing a solution using a proxy server in a large university environment.
Presented at the Electronic Resources & Libraries Conference 2017 in Austin, Texas, April 4th, 2017.

Published in: Education

  1. Moving away from IP Authentication
     May Yan
     may.yan@ryerson.ca
     @mayyan
  2. ● IP Authentication preferred for all Electronic Resources
     ● Ezproxy server for off-campus access
     Our systems
     ● III Sierra
     ● Summon
     ● SFX
     ● Single Sign-on with Central Authentication Service (CAS) integration
       ○ Student emails
       ○ Electronic Resources
       ○ ILS renewals / patron accounts
       ○ Learning Management (D2L Brightspace)
  3. University IT systems and logins under attack
     ● Ransomware
     ● Denial of Service Attacks
     ● Compromised Accounts
     ● Virus
     ● Sci-Hub notices
     ● Blocked IPs
     ● Excessive download notices
  4. Ransomware
  5. IT wants: 2 factor authentication / No IP authentication
     Two Factor Authentication Concerns
     ● Vendors cannot support this natively
     ● Increasing barriers to e-resources use
     ● Students and staff who do not have smart phones
     ● IT support for working with patrons who have problems using 2 factor process
     CANNOT DO THIS QUICKLY
     ● Want to wait until all university systems are using 2 factor (library doesn’t want to be singled out)
     ● Get plan in place to get fobs for all students who need it. (Who will pay?)
     What about using ezproxy and getting all on campus users to log in & no more IP authentication?
     Concerns:
     ● Excessive download blocks from vendors impacting all patrons
     ● 1 point of failure for all resources
     ● Redirection of on campus vs off campus traffic must use same URL
     Benefit:
     ● CAS already set up for 2 factor, easy add for 2 factor when mandated.
  6. Other Authentication Methods
     1. Personal User Login/Password (Service Provider manages user authentication)
     2. IP Authentication
        a. Proxy server redirects traffic after locally managed user authentication to vendor resources so that it appears to be from IP range of library
        b. Trusted Proxy Server
        c. VPN
     3. Federated authentication through SAML
        a. OpenAthens (was Athens)
        b. Shibboleth (shibboleth.net)
     4. Referring URL Authentication – an authenticated link to service provider from a secure or password protected web page. SP checks that this URL is registered to grant access.
     5. Patterned IDs (library cards & barcodes)
     6. Patron ID files (library cards & barcodes)
     7. Cookie
  7. Our Proposed Solutions
     Problem: One Point of failure
       2 proxy servers: 1 for off-campus traffic, 1 for on-campus traffic
     Problem: Must maintain same URL for proxy links for both servers
       Local on-campus DNS mapping of proxy URL to on campus server
     Problem: Reduce risk when there are excessive download blocks from vendor
       “Algorithmic switching” between 3 IPs per server - to help mitigate whole server being blocked when there are excessive downloads
  8. Timeline
     December 2016: Configuration, setup and testing
     January 2017: Requiring on-campus login started January 2017
     February: Update IP range on a few key resources for testing
     March: Update IP range using vendor admin portal; start to contact vendors to update IP range
  9. Lessons - During Setup
     ➢ Keep staff & librarians informed
     ➢ Keeping two configuration files in sync a challenge
     ➢ Setting up second server was more difficult than anticipated - not much experience in doing it.
  10. Lesson - After Roll Out
     ➢ Single Sign-On doesn’t work for some on campus products - ARES opens up IE browser and students have to sign on again.
     ➢ Walk in guest accounts no longer work - must change them to ezproxy accounts and limit off campus use
     ➢ We can’t tell if the algorithmic swapping of IPs is working at all. (Need to do more testing)
     ➢ Inform staff and patrons of the change and why but not confuse them: we went for an “increase security as requested by CCS” message.
     ➢ Students have been good about the changes.
     ➢ Some faculty are NOT happy.
  11. Benefits
     ➢ More ezproxy logs so we can do more with our assessment projects
       ○ Currently already a project to analyze resource use with grades
     ➢ Never could test our off campus access while on campus to mimic student experience, and now we can.
     ➢ A cheap solution to carry us over until there is better technology for our needs that is supported by all of our vendors.
  12. Will this reduce our e-resources usage?
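
Once every on-campus and off-campus session logs in at the proxy, the proxy logs identify the account behind each request, so an excessive-download pattern can be spotted locally before a vendor blocks one of the proxy's IPs. The following is an added example, not part of the original slides: it assumes the proxy writes NCSA common log format with the username in the third field, and the thresholds, hostnames, users and sample lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Assumption: NCSA common log format, authenticated username in field 3.
LINE = re.compile(r'^(\S+) \S+ (\S+) \[([^\]]+)\] "[^"]*" (\d{3}) (\d+|-)$')

def parse(line):
    """Return (user, timestamp, bytes), or None if malformed or unauthenticated."""
    m = LINE.match(line.strip())
    if not m or m.group(2) == "-":
        return None
    ts = datetime.strptime(m.group(3), "%d/%b/%Y:%H:%M:%S %z")
    size = 0 if m.group(5) == "-" else int(m.group(5))
    return m.group(2), ts, size

def excessive_downloaders(lines, window=timedelta(minutes=10),
                          max_bytes=50_000_000, max_requests=200):
    """Map each user who exceeds a limit inside a sliding window to the time
    the limit was first crossed. Each user's lines must be in time order."""
    recent = defaultdict(deque)   # user -> (timestamp, bytes) still in window
    in_window = defaultdict(int)  # user -> bytes currently in window
    flagged = {}
    for user, ts, size in filter(None, map(parse, lines)):
        q = recent[user]
        q.append((ts, size))
        in_window[user] += size
        while ts - q[0][0] > window:          # expire requests outside window
            in_window[user] -= q.popleft()[1]
        if user not in flagged and (in_window[user] > max_bytes
                                    or len(q) > max_requests):
            flagged[user] = ts
    return flagged

# Constructed sample data: hostnames, users and sizes are invented.
T0 = datetime(2017, 4, 4, 10, 0, tzinfo=timezone(timedelta(hours=-4)))
def make_line(user, when, size):
    stamp = when.strftime("%d/%b/%Y:%H:%M:%S %z")
    return (f'192.0.2.10 - {user} [{stamp}] '
            f'"GET http://vendor.example/article.pdf HTTP/1.1" 200 {size}')

SAMPLE = (
    [make_line("alice", T0 + timedelta(minutes=20 * i), 1_000_000) for i in range(3)]
    + [make_line("bob", T0 + timedelta(seconds=10 * i), 2_000_000) for i in range(30)]
    + [make_line("-", T0, 5_000), "truncated line"]
)

if __name__ == "__main__":
    for user, when in excessive_downloaders(SAMPLE).items():
        print(f"{user} exceeded the download limit at {when.isoformat()}")
```

The limits should be set below whatever the strictest vendor tolerates, so the library can suspend or contact one account rather than lose access for every patron behind the shared IP.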