This section describes the hardware and software architectures of the project prototype implementation. Because the client modified some specifications while the project was in progress, and in order to gain a good understanding of the OS-related issues that can arise when deploying Shibboleth, this project consists of two prototype implementations:
- A primary prototype, implemented within a simple ad-hoc network, to first understand the behaviour of Shibboleth.
- A real-time prototype, implemented within the ANS local network through its local domain, to test a scenario closer to the real deployment.
For these reasons, the project has two system architectures, one per prototype.
[Use-case diagram: Shibboleth-based Resource access and management System. End User (Customer): request the protected resource, cancel the resource request, access the resource, log into application. Admin User (System Admin): create, modify & delete End User, log into the whole system entities, write some resource contents, monitor activities, maintain the system.]
5.3.1 Primary prototype architecture
a) Hardware architecture
The hardware architecture within the primary prototype consists of:
- To physically host the ANS Service Provider, one Intel Core i3 computer with a 300 GB HDD and 4 GB of RAM is used as the SP server.
- To physically host the ANS Identity Provider, one Intel Core i7 computer with a 700 GB HDD and 8 GB of RAM is used as the IdP server.
These hardware specifications are not a general requirement for deploying Shibboleth (even a Pentium-based computer can run the implementation properly); they are merely what was used.
Both physical servers are connected through a Wi-Fi ad-hoc network following the IEEE 802.11 standard. Each server can act as a user client through its web browser, or any computer joined to the ad-hoc network can act as the end user. Figure 14 below shows a simple diagram of the ad-hoc (peer-to-peer) network used to connect and deploy the two servers.
Figure 14: Physical structure of the primary prototype
It is also worth noting that this could have been done with a virtualization setup using tools such as VMware Workstation, VirtualBox or similar. However, that would have introduced implementation issues such as clock drift within the virtualized hosts and slow processes (which does not mean the implementation cannot be made in a virtualised environment). Besides, using different machines for the two servers makes the deployment more realistic, since in real-life implementations the SP and the IdP are generally at different physical sites.
b) Software architecture
The software architecture of the system implementation consists of several applications, each playing an important role in running the implementation. A failure of one single software element may affect the functioning of the entire system. This architecture resides on two Windows-based operating systems on which the required applications have to be installed and deployed.
On the Service Provider side
- Microsoft Windows 7 Ultimate edition as the operating system hosting all other applications that make up the Service Provider.
- Microsoft Internet Information Services version 7 (IIS 7), deployed within Windows 7, to host the ANS Shibboleth-based Service Provider, the SSL certificate and the first simple application used to test the sign-on.
- Shibboleth Service Provider version 2.5.2 to "Shibbolize" web applications and thereby protect resources.
On the Identity Provider side
- Microsoft Windows 7 Professional edition as the OS running all other applications that make up the Identity Provider.
- Sun Java Client (JRE 7) as the compiler for the Java processes.
- Apache Tomcat 6, not as a standard web server but only as a Java servlet container, with SSL enabled.
- Shibboleth Identity Provider version 2.4.0 to manage identities and provide authentication for resource users.
- OpenDJ 2.7 LDAP server as the database system to register and host users and to link them to the IdP for authentication and authorisation.
On the User Agent side
- A typical web browser that includes the SSL certificate authorities, or is simply able to make HTTPS requests, on any operating system.
Figure 15 below illustrates the software architecture of the system, showing the interaction between the components that make up the SP and IdP deployment.
Figure 15: Logical structure of the primary prototype
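The SP and the IdP shown in the two figures above trust each other through SAML metadata, and every listed component carries an SSL certificate. As an added example (not taken from the report or from the Shibboleth project), the following Python script checks an IdP metadata document for the properties this architecture relies on: an HTTPS entityID, unexpired metadata, a signing certificate the SP can verify assertions with, and HTTPS on every browser-facing endpoint. The metadata document, the hostname idp.example.test and the certificate value are constructed placeholders; the endpoint paths are the defaults of a Shibboleth IdP 2.x installation.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Endpoint elements whose Location the SP redirects or POSTs the browser to.
ENDPOINT_TAGS = ("md:SingleSignOnService", "md:SingleLogoutService",
                 "md:ArtifactResolutionService")

# Constructed sample IdP metadata (hostname and certificate are placeholders,
# not values from the report). One endpoint is deliberately plain HTTP so the
# check has something to find.
SAMPLE_IDP_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.test/idp/shibboleth"
    validUntil="2099-01-01T00:00:00Z">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIB...PLACEHOLDER-CERT...</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/idp/profile/SAML2/Redirect/SSO"/>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://idp.example.test/idp/profile/SAML2/POST/SSO"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def check_idp_metadata(xml_text, now=None):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    root = ET.fromstring(xml_text)
    now = now or datetime.now(timezone.utc)

    # 1. The entityID is the IdP's identity towards the SP; it should be HTTPS.
    entity_id = root.get("entityID", "")
    if not entity_id.startswith("https://"):
        findings.append("entityID is not an https URL: %r" % entity_id)

    # 2. Expired metadata must be refused rather than silently kept.
    valid_until = root.get("validUntil")
    if valid_until:
        expiry = datetime.strptime(valid_until, "%Y-%m-%dT%H:%M:%SZ")
        if expiry.replace(tzinfo=timezone.utc) <= now:
            findings.append("metadata expired at %s" % valid_until)

    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        findings.append("no IDPSSODescriptor element")
        return findings

    # 3. Without a signing certificate the SP cannot verify the IdP's assertions.
    #    A KeyDescriptor with no 'use' attribute covers signing and encryption.
    has_signing_cert = any(
        kd.get("use") in (None, "signing")
        and kd.find(".//ds:X509Certificate", NS) is not None
        for kd in idp.findall("md:KeyDescriptor", NS)
    )
    if not has_signing_cert:
        findings.append("no signing KeyDescriptor with an X509Certificate")

    # 4. Every browser-facing endpoint must be HTTPS, otherwise the SAML
    #    messages and the user's IdP session travel in the clear.
    for tag in ENDPOINT_TAGS:
        for ep in idp.findall(tag, NS):
            location = ep.get("Location", "")
            if not location.startswith("https://"):
                findings.append("%s endpoint is not https: %s"
                                % (tag.split(":")[1], location))
    return findings


if __name__ == "__main__":
    for line in check_idp_metadata(SAMPLE_IDP_METADATA) or ["metadata OK"]:
        print(line)
```

Run against a real IdP's metadata file before loading it into the SP's MetadataProvider; the one finding on the constructed sample is the plain-HTTP POST endpoint, and fixing that endpoint makes the document pass cleanly.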
5.3.2 Real time prototype architecture
a) Hardware architecture
The difference between the physical architecture of the primary prototype and that of the real-time prototype lies in the characteristics and features of the machines used to deploy Shibboleth. In addition, there is no need to redefine the network architecture, as an existing local network with a local domain is already in place. Two Dell servers were made available by ANS for the test scenario, each with 8 GB of memory and Intel Core-series processors.
b) Software architecture
The servers available in the ANS local network already ran server-based operating systems, on which the following applications were used to deploy the real-time prototype.
For the Service Provider
- Windows 2008 Server R2
- Microsoft Internet Information Services version 7 (IIS 7) as the web server, with an SSL certificate installed and enabled.
- Shibboleth Service Provider version 2.5.2
- Sun Java Client (JRE 7), required to run the OpenDJ 2.7 LDAP server.
- OpenDJ 2.7 LDAP server as the database system linked to the IdP, used to register and host users and to perform authentication and authorisation.
For the Identity Provider
- Windows 2003 Server R2
- Sun Java Client (JRE 7) as the compiler for the Java processes and to allow the use of Tomcat and OpenDJ.
- Apache Tomcat 6, not as a standard web server but only as a Java servlet container, with SSL enabled.
- Shibboleth Identity Provider version 2.4.0 to manage identities and provide authentication to ANS resource users.
Note: Windows 2003 Server does not support any version of OpenDJ, which is why OpenDJ is not installed on the same box as the IdP software (the box running Windows 2003 Server).
User Agent side
- A standard web browser with SSL enabled.
Figure 16 below illustrates the software architecture of the system for the real-time prototype implementation.
Figure 16: Logical structure of the real time prototype
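In the real-time prototype the user directory (OpenDJ) sits on the Service Provider box while the IdP runs on the Windows 2003 server, so every LDAP bind the IdP performs to verify a password crosses the ANS local network. As an added example (not part of the report and not Shibboleth project code), the following Python script parses an IdP 2.x JAAS login.config and flags an LDAP login module that reaches a remote directory over plain ldap:// without TLS. The option names (ldapUrl, baseDn, userFilter, ssl, tls) are those of the vt-ldap login module shipped with IdP 2.x; the hostname sp-server.example.test and the base DN are constructed placeholders.

```python
import re
from urllib.parse import urlparse

# Constructed sample in the JAAS login.config format used by Shibboleth IdP 2.x
# with its vt-ldap login module; host and base DN are placeholders, not values
# from the report. The IdP here reaches OpenDJ on another machine over plain
# ldap://, which is the case the lint is meant to catch.
SAMPLE_LOGIN_CONFIG = """
ShibUserPassAuth {
   edu.vt.middleware.ldap.jaas.LdapLoginModule required
      ldapUrl="ldap://sp-server.example.test:389"
      baseDn="ou=people,dc=example,dc=test"
      userFilter="uid={0}";
};
"""

# Hosts for which a plaintext LDAP connection never leaves the machine.
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


def parse_login_config(text):
    """Parse JAAS login.config text into {app_name: [entry, ...]}.

    Each entry is a dict with the module class, its control flag and a dict of
    key="value" options. Only the subset of the JAAS grammar that IdP 2.x uses
    is handled: one or more 'Name { module flag options...; };' blocks.
    """
    config = {}
    for app in re.finditer(r"(\w+)\s*\{(.*?)\};", text, re.S):
        name, body = app.group(1), app.group(2)
        entries = []
        for raw in body.split(";"):
            raw = raw.strip()
            if not raw:
                continue
            head = re.match(r"(\S+)\s+(\S+)", raw)
            entries.append({
                "module": head.group(1),
                "flag": head.group(2),
                "options": dict(re.findall(r'(\w+)="([^"]*)"', raw)),
            })
        config[name] = entries
    return config


def lint_ldap_auth(config):
    """Flag LDAP login modules that would send bind credentials unprotected."""
    findings = []
    for app, entries in config.items():
        for entry in entries:
            if not entry["module"].endswith("LdapLoginModule"):
                continue
            opts = entry["options"]
            url = opts.get("ldapUrl", "")
            parsed = urlparse(url)
            # ldaps:// wraps the connection in SSL; tls="true" upgrades a plain
            # ldap:// connection with StartTLS before the bind is sent.
            encrypted = (parsed.scheme == "ldaps"
                         or opts.get("ssl", "false").lower() == "true"
                         or opts.get("tls", "false").lower() == "true")
            if not url:
                findings.append("%s: LdapLoginModule has no ldapUrl" % app)
            elif parsed.hostname not in LOCAL_HOSTS and not encrypted:
                findings.append(
                    '%s: bind credentials go to %s over plaintext LDAP; '
                    'use ldaps:// or tls="true"' % (app, parsed.hostname))
    return findings


if __name__ == "__main__":
    for line in lint_ldap_auth(parse_login_config(SAMPLE_LOGIN_CONFIG)) or ["login.config OK"]:
        print(line)
```

The same split between IdP host and directory host is what the note above describes, so on the real-time prototype this check should pass only once the IdP's ldapUrl points at an ldaps:// port or tls="true" is set; the primary prototype, with OpenDJ on the IdP box, passes when the URL names localhost.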