Muradora GUI for Fedora Repository Uses SAML and XACML for Federated Identity
The DRAMA (Digital Repository Authorization Middleware Architecture) development team at MELCOE, Macquarie University, Sydney, Australia has announced the release of Muradora Version 1.0, described as a turnkey GUI for the Fedora Repository supporting federated identity and flexible access control.
Fedora (the Fedora Commons digital repository system, not the Linux distribution of the same name) is a "general purpose repository system developed jointly by Cornell University Information Science and the University of Virginia Library. The Fedora Project is devoted to the goal of providing open-source repository software and related services to serve as the foundation for many types of information management systems. The Fedora software is available under the terms of the Educational Community License 1.0 (ECL)." Fedora was selected for Muradora because it is widely used, is recognized as scalable (supporting more than one million objects), and has a rich digital object model.
The project's goals are to let researchers at different institutions access and search each other's protected repositories, with an access control system that is easy to use and maintain and needs little or no intervention from system administrators.
Muradora "incorporates a suite of software modules to deal with the needs for federated identity and flexible authorisation for repositories. The four key modules of Muradora are:
- Shibboleth authentication module for Fedora to support federated identity/single-sign-on, e.g., Australian Access Federation
- New flexible authorisation framework for Fedora based on the XACML open standard
- Extended XACML engine supporting DB XML for fast, efficient management/enforcement of policies, and a web service interface for XACML requests and responses; the extended XACML engine can be used by any software that employs XACML but requires an efficient management system for its XACML policies
- Java-based Web GUI front-end for Fedora
"The Muradora web GUI, by utilizing the other three modules, aims to showcase the power of having federated identity and flexible authorisation with the Fedora repository. A key advantage of Muradora is that the core Fedora repository can now have consistent access control policies for multiple front-ends even if they are hosted across multiple machines or spanning institutional boundaries. This is not possible with the traditional approach of having the GUI handle authentication and authorisation internally."
The Muradora web GUI uses XForms, the W3C standard for form input and validation, for metadata entry. Because each metadata schema is described by an XForms script rather than by application code, complex schemas can be handled and new ones added without changing Muradora itself, which is what makes the GUI framework modular and pluggable.
Muradora supports self-submission by authors and publishing permissions for administrators, using Dublin Core, MODS and MARC metadata. Objects can be grouped hierarchically (based on user-defined RDF ontologies) or dynamically (by criteria matched against their metadata). Access control is available at several levels of granularity: the whole repository, user-defined groupings (with hierarchical inheritance), individual objects, and individual datastreams within an object. The access control policy editor generates the corresponding XACML policies, so no direct XML editing is required. Because Shibboleth authentication and XACML enforcement run on the Fedora server rather than inside the GUI, these policies apply to every front-end that talks to the repository, including any added later; a front-end that skips its own access checks cannot bypass them. Repository objects are version controlled. Data objects can be of heterogeneous types, e.g., documents, audio and video, with annotations. Repository search, including full-text search, is supported.
Muradora is freely available under the Apache 2.0 open source license; its dependencies are also open source. The development team also provides an ISO image as a "ready to go system": a Live DVD that can be booted directly to try the system or used for an easy installation.
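The hierarchical enforcement described above, and the interceptor-style enforcement on the Fedora server that the announcement below describes, as an added Python illustration (not Muradora or DRAMA code, and not their policy combining algorithm): policies hang off nodes of a repository/collection/object/datastream hierarchy, a policy decision point (PDP) consults every policy on the path to the requested resource with deny-overrides, and a policy enforcement point (PEP) wraps a repository operation so that only an explicit Permit lets it run. The resource paths, PIDs, eduPerson attribute names in the subject dicts (standing in for what a Shibboleth SP hands the application) and the sample policies are all constructed for the example.

```python
"""Hierarchical XACML-style enforcement in front of a repository API.
Added illustration, not Muradora/DRAMA code: a policy is attached to a node of
the hierarchy (repository > collection > object > datastream); the PEP intercepts
a repository call, the PDP evaluates every policy on the path root -> resource
with deny-overrides. Resource ids, attribute names and the combining rule are
assumptions of this example."""
from dataclasses import dataclass

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"


def has(subject, attr, value):          # subject: dict of multi-valued SAML attributes
    return value in subject.get(attr, [])


@dataclass
class Rule:
    effect: str         # PERMIT or DENY
    actions: frozenset  # empty = any action
    condition: object   # predicate over the subject's attributes


@dataclass
class Policy:
    resource: str       # node the policy is attached to, e.g. "/coll:research/demo:12/PDF"
    rules: list


def evaluate_policy(policy, subject, action):
    """Rule combining inside one policy: deny-overrides."""
    decision = NOT_APPLICABLE
    for r in policy.rules:
        if (r.actions and action not in r.actions) or not r.condition(subject):
            continue
        if r.effect == DENY:
            return DENY
        decision = PERMIT
    return decision


def ancestors(resource):
    """'/a/b/c' -> ['/', '/a', '/a/b', '/a/b/c'], root first."""
    parts = [p for p in resource.split("/") if p]
    return ["/"] + ["/" + "/".join(parts[:i + 1]) for i in range(len(parts))]


class PDP:
    """Hierarchical enforcement: consult every ancestor policy, deny-overrides."""
    def __init__(self, policies):
        self.by_resource = {p.resource: p for p in policies}

    def decide(self, subject, resource, action):
        decision = NOT_APPLICABLE
        for node in ancestors(resource):
            if node not in self.by_resource:
                continue
            result = evaluate_policy(self.by_resource[node], subject, action)
            if result == DENY:       # a deny anywhere up the tree wins
                return DENY
            if result == PERMIT:     # a permit is inherited by descendants
                decision = PERMIT
        return decision


def guard(pdp, action):
    """Interceptor around a repository operation: only an explicit Permit passes."""
    def wrap(operation):
        def intercepted(subject, resource, *args):
            if pdp.decide(subject, resource, action) != PERMIT:
                raise PermissionError(f"{action} on {resource} denied")
            return operation(subject, resource, *args)
        return intercepted
    return wrap


# Constructed policy set; Muradora's policy editor would emit XACML for rules like these.
POLICIES = [
    Policy("/", [Rule(PERMIT, frozenset({"read"}), lambda s: has(s, "eduPersonAffiliation", "member"))]),
    Policy("/coll:research", [Rule(PERMIT, frozenset({"read", "modify"}), lambda s: has(s, "eduPersonAffiliation", "staff"))]),
    # embargoed full text: non-staff are denied even though the root permits reads
    Policy("/coll:research/demo:12/PDF", [Rule(DENY, frozenset({"read"}), lambda s: not has(s, "eduPersonAffiliation", "staff"))]),
    # a collection closed to everyone, staff included
    Policy("/coll:closed", [Rule(DENY, frozenset(), lambda s: True)]),
]
PDP_INSTANCE = PDP(POLICIES)


@guard(PDP_INSTANCE, "read")
def get_datastream(subject, resource):   # stand-in for a repository API call
    return f"content of {resource}"


# Constructed attribute sets, as a Shibboleth SP would deliver them to the application.
STAFF = {"eduPersonPrincipalName": ["alice@example.edu"], "eduPersonAffiliation": ["member", "staff"]}
STUDENT = {"eduPersonPrincipalName": ["bob@example.edu"], "eduPersonAffiliation": ["member", "student"]}


def demo():
    cases = {"staff_pdf": (STAFF, "/coll:research/demo:12/PDF", "read"),
             "student_dc": (STUDENT, "/coll:research/demo:12/DC", "read"),
             "student_pdf": (STUDENT, "/coll:research/demo:12/PDF", "read"),
             "student_modify": (STUDENT, "/coll:research/demo:12/DC", "modify"),
             "staff_closed": (STAFF, "/coll:closed/demo:99/DC", "read")}
    return {name: PDP_INSTANCE.decide(*case) for name, case in cases.items()}
```

The cases in `demo()` are the three behaviours worth confirming before trusting any hierarchical scheme: a permit at the repository level is inherited down to an object's datastream, a deny attached to a single datastream (an embargoed PDF) wins over that inherited permit, and a collection-level deny closes everything beneath it to staff as well. The PEP treats NotApplicable exactly like Deny; a PEP that defaulted to allow would leave open any resource with no policy on its path.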
DRAMA is part of RAMP (Research Activityflow and Middleware Priorities), a DEST-funded project under the Systemic Infrastructure Initiative. RAMP is developing a flexible authorisation module for repositories based on the XACML open standard and implementing it as the core of a new, fully open source Muradora front-end for Fedora.
From the October 11, 2007 announcement: "Muradora Version 1.0: A Web-based Repository Supporting Federated Identity and Flexible Access Control":
The DRAMA (Digital Repository Authorization Middleware Architecture) development team has announced the release of Muradora Version 1.0, a "Turnkey GUI for Fedora Repository Supporting Federated Identity and Flexible Access Control."
Muradora is an easy to use repository application that supports federated identity (via Shibboleth authentication) and flexible authorization (using XACML). Muradora leverages the modularity, flexibility and scalability of the well-known Fedora repository.
Muradora's unique vision is one where Fedora forms the core back-end repository, while different front-end applications (such as portlets or standalone web interfaces) can all talk to the same instance of Fedora, and yet maintain a consistent approach to access control.
The DRAMA team is happy to announce the V1.0 release of Muradora. Its key features are:
- "Out-of-the-box" or customized deployment options
- Intuitive access control editor allows end-users to specify their own access control criteria without editing any XML.
- Hierarchical enforcement of access control policies. Access control can be set at the collection level, object level or datastream
- Metadata input and validation for any well-formed metadata schema using XForms (a W3C standard). New metadata schemas can be supported via XForms scripts (no Muradora code modification required).
- Flexible and extensible architecture based on the well known Java Spring enterprise framework.
- Multiple deployments of Muradora (each customized for their own specific purpose) can talk to the one instance of Fedora.
- Freely available as open source software (Apache 2 license). All dependent software is also open source.
Muradora utilises the new Digital Repository Authorization Middleware Architecture (DRAMA Auth/Z Suite). It consists of the following components:
- Extended XACML support with a native XML database (DB XML) for efficient storing and querying of XACML policies. There is also a new hierarchical policy combination algorithm to support hierarchical enforcement while still allowing for fine-grained access control. These extended XACML features can be used by any XACML-aware application, especially those requiring better management of their policies.
- Pluggable and extensible authorization infrastructure for Fedora. This new architecture utilizes an interceptor pattern to remove embedded authorization logic inside Fedora and allows new authorization requirements to be added to the system without modifying any code inside
- Support for federated identity with Shibboleth. The actual Shibboleth authentication is done on the Fedora server itself. This is different to the common approach of having the web interface handle Shibboleth authentication which would prevent multiple web interfaces talking to the same Fedora instance. Again this module is pluggable and can be deployed on top of Fedora without any code modification. It can also be used in conjunction with existing Fedora authentication modules.
Muradora and DRAMA Auth/Z suite can be downloaded separately and installed together by following the deployment guide, available at:
However, due to configuration flexibility and the large number of components, this installation method should be attempted only by experienced Fedora administrators.
For other users, we recommend our Live DVD which integrates all necessary components for an "out-of-the-box" repository. The Live DVD can be used to try Muradora by booting the system from the DVD and running the pre-installed system directly from the DVD (no changes are made to the host computer's hard disk). Alternatively, the Live DVD can install Muradora on a server following an easy installation procedure that is based on Ubuntu Linux Distribution. The Muradora Live DVD can be downloaded from the Muradora.org web site.
Software download: http://www.muradora.org/software
Acknowledgement: DRAMA (Digital Repository Authorization Middleware Architecture) is part of the RAMP project based at MELCOE, Macquarie University, Sydney, Australia. RAMP is funded by DEST under Backing Australia's Ability.
"Fedora open source software gives organizations a flexible service-oriented architecture for managing and delivering their digital content. At its core is a powerful digital object model that supports multiple views of each digital object and the relationships among digital objects. Digital objects can encapsulate locally-managed content or make reference to remote content. Dynamic views are possible by associating web services with objects. Digital objects exist within a repository architecture that supports a variety of management functions. All functions of Fedora, both at the object and repository level, are exposed as web services. These functions can be protected with fine-grained access control policies.
This unique combination of features makes Fedora an attractive solution in a variety of domains. Some examples of applications that are built upon Fedora include library collections management, multimedia authoring systems, archival repositories, institutional repositories, and digital libraries for education.
FOXML is a simple XML format that directly expresses the Fedora digital object model. As of Fedora 2.0, digital objects are stored internally in a Fedora repository in the FOXML format. In addition, FOXML can be used for ingesting and exporting objects to/from Fedora repositories...
Delivery of rich content is possible through a variety of technologies. But delivery is only one aspect of a suite of content management tasks. Content needs to be created, ingested, and stored. It needs to be aggregated and organized in collections. It must be described with metadata. It must be available for reuse and refactoring. And, finally, it must be preserved. Fedora is an open source digital repository system that meets these challenges. It does this by combining a number of key features:
- Powerful digital object model: The digital objects, or units of information, in Fedora may combine any number and any variety of data streams. These data streams can be local to the repository or may reference content anywhere on the web. For example, one digital object may aggregate a scholarly document in multiple text formats, and another may combine the text, images, and video that are the basis of a rich web page.
- Extensible metadata management: Because metadata and data are treated uniformly in the digital object model, any number and variety of metadata formats may be stored as data streams, alongside content, in a digital object.
- Expressive inter-object relationships: Digital objects contain metadata that can express any type of relationships such as membership in collections, structural associations like articles in journals or pictures in albums, or taxonomic relationships. Relationship metadata is indexed and can be searched using semantic web query languages.
- Web service integration: Fedora fits in with n-tier applications because of two types of web service integration: (1) Dynamic content delivery: Web services can be associated with any of the data streams in a digital object. As a result, a digital object can deliver dynamic content: the output of a web service processing data in the digital object. A metadata crosswalk service can be associated with a digital object that contains MODS metadata, making it possible to deliver other metadata formats such as Dublin Core. (2) Management and Access APIs: A Fedora repository runs as a service within a web server. All of its functionality and all features of its digital object model are accessible through well-defined REST and SOAP interfaces. Thus, a Fedora repository can be easily integrated into a variety of application environments with different user interfaces.
- Version management: Fedora stores a history of all modifications to digital objects. The full history is accessible through the Fedora access API.
- Configurable security architecture: Access to all aspects of the Fedora management and access API can be controlled by fine-grained XML-based access-control policies. These policies define sets of rules to permit or deny access by users and groups to repository operations.
- OAI-PMH conformance: Fedora repositories are fully conformant with the interoperability framework defined by the Open Archives Initiative Protocol for Metadata Harvesting. The Fedora OAI-PMH service exploits Fedora's extensible metadata management, supporting harvest of any form of metadata delivered by
- Preservation worthy: Fedora repositories incorporate a number of features that facilitate the complex tasks associated with digital preservation. Internally all Fedora digital objects are represented in the file system as files in an open XML format. These XML files include data and metadata for the objects plus relationships to services and other objects. The entire structure of a Fedora repository can be rebuilt from the information in these files. In addition, Fedora repositories are compliant with the Reference Model for an Open Archival Information System (OAIS) due to their ability to ingest and disseminate Submission Information Packages (SIPs) and Dissemination Information Packages (DIPs) in standard container formats such as METS and MPEG-DIDL.
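As an added worked example (not Fedora's or Muradora's code), here is how the open XML form of a digital object described above, FOXML, can be read back and checked. The object is constructed for the example (PID, dates, metadata and the PDF bytes are invented, and the PDF digest is computed when the fixture is built); element and attribute names follow the FOXML 1.1 schema; and the assumption that a contentDigest is computed over the raw bytes of a managed datastream is this example's, not a statement about Fedora's implementation. The code pulls out a datastream's version history, the collection membership recorded in RELS-EXT (the relationship a collection-level access policy hinges on), and recomputes a stored checksum.

```python
"""Reading a FOXML object: datastream versions, RELS-EXT membership, checksums.
Added illustration, not Fedora's code. The object below is constructed (PIDs,
dates, content are invented); names follow the FOXML 1.1 schema. That a
contentDigest covers the raw managed blob is an assumption of this example."""
import hashlib
import xml.etree.ElementTree as ET

FOXML = "info:fedora/fedora-system:def/foxml#"
MODEL = "info:fedora/fedora-system:def/model#"
RELS = "info:fedora/fedora-system:def/relations-external#"
RDF = "http://www.w3.org/1999/02/22-rdf-syntax-ns#"
DC = "http://purl.org/dc/elements/1.1/"

PDF_BYTES = b"%PDF-1.4\n% constructed stand-in for a managed datastream\n"  # invented content

# Constructed fixture; the digest is computed here so the check below has a true value to test.
OBJECT_XML = f"""<foxml:digitalObject VERSION="1.1" PID="demo:12" xmlns:foxml="{FOXML}">
  <foxml:objectProperties>
    <foxml:property NAME="{MODEL}state" VALUE="Active"/>
    <foxml:property NAME="{MODEL}label" VALUE="Example article"/>
  </foxml:objectProperties>
  <foxml:datastream ID="DC" STATE="A" CONTROL_GROUP="X" VERSIONABLE="true">
    <foxml:datastreamVersion ID="DC1.0" LABEL="Dublin Core" CREATED="2007-10-01T09:00:00.000Z" MIMETYPE="text/xml">
      <foxml:xmlContent><oai_dc:dc xmlns:oai_dc="http://www.openarchives.org/OAI/2.0/oai_dc/" xmlns:dc="{DC}">
        <dc:title>Example article</dc:title></oai_dc:dc></foxml:xmlContent>
    </foxml:datastreamVersion>
    <foxml:datastreamVersion ID="DC1.1" LABEL="Dublin Core" CREATED="2007-10-05T14:30:00.000Z" MIMETYPE="text/xml">
      <foxml:xmlContent><oai_dc:dc xmlns:oai_dc="http://www.openarchives.org/OAI/2.0/oai_dc/" xmlns:dc="{DC}">
        <dc:title>Example article</dc:title><dc:creator>A. Author</dc:creator></oai_dc:dc></foxml:xmlContent>
    </foxml:datastreamVersion>
  </foxml:datastream>
  <foxml:datastream ID="RELS-EXT" STATE="A" CONTROL_GROUP="X" VERSIONABLE="false">
    <foxml:datastreamVersion ID="RELS-EXT.0" LABEL="Relationships" CREATED="2007-10-01T09:00:00.000Z" MIMETYPE="application/rdf+xml">
      <foxml:xmlContent><rdf:RDF xmlns:rdf="{RDF}" xmlns:fedora="{RELS}">
        <rdf:Description rdf:about="info:fedora/demo:12">
          <fedora:isMemberOfCollection rdf:resource="info:fedora/coll:research"/>
        </rdf:Description></rdf:RDF></foxml:xmlContent>
    </foxml:datastreamVersion>
  </foxml:datastream>
  <foxml:datastream ID="PDF" STATE="A" CONTROL_GROUP="M" VERSIONABLE="true">
    <foxml:datastreamVersion ID="PDF1.0" LABEL="Full text" CREATED="2007-10-01T09:05:00.000Z" MIMETYPE="application/pdf">
      <foxml:contentDigest TYPE="SHA-256" DIGEST="{hashlib.sha256(PDF_BYTES).hexdigest()}"/>
      <foxml:contentLocation TYPE="INTERNAL_ID" REF="demo:12+PDF+PDF1.0"/>
    </foxml:datastreamVersion>
  </foxml:datastream>
</foxml:digitalObject>"""


def q(ns, tag):                      # Clark-notation tag for ElementTree
    return f"{{{ns}}}{tag}"


def parse_object(xml_text):
    """FOXML -> {pid, state, datastreams: {id: {control_group, versionable, versions}}}."""
    root = ET.fromstring(xml_text)
    props = {p.get("NAME"): p.get("VALUE") for p in root.iter(q(FOXML, "property"))}
    datastreams = {}
    for ds in root.findall(q(FOXML, "datastream")):
        versions = []
        for v in ds.findall(q(FOXML, "datastreamVersion")):
            digest = v.find(q(FOXML, "contentDigest"))   # absent for inline XML here
            versions.append({"id": v.get("ID"), "created": v.get("CREATED"),
                             "mimetype": v.get("MIMETYPE"), "xml": v.find(q(FOXML, "xmlContent")),
                             "digest": (digest.get("TYPE"), digest.get("DIGEST")) if digest is not None else None})
        versions.sort(key=lambda x: x["created"])        # ISO-8601 timestamps sort lexically
        datastreams[ds.get("ID")] = {"control_group": ds.get("CONTROL_GROUP"),
                                     "versionable": ds.get("VERSIONABLE") == "true", "versions": versions}
    return {"pid": root.get("PID"), "state": props.get(MODEL + "state"), "datastreams": datastreams}


def latest(obj, dsid):
    """Current version of a datastream; the earlier entries are its version history."""
    return obj["datastreams"][dsid]["versions"][-1]


def collections_of(obj):
    """Collection membership from RELS-EXT: what a collection-level policy would key on."""
    rdf = latest(obj, "RELS-EXT")["xml"]
    refs = [r.get(q(RDF, "resource")) for r in rdf.iter(q(RELS, "isMemberOfCollection"))]
    return [ref[len("info:fedora/"):] if ref.startswith("info:fedora/") else ref for ref in refs]


def dc_fields(version, field):
    """Values of one Dublin Core element in an inline DC datastream version."""
    return [e.text for e in version["xml"].iter(q(DC, field))]


def verify_digest(version, blob):
    """Recompute the recorded checksum over the stored bytes (preservation check)."""
    algo, expected = version["digest"]
    h = hashlib.new(algo.replace("-", "").lower())       # "SHA-256" -> "sha256"
    h.update(blob)
    return h.hexdigest() == expected
```

Checking the recorded digest against the bytes actually on disk is the preservation-relevant step: the XML states what the managed content should hash to, so a corrupted or silently altered blob is caught when it is read rather than discovered years later, and the rebuild-from-XML property the passage describes only holds if those checks pass.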
"The Research Activityflow and Middleware Priorities (RAMP) project seeks to improve national research effectiveness by addressing two of the most challenging components of the DEST/JISC E-Framework for Education and Research and the DEST Accessibility Framework — the areas of people-oriented workflows for research processes, and open standards authorisation for protected repositories.
A key focus of the RAMP project is capturing eResearch activityflows so that they can be analysed, shared, re-used and adapted. This will lead to a national website providing a library of 'actionable' best practice activityflows for common research processes. This approach draws on the success of capturing and sharing 'Learning Designs' within e-learning, and applies it to the challenges of people-based workflow in eResearch. This work will be complemented by theoretical analysis of workflow standards and languages as applied to eResearch.
The second challenging component of the E-Framework that RAMP addresses is open standards authorisation (using XACML — Extensible Access Control Markup Language). There is an increasing need for flexible management of protected content as part of repositories such as Institutional Repositories, E-Reserves, etc, but most approaches to protected content rely on hardwired or proprietary authorisation mechanisms that are inefficient, costly, inflexible and promote system lock-in. The RAMP project will address the need for open standards authorisation through the creation of a generalised XACML authorisation module that could potentially be adopted by any repository system. This module will be implemented and tested initially using the Fedora repository, based on existing work on Fedora and XACML from MAMS and ARROW. Subsequent implementation with other repository systems will be explored.
The final stage of RAMP will unify the workflow and authorisation components through a 'fusion' project to explore interaction and integration between these two areas, and their overall combined impact on the E-Framework. This fusion project will lay the groundwork for potential future work in unified workflow and authorisation services, and their interaction with other E-Framework services..."
MAMS (Meta Access Management System) Project: Macquarie University is the lead University on the Meta Access Management System (MAMS) Project. This project allows for the integration of multiple solutions to managing authentication, authorisation and identities, together with common services for digital rights, search services and metadata management. See the project documents for more information.
RUBRIC Project and the Toolkit: The RUBRIC project (Regional Universities Building Research Infrastructure Collaboratively) is sponsored by the Australian Commonwealth Department of Education, Science and Training (DEST). The project recognises that regional and smaller universities need to access, manage and disseminate research information in the same way as the large established research universities, but often face significant challenges in developing appropriate and sustainable infrastructure. See the reference documents for more information.
- Announcement 2007-10-11: "Muradora Version 1.0: A Web-based Repository Supporting Federated Identity and Flexible Access Control"
- Muradora Wiki
- Muradora Software Download
- Muradora demonstration
- RAMP Content Management System
- RAMP Deployment Guides
- Macquarie University's E-Learning Centre Of Excellence (MELCOE)
- Meta Access Management System (MAMS) Project
- Australian Access Federation Project
- Muradora and RAMP documentation:
- DRAMA Project Overview. [source .DOC, cache]
- "Digital Repository and Authorization Middleware Architecture." By Chi Nguyen. Conference Presentation (2007-09-20).
- "Muradora: A Turnkey GUI for Fedora Repository Supporting Federated Identity and Flexible Access Control." By Chi Nguyen (Project Manager, RAMP Project, MELCOE, Macquarie University). Presented on October 11, 2007 at IDEA 2007 (Integrated Education Infrastructure: Innovation and Use of Technology in Education, Brisbane Convention and Exhibition Centre).
- RAMP Proposal and Overview. [cache]
- "Federated Authentication and Authorization for Fedora." An extended abstract, submitted to the Fedora User Conference, January 2007, San Antonio, TX. Discusses Shibboleth, SAML, XACML.
- RAMP Support for RQF Repositories
- CORDRA 2006 Presentation: Federated ID and Access Management for Higher Education in Australia. By Chi Nguyen. Presentation given at CORDRA (Memphis) 2006. OpenOffice format. 56 slides.
- Shibboleth: a standards-based, open source middleware software which provides Web Single SignOn (SSO) across or within organizational boundaries. The Shibboleth software implements the OASIS SAML v1.1 specification, providing a federated Single-SignOn and attribute exchange framework.
- SAML: an XML-based framework for communicating user authentication, entitlement, and attribute information. SAML consists of a set of specifications and XML schemas, which together define how to construct, exchange, consume, interpret, and extend security assertions for a variety of purposes.
- XACML: enables the use of arbitrary attributes in policies, role-based access control, security labels, time/date-based policies, indexable policies, "deny" policies, and dynamic policies — all without requiring changes to the applications that use XACML. Adoption of XACML across vendor and product platforms provides the opportunity for organizations to perform access and access policy audits directly across such systems.