Migrating Single Sign On to CAS and Shibboleth George Hosler Information Technology 5/29/2013.


Background:
KU’s original Identity Management system (Account Information Management System – AIMS) was a “home-grown” implementation processing batch feeds from our Student and HR systems, as well as feeds from KU Continuing Education and the KUMC campus.
AIMS utilized a custom-developed Single-Sign-On solution called Argus.
Argus was integrated into a Shibboleth v1 Identity Provider via a custom login handler.
These systems comprised the first Single-Sign-On and Federation solutions at KU.

But over time:
The AIMS/Argus/Shibboleth systems began to show their age.
A number of unmaintainable business processes made AIMS more and more difficult to support.
Staffing changes and poorly documented processes led to its ultimate demise.
Argus provided client libraries for Perl and Java, but never grew to provide support for other languages.
The Shibboleth Identity Provider was never upgraded, and it became difficult to support and to continue adding federated integrations.

The solution:
In 2009 KU launched an effort to implement a new Identity Management solution.
AIMS was replaced with an installation of Novell Identity Manager, now NetIQ Identity Manager.
The Argus/Shibboleth implementations were to be replaced with Sun OpenSSO.
OpenSSO provided SAML responses, so the plan was to no longer utilize a separate Shibboleth Identity Provider.
The new systems were implemented, and the project team set out migrating web applications to utilize OpenSSO.

But…
We had the Identity Manager processing data from our systems of record and provisioning accounts downstream; however, OpenSSO began exhibiting stability problems.
After the Oracle acquisition of Sun, Oracle made the decision to discontinue OpenSSO. We were on the latest release, with no upgrade or patches.
The OpenSSO code base was picked up by the ForgeRock group and released as OpenAM.
So, to address our stability issues and apply some patches, KU implemented OpenAM.

Of course the upgrade resolved everything, right?
At first the new installation appeared to be completely stable, and the team proceeded with additional integrations. However, once we started adding large-scale systems, OpenAM began to exhibit the same stability issues and integration work again halted.
The core problem was that the servers running OpenAM would reach 100% CPU utilization, and then, due to the synchronization between the OpenAM instances, all of the production servers would become unresponsive.
After additional exhaustive investigation, KU engaged consultants to assist us in determining the root cause of this problem.

Root Cause: Load Balanced LDAP Servers
The consulting firm spent about a week reviewing our installation and configurations. They provided suggestions on changes that should resolve our stability issues based on “best practices”. The suggestions were implemented, and nothing changed.
The consultant assigned to our case left the company, and no one else was assigned to us.
In the meantime one of my staff came across a mailing list post describing how OpenAM did not support a load-balanced LDAP environment. That is exactly how KU is configured.

Back to the drawing board…
Aside from stability, OpenAM had other challenges:
1. It ran inside Glassfish. KU did not have any other Glassfish installations, limiting in-house support capacities.
2. The OpenAM clients required special installation packages, not just a simple library or module to add on.
3. For Java web applications, you could not “hot-deploy” war files, resulting in a full service outage when deploying updates.
4. The OpenAM server could not serve SAML v1 responses and could not be easily integrated with legacy applications.
5. We were encountering problems integrating OpenAM with the InCommon federation, delaying rollout of InCommon at KU.

CAS: Central Authentication Service
KU has been running uPortal, from Jasig – now Apereo, since fall
CAS is another Jasig/Apereo product, so we were already familiar with it.
Additional information:
As a common SSO solution in the higher education community, many of the products in the higher education space are already designed to integrate with CAS.
CAS provides numerous client library implementations, allowing for broader adoption.
CAS runs inside the Tomcat container, which allows for better support expertise at KU.

Shibboleth:
KU was already running an older version of Shibboleth, so there was “some” basic in-house knowledge.
The Identity Provider could be configured to provide SAML v1 responses for easier integration with older applications and Service Providers.
As with CAS, many of the products common to higher education are already designed to integrate with Shibboleth.
Shibboleth provides simpler integration with federations like InCommon.

CAS and Shibboleth:
Both implementations are Open Source products with active communities behind them.
Both products are a better fit for KU’s core architecture.
Most importantly, the Shibboleth Identity Provider can be configured to utilize CAS for login, allowing for complete integration: achieving Single-Sign-On so that users logging into a CAS-protected site won’t be prompted again for authentication when they visit a Shibboleth-protected site, and vice-versa.

How do CAS and Shibboleth integrate:
There are several options; KU utilized the “Shibboleth IDP External Authentication via CAS plugin” option:
1. Configure the CAS filters in the “cas-authentication-facade” web.xml suitable for your CAS installation.
2. Configure the IDP External Login Handler in your IDP’s handler.xml.
3. Add the IDP External Auth Servlet entries in your IDP’s web.xml.
4. Build and copy the resulting .war file to your Tomcat webapps directory and the resulting .jar file to the lib directory in your IDP webapp.
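To make the exchange behind step 1 concrete, the following is an added example, not code from the plugin, from KU, or from the original slides. It shows what any CAS 2.0 client (the facade in front of the IdP is one) does once the browser comes back from the CAS login page with a service ticket: it calls /serviceValidate with the same service URL the ticket was issued for, and parses the XML response into a principal plus attributes that the IdP’s external login handler can then use. The host names and the service URL are hypothetical, and both XML responses are constructed samples in the CAS 2.0 response format.

```python
"""Added example: CAS 2.0 service-ticket validation as a CAS client performs it.
Not the shib-cas plugin's own code. Host names are hypothetical; the two XML
responses below are constructed samples, not captured from a real server."""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}          # namespace of CAS 2.0 responses
SERVICE_TICKET_RE = re.compile(r"^ST-[A-Za-z0-9._-]+$")  # service tickets begin with "ST-"


def is_service_ticket(ticket):
    """Cheap shape check before echoing a ticket back to the server; the real
    security decision is the server's answer, not this regex."""
    return bool(SERVICE_TICKET_RE.match(ticket or ""))


def build_validate_url(cas_base, service, ticket):
    """Build the /serviceValidate call. 'service' must be exactly the URL the
    ticket was issued for, otherwise CAS answers INVALID_SERVICE; that check is
    what stops a ticket issued to one application being replayed at another."""
    if not is_service_ticket(ticket):
        raise ValueError("malformed service ticket")
    query = urlencode({"service": service, "ticket": ticket})
    return f"{cas_base.rstrip('/')}/serviceValidate?{query}"


def parse_validate_response(xml_text):
    """Parse a CAS 2.0 serviceValidate response.

    Returns {"ok": True, "user": ..., "attributes": {...}} on success and
    {"ok": False, "code": ..., "message": ...} on authenticationFailure.
    Raises ValueError for anything else, which a client must treat as failure.
    """
    # ElementTree does not resolve external entities; for XML from an untrusted
    # peer use defusedxml as well so entity-expansion bombs are rejected.
    root = ET.fromstring(xml_text)
    if root.tag != "{http://www.yale.edu/tp/cas}serviceResponse":
        raise ValueError("not a cas:serviceResponse")

    failure = root.find("cas:authenticationFailure", CAS_NS)
    if failure is not None:
        return {"ok": False, "code": failure.get("code", "UNKNOWN"),
                "message": (failure.text or "").strip()}

    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is None:
        raise ValueError("response has neither success nor failure element")
    user = success.findtext("cas:user", default="", namespaces=CAS_NS).strip()
    if not user:
        raise ValueError("authenticationSuccess without a cas:user")

    attributes = {}
    attr_block = success.find("cas:attributes", CAS_NS)
    if attr_block is not None:
        for child in attr_block:                      # multi-valued attrs repeat the element
            name = child.tag.rsplit("}", 1)[-1]       # strip the namespace prefix
            attributes.setdefault(name, []).append((child.text or "").strip())
    return {"ok": True, "user": user, "attributes": attributes}


# Constructed sample responses (CAS 2.0 format), used for the demo below.
SUCCESS_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>jdoe</cas:user>
    <cas:attributes>
      <cas:eduPersonPrincipalName>jdoe@example.edu</cas:eduPersonPrincipalName>
      <cas:memberOf>staff</cas:memberOf>
      <cas:memberOf>it</cas:memberOf>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

FAILURE_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>
    Ticket ST-1856339-aA5Yuvrxzpv8Tau1cYQ7 not recognized
  </cas:authenticationFailure>
</cas:serviceResponse>"""

if __name__ == "__main__":
    # Hypothetical CAS server and facade URL; the facade's own URL is the 'service'.
    print(build_validate_url("https://cas.example.edu/cas",
                             "https://idp.example.edu/idp/Authn/External",
                             "ST-1856339-aA5Yuvrxzpv8Tau1cYQ7"))
    print(parse_validate_response(SUCCESS_XML))
    print(parse_validate_response(FAILURE_XML))
```

The point to carry over to the facade configuration in step 1 is the service parameter: the filter’s configured service URL has to be the URL CAS actually redirected to, and the validation must go over TLS to the CAS server directly, since a ticket is only as trustworthy as the channel it is validated on.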

The route KU took:
We were in a time crunch:
KU had already devoted a significant amount of time trying to make OpenAM a feasible solution.
Researchers and Scholars were clamoring for federations like InCommon.
Maintaining multiple SSO systems had become a major undertaking.
KU engaged Unicon to implement CAS and Shibboleth, and to transfer knowledge back to KU staff for ongoing support:
Unicon worked with KU on the early efforts for uPortal.
Experts in Open Source products for higher education.
Their statement of work explicitly called out knowledge transfer back to KU staff.

Future areas of focus:
Two factor authentication – Many two factor authentication solutions integrate directly with Shibboleth. However, integrating CAS has introduced a complication. KU needs to do some additional research on how to best integrate two factor solutions with our SSO implementation.
ADFS – Services utilizing Active Directory Federation Services are becoming more common. Other institutions have successfully integrated ADFS into their SSO solutions; we need to investigate how this was done so we’re ready.
One-Stop-Shop Portal – Rolling out new functionality to the web is resulting in “application sprawl”. Users are becoming confused about “where to go”. To help solve this, KU has launched an effort to route all general-user traffic through our portal. Having SSO options for all general use campus applications is a key factor in making this work.