Event-Driven Architecture for Synchronizing Active Directory Groups Nathan Dors – University of Washington Eric Kool-Brown – University of Washington

Active Directory in Higher Ed IT
- Granting access to Windows resources via Access Control List entries
- Best practice: use groups as ACE trustees rather than individual user accounts
- Groups used as Exchange distribution lists
- Interop with Linux/Unix systems via LDAP, Kerberos, and Samba
- Customers continue to find new ways to use our AD services
EDA & Syncing AD Groups

Connecting Access Management Systems
The vision:
- Seamless information flow through IT systems
- Architectural agility for updating IT systems
Traditional solutions:
- Domain-specific, hardwired, batch oriented
- Scheduled rather than real-time
IDM suites (OpenIDM, OIM, AD/FIM):
- Relatively heavyweight alternatives
Enterprise Integration Patterns:
- Guidance on how to roll your own heavyweight system
Event Driven Architecture – a lightweight approach

Event Driven Architecture
- EDA facilitates the transfer of information between producing and consuming systems
- It is a design pattern that decouples components:
  - An intermediate component: a message queue
  - An intermediate format: a message schema
  - Flexibility as to the propagation model
- It provides near-real-time information propagation
- Components and systems can evolve independently; the message schema is versioned
- EDA can facilitate a GR/DR capability if the queue is in the cloud

Propagating Access Management Changes
- The UW uses Grouper as the groups data master
- There are multiple downstream consumers of Grouper changes
- AD changes used to be pulled via scheduled batch processes
- We switched to EDA via Apache ActiveMQ a year ago
  - Requires in-house hardware and support
- We are moving to Amazon SNS and SQS
  - AWS is an attractive option due to simplicity, flexibility, and reasonable cost
  - Trivial to add new consumer queues to an SNS topic

Information Security Considerations
- Group data risk assessment and classification
  - Assessment conducted by Michael Brogan 2 years ago
  - UW policy data classes: public, restricted, or confidential
- Groups have a hierarchical administrative model
  - Admin controls on who can create groups and modify their attributes and membership
- Group data is signed and encrypted while in transit
  - In addition to the SSL data channel encryption
- Groups with viewer restrictions cannot be Exchange-enabled
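As an added example (not code from this talk or from UW's Group Sync Agent), the following Python models the pattern the EDA, propagation and security slides describe: a producer signs each group-change event and fans it out to every subscriber queue, as an SNS topic does to its SQS queues, and the consumer verifies the signature before trusting any field, rejects stale replays, dispatches on the message schema version so producer and consumer can upgrade independently, and does not reapply a redelivered event. Everything concrete here is assumed: in-memory deques stand in for the queues, HMAC-SHA256 with a shared key stands in for whatever signing scheme UW actually uses, the encryption layer the slide mentions is left to the transport, and the group names, netids and schema fields are constructed.

```python
import hashlib
import hmac
import json
import time
from collections import deque

# Assumption: a shared secret held by producer and consumer (in practice pulled
# from a secret store); the talk does not say which signing scheme UW uses.
SIGNING_KEY = b"example-key-not-for-production"
MAX_AGE_SECONDS = 300  # events older than this are treated as replays


def canonical(body: dict) -> bytes:
    """Stable byte encoding so producer and consumer sign identical bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign(body: dict, key: bytes = SIGNING_KEY) -> str:
    return hmac.new(key, canonical(body), hashlib.sha256).hexdigest()


def publish(topic: list, body: dict, key: bytes = SIGNING_KEY) -> dict:
    """Producer: sign once, then copy the envelope to every subscribed queue (fan-out)."""
    envelope = {"body": body, "sig": sign(body, key)}
    for queue in topic:
        queue.append(envelope)
    return envelope


# Schema v1 carried the member as a bare netid; v2 carries a typed member object.
# A consumer that accepts both lets the producer upgrade independently of it.
def parse_v1(body: dict) -> tuple:
    return (body["group"], body["action"], body["member"])


def parse_v2(body: dict) -> tuple:
    member = body["member"]
    if member["type"] != "user":  # nested-group members are out of scope here
        raise ValueError("unsupported member type %r" % member["type"])
    return (body["group"], body["action"], member["id"])


PARSERS = {1: parse_v1, 2: parse_v2}


class GroupSyncConsumer:
    """Consumer: authenticate, check freshness, dispatch by version, deduplicate."""

    def __init__(self, key: bytes = SIGNING_KEY, now=time.time):
        self.key = key
        self.now = now
        self.seen = set()    # event_ids already applied (queues deliver at least once)
        self.applied = []    # (group, action, member) tuples; stand-in for AD writes
        self.rejected = []   # (event_id, reason)

    def handle(self, envelope: dict) -> bool:
        body = envelope.get("body", {})
        event_id = body.get("event_id")
        # 1. Verify before trusting any field; constant-time comparison.
        if not hmac.compare_digest(sign(body, self.key), envelope.get("sig", "")):
            self.rejected.append((event_id, "bad signature"))
            return False
        # 2. Freshness: a replayed old event must not reapply stale membership.
        if abs(self.now() - body.get("timestamp", 0)) > MAX_AGE_SECONDS:
            self.rejected.append((event_id, "stale"))
            return False
        # 3. Dispatch on schema version; an unknown version is parked, not guessed.
        parser = PARSERS.get(body.get("schema_version"))
        if parser is None:
            self.rejected.append((event_id, "unsupported schema"))
            return False
        try:
            change = parser(body)
        except (KeyError, ValueError) as exc:
            self.rejected.append((event_id, "malformed: %s" % exc))
            return False
        # 4. Idempotence: a redelivered event is acknowledged but not reapplied.
        if event_id in self.seen:
            return True
        self.applied.append(change)
        self.seen.add(event_id)
        return True


def demo(now: float = 1_700_000_000.0):
    """Constructed scenario: two subscriber queues, one redelivery, one tampered
    message. Returns the AD consumer and the size of the untouched audit queue."""
    ad_queue, audit_queue = deque(), deque()
    topic = [ad_queue, audit_queue]
    publish(topic, {"schema_version": 1, "event_id": "e1", "timestamp": now - 5,
                    "group": "uw_course_cse", "action": "add", "member": "jdoe"})
    publish(topic, {"schema_version": 2, "event_id": "e2", "timestamp": now - 1,
                    "group": "uw_course_cse", "action": "remove",
                    "member": {"type": "user", "id": "asmith"}})
    ad_queue.append(ad_queue[0])  # at-least-once delivery: e1 arrives twice
    forged = dict(ad_queue[1], body=dict(ad_queue[1]["body"], action="add"))
    ad_queue.append(forged)       # body changed after signing, so the signature fails
    consumer = GroupSyncConsumer(now=lambda: now)
    while ad_queue:
        consumer.handle(ad_queue.popleft())
    return consumer, len(audit_queue)
```

Running `demo()` applies e1 and e2 once each, drops the redelivered e1 silently, and records the forged copy of e2 as a bad signature; the audit queue still holds both original envelopes because each subscriber drains its own copy. The order of the checks matters: the signature is verified before the timestamp or version is read, so an attacker who can write to the queue cannot drive the consumer's parsing logic with unauthenticated input.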

UW AD as a Group Event Consumer
- Group Sync Agent is a Windows service that reads from the ActiveMQ or SQS queue
- Periodic reconciliation compares Grouper data to AD data and adjusts the latter as needed
- Group viewership restrictions result in the updating of AD group ACLs (see Brian's "Hiding Data in AD")
- Administrative model is enforced in Grouper; AD groups are updated only by Group Sync (with a few exceptions)
- AD replication latency issues resolved by using domain controller affinity
- Event queues are abstracted as interfaces
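The reconciliation and domain-controller-affinity points above, as an added example in Python rather than the Windows service UW runs (this is not the project's code). Two in-memory stand-ins for domain controllers only see each other's changes when `replicate_to()` is called, which is enough to show the failure the slide alludes to: an agent that lets each LDAP call land on whichever DC answers can create a group on one DC and then try to add a member on another DC that has not received it yet. Pinning the agent to one DC removes that window. The periodic `reconcile()` pass then makes AD match Grouper's view, which also reverts membership someone edited directly in AD, enforcing "AD groups updated only by Group Sync". Group and member names are constructed; the event tuples are an assumed shape, not UW's message format.

```python
import itertools
from dataclasses import dataclass, field


class NotFound(Exception):
    """Raised when a DC has not yet received an object created elsewhere."""


@dataclass
class FakeDC:
    """Stand-in for one domain controller. Writes stay local until replicate_to()
    is called, which models replication latency between DCs."""
    name: str
    groups: dict = field(default_factory=dict)  # group name -> set of members

    def create_group(self, group):
        self.groups.setdefault(group, set())

    def members(self, group):
        if group not in self.groups:
            raise NotFound("%s not (yet) on %s" % (group, self.name))
        return set(self.groups[group])

    def add_member(self, group, member):
        self.members(group)  # fails if the group has not replicated here
        self.groups[group].add(member)

    def remove_member(self, group, member):
        self.members(group)
        self.groups[group].discard(member)

    def replicate_to(self, other):
        for group, members in self.groups.items():
            other.groups[group] = set(members)


class GroupSyncAgent:
    """With affinity=True every read and write goes to one pinned DC; with
    affinity=False calls rotate across DCs, as happens behind a load-balanced
    LDAP name, so a write may be followed by a read on a DC that lags."""

    def __init__(self, dcs, affinity=True):
        self.pinned = dcs[0]
        self.rotation = itertools.cycle(dcs)
        self.affinity = affinity

    def dc(self):
        return self.pinned if self.affinity else next(self.rotation)

    def apply(self, event):
        """Apply one queued group-change event: (kind, group[, member])."""
        kind, group = event[0], event[1]
        if kind == "create":
            self.dc().create_group(group)
        elif kind == "add":
            self.dc().add_member(group, event[2])
        elif kind == "remove":
            self.dc().remove_member(group, event[2])
        else:
            raise ValueError("unknown event %r" % (kind,))

    def reconcile(self, desired):
        """Periodic pass: make AD match Grouper's view (`desired`: group -> members).
        Also undoes membership edited directly in AD. Returns the ops applied."""
        dc = self.dc()
        ops = []
        for group, want in desired.items():
            if group not in dc.groups:
                dc.create_group(group)
                ops.append(("create", group))
            have = dc.members(group)
            for member in sorted(want - have):
                dc.add_member(group, member)
                ops.append(("add", group, member))
            for member in sorted(have - want):
                dc.remove_member(group, member)
                ops.append(("remove", group, member))
        return ops


def run_events(affinity):
    """Constructed: create a course group, then add a member, with two DCs available."""
    dc1, dc2 = FakeDC("dc1"), FakeDC("dc2")
    agent = GroupSyncAgent([dc1, dc2], affinity=affinity)
    try:
        for event in [("create", "uw_course_cse142"), ("add", "uw_course_cse142", "jdoe")]:
            agent.apply(event)
    except NotFound as exc:
        return "failed: %s" % exc
    return "ok"


def run_reconcile():
    """Constructed: Grouper says {jdoe, asmith}; AD has jdoe plus a hand-added mallory."""
    dc1 = FakeDC("dc1")
    dc1.create_group("uw_course_cse142")
    dc1.add_member("uw_course_cse142", "jdoe")
    dc1.add_member("uw_course_cse142", "mallory")  # out-of-band edit, not via Group Sync
    agent = GroupSyncAgent([dc1])
    return agent.reconcile({"uw_course_cse142": {"jdoe", "asmith"}})
```

`run_events(False)` fails on the second event because the add lands on dc2 before the group has replicated there; `run_events(True)` succeeds because both calls hit dc1. `run_reconcile()` returns one add (asmith) and one remove (mallory), which is exactly the pair of operations that make AD agree with Grouper again.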

What's Next?
- Completing the switch over to Amazon SNS/SQS
- Implementations for other queues, e.g. Azure Message Bus?
- Using the message queue model for bi-directional group change flow (for those exceptional groups)
- Perhaps inserting a workflow processor in place of a simple queue
- Sharing code?

Conclusion
- Happy with the results: it's very reliable and usually quite fast
- ~50k messages per month
- Course group creation at quarter start imposes an unusual load; ACL setting causes queue backups
  - Prioritizing interactive group changes over bulk updates
  - Releasing course creation over a longer period of time
- Looking at other places where the EDA pattern can be applied

Appendix