Security Middleware Update IS Development Staff Forum December 8, 2004
History, Purpose, Scope Formed July, 2003 by C&C Directors Consolidate & integrate related projects –ASTRA –Pubcookie –Person Registry –White Pages Authorization, Authentication, Directories Identity Management at UW (and beyond)
The Art of Identity Management Presenter: Nathan Dors Contact:
Identity Management? “Identity management is the set of business processes, and a supporting infrastructure, for the creation, maintenance, and use of digital identities.” - The Burton Group (market research firm specializing in enterprise IT infrastructure) How does this compare with, and fit into, our conception of middleware?
Basic functions of IdM ReflectData of interest from SoR JoinMatch identity across SoR CredentialNetID, passwd, SecurID Manage Affil/GroupsBasic/flat AuthZ info Manage PrivilegesStructured AuthZ info ProvisionFor apps w/ attitude DeliverGet AuthZ info to app AuthenticateCheck identity claim AuthorizeMake allow/deny decision LogTrack usage for audit Source: Keith Hazelton, Univ of Wisconsin
IdM functions & big picture Reflect Join Credential Deliver (AuthN) Provision AuthZ Mng Grps Mng Priv Log Source: Keith Hazelton, Univ of Wisconsin; Tom Barton, Univ of Chicago
Communities for delivery Source: Keith Hazelton, Univ of Wisconsin
Services to Communities What is the reach of our middleware componentry? Pubcookie UW.EDS.Person ASTRA Shibboleth
Person Registry v2.0 for “Nantucket” Presenter: Anne Hopkins Contact:
Nantucket = Person Registry + EDS Person Registry (Shuksan) Windows Server App COM/.NET UW.Eds.Person EDS LDAP QUERY EDS PERSON QUERY Event Queue Manager PUBLISH PERSON DATA REALTIME Person Registry Backend Enterprise Directory Service IMPORT / UPDATE DATA DATA SOURCES QUEUE UPDATES FOR EDS Mango Data Dump (LDIF) BULK LOAD PERSON DATA
Nantucket Status In Beta Now: –UW.EDS.Person –EDS Person Data infrequently refreshed Pre-Production, end of Jan ‘05 –Nightly refresh of EDS Person Data Production release, Spring ‘05 –Real-time updates of EDS Person Data Questions to:
Enterprise Directory Services Presenter: Brad Greer Contact:
The Big Picture
What is EDS? The Enterprise Directory Service (EDS) provides for the publishing and retrieval of data items that are deemed to be of 'enterprise' interest. EDS directories are designed to be secure, scalable, based on standard protocols (LDAP), have no scheduled downtime, and able to accept real-time updates from multiple data sources.
What Is EDS- Part II EDS is not an application. EDS is a collection of data (directories), documentation, middleware - and a team of people to assist Developers in writing their applications. EDS also provides documentation and design help for C&C teams to Publish data into EDS directories.
Status? There are 4 Projects/Directories in-progress which include: –People (PersonReg) Plan to have nightly updates in production by end of January. Real-time updates will be implemented at future date. –Whitepages (staffdir, UWDir, staff/faculty dir) Production Server switchover to OpenLDAP planned for 12/22/04 –Groups (mod_uwa) New server hw ordered, Groups project working on design for migration to OpenLDAP. Servers to all use OpenLDAP (RH Linux) Dev, Eval, Production servers setup.
Status part II ISDev Certificate for directory access has been deployed and updated to all IS Dev workstations via nebula. UW.EDS.Person middleware component in beta test until EDS servers go into production (static data) EDS public web site under construction: www/computing/eds
EDS Web Site Organization EDS Directories Overview – there are now 4 directories! App Developer Info (LDAP+Middleware) –UW.EDS.Person - Design Doc/API/Examples –WhatamI V1 docs linked –Mod_uwa docs linked Data Publisher Info (TBD) Software –UW.EDS.Person middleware (people) –Whatami – link to info (people) –Mod_uwa - apache module (groups) –UWDir - VB application (whitepages) –Staffdir - perl script (whitepages)
Native LDAP or Middleware? Either can be used to access EDS directories Native LDAP requires more in-dept understanding of directory schema, authentication (certificates), LDAP protocol. Support for native LDAP will be less comprehensive than with middleware. UW.EDS.Person middleware provides object pooling, simple programming model, logging, and transparent server failover.
UW.EDS.Person Object What data is exposed in UW.EDS.Person 2.0? · UWRegID · UWPriorRegID · UWNetID · UWPriorNetID · UWEmployeeID · UWDevelopmentID · UWStudentSystemKey · UWStudentID · UWPersonRegisteredName · DisplayName · UWTest More details and usage examples on Web Site.
ASTRA Authorization Service Presenter: Rupert Berk Contact:
ASTRA: Usage Since Launch
ASTRA: Clients in Production SAGE Ariba System Administration E-Procurement Online Work Leave System Affirmative Action Department Tools for Time Schedule FS-Works Employee Self-Service
ASTRA: Recent Progress (2004) Technical –Microsoft.NET API –Web Service API Non-C&C or non-Windows clients –Automated PI import from FIN for FDI (eval) –Improved developer documentation Business –Door-to-door identification of departmental Delegators
ASTRA: Clients in Development Financial Desktop Space Inventory Management System Online Accident Reporting System Year End Tax Form VEBA PUC Maintenance Application Vendor Payment System
ASTRA: Current Work Technical –New API to allow apps to update span- of-control data –New monitoring tools –New configuration tools –New reconciliation mechanisms –New web interface Richer, more effective inquiries Integrated search and edit Context-sensitive help Business –More strategic identification of departmental Delegators
ASTRA: Clients in Discussion MyGradProgram Online Payroll Update System UW Project Tracker Cognos Tools (Data Warehouse) Keynes Applications (PAS, FIN, etc.)
ASTRA: Future plans Technical –More granular access control (multiple spans-of-control) –Separate development paths –Convert UI completely to.NET –Create administrative tools for developers –Use high-availability, high speed data store: EDS
ASTRA: People ASTRA Team –Ian Taylor, Manager –Rupert Berk, Project Manager –Heidi Berrysmith, Client Support, Business Analyst –Steve Suh, Developer –Ann Testroet, Developer –Aram Pierce, Developer ASTRA Advisory Group ASTRA USER Group
Pubcookie & Shibboleth Update Presenter: Nathan Dors Contact:
Pubcookie New functionality –POST-based cross-dns-domain messaging –Custom login messages –Keyserver supports wildcard certs –Keyserver supports Subject Alt Names Release info –3.2.0-beta1 available now (Unix/Apache only) –Running on production-test weblogin
Custom login messages Example: ESS login
Et tu, Pubcookie 3.1.1? The “Back to the Future” version –Some use on campus and UWMITS –Has showstoppers for ITI-AP deployment –Hence, not available on IS systems … sorry folks. Functionality of interest –“Variable” session reauthentication; e.g., “if user authenticated within N minutes, don’t re-prompt for password”
Shibboleth An architecture, project, and software for standards-based, federated login UW is a Shibboleth “Identity Provider” (IdP) –Running Shibboleth IdP 1.2 –User authentication by Pubcookie/weblogin –User attributes from ancestral EDS Group directory –Working with initial Server Providers –Participating in InCommon (R&E) federation; “authenticate locally, act federally”