For the Pragmatic, the UHIMS Ecosystem (for Identity and Access Management) Michael Hodges ITS, Identity and Access Management University of Hawaii © 2015

What to talk about today?
– What is Pragmatic Programming?
– The UHIMS Ecosystem
– UHIMS Ecosystem Solutions
– Ecosystem Enhancements Under Way
– UHIMS Dreams and Blue Sky Visions
– Looking ahead, UH joins Internet2’s TIER

What is Pragmatic Programming?
A book: “The Pragmatic Programmer, From Journeyman to Master”
A mindset that will help you:
– Keep it DRY
– KISS better
– Decouple by design
– Minimize technical debt
– Future-proof apps

Keep it DRY – Don’t Repeat Yourself – a design principle. Write code once, reference it as needed.
– Don’t reinvent the wheel, if possible.
– Leverage UHIMS solutions that fit your needs (it will be well worth the learning curve).
– DRY requires good planning.

KISS better – Keep It Simple and Short – a design principle
– Small, simple software subcomponents reduce complexity and are easier to manage.
– Create only the subcomponents that you must create; keep your custom code footprint as small as possible.
– Embrace integration, leverage existing solutions.

Decouple by design
– Utilize Message Brokering
  Increase availability/uptime
  Increase flexibility
– Conceptualize apps as Message producers and Message consumers

Decouple by design (diagram slide; no text captured)

Minimize technical debt
– Technical debt: the things you should have taken care of in your code but didn’t, e.g. deferred features, deferred documentation, deferred regression tests, performance, etc.
– Software entropy (a related concept)
  Unaddressed technical debt increases software entropy.
  Utilized software will be modified. Modified software increases in complexity (unless successfully refactored).

A mindset that will help you: Keep it DRY, KISS better, Decouple by design, Minimize technical debt, Exceed expectations, Future-proof apps.

Future-proof (one must try)
– Align with the expanding UHIMS
  Emerging Group/Authorization management practices.
  Emerging 2nd factor authentication options.
  Future End-User profile management.
  Future attribute release consent options.
– Leverage the work of other project teams
  College of Ed’s WordPress plugin, Authorizer.
  Bursar’s hosted eCommerce solution.
  Internet2 community.
– Anticipate TIER, an Internet2 IAM project
  TIER: Trust and Identity in Education and Research. Includes: Certs, Assurance, MFA, Shib, Grouper, COmanage, eduPerson, eduOrg, MACE Registries, IAM for higher ed.

Practical Pragmatic Examples
– Report writing: output data to a csv file for import to Excel.
– CAS for authentication.
– CAS attributes for authorization.
– UH Groupings for authorization, anywhere the “is member of” question comes up.
– UH Message Broker to separate apps that publish (liberate) information from apps that consume information.

The UHIMS Ecosystem
A non-chronological review of the development of the UHIMS Ecosystem

Diagram: UHIMS Ecosystem (circa 2015), University of Hawaii © 2015, TI-SYS-IAM, revised 03/11/2015. The diagram is built up over several slides; its labels are:
– Layers: Systems of Record, Directory Services, AuthN/Z Services, Applications
– Update flows: Person Directory Updates, Admin Updates, Person Events
– Systems of Record: Banner, PS HR, RCUH, SECE, KFS, MyGrant
– Components, in the order the slides add them: UHIMS Person Registry; LDAP 389DS; RADIUS AuthN; CAS3 AuthN; Campus Wireless; Web Apps (registered); UHIMC; BMT; WPMS; API; VIA; Shib IdP AuthN; UH Web Apps (federated); Msg Broker [exchanges] with Message Producer (PR) and Message Consumer (CON); LISTSERV lists; UH Groupings; Grouper AuthZ; ACER; Campus OneCard; AD (AuthN only); UH Campus AD domains

The roles UHIMS aggregates:
– staff.civilService, staff.executive, staff.apt, staff.casual, staff.overload, staff.noDetails, staff.nonCompensated
– faculty.communityCollege, faculty.university, faculty.medical, faculty.researcher, faculty.specialist, faculty.countyAgent, faculty.librarian, faculty.law, faculty.emeritus, faculty.overload, faculty.noDetails, faculty.courseInstructor, faculty.lecturer, faculty.teachingAssistant, faculty.researchAssistant
– studentEmployee.workStudy, studentEmployee.studentHire
– student.graduate.law, student.graduate.medical, student.graduate.noDetails, student.undergraduate.noDetails
– student.other.apprenticeship, student.other.continuingEducation, student.other.postBaccalaureate, student.other.professional, student.other.vocational, student.other.undeclared
– nonCreditStudent.noDetails, nonCreditStudent.etc
– preStudent.noDetails, preStudent.accepted, preStudent.applicant
– ohana, retiree, other

UHIMS Ecosystem Solutions
Authentication Solutions:
– CAS
– Shibboleth
– LDAP
Authorization Solutions:
– ACER
– Grouper
– UH Groupings and the UH Group Store
– UHIMS Events
Decoupling Solutions:
– UH Message Broker

UHIMS Ecosystem Solutions, Authentication Solutions
CAS – Central Authentication Service
– Used by UH Apps for Authentication
– Default Attribute Release Policy
  UH Data Governance policies apply (E2.215).
  IAM and the Data Governance Committee (DGC) have created SOPs for standard requests.
  Non-standard requests, such as for hosted apps, must first be approved by the DGC.

CAS – Central Authentication Service
– Attributes useful for Authorization:
  eduPersonAffiliation (faculty)
  eduPersonOrgDN (kauaicc)
  uhOrgAffiliation (eduPersonOrgDn=kauaicc,eduPersonAffiliation=faculty)
  uhAcknowledgement (generalConfidentialityNotice=T000000)
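An added example (not code from the UH presentation) of using these CAS attributes for an authorization decision in an application. The attribute values, the rule name `may_access_kauaicc_faculty_app` and the sample users are constructed; the point is that the composite `uhOrgAffiliation` value, not the two flat attributes, is what ties an affiliation to a campus.

```python
from dataclasses import dataclass, field
from typing import Dict, List


def parse_composite(value: str) -> Dict[str, str]:
    """Split a composite CAS value such as
    'eduPersonOrgDn=kauaicc,eduPersonAffiliation=faculty' into key=value
    pairs. Parts without '=' are skipped rather than raising."""
    pairs: Dict[str, str] = {}
    for part in value.split(","):
        key, sep, val = part.partition("=")
        if sep:
            pairs[key.strip()] = val.strip()
    return pairs


@dataclass
class CasAttributes:
    """Attributes CAS released for one authenticated user.
    CAS attributes are multi-valued, so every field is a list."""
    eduPersonAffiliation: List[str] = field(default_factory=list)
    eduPersonOrgDN: List[str] = field(default_factory=list)
    uhOrgAffiliation: List[str] = field(default_factory=list)
    uhAcknowledgement: List[str] = field(default_factory=list)


def has_affiliation_at(attrs: CasAttributes, affiliation: str, org: str) -> bool:
    """True when one uhOrgAffiliation value pairs this affiliation with this
    org. Testing the composite value, rather than eduPersonAffiliation and
    eduPersonOrgDN separately, avoids treating someone who is faculty at one
    campus and staff at another as faculty at the second campus."""
    return any(
        p.get("eduPersonAffiliation") == affiliation and p.get("eduPersonOrgDn") == org
        for p in map(parse_composite, attrs.uhOrgAffiliation)
    )


def has_acknowledged(attrs: CasAttributes, notice: str) -> bool:
    """True when uhAcknowledgement records the named notice (its value is
    the acknowledgement timestamp)."""
    return any(notice in parse_composite(v) for v in attrs.uhAcknowledgement)


def may_access_kauaicc_faculty_app(attrs: CasAttributes) -> bool:
    """Hypothetical app rule: Kauai CC faculty who have accepted the
    General Confidentiality Notice."""
    return (has_affiliation_at(attrs, "faculty", "kauaicc")
            and has_acknowledged(attrs, "generalConfidentialityNotice"))


# Constructed sample users (illustrative values, not real UH data).
FACULTY_KAUAICC = CasAttributes(
    eduPersonAffiliation=["faculty"],
    eduPersonOrgDN=["kauaicc"],
    uhOrgAffiliation=["eduPersonOrgDn=kauaicc,eduPersonAffiliation=faculty"],
    uhAcknowledgement=["generalConfidentialityNotice=20150311T000000"],
)
# Faculty at Manoa who is only staff at Kauai CC: the flat attributes alone
# would pass the rule, the composite check does not.
MIXED = CasAttributes(
    eduPersonAffiliation=["faculty", "staff"],
    eduPersonOrgDN=["manoa", "kauaicc"],
    uhOrgAffiliation=["eduPersonOrgDn=manoa,eduPersonAffiliation=faculty",
                      "eduPersonOrgDn=kauaicc,eduPersonAffiliation=staff"],
    uhAcknowledgement=["generalConfidentialityNotice=20150311T000000"],
)
```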

CAS – Central Authentication Services
– Web App Form, URLs must be registered
– Developer Documentation

CAS – Central Authentication Services
– Infrastructure (diagram): a Load Balancer with health checks in front of CAS (active), CAS (hot standby) and CAS (manual standby)

Shibboleth Identity Provider (UH IdP)
– Used by non-UH apps for federated authentication
– Attribute Release Policy
  Tailored to the minimal requirements.
  Targeted IDs used where possible to protect privacy.
– Federated apps must be registered
  Exception is apps in the Research and Scholarship category.
– Infrastructure
  Identical to CAS

LDAP, Lightweight Directory Access Protocol
– Deprecated for authentication; use CAS
  Exceptions are scrutinized.
  CAS attribute release policy is continually enhanced to mitigate the need.
– Default Attribute Release Policy
  Identical to CAS
  Also subject to the IAM Data Governance Framework

UHIMS Ecosystem Solutions, Authorization Solutions
Grouper
– Addresses the fundamental “is member of” requirement and provides rich logic. For example: Is the person a member of ITS, sits on the 6th floor of the ITC building, is currently taking credit classes, and therefore eligible for a tuition waiver?
– Provides a UI and API.
– Internet2 software, very active project.
– Very popular in the higher ed community.
– A component of TIER

A UH Grouping:
– Is a simple or complex expression of group membership
– Is composed of 3 groups, conceptually: Basis, Include, Exclude
– Has 1 or more Owners
– Has 0 or more Members
– Has properties that an Owner can configure
– Is reusable, can serve multiple purposes
  Application authorization (who can do what)
  LISTSERV list publication (notifications)

A UH Grouping example, UH Hilo discussion list:
– Basis group: all UH Hilo faculty
  Automatically kept current by UHIMS
– Include group: (may be empty)
  Others that would like to participate, such as RCUH employees at UH Hilo.
– Exclude group: (may be empty)
  Those that wish to be left out of the discussions.

Diagram: a UH Grouping composed of Basis, Include and Exclude.

Diagram: UH Grouping. Basis: UHH Faculty. Include: a few RCUH Employees. Exclude: several dissatisfied individuals. Objective: implement a campus mailing list.

What can a UH Grouping be used for?
– LISTSERV List management: no need to manually manage the entire list
– Complex role-based permissions management.
– Opt-in/out services, when members are suitably allowed.
– Any combination of the above (reuse)
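An added example (not UH's code) that models a UH Grouping as the preceding slides describe it: a Basis recomputed from an authoritative registry, an Include, an Exclude, Owners who configure properties, opt-in/out when permitted, and reuse for both the "is member of" question and LISTSERV publication. The registry, the UH Numbers, the `hilo-discuss` grouping and the helper names are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set

# Constructed stand-in for the affiliations UHIMS maintains automatically,
# keyed by UH Number (per the slides, members must have one).
REGISTRY: Dict[str, Set[str]] = {
    "10000001": {"faculty@hilo"},
    "10000002": {"faculty@hilo", "staff@manoa"},
    "10000003": {"staff@rcuh"},
    "10000004": {"faculty@hilo"},
    "10000005": {"student@hilo"},
}


@dataclass
class Grouping:
    name: str
    basis_rule: Callable[[Set[str]], bool]  # evaluated against the registry, never stored
    owners: Set[str]
    include: Set[str] = field(default_factory=set)
    exclude: Set[str] = field(default_factory=set)
    opt_in_allowed: bool = False   # properties an Owner can configure
    opt_out_allowed: bool = False

    def basis(self, registry: Dict[str, Set[str]]) -> Set[str]:
        """Basis is recomputed from the registry, so it is current by construction."""
        return {uh for uh, affs in registry.items() if self.basis_rule(affs)}

    def members(self, registry: Dict[str, Set[str]]) -> Set[str]:
        """Membership is (Basis union Include) minus Exclude; Exclude always wins."""
        return (self.basis(registry) | self.include) - self.exclude

    def is_member(self, uh_number: str, registry: Dict[str, Set[str]]) -> bool:
        return uh_number in self.members(registry)

    def set_property(self, actor: str, prop: str, value: bool) -> None:
        """Only an Owner may change the grouping's properties."""
        if actor not in self.owners:
            raise PermissionError(f"{actor} is not an Owner of {self.name}")
        if prop not in ("opt_in_allowed", "opt_out_allowed"):
            raise ValueError(prop)
        setattr(self, prop, value)

    def opt_out(self, uh_number: str) -> None:
        if not self.opt_out_allowed:
            raise PermissionError("opt-out not enabled by an Owner")
        self.exclude.add(uh_number)

    def opt_in(self, uh_number: str) -> None:
        if not self.opt_in_allowed:
            raise PermissionError("opt-in not enabled by an Owner")
        self.exclude.discard(uh_number)
        self.include.add(uh_number)


def hilo_discussion_list() -> Grouping:
    """The UH Hilo discussion list from the slides: Basis = all UH Hilo
    faculty, Include = an RCUH employee who asked to join, Exclude = opt-outs."""
    g = Grouping("hilo-discuss", lambda affs: "faculty@hilo" in affs, owners={"owner-1"})
    g.include.add("10000003")
    g.set_property("owner-1", "opt_out_allowed", True)
    return g


def listserv_subscribers(g: Grouping, registry: Dict[str, Set[str]],
                         email_of: Callable[[str], str]) -> List[str]:
    """Publication: the grouping that answers 'is member of' also drives the list."""
    return sorted(email_of(uh) for uh in g.members(registry))
```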

UH Grouping limitations?
– Currently, members must have a UH Number.

UHIMS Events:
– UH Person Identity Messages published to the UH Message Broker.
– A convenient way to receive identity, affiliation, and contact information.
– Use for automatically updating on-board application authorization information.

UHIMS Ecosystem Solutions, Decoupling Solutions
UH Message Broker:
– Uses RabbitMQ, an open-source project
  Simple to set up
  Scalable: behind India’s 1.2B person biometric database.
– Separates message producers from message consumers
– Messages are stored in Exchanges

UH Message Broker implementations:
– Banner producer: student enrollment and degree objective information.
– HCC AD consumer: UHIMS Events
– KFS consumer: UHIMS Events
– myGrant consumer: UHIMS Events
– MyUH consumer: UHIMS Events
– SECE producer: SECE events
– UHIMS consumer: Banner & SECE events
– UHIMS producer: UHIMS Events
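An added example (not the UH Message Broker's own code) that models the producer and consumer topology listed above with a small in-memory exchange, to show why brokering decouples the two sides. It is a simplified stand-in for RabbitMQ routing (glob patterns instead of RabbitMQ's binding syntax); the exchange names, routing keys, queue names and payloads are constructed.

```python
from collections import defaultdict
from fnmatch import fnmatchcase
from typing import Any, Dict, List, Tuple


class Broker:
    """An exchange routes each message to every queue whose binding pattern
    matches the routing key; each consumer reads only its own queue."""

    def __init__(self) -> None:
        self.bindings: Dict[str, List[Tuple[str, str]]] = defaultdict(list)
        self.queues: Dict[str, List[Tuple[str, Any]]] = defaultdict(list)

    def bind(self, exchange: str, pattern: str, queue: str) -> None:
        self.bindings[exchange].append((pattern, queue))

    def publish(self, exchange: str, routing_key: str, payload: Any) -> int:
        """The producer names only the exchange and routing key. It never
        learns which consumers exist, so a consumer can be added (a new
        binding) without any change to the producer. Returns deliveries."""
        delivered = 0
        for pattern, queue in self.bindings[exchange]:
            if fnmatchcase(routing_key, pattern):
                self.queues[queue].append((routing_key, payload))
                delivered += 1
        return delivered

    def consume(self, queue: str) -> List[Tuple[str, Any]]:
        msgs, self.queues[queue] = self.queues[queue], []
        return msgs


def build_uhims_topology() -> Broker:
    b = Broker()
    # UHIMS consumes Banner and SECE events ...
    b.bind("banner", "student.*", "uhims.in")
    b.bind("sece", "employee.*", "uhims.in")
    # ... and produces UHIMS Events that several applications consume.
    for app in ("hcc-ad", "kfs", "mygrant", "myuh"):
        b.bind("uhims", "person.*", app + ".in")
    return b


def run_demo() -> Tuple[int, Dict[str, int], int]:
    """Constructed flow: two source events reach UHIMS, which republishes a
    person identity message; returns (events UHIMS read, deliveries per
    person message, messages KFS received)."""
    b = build_uhims_topology()
    b.publish("banner", "student.enrollment",
              {"uhNumber": "10000001", "degreeObjective": "BA"})
    b.publish("sece", "employee.hire", {"uhNumber": "10000002"})
    inbound = b.consume("uhims.in")
    fanout: Dict[str, int] = {}
    for key, payload in inbound:
        fanout[payload["uhNumber"]] = b.publish(
            "uhims", "person.affiliationChanged",
            {"uhNumber": payload["uhNumber"], "source": key})
    return len(inbound), fanout, len(b.consume("kfs.in"))
```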

Ecosystem Enhancements Under Way, months
Multifactor Authentication
– Initially for faculty, staff (students later)
UH Message Broker Infrastructure
– Clustering for high availability
CAS/Shib Infrastructure
– Shib support for the CAS protocol
– Clustering for high availability
IAM Data Element Dictionary additions
– uhScopedHomeOrg (primary campus, Banner/PS)
– uhMemberOfGrouping (advanced AuthZ)
UH Groupings UI improvements

UHIMS Dreams & Blue Sky Visions
Multifactor Authentication
– To protect all of our servers, inside and outside the data center.
– As a requirement for all of our Admin apps.
– As an opt-in service for the entire UH community.

UH Groupings used ubiquitously
– Comprehensive use of custom and automatic groups
– Comprehensive enterprise-wide audit reports revealing who has access to what.
– Automated enterprise provisioning/deprovisioning across all (applicable) apps.
– Very easy to use for IT staff and users.

UH Groupings, more publication destinations:
– LDAP groups
– Laulima groups
– Google groups
– The exclusive LISTSERV list management mechanism (as a capability).

Hands-on App Developer Workshops
– CAS Authentication, externalized AuthN
– UH Groupings, externalized AuthZ
– UH Message Broker, messaging/decoupling
– UHIMS Events

ACER Integration
– A full-function Acknowledgements and Certifications management solution.
– System-wide online General Confidentiality Notices acceptance assertions.
– System-wide online criminal background check assertions.
– ACER enforcement for app access Authorizations.

Personal Profile Management
– View access to directory information.
– Ability to change select directory information as needed.
– Access to Group memberships.
– Ability to opt-in/out of Groups as permitted.
– Access to attribute release policies.
– Ability to opt-in/out of attribute release policies as permitted.

For the Pragmatic, the UHIMS Ecosystem Michael Hodges ITS, Identity and Access Management University of Hawaii ©