WebISO Survey of Technologies & Requirements. Nathan Dors, University of Washington. CAMP, June 4-6, 2003. Copyright 2003 Nathan Dors.

Presentation transcript:

WebISO Survey of Technologies & Requirements Nathan Dors University of Washington CAMP, June 4-6, 2003 Copyright 2003 Nathan Dors. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

CAMP - June 4-6
Talk Overview
Use scenarios
Requirements
Architectures
Target-side models
Available packages
WebISO “service” deployment issues
WebISO case study & numbers

Use Scenarios
An employee uses the campus portal to access her benefits information and to post her vacation dates on her online calendar, both in the same web browsing session.
During a break, a student at the union building uses a public terminal to check his web-based email and review his course schedule.

Use Scenarios++
A library patron uses a public kiosk computer to browse resources provided by the university. Entitlements may be based on physical presence as well as affiliation.
A doctor who is on faculty sets up a web-based quiz for a course and then reviews online patient information. The latter requires more rigorous means of authentication.

Use Scenarios extreme
A law student attempts to browse a licensed database of legal extracts on an external vendor’s website. The vendor and university are both piloting Shibboleth for inter-realm authorization.

We Deduce That…
The primary use environment is the Web
Interesting uses require authentication
But a few uses may not
Multi-tasking is common among users
Many uses are beyond central IT control
We need a security framework for web-based authentication!

Defining WebISO
WebISOs are systems designed to allow users, with standard Web browsers, to authenticate to web-based services across many Web servers, using a standard (typically username/password-based) central authentication service.

WebISO Goals
Provide organization-wide authn infrastructure
Expand middleware deployment
Establish a common level of security
Centralize authentication services
Normalize authentication practices
–For applications
–For end users

WebISO Requirements
Secure
Usable
Scalable
Dependable
Deployable
Comprehensible
Extensible
Supportable
Flexible
Affordable

WebISO Requirements++
Work with standard Web browsers
Leverage central authentication services
Reduce exposure of user passwords
Support single sign-on user experience
Integrate with common app frameworks
Deliver authentication info to applications

WebISO Requirements extreme
Provide multi-tiered authentication
Solve inter-institutional sign-on

Integration Requirements
Static web sites
Legacy applications
Open Source applications
No-source applications
Non-web-based applications

Architecture: Components
Authentication service
Weblogin service
–Web front-end to authn service
–Makes authn assertions
Web application agent (WAA)
–WebISO integration layer
–Receives and digests assertions
Web application
Web browser

Architecture: Messaging
How is the assertion made, exactly?
Methods
–SAML POST browser profile
–Artifacts put in the URLs
–Sent in cookies
–Back-channel service-to-service calls
Formats
–Many unique formats
–Convergence toward SAML format?

Sequence I: Direct Assertion

Sequence II: Back Channel

Architecture: Challenges
Multi-tier scenarios (Source: Andrew Newman, Yale University)
–Impersonation: mid-tier pretends to be the user
–Delegation: unauthenticated mid-tier presents credentials on behalf of the user
–Proxy: fully authenticated mid-tier asserts credentials (the user’s and its own)
–Or, if need be, “whatever works”
Session management
Global logout

Target-side (WAA) Models
Container-based approach
–Apache module
–Java servlet filter
–ISAPI filter
Code library (API) approach

WAA Container-based Approach
Pros
–Supports many languages at once
–No WebISO code in apps
–REMOTE_USER is standard-ish
–Encourages consistent practices
Cons
–Clunky and inflexible to some developers

WAA Code Library Approach
Pros
–More flexible for developers
–Better control of application flow
–Web server independent
Cons
–Maintenance concerns
–Less normalizing
–Static content needs a shim

But What Do Applications Get From a WebISO System?
Authentication information
–A principal: userid or email address
–Authentication type?
–Last authenticated info?
–SSO lifetime info?
Additional attributes?
–Sometimes, yes
–In the wild, WebISOs do many things
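As an added example (not from these slides nor from any package named here), the two assertion sequences and the authentication information discussed above, simulated in Python: the weblogin service issues an HMAC-signed direct assertion for the cookie case and an opaque, single-use artifact for the back-channel case, and the WAA verifies what it receives before handing the principal, authentication type, last-authenticated time and SSO lifetime to the application. The shared secret, claim names and lifetime are constructed assumptions.

```python
import base64, hashlib, hmac, json, secrets, time

# Constructed shared secret between the weblogin service and one WAA (placeholder).
WAA_SECRET = b"constructed-demo-secret-not-for-production"
SSO_LIFETIME = 8 * 3600   # seconds an assertion stays usable (constructed value)
_artifacts = {}           # weblogin-side store for unresolved back-channel artifacts


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode()

# --- weblogin service side ---------------------------------------------------
def make_assertion(principal, authn_type, now=None):
    """Sequence I (direct assertion): the authn info an application gets,
    serialised and HMAC-signed so a WAA can verify it straight from a cookie."""
    now = int(time.time() if now is None else now)
    body = json.dumps({"sub": principal, "type": authn_type, "auth_time": now,
                       "exp": now + SSO_LIFETIME}, separators=(",", ":")).encode()
    tag = hmac.new(WAA_SECRET, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(tag)

def issue_artifact(principal, authn_type, now=None):
    """Sequence II (back channel): the browser carries only an opaque, single-use
    artifact in the URL; the assertion stays server-side until the WAA asks."""
    art = secrets.token_urlsafe(16)
    _artifacts[art] = make_assertion(principal, authn_type, now)
    return art

def resolve_artifact(art):
    """Service-to-service call from the WAA: redeem once, then forget."""
    return _artifacts.pop(art, None)

# --- WAA (web application agent) side ----------------------------------------
def verify_assertion(token, now=None):
    """Digest an assertion; returns its claims, or None if forged or expired."""
    now = int(time.time() if now is None else now)
    try:
        body_b64, tag_b64 = token.split(".")
        body = base64.urlsafe_b64decode(body_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except (ValueError, TypeError, AttributeError):
        return None
    expected = hmac.new(WAA_SECRET, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None            # tampered, or signed for a different WAA
    claims = json.loads(body)  # parsed only after the signature checks out
    if now >= claims["exp"]:
        return None            # SSO lifetime exceeded; send the user back to weblogin
    return claims
```

A real deployment would also bind the assertion to the requesting server and replay-protect it, which this simulation leaves out.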

WebISO Software
Pubcookie (Open Source project)
CAS (Yale)
Cosign (Michigan)
Shibboleth (Internet2)
Many others…
–A-Select
–Bluestem
–Sun ONE Identity Server

Supporting Your Local WebISO
What do you need beyond the software?
What are the technology management issues?
What makes your WebISO system into a campus WebISO “service”?

WebISO “Service” Components
WebISO system infrastructure
Service level agreement & description
–Internal, for your own good
–Public, to set expectations
Sysadmin/developer support
–Installation guides
–Policy & use guidelines, best practices
–Where’s the authorization?
End-user support/education
Web design & usability testing

WebISO “Service” Management
Use Policy Examples
–Who can use the service?
–When is it okay to override SSO?
–Application design standards (e.g. logout buttons, language usage, other best practices)
–Recommended session timeouts
Privacy & Security
–University Policy on Privacy
–Logging of authn/identity info (HIPAA, FERPA implications)
–Auditability

WebISO “Service” Management Cont.
Growth Issues
–Campus growth, outreach, and new affiliations expand underlying authentication services
–Guest accounts and other exceptions too
Growth Implications for WebISO services
–Must plan for additional server capacity
–Must communicate that AuthN is not AuthZ!!
–Pressure for more AuthZ services

Case Study: UWash
Central authn: Kerberos V, SecurID
WebISO system: Pubcookie (pre-3.0 currently)
Core team “roles”
–Sponsor
–Overseer (Internet Architect)
–Project Manager
–Evangelist
–Developers (2)
–Hard to add up FTEs
Others
–sysadmins, support staff, usability engineers, writers

UWash: Weblogin stats
~77,000 authentications per day
1.9 apps per authentication (SSO usage)
210 participating application servers
41 participating departments
350+ enabled applications

UWash: Interesting Apps
Integrated portal
webmail
employee self-service
student services (registration, etc.)
Catalyst learning-management system
wireless access
faculty/staff/student/dept/course web servers
hiring/payroll processing
JPMorgan for procurement/travel cards
ealumni.com for student/alum mentoring

The End
For more information and to participate in the discussion