June 10-15, 2012 Growing Community; Growing Possibilities Kevin Muller, Fordham University Bill Thompson, Unicon

Identity & Access Management Background 2012 Jasig Sakai Conference2

 History ◦ 2007: Selected the Sun Identity Manager for IAM ◦ 2008: Launched the university portal, Luminis  Sun IdM was integrated with Sungard’s Banner ERP to actively provision and synchronize accounts  Sun IdM was integrated via links on the Luminis portal login page, to provide for account claiming and password management  Luminis portal authenticated against the Sun Idm LDAP, but replicated and stored password information into Luminis upon login  Luminis keeps certain additional authentication data, for use with single sign-on processing 2012 Jasig Sakai Conference3

 History (cont’d) ◦ 2009: Efforts began to migrate to & leverage native Luminis account claiming, instead of the Sun IdM ◦ 2009: A new LDAP was developed, using replicated information from the Luminis internal LDAP  This effort was delayed, as the SunOne Directory Server version (v5.2) does not support partial replication  It was decided that a full replica would be used instead, so that the project would not be delayed further  The new LDAP schema was extended to include eduPerson attributes 2012 Jasig Sakai Conference4

 History (cont’d) ◦ 2010: Jasig CAS is selected as Fordham’s future single sign-on (SSO) platform ◦ 2011: Fordham partners with Unicon to assist with the installation and support of CAS  CAS is piloted to provide SSO to OrgSync, a student activities portal  CAS is then selected to facilitate portal-initiated SSO to Gmail & Google Apps for the student population ◦ 2012: Fordham partners with Unicon to extend the basic CAS platform to support attribute-based authorization control, in addition to authentication 2012 Jasig Sakai Conference5

Why we decided to extend CAS 2012 Jasig Sakai Conference6

 In 2012, Sungard (now Ellucian) announced efforts to sunset the Luminis IV portal  For several years, their next portal release, Luminis 5, has been delayed and stalled ◦ Therefore, we did not consider Luminis 5 as a reasonable option for Fordham’s migration path ◦ Fordham’s Internet Services team began preliminary design of a portal framework, using a combination of public and secure content  Luminis presents role-based tabbed content ◦ Moving forward, we would seek to secure certain attribute-based content leveraging CAS 2012 Jasig Sakai Conference7

 Old portal, old all-in-one architecture 2012 Jasig Sakai Conference8

 New portal, secured through ABAC CAS 2012 Jasig Sakai Conference9

 Our vision is based upon a hybrid model  Content will be pulled from public, secured, and dynamic secured sources  CAS will be the authentication method, whenever possible  Secured content will be “locked down” to appropriate attribute-based access  Dynamic content will be additionally checked via userid, for finer-grained, ERP-based access control 2012 Jasig Sakai Conference10

 Alumni events are also viewable by the public 2012 Jasig Sakai Conference11

 Alumni events administration is IIS secured 2012 Jasig Sakai Conference12

 Alumni events administration folder and pages will now be controlled by authorized attributes (roles) in the CAS configuration file 2012 Jasig Sakai Conference13

2012 Jasig Sakai Conference Technical Solution ABAC for CAS

2012 Jasig Sakai Conference  As simple as possible  Don’t fork, extend  Easy to configure  Leverage SWF-based login flow  Leverage Person Registry  Implement JSON-based Services Registry Design Goals and Approach

2012 Jasig Sakai Conference State Diagram

2012 Jasig Sakai Conference State Diagram (cont’d)

2012 Jasig Sakai Conference login-flow.xml <end-state id="serviceAuthorizationFailureRedirectView" view="externalRedirect:${requestScope.authorizationFailureRedirectUrl}"/>

2012 Jasig Sakai Conference Like, groovy registry, man :) In-memory data store for the ServiceRegistry that reads the services definition from /etc/cas/servicesRegistry.conf JSON file <lang:groovy id="serviceRegistryDao“ script-source="/WEB-INF/groovy/JsonServiceRegistryDao.groovy“ init-method="init"> <lang:property name="servicesConfigFile" value="file:/etc/cas/servicesRegistry.conf"/> void init() { def mapper = new ObjectMapper() def servicesCollection = mapper.readValue(servicesConfigFile.file, RegisteredServicesCollection.class) this.delegateServiceRegistryDao.registeredServices = servicesCollection.services }

2012 Jasig Sakai Conference { "services":[ { "id":"1", "serviceId":" "name":"GOOGLE", "description":"Test Google service", "evaluationOrder":"1", "extraAttributes":{ "authzAttributes":{ "eduPersonAffiliation":["student_current", "alumni"] }, "unauthorizedRedirectUrl": } { more services...} } servicesRegistry.conf

How has it worked out so far? 2012 Jasig Sakai Conference21

 As with many near-sourced efforts, transition is sometimes tricky ◦ Some coordinated handoff and fine-tuning was necessary for the new ABAC CAS to work as spec’ed  Since then, we have piloted ABAC CAS for: ◦ IIS-hosted secure content ◦ JSP Tomcat-hosted content ◦ And soon… PHP-based content, as well  Plus, we’ve integrated the ABAC CAS security into our future-scape Grails-based, responsive web design initiative 2012 Jasig Sakai Conference22

What worked well? What surprises did we encounter? 2012 Jasig Sakai Conference23

 Out of the box, our only rework was to integrate with our actual LDAP attribute data ◦ Development was performed without access to the LDAP  Grails-based framework integration also posed some interesting challenges ◦ The Ellucian (formerly SungardHE) mobile connect framework was considered CAS-friendly, but in reality, proved difficult to extend ◦ However, the difficulty with integration was NOT specifically related to the ABAC extensions 2012 Jasig Sakai Conference24

Questions, comments, suggestions… 2012 Jasig Sakai Conference25

Contact info: Kevin – Bill – 2012 Jasig Sakai Conference26