For the Pragmatic, the UHIMS Ecosystem (for Identity and Access Management)
Michael Hodges, ITS, Identity and Access Management, University of Hawaii © 2015

Presentation transcript:

1 For the Pragmatic, the UHIMS Ecosystem (for Identity and Access Management)
Michael Hodges, ITS, Identity and Access Management, University of Hawaii

2 What to talk about today?
– What is Pragmatic Programming?
– The UHIMS Ecosystem
– UHIMS Ecosystem Solutions
– Ecosystem Enhancements Under Way
– UHIMS Dreams and Blue Sky Visions
– Looking ahead, UH joins Internet2's TIER

3 What is Pragmatic Programming?
– A book: "The Pragmatic Programmer: From Journeyman to Master"
– A mindset that will help you:
  – Keep it DRY
  – KISS better
  – Decouple by design
  – Minimize technical debt
  – Future-proof apps

4 What is Pragmatic Programming? Keep it DRY
– Don't Repeat Yourself, a design principle: write code once, reference it as needed.
– Don't reinvent the wheel, if possible.
– Leverage UHIMS solutions that fit your needs (it will be well worth the learning curve).
– DRY requires good planning.


6 What is Pragmatic Programming? KISS better
– Keep It Simple and Short, a design principle.
– Small, simple software subcomponents reduce complexity and are easier to manage.
– Create only the subcomponents that you must create; keep your custom code footprint as small as possible.
– Embrace integration, leverage existing solutions.


8 What is Pragmatic Programming? Decouple by design
– Utilize message brokering:
  – Increase availability/uptime
  – Increase flexibility
– Conceptualize apps as message producers and message consumers.

9 What is Pragmatic Programming? Decouple by design (diagram slide; no text beyond the title)


11 What is Pragmatic Programming? Minimize technical debt
– Technical debt: the things you should have taken care of in your code but didn't, e.g. deferred features, deferred documentation, deferred regression tests, performance, etc.
– Software entropy (a related concept):
  – Unaddressed technical debt increases software entropy.
  – Software that is used will be modified.
  – Modified software increases in complexity (unless successfully refactored).

12 What is Pragmatic Programming? A mindset that will help you
– Keep it DRY
– KISS better
– Decouple by design
– Minimize technical debt
– Exceed expectations
– Future-proof apps

13 What is Pragmatic Programming? Future-proof (one must try)
– Align with the expanding UHIMS Emerging Group/Authorization management practices:
  – Emerging 2nd-factor authentication options.
  – Future end-user profile management.
  – Future attribute release consent options.
– Leverage the work of other project teams:
  – College of Ed's WordPress plugin, Authorizer.
  – Bursar's hosted eCommerce solution.
  – Internet2 community.
– Anticipate TIER, an Internet2 IAM project:
  – TIER: Trust and Identity in Education and Research.
  – Includes: Certs, Assurance, MFA, Shib, Grouper, COmanage, eduPerson, eduOrg, MACE Registries, IAM for higher ed.

14 What is Pragmatic Programming? Practical Pragmatic Examples
– Report writing: output data to a CSV file for import to Excel.
– CAS for authentication.
– CAS attributes for authorization.
– UH Groupings for authorization, anywhere the "is member of" question comes up.
– UH Message Broker to separate apps that publish (liberate) information from apps that consume it.

15 The UHIMS Ecosystem: a non-chronological review of the development of the UHIMS Ecosystem

16–17 UHIMS Ecosystem (circa 2015), University of Hawaii © 2015, TI-SYS-IAM, revised 03/11/2015 (diagram; only the labels survive). Slide 17 adds the UHIMS Person Registry at the center.
– Systems of Record: Banner, PS HR, RCUH, SECE, KFS, MyGrant
– Flows into the registry: Person Directory Updates, Admin Updates, Person Events
– UHIMS Person Registry
– Directory Services
– AuthN/Z Services
– Applications

18 The UHIMS Ecosystem: the roles UHIMS aggregates
– staff.civilService, staff.executive, staff.apt, staff.casual, staff.overload, staff.noDetails, staff.nonCompensated
– faculty.communityCollege, faculty.university, faculty.medical, faculty.researcher, faculty.specialist, faculty.countyAgent, faculty.librarian, faculty.law, faculty.emeritus, faculty.overload, faculty.noDetails, faculty.courseInstructor, faculty.lecturer, faculty.teachingAssistant, faculty.researchAssistant
– studentEmployee.workStudy, studentEmployee.studentHire
– student.graduate.law, student.graduate.medical, student.graduate.noDetails
– student.undergraduate.noDetails
– student.other.apprenticeship, student.other.continuingEducation, student.other.postBaccalaureate, student.other.professional, student.other.vocational, student.other.undeclared
– nonCreditStudent.noDetails, nonCreditStudent.etc
– preStudent.noDetails, preStudent.accepted, preStudent.applicant
– ohana
– retiree
– other

19–26 UHIMS Ecosystem (circa 2015), built up one layer per slide (diagram; only the labels survive). The complete picture on slide 26:
– Systems of Record: Banner, PS HR, RCUH, SECE, KFS, MyGrant
– Flows into the registry: Person Directory Updates, Admin Updates, Person Events
– UHIMS Person Registry
– Directory Services: LDAP (389DS), Grouper AuthZ, UH Groupings, AD (AuthN only)
– AuthN/Z Services: CAS3 AuthN, Shib IdP AuthN, RADIUS AuthN
– Applications: Web Apps (registered), Web Apps (federated), Google @ UH, Campus Wireless, Campus AD domains, LISTSERV lists, UHIMC, ACER, VIA, BMT, WPMS, API, Campus OneCard
– Msg Broker [exchanges], with Message Producers (PR) and Message Consumers (CON) attached to the registry and to the applications
Order of appearance: the registry (slide 19); LDAP, RADIUS and CAS3 with campus wireless and registered web apps (20); Shib IdP, Google @ UH and federated web apps (21); the message broker (22); LISTSERV, Grouper and UH Groupings (23); ACER (24); Campus OneCard (25); AD and the campus AD domains (26).

27 UHIMS Ecosystem Solutions
– Authentication Solutions: CAS, Shibboleth, LDAP
– Authorization Solutions: ACER, Grouper, UH Groupings and the UH Group Store, UHIMS Events
– Decoupling Solutions: UH Message Broker

28 UHIMS Ecosystem Solutions, Authentication Solutions: CAS (Central Authentication Service)
– Used by UH apps for authentication.
– Default Attribute Release Policy:
  – UH Data Governance policies apply (E2.215).
  – IAM and the Data Governance Committee (DGC) have created SOPs for standard requests.
  – Non-standard requests, such as for hosted apps, must first be approved by the DGC.
  – https://www.hawaii.edu/bwiki/display/UHIAM/CAS+Default+Attribute+Release+Policy
  – http://www.hawaii.edu/uhdatagov/

29 UHIMS Ecosystem Solutions, Authentication Solutions: CAS (Central Authentication Service)
– Attributes useful for authorization (example values):
  – eduPersonAffiliation: faculty
  – eduPersonOrgDN: kauaicc
  – uhOrgAffiliation: eduPersonOrgDn=kauaicc,eduPersonAffiliation=faculty
  – uhAcknowledgement: generalConfidentialityNotice=20141231T000000
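The slide lists the attributes but not how an application should combine them. The example below is added here and is not UH code: it takes the four attribute names from slide 29 and turns them into an allow/deny decision, using the paired uhOrgAffiliation value rather than the two flat attributes (which lose the pairing between campus and role), and treating the confidentiality-notice acknowledgement as a dated condition that fails closed. The attribute values, the uid values, the "kauaicc"/"manoa" org names and the notice cutoff dates are constructed for illustration; whether the UH CAS release policy delivers exactly these values to a given app is an assumption.

```python
"""Authorization from CAS-released attributes (added example, not UH code)."""
from datetime import datetime

ACK_TIMESTAMP_FORMAT = "%Y%m%dT%H%M%S"  # matches 20141231T000000 on slide 29


def parse_kv(value):
    """Parse 'k1=v1,k2=v2' into a dict with lower-cased keys.

    The slide spells the key both eduPersonOrgDN and eduPersonOrgDn, so keys
    are compared case-insensitively. Items without '=' are ignored.
    """
    pairs = {}
    for item in value.split(","):
        key, sep, val = item.partition("=")
        if sep:
            pairs[key.strip().lower()] = val.strip()
    return pairs


def org_affiliations(attrs):
    """Set of (org, affiliation) pairs carried by the multi-valued uhOrgAffiliation."""
    pairs = set()
    for raw in attrs.get("uhOrgAffiliation", []):
        kv = parse_kv(raw)
        org, aff = kv.get("edupersonorgdn"), kv.get("edupersonaffiliation")
        if org and aff:
            pairs.add((org.lower(), aff.lower()))
    return pairs


def acknowledged_since(attrs, notice, not_before):
    """True if uhAcknowledgement records `notice` at or after `not_before`.

    An unparseable timestamp counts as not acknowledged (fail closed).
    """
    for raw in attrs.get("uhAcknowledgement", []):
        stamp = parse_kv(raw).get(notice.lower())
        if stamp is None:
            continue
        try:
            when = datetime.strptime(stamp, ACK_TIMESTAMP_FORMAT)
        except ValueError:
            continue
        if when >= not_before:
            return True
    return False


def authorize(attrs, org, affiliations, notice, notice_not_before):
    """Allow only a user holding one of `affiliations` *at* `org` who has
    acknowledged `notice` on or after `notice_not_before`."""
    wanted = {a.lower() for a in affiliations}
    if not any(o == org.lower() and a in wanted for o, a in org_affiliations(attrs)):
        return False, "no matching uhOrgAffiliation"
    if not acknowledged_since(attrs, notice, notice_not_before):
        return False, "notice not acknowledged, or acknowledgement predates cutoff"
    return True, "ok"


def naive_is_affiliated(attrs, org, affiliation):
    """The tempting shortcut: test the two flat attributes separately.

    It cannot tell 'faculty at kauaicc' from 'staff at kauaicc plus faculty
    elsewhere', because the pairing is lost. Kept only to contrast with authorize().
    """
    return (org in (v.lower() for v in attrs.get("eduPersonOrgDN", []))
            and affiliation in (v.lower() for v in attrs.get("eduPersonAffiliation", [])))


# Constructed sample: faculty at Kauai CC, staff at Manoa, notice acknowledged.
KAUAICC_FACULTY = {
    "uid": ["jdoe"],
    "eduPersonAffiliation": ["faculty", "staff"],
    "eduPersonOrgDN": ["kauaicc", "manoa"],
    "uhOrgAffiliation": ["eduPersonOrgDn=kauaicc,eduPersonAffiliation=faculty",
                         "eduPersonOrgDn=manoa,eduPersonAffiliation=staff"],
    "uhAcknowledgement": ["generalConfidentialityNotice=20141231T000000"],
}
# Constructed sample: the reverse pairing, staff at Kauai CC and faculty at Manoa.
KAUAICC_STAFF = {
    "uid": ["rroe"],
    "eduPersonAffiliation": ["faculty", "staff"],
    "eduPersonOrgDN": ["kauaicc", "manoa"],
    "uhOrgAffiliation": ["eduPersonOrgDn=kauaicc,eduPersonAffiliation=staff",
                         "eduPersonOrgDn=manoa,eduPersonAffiliation=faculty"],
    "uhAcknowledgement": ["generalConfidentialityNotice=20141231T000000"],
}
NOTICE_CUTOFF = datetime(2014, 1, 1)       # assumed: the 2014 notice text is current
NEXT_NOTICE_CUTOFF = datetime(2015, 1, 1)  # assumed: a revised notice everyone must re-accept

if __name__ == "__main__":
    for person in (KAUAICC_FACULTY, KAUAICC_STAFF):
        strict = authorize(person, "kauaicc", ["faculty"], "generalConfidentialityNotice", NOTICE_CUTOFF)
        print(person["uid"][0], "strict:", strict, "naive:", naive_is_affiliated(person, "kauaicc", "faculty"))
```

The second sample is the case to remember: the naive check accepts rroe as Kauai CC faculty because "kauaicc" and "faculty" both appear somewhere in the flat lists, while the paired attribute shows rroe is staff there. Acknowledgement timestamps are compared against a cutoff so that a republished notice forces re-acceptance instead of honouring an old click forever.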

30 UHIMS Ecosystem Solutions, Authentication Solutions: CAS (Central Authentication Service)
– Web app registration form (app URLs must be registered): https://www.hawaii.edu/bwiki/display/UHIAM/Web+App+Registration+Form
– Developer documentation: https://www.hawaii.edu/bwiki/display/UHIAM/CAS3+Developer+Documentation

31 UHIMS Ecosystem Solutions, Authentication Solutions: CAS infrastructure (diagram)
– A load balancer with health checks in front of CAS (active) and CAS (hot standby); a further CAS (manual standby) sits outside the balancer.

32 UHIMS Ecosystem Solutions, Authentication Solutions: Shibboleth Identity Provider (UH IdP)
– Used by non-UH apps for federated authentication.
– Attribute release policy: tailored to the minimal requirements; targeted IDs used where possible to protect privacy.
– Federated apps must be registered; the exception is apps in the Research and Scholarship category.
– Infrastructure: identical to CAS.
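Slide 32 says targeted IDs are released to protect privacy; the example below, added here and not UH code, shows what that buys. It implements the classic Shibboleth IdP "computedId" recipe, Base64(SHA-1(SP entityID + "!" + source identifier + "!" + secret salt)): each service provider gets an identifier for the user that is stable across logins but differs from every other SP's, so two SPs cannot pool their user tables. Whether the UH IdP uses this particular data connector, and the entityIDs, user ids and salt below, are assumptions for illustration.

```python
"""Pairwise (targeted) identifiers for federated apps (added example, not UH code)."""
import base64
import hashlib
import hmac

# Constructed values; a real salt is a long random secret that never leaves the IdP.
IDP_ENTITY_ID = "https://idp.example.edu/idp/shibboleth"
SALT = b"replace-with-a-long-random-secret-kept-on-the-idp"


def computed_id(sp_entity_id: str, source_id: str, salt: bytes = SALT) -> str:
    """Base64(SHA-1(sp_entity_id + '!' + source_id + '!' + salt)).

    SHA-1 is used as a one-way derivation here; the SP cannot invert it, and
    without the salt it cannot brute-force an enumerable uid space either.
    """
    material = sp_entity_id.encode("utf-8") + b"!" + source_id.encode("utf-8") + b"!" + salt
    return base64.b64encode(hashlib.sha1(material).digest()).decode("ascii")


def targeted_id(sp_entity_id: str, source_id: str, salt: bytes = SALT,
                idp_entity_id: str = IDP_ENTITY_ID) -> str:
    """eduPersonTargetedID in its scoped string form: idp!sp!value.

    The value is only meaningful together with the IdP and SP qualifiers, so
    carry all three; the SP entityID is part of the hash input, so renaming an
    SP silently issues everyone a new identity there.
    """
    return f"{idp_entity_id}!{sp_entity_id}!{computed_id(sp_entity_id, source_id, salt)}"


def same_user(sp_entity_id: str, source_id: str, presented: str, salt: bytes = SALT) -> bool:
    """Constant-time check that `presented` is source_id's targeted ID at this SP."""
    expected = targeted_id(sp_entity_id, source_id, salt)
    return hmac.compare_digest(expected.encode("utf-8"), presented.encode("utf-8"))


if __name__ == "__main__":
    for sp in ("https://sp1.example.org/shibboleth", "https://sp2.example.org/shibboleth"):
        print(sp, "->", targeted_id(sp, "jdoe"))
```

The two printed identifiers belong to the same person and share no recoverable relationship; only the IdP, holding the salt, can link them. The flip side is operational: the salt is now identity-critical material, since rotating it re-keys every account at every SP, and losing it to an attacker lets anyone who can guess uids link accounts across SPs.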

33 UHIMS Ecosystem Solutions, Authentication Solutions: LDAP (Lightweight Directory Access Protocol)
– Deprecated for authentication; use CAS. Exceptions are scrutinized, and the CAS attribute release policy is continually enhanced to reduce the need.
– Default attribute release policy: identical to CAS, and also subject to the IAM Data Governance Framework.

34 UHIMS Ecosystem Solutions, Authorization Solutions: Grouper
– Addresses the fundamental "is member of" requirement and provides rich logic. For example: is the person a member of ITS, sitting on the 6th floor of the ITC building, currently taking credit classes, and therefore eligible for a tuition waiver?
– Provides a UI and an API.
– Internet2 software, very active project.
– Very popular in the higher ed community.
– A component of TIER.

35 UHIMS Ecosystem Solutions, Authorization Solutions: A UH Grouping
– Is a simple or complex expression of group membership.
– Is composed of 3 groups, conceptually: Basis, Include, Exclude.
– Has 1 or more Owners.
– Has 0 or more Members.
– Has properties that an Owner can configure.
– Is reusable, can serve multiple purposes: application authorization (who can do what), LISTSERV list publication (email notifications).

36 UHIMS Ecosystem Solutions, Authorization Solutions: A UH Grouping example, UH Hilo email discussion list
– Basis group: all UH Hilo faculty, automatically kept current by UHIMS.
– Include group (may be empty): others who would like to participate, such as RCUH employees at UH Hilo.
– Exclude group (may be empty): those who wish to be left out of the discussions.

37 UHIMS Ecosystem Solutions, Authorization Solutions: UH Grouping (diagram: Basis, Include, Exclude)

38 UHIMS Ecosystem Solutions, Authorization Solutions: UH Grouping (diagram). Objective: implement a campus mailing list. Basis: UHH Faculty; Include: a few RCUH employees; Exclude: several dissatisfied individuals.

39 UHIMS Ecosystem Solutions, Authorization Solutions: What can a UH Grouping be used for?
– Email LISTSERV list management: no need to manually manage the entire list.
– Complex role-based permissions management.
– Opt-in/opt-out services, when members are suitably allowed.
– Any combination of the above (reuse).

40 UHIMS Ecosystem Solutions, Authorization Solutions: UH Grouping limitations
– Currently, members must have a UH Number.
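Slides 35 through 40 describe a UH Grouping in words; the example below, added here and not UH or Grouper code, makes the semantics concrete: effective membership is (Basis ∪ Include) − Exclude, Exclude wins over everything, only Owners edit Include/Exclude unless the opt-in/opt-out properties allow self-service, the Basis is replaced wholesale when UHIMS recomputes it, and every member must carry a UH Number. The UH Numbers, the 8-digit format assumed for them, the owner/opt-in rules and the LISTSERV delta helper are assumptions for illustration; the scenario is the UH Hilo list from slides 36 and 38.

```python
"""UH Grouping semantics: (Basis | Include) - Exclude (added example, not UH code)."""
import re

UH_NUMBER = re.compile(r"^\d{8}$")  # assumed format of a UH Number


def require_uh_number(value):
    """Groupings can only hold people who have a UH Number (slide 40)."""
    if not isinstance(value, str) or not UH_NUMBER.match(value):
        raise ValueError(f"not a UH Number: {value!r}")
    return value


class Grouping:
    def __init__(self, name, owners, basis=(), include=(), exclude=(),
                 opt_in=False, opt_out=False):
        self.name = name
        self.owners = {require_uh_number(o) for o in owners}         # 1 or more
        self.basis = {require_uh_number(m) for m in basis}           # kept current by UHIMS
        self.include = {require_uh_number(m) for m in include}       # owner-managed
        self.exclude = {require_uh_number(m) for m in exclude}       # owner-managed
        self.opt_in = opt_in      # properties an Owner can configure (slide 35)
        self.opt_out = opt_out

    def members(self):
        """Effective membership; Exclude wins over both Basis and Include."""
        return (self.basis | self.include) - self.exclude

    def is_member(self, uh_number):
        """The 'is member of' question every application asks."""
        return uh_number in self.members()

    def sync_basis(self, new_basis):
        """UHIMS recomputed the automatic basis (e.g. a faculty appointment ended).

        Include and Exclude are untouched, so a stale Include entry keeps a
        person in after they have left the basis: audit Include regularly.
        """
        self.basis = {require_uh_number(m) for m in new_basis}

    def _authorize_change(self, actor, subject, self_service_allowed):
        if actor in self.owners or (self_service_allowed and actor == subject):
            return
        raise PermissionError(f"{actor} may not change {self.name} for {subject}")

    def add_include(self, actor, subject):
        self._authorize_change(actor, subject, self.opt_in)
        self.include.add(require_uh_number(subject))
        self.exclude.discard(subject)  # an opt-in cancels an earlier opt-out

    def add_exclude(self, actor, subject):
        self._authorize_change(actor, subject, self.opt_out)
        self.exclude.add(require_uh_number(subject))


def listserv_delta(published, current):
    """What to send to the list server: (subscribe, unsubscribe) sets."""
    return current - published, published - current


# Constructed scenario from slides 36/38: UH Hilo campus mailing list.
UHH_FACULTY = {"10000001", "10000002", "10000003"}   # basis, fed by UHIMS
RCUH_AT_HILO = {"20000001"}                           # include
DISSATISFIED = {"10000003"}                           # exclude
LIST_OWNER = "30000001"

uhh_list = Grouping("uhh-faculty-l", owners={LIST_OWNER}, basis=UHH_FACULTY,
                    include=RCUH_AT_HILO, exclude=DISSATISFIED, opt_out=True)

if __name__ == "__main__":
    print("members:", sorted(uhh_list.members()))
    print("to listserv:", listserv_delta(set(), uhh_list.members()))
```

Two behaviours are worth noticing. A person in both Include and Exclude is out, so a one-off "add them back" must clear the exclusion rather than add a second include. And because Include survives a basis resync, the automatic deprovisioning the basis gives you does not extend to manually included members; that is the place to look during access reviews.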

41 UHIMS Ecosystem Solutions, Authorization Solutions: UHIMS Events
– UH Person Identity Messages published to the UH Message Broker.
– A convenient way to receive identity, affiliation, and contact information.
– Use for automatically updating on-boarded applications' authorization information.

42 UHIMS Ecosystem Solutions, Decoupling Solutions: UH Message Broker
– Uses RabbitMQ, an open-source project.
– Simple to set up.
– Scalable: it sits behind India's 1.2B-person biometric database.
– Separates message producers from message consumers.
– Producers publish messages to Exchanges, which route them to the queues bound to those exchanges; consumers read from the queues. A message that reaches an exchange with no matching queue binding is discarded, so consumers must declare and bind their queues before the producer starts.

43 UHIMS Ecosystem Solutions, Decoupling Solutions: UH Message Broker implementations
– Banner producer: student enrollment and degree objective information.
– HCC AD consumer: UHIMS Events.
– KFS consumer: UHIMS Events.
– myGrant consumer: UHIMS Events.
– MyUH consumer: UHIMS Events.
– SECE producer: SECE events.
– UHIMS consumer: Banner and SECE events.
– UHIMS producer: UHIMS Events.
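Slides 8, 41, 42 and 43 all rest on the same mechanism: a producer publishes to an exchange with a routing key and never learns who consumes; queues bound to the exchange receive copies; consumers drain their queues on their own schedule. The example below is added here and is not UH code: it is an in-memory stand-in for RabbitMQ's topic-exchange semantics (no broker needed to run it), with a UHIMS-style producer and a KFS-style consumer that keeps its own authorization cache current from the events. The exchange and queue names, routing keys and the event payload shape are constructed for illustration; against the real UH Message Broker the same roles would be played by a RabbitMQ client such as pika.

```python
"""Producer/consumer decoupling with topic-exchange routing (added example, not UH code)."""
from collections import deque


def topic_match(pattern, routing_key):
    """RabbitMQ topic rules: '*' matches exactly one dot-separated word, '#' zero or more."""
    def go(p, k):
        if not p:
            return not k
        if p[0] == "#":
            return any(go(p[1:], k[i:]) for i in range(len(k) + 1))
        return bool(k) and p[0] in ("*", k[0]) and go(p[1:], k[1:])
    return go(pattern.split("."), routing_key.split("."))


class Broker:
    def __init__(self):
        self.bindings = {}   # exchange -> list of (pattern, queue name)
        self.queues = {}     # queue name -> deque of (routing_key, body)
        self.unroutable = 0  # published with no matching queue: dropped, as RabbitMQ does

    def bind(self, queue, exchange, pattern):
        self.bindings.setdefault(exchange, []).append((pattern, queue))
        self.queues.setdefault(queue, deque())

    def publish(self, exchange, routing_key, body):
        """One copy per matching queue, however many bindings match; returns the queues reached."""
        targets = {q for pat, q in self.bindings.get(exchange, []) if topic_match(pat, routing_key)}
        for q in targets:
            self.queues[q].append((routing_key, body))
        if not targets:
            self.unroutable += 1
        return targets

    def consume(self, queue, handler):
        """Drain a queue, removing (acking) a message only after its handler succeeds."""
        q, handled = self.queues[queue], 0
        while q:
            key, body = q[0]
            handler(key, body)   # an exception leaves the message at the head for a retry
            q.popleft()
            handled += 1
        return handled


class AuthzCache:
    """A consumer such as KFS keeping its own copy of affiliation data current (slide 41)."""
    def __init__(self):
        self.affiliations = {}   # uhNumber -> set of affiliations
        self.seen = set()        # event ids: a redelivered event must be a no-op

    def handle(self, routing_key, event):
        if event["eventId"] in self.seen:
            return
        self.seen.add(event["eventId"])
        if routing_key.endswith(".removed"):
            self.affiliations.pop(event["uhNumber"], None)
        else:
            self.affiliations[event["uhNumber"]] = set(event["affiliations"])


def demo():
    """Constructed scenario: UHIMS publishes, KFS and LISTSERV consume independently."""
    broker = Broker()
    # Consumers bind first; anything published earlier would be unroutable and lost.
    broker.bind("kfs.uhims", "uhims.events", "person.affiliation.#")
    broker.bind("listserv.uhims", "uhims.events", "person.*.changed")
    kfs = AuthzCache()
    # The producer addresses the exchange only; it does not know KFS or LISTSERV exist.
    e1 = {"eventId": "e1", "uhNumber": "10000001", "affiliations": ["faculty"]}
    broker.publish("uhims.events", "person.affiliation.changed", e1)
    broker.publish("uhims.events", "person.affiliation.changed", e1)   # duplicate delivery
    broker.publish("uhims.events", "person.affiliation.removed", {"eventId": "e2", "uhNumber": "10000002"})
    broker.publish("uhims.events", "building.access.changed", {"eventId": "e3"})  # nobody bound
    handled = broker.consume("kfs.uhims", kfs.handle)   # LISTSERV's queue keeps buffering
    return broker, kfs, handled


if __name__ == "__main__":
    broker, kfs, handled = demo()
    print(handled, kfs.affiliations, broker.unroutable, len(broker.queues["listserv.uhims"]))
```

Three points the slides do not spell out: the consumer is idempotent on event id because brokers redeliver after a lost ack; an event that no consumer has bound for is silently gone, so an unroutable counter (or RabbitMQ's mandatory flag) is the only way to notice a misconfigured binding; and because the producer never waits for consumers, a consumer that is down simply accumulates a backlog, which is the availability gain slide 8 promises.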

44 Ecosystem Enhancements Under Way (12-18 months)
– Multifactor Authentication: initially for faculty and staff (students later).
– UH Message Broker infrastructure: clustering for high availability.
– CAS/Shib infrastructure: Shib support for the CAS protocol; clustering for high availability.
– IAM Data Element Dictionary additions: uhScopedHomeOrg (primary campus, Banner/PS); uhMemberOfGrouping (advanced AuthZ).
– UH Groupings UI improvements.

45 UHIMS Dreams & Blue Sky Visions: Multifactor Authentication
– To protect all of our servers, inside and outside the data center.
– As a requirement for all of our admin apps.
– As an opt-in service for the entire UH community.

46 UHIMS Dreams & Blue Sky Visions: UH Groupings used ubiquitously
– Comprehensive use of custom and automatic groups.
– Comprehensive enterprise-wide audit reports revealing who has access to what.
– Automated enterprise provisioning/deprovisioning across all (applicable) apps.
– Very easy to use for IT staff and users.

47 UHIMS Dreams & Blue Sky Visions: UH Groupings, more publication destinations
– LDAP groups
– Laulima groups
– Google groups
– The exclusive LISTSERV list management mechanism (as a capability).

48 UHIMS Dreams & Blue Sky Visions: Hands-on App Developer Workshops
– CAS authentication, externalized AuthN
– UH Groupings, externalized AuthZ
– UH Message Broker, messaging/decoupling
– UHIMS Events

49 UHIMS Dreams & Blue Sky Visions: ACER Integration
– A full-function Acknowledgements and Certifications management solution.
– System-wide online General Confidentiality Notice acceptance assertions.
– System-wide online criminal background check assertions.
– ACER enforcement for app access authorizations.

50 UHIMS Dreams & Blue Sky Visions: Personal Profile Management
– View access to directory information.
– Ability to change select directory information as needed.
– Access to group memberships.
– Ability to opt in/out of groups as permitted.
– Access to attribute release policies.
– Ability to opt in/out of attribute release policies as permitted.

51 For the Pragmatic, the UHIMS Ecosystem
Michael Hodges, ITS, Identity and Access Management, University of Hawaii

