Presentation is loading. Please wait.

Presentation is loading. Please wait.

Enriching Identity Through Groups EDUCAUSE Distributed Access Management CAMP Joy Veronneau Cornell University, Identity Management November 8, 2006.

Published byAlexander Webster Modified over 9 years ago

Similar presentations

Presentation on theme: "Enriching Identity Through Groups EDUCAUSE Distributed Access Management CAMP Joy Veronneau Cornell University, Identity Management November 8, 2006."— Presentation transcript:

1 Enriching Identity Through Groups EDUCAUSE Distributed Access Management CAMP Joy Veronneau Cornell University, Identity Management November 8, 2006

2

3

4 A Little Bit of Background Examples of Groups at Cornell: –People allowed to download Eudora –Students –Employees –People allowed to access the Identity Management Request Tracking System –Chess club mailing list Cornell currently manages groups such as these with an in-house application called the “Permit Server”

5 Why Not LDAP Groups? We looked at doing this a couple of years ago, but our Directory data feeds aren’t robust enough….

6 Cornell’s Permit System Central Authorization at Cornell is generically handled by the Permit Server The Permit Server maps groups of NetIDs to “permits” A permit is just a string token, such as “cit.staff” or “cu.student”

7 A List-Based System PERMIT NAMELIST OF NETIDs cit.staffbbb1, cjm5, jtp5, rd29, jv11, … cu.employeeaba1, cjm5, jtp5, rd29, jv11, … cu.studentfbc4, gv455, rb553, tgm4, … cit.update.eudorafbc4, gv455, jtp5, rd29, jv11, … On the Permit Server, we might see something like this table:

8 How Permits are Used A service or resource may be restricted to users who hold specific permits Various applications (including CUWebAuth, our Apache module for doing web based authentication) know how to query the permit server and thus utilize the central authorization system Application administrators can choose to utilize centrally maintained permits, or they may opt to administer their own permit

9

10

11 Permits: High on Maintenance Regardless of whether or not a permit is centrally or locally maintained, the permit is maintained manually, except for a few provisioning scripts which cause a basic set of permits to be issued when NetIDs are created. Regularly scheduled “clean up” processes are in place to remove permits when a user’s association with the university changes - student graduates, student changes to employee, employee changes to student, or termination.

12 Speaking of High on Maintenance Try to buy a ticket to Slope Day if you are a Grad student…

13 Administrative UI designed in the 1990s No automatic memberships/roles No limitations, expirations Limited delegation features Users can’t see what permits they have No self-enrollment options Permits can’t do negative authorizations For example, an institution may want to offer a service to all active students but only within the United States due to export or other laws…. Permits: Low on Features MODERN

14 Permit Server Stats Cornell has approximately 60,000 active NetIDs. There are over 800 permits but only about 325 are active. Those active permits have about 300,000 memberships. On our busiest day, there were about 375,000 queries to the Permit Server - on that day the busiest minute was about 1650 queries.

15 We Love Permits… But… We recently had to restructure the on-line course registration application because it was crashing the Permit Server. We are starting to need more features, and a more modern system.

16 Introducing the Internet2 Grouper Initiative Cornell was following Grouper development efforts. Grouper seemed like it might be a possible replacement for the Permit Server. We looked into Grouper a little bit more and liked what we saw!

17 Grouper - a Group Management Service A common user interface and standard API for managing groups. Users can easily see what groups they are members of. Users can create and manage their own groups.

18 A Few of the Grouper Features that the Permit Server Doesn’t Have –basic group management by distributed authorities –subgroups –composite groups - groups whose membership is determined by the union, intersection, or relative complement of two other groups –traceback of indirect membership –a future version of Grouper will include aging of groups and memberships –Self enrollment and unenrollment –LDAP provisioning of group membership information –Uses existing repositories for subject sources

19 Cool Stuff Any user can log into Grouper and see what groups they are a member of. Currently at Cornell, users have no idea what permits they have… Groups can be subjects in Signet and then assigned limits/privileges. The LDAP Provisioning Connector will automatically provision your groups into your directory.

20 Grouper, Shibboleth, & Remote Authorities AuthN is handled outside of Grouper - go ahead and use Shibboleth, CAS, or your own SSO What about people not in local Identity Management systems? –Add a subject source pointing to a little database of ePPN & description (or whatever attributes are desired) of remote subjects to give restricted access to Grouper –Eg: check out the MyVocs.org project

21

22 Cornell Look and Feel Oracle 4 Subject Sources: NetIDs, GuestIDs, ServiceIDs, Admin Principals Yes Soon Yes FutureJune 2007

23 Example Grouper Screens (With the Cornell Style Sheet)

24

25

26

27

28 Grouper Migration Project at Cornell Initiation PlansProject PlanningProject Charters

29 Phase One Requirements

30 What Requirements? How to define the Namespace - stem hierarchy The Migration Plan What do we need to use for Subjects, subject sources, etc. GuestIDs? Directory Requirements UI requirements

31 What Requirements? User documentation requirements How to do group membership queries Logging Cleanup requirements - restore utility Infrastructure upgrades Availability, backups, monitoring, metrics Security Load testing

32 Permit Server - Simplest Diagram

33 Migration Strategy

34 Migration Plan Details Develop infrastructure that supports Grouper - LDAP modifications, other software modifications Migrate the Permit Database to the Grouper groups registry Put the shim in place Permit administration utility retired in favor of the Grouper UI Everything will just work Application administrators convert to native Grouper/LDAP queries when they are ready.

35 Designing Our Namespace Goals: –We want the new namespace to be better organized than the Permit Server namespace. –We want to be able to let each Cornell Unit decide how they want their stem to look, and how they want to administer it.

36 And the Winner Is… cu cuunitsaffiliates Arts & Sciences Alumni Affairs and Development Human Resources ROTC Paleontological Research

37 Group Membership Queries: Web Service or LDAP? Decided we need both Would LDAP Connector be ready in time? Web Services for updates LDAP for applications that come enabled for LDAP group lookups Still working on LDAP ACI protection scheme

38 Initial investigations: –Fit-Gap analysis between Permit Server System and Grouper –Early versions of Grouper running in test –Baseline discovery and use cases –Requirements gathering - over 30 meetings –Built and tested scripts to migrate permits into Grouper –Modified UI for Cornell look and feel Migration strategy: –Phased approach –Start with Permit Server replacement, as transparent to users as possible –Application administrators can switch to native Grouper at their convenience (if they don’t take *too* long - maybe a little over a year) –Addition of automatically provisioned groups comes later Work Accomplished to Date

39 Interesting Things we Found While Gathering Requirements for the Migration Project The Permit UI doesn’t do any error checking when you add NetIDs to a permit. One permit had quotes around all the NetIDs, i.e. “jv11” rather than jv11. Wasn’t going to migrate well. There are about 20 Kerberos admin principals in use that have permits but aren’t in the directory - we will have to create a directory branch just for those. We found 5 or 6 org charts when deciding how to build our namespace for our stem hierarchy. The permit server daemon was not logging every command. Our provisioning scripts were assigning quite a few permits that aren’t in use anymore. We gave several demos of Grouper and the campus is enthusiastic about the project. Requirements gathering takes a long time - at least two months.

40 Larger Tasks To Do Before Go-Live Load testing! Deciding on and implementing an ACI scheme for protecting group membership information in LDAP. Building a web service interface to the Grouper API - although a prototype is finished. Integrating our CUWebAuth Authorization software with native Grouper. Writing the permit shim.

41 Things to do Later, After the Migration Start populating groups automatically from systems of record - for example, class lists, departmental employees Signet

42 How Come You’re Not Done Yet? Phasing out Kerberos 4; will be Kerberos 5 only Integrating Active Directory with LDAP and Kerberos Provisioning Alumni Password Complexity Enforcement Campuswide GuestID system

43 Central Authorization, The Big Picture

44 Protect Your Grouper Database Password!

Download ppt "Enriching Identity Through Groups EDUCAUSE Distributed Access Management CAMP Joy Veronneau Cornell University, Identity Management November 8, 2006."

Similar presentations

MFA for Business Banking – Security Code Multifactor Authentication: Quick Tip Sheets Note to Financial Institutions: We are providing these QT sheets.

MFA for Business Banking – Security Code Multifactor Authentication: Quick Tip Sheets Note to Financial Institutions: We are providing these QT sheets.
Cornell University Replacing a System that (sorta) Works Tom Parker Project Manager Identity Management Team Cornell University Central.

Cornell University Replacing a System that (sorta) Works Tom Parker Project Manager Identity Management Team Cornell University Central.
Copyright Tom Parker, Ron DiNapoli, Andrea Beesing, Joy Veronneau 2004. This work is the intellectual property of the authors. Permission is granted for.

Copyright Tom Parker, Ron DiNapoli, Andrea Beesing, Joy Veronneau This work is the intellectual property of the authors. Permission is granted for.
Integration Technologies for Grouper & Signet Tom Barton, U Chicago Joy Veronneau, Cornell Gary Brown, U Bristol Lynn McRae, Stanford.

Integration Technologies for Grouper & Signet Tom Barton, U Chicago Joy Veronneau, Cornell Gary Brown, U Bristol Lynn McRae, Stanford.
Emory University Case Study I2 Day Camp November 5, 2010 John Ellis & Elliot Kendall.

Emory University Case Study I2 Day Camp November 5, 2010 John Ellis & Elliot Kendall.
Technology Steering Group January 31, 2007 Academic Affairs Technology Steering Group February 13, 2008.

Technology Steering Group January 31, 2007 Academic Affairs Technology Steering Group February 13, 2008.
Peter Deutsch Director, I&IT Systems July 12, 2005

Peter Deutsch Director, I&IT Systems July 12, 2005
Technology Steering Group January 31, 2007 Academic Affairs Technology Steering Group February 13, 2008.

Technology Steering Group January 31, 2007 Academic Affairs Technology Steering Group February 13, 2008.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 10: Server Administration.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 10: Server Administration.
Maintaining and Updating Windows Server 2008

Maintaining and Updating Windows Server 2008
Account Management, The Next Generation Unified Directories at the Rochester Institute of Technology Dan Tobin Matt Campbell.

Account Management, The Next Generation Unified Directories at the Rochester Institute of Technology Dan Tobin Matt Campbell.
Setting up the Grouper and Signet Databases Joy Veronneau Cornell University Identity Management November 7, 2006.

Setting up the Grouper and Signet Databases Joy Veronneau Cornell University Identity Management November 7, 2006.
PKI Network Authentication Dartmouth Applications Robert Brentrup Educause/Dartmouth PKI Summit July 27, 2005.

PKI Network Authentication Dartmouth Applications Robert Brentrup Educause/Dartmouth PKI Summit July 27, 2005.
LDAP Management at Stony Brook Making Active Directory and PeopleSoft Work Together SUNY Technology Conference Rochester, New York Monday June 12, 2006.

LDAP Management at Stony Brook Making Active Directory and PeopleSoft Work Together SUNY Technology Conference Rochester, New York Monday June 12, 2006.
SubVersioN – the new Central Service at DESY by Marian Gawron.

SubVersioN – the new Central Service at DESY by Marian Gawron.
Introduction to Group Management Tom Barton, Blair Christensen University of Chicago.

Introduction to Group Management Tom Barton, Blair Christensen University of Chicago.
Chapter 2: Installing and Upgrading to Windows Server 2008 R2 BAI617.

Chapter 2: Installing and Upgrading to Windows Server 2008 R2 BAI617.
INFO 637Lecture #31 Software Engineering Process II Launching & Strategy INFO 637 Glenn Booker.

INFO 637Lecture #31 Software Engineering Process II Launching & Strategy INFO 637 Glenn Booker.
Version Control with Subversion. What is Version Control Good For? Maintaining project/file history - so you don’t have to worry about it Managing collaboration.

Version Control with Subversion. What is Version Control Good For? Maintaining project/file history - so you don’t have to worry about it Managing collaboration.
Kuali Rice at Indiana University Rice Setup Options July 29-30, 2008 Eric Westfall.

Kuali Rice at Indiana University Rice Setup Options July 29-30, 2008 Eric Westfall.

Similar presentations

Ads by Google