June 10-15, 2012 Growing Community; Growing Possibilities Kevin Muller, Fordham University Bill Thompson, Unicon.


Slide 1: June 10-15, 2012. Growing Community; Growing Possibilities. Kevin Muller, Fordham University; Bill Thompson, Unicon

Slide 2: Identity & Access Management Background (2012 Jasig Sakai Conference)

Slide 3: History
- 2007: Selected the Sun Identity Manager (Sun IdM) for IAM
- 2008: Launched the university portal, Luminis
  - Sun IdM was integrated with Sungard's Banner ERP to actively provision and synchronize accounts
  - Sun IdM was integrated via links on the Luminis portal login page, to provide account claiming and password management
  - The Luminis portal authenticated against the Sun IdM LDAP, but replicated and stored password information into Luminis upon login
  - Luminis keeps certain additional authentication data for use with single sign-on processing

Slide 4: History (cont'd)
- 2009: Efforts began to migrate to and leverage native Luminis account claiming, instead of the Sun IdM
- 2009: A new LDAP was developed, using replicated information from the Luminis internal LDAP
  - This effort was delayed, as the SunOne Directory Server version (v5.2) does not support partial replication
  - It was decided that a full replica would be used instead, so that the project would not be delayed further
  - The new LDAP schema was extended to include eduPerson attributes

Slide 5: History (cont'd)
- 2010: Jasig CAS is selected as Fordham's future single sign-on (SSO) platform
- 2011: Fordham partners with Unicon to assist with the installation and support of CAS
  - CAS is piloted to provide SSO to OrgSync, a student activities portal
  - CAS is then selected to facilitate portal-initiated SSO to Gmail & Google Apps for the student population
- 2012: Fordham partners with Unicon to extend the basic CAS platform to support attribute-based authorization control, in addition to authentication

Slide 6: Why we decided to extend CAS

Slide 7:
- In 2012, Sungard (now Ellucian) announced efforts to sunset the Luminis IV portal
- For several years, their next portal release, Luminis 5, has been delayed and stalled
  - Therefore, we did not consider Luminis 5 a reasonable option for Fordham's migration path
  - Fordham's Internet Services team began preliminary design of a portal framework, using a combination of public and secure content
- Luminis presents role-based tabbed content
  - Moving forward, we would seek to secure certain attribute-based content leveraging CAS

Slide 8: Old portal, old all-in-one architecture (diagram)

Slide 9: New portal, secured through ABAC CAS (diagram)

Slide 10:
- Our vision is based upon a hybrid model
- Content will be pulled from public, secured, and dynamic secured sources
- CAS will be the authentication method, whenever possible
- Secured content will be "locked down" to appropriate attribute-based access
- Dynamic content will be additionally checked via userid, for finer-grained, ERP-based access control

Slide 11: Alumni events are also viewable by the public (screenshot)

Slide 12: Alumni events administration is IIS secured (screenshot)

Slide 13: The alumni events administration folder and pages will now be controlled by authorized attributes (roles) in the CAS configuration file (screenshot)

Slide 14: Technical Solution: ABAC for CAS

Slide 15: Design Goals and Approach
- As simple as possible
- Don't fork, extend
- Easy to configure
- Leverage SWF-based login flow
- Leverage Person Registry
- Implement JSON-based Services Registry

Slide 16: State Diagram (diagram)

Slide 17: State Diagram (cont'd) (diagram)

Slide 18: login-flow.xml
The end state added to the Spring Web Flow login flow redirects an authenticated but unauthorized user to the service's configured failure URL:

    <end-state id="serviceAuthorizationFailureRedirectView"
               view="externalRedirect:${requestScope.authorizationFailureRedirectUrl}"/>

Slide 19: Like, groovy registry, man :)
In-memory data store for the ServiceRegistry that reads the services definition from the /etc/cas/servicesRegistry.conf JSON file.

Bean definition (Spring's Groovy scripting support):

    <lang:groovy id="serviceRegistryDao"
                 script-source="/WEB-INF/groovy/JsonServiceRegistryDao.groovy"
                 init-method="init">
        <lang:property name="servicesConfigFile" value="file:/etc/cas/servicesRegistry.conf"/>
    </lang:groovy>

Initialization method in JsonServiceRegistryDao.groovy:

    void init() {
        // Jackson ObjectMapper: parse the JSON file into a RegisteredServicesCollection
        def mapper = new ObjectMapper()
        def servicesCollection = mapper.readValue(servicesConfigFile.file, RegisteredServicesCollection.class)
        // Hand the parsed services to the in-memory delegate registry
        this.delegateServiceRegistryDao.registeredServices = servicesCollection.services
    }

Slide 20: servicesRegistry.conf
Each registered service carries its authorization attributes (authzAttributes) and the URL to redirect to when the user's attributes do not match:

    {
      "services": [
        {
          "id": "1",
          "serviceId": "https://www.google.com",
          "name": "GOOGLE",
          "description": "Test Google service",
          "evaluationOrder": "1",
          "extraAttributes": {
            "authzAttributes": {
              "eduPersonAffiliation": ["student_current", "alumni"]
            },
            "unauthorizedRedirectUrl": "https://www.google.com?q=un"
          }
        },
        { more services... }
      ]
    }

Source: https://github.com/Unicon/cas-addons
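To make the authorization decision in slides 18 through 20 concrete, here is an added Python example (not code from the cas-addons project) that loads a constructed servicesRegistry.conf, matches a requested service URL to a registered entry by evaluationOrder, and checks the user's attributes against authzAttributes. The matching rule (serviceId as a URL prefix) and the decision rule (every listed attribute must hold at least one permitted value; a missing match yields the unauthorizedRedirectUrl) are assumptions, since the slides do not spell them out.

```python
import json

# Constructed sample in the servicesRegistry.conf shape shown on slide 20
# (not Fordham's real file). evaluationOrder decides which entry wins when
# several serviceId patterns match the same request.
SERVICES_CONF = """
{ "services": [
  { "id": "1", "serviceId": "https://www.google.com", "name": "GOOGLE",
    "description": "Test Google service", "evaluationOrder": "1",
    "extraAttributes": {
      "authzAttributes": { "eduPersonAffiliation": ["student_current", "alumni"] },
      "unauthorizedRedirectUrl": "https://www.google.com?q=un" } },
  { "id": "2", "serviceId": "https://intranet.example.edu/alumni-admin",
    "name": "ALUMNI_ADMIN", "description": "Alumni events administration",
    "evaluationOrder": "2",
    "extraAttributes": {
      "authzAttributes": { "eduPersonEntitlement": ["alumni-events-admin"] },
      "unauthorizedRedirectUrl": "https://intranet.example.edu/denied" } }
] }
"""

def load_services(text):
    """Parse the registry and order it by evaluationOrder (stored as a string)."""
    services = json.loads(text)["services"]
    return sorted(services, key=lambda s: int(s["evaluationOrder"]))

def find_service(services, service_url):
    """Assumed matching rule: first entry whose serviceId is a prefix of the request."""
    for svc in services:
        if service_url.startswith(svc["serviceId"]):
            return svc
    return None

def authorize(services, service_url, user_attrs):
    """Return (allowed, redirect_url). Unregistered services are refused outright;
    a registered service without authzAttributes only requires authentication."""
    svc = find_service(services, service_url)
    if svc is None:
        return False, None
    extra = svc.get("extraAttributes", {})
    required = extra.get("authzAttributes", {})
    for attr, allowed_values in required.items():
        have = user_attrs.get(attr, [])
        if isinstance(have, str):          # single-valued LDAP attribute
            have = [have]
        if not set(have) & set(allowed_values):
            return False, extra.get("unauthorizedRedirectUrl")
    return True, None
```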

Slide 21: How has it worked out so far?

Slide 22:
- As with many near-sourced efforts, transition is sometimes tricky
  - Some coordinated handoff and fine-tuning was necessary for the new ABAC CAS to work as spec'ed
- Since then, we have piloted ABAC CAS for:
  - IIS-hosted secure content
  - JSP Tomcat-hosted content
  - And soon... PHP-based content, as well
- Plus, we've integrated the ABAC CAS security into our future-scape Grails-based, responsive web design initiative

Slide 23: What worked well? What surprises did we encounter?

Slide 24:
- Out of the box, our only rework was to integrate with our actual LDAP attribute data
  - Development was performed without access to the LDAP
- Grails-based framework integration also posed some interesting challenges
  - The Ellucian (formerly SungardHE) mobile connect framework was considered CAS-friendly, but in reality proved difficult to extend
  - However, the difficulty with integration was NOT specifically related to the ABAC extensions

Slide 25: Questions, comments, suggestions...

Slide 26: Contact info: Kevin - kemuller@fordham.edu; Bill - wgthom@unicon.net
