Kevin Muller, Fordham University
Bill Thompson, Unicon
June 10-15, 2012
Growing Community;
Growing Possibilities
Identity & Access Management
Background
2012 Jasig Sakai Conference
2

History
◦ 2007: Selected the Sun Identity Manager for IAM
◦ 2008: Launched the university portal, Luminis
  ▪ Sun IdM was integrated with Sungard’s Banner ERP to actively provision and synchronize accounts
  ▪ Sun IdM was integrated via links on the Luminis portal login page, to provide for account claiming and password management
  ▪ The Luminis portal authenticated against the Sun IdM LDAP, but replicated and stored password information into Luminis upon login
  ▪ Luminis keeps certain additional authentication data, for use with single sign-on processing

History (cont’d)
◦ 2009: Efforts began to migrate to and leverage native Luminis account claiming, instead of the Sun IdM
◦ 2009: A new LDAP was developed, using replicated information from the Luminis internal LDAP
  ▪ This effort was delayed, as the SunOne Directory Server version (v5.2) does not support partial replication
  ▪ It was decided that a full replica would be used instead, so that the project would not be delayed further
  ▪ The new LDAP schema was extended to include eduPerson attributes

History (cont’d)
◦ 2010: Jasig CAS is selected as Fordham’s future single sign-on (SSO) platform
◦ 2011: Fordham partners with Unicon to assist with the installation and support of CAS
  ▪ CAS is piloted to provide SSO to OrgSync, a student activities portal
  ▪ CAS is then selected to facilitate portal-initiated SSO to Gmail & Google Apps for the student population
◦ 2012: Fordham partners with Unicon to extend the basic CAS platform to support attribute-based authorization control, in addition to authentication
Why we decided to extend CAS


• In 2012, Sungard (now Ellucian) announced efforts to sunset the Luminis IV portal
• For several years, their next portal release, Luminis 5, has been delayed and stalled
  ◦ Therefore, we did not consider Luminis 5 a reasonable option for Fordham’s migration path
  ◦ Fordham’s Internet Services team began preliminary design of a portal framework, using a combination of public and secure content
• Luminis presents role-based tabbed content
  ◦ Moving forward, we would seek to secure certain attribute-based content leveraging CAS

Old portal, old all-in-one architecture

New portal, secured through ABAC CAS





• Our vision is based upon a hybrid model
• Content will be pulled from public, secured, and dynamic secured sources
• CAS will be the authentication method, whenever possible
• Secured content will be “locked down” to appropriate attribute-based access
• Dynamic content will be additionally checked via userid, for finer-grained, ERP-based access control

Alumni events are also viewable by the public

Alumni events administration is IIS secured

The alumni events administration folder and pages will now be controlled by authorized attributes (roles) in the CAS configuration file
Technical Solution
ABAC for CAS
Design Goals and Approach






• As simple as possible
• Don’t fork, extend
• Easy to configure
• Leverage the SWF-based (Spring Web Flow) login flow
• Leverage the Person Registry
• Implement a JSON-based Services Registry
State Diagram
State Diagram (cont’d)
login-flow.xml

    <action-state id="generateServiceTicket">
        <!-- Custom service RBAC authorization check, run before the ticket is generated -->
        <on-entry>
            <evaluate expression="serviceAuthorizationAction"/>
        </on-entry>
        <evaluate expression="generateServiceTicketAction"/>
        <transition on="success" to="warn"/>
        <transition on="error" to="generateLoginTicket"/>
        <transition on="gateway" to="gatewayServicesManagementCheck"/>
    </action-state>

    <!-- Service RBAC external redirect -->
    <end-state id="serviceAuthorizationFailureRedirectView"
               view="externalRedirect:${requestScope.authorizationFailureRedirectUrl}"/>
Like, groovy registry, man :)
In-memory data store for the ServiceRegistry that reads the services definition from the /etc/cas/servicesRegistry.conf JSON file

    <lang:groovy id="serviceRegistryDao"
                 script-source="/WEB-INF/groovy/JsonServiceRegistryDao.groovy"
                 init-method="init">
        <lang:property name="servicesConfigFile"
                       value="file:/etc/cas/servicesRegistry.conf"/>
    </lang:groovy>

    // Called once by Spring (init-method): parse the JSON file and hand the
    // resulting service list to the wrapped in-memory service registry DAO
    void init() {
        def mapper = new ObjectMapper()
        def servicesCollection =
            mapper.readValue(servicesConfigFile.file, RegisteredServicesCollection.class)
        this.delegateServiceRegistryDao.registeredServices = servicesCollection.services
    }
servicesRegistry.conf

    {
      "services": [
        {
          "id": "1",
          "serviceId": "https://www.google.com",
          "name": "GOOGLE",
          "description": "Test Google service",
          "evaluationOrder": "1",
          "extraAttributes": {
            "authzAttributes": {
              "eduPersonAffiliation": ["student_current", "alumni"]
            },
            "unauthorizedRedirectUrl": "https://www.google.com?q=un"
          }
        },
        { more services... }
      ]
    }
https://github.com/Unicon/cas-addons
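To make the two pieces above concrete, here is an added illustration, written in Python so it runs stand-alone, of what a serviceAuthorizationAction backed by this JSON registry has to decide before the generateServiceTicket state proceeds: find the registered service for the requested URL, check the principal’s attributes against the service’s authzAttributes, and hand back the unauthorizedRedirectUrl on denial for the failure end-state to redirect to. This is not code from cas-addons or from Fordham’s deployment. The matching rule (exact scheme and host, path prefix on a segment boundary), the policy (every listed attribute must be satisfied by at least one of its listed values; no authzAttributes means authentication only; unregistered services are denied) and the second and third services in the sample registry are assumptions, not taken from the deck.

```python
import json
from urllib.parse import urlsplit

# Constructed sample registry in the shape of servicesRegistry.conf. The GOOGLE entry
# is the one shown in the deck; the other two services are made up for illustration.
REGISTRY_JSON = """
{"services": [
  {"id": "1", "serviceId": "https://www.google.com", "name": "GOOGLE",
   "description": "Test Google service", "evaluationOrder": "1",
   "extraAttributes": {
     "authzAttributes": {"eduPersonAffiliation": ["student_current", "alumni"]},
     "unauthorizedRedirectUrl": "https://www.google.com?q=un"}},
  {"id": "2", "serviceId": "https://alumni.example.edu/admin", "name": "ALUMNI_EVENTS_ADMIN",
   "evaluationOrder": "10",
   "extraAttributes": {
     "authzAttributes": {"eduPersonAffiliation": ["staff"],
                         "exampleRole": ["alumni_events_admin"]},
     "unauthorizedRedirectUrl": "https://www.example.edu/unauthorized"}},
  {"id": "3", "serviceId": "https://public.example.edu", "name": "PUBLIC",
   "evaluationOrder": "2", "extraAttributes": {}}
]}
"""


def load_registry(text):
    """Parse the registry JSON and return its services sorted by evaluationOrder.

    The config stores evaluationOrder as a string, so convert to int first;
    a plain string sort would place "10" before "2".
    """
    services = json.loads(text)["services"]
    return sorted(services, key=lambda s: int(s.get("evaluationOrder", 0)))


def service_matches(service_id, requested_url):
    """Assumed matching rule: same scheme and host, and the requested path must equal
    the registered path or lie below it on a path-segment boundary.

    Comparing the host exactly (rather than a plain string prefix test on the URL)
    keeps https://www.google.com.example.org from matching "https://www.google.com";
    the segment boundary keeps /administrator from matching a registered /admin.
    """
    reg, req = urlsplit(service_id), urlsplit(requested_url)
    if reg.scheme.lower() != req.scheme.lower() or reg.netloc.lower() != req.netloc.lower():
        return False
    reg_path = reg.path.rstrip("/")
    if not reg_path:
        return True  # registered without a path: any path on that host
    return req.path == reg_path or req.path.startswith(reg_path + "/")


def find_service(registry, requested_url):
    """Return the first registered service matching the URL, in evaluation order, else None."""
    for service in registry:
        if service_matches(service["serviceId"], requested_url):
            return service
    return None


def _as_set(value):
    """Principal attributes may arrive as a single string or a list; normalise to a set."""
    if value is None:
        return set()
    if isinstance(value, str):
        return {value}
    return set(value)


def authorize(service, principal_attributes):
    """Decide whether the authenticated principal may receive a service ticket.

    Assumed policy: every attribute listed under authzAttributes must be satisfied,
    and an attribute is satisfied when the principal holds at least one listed value.
    A service with no authzAttributes requires authentication only; an unregistered
    service (None) is always denied. Returns (allowed, redirect_url), where
    redirect_url is the service's unauthorizedRedirectUrl on denial (None otherwise),
    i.e. the value the failure end-state in login-flow.xml would redirect to.
    """
    if service is None:
        return False, None
    extra = service.get("extraAttributes") or {}
    required = extra.get("authzAttributes") or {}
    for attribute, allowed_values in required.items():
        if not _as_set(principal_attributes.get(attribute)) & set(allowed_values):
            return False, extra.get("unauthorizedRedirectUrl")
    return True, None


if __name__ == "__main__":
    registry = load_registry(REGISTRY_JSON)
    google = find_service(registry, "https://www.google.com/mail/")
    print(authorize(google, {"eduPersonAffiliation": ["alumni"]}))   # (True, None)
    print(authorize(google, {"eduPersonAffiliation": "employee"}))   # (False, 'https://www.google.com?q=un')
```

Two details carry the security weight here: the service match compares the host exactly instead of doing a string prefix test on the whole URL, and the attribute check treats a missing attribute as a denial rather than an allow, so a principal the LDAP knows nothing about never slips through to content that was supposed to be locked down.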
How has it worked out so far?

• As with many near-sourced efforts, transition is sometimes tricky
  ◦ Some coordinated handoff and fine-tuning was necessary for the new ABAC CAS to work as spec’ed
• Since then, we have piloted ABAC CAS for:
  ◦ IIS-hosted secure content
  ◦ JSP Tomcat-hosted content
  ◦ And soon… PHP-based content, as well
• Plus, we’ve integrated the ABAC CAS security into our future-scape Grails-based, responsive web design initiative
What worked well? What surprises did we encounter?

• Out of the box, our only rework was to integrate with our actual LDAP attribute data
  ◦ Development was performed without access to the LDAP
• Grails-based framework integration also posed some interesting challenges
  ◦ The Ellucian (formerly SungardHE) mobile connect framework was considered CAS-friendly, but in reality proved difficult to extend
  ◦ However, the difficulty with integration was NOT specifically related to the ABAC extensions
Questions, comments, suggestions…
Contact info:
Kevin – kemuller@fordham.edu
Bill – wgthom@unicon.net