Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science
  3. Networking

History

advertisement 
Kevin Muller, Fordham University
Bill Thompson, Unicon
11th June 2012, 3:45 PM
Identity & Access Management
Background
June 10-15, 2012
Growing Community;
Growing Possibilities
2012 Jasig Sakai Conference
History
◦ 2007: Selected the Sun Identity Manager for IAM
◦ 2008: Launched the university portal, Luminis
(cont’d)
◦ 2009: Efforts began to migrate to & leverage native
Luminis account claiming, instead of the Sun IdM
◦ 2009: A new LDAP was developed, using replicated
information from the Luminis internal LDAP
Sun IdM was integrated with Sungard’s Banner ERP to
actively provision and synchronize accounts
Sun IdM was integrated via links on the Luminis portal
login page, to provide for account claiming and
password management
Luminis portal authenticated against the Sun Idm
LDAP, but replicated and stored password information
into Luminis upon login
Luminis keeps certain additional authentication data,
for use with single sign-on processing
2012 Jasig Sakai Conference
History
2
This effort was delayed, as the SunOne Directory
Server version (v5.2) does not support partial
replication
It was decided that a full replica would be used
instead, so that the project would not be delayed
further
The new LDAP schema was extended to include
eduPerson attributes
3
2012 Jasig Sakai Conference
4
History
(cont’d)
◦ 2010: Jasig CAS is selected as Fordham’s future
single sign-on (SSO) platform
◦ 2011: Fordham partners with Unicon to assist with
the installation and support of CAS
CAS is piloted to provide SSO to OrgSync, a student
activities portal
CAS is then selected to facilitate portal-initiated SSO to
Gmail & Google Apps for the student population
Why we decided to extend CAS
◦ 2012: Fordham partners with Unicon to extend the
basic CAS platform to support attribute-based
authorization control, in addition to authentication
2012 Jasig Sakai Conference
5
In 2012, Sungard (now Ellucian) announced
efforts to sunset the Luminis IV portal
For several years, their next portal release,
Luminis 5, has been delayed and stalled
2012 Jasig Sakai Conference
6
Old portal, old all-in-one architecture
◦ Therefore, we did not consider Luminis 5 as a
reasonable option for Fordham’s migration path
◦ Fordham’s Internet Services team began preliminary
design of a portal framework, using a combination
of public and secure content
Luminis presents role-based tabbed content
◦ Moving forward, we would seek to secure certain
attribute-based content leveraging CAS
2012 Jasig Sakai Conference
7
2012 Jasig Sakai Conference
8
New portal, secured through ABAC CAS
2012 Jasig Sakai Conference
9
Alumni events are also viewable by the public
2012 Jasig Sakai Conference
2012 Jasig Sakai Conference
11
Our vision is based upon a hybrid model
Content will be pulled from public, secured,
and dynamic secured sources
CAS will be the authentication method,
whenever possible
Secured content will be “locked down” to
appropriate attribute-based access
Dynamic content will be additionally checked
via userid, for finer-grained, ERP-based
access control
10
Alumni events administration is IIS secured
2012 Jasig Sakai Conference
12
Alumni events administration folder and
pages will now be controlled by authorized
attributes (roles) in the CAS configuration file
Technical Solution
ABAC for CAS
2012 Jasig Sakai Conference
Design Goals and Approach
13
2012 Jasig Sakai Conference
State Diagram
As simple as possible
Don’t fork, extend
Easy to configure
Leverage SWF-based login flow
Leverage Person Registry
Implement JSON-based Services Registry
2012 Jasig Sakai Conference
2012 Jasig Sakai Conference
State Diagram (cont’
(cont’d)
login-flow.xml
<action-state id="generateServiceTicket">
<!-- Custom service RBAC authorization check -->
<on-entry>
<evaluate expression="serviceAuthorizationAction"/>
</on-entry>
<evaluate expression="generateServiceTicketAction"/>
<transition on="success" to="warn"/>
<transition on="error" to="generateLoginTicket"/>
<transition on="gateway" to="gatewayServicesManagementCheck"/>
</action-state>
<!-- Service RBAC external redirect -->
<end-state id="serviceAuthorizationFailureRedirectView"
view="externalRedirect:${requestScope.authorizationFailureRedirectUrl}"/>
2012 Jasig Sakai Conference
2012 Jasig Sakai Conference
Like, groovy registry, man :)
servicesRegistry.conf
In-memory data store for the ServiceRegistry that reads the services definition
from /etc/cas/servicesRegistry.conf JSON file
{
"services":[
{
"id":"1",
"serviceId":"https://www.google.com",
"name":"GOOGLE",
"description":"Test Google service",
"evaluationOrder":"1",
"extraAttributes":{
"authzAttributes":{
"eduPersonAffiliation":["student_current", "alumni"]
},
"unauthorizedRedirectUrl":https://www.google.com?q=un
}
}
<lang:groovy id="serviceRegistryDao“
script-source="/WEB-INF/groovy/JsonServiceRegistryDao.groovy“
init-method="init">
<lang:property name="servicesConfigFile"
value="file:/etc/cas/servicesRegistry.conf"/>
</lang:groovy>
void init() {
def mapper = new ObjectMapper()
def servicesCollection
= mapper.readValue(servicesConfigFile.file, RegisteredServicesCollection.class)
this.delegateServiceRegistryDao.registeredServices = servicesCollection.services
}
{ more services...}
}
https://github.com/Unicon/cas-addons
2012 Jasig Sakai Conference
2012 Jasig Sakai Conference
As with many near-sourced efforts, transition
is sometimes tricky
◦ Some coordinated handoff and fine-tuning was
necessary for the new ABAC CAS to work as spec’ed
Since then, we have piloted ABAC CAS for:
◦ IIS-hosted secure content
◦ JSP Tomcat-hosted content
◦ And soon… PHP-based content, as well
How has it worked out so far?
2012 Jasig Sakai Conference
21
Plus, we’ve integrated the ABAC CAS security
into our future-scape Grails-based,
responsive web design initiative
2012 Jasig Sakai Conference
22
Out of the box, our only rework was to
integrate with our actual LDAP attribute data
◦ Development was performed without access to the
LDAP
◦ The Ellucian (formerly SungardHE) mobile connect
framework was considered CAS-friendly, but in
reality, proved difficult to extend
◦ However, the difficulty with integration was NOT
specifically related to the ABAC extensions
What worked well? What
surprises did we encounter?
2012 Jasig Sakai Conference
Grails-based framework integration also
posed some interesting challenges
23
2012 Jasig Sakai Conference
24
Questions, comments,
suggestions…
2012 Jasig Sakai Conference
Contact info:
Kevin – kemuller@fordham.edu
Bill –
wgthom@unicon.net
25
2012 Jasig Sakai Conference
26
Related documents
ePortfolios in Virginia Tech's First-Year Experiences Program
ePortfolios in Virginia Tech's First-Year Experiences Program
Julie Taylor - Learning and Innovation Forum 2014
Julie Taylor - Learning and Innovation Forum 2014
State Diagram (cont`d)
State Diagram (cont`d)
PersonRegistries-JASIG
PersonRegistries-JASIG
Community Schools, the Director - Coalition for Community Schools
Community Schools, the Director - Coalition for Community Schools
Graduate Student Teaching Skills Certification Checklist
Graduate Student Teaching Skills Certification Checklist
The course purpose is to study human behavior in organizations at
The course purpose is to study human behavior in organizations at
Large Aperture Millimeter/Submillimeter Telescopes in the ALMA Era
Large Aperture Millimeter/Submillimeter Telescopes in the ALMA Era
Guidelines for writing Project Report
Guidelines for writing Project Report
Reading and Class Schedule
Reading and Class Schedule
rvljasigsakai12
rvljasigsakai12
TestsAndQuizzes-WhatsNew2.9
TestsAndQuizzes-WhatsNew2.9
Download
advertisement