Studies in Advanced Access Management
April 22nd 2008
Internet2 Spring member meeting
Caleb Racey
Newcastle University
UK
http://gfivo.ncl.ac.uk
Context: Who Am I
• Team Leader, Middleware team, Newcastle University
• 8 years' experience of systems admin for the web
• 5 years working on SSO issues
• 4 years with shibboleth
• 1 year with grouper
Context: Newcastle University
• UK University
• 4,700 staff, 17,000 students
• Research intensive
• Medical School
• Centralised IT service
Context: identity experiences
No central directory
No central identity source
Identity management is ad hoc
Deployment by advocacy rather than policy
Large mature shibboleth deployment
10% of entities registered in UK federation
Shib used more internally than externally
Context: What is grouper
• System for managing group information
• Collaborative effort from internet2
• API for managing groups
– Supports “group math”
– Uses subject API
• UI + webservice + shell interfaces onto API
http://middleware.internet2.edu/dir/groups/grouper/
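To make the "group math" and the stem/group/indirect-membership concepts on this slide concrete, here is a small Python model of them. It is an added illustration, not Grouper's own API or code; every stem, group name and subject id in it is constructed sample data.

```python
"""Toy model of the Grouper concepts named above: stems (namespaces),
groups, nested groups giving indirect membership, and composite "group
math" (union, intersection, complement).

Added illustration, not Grouper's API; every stem, group and subject id
below is constructed sample data.
"""
from dataclasses import dataclass, field


@dataclass
class Group:
    name: str                                    # e.g. "ncl:medsch:staff"
    members: set = field(default_factory=set)    # direct subject ids
    subgroups: set = field(default_factory=set)  # directly nested groups
    composite: tuple = None                      # (op, left, right) or None


class Registry:
    def __init__(self):
        self.stems = set()
        self.groups = {}

    def add_stem(self, name):
        self.stems.add(name)

    def add_group(self, name):
        # A group lives in the stem that precedes its last ':'; the stem
        # must already exist, which is what users trip over first.
        stem = name.rpartition(":")[0]
        if stem not in self.stems:
            raise KeyError(f"unknown stem {stem!r}")
        self.groups[name] = Group(name)
        return self.groups[name]

    def add_member(self, group, subject):
        self.groups[group].members.add(subject)

    def add_subgroup(self, group, child):
        self.groups[child]  # raises KeyError if the child does not exist
        self.groups[group].subgroups.add(child)

    def add_composite(self, name, op, left, right):
        if op not in ("union", "intersection", "complement"):
            raise ValueError(op)
        g = self.add_group(name)
        g.composite = (op, left, right)
        return g

    def effective_members(self, name, _seen=frozenset()):
        """All subjects that are members, directly or through nesting."""
        g = self.groups[name]
        if g.composite:
            op, left, right = g.composite
            l, r = self.effective_members(left), self.effective_members(right)
            return {"union": l | r, "intersection": l & r, "complement": l - r}[op]
        seen = _seen | {name}  # guard against cyclic nesting
        result = set(g.members)
        for child in g.subgroups:
            if child not in seen:
                result |= self.effective_members(child, seen)
        return result

    def has_member(self, name, subject):
        return subject in self.effective_members(name)

    def membership_paths(self, name, subject, _path=()):
        """Every chain of groups by which `subject` reaches `name`: the answer
        a helpdesk needs for "why does this person have access?".  A direct
        member yields [(name,)], an indirect one [(name, child, ...)]."""
        g = self.groups[name]
        path = _path + (name,)
        if g.composite:
            return [path] if self.has_member(name, subject) else []
        paths = [path] if subject in g.members else []
        for child in sorted(g.subgroups):
            if child not in path:
                paths += self.membership_paths(child, subject, path)
        return paths


def build_sample():
    """Constructed sample registry: a medical school plus a library."""
    r = Registry()
    for stem in ("ncl", "ncl:medsch", "ncl:library", "ncl:apps"):
        r.add_stem(stem)
    for g in ("ncl:medsch:staff", "ncl:medsch:students", "ncl:medsch:everyone",
              "ncl:medsch:leavers", "ncl:library:staff"):
        r.add_group(g)
    for s in ("alice", "bob"):
        r.add_member("ncl:medsch:staff", s)
    r.add_member("ncl:medsch:students", "carol")
    r.add_member("ncl:medsch:leavers", "bob")
    r.add_member("ncl:library:staff", "dave")
    r.add_member("ncl:library:staff", "alice")
    # Nesting: everyone = staff + students, so carol is an indirect member.
    r.add_subgroup("ncl:medsch:everyone", "ncl:medsch:staff")
    r.add_subgroup("ncl:medsch:everyone", "ncl:medsch:students")
    # Group math: composite groups computed from other groups.
    r.add_composite("ncl:apps:wiki", "complement", "ncl:medsch:everyone", "ncl:medsch:leavers")
    r.add_composite("ncl:apps:readinglist_editors", "intersection", "ncl:medsch:staff", "ncl:library:staff")
    r.add_composite("ncl:apps:podcast", "union", "ncl:medsch:students", "ncl:library:staff")
    return r
```

Running `build_sample().membership_paths("ncl:medsch:everyone", "carol")` shows the nesting chain rather than a bare yes/no, which is the kind of answer that makes indirect membership explainable to the users and helpdesk staff mentioned later in the deck.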
Newcastle’s grouper deployment
GFIVO: JISC-funded 2-year project
Agenda
• What problem are we trying to solve
• What we hope to gain
• Why we want grouper
• What we are doing
• Lessons learned
What problem are we trying to solve
Access control to systems
Targeted Information flow:
• the right information to the right people.
Mess of group information in apps
• most have their own group management
• same groups replicated many times (differently)
– duplication of effort
– valuable business information inaccessible
– User confusion
Growing federated nature of identity and applications
Shib has exposed our weak ID management
What do we hope to gain
Technically
Centralised reusable group management
Lower app development times
Better user experience
Consistency in service
Greater control for helpdesk
Intangibles
Greater user awareness of:
access control
personal identity information
Democratisation of access control
Why we want grouper
• Group info key to identity management in HE
• Mature: developed by people active in group management for years
• Good Community of developers/users
• Supports multiple user interfaces
• Understands fragmented identity stores
• Federateable (via shib)
• Good licence (Apache licence)
What we are doing
Incremental, phased roll-out strategy
Federated use case from day 1
Setup loosely coupled raft of applications
No LDAP
No Signet
Where is existing group information
• SAP ERP system
• VLEs (Blackboard, Plone, Moodle, coursework)
• Email lists
• Web site (MyProfiles)
• Paper in offices
• Reading lists
• Library systems (Aleph)
• SharePoint
• Nowhere
• Facebook!
Use cases (Phase I)
Research support:
• Research Wikis (federated)
• Blogs
• Email lists (federated)
• Sakai research platform (federated)
Teaching and learning:
• Podcasting of lectures (federated)
• Teaching wikis
Internal:
• Monitoring via Nagios + Munin
• Documentation wikis
Potential Use cases (Phase II??)
• Staff profile structuring
– Web publishing
– Research assessment
– Teaching assessment
• Shared File system control
• Door control
• Provisioning to Google Apps
• Reading lists
• Information portal
1st round: Simple integration via gsh
Grouper Shell (gsh)
• Command line interface onto grouper API
• Usage pattern familiar to systems administrators
• No user interaction (no need for further education)
• Good for replacing existing ad hoc database-based systems
Easy first step
People can use grouper without knowing it
http://gfivo.ncl.ac.uk/sampleGroups.php
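The gsh round above replaces ad hoc database-driven group lists with scripted updates from a source of record. The Python below is an added example of the reconciliation logic such a script needs, not Newcastle's code or Grouper's data loader: it derives the desired members from a constructed HR-style export, computes the adds and removes (removals being the deprovisioning step), refuses to apply a feed that would empty the group, and renders the delta as gsh calls for review. The `addMember`/`delMember` command names are assumed from Grouper's shell and should be checked against the deployed version; the export, subject ids and group name are constructed.

```python
"""Reconcile a Grouper group's direct members against a source of record.

Added example, not the Grouper data loader or gsh itself; the HR export,
subject ids and group name are constructed sample data.
"""
from dataclasses import dataclass
import csv
import io

# Constructed extract of an HR system (SAP-style): id, department, status.
SAMPLE_EXPORT = """\
staff_id,department,status
u100,medsch,active
u101,medsch,active
u102,medsch,left
u103,medsch,active
u200,library,active
"""


def desired_members(export_text, department):
    """Subject ids the source of record says belong in the group: people in
    `department` whose status is active.  Rows marked 'left' are the
    deprovisioning signal, so they are deliberately excluded."""
    rows = csv.DictReader(io.StringIO(export_text))
    return {r["staff_id"] for r in rows
            if r["department"] == department and r["status"] == "active"}


@dataclass(frozen=True)
class Plan:
    group: str
    add: frozenset
    remove: frozenset

    def is_noop(self):
        return not self.add and not self.remove


def plan_sync(group, current, desired, max_removal_fraction=0.5):
    """Compute the membership delta.  Refuses to proceed when the feed would
    strip more than `max_removal_fraction` of the current members: a broken
    or empty export should fail loudly, not silently deprovision everyone."""
    current, desired = set(current), set(desired)
    remove = current - desired
    if current and len(remove) / len(current) > max_removal_fraction:
        raise RuntimeError(
            f"{group}: refusing to remove {len(remove)} of {len(current)} members")
    return Plan(group, frozenset(desired - current), frozenset(remove))


def render_gsh(plan):
    """Render the plan as Grouper shell calls so it can be reviewed before it
    is run.  addMember/delMember are the gsh command names this example
    assumes; check them against the gsh version actually deployed."""
    lines = [f'addMember("{plan.group}", "{s}")' for s in sorted(plan.add)]
    lines += [f'delMember("{plan.group}", "{s}")' for s in sorted(plan.remove)]
    return lines


def apply_plan(plan, membership):
    """Apply the delta to an in-memory membership table (a stand-in for the
    real registry) and return the group's new direct member set."""
    members = set(membership.get(plan.group, set()))
    members -= plan.remove
    members |= plan.add
    membership[plan.group] = members
    return members


if __name__ == "__main__":
    registry = {"ncl:medsch:staff": {"u100", "u101", "u102"}}
    want = desired_members(SAMPLE_EXPORT, "medsch")
    plan = plan_sync("ncl:medsch:staff", registry["ncl:medsch:staff"], want)
    print("\n".join(render_gsh(plan)))
    apply_plan(plan, registry)
    print(sorted(registry["ncl:medsch:staff"]))
```

The removal threshold is the part worth keeping whatever the real loader looks like: a feed that arrives empty because an upstream export failed is indistinguishable from "everyone left" unless the script checks the size of the change before applying it.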
2nd Round: Webservices
Web service interface onto grouper API (more later)
Group management in the app
Management in the access denied page (403 page)
Simple user interface solving one problem
Gives control back to application developer
Maybe Sympa integration?
http://www.sympa.org/contribs/apache_authsympa
3rd Round: Grouper UI
Current phase
Deploy grouper UI
3rd phase because:
• Grouper UI is complex to deploy
– Was a technology demonstrator
– Recently revamped (thanks to Penn)
• Grouper UI is complex to develop
– Heavily abstracted
– Heavily configurable
Grouper webservices
New addition to grouper
• In grouper 1.3RC1
• Thanks Chris Hyzer for code contribution
• Based on Apache Axis
• SOAP and REST styles
• SOAP supports basic authentication + WS-Security
WS-Security
• Provided by Apache Rampart
• Support for WS-Security + WS-Trust
• WS-Security = authentication via:
– username/password
– Kerberos
– SAML
– x509
• Enables integration with .NET, SAP and Java WS-Security based stacks; PHP also supported
• May enable advanced SAML, WS-Security and WS-Trust use cases (Shib 2??, Grid stuff??)
Lessons Learned: Benefits
Enables all levels of user
• Grouper UI for Power users
– Librarians, administrators, PAs
• Simple interface via webservices for users
– Staff, students
• Webservices for developers on non java platforms
– .NET, SAP, Python, PHP, Sympa
• Grouper API for java developers
• Grouper shell for Systems Admins
Lessons learned: benefits
Grouper fills large pre-existing gap
Grouper allows coherent interface onto incoherent
data architecture
People like access controlled apps
Federated use emerges from internal use
Lessons Learned: requirements
Skill-set prerequisites:
Java systems admin (tomcat etc)
Internal data architecture
shell scripting
WS use
Not Struts
Technical prerequisites:
Free-standing MySQL server (others supported)
Data Loader
Tomcat server
SSO (shib preferable)
Lessons Learned: Issues
Issues Avoided:
• Naming convention debates
– People are irrational about names
– People will argue about hierarchy structure endlessly
– The people who care most about structure are the most powerful
– Avoided by not exposing the naming hierarchy... yet
Issues Encountered:
• Users don't grasp the concepts: stems, groups, indirect membership
• Solutions:
– Introduce them slowly
– Avoid use when possible
– UI redesign (thanks Penn)
Lessons Learned: Issues
• Getting data from data stores
– Need for data loader
• Shib resolver reusable?
• Deprovisioning?
• Need for fast updating
• Grouper comes from an enterprise LDAP directory mindset
• No one understands LDAP
• AD admins don’t even know AD = LDAP
• Shib took 4 years, will grouper?
ANY QUESTIONS?
http://gfivo.ncl.ac.uk/resources.php