Post on 22-Dec-2015
University of Hawaii © 2015 1
For the Pragmatic, the UHIMS Ecosystem
(for Identity and Access Management)
Michael Hodges, ITS, Identity and Access Management
What to talk about today?
• What is Pragmatic Programming?
• The UHIMS Ecosystem
• UHIMS Ecosystem Solutions
• Ecosystem Enhancements Under Way
• UHIMS Dreams and Blue Sky Visions
• Looking ahead, UH joins Internet2’s TIER
What is Pragmatic Programming?
• A book: “The Pragmatic Programmer, From Journeyman to Master”
• A mindset that will help you
  – Keep it DRY
  – KISS better
  – Decouple by design
  – Minimize technical debt
  – Future-proof apps
What is Pragmatic Programming?
• Keep it DRY – Don’t Repeat Yourself, a design principle.
  – Write code once, reference it as needed.
  – Don’t reinvent the wheel, if possible.
  – Leverage UHIMS solutions that fit your needs (it will be well worth the learning curve).
  – DRY requires good planning.
What is Pragmatic Programming?
• KISS better – Keep It Simple and Short, a design principle
  – Small, simple software subcomponents reduce complexity and are easier to manage.
  – Create only the subcomponents that you must create; keep your custom code footprint as small as possible.
  – Embrace integration, leverage existing solutions.
What is Pragmatic Programming?
• Decouple by design
  – Utilize Message Brokering
    • Increase availability/uptime
    • Increase flexibility
  – Conceptualize apps as
    • Message producers, and
    • Message consumers
What is Pragmatic Programming?
• Decouple by design
What is Pragmatic Programming?
• Minimize technical debt
  – Technical debt: the things you should have taken care of in your code, but didn’t, e.g.:
    • deferred features, deferred documentation, deferred regression tests, performance, etc.
  – Software entropy (a related concept)
    • Unaddressed technical debt increases software entropy.
    • Utilized software will be modified.
    • Modified software increases in complexity (unless successfully refactored).
What is Pragmatic Programming?
• A mindset that will help you
  – Keep it DRY
  – KISS better
  – Decouple by design
  – Minimize technical debt
  – Exceed expectations
  – Future-proof apps
What is Pragmatic Programming?
• Future-proof (one must try)
  – Align with the expanding UHIMS
    • Emerging Group/Authorization management practices.
    • Emerging 2nd factor authentication options.
    • Future End-User profile management.
    • Future attribute release consent options.
  – Leverage the work of other project teams
    • College of Ed’s WordPress plugin, Authorizer.
    • Bursar’s hosted eCommerce solution.
    • Internet2 community.
  – Anticipate TIER, an Internet2 IAM project
    • TIER: Trust and Identity in Education and Research.
    • Includes: Certs, Assurance, MFA, Shib, Grouper, COmanage, eduPerson, eduOrg, MACE Registries, IAM for higher ed.
What is Pragmatic Programming?
• Practical Pragmatic Examples
  – Report writing: output data to a CSV file for import to Excel.
  – CAS for authentication.
  – CAS attributes for authorization.
  – UH Groupings for authorization, anywhere that the “is member of” question comes up.
  – UH Message Broker to separate apps that publish (liberate) information from apps that consume information.
The UHIMS Ecosystem
• A non-chronological review of the development of the UHIMS Ecosystem
Diagram: UHIMS Ecosystem (circa 2015), University of Hawaii © 2015, TI-SYS-IAM, Revised 03/11/2015. Labels: Systems of Record (Banner, PS HR, RCUH, SECE, KFS, MyGrant); Person Events; Person Directory updates; Admin updates; Directory Services; AuthN/Z Services; Applications; and, added on the second of the two slides, the UHIMS Person Registry.
The UHIMS Ecosystem
• The roles UHIMS aggregates:
  – staff.civilService, staff.executive, staff.apt, staff.casual, staff.overload, staff.noDetails, staff.nonCompensated
  – faculty.communityCollege, faculty.university, faculty.medical, faculty.researcher, faculty.specialist, faculty.countyAgent, faculty.librarian, faculty.law, faculty.emeritus, faculty.overload, faculty.noDetails, faculty.courseInstructor, faculty.lecturer, faculty.teachingAssistant, faculty.researchAssistant
  – studentEmployee.workStudy, studentEmployee.studentHire
  – student.graduate.law, student.graduate.medical, student.graduate.noDetails, student.undergraduate.noDetails
  – student.other.apprenticeship, student.other.continuingEducation, student.other.postBaccalaureate, student.other.professional, student.other.vocational, student.other.undeclared
  – nonCreditStudent.noDetails, nonCreditStudent.etc
  – preStudent.noDetails, preStudent.accepted, preStudent.applicant
  – ohana, retiree, other
Diagram: the same UHIMS Ecosystem (circa 2015) figure, built up over the following slides (University of Hawaii © 2015, TI-SYS-IAM, Revised 03/11/2015; the layout is not recoverable from the transcript). Labels added to the Systems of Record and the UHIMS Person Registry: LDAP 389DS, AD (AuthN only), Grouper (AuthZ), CAS3 (AuthN), Shib IdP (AuthN), RADIUS (AuthN), Campus Wireless, Campus AD domains, registered Web Apps, federated Web Apps, Google@UH, UHIMC, BMT, WPMS, API, VIA, ACER, LISTSERV lists, UH Groupings, Campus OneCard, and the Msg Broker [exchanges] with Message Producers (PR) and Message Consumers (CON).
UHIMS Ecosystem Solutions
• Authentication Solutions:
  – CAS
  – Shibboleth
  – LDAP
• Authorization Solutions:
  – ACER
  – Grouper
  – UH Groupings and the UH Group Store
  – UHIMS Events
• Decoupling Solutions:
  – UH Message Broker
UHIMS Ecosystem Solutions, Authentication Solutions
• CAS – Central Authentication Service
  – Used by UH Apps for Authentication
  – Default Attribute Release Policy
    • UH Data Governance policies apply (E2.215).
    • IAM and the Data Governance Committee (DGC) have created SOPs for standard requests.
    • Non-standard requests, such as for hosted apps, must first be approved by the DGC.
    • https://www.hawaii.edu/bwiki/display/UHIAM/CAS+Default+Attribute+Release+Policy
    • http://www.hawaii.edu/uhdatagov/
UHIMS Ecosystem Solutions, Authentication Solutions
• CAS – Central Authentication Service
  – Attributes useful for Authorization:
    • eduPersonAffiliation (faculty)
    • eduPersonOrgDN (kauaicc)
    • uhOrgAffiliation (eduPersonOrgDn=kauaicc,eduPersonAffiliation=faculty)
    • uhAcknowledgement (generalConfidentialityNotice=20141231T000000)
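As an added example (not code from the deck or from UH), this is how an application could make an authorization decision from the CAS attributes named on this slide: the CAS 3.0 serviceValidate XML format and all sample values are assumptions constructed for the example, and the scoped uhOrgAffiliation value is used rather than pairing the two multi-valued attributes by hand.

```python
# Authorization from CAS attributes (deck slide 29). Added example, not UH code;
# assumes a CAS 3.0 /serviceValidate XML response; the sample below is constructed.
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}
SAMPLE_RESPONSE = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess><cas:user>jdoe</cas:user><cas:attributes>
    <cas:eduPersonAffiliation>faculty</cas:eduPersonAffiliation>
    <cas:eduPersonAffiliation>staff</cas:eduPersonAffiliation>
    <cas:eduPersonOrgDN>kauaicc</cas:eduPersonOrgDN>
    <cas:eduPersonOrgDN>honcc</cas:eduPersonOrgDN>
    <cas:uhOrgAffiliation>eduPersonOrgDn=kauaicc,eduPersonAffiliation=faculty</cas:uhOrgAffiliation>
    <cas:uhOrgAffiliation>eduPersonOrgDn=honcc,eduPersonAffiliation=staff</cas:uhOrgAffiliation>
    <cas:uhAcknowledgement>generalConfidentialityNotice=20141231T000000</cas:uhAcknowledgement>
  </cas:attributes></cas:authenticationSuccess>
</cas:serviceResponse>"""

def parse_cas_attributes(xml_text):
    """Return (user, {name: [values]}) from a CAS 3.0 response, or (None, {}) on failure."""
    success = ET.fromstring(xml_text).find("cas:authenticationSuccess", CAS_NS)
    if success is None:
        return None, {}
    attrs, attrs_el = {}, success.find("cas:attributes", CAS_NS)
    for el in (list(attrs_el) if attrs_el is not None else []):
        attrs.setdefault(el.tag.split("}", 1)[1], []).append((el.text or "").strip())
    return success.findtext("cas:user", namespaces=CAS_NS), attrs

def parse_pairs(value):
    """'k1=v1,k2=v2' -> {'k1': 'v1', 'k2': 'v2'}; items without '=' are ignored."""
    return dict(item.split("=", 1) for item in value.split(",") if "=" in item)

def is_faculty_at(attrs, campus):
    # Decide on the scoped uhOrgAffiliation value: pairing the two multi-valued lists yourself would wrongly accept this user as faculty at honcc.
    wanted = {"eduPersonOrgDn": campus, "eduPersonAffiliation": "faculty"}.items()
    return any(wanted <= parse_pairs(v).items() for v in attrs.get("uhOrgAffiliation", []))

def acknowledged(attrs, notice, now_iso, max_age_days):
    now = datetime.fromisoformat(now_iso)
    for v in attrs.get("uhAcknowledgement", []):
        stamp = parse_pairs(v).get(notice)  # stamp format from the deck: 20141231T000000
        if stamp:
            return now - datetime.strptime(stamp, "%Y%m%dT%H%M%S") <= timedelta(days=max_age_days)
    return False

def authorize(xml_text, campus, now_iso):
    """Authenticated, faculty at `campus`, and the confidentiality notice acknowledged within a year."""
    user, attrs = parse_cas_attributes(xml_text)
    if user is None:
        return False, "authentication failed"
    if not is_faculty_at(attrs, campus):
        return False, "not faculty at " + campus
    if not acknowledged(attrs, "generalConfidentialityNotice", now_iso, 365):
        return False, "confidentiality notice not acknowledged"
    return True, user
```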
UHIMS Ecosystem Solutions, Authentication Solutions
• CAS – Central Authentication Services
  – Web App Form: URLs must be registered
    • https://www.hawaii.edu/bwiki/display/UHIAM/Web+App+Registration+Form
  – Developer Documentation
    • https://www.hawaii.edu/bwiki/display/UHIAM/CAS3+Developer+Documentation
UHIMS Ecosystem Solutions, Authentication Solutions
• CAS – Central Authentication Services
  – Infrastructure (diagram): a Load Balancer running health checks in front of CAS (active), CAS (hot standby) and CAS (manual standby)
UHIMS Ecosystem Solutions, Authentication Solutions
• Shibboleth Identity Provider (UH IdP)
  – Used by non-UH apps for federated authentication
  – Attribute Release Policy
    • Tailored to the minimal requirements.
    • Targeted IDs used where possible to protect privacy.
  – Federated apps must be registered
    • Exception is apps in the Research and Scholarship category.
  – Infrastructure
    • Identical to CAS
UHIMS Ecosystem Solutions, Authentication Solutions
• LDAP, Lightweight Directory Access Protocol
  – Deprecated for authentication; use CAS
    • Exceptions are scrutinized.
    • The CAS attribute release policy is continually enhanced to mitigate the need.
  – Default Attribute Release Policy
    • Identical to CAS
    • Also subject to the IAM Data Governance Framework
UHIMS Ecosystem Solutions, Authorization Solutions
• Grouper
  – Addresses the fundamental “is member of” requirement and provides rich logic. For example:
    • Is the person a member of ITS, sits on the 6th floor of the ITC building, is currently taking credit classes, and therefore eligible for a tuition waiver?
  – Provides a UI and API.
  – Internet2 software, very active project.
  – Very popular in the higher ed community.
  – A component of TIER
UHIMS Ecosystem Solutions, Authorization Solutions
• A UH Grouping:
  – Is a simple or complex expression of group membership
  – Is composed of 3 groups, conceptually:
    • Basis, Include, Exclude
  – Has 1 or more Owners
  – Has 0 or more Members
  – Has properties that an Owner can configure
  – Is reusable, can serve multiple purposes
    • Application authorization (who can do what)
    • LISTSERV list publication (email notifications)
UHIMS Ecosystem Solutions, Authorization Solutions
• A UH Grouping example, UH Hilo email discussion list:
  – Basis group: all UH Hilo faculty
    • Automatically kept current by UHIMS
  – Include group (may be empty)
    • Others that would like to participate, such as RCUH employees at UH Hilo.
  – Exclude group (may be empty)
    • Those that wish to be left out of the discussions.
UHIMS Ecosystem Solutions, Authorization Solutions
Diagram: a UH Grouping composed of its Basis, Include and Exclude groups.
UHIMS Ecosystem Solutions, Authorization Solutions
Diagram: UH Grouping for the objective “implement a campus mailing list”. Basis: UHH Faculty; Include: a few RCUH Employees; Exclude: several dissatisfied individuals.
UHIMS Ecosystem Solutions, Authorization Solutions
• What can a UH Grouping be used for?
  – Email LISTSERV list management
    • No need to manually manage the entire list
  – Complex role-based permissions management.
  – Opt-in/out services, when members are suitably allowed.
  – Any combination of the above (reuse)
UHIMS Ecosystem Solutions, Authorization Solutions
• UH Grouping limitations?
  – Currently, members must have a UH Number.
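An added example, not UH Groupings code, modelling slides 35 to 40 in one place: the Basis/Include/Exclude composition, Owner-only edits, opt-out as an Owner-configurable property, the UH Number requirement (assumed here to be an 8-digit string) and the add/remove delta a LISTSERV publication needs; every member value is constructed.

```python
# UH Grouping model (deck slides 35-40): added example, not UH Groupings code.
# The 8-digit UH Number format and all sample members are constructed assumptions.

class UHGrouping:
    """Effective members = (Basis | Include) - Exclude; Exclude always wins."""

    def __init__(self, name, owners, basis=(), allow_opt_out=False):
        if not owners:
            raise ValueError("a UH Grouping has 1 or more Owners")
        self.name, self.owners = name, set(owners)
        self.basis = set(basis)                    # kept current automatically by UHIMS
        self.include, self.exclude = set(), set()  # Owner-managed
        self.allow_opt_out = allow_opt_out         # an Owner-configurable property

    @staticmethod
    def _uh_number(value):
        if not (value.isdigit() and len(value) == 8):  # slide 40: members must have a UH Number
            raise ValueError("not a UH Number: %r" % value)
        return value

    def _require_owner(self, actor):
        if actor not in self.owners:
            raise PermissionError("%s is not an Owner of %s" % (actor, self.name))

    def edit(self, actor, group, uh_number):
        """Owner-only change to the Include or Exclude group."""
        self._require_owner(actor)
        if group not in ("include", "exclude"):
            raise ValueError("group must be 'include' or 'exclude'")
        getattr(self, group).add(self._uh_number(uh_number))

    def opt_out(self, uh_number):
        """Self-service opt-out (slide 39), only where the Owner allows it."""
        if not self.allow_opt_out:
            raise PermissionError("opt-out is not enabled for " + self.name)
        self.exclude.add(self._uh_number(uh_number))

    def members(self):
        return (self.basis | self.include) - self.exclude

    def is_member(self, uh_number):
        return uh_number in self.members()  # the "is member of" question an app asks

    def publish_delta(self, published):
        """(to add, to remove) for a destination such as a LISTSERV list."""
        current, published = self.members(), set(published)
        return sorted(current - published), sorted(published - current)

def uhh_list_example():
    """The deck's UH Hilo discussion list, with constructed UH Numbers."""
    g = UHGrouping("uhh-discuss", owners={"listowner"}, allow_opt_out=True,
                   basis={"10000001", "10000002", "10000003"})  # all UHH faculty
    g.edit("listowner", "include", "20000001")  # an RCUH employee at UH Hilo
    g.opt_out("10000003")                        # a faculty member who wants out
    return g
```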
UHIMS Ecosystem Solutions, Authorization Solutions
• UHIMS Events:
  – UH Person Identity Messages published to the UH Message Broker.
  – A convenient way to receive identity, affiliation, and contact information.
  – Use for automatically updating on-board application authorization information.
UHIMS Ecosystem Solutions, Decoupling Solutions
• UH Message Broker:
  – Uses RabbitMQ, an open-source project
  – Simple to set up
  – Scalable
    • Behind India’s 1.2B person biometric database.
  – Separates message producers from message consumers
  – Messages are stored in Exchanges
UHIMS Ecosystem Solutions, Decoupling Solutions
• UH Message Broker implementations:
  – Banner producer, student enrollment and degree objective information.
  – HCC AD consumer, UHIMS Events
  – KFS consumer, UHIMS Events
  – myGrant consumer, UHIMS Events
  – MyUH consumer, UHIMS Events
  – SECE producer, SECE events
  – UHIMS consumer, Banner & SECE events
  – UHIMS producer, UHIMS Events
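An added example covering slides 41 to 43 (not UHIMS or RabbitMQ code): a consumer applying UHIMS Events to an on-boarded application's authorization table. The deck does not specify a message format, so the JSON schema and sample events are constructed; the transport (a queue bound to the broker's exchange) is left out, and the example handles the case a decoupled consumer must get right, a stale event arriving after a newer one.

```python
# UHIMS Events consumer (deck slides 41-43). Added example, not UHIMS or RabbitMQ
# code. The deck says only that events carry identity, affiliation and contact
# information, so the JSON schema here is constructed; transport (a queue bound
# to the broker's exchange) is left out.
import json

class AuthzTable:
    """An on-boarded app's local 'who can do what', updated only from events."""

    def __init__(self, granting_affiliations):
        self.granting = set(granting_affiliations)
        self.grants = {}     # uhNumber -> granting affiliations held (empty = no access)
        self.last_seen = {}  # uhNumber -> eventTime of the newest event applied

    def apply(self, raw):
        """Apply one event; returns the affiliations now granting access."""
        evt = json.loads(raw)
        uhn, ts = evt["uhNumber"], evt["eventTime"]  # ISO-8601 UTC: strings sort in time order
        # Replayed or out-of-order delivery must never resurrect access that a
        # newer event removed, so a stale event is acknowledged but not applied.
        if ts <= self.last_seen.get(uhn, ""):
            return sorted(self.grants.get(uhn, ()))
        self.last_seen[uhn] = ts
        affs = set() if evt["eventType"] == "personRemoved" else set(evt.get("affiliations", ()))
        self.grants[uhn] = affs & self.granting  # access lapses with the affiliation
        return sorted(self.grants[uhn])

    def can_access(self, uhn):
        return bool(self.grants.get(uhn))

# Constructed sample events in delivery order; the fourth is older than the
# retiree event but arrives after it.
SAMPLE_EVENTS = [
    '{"eventType":"personUpdated","uhNumber":"10000001","eventTime":"2015-12-22T10:00:00Z","affiliations":["faculty","staff"]}',
    '{"eventType":"personUpdated","uhNumber":"10000002","eventTime":"2015-12-22T10:05:00Z","affiliations":["student"]}',
    '{"eventType":"personUpdated","uhNumber":"10000001","eventTime":"2015-12-23T09:00:00Z","affiliations":["retiree"]}',
    '{"eventType":"personUpdated","uhNumber":"10000001","eventTime":"2015-12-22T12:00:00Z","affiliations":["faculty"]}',
    '{"eventType":"personRemoved","uhNumber":"10000002","eventTime":"2015-12-24T08:00:00Z"}',
]

def replay(raw_events, granting=("faculty", "staff")):
    """Feed events to a fresh table, as a consumer draining its queue would."""
    table = AuthzTable(granting)
    for raw in raw_events:
        table.apply(raw)
    return table
```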
Ecosystem Enhancements Under Way, 12-18 months
• Multifactor Authentication
  – Initially for faculty, staff (students later)
• UH Message Broker Infrastructure
  – Clustering for high availability
• CAS/Shib Infrastructure
  – Shib support for the CAS protocol
  – Clustering for high availability
• IAM Data Element Dictionary additions
  – uhScopedHomeOrg (primary campus, Banner/PS)
  – uhMemberOfGrouping (advanced AuthZ)
• UH Groupings UI improvements
UHIMS Dreams & Blue Sky Visions
• Multifactor Authentication
  – To protect all of our servers, inside and outside the data center.
  – As a requirement for all of our Admin apps.
  – As an opt-in service for the entire UH community.
UHIMS Dreams & Blue Sky Visions
• UH Groupings used ubiquitously
  – Comprehensive use of custom and automatic groups
  – Comprehensive enterprise-wide audit reports revealing who has access to what.
  – Automated enterprise provisioning/deprovisioning across all (applicable) apps.
  – Very easy to use for IT staff and users.
UHIMS Dreams & Blue Sky Visions
• UH Groupings, more publication destinations:
  – LDAP groups
  – Laulima groups
  – Google groups
• The exclusive LISTSERV list management mechanism (as a capability).
UHIMS Dreams & Blue Sky Visions
• Hands-on App Developer Workshops
  – CAS Authentication, externalized AuthN
  – UH Groupings, externalized AuthZ
  – UH Message Broker, messaging/decoupling
  – UHIMS Events
UHIMS Dreams & Blue Sky Visions
• ACER Integration
  – A full-function Acknowledgements and Certifications management solution.
  – System-wide online General Confidentiality Notices acceptance assertions.
  – System-wide online criminal background check assertions.
  – ACER enforcement for app access Authorizations.
UHIMS Dreams & Blue Sky Visions
• Personal Profile Management
  – View access to directory information.
  – Ability to change select directory information as needed.
  – Access to Group memberships.
  – Ability to opt-in/out of Groups as permitted.
  – Access to attribute release policies.
  – Ability to opt-in/out of attribute release policies as permitted.
For the Pragmatic, the UHIMS Ecosystem
Michael Hodges, ITS, Identity and Access Management