june 10-15, 2012 growing community; growing possibilities kevin muller, fordham university bill...

Post on 04-Jan-2016

215 Views

Category:

Documents

2 Downloads

Preview:

Click to see full reader

TRANSCRIPT

June 10-15, 2012

Growing Community; Growing Possibilities

Kevin Muller, Fordham UniversityBill Thompson, Unicon

Identity & Access Management Background

2012 Jasig Sakai Conference 2

History◦ 2007: Selected the Sun Identity Manager for IAM◦ 2008: Launched the university portal, Luminis

Sun IdM was integrated with Sungard’s Banner ERP to actively provision and synchronize accounts

Sun IdM was integrated via links on the Luminis portal login page, to provide for account claiming and password management

Luminis portal authenticated against the Sun Idm LDAP, but replicated and stored password information into Luminis upon login

Luminis keeps certain additional authentication data, for use with single sign-on processing

2012 Jasig Sakai Conference 3

History (cont’d)

◦ 2009: Efforts began to migrate to & leverage native Luminis account claiming, instead of the Sun IdM

◦ 2009: A new LDAP was developed, using replicated information from the Luminis internal LDAP This effort was delayed, as the SunOne Directory

Server version (v5.2) does not support partial replication

It was decided that a full replica would be used instead, so that the project would not be delayed further

The new LDAP schema was extended to include eduPerson attributes

2012 Jasig Sakai Conference 4

History (cont’d)

◦ 2010: Jasig CAS is selected as Fordham’s future single sign-on (SSO) platform

◦ 2011: Fordham partners with Unicon to assist with the installation and support of CAS CAS is piloted to provide SSO to OrgSync, a student

activities portal CAS is then selected to facilitate portal-initiated SSO

to Gmail & Google Apps for the student population◦ 2012: Fordham partners with Unicon to extend

the basic CAS platform to support attribute-based authorization control, in addition to authentication

2012 Jasig Sakai Conference 5

Why we decided to extend CAS

2012 Jasig Sakai Conference 6

In 2012, Sungard (now Ellucian) announced efforts to sunset the Luminis IV portal

For several years, their next portal release, Luminis 5, has been delayed and stalled ◦ Therefore, we did not consider Luminis 5 as a

reasonable option for Fordham’s migration path◦ Fordham’s Internet Services team began

preliminary design of a portal framework, using a combination of public and secure content

Luminis presents role-based tabbed content◦ Moving forward, we would seek to secure certain

attribute-based content leveraging CAS

2012 Jasig Sakai Conference 7

Old portal, old all-in-one architecture

2012 Jasig Sakai Conference 8

New portal, secured through ABAC CAS

2012 Jasig Sakai Conference 9

Our vision is based upon a hybrid model Content will be pulled from public, secured,

and dynamic secured sources CAS will be the authentication method,

whenever possible Secured content will be “locked down” to

appropriate attribute-based access Dynamic content will be additionally

checked via userid, for finer-grained, ERP-based access control

2012 Jasig Sakai Conference 10

Alumni events are also viewable by the public

2012 Jasig Sakai Conference 11

Alumni events administration is IIS secured

2012 Jasig Sakai Conference 12

Alumni events administration folder and pages will now be controlled by authorized attributes (roles) in the CAS configuration file

2012 Jasig Sakai Conference 13

2012 Jasig Sakai Conference

Technical SolutionTechnical SolutionABAC for CAS

2012 Jasig Sakai Conference

As simple as possible Don’t fork, extend Easy to configure

Leverage SWF-based login flow Leverage Person Registry Implement JSON-based Services Registry

Design Goals and ApproachDesign Goals and Approach

2012 Jasig Sakai Conference

State DiagramState Diagram

2012 Jasig Sakai Conference

State Diagram State Diagram (cont’d)(cont’d)

2012 Jasig Sakai Conference

login-flow.xmllogin-flow.xml <action-state id="generateServiceTicket"> <!-- Custom service RBAC authorization check --> <on-entry> <evaluate expression="serviceAuthorizationAction"/> </on-entry> <evaluate expression="generateServiceTicketAction"/> <transition on="success" to="warn"/> <transition on="error" to="generateLoginTicket"/> <transition on="gateway" to="gatewayServicesManagementCheck"/> </action-state><!-- Service RBAC external redirect -->

<end-state id="serviceAuthorizationFailureRedirectView" view="externalRedirect:${requestScope.authorizationFailureRedirectUrl}"/>

2012 Jasig Sakai Conference

Like, groovy registry, Like, groovy registry, man :)man :)In-memory data store for the ServiceRegistry that reads the services definition from /etc/cas/servicesRegistry.conf JSON file

<lang:groovy id="serviceRegistryDao“ script-source="/WEB-INF/groovy/JsonServiceRegistryDao.groovy“ init-method="init"> <lang:property name="servicesConfigFile" value="file:/etc/cas/servicesRegistry.conf"/></lang:groovy>void init() { def mapper = new ObjectMapper() def servicesCollection = mapper.readValue(servicesConfigFile.file, RegisteredServicesCollection.class) this.delegateServiceRegistryDao.registeredServices = servicesCollection.services}

2012 Jasig Sakai Conference

{ "services":[ { "id":"1", "serviceId":"https://www.google.com", "name":"GOOGLE", "description":"Test Google service", "evaluationOrder":"1", "extraAttributes":{ "authzAttributes":{ "eduPersonAffiliation":["student_current", "alumni"] }, "unauthorizedRedirectUrl":https://www.google.com?q=un } }

{ more services...}}

servicesRegistry.confservicesRegistry.conf

https://github.com/Unicon/cas-addons

How has it worked out so far?

2012 Jasig Sakai Conference 21

As with many near-sourced efforts, transition is sometimes tricky◦ Some coordinated handoff and fine-tuning was

necessary for the new ABAC CAS to work as spec’ed

Since then, we have piloted ABAC CAS for:◦ IIS-hosted secure content◦ JSP Tomcat-hosted content◦ And soon… PHP-based content, as well

Plus, we’ve integrated the ABAC CAS security into our future-scape Grails-based, responsive web design initiative

2012 Jasig Sakai Conference 22

What worked well? What surprises did we encounter?

2012 Jasig Sakai Conference 23

Out of the box, our only rework was to integrate with our actual LDAP attribute data◦ Development was performed without access to

the LDAP Grails-based framework integration also

posed some interesting challenges◦ The Ellucian (formerly SungardHE) mobile connect

framework was considered CAS-friendly, but in reality, proved difficult to extend

◦ However, the difficulty with integration was NOT specifically related to the ABAC extensions

2012 Jasig Sakai Conference 24

Questions, comments, suggestions…

2012 Jasig Sakai Conference 25

Contact info:Kevin – kemuller@fordham.eduBill – wgthom@unicon.net

2012 Jasig Sakai Conference 26

top related