June 10-15, 2012
Growing Community; Growing Possibilities
Kevin Muller, Fordham University; Bill Thompson, Unicon
Identity & Access Management Background
2012 Jasig Sakai Conference 2
History
◦ 2007: Selected the Sun Identity Manager for IAM
◦ 2008: Launched the university portal, Luminis
  Sun IdM was integrated with Sungard’s Banner ERP to actively provision and synchronize accounts
  Sun IdM was integrated via links on the Luminis portal login page, to provide for account claiming and password management
  Luminis portal authenticated against the Sun IdM LDAP, but replicated and stored password information into Luminis upon login
  Luminis keeps certain additional authentication data, for use with single sign-on processing
History (cont’d)
◦ 2009: Efforts began to migrate to & leverage native Luminis account claiming, instead of the Sun IdM
◦ 2009: A new LDAP was developed, using replicated information from the Luminis internal LDAP
  This effort was delayed, as the SunOne Directory Server version (v5.2) does not support partial replication
  It was decided that a full replica would be used instead, so that the project would not be delayed further
  The new LDAP schema was extended to include eduPerson attributes
History (cont’d)
◦ 2010: Jasig CAS is selected as Fordham’s future single sign-on (SSO) platform
◦ 2011: Fordham partners with Unicon to assist with the installation and support of CAS
  CAS is piloted to provide SSO to OrgSync, a student activities portal
  CAS is then selected to facilitate portal-initiated SSO to Gmail & Google Apps for the student population
◦ 2012: Fordham partners with Unicon to extend the basic CAS platform to support attribute-based authorization control, in addition to authentication
Why we decided to extend CAS
In 2012, Sungard (now Ellucian) announced efforts to sunset the Luminis IV portal
For several years, their next portal release, Luminis 5, has been delayed and stalled
◦ Therefore, we did not consider Luminis 5 as a reasonable option for Fordham’s migration path
◦ Fordham’s Internet Services team began preliminary design of a portal framework, using a combination of public and secure content
Luminis presents role-based tabbed content
◦ Moving forward, we would seek to secure certain attribute-based content leveraging CAS
Old portal, old all-in-one architecture
New portal, secured through ABAC CAS
Our vision is based upon a hybrid model
Content will be pulled from public, secured, and dynamic secured sources
CAS will be the authentication method, whenever possible
Secured content will be “locked down” to appropriate attribute-based access
Dynamic content will be additionally checked via userid, for finer-grained, ERP-based access control
Alumni events are also viewable by the public
Alumni events administration is IIS secured
Alumni events administration folder and pages will now be controlled by authorized attributes (roles) in the CAS configuration file
Technical Solution: ABAC for CAS
Design Goals and Approach
As simple as possible
Don’t fork, extend
Easy to configure
Leverage SWF-based login flow
Leverage Person Registry
Implement JSON-based Services Registry
State Diagram
State Diagram (cont’d)
login-flow.xml

<action-state id="generateServiceTicket">
    <!-- Custom service RBAC authorization check -->
    <on-entry>
        <evaluate expression="serviceAuthorizationAction"/>
    </on-entry>
    <evaluate expression="generateServiceTicketAction"/>
    <transition on="success" to="warn"/>
    <transition on="error" to="generateLoginTicket"/>
    <transition on="gateway" to="gatewayServicesManagementCheck"/>
</action-state>

<!-- Service RBAC external redirect -->
<end-state id="serviceAuthorizationFailureRedirectView"
           view="externalRedirect:${requestScope.authorizationFailureRedirectUrl}"/>
Like, groovy registry, man :)

In-memory data store for the ServiceRegistry that reads the services definition from the /etc/cas/servicesRegistry.conf JSON file

<lang:groovy id="serviceRegistryDao"
             script-source="/WEB-INF/groovy/JsonServiceRegistryDao.groovy"
             init-method="init">
    <lang:property name="servicesConfigFile" value="file:/etc/cas/servicesRegistry.conf"/>
</lang:groovy>

void init() {
    // Deserialize the JSON file and hand the parsed services to the delegate DAO
    def mapper = new ObjectMapper()
    def servicesCollection = mapper.readValue(servicesConfigFile.file, RegisteredServicesCollection.class)
    this.delegateServiceRegistryDao.registeredServices = servicesCollection.services
}
servicesRegistry.conf

{
  "services": [
    {
      "id": "1",
      "serviceId": "https://www.google.com",
      "name": "GOOGLE",
      "description": "Test Google service",
      "evaluationOrder": "1",
      "extraAttributes": {
        "authzAttributes": {
          "eduPersonAffiliation": ["student_current", "alumni"]
        },
        "unauthorizedRedirectUrl": "https://www.google.com?q=un"
      }
    },
    { more services... }
  ]
}
https://github.com/Unicon/cas-addons
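To make the login-flow step concrete, here is an added Python model (not Unicon's cas-addons code, which is Groovy/Java) of the decision serviceAuthorizationAction makes from a servicesRegistry.conf like the one above: load the registry, match the requested service, and compare the principal's LDAP attributes against the service's authzAttributes. Assumptions: a service matches by serviceId prefix, each authzAttributes key requires at least one of its listed values, and the service entries, URLs and principals are constructed.

```python
# Added illustrative model of the ABAC service check in the slides; not Unicon's
# cas-addons code. Assumptions: a service matches when the requested URL starts
# with its serviceId; a principal is authorized when, for every key under
# authzAttributes, at least one listed value is among the principal's values.
import json

# Constructed registry in the servicesRegistry.conf shape shown on the slide.
REGISTRY_JSON = """
{"services": [
  {"id": "1", "serviceId": "https://www.google.com", "name": "GOOGLE",
   "evaluationOrder": "1", "extraAttributes": {
     "authzAttributes": {"eduPersonAffiliation": ["student_current", "alumni"]},
     "unauthorizedRedirectUrl": "https://portal.example.edu/unauthorized"}},
  {"id": "2", "serviceId": "https://events.example.edu/admin", "name": "EVENTS-ADMIN",
   "evaluationOrder": "2", "extraAttributes": {
     "authzAttributes": {"eduPersonAffiliation": ["staff"],
                         "department": ["alumni-relations"]},
     "unauthorizedRedirectUrl": "https://portal.example.edu/unauthorized"}},
  {"id": "3", "serviceId": "https://www.example.edu/public", "name": "PUBLIC",
   "evaluationOrder": "3", "extraAttributes": {}}
]}
"""

def load_registry(text):
    """Parse the JSON and order services by evaluationOrder (a string in the file)."""
    return sorted(json.loads(text)["services"], key=lambda s: int(s["evaluationOrder"]))

def find_service(registry, service_url):
    """First service (in evaluation order) whose serviceId prefixes the URL, else None."""
    return next((s for s in registry if service_url.startswith(s["serviceId"])), None)

def authorize(registry, service_url, principal_attrs):
    """Mirror the login-flow outcomes: ('success', None) to go on and issue the
    service ticket, ('error', None) for an unregistered service, or
    ('unauthorized', redirect_url) when an authzAttributes rule is not satisfied."""
    svc = find_service(registry, service_url)
    if svc is None:
        return ("error", None)
    extra = svc.get("extraAttributes", {})
    for attr, allowed in extra.get("authzAttributes", {}).items():
        # LDAP attributes may be single- or multi-valued; normalize to a set.
        have = principal_attrs.get(attr, [])
        have = {have} if isinstance(have, str) else set(have)
        if not have.intersection(allowed):
            return ("unauthorized", extra.get("unauthorizedRedirectUrl"))
    return ("success", None)  # no authzAttributes means authentication only
```

A service with an empty extraAttributes block is authentication-only, which is how public content keeps working beside attribute-locked content in the same registry.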
How has it worked out so far?
As with many near-sourced efforts, transition is sometimes tricky
◦ Some coordinated handoff and fine-tuning was necessary for the new ABAC CAS to work as spec’ed
Since then, we have piloted ABAC CAS for:
◦ IIS-hosted secure content
◦ JSP Tomcat-hosted content
◦ And soon… PHP-based content, as well
Plus, we’ve integrated the ABAC CAS security into our future-scape Grails-based, responsive web design initiative
What worked well? What surprises did we encounter?
Out of the box, our only rework was to integrate with our actual LDAP attribute data
◦ Development was performed without access to the LDAP
Grails-based framework integration also posed some interesting challenges
◦ The Ellucian (formerly SungardHE) mobile connect framework was considered CAS-friendly, but in reality, proved difficult to extend
◦ However, the difficulty with integration was NOT specifically related to the ABAC extensions
Questions, comments, suggestions…
Contact info: Kevin – [email protected]; Bill – [email protected]