June 10-15, 2012 Growing Community; Growing Possibilities Kevin Muller, Fordham University Bill Thompson, Unicon


Page 1: June 10-15, 2012 Growing Community; Growing Possibilities Kevin Muller, Fordham University Bill Thompson, Unicon

June 10-15, 2012

Growing Community; Growing Possibilities

Kevin Muller, Fordham University

Bill Thompson, Unicon

Page 2

Identity & Access Management Background

2012 Jasig Sakai Conference 2

Page 3

History

◦ 2007: Selected the Sun Identity Manager for IAM

◦ 2008: Launched the university portal, Luminis

Sun IdM was integrated with Sungard’s Banner ERP to actively provision and synchronize accounts

Sun IdM was integrated via links on the Luminis portal login page, to provide for account claiming and password management

The Luminis portal authenticated against the Sun IdM LDAP, but replicated and stored password information into Luminis upon login

Luminis keeps certain additional authentication data, for use with single sign-on processing

Page 4

History (cont’d)

◦ 2009: Efforts began to migrate to & leverage native Luminis account claiming, instead of the Sun IdM

◦ 2009: A new LDAP was developed, using replicated information from the Luminis internal LDAP

This effort was delayed, as the SunOne Directory Server version (v5.2) does not support partial replication

It was decided that a full replica would be used instead, so that the project would not be delayed further

The new LDAP schema was extended to include eduPerson attributes

Page 5

History (cont’d)

◦ 2010: Jasig CAS is selected as Fordham’s future single sign-on (SSO) platform

◦ 2011: Fordham partners with Unicon to assist with the installation and support of CAS

CAS is piloted to provide SSO to OrgSync, a student activities portal

CAS is then selected to facilitate portal-initiated SSO to Gmail & Google Apps for the student population

◦ 2012: Fordham partners with Unicon to extend the basic CAS platform to support attribute-based authorization control, in addition to authentication

Page 6

Why we decided to extend CAS

Page 7

In 2012, Sungard (now Ellucian) announced efforts to sunset the Luminis IV portal

For several years, their next portal release, Luminis 5, has been delayed and stalled

◦ Therefore, we did not consider Luminis 5 as a reasonable option for Fordham’s migration path

◦ Fordham’s Internet Services team began preliminary design of a portal framework, using a combination of public and secure content

Luminis presents role-based tabbed content

◦ Moving forward, we would seek to secure certain attribute-based content leveraging CAS

Page 8

Old portal, old all-in-one architecture

Page 9

New portal, secured through ABAC CAS

Page 10

Our vision is based upon a hybrid model

Content will be pulled from public, secured, and dynamic secured sources

CAS will be the authentication method, whenever possible

Secured content will be “locked down” to appropriate attribute-based access

Dynamic content will be additionally checked via userid, for finer-grained, ERP-based access control

Page 11

Alumni events are also viewable by the public

Page 12

Alumni events administration is IIS secured

Page 13

Alumni events administration folder and pages will now be controlled by authorized attributes (roles) in the CAS configuration file

Page 14

Technical Solution

ABAC for CAS

Page 15

Design Goals and Approach

As simple as possible

Don’t fork, extend

Easy to configure

Leverage SWF-based login flow

Leverage Person Registry

Implement JSON-based Services Registry

Page 16

State Diagram

Page 17

State Diagram (cont’d)

Page 18

login-flow.xml

<action-state id="generateServiceTicket">
  <!-- Custom service RBAC authorization check -->
  <on-entry>
    <evaluate expression="serviceAuthorizationAction"/>
  </on-entry>
  <evaluate expression="generateServiceTicketAction"/>
  <transition on="success" to="warn"/>
  <transition on="error" to="generateLoginTicket"/>
  <transition on="gateway" to="gatewayServicesManagementCheck"/>
</action-state>

<!-- Service RBAC external redirect -->
<end-state id="serviceAuthorizationFailureRedirectView" view="externalRedirect:${requestScope.authorizationFailureRedirectUrl}"/>

Page 19

Like, groovy registry, man :)

In-memory data store for the ServiceRegistry that reads the services definition from the /etc/cas/servicesRegistry.conf JSON file

<lang:groovy id="serviceRegistryDao" script-source="/WEB-INF/groovy/JsonServiceRegistryDao.groovy" init-method="init">
  <lang:property name="servicesConfigFile" value="file:/etc/cas/servicesRegistry.conf"/>
</lang:groovy>

void init() {
  // Parse the JSON file with Jackson and hand the resulting list to the delegate DAO
  def mapper = new ObjectMapper()
  def servicesCollection = mapper.readValue(servicesConfigFile.file, RegisteredServicesCollection.class)
  this.delegateServiceRegistryDao.registeredServices = servicesCollection.services
}

Page 20

servicesRegistry.conf

{
  "services": [
    {
      "id": "1",
      "serviceId": "https://www.google.com",
      "name": "GOOGLE",
      "description": "Test Google service",
      "evaluationOrder": "1",
      "extraAttributes": {
        "authzAttributes": {
          "eduPersonAffiliation": ["student_current", "alumni"]
        },
        "unauthorizedRedirectUrl": "https://www.google.com?q=un"
      }
    },
    { more services... }
  ]
}

https://github.com/Unicon/cas-addons
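The pieces shown on the last three slides (the on-entry serviceAuthorizationAction in login-flow.xml, the JSON registry, and the authzAttributes block of a service entry) fit together into one decision, which the following Python models as an added example. It is not code from the deck, from Fordham or Unicon, or from the cas-addons project. It assumes the registry format shown on the slide; it assumes a requested service URL matches a registered serviceId only when scheme and host are identical and the path starts with the serviceId's path (the slides do not state the real matching rule); and it assumes that every attribute listed under authzAttributes must share at least one value with the user's LDAP attributes. The ALUMNI_EVENTS_ADMIN entry, its URL, and the user attribute maps are constructed for the example.

```python
"""Attribute-based service authorization for a CAS-style login flow.

Added example, not the deck's, Fordham's, Unicon's or cas-addons' code.
It models the check that runs on entry to generateServiceTicket: find the
requested service in servicesRegistry.conf, compare its authzAttributes
with the attributes CAS resolved for the user from LDAP, and either allow
the service ticket or send the user to that service's unauthorizedRedirectUrl.
"""
import json
from urllib.parse import urlparse

# Constructed registry in the slide's format. The GOOGLE entry is the one on
# the slide; ALUMNI_EVENTS_ADMIN, its URL and its attribute values are made up.
SERVICES_REGISTRY_CONF = """
{
  "services": [
    {
      "id": "1",
      "serviceId": "https://www.google.com",
      "name": "GOOGLE",
      "description": "Test Google service",
      "evaluationOrder": "1",
      "extraAttributes": {
        "authzAttributes": {
          "eduPersonAffiliation": ["student_current", "alumni"]
        },
        "unauthorizedRedirectUrl": "https://www.google.com?q=un"
      }
    },
    {
      "id": "2",
      "serviceId": "https://portal.example.edu/alumni-admin",
      "name": "ALUMNI_EVENTS_ADMIN",
      "description": "Constructed: alumni events administration pages",
      "evaluationOrder": "2",
      "extraAttributes": {
        "authzAttributes": {
          "eduPersonAffiliation": ["staff"],
          "eduPersonEntitlement": ["urn:example:alumni-events-admin"]
        },
        "unauthorizedRedirectUrl": "https://portal.example.edu/unauthorized"
      }
    }
  ]
}
"""


def load_registry(conf_text):
    """Parse the JSON registry and order it by evaluationOrder.

    The slide stores evaluationOrder as a string, so it is cast to int here
    to avoid "10" sorting before "2".
    """
    services = json.loads(conf_text)["services"]
    return sorted(services, key=lambda s: int(s["evaluationOrder"]))


def matches(service_id, requested_url):
    """Assumed matching rule: same scheme and host, and the requested path
    starts with the registered path. Comparing the host exactly keeps a
    look-alike host from inheriting a registered service's attribute policy."""
    sid, req = urlparse(service_id), urlparse(requested_url)
    if (sid.scheme, sid.netloc) != (req.scheme, req.netloc):
        return False
    return req.path.startswith(sid.path)


def find_service(registry, requested_url):
    """First registered service (in evaluation order) that matches the URL."""
    for svc in registry:
        if matches(svc["serviceId"], requested_url):
            return svc
    return None


def authorize(svc, user_attributes):
    """True when the user satisfies every authzAttributes constraint.

    Each listed attribute must be present on the user and share at least one
    value with the allowed list. A service without authzAttributes requires
    authentication only. LDAP attributes may be single- or multi-valued.
    """
    required = svc.get("extraAttributes", {}).get("authzAttributes", {})
    for attr, allowed in required.items():
        have = user_attributes.get(attr, [])
        if isinstance(have, str):
            have = [have]
        if not set(have) & set(allowed):
            return False
    return True


def service_authorization_action(registry, requested_url, user_attributes):
    """Outcome of the on-entry check: 'success' lets generateServiceTicket
    proceed, 'error' models an unregistered service (the flow returns to
    generateLoginTicket), and 'redirect' carries the unauthorizedRedirectUrl
    that the serviceAuthorizationFailureRedirectView end-state would use."""
    svc = find_service(registry, requested_url)
    if svc is None:
        return {"outcome": "error", "reason": "service not registered"}
    if authorize(svc, user_attributes):
        return {"outcome": "success", "service": svc["name"]}
    return {"outcome": "redirect",
            "url": svc["extraAttributes"]["unauthorizedRedirectUrl"]}


if __name__ == "__main__":
    registry = load_registry(SERVICES_REGISTRY_CONF)
    alum = {"eduPersonAffiliation": ["alumni"]}
    print(service_authorization_action(registry, "https://www.google.com/a/fordham.edu", alum))
    print(service_authorization_action(registry, "https://portal.example.edu/alumni-admin/events", alum))
```

The decision is deliberately deny-by-default: a missing attribute, an empty intersection, or an unregistered service all stop the service ticket from being issued, and only the configured unauthorizedRedirectUrl leaves the flow. Per-user checks against the ERP, which slide 10 describes for dynamic content, happen downstream of this and are not modelled here.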

Page 21

How has it worked out so far?

Page 22

As with many near-sourced efforts, transition is sometimes tricky

◦ Some coordinated handoff and fine-tuning was necessary for the new ABAC CAS to work as spec’ed

Since then, we have piloted ABAC CAS for:

◦ IIS-hosted secure content

◦ JSP Tomcat-hosted content

◦ And soon… PHP-based content, as well

Plus, we’ve integrated the ABAC CAS security into our future-scape Grails-based, responsive web design initiative

Page 23

What worked well? What surprises did we encounter?

Page 24

Out of the box, our only rework was to integrate with our actual LDAP attribute data

◦ Development was performed without access to the LDAP

Grails-based framework integration also posed some interesting challenges

◦ The Ellucian (formerly SungardHE) mobile connect framework was considered CAS-friendly, but in reality, proved difficult to extend

◦ However, the difficulty with integration was NOT specifically related to the ABAC extensions

Page 25

Questions, comments, suggestions…

Page 26

Contact info:

Kevin – [email protected]

[email protected]