User Management and SSO for Austrian Government


Uploaded by: boris-kraft

Posted on: 29-Nov-2014


DESCRIPTION

Austrian law mandates a standardized system for user management and single sign-on (SSO) for use in Austrian government institutions. The LFRZ is one of the main providers of conformant software solutions for this sector. We show how Magnolia was integrated into this system, and the challenges faced and overcome in doing so.

TRANSCRIPT

Page 1: User Management and SSO for Austrian Government

Welcome.

Page 2: User Management and SSO for Austrian Government

Magnolia user management and SSO for Austrian government sector

Magnolia Conference 2012 – Technical Track

Presented by Richard Unger and Rihard Monovic

Page 3: User Management and SSO for Austrian Government


Agenda

1 About RISE & LFRZ

2 SSO in Austrian government

3 Requirements and challenges

4 Implementation


Page 4: User Management and SSO for Austrian Government

About RISE and LFRZ

Page 5: User Management and SSO for Austrian Government

About RISE and LFRZ – Partnership

RISE partner for industry

LFRZ partner for government


Page 6: User Management and SSO for Austrian Government

About RISE

Corporation, www.rise-world.com

TU spin-off, founded 1987, TU Vienna

INSO – the think tank of RISE, 40 PhDs

Competences:

More than 300 world-class IT engineers & architects

Highly acknowledged R&D enterprise in Europe

Top developer (e.g. part of the world-wide Java/Eclipse provider community, component delivery)

Specialists in IT infrastructure and IT integration

Top experts in e.g. IT architecture, IT strategy, IT security, usability, transport IT, system performance

Locations:

HQ in Schwechat/Airport and Vienna; offices in several countries

RISE personnel works world-wide


Page 7: User Management and SSO for Austrian Government


About RISE - Project examples

2003 – 2006: ID card for all Austrians + country-wide IT infrastructure: 8 million electronic ID cards, 24,000 specially designed components for offices, delivered in 24 months

2005 – 2008: overall health network in Germany; architecture, planning and project/program management for the at that time largest IT project in Europe (1.8 billion €); design at CeBIT 2005, led until 2008

2009 – 2012: country-wide ticketing for railway / public transport in Austria, 10 million tickets/year, highly complex interoperability, all access channels (clerk counter, POS automat, internet, travel agent, mobile phone)

2007 – 2008: design and architecture of the government network plus the school & health network of Qatar, including NOC (network operating center) and SOC (security operating center)

1993 – today: IT infrastructure, software projects, rollouts, IT architectures for e.g. MoI, MoH, MoF, MoA, MoS, MoX… in several countries


Page 8: User Management and SSO for Austrian Government


About RISE - Clients

AMS Österreich

Oesterreichische Kontrollbank AG

Bank Austria Treasury – merger & system upgrades

Austrian universities – overall IT strategy

Bundesrechenzentrum – test and multi-project management

Federal administration – ELAK rollout

Die Presse – IT portfolio

Dresdner Bank

Federal Ministry of Health, Berlin

Ministry of Justice, United Arab Emirates

ICT Qatar (entire ICT portfolio)

Usability and web strategy of the Indian government

Qatar Foundation (infrastructure planning)

e-Government strategy, Libya


Page 9: User Management and SSO for Austrian Government

About LFRZ

“Land-, forst- & wasserwirtschaftliches Rechenzentrum GmbH” – www.lfrz.at

IT service provider located in Vienna, owned by the Austrian “ministry of agriculture”, which is also the principal customer

approx. 30 employees + external consultants

focus is on GIS, SSO, custom application development in Java, data integration, IT operations and CMS


Page 10: User Management and SSO for Austrian Government

About LFRZ - Clients

LFRZ’s principal customer; principal website: www.lebensministerium.at


Page 11: User Management and SSO for Austrian Government

SSO in Austrian government

Page 12: User Management and SSO for Austrian Government

SSO in Austrian government

Principal customer – “Lebensministerium”

120 editors

30+ websites

different departments, different offices in different cities

existing SSO solution

windows login enables access to all assigned applications


Page 13: User Management and SSO for Austrian Government

SSO in Austrian government

SSO solution

“Portalverbund der Österreichischen Behörden”

use is mandated by law

standardized protocols, different implementations

de-central rights management

different portal providers, different application providers


Page 14: User Management and SSO for Austrian Government

SSO in Austrian government

SSO solution “Portalverbund”

Systems involved: “proxy-based” solution, home-portal, application-portal

Role model: similar to J2EE – users have roles in an application

PVP protocol: SSO information provided in HTTP headers


Page 15: User Management and SSO for Austrian Government

SSO in Austrian government

SSO solution “Portalverbund”

[Diagram: home-portal → application-portal → application; user infos are passed in HTTP headers at each hop]

Page 16: User Management and SSO for Austrian Government

Requirements and challenges

Page 17: User Management and SSO for Austrian Government

SSO – requirements and challenges

Manageable roles and groups

Old CMS had SSO Integration

Old CMS did not use ACLs

120 editors needed 700 groups!!!

Synchronization of Portalverbund LDAP and CMS

Incredibly confusing!


Page 18: User Management and SSO for Austrian Government

SSO – requirements and challenges

Requirements

SSO – automatic login

Roles and groups normally managed in Magnolia

Roles and groups also assignable via PVP headers (mappings)

Permissions (ACLs) managed in Magnolia

Automatic user creation on login

“Preemptive” user creation from LDAP GUI


Page 19: User Management and SSO for Austrian Government

SSO – requirements and challenges

Challenges

Integrating SSO

How to handle permissions (ACLs)

Keeping roles and groups manageable

Implementing GUIs in Magnolia


Page 20: User Management and SSO for Austrian Government

Implementation

Page 21: User Management and SSO for Austrian Government

SSO – implementation in Magnolia

Custom modules

vaadin-preintegration: use Vaadin in Magnolia 4.4.x

pvp-jaas: SSO integration, LDAP integration


Page 22: User Management and SSO for Austrian Government

SSO – implementation in Magnolia

Module pvp-jaas

LoginHandler

PVPCallback (JAAS callback)

PVPAuthenticationModule (JAAS module)

and: LDAP user page (Vaadin based GUI)


Page 23: User Management and SSO for Austrian Government

SSO – implementation in Magnolia

Module pvp-jaas


Page 24: User Management and SSO for Austrian Government

SSO – implementation in Magnolia


Module pvp-jaas

Configuration via content2bean

Group & role mappings possible

Auto-update of user infos (marriage, change of office, etc.)
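The following is an added illustration, not LFRZ's pvp-jaas code, of the structure these slides describe: a JAAS LoginModule that takes the user and role information the application-portal injects into HTTP headers and maps portal roles to CMS groups from configuration. The header names X-PVP-USERID and X-PVP-ROLES, the option-key format role.<portalRole>, the PvpHeaderCallback class and the assumption that the portal proxy overwrites any client-supplied copies of those headers are all mine, not taken from the slides.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

// Hypothetical callback: carries the HTTP headers the application-portal set on the request.
class PvpHeaderCallback implements Callback { final Map<String, String> headers = new HashMap<>(); }
class PvpPrincipal implements Principal {
    private final String name;
    PvpPrincipal(String name) { this.name = name; }
    public String getName() { return name; }
}
public class ExamplePvpLoginModule implements LoginModule {
    private Subject subject;
    private CallbackHandler handler;
    private final Map<String, String> roleToGroup = new HashMap<>(); // portal role -> CMS group
    private final Set<String> groups = new LinkedHashSet<>();
    private String userId;
    public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> options) {
        subject = s; handler = h;
        // Mapping read from JAAS options "role.<portalRole>=<group>" (the slides configure it via content2bean).
        for (Map.Entry<String, ?> e : options.entrySet())
            if (e.getKey().startsWith("role.")) roleToGroup.put(e.getKey().substring(5), String.valueOf(e.getValue()));
    }
    public boolean login() throws LoginException {
        PvpHeaderCallback cb = new PvpHeaderCallback();
        try { handler.handle(new Callback[] { cb }); }
        catch (IOException | UnsupportedCallbackException e) { throw new LoginException(e.getMessage()); }
        // Header names are placeholders. The values are trusted only because the portal proxy sets them,
        // so the proxy must overwrite any same-named header a client sent (deployment assumption).
        userId = cb.headers.get("X-PVP-USERID");
        if (userId == null || userId.isEmpty()) throw new FailedLoginException("no PVP user id in headers");
        for (String r : cb.headers.getOrDefault("X-PVP-ROLES", "").split(",")) {
            String g = roleToGroup.get(r.trim());
            if (g != null) groups.add(g); // an unmapped portal role grants no CMS group
        }
        return true;
    }
    public boolean commit() {
        subject.getPrincipals().add(new PvpPrincipal(userId));
        for (String g : groups) subject.getPrincipals().add(new PvpPrincipal("group:" + g));
        return true;
    }
    public boolean abort() { groups.clear(); return true; }
    public boolean logout() { subject.getPrincipals().clear(); return true; }
}
```

In Magnolia the LoginHandler named on the slides would supply the callback handler and create or update the CMS user from the resulting principals; that wiring is not shown here.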

Page 25: User Management and SSO for Austrian Government

SSO – implementation in Magnolia

LDAP user GUI (Vaadin)


Page 26: User Management and SSO for Austrian Government

SSO – implementation in Magnolia

Conclusion

Working well in production

Easy for editors, easy for admins

Customer manages users

LFRZ manages groups, roles & ACLs

Magnolia is now “Portalverbund”-compatible


Page 27: User Management and SSO for Austrian Government

Thank you!

Page 28: User Management and SSO for Austrian Government

Questions?

Page 29: User Management and SSO for Austrian Government