User management and SSO for Austrian government
DESCRIPTION
Austrian law mandates a standardized system for user management and single sign-on for use in Austrian government institutions. The LFRZ is one of the main providers of conformant software solutions for this sector. We show how Magnolia was integrated into this system, and the challenges faced and overcome in doing so.
TRANSCRIPT
Welcome.
Magnolia user management and SSO for Austrian government sector
Magnolia Conference 2012 – Technical Track
Presented by Richard Unger and Rihard Monovic
Agenda
1 About RISE & LFRZ
2 SSO in Austrian government
3 Requirements and challenges
4 Implementation
About RISE and LFRZ
About RISE and LFRZ – Partnership
RISE partner for industry
LFRZ partner for government
About RISE
Corporation, www.rise-world.com
TU spin-off, founded 1987 at TU Vienna; INSO – the think tank of RISE, 40 PhDs
Competences: more than 300 world-class IT engineers and architects; highly acknowledged R&D enterprise in Europe; top developer (e.g. part of the worldwide Java/Eclipse provider community, component delivery); specialists in IT infrastructure and IT integration; top experts in e.g. IT architecture, IT strategy, IT security, usability, transport IT, system performance
Locations: HQ in Schwechat (airport) and Vienna, offices in several countries; RISE personnel work worldwide
About RISE - Project examples
2003 – 2006: ID card for all Austrians plus country-wide IT infrastructure; 8 million electronic ID cards and 24,000 specially designed components for offices, delivered in 24 months
2005 – 2008: overall health network in Germany; architecture, planning and project/programme management for what was then the largest IT project in Europe (€1.8 billion), design shown at CeBIT 2005, led until 2008
2009 – 2012: country-wide ticketing for railway/public transport in Austria; 10 million tickets per year, highly complex interoperability, all access channels (clerk counter, ticket machine, internet, travel agent, mobile phone)
2007 – 2008: design and architecture of the government network plus the school and health network of Qatar, including NOC (network operations center) and SOC (security operations center)
1993 – today: IT infrastructure, software projects, rollouts and IT architectures for e.g. MoI, MoH, MoF, MoA, MoS, MoX… in several countries
About RISE - Clients
AMS Österreich
Oesterreichische Kontrollbank AG
Bank Austria – treasury merger and system upgrades
Austrian universities – overall IT strategy
Bundesrechenzentrum – test and multi-project management
Federal administration – ELAK (electronic records system) rollout
IT portfolio – Die Presse
Dresdner Bank
Federal Ministry of Health, Berlin
Ministry of Justice, United Arab Emirates
ICT Qatar (entire ICT portfolio)
Usability and web strategy for the Indian government
Qatar Foundation (infrastructure planning)
e-government strategy for Libya
About LFRZ
“Land-, forst- & wasserwirtschaftliches Rechenzentrum GmbH” (computing centre for agriculture, forestry and water management) – www.lfrz.at
IT service provider located in Vienna, owned by the Austrian Ministry of Agriculture, which is also its principal customer
approx. 30 employees plus external consultants
focus on GIS, SSO, custom application development in Java, data integration, IT operations and CMS
About LFRZ - Clients
LFRZ's principal customer: the Lebensministerium, principal website www.lebensministerium.at
SSO in Austrian government
Principal customer – “Lebensministerium”
120 editors
30+ websites
different departments, different offices in different cities
existing SSO solution: the Windows login gives access to all assigned applications
SSO solution
“Portalverbund der Österreichischen Behörden” (the portal network of the Austrian public authorities)
use is mandated by law
standardized protocols, different implementations
decentralized rights management
different portal providers, different application providers
SSO solution “Portalverbund”
Systems involved: “proxy-based” solution with a home-portal, an application-portal and the application
Role model: similar to J2EE; users have roles in an application
PVP protocol: SSO information is carried in HTTP headers
SSO solution “Portalverbund” – overview diagram
[Diagram: home-portal → application-portal → application; the user's information is passed in HTTP headers on each hop]
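The hop shown in the diagram, modelled as an added example (Python, not the pvp-jaas module's Java code and not the PVP specification). The header names (X-PVP-*), the portal address, the semicolon-separated role syntax with optional parameters and the session fields are assumptions made for this example. The check a practitioner wants in any header-carried SSO is visible in `authenticate`: identity headers are honoured only on the trusted path from the portal, and the portal strips whatever identity headers the client supplied before forwarding, so the application never evaluates a header the client chose itself.

```python
"""Proxy-based SSO hop carried in HTTP headers (added example, not PVP code).

Constructed model: the application-portal terminates the user's session and
forwards the request to the application with the user's identity in headers.
Header names, addresses and the role syntax below are assumptions for this
example, not the real Portalverbund/PVP definitions.
"""
from dataclasses import dataclass, field, replace

PVP_PREFIX = "x-pvp-"                  # assumed header namespace, lower-cased
APPLICATION_PORTAL_ADDR = "10.0.0.5"   # constructed address of the application-portal
TRUSTED_PORTALS = {APPLICATION_PORTAL_ADDR}


@dataclass
class Request:
    path: str
    remote_addr: str
    headers: dict = field(default_factory=dict)   # header name -> value


@dataclass
class PortalSession:
    """What the home-portal established, e.g. from the Windows login."""
    user_id: str
    common_name: str
    org_unit: str
    roles: list          # e.g. ["editor(site=lebensministerium.at)", "admin"]


@dataclass
class SsoUser:
    user_id: str
    common_name: str
    org_unit: str
    roles: dict          # role name -> {parameter: value}


def portal_forward(req, session):
    """Application-portal side: drop every client-supplied identity header,
    then add the ones derived from the authenticated portal session."""
    clean = {k: v for k, v in req.headers.items()
             if not k.lower().startswith(PVP_PREFIX)}
    clean.update({
        "X-PVP-USERID": session.user_id,
        "X-PVP-CN": session.common_name,
        "X-PVP-OU": session.org_unit,
        "X-PVP-ROLES": ";".join(session.roles),
    })
    # the application sees the portal, not the browser, as the peer
    return replace(req, remote_addr=APPLICATION_PORTAL_ADDR, headers=clean)


def parse_roles(raw):
    """'editor(site=a.at,lang=de);admin' -> {'editor': {...}, 'admin': {}}"""
    roles = {}
    for item in filter(None, (s.strip() for s in raw.split(";"))):
        name, _, params = item.partition("(")
        if not name.strip():
            raise ValueError("malformed role: %r" % item)
        kv = {}
        if params:
            if not params.endswith(")"):
                raise ValueError("malformed role: %r" % item)
            for pair in params[:-1].split(","):
                k, _, v = pair.partition("=")
                if not k.strip() or not v.strip():
                    raise ValueError("malformed role parameter: %r" % pair)
                kv[k.strip()] = v.strip()
        roles[name.strip()] = kv
    return roles


def authenticate(req):
    """Application side: accept identity headers only from a trusted portal."""
    if req.remote_addr not in TRUSTED_PORTALS:
        return None                    # direct access: headers are untrusted
    h = {k.lower(): v for k, v in req.headers.items()}
    user_id = h.get(PVP_PREFIX + "userid")
    if not user_id:
        return None                    # portal forwarded no authenticated user
    return SsoUser(
        user_id=user_id,
        common_name=h.get(PVP_PREFIX + "cn", ""),
        org_unit=h.get(PVP_PREFIX + "ou", ""),
        roles=parse_roles(h.get(PVP_PREFIX + "roles", "")),
    )
```

In a real deployment the "trusted path" is usually enforced by the network (the application is reachable only from the portal) or by mutual TLS between portal and application, not by a source address alone; the address set above stands in for whichever of those the installation uses.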
Requirements and challenges
SSO – requirements and challenges
Manageable roles and groups
Old CMS had SSO Integration
Old CMS did not use ACLs
120 editors needed 700 groups!
Synchronization of Portalverbund LDAP and CMS
Incredibly confusing!
Requirements
SSO – automatic login
Roles and groups normally managed in Magnolia; roles and groups also assignable via PVP headers and mappings
Permissions (ACLs) managed in Magnolia
Automatic user creation on login; “preemptive” user creation from the LDAP GUI
Challenges
Integrating SSO
How to handle permissions (ACLs)
Keeping roles and groups manageable
Implementing GUIs in Magnolia
Implementation
SSO – implementation in Magnolia
Custom modules
vaadin-preintegration: use Vaadin in Magnolia 4.4.x
pvp-jaas: SSO integration, LDAP integration
Module pvp-jaas
LoginHandler
PVPCallback (JAAS callback)
PVPAuthenticationModule (JAAS module)
plus an LDAP user page (Vaadin-based GUI)
Module pvp-jaas (continued)
Configuration via content2bean
Group and role mappings possible
Auto-update of user info on login (marriage, change of office, etc.)
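The mapping and auto-update behaviour described on this slide, as an added example in Python; it is not the module's content2bean configuration or code. The config keys (`defaultGroups`, `roleToGroups`, `groupToRoles`), the group naming, the `{site}` template parameter and the `CmsUser` fields are assumptions made for this example. It treats every login as a synchronisation: attributes that changed since the last login are updated, groups the SSO no longer delivers are revoked rather than left behind, and SSO roles without a mapping are reported instead of silently granting anything. Roles (and with them the ACLs) stay attached to groups, so they remain managed on the CMS side.

```python
"""Map SSO roles onto CMS groups/roles and keep users in sync (added example).

Constructed model of the 'mappings' and 'auto-update' behaviour; the config
keys, group names and CmsUser fields are assumptions for this example, not
the pvp-jaas module's content2bean configuration.
"""
from dataclasses import dataclass, field

# Assumed mapping config in the spirit of a content2bean-style node tree.
MAPPING = {
    "defaultGroups": ["sso-users"],
    # SSO role -> CMS groups; a role parameter may select a site-specific group
    "roleToGroups": {
        "editor": ["editors-{site}"],
        "admin": ["admins"],
    },
    # CMS group -> CMS roles (the roles carry the ACLs managed in the CMS)
    "groupToRoles": {
        "sso-users": ["login"],
        "editors-lebensministerium.at": ["editor", "site-lm"],
        "admins": ["superuser"],
    },
}


@dataclass
class CmsUser:
    name: str
    full_name: str
    office: str
    groups: set = field(default_factory=set)
    roles: set = field(default_factory=set)


def groups_for(sso_roles, config):
    """sso_roles: {role name: {parameter: value}} as delivered by the SSO."""
    groups, unmapped = set(config["defaultGroups"]), []
    for name, params in sso_roles.items():
        templates = config["roleToGroups"].get(name)
        if templates is None:
            unmapped.append(name)
            continue
        for template in templates:
            try:
                groups.add(template.format(**params))
            except KeyError:
                unmapped.append(name)   # the parameter the template needs is missing
    return groups, unmapped


def sync_user(store, user_id, full_name, office, sso_roles, config=MAPPING):
    """Create the user on first login; afterwards update only what changed.
    Returns (user, list of human-readable change descriptions)."""
    changes = []
    user = store.get(user_id)
    if user is None:
        user = CmsUser(user_id, full_name, office)
        store[user_id] = user
        changes.append("created")
    if user.full_name != full_name:              # e.g. name change after marriage
        changes.append("full_name: %s -> %s" % (user.full_name, full_name))
        user.full_name = full_name
    if user.office != office:                    # e.g. moved to another office
        changes.append("office: %s -> %s" % (user.office, office))
        user.office = office
    groups, unmapped = groups_for(sso_roles, config)
    for g in sorted(groups - user.groups):
        changes.append("group added: " + g)
    for g in sorted(user.groups - groups):
        changes.append("group removed: " + g)    # revoke, not only grant
    user.groups = groups
    user.roles = {r for g in groups for r in config["groupToRoles"].get(g, [])}
    for name in unmapped:
        changes.append("unmapped SSO role ignored: " + name)
    return user, changes
```

The change list is what an administrator would want in the audit log: a group disappearing from a user's set on login is the expected outcome of a role being withdrawn in the Portalverbund, and an unmapped role is a configuration gap to fix on the CMS side rather than something to grant by default.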
LDAP user GUI (Vaadin)
Conclusion
Working well in production
Easy for editors, easy for admins
Customer manages users
LFRZ manages groups, roles & ACLs
Magnolia is now “Portalverbund”-compatible
Thank you!
Questions?