Studies in advanced access mgmt: GFIVO project (Cal Racey)
Slide 1. Studies in Advanced Access Management <ul><li>Caleb Racey</li><li>Newcastle University</li><li>UK</li><li>http://gfivo.ncl.ac.uk</li></ul>
Slide 2. Context: Who Am I <ul><li>Team Leader, Middleware team, Newcastle University</li><li>8 years experience of systems admin for web</li><li>5 years working on SSO issues</li><li>4 years with Shibboleth</li><li>1 year with Grouper</li></ul>
Slide 3. Context: Newcastle University <ul><li>UK university</li><li>4,700 staff, 17,000 students</li><li>Research intensive</li><li>Medical school</li><li>Centralised IT service</li></ul>
Slide 4. Context: identity experiences <ul><li>No central directory</li><li>No central identity source</li><li>Identity management is ad hoc</li><li>Deployment by advocacy rather than policy</li><li>Large, mature Shibboleth deployment</li><li>10% of entities registered in UK federation</li><li>Shib used more internally than externally</li></ul>
Slide 5. Context: What is Grouper <ul><li>System for managing group information</li><li>Collaborative effort from Internet2</li><li>API for managing groups<ul><li>Supports “group math”</li><li>Uses subject API</li></ul></li><li>UI + web service + shell interfaces onto API</li><li>http://middleware.internet2.edu/dir/groups/grouper/</li></ul>
Slide 6. Newcastle’s Grouper deployment <ul><li>GFIVO: JISC funded 2 year project</li><li>Agenda<ul><li>What problem are we trying to solve</li><li>What we hope to gain</li><li>Why we want Grouper</li><li>What we are doing</li><li>Lessons learned</li></ul></li></ul>
Slide 7. What problem are we trying to solve <ul><li>Access control to systems</li><li>Targeted information flow:<ul><li>the right information to the right people</li></ul></li><li>Mess of group information in apps<ul><li>most have their own group management</li><li>same groups replicated many times (differently)</li><li>duplication of effort</li><li>valuable business information inaccessible</li><li>user confusion</li></ul></li><li>Growing federated nature of identity and applications</li><li>Shib has exposed our weak ID management</li></ul>
Slide 8. What do we hope to gain <ul><li>Technically<ul><li>Centralised reusable group management</li><li>Lower app development times</li><li>Better user experience</li><li>Consistency in service</li><li>Greater control for helpdesk</li></ul></li><li>Intangibles<ul><li>Greater user awareness of:<ul><li>access control</li><li>personal identity information</li></ul></li><li>Democratisation of access control</li></ul></li></ul>
Slide 9. Why we want Grouper <ul><li>Group info key to identity management in HE</li><li>Mature: developed by people active in group management for years</li><li>Good community of developers/users</li><li>Supports multiple user interfaces</li><li>Understands fragmented identity stores</li><li>Federatable (via Shib)</li><li>Good licence (Apache licence)</li></ul>
Slide 10. What we are doing <ul><li>Incremental, phased roll-out strategy</li><li>Federated use case from day 1</li><li>Set up loosely coupled raft of applications</li><li>No LDAP</li><li>No Signet</li></ul>
Slide 11. Where is existing group information <ul><li>SAP ERP system</li><li>VLEs (Blackboard, Plone, Moodle, coursework)</li><li>Email lists</li><li>Web site (Myprofiles)</li><li>Paper in offices</li><li>Reading lists</li><li>Library systems (Aleph)</li><li>SharePoint</li><li>Nowhere</li><li>Facebook!</li></ul>
Slide 12. Use cases (Phase I) <ul><li>Research support:<ul><li>Research wikis (federated)</li><li>Blogs</li><li>Email lists (federated)</li><li>Sakai research platform (federated)</li></ul></li><li>Teaching and learning:<ul><li>Podcasting of lectures (federated)</li><li>Teaching wikis</li></ul></li><li>Internal:<ul><li>monitoring via Nagios + Munin</li><li>documentation wikis</li></ul></li></ul>
Slide 13. Potential use cases (Phase II??) <ul><li>Staff profile structuring<ul><li>Web publishing</li><li>Research assessment</li><li>Teaching assessment</li></ul></li><li>Shared file system control</li><li>Door control</li><li>Provisioning to Google Apps</li><li>Reading lists</li><li>Information portal</li></ul>
Slide 14. 1st round: Simple integration via gsh <ul><li>Grouper Shell (gsh)</li><li>Command line interface onto Grouper API</li><li>Usage pattern familiar to systems administrators</li><li>No user interaction (no need for further education)</li><li>Good for replacing existing ad hoc database based systems</li><li>Easy first step</li><li>People can use Grouper without knowing it</li><li>http://gfivo.ncl.ac.uk/sampleGroups.php</li></ul>
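As an added illustration of this first round (not a script from the slides or the GFIVO project), a gsh script that builds a stem and two groups once and then moves the membership of a hypothetical ad hoc wiki access table into Grouper. The stem names, group names and subject ids are constructed for the example; the helper calls (addStem, addGroup, addMember, hasMember) are the Grouper 1.x shell commands, here assumed to accept the empty string as the root stem.

```java
// gsh (BeanShell) script for Grouper 1.x; run with gsh.sh <scriptfile>.
// All names and subject ids below are constructed for this example.
grouperSession = GrouperSession.startRootSession();

// Institution-level namespace, then a stem for research support.
// Users never see this hierarchy: only the apps and sysadmins do,
// which is what keeps the naming-convention debates off the table.
addStem("", "ncl", "Newcastle University");
addStem("ncl", "research", "Research support");

// Groups that replace the wiki's own ad hoc access table.
addGroup("ncl:research", "wiki-users", "Research wiki users");
addGroup("ncl:research", "wiki-admins", "Research wiki administrators");

// Membership copied from the old table (constructed sample values,
// one subject id per row of the legacy "allowed users" table).
users  = new String[] { "nab123", "njb456", "nct789" };
admins = new String[] { "nab123" };

for (int i = 0; i < users.length; i++) {
    addMember("ncl:research:wiki-users", users[i]);
}
for (int i = 0; i < admins.length; i++) {
    addMember("ncl:research:wiki-admins", admins[i]);
}

// Consistency check before the wiki is switched over: an admin who is
// not also a plain wiki user would be granted admin rights by the app
// while failing the ordinary access check, so flag it here.
for (int i = 0; i < admins.length; i++) {
    if (!hasMember("ncl:research:wiki-users", admins[i])) {
        System.out.println("WARNING: admin " + admins[i]
            + " is not in ncl:research:wiki-users");
    }
}

grouperSession.stop();
```

Once the groups exist, the wiki's own user table can be replaced by a membership lookup against ncl:research:wiki-users, and later rounds (web services, Grouper UI) expose the same groups without further data migration.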
Slide 15. 2nd round: Web services <ul><li>Web service interface onto Grouper API (more later)</li><li>Group management in the app</li><li>Management in the access denied page (403 page)</li><li>Simple user interface solving one problem</li><li>Gives control back to application developer</li><li>Maybe Sympa integration?</li><li>http://www.sympa.org/contribs/apache_authsympa</li></ul>
Slide 16. 3rd round: Grouper UI <ul><li>Current phase</li><li>Deploy Grouper UI</li><li>3rd phase because:<ul><li>Grouper UI is complex to deploy<ul><li>Was technology demonstrator</li><li>Recently revamped (thanks to Penn)</li></ul></li><li>Grouper UI is complex to develop<ul><li>Heavily abstracted</li><li>Heavily configurable</li></ul></li></ul></li></ul>
Slide 17. Grouper web services <ul><li>New addition to Grouper</li><li>In Grouper 1.3RC1</li><li>Thanks to Chris Hyzer for code contribution</li><li>Based on Apache Axis</li><li>SOAP and REST styles</li><li>SOAP supports basic authentication + WS-Security</li></ul>
Slide 18. WS-Security <ul><li>Provided by Apache Rampart</li><li>Support for WS-Security + WS-Trust</li><li>WS-Security = auth via:<ul><li>username/password</li><li>Kerberos</li><li>SAML</li><li>X.509</li></ul></li><li>Enables integration with .NET and SAP, Java WS-Security based stacks; PHP also supported</li><li>May enable advanced SAML, WS-Security, WS-Trust use cases (Shib 2??, Grid stuff??)</li></ul>
Slide 19. Lessons learned: benefits <ul><li>Enables all levels of user<ul><li>Grouper UI for power users<ul><li>Librarians, administrators, PAs</li></ul></li><li>Simple interface via web services for users<ul><li>Staff, students</li></ul></li><li>Web services for developers on non-Java platforms<ul><li>.NET, SAP, Python, PHP, Sympa</li></ul></li><li>Grouper API for Java developers</li><li>Grouper shell for systems admins</li></ul></li></ul>
Slide 20. Lessons learned: benefits <ul><li>Grouper fills large pre-existing gap</li><li>Grouper allows coherent interface onto incoherent data architecture</li><li>People like access controlled apps</li><li>Federated use emerges from internal use</li></ul>
Slide 21. Lessons learned: requirements <ul><li>Skill set prerequisites:<ul><li>Java systems admin (Tomcat etc.)</li><li>Internal data architecture</li><li>shell scripting</li><li>WS use</li><li>not Struts</li></ul></li><li>Technical prerequisites:<ul><li>Free-standing MySQL server (others supported)</li><li>Data loader</li><li>Tomcat server</li><li>SSO (Shib preferable)</li></ul></li></ul>
Slide 22. Lessons learned: issues <ul><li>Issues avoided:<ul><li>Naming convention debates<ul><li>People are irrational about names</li><li>People will argue about hierarchy structure endlessly</li><li>The people who care most about structure are most powerful</li><li>Avoided by not exposing naming hierarchy… yet</li></ul></li></ul></li><li>Issues encountered:<ul><li>Users don’t grasp the concepts: stems, groups, indirect membership</li><li>Solutions:<ul><li>introduce them slowly</li><li>avoid use when possible</li><li>UI redesign (thanks Penn)</li></ul></li></ul></li></ul>
Slide 23. Lessons learned: issues <ul><li>Getting data from data stores<ul><li>Need for data loader<ul><li>Shib resolver reusable?</li><li>Deprovisioning?</li></ul></li></ul></li><li>Need for fast updating</li><li>Grouper comes from an enterprise LDAP directory mindset</li><li>No one understands LDAP</li><li>AD admins don’t even know AD = LDAP</li><li>Shib took 4 years, will Grouper?</li></ul>
Slide 24. <ul><li>ANY QUESTIONS?</li><li>http://gfivo.ncl.ac.uk/resources.php</li></ul>