Caleb Racey Newcastle University UK http://gfivo.ncl.ac.uk Studies in Advanced Access Management

Caleb Racey

Newcastle University

UK

http://gfivo.ncl.ac.uk

Context: Who Am I Team Leader Middleware team, Newcastle University 8 years experience of Systems Admin for Web 5 years working on SSO issues 4 years with shibboleth 1 year with grouper

Team Leader Middleware team, Newcastle University

8 years experience of Systems Admin for Web

5 years working on SSO issues

4 years with shibboleth

1 year with grouper

Context: Newcastle university UK University 4,700 staff 17,000 students Research Intensive Medical School Centralised IT service

UK University

4,700 staff 17,000 students

Research Intensive

Medical School

Centralised IT service

Context: identity experiences No central directory No central identity source Identity management is adhoc Deployment by advocacy rather than policy Large mature shibboleth deployment 10% of entities registered in UK federation Shib used more internally than externally

No central directory

No central identity source

Identity management is adhoc

Deployment by advocacy rather than policy

Large mature shibboleth deployment

10% of entities registered in UK federation

Shib used more internally than externally

Context: What is grouper System for managing group information Collaborative effort from internet2 API for managing groups Supports “group math” Uses subject API UI + webservice + shell interfaces onto API http://middleware.internet2.edu/dir/groups/grouper/

System for managing group information

Collaborative effort from internet2

API for managing groups

Supports “group math”

Uses subject API

UI + webservice + shell interfaces onto API

http://middleware.internet2.edu/dir/groups/grouper/

Newcastle’s grouper deployment GFIVO: JISC funded 2 year project Agenda What problem are we trying to solve What we hope to gain Why we want grouper What we are doing Lessons learned 1/4

GFIVO: JISC funded 2 year project

Agenda

What problem are we trying to solve

What we hope to gain

Why we want grouper

What we are doing

Lessons learned

What problem are we trying to solve Access control to systems Targeted Information flow: the right information to the right people. Mess of group information in apps most have their own group management same groups replicated many times (differently) duplication of effort valuable business information inaccessible User confusion Growing federated nature of identity and applications Shib has exposed our weak ID management

Access control to systems

Targeted Information flow:

the right information to the right people.

Mess of group information in apps

most have their own group management

same groups replicated many times (differently)

duplication of effort

valuable business information inaccessible

User confusion

Growing federated nature of identity and applications

Shib has exposed our weak ID management

What do we hope to gain Technically Centralised reusable group management Lower app development times Better user experience Consistency in service Greater control for helpdesk Intangibles Greater user awareness of: access control personal identity information Democratisation access control

Technically

Centralised reusable group management

Lower app development times

Better user experience

Consistency in service

Greater control for helpdesk

Intangibles

Greater user awareness of:

access control

personal identity information

Democratisation access control

Why we want grouper Group info key to identity management in HE Mature Developed by people active in group management for years Good Community of developers/users Supports multiple user interfaces Understands fragmented identity stores Federateable (via shib) Good licence (apache licence)

Group info key to identity management in HE

Mature Developed by people active in group management for years

Good Community of developers/users

Supports multiple user interfaces

Understands fragmented identity stores

Federateable (via shib)

Good licence (apache licence)

What we are doing Incremental phased role out strategy Federated use case from day 1 Setup loosely coupled raft of applications No LDAP No Signet

Incremental phased role out strategy

Federated use case from day 1

Setup loosely coupled raft of applications

No LDAP

No Signet

Where is existing group information SAP ERP system VLEs (blackboard, plone, moodle, coursework) Email lists Web site (Myprofiles) Paper in offices Reading lists Library systems (aleph) Sharepoint Nowhere Face book!

SAP ERP system

VLEs (blackboard, plone, moodle, coursework)

Email lists

Web site (Myprofiles)

Paper in offices

Reading lists

Library systems (aleph)

Sharepoint

Nowhere

Face book!

Use cases (Phase I) Research support: Research Wikis (federated) Blogs Email lists (federated) Sakai research platform (federated) Teaching and learning: Podcasting of lectures (federated) Teaching wikis Internal: monitoring via nagios + munin documentation wikis

Research support:

Research Wikis (federated)

Blogs

Email lists (federated)

Sakai research platform (federated)

Teaching and learning:

Podcasting of lectures (federated)

Teaching wikis

Internal:

monitoring via nagios + munin

documentation wikis

Potential Use cases (Phase II??) Staff profile structuring Web publishing Research assessment Teaching assessment Shared File system control Door control Provisioning to Google Apps Reading lists Information portal 1/2

Staff profile structuring

Web publishing

Research assessment

Teaching assessment

Shared File system control

Door control

Provisioning to Google Apps

Reading lists

Information portal

1st round: Simple integration via gsh Grouper Shell (gsh) Command line interface onto grouper API Usage pattern familiar to systems administrators No user interaction (no need for further education) Good for replacing existing adhoc database based systems Easy first step People can use grouper without knowing it http://gfivo.ncl.ac.uk/sampleGroups.php

Grouper Shell (gsh)

Command line interface onto grouper API

Usage pattern familiar to systems administrators

No user interaction (no need for further education)

Good for replacing existing adhoc database based systems

Easy first step

People can use grouper without knowing it

http://gfivo.ncl.ac.uk/sampleGroups.php

2 nd Round: Webservices Web service interface onto grouper API (more later) Group management in the app Management in the access denied page (403 page) Simple user interface solving one problem Gives control back to application developer Maybe Sympa integration? http://www.sympa.org/contribs/apache_authsympa

Web service interface onto grouper API (more later)

Group management in the app

Management in the access denied page (403 page)

Simple user interface solving one problem

Gives control back to application developer

Maybe Sympa integration?

http://www.sympa.org/contribs/apache_authsympa

3rd Round: Grouper UI Current phase Deploy grouper UI 3rd phase because: Grouper UI is complex to deploy Was Technology demonstrator Recently revamped (thanks to penn) Grouper UI is complex to develop Heavily abstracted Heavily configurable

Current phase

Deploy grouper UI

3rd phase because:

Grouper UI is complex to deploy

Was Technology demonstrator

Recently revamped (thanks to penn)

Grouper UI is complex to develop

Heavily abstracted

Heavily configurable

Grouper webservices New addition to grouper In grouper 1.3RC1 Thanks Chris Hyzer for code contribution Based on Apache Axis SOAP and REST styles SOAP supports basic authentication+ WS-Security support

New addition to grouper

In grouper 1.3RC1

Thanks Chris Hyzer for code contribution

Based on Apache Axis

SOAP and REST styles

SOAP supports basic authentication+ WS-Security support

WS-Security Provided by Apache Rampart Support for WS-security + WS-trust WS-sec = Auth via: username/password Kerberos SAML x509 Enables integration with .NET and SAP, Java WS-security based stacks, PHP also supported May enable advanced SAML, WS-Sec, WS-trust usecases (shib2??, Grid stuff??) 3/4

Provided by Apache Rampart

Support for WS-security + WS-trust

WS-sec = Auth via:

username/password

Kerberos

SAML

x509

Enables integration with .NET and SAP, Java WS-security based stacks, PHP also supported

May enable advanced SAML, WS-Sec, WS-trust usecases (shib2??, Grid stuff??)

Lessons Learned: Benefits Enables All levels of user Grouper UI for Power users Librarians, administrators, PAs Simple interface via webservices for users Staff, students Webservices for developers on non java platforms .NET, SAP, Python, PHP, Sympa Grouper API for java developers Grouper shell for Systems Admins

Enables All levels of user

Grouper UI for Power users

Librarians, administrators, PAs

Simple interface via webservices for users

Staff, students

Webservices for developers on non java platforms

.NET, SAP, Python, PHP, Sympa

Grouper API for java developers

Grouper shell for Systems Admins

Lessons learned: benefits Grouper fills large pre-existing gap Grouper allows coherent interface onto incoherent data architecture People like access controlled apps Federated use emerges from internal use

Grouper fills large pre-existing gap

Grouper allows coherent interface onto incoherent data architecture

People like access controlled apps

Federated use emerges from internal use

Lessons Learned: requirements Skill sets prerequisites : Java systems admin (tomcat etc) Internal data architecture shell scripting WS use not struts Technical prerequisites: Free standing mysql server (others supported) Data Loader Tomcat server SSO (shib preferable)

Skill sets prerequisites :

Java systems admin (tomcat etc)

Internal data architecture

shell scripting

WS use

not struts

Technical prerequisites:

Free standing mysql server (others supported)

Data Loader

Tomcat server

SSO (shib preferable)

Lessons Learned: Issues Issues Avoided: Naming convention debates People are irrational about names People will argue about hierarchy structure endlessly The people who care most about structure are most powerful Avoided by not exposing naming hierarchy….yet Issues Encountered: Users don’t grasp the concepts:- stems, groups, indirect membership solutions: introduce them slowly avoid use when possible UI redesign (thanks Penn)

Issues Avoided:

Naming convention debates

People are irrational about names

People will argue about hierarchy structure endlessly

The people who care most about structure are most powerful

Avoided by not exposing naming hierarchy….yet

Issues Encountered:

Users don’t grasp the concepts:- stems, groups, indirect membership

solutions:

introduce them slowly

avoid use when possible

UI redesign (thanks Penn)

Lessons Learned: Issues Getting data from data stores Need for data loader Shib resolver reusable? Deprovisioning? Need for fast updating Grouper comes from an enterprise LDAP directory mindset No one understands LDAP AD admins don’t even know AD = LDAP Shib took 4 years, will grouper?

Getting data from data stores

Need for data loader

Shib resolver reusable?

Deprovisioning?

Need for fast updating

Grouper comes from an enterprise LDAP directory mindset

No one understands LDAP

AD admins don’t even know AD = LDAP

Shib took 4 years, will grouper?

ANY QUESTIONS? http://gfivo.ncl.ac.uk/resources.php

ANY QUESTIONS?

http://gfivo.ncl.ac.uk/resources.php