Studies in advanced access mgmt: GFIVO project (Cal Racey)
Published in: Technology, Education

0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
1,666
On Slideshare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
6
Comments
0
Likes
0
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide

Transcript

  • 1. Studies in Advanced Access Management
    • Caleb Racey
    • Newcastle University
    • UK
    • http://gfivo.ncl.ac.uk
  • 2. Context: Who Am I
    • Team leader, Middleware team, Newcastle University
    • 8 years' experience of systems admin for the web
    • 5 years working on SSO issues
    • 4 years with Shibboleth
    • 1 year with Grouper
  • 3. Context: Newcastle University
    • UK university
    • 4,700 staff, 17,000 students
    • Research Intensive
    • Medical School
    • Centralised IT service
  • 4. Context: identity experiences
    • No central directory
    • No central identity source
    • Identity management is ad hoc
    • Deployment by advocacy rather than policy
    • Large, mature Shibboleth deployment
    • 10% of entities registered in UK federation
    • Shib used more internally than externally
  • 5. Context: What is Grouper
    • System for managing group information
    • Collaborative effort from Internet2
    • API for managing groups
      • Supports “group math”
      • Uses subject API
    • UI + webservice + shell interfaces onto API
    • http://middleware.internet2.edu/dir/groups/grouper/
  • 6. Newcastle’s Grouper deployment
    • GFIVO: JISC funded 2 year project
    • Agenda
      • What problem are we trying to solve
      • What we hope to gain
      • Why we want Grouper
      • What we are doing
      • Lessons learned
  • 7. What problem are we trying to solve
    • Access control to systems
    • Targeted Information flow:
      • the right information to the right people.
    • Mess of group information in apps
      • most have their own group management
      • same groups replicated many times (differently)
      • duplication of effort
      • valuable business information inaccessible
      • User confusion
    • Growing federated nature of identity and applications
    • Shib has exposed our weak ID management
  • 8. What do we hope to gain
    • Technically
      • Centralised reusable group management
      • Lower app development times
      • Better user experience
      • Consistency in service
      • Greater control for helpdesk
    • Intangibles
      • Greater user awareness of:
        • access control
        • personal identity information
      • Democratisation of access control
  • 9. Why we want Grouper
    • Group info key to identity management in HE
    • Mature: developed by people active in group management for years
    • Good community of developers/users
    • Supports multiple user interfaces
    • Understands fragmented identity stores
    • Federatable (via Shib)
    • Good licence (Apache licence)
  • 10. What we are doing
    • Incremental, phased roll-out strategy
    • Federated use case from day 1
    • Setup loosely coupled raft of applications
    • No LDAP
    • No Signet
  • 11. Where is existing group information
    • SAP ERP system
    • VLEs (Blackboard, Plone, Moodle, coursework)
    • Email lists
    • Web site (MyProfiles)
    • Paper in offices
    • Reading lists
    • Library systems (Aleph)
    • SharePoint
    • Nowhere
    • Facebook!
  • 12. Use cases (Phase I)
    • Research support:
      • Research wikis (federated)
      • Blogs
      • Email lists (federated)
      • Sakai research platform (federated)
    • Teaching and learning:
      • Podcasting of lectures (federated)
      • Teaching wikis
    • Internal:
      • monitoring via Nagios + Munin
      • documentation wikis
  • 13. Potential Use cases (Phase II??)
    • Staff profile structuring
      • Web publishing
      • Research assessment
      • Teaching assessment
    • Shared File system control
    • Door control
    • Provisioning to Google Apps
    • Reading lists
    • Information portal
  • 14. 1st round: Simple integration via gsh
    • Grouper Shell (gsh)
    • Command line interface onto grouper API
    • Usage pattern familiar to systems administrators
    • No user interaction (no need for further education)
    • Good for replacing existing ad hoc database based systems
    • Easy first step
    • People can use grouper without knowing it
    • http://gfivo.ncl.ac.uk/sampleGroups.php
  • 15. 2nd Round: Web services
    • Web service interface onto Grouper API (more later)
    • Group management in the app
    • Management in the access denied page (403 page)
    • Simple user interface solving one problem
    • Gives control back to application developer
    • Maybe Sympa integration?
    • http://www.sympa.org/contribs/apache_authsympa
  • 16. 3rd Round: Grouper UI
    • Current phase
    • Deploy Grouper UI
    • 3rd phase because:
      • Grouper UI is complex to deploy
        • Was technology demonstrator
        • Recently revamped (thanks to Penn)
      • Grouper UI is complex to develop
        • Heavily abstracted
        • Heavily configurable
  • 17. Grouper web services
    • New addition to Grouper
    • In Grouper 1.3RC1
    • Thanks Chris Hyzer for code contribution
    • Based on Apache Axis
    • SOAP and REST styles
    • SOAP supports basic authentication + WS-Security
  • 18. WS-Security
    • Provided by Apache Rampart
    • Support for WS-Security + WS-Trust
    • WS-Security = authentication via:
      • username/password
      • Kerberos
      • SAML
      • X.509
    • Enables integration with .NET, SAP and Java WS-Security based stacks; PHP also supported
    • May enable advanced SAML, WS-Security, WS-Trust use cases (Shib 2??, Grid stuff??)
  • 19. Lessons Learned: Benefits
    • Enables all levels of user
    • Grouper UI for power users
      • Librarians, administrators, PAs
    • Simple interface via web services for users
      • Staff, students
    • Web services for developers on non-Java platforms
      • .NET, SAP, Python, PHP, Sympa
    • Grouper API for Java developers
    • Grouper shell for systems admins
  • 20. Lessons learned: benefits
    • Grouper fills large pre-existing gap
    • Grouper allows a coherent interface onto an incoherent data architecture
    • People like access controlled apps
    • Federated use emerges from internal use
  • 21. Lessons Learned: requirements
    • Skill set prerequisites:
      • Java systems admin (Tomcat etc.)
      • Internal data architecture
      • shell scripting
      • WS use
      • not Struts
    • Technical prerequisites:
      • Free-standing MySQL server (others supported)
      • Data loader
      • Tomcat server
      • SSO (Shib preferable)
  • 22. Lessons Learned: Issues
    • Issues avoided:
      • Naming convention debates
        • People are irrational about names
        • People will argue about hierarchy structure endlessly
        • The people who care most about structure are most powerful
        • Avoided by not exposing naming hierarchy… yet
    • Issues encountered:
      • Users don’t grasp the concepts: stems, groups, indirect membership
      • Solutions:
        • introduce them slowly
        • avoid use when possible
        • UI redesign (thanks Penn)
  • 23. Lessons Learned: Issues
    • Getting data from data stores
      • Need for data loader
        • Shib resolver reusable?
        • Deprovisioning?
    • Need for fast updating
    • Grouper comes from an enterprise LDAP directory mindset
    • No one understands LDAP
    • AD admins don’t even know AD = LDAP
    • Shib took 4 years; will Grouper?
  • 24. Any questions?
    • http://gfivo.ncl.ac.uk/resources.php
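Slide 5 mentions that Grouper "supports group math", and slide 22 reports that users struggle with stems, groups and indirect membership. The following Python model is an added illustration of those three concepts, written for this transcript; it is not Grouper's own API or code from the GFIVO project. Group names follow a colon-separated stem:name convention, and the groups and subject ids ("ncl:research:biology", "alice", and so on) are constructed sample data. It shows how a composite group (union, intersection, complement) derives its members from other groups, how membership flows indirectly through nested groups, and how to explain to a helpdesk why a given user ends up in a given group.

```python
"""Toy model of Grouper-style stems, group math and indirect membership.

Added illustration for the GFIVO slides; NOT Grouper's real API.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Group:
    name: str                                   # full path, e.g. "ncl:research:biology"
    direct: Set[str] = field(default_factory=set)         # directly assigned subject ids
    member_groups: Set[str] = field(default_factory=set)  # groups whose members are inherited
    composite: Optional[Tuple[str, str, str]] = None      # (op, left, right) for group math


class Registry:
    """A minimal group registry: names are 'stem:stem:...:name' paths."""

    def __init__(self) -> None:
        self.groups: Dict[str, Group] = {}

    @staticmethod
    def stem_of(name: str) -> str:
        # Everything before the last ':' is the stem (folder) holding the group.
        return name.rsplit(":", 1)[0]

    def add(self, name: str, direct: Set[str] = frozenset(), member_groups: Set[str] = frozenset()) -> None:
        self.groups[name] = Group(name, set(direct), set(member_groups))

    def composite(self, name: str, op: str, left: str, right: str) -> None:
        # A composite group has no direct members; it is defined purely by group math.
        if op not in ("union", "intersection", "complement"):
            raise ValueError(f"unknown group-math operator: {op}")
        self.groups[name] = Group(name, composite=(op, left, right))

    def groups_in_stem(self, stem: str) -> List[str]:
        return sorted(g for g in self.groups if self.stem_of(g) == stem)

    def members(self, name: str, _seen: Optional[Set[str]] = None) -> Set[str]:
        """Effective membership: direct + indirect, with group-math composites resolved."""
        seen = set(_seen or ()) | {name}
        g = self.groups[name]
        if g.composite:
            op, left, right = g.composite
            l, r = self.members(left, seen), self.members(right, seen)
            return {"union": l | r, "intersection": l & r, "complement": l - r}[op]
        result = set(g.direct)
        for sub in g.member_groups:
            if sub not in seen:          # guard against accidental membership cycles
                result |= self.members(sub, seen)
        return result

    def is_member(self, name: str, subject: str) -> bool:
        return subject in self.members(name)

    def membership_path(self, name: str, subject: str, _seen: Optional[Set[str]] = None) -> Optional[List[str]]:
        """Explain an indirect membership as the chain of groups from `name` down to
        the group where `subject` is a direct member (None if not a member)."""
        seen = set(_seen or ()) | {name}
        if not self.is_member(name, subject):
            return None
        g = self.groups[name]
        if g.composite:
            for operand in g.composite[1:]:
                sub = self.membership_path(operand, subject, seen)
                if sub:
                    return [name] + sub
            return [name]
        if subject in g.direct:
            return [name]
        for sub in sorted(g.member_groups):
            if sub in seen:
                continue
            path = self.membership_path(sub, subject, seen)
            if path:
                return [name] + path
        return None


def build_demo_registry() -> Registry:
    """Constructed sample data modelled loosely on the slides' use cases."""
    reg = Registry()
    reg.add("ncl:org:staff", direct={"alice", "bob"})
    reg.add("ncl:org:students", direct={"carol", "dave"})
    reg.add("ncl:research:biology", direct={"alice", "carol"})
    reg.add("ncl:research:chemistry", direct={"bob", "erin"})
    # Indirect membership: everyone in any research group is in research:all.
    reg.add("ncl:research:all", member_groups={"ncl:research:biology", "ncl:research:chemistry"})
    # Group math: wiki editors = researchers who are also staff; readers = researchers or students;
    # external podcast audience = researchers who are NOT staff.
    reg.composite("ncl:apps:wiki:editors", "intersection", "ncl:research:all", "ncl:org:staff")
    reg.composite("ncl:apps:wiki:readers", "union", "ncl:research:all", "ncl:org:students")
    reg.composite("ncl:apps:podcast:external", "complement", "ncl:research:all", "ncl:org:staff")
    return reg


if __name__ == "__main__":
    reg = build_demo_registry()
    for grp in reg.groups_in_stem("ncl:apps:wiki"):
        print(grp, sorted(reg.members(grp)))
    print("why is alice a wiki editor?", reg.membership_path("ncl:apps:wiki:editors", "alice"))
```

The `membership_path` helper is the piece a helpdesk most needs when users "don't grasp indirect membership": instead of a bare yes/no, it returns the chain of groups that grants access, so an operator can see that removing a user from the direct group at the end of the chain is what actually revokes it.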