• Like
Google Apps - SSO and Identity Management at the University of Cambridge
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

Google Apps - SSO and Identity Management at the University of Cambridge

  • 2,002 views
Published

Slides from a talk on SSO and Identity Management for Google Apps at the University of Cambridge. Presented at the Google Apps for Education UK User Group meeting on 15th February 2011 at …

Slides from a talk on SSO and Identity Management for Google Apps at the University of Cambridge. Presented at the Google Apps for Education UK User Group meeting on 15th February 2011 at Loughborough University (http://guug11.lboro.ac.uk/)

Published in Technology , Business
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
    Be the first to like this
No Downloads

Views

Total Views
2,002
On SlideShare
0
From Embeds
0
Number of Embeds
5

Actions

Shares
Downloads
10
Comments
0
Likes
0

Embeds 0

No embeds

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
    No notes for slide
  • Introduce self\nQuestions welcome as-and-when\nA SSO and IdM case study. About May->September 2010\n
  • University of Cambridge is an unusual place - some of this may not apply to you\n
  • We do have some useful building blocks\nNote that we didn’t use Shib (will explain why later)\n
  • Have e-mail, websites\nDon’t have Docs equivalent, or chat, but don’t have any demand either\nDo have demand for a calendar - go for that as ‘extended pilot’\n
  • Use of cam.ac.uk domain a nod to possible future gmail\n
  • ANNIMATION\ngAuth is an ‘invisible’ service, hence dotted outline\nAll this is ‘old’ hat’ web redirection authentication\nMost of this is invisible to users\n
  • ANNIMATION\ngAuth is an ‘invisible’ service, hence dotted outline\nAll this is ‘old’ hat’ web redirection authentication\nMost of this is invisible to users\n
  • ANNIMATION\ngAuth is an ‘invisible’ service, hence dotted outline\nAll this is ‘old’ hat’ web redirection authentication\nMost of this is invisible to users\n
  • ANNIMATION\ngAuth is an ‘invisible’ service, hence dotted outline\nAll this is ‘old’ hat’ web redirection authentication\nMost of this is invisible to users\n
  • ANNIMATION\ngAuth is an ‘invisible’ service, hence dotted outline\nAll this is ‘old’ hat’ web redirection authentication\nMost of this is invisible to users\n
  • ANNIMATION\ngAuth is an ‘invisible’ service, hence dotted outline\nAll this is ‘old’ hat’ web redirection authentication\nMost of this is invisible to users\n
  • ANNIMATION\ngAuth is an ‘invisible’ service, hence dotted outline\nAll this is ‘old’ hat’ web redirection authentication\nMost of this is invisible to users\n
  • ANNIMATION\ngAuth is an ‘invisible’ service, hence dotted outline\nAll this is ‘old’ hat’ web redirection authentication\nMost of this is invisible to users\n
  • Google code now marked ‘deprecated’, but what we used earlier\nDidn’t use Raven Shib because a) still 1.3; and b) needs ‘special’ config; and c)wanted to do other things\nHaving our T&Cs was useful for DPA etc. compliance\n\n
  • ANNIMATION\nOn the way back through gAuth, having worked out who we have\nCreate if doesn’t exits, update else\nCreate seems to work reliabably (slightly to my surprise!) \nJava version of API, to integrate with gAuth SSO code\n\n
  • ANNIMATION\nOn the way back through gAuth, having worked out who we have\nCreate if doesn’t exits, update else\nCreate seems to work reliabably (slightly to my surprise!) \nJava version of API, to integrate with gAuth SSO code\n\n
  • ANNIMATION\nOn the way back through gAuth, having worked out who we have\nCreate if doesn’t exits, update else\nCreate seems to work reliabably (slightly to my surprise!) \nJava version of API, to integrate with gAuth SSO code\n\n
  • ANNIMATION\nOn the way back through gAuth, having worked out who we have\nCreate if doesn’t exits, update else\nCreate seems to work reliabably (slightly to my surprise!) \nJava version of API, to integrate with gAuth SSO code\n\n
  • ANNIMATION\nOn the way back through gAuth, having worked out who we have\nCreate if doesn’t exits, update else\nCreate seems to work reliabably (slightly to my surprise!) \nJava version of API, to integrate with gAuth SSO code\n\n
  • ANNIMATION\nOn the way back through gAuth, having worked out who we have\nCreate if doesn’t exits, update else\nCreate seems to work reliabably (slightly to my surprise!) \nJava version of API, to integrate with gAuth SSO code\n\n
  • ANNIMATION\nOn the way back through gAuth, having worked out who we have\nCreate if doesn’t exits, update else\nCreate seems to work reliabably (slightly to my surprise!) \nJava version of API, to integrate with gAuth SSO code\n\n
  • ANNIMATION\nOn the way back through gAuth, having worked out who we have\nCreate if doesn’t exits, update else\nCreate seems to work reliabably (slightly to my surprise!) \nJava version of API, to integrate with gAuth SSO code\n\n
  • ANIMATION\nAlso wanted/needed to support non-Web access\nVery like ‘application-specific passwords’ in new Two-step verification\nBorrowed ‘Token’ idea from eduroam - always retrievable\n
  • ANIMATION\nAlso wanted/needed to support non-Web access\nVery like ‘application-specific passwords’ in new Two-step verification\nBorrowed ‘Token’ idea from eduroam - always retrievable\n
  • Need to clean up departed users (DPA if nothing else)\n Except our users tend to come back!\nLoss of Raven not good enough --> because of Token\nForced into gAuth database to store retrievable token \nMain gAuth code also enforces consistency\n\n
  • Not Heartbeat because of Slony issues\n
  • \n
  • Max ~400 users/week, ~750/month\nNote Saturday/Sunday\n
  • cam.ac.uk was ‘Comunity Managed’ edition\n a problem because a) users might have left; and b) included Docs/Sites\n couldn’t check departed users till agreement signed\nMore conflicting accounts than expected\n User confusion, + Calendar restriction\nWanted to use google.cam.ac.uk to allow for mslive.cam.ac.uk. Couldn’t.\nStill some re-authentication problems on iPhone. Caching?\nDon’t under-estimate the support cost, if you provide support\n
  • \n

Transcript

  • 1. SSO and Identity Management: What we did Jon WarbrickUniversity of Cambridge Computing Service jw35@cam.ac.uk / @jw35
  • 2. The Universityof Cambridge 100+ departments 32 colleges 40,000 users “A loose affiliation of warring fiefdoms”
  • 3. Handy building blocks• University Computing Service • that doesn’t set policy• User Administration Database• Raven: Web Authentication system • including a Shibboleth IdP• A 2008 UCS trial of Google Apps
  • 4. What do we want? A Calendar! Perhaps other things, later...
  • 5. General Plan• Google Apps for Education • but just Calendar• Use cam.ac.uk domain• Web SSO using Raven• Automatically available to everyone• Minimum ongoing staff involvement• Rollout September, for October, 2010
  • 6. Web authentication
  • 7. Web authentication
  • 8. Web authentication SAML SSO service gAuth
  • 9. Web authentication SAML SSO service gAuth
  • 10. Web authentication SAML SSO service gAuth
  • 11. gAuth• Based on Google example Java SAML code • SAML, but not Shibboleth• Java Webapp, runs in Tomcat• Also displays T&Cs page, and email reminder first time through• And some other things ...
  • 12. Account creation gAuth
  • 13. Account creation gAuth
  • 14. Account creation gAuthProvisioning API
  • 15. Account creation gAuthProvisioning API
  • 16. Non-web authentication
  • 17. Non-web authentication
  • 18. Account management gAuth Raven feedUser admin. database reconcile- reconcile- admin google Status: Google •[Unknown] •Current •Blacklisted •Cancelled •[Deleted]
  • 19. Implementation• gAuth: Java webapp in Tomcat• Batch processing: Java run by cron (!)• (Live/stanby) pair of VMs on Xen cluster• Local Postgress database; Slony1 replication• Manual service address transition
  • 20. Deployed October 2010 Number of Accounts http://www-uxsup.csx.cam.ac.uk/~jw35/google-usage/
  • 21. Deployed October 2010 Unique users per day http://www-uxsup.csx.cam.ac.uk/~jw35/google-usage/
  • 22. Plain sailing?• Pre-existing cam.ac.uk domain• Conflicting accounts• ‘g’ ‘o’ ‘o’ ‘g’ ‘l’ ‘e’ not allowed in domain names• iPhones• Support. Don’t forget the support
  • 23. Any questions?
  • 24. Any questions? Jon WarbrickUniversity of Cambridge Computing Service jw35@cam.ac.uk / @jw35