Update on Institutional Identity Management Priorities at SFU

The 2012 annual update to the BCNET Identity Management Working Group about Simon Fraser University's major initiatives.

Slide notes (InCommon Bronze analysis):
  • Our password checking mechanism does not ensure sufficiently strong passwords.
  • No policy covers third-party apps authenticating with SFU credentials.
  • SFU has some services that do unencrypted logins.
  • SFU does not currently maintain any record of how a given user's identity was verified upon credential creation.
  • Update on Institutional Identity Management Priorities at SFU

    1. SFU Identity Management: Current and Planned Projects (BCNET 2012)
    2. About this Presentation
       • SFU IdAM Overview
       • InCommon Best Practices Analysis
       • CAS Upgrades
       • API Access Control
       • Alumni Account Integration
       • Group Management Re-architecture
       • Identity Messaging Re-architecture
    3. Authentication Services (diagram): authentication clients (wireless via eduroam, web apps, applications, VoIP, IIS apps / terminal services, Windows labs and workstations, Mac labs, Unix hosts) authenticate against the SFU CAS implementation (Central Authentication Server, web sign-on), the SFU Radiator server (RADIUS, multi-campus wireless authentication), the SFU LDAP servers (LDAP directory, account / password verification), the SFU Windows infrastructure (Active Directory), federated authentication (Shibboleth, edupass.ca logins for external users) and the SFU Sun servers (NIS, local account / password provisioning); accounts and passwords are provisioned to these services from the SFU account system (Amaint account registry and provisioning).
    4. Authorization Services (diagram): access enforcement points (the PeopleSoft silo with its own access control, applications and role data stores; WebCT; LON-CAPA; web applications; ARCS and ARCS Manager; AWSOME; IIS apps / terminal services; SFU Windows infrastructure using Active Directory groups and LDAP bind) draw on the privilege and attribute registries: the SFU LDAP servers (eduPerson affiliations, accounts, group membership), Maillist2 (group membership), course and group control lists, the Amaint SOAP server (application access control: application privileges, roles and users, queried via web services) and Amaint itself (persons and affiliations, affiliation types, sponsored accounts, external accounts, faculty, staff, students and courses); data distribution and provisioning carries PeopleSoft courses, accounts, affiliations and enrollment into Amaint and onward.
    5. InCommon Bronze Analysis: SFU IdAM vs Bronze Assurance Requirements
       • Resistance to Guessing Authentication Secret
       • Protected Authentication Secrets
       • Resist Eavesdropper
       • Identity Record Qualification
    6. Jasig CAS: CAS Upgrades
       • Upgrading from 3.3 to 3.4
       • Provides SAML support
       • Running on vanilla Tomcat
    7. API Access Control
       • REST APIs for public institutional data
       • CAS integration
       • OAuth proof of concept
    8. Alumni Account Integration
       • Legacy system maintains a separate LDAP server
       • All users now keep a login-only account
       • Merging alumni identity back into the main account
       • Keep @sfu.ca forwarding for alumni
    9. Alumni Account Integration: Current Infrastructure (diagram). Components shown: the Alumni Office, SIMS, the Alumni Email Handler (AEF) with @alumni.sfu.ca aliases and the isAlumni flag, Amaint with an external address, a separate Alumni LDAP holding alumni credentials, AD and LDAP holding all credentials, CAS and Radius login paths, and a SOAP call between them.
    10. Alumni Account Integration: Proposed Infrastructure (diagram). The same components without the separate Alumni LDAP: all credentials are held in AD and LDAP, Amaint carries the external email / external address, and the Alumni Email Handler (AEF), @alumni.sfu.ca aliases, isAlumni flag, SIMS, CAS, Radius login and SOAP call remain.
    11. Grouper: Group Management Re-architecture
       • Installing Grouper 2.0 (http://internet2.edu/grouper/)
       • Decoupling Maillist from group management
       • Creating permission management opportunities
       • New LDAP groups structure (coming soon)
    12. Grouper
    13. Permission Management
       • Grouper provided
       • Decouple provisioning from permissions
       • An account doesn't do anything by default
       • Permissions are added as assured
    14. JMS at SFU: Introducing JMS into the middleware layer
    15. Background
       • Meta-directory, Amaint, receives data from PS systems and creates computing accounts
       • Accounts and changes are pushed to LDAP, AD, WebCT and Zimbra via an in-house "update daemon"
       • Desire to move to a modern standards-based mechanism to communicate changes
    16. What is JMS?
       • Java Messaging Services, but not limited to Java applications
       • A standard for passing messages between applications in a loosely-coupled, asynchronous manner
       • Can involve brokers, for queuing messages, and routers, for doing sophisticated handling of messages
    17. Full-Featured Open Source Apps
       • Apache ActiveMQ as message broker
         – Store and forward messages
         – Persistent storage across outages
         – Support for clustering and failover
       • Apache Camel as message router
         – Huge built-in library of endpoints and functions supported for processing messages
         – Packaged as a library that can be added to an existing app (such as ActiveMQ)
    18. Apache ActiveMQ
    19. Apache Camel: Camel Integration
    20. Phase 1 implementation (diagram): Amaint publishes XML change messages to ActiveMQ; Camel routes them onward as XML to the LDAP, AD and WebCT updaters and as JSON to Grouper.
    21. The Future
       • New LMS integration
       • More event-driven communications
       • Syslog into JMS (e.g. sign-in events)
       • Workflow into Camel
       • PS integration
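Slide 5 and the slide notes flag guessing resistance of the authentication secret and a password checker that does not enforce sufficient strength. The following is an added illustration, not SFU's checker or anything from the deck: it estimates guessing entropy with the NIST SP 800-63 Appendix A heuristic for user-chosen passwords (approximated below eight characters) and accepts a password only if an attacker held to an online guess budget (lockout or throttling) stays under a target success probability; the budget, the probability and the word list are constructed placeholders, not InCommon IAP values.

```python
"""Estimate how well a user-chosen password resists online guessing (added
illustration, not SFU's checker). Entropy follows the NIST SP 800-63 Appendix A
heuristic for user-chosen passwords (approximated below eight characters); the
guess budget, target probability and word list are constructed placeholders."""
import re

# Constructed stand-in for a real word list; a production check needs a large one.
DICTIONARY = {"password", "simon", "fraser", "welcome", "sfu", "letmein"}

def estimate_min_entropy(password: str, composition_rule: bool = True,
                         dictionary_check: bool = True) -> float:
    """Bits of guessing entropy credited to a password under the stated policy."""
    n = len(password)
    if n == 0:
        return 0.0
    bits = 4.0 + 2.0 * min(n - 1, 7)          # first char 4 bits, chars 2-8 2 bits each
    bits += 1.5 * max(0, min(n, 20) - 8)      # chars 9-20: 1.5 bits each
    bits += 1.0 * max(0, n - 20)              # chars 21 and up: 1 bit each
    has_upper = any(c.isupper() for c in password)
    has_nonalpha = any(not c.isalpha() for c in password)
    if composition_rule and has_upper and has_nonalpha:
        bits += 6.0                            # bonus for an upper + non-alpha rule
    if dictionary_check:
        # Bonus for an enforced dictionary check: 6 bits up to 8 chars, 0 at 20.
        bits += 6.0 * max(0, 20 - max(n, 8)) / 12.0
    return bits

def is_dictionary_word(password: str) -> bool:
    """Lower-case and drop digits/punctuation so 'Welcome1!' still matches 'welcome'."""
    core = re.sub(r"[^a-z]", "", password.lower())
    return core in DICTIONARY

def check_password(password: str, online_guess_budget: int,
                   max_success_probability: float) -> tuple:
    """Accept only if an attacker held to the guess budget (by lockout or
    throttling) succeeds with at most the target probability."""
    bits = estimate_min_entropy(password)
    if is_dictionary_word(password):
        return False, "dictionary word", bits
    p_success = online_guess_budget / 2 ** bits
    if p_success > max_success_probability:
        return False, f"success probability {p_success:.2e} exceeds target", bits
    return True, "ok", bits

if __name__ == "__main__":
    for pw in ["welcome1", "qzx7", "CorrectHorse!7"]:
        print(pw, check_password(pw, 1000, 1 / 1024))
```

With a budget of 1000 online guesses and a 1 in 1024 target, "welcome1" fails the dictionary check, "qzx7" fails on probability, and "CorrectHorse!7" passes.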
