The document summarizes current and planned identity and access management projects at Simon Fraser University. It discusses upgrading the central authentication system to a new version, implementing API access control using CAS and OAuth, integrating alumni accounts back into the main identity system, rearchitecting group management using Grouper, and introducing message-oriented middleware using Java Message Service and Apache Camel to improve communication between systems. This will help modernize SFU's identity management infrastructure.
2. • SFU IdAM Overview
• InCommon Best Practices Analysis
• CAS Upgrades
• API Access Control
• Alumni Account Integration
• Group Management Re-architecture
• Identity Messaging Re-architecture
About this Presentation
BCNET 2012
3. SFU User Authentication Services
[Diagram: SFU authentication architecture. Authentication clients: wireless (eduroam), web apps, applications, VoIP, IIS apps / terminal services, Windows labs / workstations, Mac labs, Unix hosts. Authentication services: SFU CAS implementation (Central Authentication Server, web sign-on), SFU Radiator server (RADIUS, multi-campus wireless authentication), SFU LDAP servers (LDAP directory), SFU Windows infrastructure (Active Directory), SFU Sun servers (NIS, local account / password provisioning). Federated authentication: Shibboleth, edupass.ca logins, external users. SFU account system: Amaint accounts, account registry and provisioning, supplying account / password verification data to the authentication services.]
Authentication Services
4. SFU User Authorization Services
[Diagram: SFU authorization architecture. Access enforcement: PeopleSoft silo (PeopleSoft access control, PeopleSoft applications), web applications (WebCT, LON-CAPA, AWSOME, ARCS query), SFU LDAP servers (LDAP bind), SFU Windows infrastructure (Active Directory groups), Amaint SOAP server (application access control; application privileges, roles and users via web services query), IIS apps / terminal services (ARCS Manager). Privilege and attribute registries: LDAP eduPerson affiliations, Maillist2 group membership, course and group control lists, PeopleSoft role data stores, Amaint persons and affiliations, affiliation types, sponsored accounts, external accounts. Data distribution and provisioning: accounts, affiliations, group membership and enrollment data (staff, students and courses, faculty) flow from PeopleSoft to Amaint and on to the enforcement points.]
Authorization Services
5. • SFU IdAM vs Bronze Assurance Requirements
• Resistance to Guessing Authentication Secret
• Protected Authentication Secrets
• Resist Eavesdropper
• Identity Record Qualification
InCommon Bronze Analysis
6. • CAS Upgrades
• Upgrading from 3.3 to 3.4
• Provides SAML Support
• Running on vanilla Tomcat
Jasig CAS
7. • API Access Control
• REST APIs for public institutional data
• CAS Integration
• OAuth proof of concept
API Access Control
8. • Alumni Account Integration
• Legacy system maintains a separate LDAP server
• All users now keep a login-only account
• Merging alumni identity back into main account
• Keep @sfu.ca forwarding for alumni
Alumni Account Integration
9. Current Infrastructure
[Diagram: components of the current alumni setup. Alumni Office; Alumni Email Handler (AEF) with @alumni.sfu.ca aliases and isAlumni flags; Amaint (isAlumni); a separate Alumni LDAP holding alumni credentials; AD and LDAP holding all credentials; RADIUS and CAS login; SIMS supplying the external address via a SOAP call.]
Alumni Account Integration
10. Proposed Infrastructure
[Diagram: components of the proposed alumni setup. Alumni Office; Alumni Email Handler (AEF) with @alumni.sfu.ca aliases and isAlumni flags; Amaint (isAlumni, external email); AD and LDAP holding all credentials, with no separate Alumni LDAP; CAS and RADIUS login; SIMS supplying the external address via a SOAP call.]
Alumni Account Integration
11. • Group Management Re-architecture
• Installing Grouper 2.0 (http://internet2.edu/grouper/)
• Decoupling Maillist from Group Management
• Creating permission management opportunities
• New LDAP Groups Structure (coming soon)
Grouper
13. • Permission Management
• Grouper provided
• Decouple Provisioning from permissions
• An account doesn’t do anything by default
• Permissions are added as assured
Permission Management
15. • Meta-directory, Amaint, receives data from PeopleSoft (PS) systems and creates computing accounts
• Accounts and changes pushed to LDAP, AD, WebCT, Zimbra via in-house “update daemon”
• Desire to move to a modern standards-based mechanism to communicate changes
Background
16. • Java Message Service (JMS) – but not limited to Java applications
• A standard for passing messages between applications in a loosely-coupled, asynchronous manner
• Can involve brokers, for queuing messages, and routers, for doing sophisticated handling of messages
What is JMS?
17. • Apache ActiveMQ as Message Broker
– Store and forward messages
– Persistent storage across outages
– Support for clustering and failover
• Apache Camel as Message Router
– Huge built-in library of endpoints and functions supported for processing messages
– Packaged as a library that can be added to an existing app (such as ActiveMQ)
Full-Featured Open Source Apps
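As an added illustration (not SFU's code, and not ActiveMQ or Camel themselves), the following Python sketch shows the two roles the Background, JMS and ActiveMQ/Camel slides describe: a store-and-forward broker that journals messages to disk until the consumer acknowledges them, and a content-based router that fans each identity event out to the downstream systems named on the Background slide. The queue name, the event types, the fan-out table and the endpoint names (ldap, ad, webct, zimbra) are assumptions made for the example.

```python
# Added example, not SFU's code: a minimal store-and-forward broker plus a
# content-based router, in the style of the JMS/ActiveMQ/Camel pipeline the
# slides propose for pushing Amaint changes downstream. The queue name, event
# types and endpoint names (ldap, ad, webct, zimbra) are illustrative assumptions.
import json
import os
import tempfile
from collections import deque

QUEUE = "identity.changes"
# Which downstream systems receive which event types (constructed routing
# table; a Camel route would express the same fan-out).
ROUTES = {
    "account.created": ["ldap", "ad", "webct", "zimbra"],
    "password.changed": ["ldap", "ad"],
    "account.disabled": ["ldap", "ad", "webct", "zimbra"],
}


class Broker:
    """Store-and-forward: a message is journalled to disk before send() returns
    and removed only on ack(), so it survives broker/consumer restarts and is
    redelivered if the consumer fails mid-processing."""

    def __init__(self, journal_path):
        self.journal_path = journal_path
        self.queues = {}
        if os.path.exists(journal_path):
            with open(journal_path) as fh:
                for line in fh:
                    rec = json.loads(line)
                    self.queues.setdefault(rec["queue"], deque()).append(rec["msg"])

    def _flush(self):
        with open(self.journal_path, "w") as fh:
            for queue, msgs in self.queues.items():
                for msg in msgs:
                    fh.write(json.dumps({"queue": queue, "msg": msg}) + "\n")

    def send(self, queue, msg):
        self.queues.setdefault(queue, deque()).append(msg)
        self._flush()

    def peek(self, queue):
        q = self.queues.get(queue)
        return q[0] if q else None

    def ack(self, queue, msg_id):
        q = self.queues.get(queue)
        if q and q[0]["id"] == msg_id:
            q.popleft()
            self._flush()

    def depth(self, queue):
        return len(self.queues.get(queue, ()))


def consume(broker, endpoints):
    """Drain QUEUE, fanning each message out to the endpoints for its type.
    Ack only after every endpoint accepted it; if one raises, the message stays
    at the head for redelivery and draining stops, preserving per-user order.
    Returns the ids that were fully delivered."""
    delivered = []
    while (msg := broker.peek(QUEUE)) is not None:
        try:
            for name in ROUTES.get(msg["type"], []):
                endpoints[name](msg)
        except RuntimeError:
            break
        broker.ack(QUEUE, msg["id"])
        delivered.append(msg["id"])
    return delivered


def make_endpoint(log, name, fail_ids=()):
    """Fake provisioner: records each id once (idempotent, since a redelivered
    message may already have reached it) and raises for ids in fail_ids to
    simulate that system being down."""
    seen = log.setdefault(name, [])

    def handle(msg):
        if msg["id"] in fail_ids:
            raise RuntimeError(f"{name} unavailable")
        if msg["id"] not in seen:
            seen.append(msg["id"])
    return handle


def demo(journal_path=None):
    """Constructed scenario: three Amaint events for one user, AD down when the
    second arrives, then a consumer restart that retries from the journal."""
    journal_path = journal_path or os.path.join(tempfile.mkdtemp(), "journal.jsonl")
    broker = Broker(journal_path)
    for i, kind in enumerate(["account.created", "password.changed", "account.disabled"], 1):
        broker.send(QUEUE, {"id": f"m{i}", "type": kind, "user": "jdoe"})
    log = {}
    endpoints = {n: make_endpoint(log, n) for n in ("ldap", "webct", "zimbra")}
    endpoints["ad"] = make_endpoint(log, "ad", fail_ids=("m2",))
    first = consume(broker, endpoints)
    broker = Broker(journal_path)               # restart: journal is reloaded
    endpoints["ad"] = make_endpoint(log, "ad")  # and AD is reachable again
    second = consume(broker, endpoints)
    return {"first": first, "second": second, "log": log, "left": broker.depth(QUEUE)}
```

Calling `demo()` returns a dict: the first consumer pass delivers only m1, because the AD endpoint rejects m2 and the consumer refuses to acknowledge a partially delivered message; after the simulated restart the journal still holds m2 and m3, and the retry completes them without LDAP applying m2 a second time. That is the property a broker gives a replacement for the in-house update daemon: a downstream outage delays provisioning instead of silently losing the change.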
21. • New LMS integration
• More Event-driven communications
• Syslog into JMS (e.g. sign-in events)
• Workflow into Camel
• PS Integration
The Future
Editor's Notes
Our password checking mechanism does not ensure sufficiently strong passwords.
No policy covering third-party apps authenticating with SFU credentials.
SFU has some services that do unencrypted logins.
SFU does not currently maintain any record of how a given user's identity was verified upon credential creation.
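The first editor's note and the "Resistance to Guessing Authentication Secret" item on the InCommon Bronze slide point at the same gap: a password check that accepts weak secrets. The following Python policy check is an added example (not SFU's code and not InCommon's), showing the kind of rules such a mechanism needs: a length floor, a blocklist consulted after undoing common substitutions and trailing digits, a username test, and a rough entropy estimate. The thresholds (12 characters, 40 bits) and the tiny blocklist are illustrative assumptions, not InCommon figures.

```python
# Added example, not SFU's or InCommon's code: a password policy check aimed at
# the "resistance to guessing" requirement the Bronze analysis lists. The
# thresholds (12 characters, 40 bits) and the tiny blocklist are illustrative
# assumptions, not InCommon's figures.
import math
import re

# Constructed sample blocklist; a real deployment would load a large list of
# breached or common passwords.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "iloveyou"}
# Undo the usual letter-for-symbol substitutions before the blocklist lookup.
LEET = str.maketrans("@013$5!7", "aoiessit")


def normalise(password):
    """Return two comparison forms: lower-cased with substitutions undone, and
    the same with a trailing digit run removed, so 'P@ssw0rd123' is compared as
    'password' as well as 'passwordi2e'."""
    base = password.lower()
    stripped = re.sub(r"\d+$", "", base)
    return base.translate(LEET), stripped.translate(LEET)


def entropy_bits(password):
    """Upper bound on guessing entropy: length * log2(alphabet size), where the
    alphabet is the union of the character classes actually present."""
    pool = 0
    if re.search(r"[a-z]", password):
        pool += 26
    if re.search(r"[A-Z]", password):
        pool += 26
    if re.search(r"[0-9]", password):
        pool += 10
    if re.search(r"[^A-Za-z0-9]", password):
        pool += 33
    return len(password) * math.log2(pool) if pool else 0.0


def check_password(password, username="", min_len=12, min_bits=40):
    """Return (accepted, reasons). Every failing rule is reported, so the user
    can fix all problems in one attempt."""
    reasons = []
    if len(password) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    forms = normalise(password)
    if any(form in COMMON_PASSWORDS for form in forms):
        reasons.append("matches a common password after normalisation")
    if username and username.lower() in forms[0]:
        reasons.append("contains the username")
    if len(set(password)) <= 3:
        reasons.append("too few distinct characters")
    if entropy_bits(password) < min_bits:
        reasons.append(f"estimated entropy below {min_bits} bits")
    return (not reasons, reasons)
```

The entropy figure is deliberately an upper bound: it assumes every character was drawn uniformly from the classes used, which is why the blocklist and username rules run alongside it. A long dictionary phrase such as "correct horse battery staple" passes, while "P@ssw0rd123" fails on length and on the normalised blocklist match even though its class-based entropy looks high.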