Identity and Access Management Challenges in uPortal Andrew Petro ACAMP Thursday 18 June 2009 © Copyright Unicon, Inc., 2006-2009. http://creativecommons.org/licenses/by-sa/3.0/us/
This session Continuing to explore identity services requirements, representatives from the Sakai and uPortal projects will provide overviews of their key challenges relating to identity and access management.
IdM and access control in uPortal today IdM and Portlet Standards Achieving Beyond Standards Delegated Authentication Challenges
What’s uPortal? Free and open source Java-implemented portal software by and for higher education. Hosts JSR 168 portlets Authentication, user attribute marshalling, groups, access control
What’s a portlet? It’s an indicator, self-service widget, small application, or whatever else running in a box in the portal.
What do I get for being a portlet? Authentication User Attributes Roles Access Control Hosting and provisioning Skinning Monitoring and error handling
Identity Management and Access Control in uPortal
Authentication Embeds and relies upon Jasig CAS by default
Browser flow on login 1. uPortal 2. CAS 3. uPortal
Sharing a store of users uPortal user store
User Attributes Drawn from LDAP and RDBMS Merged, cascaded, mapped, … Pluggable API Factored out as Jasig PersonDirectory Now used in CAS
Groups In-portal manually managed JIT via rules about user attributes LDAP / AD Filesystem batch extracts
Permissions Owned and registered by subsystems PRINCIPAL is [GRANTED | DENIED] permission to ACTIVITY [on OBJECT] Portal Administrators are granted permission to modify the membership of the Channel Publishers group
Permissions “Library administrators” are granted permission to modify the membership of the “Library Fragment Administrators” group.
Layout Templating Users with attribute “classYear” == 2010 should see the “Fourth Years” tab Users in the group “New to University” should see the “Getting Started” tab
IdM and Portlet Standards
Authentication JSR 168 API conveys a String username
User Attributes JSR 168 Portlet API conveys user attributes As declared in portlet.xml
Credentials? User attributes are whatever you want them to be Passwords? CAS Proxy Tickets? Shibboleth delegable SAML assertions Base64-encoded?
Roles JSR 168 supports an isUserInRole() uPortal answers this by checking for membership in a group mapped to the role
JSR 286 to the rescue? None of this changes.
Beyond JSR 168 Standards
“Limitations” of JSR 168 Conveys attributes, roles of the requesting user, but not other users.
User directory lookup Identity Swapper Attribute Swapper
Selecting users and groups Present use case
Using JSR 168 APIs Jasig Announcements Portlet
Not Using JSR 168 APIs (legacy) Announcements Channel Channel publishing workflow
Delegated Authentication
Use case
Use case
Delegated Authentication User authenticates to portal Portal authenticates to a backing service on behalf of the user Data from backing service informs portal http://www.flickr.com/photos/ntr23/730371240/
Password Replay Password-Protected Service PW Channel PW PW PW Portal Channel PW PW PW PW Password-Protected Service Channel PW PW PW PW Just one of these needs to be compromised, to attack user “forever”! Channel Password-Protected Service PW PW PW
Look Ma, No Password! Without a password to replay, how am I going to authenticate my portal to other applications? ?
Using CAS Optional support for making a Proxy CAS Ticket available to portlets using a user attribute
CAS and Password Replay See the Sacramento State ClearPass CAS and uPortal add-ons
Using Shibboleth Optional support for making the SAML assertion available to the portlet
Identity Management and Access Control Challenges in uPortal
Challenge: Unloved UIs Administrative UIs are unloved
Partial solution in progress
Challenge: JIT With Shibboleth, user attributes may be available only just-in-time with end user login. Contrast with expectations of being able to directory-lookup users.
Challenge: How about roles? uPortal has no formal concept of roles distinct from groups Of course you can use groups as roles But it doesn’t necessarily feel natural
Challenge: Maintaining code PersonDirectory, GaPs, custom UIs, Some shared code evident: CAS example Some sharing hoped for: reusable portlet Spring Web Flow workflows for group selection
Questions? Discussion? Save it! Andrew Petro apetro@unicon.net www.unicon.net/blog/3