Identity and Access Management Challenges in uPortal

Presentation transcript:

Identity and Access Management Challenges in uPortal Andrew Petro ACAMP Thursday 18 June 2009 © Copyright Unicon, Inc., 2006-2009. http://creativecommons.org/licenses/by-sa/3.0/us/

This session Continuing to explore identity services requirements, representatives from the Sakai and uPortal projects will provide overviews of their key challenges relating to identity and access management.

IdM and access control in uPortal today; IdM and Portlet Standards; Achieving Beyond Standards; Delegated Authentication; Challenges

What’s uPortal? Free and open source Java-implemented portal software by and for higher education. Hosts JSR 168 portlets. Provides authentication, user attribute marshalling, groups, access control.

What’s a portlet? It’s an indicator, self-service widget, small application, or whatever else running in a box in the portal.

What do I get for being a portlet? Authentication; user attributes; roles; access control; hosting and provisioning; skinning; monitoring and error handling.

Identity Management and Access Control in uPortal

Authentication Embeds and relies upon Jasig CAS by default

Browser flow on login 1. uPortal 2. CAS 3. uPortal

Sharing a store of users uPortal user store

User Attributes: drawn from LDAP and RDBMS; merged, cascaded, mapped, …; pluggable API; factored out as Jasig PersonDirectory; now used in CAS.

Groups: in-portal manually managed; JIT via rules about user attributes; LDAP / AD; filesystem batch extracts.

Permissions: owned and registered by subsystems. Statements take the form: PRINCIPAL is [GRANTED | DENIED] permission to ACTIVITY [on OBJECT]. Example: Portal Administrators are granted permission to modify the membership of the Channel Publishers group.

Permissions “Library administrators” are granted permission to modify the membership of the “Library Fragment Administrators” group.

Layout Templating: users with attribute “classYear” == 2010 should see the “Fourth Years” tab; users in the group “New to University” should see the “Getting Started” tab.
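As an added illustration (not uPortal’s own code), here is a Python model of the groups, permission statements and layout rules on the preceding slides: group membership comes from manually managed groups and from JIT rules over user attributes, permission statements follow the PRINCIPAL is [GRANTED | DENIED] permission to ACTIVITY [on OBJECT] form, and tabs are chosen by attribute or group rules. The “Suspended” group, the “Staff” JIT rule, the “affiliation” attribute and the deny-overrides evaluation order are assumptions of this model, not from the slides.

```python
# Constructed sample data: manually managed groups (names taken from the slides).
MANUAL_GROUPS = {
    "Portal Administrators": {"alice"},
    "Library administrators": {"bob", "erin"},
    "New to University": {"carol"},
    "Suspended": {"erin"},  # hypothetical group, used to show an explicit DENIED
}

# JIT groups: membership computed from user attributes at evaluation time
# ("affiliation" is an assumed attribute name, not one from the slides).
JIT_GROUPS = {"Staff": lambda attrs: attrs.get("affiliation") == "staff"}

# PRINCIPAL is [GRANTED|DENIED] permission to ACTIVITY [on OBJECT];
# an object of None means the statement applies to every object.
PERMISSIONS = [
    ("Portal Administrators", "GRANTED", "modify membership", "Channel Publishers"),
    ("Library administrators", "GRANTED", "modify membership", "Library Fragment Administrators"),
    ("Suspended", "DENIED", "modify membership", None),
]

# Layout templating rules: (kind, condition, tab shown when the condition holds).
# Attribute values are modelled as strings.
LAYOUT_RULES = [
    ("attribute", ("classYear", "2010"), "Fourth Years"),
    ("group", "New to University", "Getting Started"),
]

def principals_for(user, attrs):
    """The user plus every manual or JIT group that contains them."""
    groups = {g for g, members in MANUAL_GROUPS.items() if user in members}
    groups |= {g for g, rule in JIT_GROUPS.items() if rule(attrs)}
    return {user} | groups

def is_permitted(user, attrs, activity, obj=None):
    """Deny-overrides evaluation (model's choice): any DENIED wins; without a GRANTED, no access."""
    principals = principals_for(user, attrs)
    decisions = {grant for p, grant, act, target in PERMISSIONS
                 if p in principals and act == activity and target in (None, obj)}
    return "GRANTED" in decisions and "DENIED" not in decisions

def tabs_for(user, attrs):
    """Tabs the user's layout should show, per the attribute and group rules."""
    principals = principals_for(user, attrs)
    tabs = []
    for kind, cond, tab in LAYOUT_RULES:
        if kind == "attribute" and attrs.get(cond[0]) == cond[1]:
            tabs.append(tab)
        elif kind == "group" and cond in principals:
            tabs.append(tab)
    return tabs
```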

IdM and Portlet Standards

Authentication JSR 168 API conveys a String username

User Attributes JSR 168 Portlet API conveys user attributes As declared in portlet.xml

Credentials? User attributes are whatever you want them to be. Passwords? CAS Proxy Tickets? Shibboleth delegable SAML assertions, Base64-encoded?

Roles: JSR 168 supports isUserInRole(); uPortal answers this by checking for membership in a group mapped to the role.

JSR 286 to the rescue? None of this changes.

Beyond JSR 168 Standards

“Limitations” of JSR 168 Conveys attributes, roles of the requesting user, but not other users.

User directory lookup; Identity Swapper; Attribute Swapper.

Selecting users and groups Present use case

Using JSR 168 APIs Jasig Announcements Portlet

Not Using JSR 168 APIs (legacy) Announcements Channel Channel publishing workflow

Delegated Authentication

Use case

Use case

Delegated Authentication: the user authenticates to the portal; the portal authenticates to a backing service on behalf of the user; data from the backing service informs the portal. (Image: http://www.flickr.com/photos/ntr23/730371240/)

Password Replay (diagram: the portal and every channel and password-protected service each hold a copy of the user’s password, PW). Just one of these needs to be compromised to attack the user “forever”!

Look Ma, No Password! Without a password to replay, how am I going to authenticate my portal to other applications?

Using CAS: optional support for making a Proxy CAS Ticket available to portlets using a user attribute.
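As an added example (not uPortal’s or CAS’s own code, and not the CAS wire protocol), this Python model shows why the proxy-ticket approach on this slide avoids the replay exposure of the Password Replay slide: the ticket the portal hands to a portlet is bound to one target service, usable once and short-lived, so a captured ticket is useless elsewhere or later. The “casProxyTicket” attribute name, the ticket format and the service URLs are assumptions.

```python
import secrets
import time

class ProxyTicketIssuer:
    """Constructed model of the property a proxy ticket gives the portal (not the
    CAS protocol itself): a ticket is bound to one target service, usable once
    and only briefly, so it cannot be replayed against another service or later."""

    def __init__(self, ttl_seconds=10):
        self._tickets = {}        # ticket -> (user, target service, expiry time)
        self.ttl = ttl_seconds

    def grant(self, user, target_service, now=None):
        """Issued to the portal after the user has logged in; the portal never
        needs the user's password for this."""
        ticket = "PT-" + secrets.token_urlsafe(16)   # assumed ticket format
        now = time.time() if now is None else now
        self._tickets[ticket] = (user, target_service, now + self.ttl)
        return ticket

    def validate(self, ticket, service, now=None):
        """Called by the backing service; returns the user or None."""
        record = self._tickets.pop(ticket, None)   # single use: gone after first check
        if record is None:
            return None
        user, bound_service, expires = record
        now = time.time() if now is None else now
        if bound_service != service or now > expires:
            return None
        return user


def portlet_attributes(issuer, user, target_service, now=None):
    """The portal exposes the proxy ticket to the portlet as a user attribute
    (the attribute name is assumed, not taken from uPortal)."""
    return {"username": user, "casProxyTicket": issuer.grant(user, target_service, now)}


def backing_service_lookup(issuer, service, attrs, now=None):
    """The portlet presents the ticket to its backing service, which validates it
    with the issuer before returning data for that user."""
    user = issuer.validate(attrs["casProxyTicket"], service, now)
    return None if user is None else {"user": user, "data": f"records for {user}"}
```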

CAS and Password Replay See the Sacramento State ClearPass CAS and uPortal add-ons

Using Shibboleth Optional support for making the SAML assertion available to the portlet

Identity Management and Access Control Challenges in uPortal

Challenge: Unloved UIs. Administrative UIs are unloved.

Partial solution in progress

Challenge: JIT With Shibboleth, user attributes may be available only just-in-time with end user login. Contrast with expectations of being able to directory-lookup users.

Challenge: How about roles? uPortal has no formal concept of roles distinct from groups. Of course you can use groups as roles, but it doesn’t necessarily feel natural.

Challenge: Maintaining code. PersonDirectory, GaPs, custom UIs. Some shared code evident: CAS example. Some sharing hoped for: reusable portlet Spring Web Flow workflows for group selection.

Questions? Discussion? Save it! Andrew Petro apetro@unicon.net www.unicon.net/blog/3