Identity and Access Management Challenges in uPortal

Presentation transcript:

1 Identity and Access Management Challenges in uPortal
Andrew Petro, ACAMP, Thursday 18 June 2009. © Copyright Unicon, Inc.

2 This session Continuing to explore identity services requirements, representatives from the Sakai and uPortal projects will provide overviews of their key challenges relating to identity and access management.

3 IdM and access control in uPortal today
IdM and Portlet Standards
Achieving Beyond Standards
Delegated Authentication
Challenges

4 What’s uPortal? Free and open source Java-implemented portal software by and for higher education. Hosts JSR 168 portlets Authentication, user attribute marshalling, groups, access control

5

6 What’s a portlet? It’s an indicator, self-service widget, small application, or whatever else running in a box in the portal.

7 What do I get for being a portlet?
Authentication
User Attributes
Roles
Access Control
Hosting and provisioning
Skinning
Monitoring and error handling

8 Identity Management and Access Control in uPortal

9 Authentication Embeds and relies upon Jasig CAS by default

10 Browser flow on login 1. uPortal 2. CAS 3. uPortal

11 Sharing a store of users
uPortal user store

12 User Attributes Drawn from LDAP and RDBMS Merged, cascaded, mapped, …
Pluggable API Factored out as Jasig PersonDirectory Now used in CAS

13 Groups In-portal manually managed JIT via rules about user attributes
LDAP / AD Filesystem batch extracts

14 Permissions Owned and registered by subsystems
PRINCIPAL is [GRANTED | DENIED] permission to ACTIVITY [on OBJECT]
Example: Portal Administrators are granted permission to modify the membership of the Channel Publishers group.

15 Permissions “Library administrators” are granted permission to modify the membership of the “Library Fragment Administrators” group.

16 Layout Templating Users with attribute “classYear” == 2010 should see the “Fourth Years” tab Users in the group “New to University” should see the “Getting Started” tab

17 IdM and Portlet Standards

18 Authentication JSR 168 API conveys a String username

19 User Attributes JSR 168 Portlet API conveys user attributes
As declared in portlet.xml

20 Credentials? User attributes are whatever you want them to be
Passwords? CAS Proxy Tickets? Shibboleth delegable SAML assertions Base64-encoded?

21 Roles JSR 168 supports an isUserInRole()
uPortal answers this by checking for membership in a group mapped to the role
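As an added example (not uPortal's own code), this Python sketch models the permission tuple from the Permissions slides, PRINCIPAL is [GRANTED | DENIED] permission to ACTIVITY [on OBJECT], resolved against manually managed and attribute-derived (JIT) groups, together with the role-to-group mapping uPortal uses to answer isUserInRole(). The user names, group names, activity name, attribute rule and the deny-overrides evaluation are constructed assumptions, not uPortal's actual semantics.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set


@dataclass(frozen=True)
class Permission:
    """PRINCIPAL is [GRANTED | DENIED] permission to ACTIVITY [on OBJECT]."""
    principal: str                 # a user name or a group name
    decision: str                  # "GRANTED" or "DENIED"
    activity: str
    target: Optional[str] = None   # None: the permission is not scoped to one object


# Constructed sample data (not from a real uPortal deployment).
MANUAL_GROUPS: Dict[str, Set[str]] = {                    # in-portal, manually managed
    "Portal Administrators": {"alice"},
    "Library administrators": {"bob"},
}
ATTRIBUTE_RULES: Dict[str, Callable[[dict], bool]] = {     # JIT groups from user attributes
    "New to University": lambda attrs: attrs.get("classYear") == 2013,
}
ROLE_TO_GROUP: Dict[str, str] = {"portal-admin": "Portal Administrators"}   # role -> group

POLICY: List[Permission] = [
    Permission("Portal Administrators", "GRANTED", "MODIFY_MEMBERSHIP", "Channel Publishers"),
    Permission("Library administrators", "GRANTED", "MODIFY_MEMBERSHIP", "Library Fragment Administrators"),
    Permission("bob", "DENIED", "MODIFY_MEMBERSHIP", "Channel Publishers"),   # explicit per-user deny
]


def groups_for(user: str, attrs: dict) -> Set[str]:
    """Manual memberships plus groups derived just-in-time from attribute rules."""
    groups = {g for g, members in MANUAL_GROUPS.items() if user in members}
    groups |= {g for g, rule in ATTRIBUTE_RULES.items() if rule(attrs)}
    return groups


def is_permitted(user: str, attrs: dict, activity: str, target: str,
                 policy: List[Permission] = POLICY) -> bool:
    principals = {user} | groups_for(user, attrs)
    applicable = [p for p in policy
                  if p.principal in principals and p.activity == activity
                  and p.target in (None, target)]
    if not applicable:
        return False          # nothing matched: default deny
    # Assumption made here: a DENIED entry for any of the user's principals overrides GRANTED.
    return all(p.decision == "GRANTED" for p in applicable)


def is_user_in_role(user: str, attrs: dict, role: str) -> bool:
    """JSR 168 isUserInRole() answered by membership in the group mapped to the role."""
    return ROLE_TO_GROUP.get(role) in groups_for(user, attrs)
```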

22 JSR 286 to the rescue? None of this changes.

23 Beyond JSR 168 Standards

24 “Limitations” of JSR 168 Conveys attributes, roles of the requesting user, but not other users.

User directory lookup
Identity Swapper
Attribute Swapper

26 Selecting users and groups
Present use case

27 Using JSR 168 APIs Jasig Announcements Portlet

28 Not Using JSR 168 APIs (legacy) Announcements Channel
Channel publishing workflow

29 Delegated Authentication

30 Use case

31 Use case

32 Delegated Authentication
User authenticates to portal Portal authenticates to a backing service on behalf of the user Data from backing service informs portal

33 Password Replay
[Diagram: the portal and several channels each hold a copy of the user's password (PW) and replay it to password-protected services.]
Just one of these needs to be compromised, to attack user “forever”!

34 Look Ma, No Password! Without a password to replay, how am I going to authenticate my portal to other applications?

35 Using CAS Optional support for making a Proxy CAS Ticket available to portlets using a user attribute

36 CAS and Password Replay
See the Sacramento State ClearPass CAS and uPortal add-ons

37 Using Shibboleth Optional support for making the SAML assertion available to the portlet

38 Identity Management and Access Control Challenges in uPortal

39 Challenge: Unloved UIs
Administrative UIs are unloved

40 Partial solution in progress

41 Challenge: JIT With Shibboleth, user attributes may be available only just-in-time with end user login. Contrast with expectations of being able to directory-lookup users.

42 Challenge: How about roles?
uPortal has no formal concept of roles distinct from groups Of course you can use groups as roles But it doesn’t necessarily feel natural

43 Challenge: Maintaining code
PersonDirectory, GaPs, custom UIs
Some shared code evident: CAS example
Some sharing hoped for: reusable portlet Spring Web Flow workflows for group selection

44 Questions? Discussion? Save it!
Andrew Petro
