
CIT’s Web Single Sign-on Service SRM Report CUWebAuth Investigation Identity Management Team OIT/CIT Security April 16, 2007.


2 Topics
- Products in question
- Review how we arrived at this juncture
- Present results of our research in terms of service goals
- Make recommendation
- Obtain your support

3 Components: Web Single Sign-on
- CUWebAuth
  - Software installed on individual web servers
  - Enables the application’s use of CIT’s authentication service via SideCar OR CUWebLogin
- CUWebLogin
  - Infrastructure component (two servers)
  - Handles authentication on behalf of the web-based service

4–11 Kerberos 5 Upgrade: Where Are We Now?
[Timeline figure, built up over eight slides; month axis labelled 2007 and 2008. Milestones shown: Campus Rollout Complete; K4 Shutdown; PS Student Launch; You Are Here; Discretionary migration window; 6/14 Identity Management Rollout; Code review (4 code bases); Security audit (new vulnerabilities); Rollout requirements (PS launch); window of opportunity.]

12 The Reasonable Options
- CUWA/CUWL 1.5 – Attempt to fix what we have
- CUWA/CUWL 2.0 – Re-build it the way it should be
- Move to an outside solution
  - Yale CAS
  - Stanford WebAuth
  - CoSign

13 Service goals considered
- Impact of change on campus developer community
- Minimal work required to migrate to new versions
- Support for required functionality
- Predictability of user experience
- Long-term viability of CIT’s authentication solution for web-based services
- Performance and scalability as use of CUWA and CUWL increase
- Support for new server operating systems and web servers (Apache, IIS)
- Support for future enhancements to authentication and authorization
- Security of central authentication services
- Efficient use of scarce CIT resources

14 Recommendation
[Timeline figure; month axis labelled 2007 and 2008. Items shown: 9/1 Identity Management Rollout; PS Student Launch; Develop CUWebAuth 2.0; CUWebAuth 2.0 Implementation; Fall 2007 deployment; Increase migration window; Discretionary migration window; K4 Shutdown; Campus Rollout Complete; Early Adopters.]

15 1. Why not go with CUWA 1.5?
- Condition of 8-year-old code has become a support burden
- Significant work required for even minor changes
- Impact of change on other portions of code difficult to test prior to release, results in more problems for campus service providers
- More bugs and security vulnerabilities as a result
- Currently requires 2 FTEs
- Increasing campus dependency on CUWebLogin = scalability and performance issues
- SideCar limitations and scheduled retirement
- Preference for web-based applications

16 2. What do we get by writing CUWA 2.0?
- Product that is easier to maintain
- Simpler protocol
- Legacy dependencies eliminated
- Less code duplication (one code base instead of four)
- More extensible code (and all within local control)
- More secure protocol
- More scalable web single sign-on solution
- No loss of required functions and features
- Relatively minimal impact on campus developers

17 3. Will we have to give up other work?
- Overall development effort not much different
  - CUWA 1.5 estimated 23.8 FTE weeks
  - CUWA 2.0 estimated 25.6 FTE weeks
- CUWA 1.5 work requires the skill-set of four members of current IdM team
- CUWA 2.0 work will require skill-set of only two members of current IdM team
- CUWA 2.0 choice frees up skill set required for key projects like Active Directory, PS/STARS, Automated Provisioning, Grouper/Signet

18 4. Would an outside solution be smarter?
- Assessment is “no” based on more than 100 hrs of research
- Alternatives may offer short-term wins for IdM development team, but would have significantly higher impact on user community
- Using these solutions off-the-shelf, without mods:
  - we give up features we currently have (ex: POST data support)
  - or we accept the same vulnerabilities we have with CUWA 1.5
- Making mods to these outside solutions:
  - may take as much or more time as re-writing CUWA 2.0
  - requires unknown level of cooperation with other institutions
  - may cause entanglements and dependencies beyond our control

19 5. What are the longer-term implications?
- Lower maintenance cost, from 2 FTEs to 1
- Better security
- More predictable user experience
- Positions us better for future enhancements to authentication and authorization services
- Opportunity for open-source release

20 Summary: Pros and Cons
- Webauth 1.5
  - Pro: Lowest short-term risk
  - Con: Limited benefit
- Webauth 2.0
  - Pro: Best long-term solution
  - Con: Slightly more short-term work
- CAS
  - Pro: Great Java integration
  - Con: Most expensive for the rest of campus; security not great
- Stanford
  - Pro: Lowest deployment cost for Identity Management
  - Con: Complex infrastructure and missing features

21 Questions?

22 http://identity.cit.cornell.edu/projects/index.html

23 Identity Management aadssupport@cornell.edu

