jeremy-rosenberg

Description: The 2012 annual update to the BCNET Identity Management Working Group about Simon Fraser University's major initiatives.
BCNET 2012
SFU Identity Management: Current and Planned Projects

About this Presentation
• SFU IdAM Overview
• InCommon Best Practices Analysis
• CAS Upgrades
• API Access Control
• Alumni Account Integration
• Group Management Re-architecture
• Identity Messaging Re-architecture
Authentication Services
Authorization Services
InCommon Bronze Analysis
• SFU IdAM vs Bronze Assurance Requirements
  – Resistance to Guessing Authentication Secret
  – Protected Authentication Secrets
  – Resist Eavesdropper
  – Identity Record Qualification
Jasig CAS
• CAS Upgrades
  – Upgrading from 3.3 to 3.4
  – Provides SAML support
  – Running on vanilla Tomcat
API Access Control
• API Access Control
  – REST APIs for public institutional data
  – CAS integration
  – OAuth proof of concept
Alumni Account Integration
• Legacy system maintains a separate LDAP server
• All users now keep a login-only account
• Merging alumni identity back into main account
• Keep @sfu.ca forwarding for alumni
Grouper
• Group Management Re-architecture
  – Installing Grouper 2.0 (http://internet2.edu/grouper/)
  – Decoupling Maillist from Group Management
  – Creating permission management opportunities
  – New LDAP Groups Structure (coming soon)
Permission Management
• Permission Management
  – Grouper provided
  – Decouple provisioning from permissions
• An account doesn't do anything by default
• Permissions are added as assured
JMS at SFU
Introducing JMS into the middleware layer
Background
• Meta-directory, Amaint, receives data from PS systems, creates computing accounts
• Accounts and changes pushed to LDAP, AD, WebCT, Zimbra via in-house “update daemon”
• Desire to move to modern standards-based mechanism to communicate changes
What is JMS?
• Java Messaging Services – but not limited to Java applications
• A standard for passing messages between applications in a loosely-coupled, asynchronous manner
• Can involve brokers, for queuing messages, and routers, for doing sophisticated handling of messages
Full-Featured Open Source Apps
• Apache ActiveMQ as Message Broker
  – Store and forward messages
  – Persistent storage across outages
  – Support for clustering and failover
• Apache Camel as Message Router
  – Huge built-in library of endpoints and functions supported for processing messages
  – Packaged as a library that can be added to an existing app (such as ActiveMQ)
Apache ActiveMQ
Apache Camel
Camel Integration

Phase 1 implementation
[Diagram: Amaint, Grouper, ActiveMQ, Camel and the Updater, with LDAP, AD and WebCT as the provisioning targets; the links are labelled XML (four of them) and JSON (one).]
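A toy model of the Phase 1 flow above, added here as an example and not code from the SFU deck: an Amaint-style producer publishes XML account-change events to an in-memory queue standing in for ActiveMQ, and a Camel-style router validates each message and fans it out to the LDAP, AD and WebCT updaters, with the WebCT leg carried as JSON as in the diagram. The message schema, the dedup-on-message-id rule, the rule that disabled accounts are not sent to WebCT, and all sample messages are assumptions constructed for this example.

```python
# Toy model of the Phase 1 flow (Amaint -> ActiveMQ -> Camel -> Updater -> LDAP/AD/WebCT);
# a deque stands in for the broker and every message in run_demo() is constructed for the demo.
import json
import xml.etree.ElementTree as ET
from collections import deque

REQUIRED = ("id", "username", "action")    # assumed message schema, not SFU's
ACTIONS = {"create", "update", "disable"}

def amaint_event(msg_id, username, action):
    # Producer side: the XML change event an Amaint-style meta-directory would publish.
    root = ET.Element("accountChange", id=msg_id, action=action)
    ET.SubElement(root, "username").text = username
    return ET.tostring(root, encoding="unicode")

def parse_event(xml_text):
    # Router side: parse and validate; anything outside the expected schema is rejected.
    root = ET.fromstring(xml_text)
    event = {"id": root.get("id"), "action": root.get("action"), "username": root.findtext("username")}
    if root.tag != "accountChange" or any(not event[k] for k in REQUIRED) \
            or event["action"] not in ACTIONS:
        raise ValueError("malformed account change: %r" % event)
    return event

class Router:   # Camel-like dispatch: one queue in, per-target updaters out, dedup on message id
    def __init__(self):
        self.targets = {"ldap": [], "ad": [], "webct": []}
        self.seen = set()     # ids already applied, so a redelivered message becomes a no-op
        self.rejected = []    # dead-letter list: a bad message is never partially applied
    def consume(self, queue):
        while queue:
            try:
                event = parse_event(queue.popleft())
            except (ET.ParseError, ValueError) as exc:
                self.rejected.append(str(exc))
                continue
            if event["id"] in self.seen:   # store-and-forward broker redelivered it after an outage
                continue
            self.seen.add(event["id"])
            self.targets["ldap"].append(event)
            self.targets["ad"].append(event)
            if event["action"] != "disable":   # assumed rule: WebCT only receives active accounts
                self.targets["webct"].append(json.dumps(event))   # JSON leg, as in the diagram
        return self

def run_demo():
    broker = deque([amaint_event("m1", "jdoe", "create"),
                    amaint_event("m1", "jdoe", "create"),     # redelivered duplicate of m1
                    amaint_event("m2", "jdoe", "disable"), "<not-xml",
                    "<accountChange id='m3' action='delete'><username>x</username></accountChange>"])
    return Router().consume(broker)
```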
The Future
• New LMS integration
• More event-driven communications
• Syslog into JMS (e.g. sign-in events)
• Workflow into Camel
• PS integration