Update on Institutional Identity Management Priorities at SFU

Post on 12-May-2015


The 2012 annual update to the BCNET Identity Management Working Group about Simon Fraser University's major initiatives.

Transcript of Update on Institutional Identity Management Priorities at SFU

BCNET 2012

SFU Identity Management: Current and Planned Projects

• SFU IdAM Overview
• InCommon Best Practices Analysis
• CAS Upgrades
• API Access Control
• Alumni Account Integration
• Group Management Re-architecture
• Identity Messaging Re-architecture

About this Presentation


Authentication Services


Authorization Services


• SFU IdAM vs Bronze Assurance Requirements

• Resistance to Guessing Authentication Secret

• Protected Authentication Secrets

• Resist Eavesdropper

• Identity Record Qualification

InCommon Bronze Analysis


• CAS Upgrades
• Upgrading from 3.3 to 3.4
• Provides SAML support
• Running on vanilla Tomcat

Jasig CAS


• API Access Control
• REST APIs for public institutional data
• CAS integration
• OAuth proof of concept

API Access Control


• Alumni Account Integration
• Legacy system maintains a separate LDAP server
• All users now keep a login-only account
• Merging alumni identity back into the main account
• Keep @sfu.ca forwarding for alumni

Alumni Account Integration


• Group Management Re-architecture
• Installing Grouper 2.0 (http://internet2.edu/grouper/)
• Decoupling Maillist from Group Management
• Creating permission management opportunities
• New LDAP Groups Structure (coming soon)

Grouper


• Permission Management
• Grouper provided
• Decouple provisioning from permissions
• An account doesn’t do anything by default
• Permissions are added as assured

Permission Management
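The two bullets above (an account does nothing by default; permissions are added as assured) describe a deny-by-default authorization model kept separate from account provisioning. The following is an added illustration written for this page, not SFU's or Grouper's code: it assumes a hypothetical ordered assurance scale (modelled loosely on InCommon Bronze/Silver), stores accounts and permission grants separately, and only grants a permission when the identity record's assurance meets the permission's minimum.

```python
"""Deny-by-default permission model decoupled from account provisioning.

Added illustration (not SFU's or Grouper's code). The account store and the
permission store are separate: provisioning an account grants nothing, and a
grant succeeds only when the account's assurance level is at least the level
the permission requires. The assurance scale below is hypothetical.
"""
from dataclasses import dataclass, field

# Ordered assurance levels (hypothetical scale, loosely modelled on InCommon Bronze/Silver).
ASSURANCE_RANK = {"none": 0, "bronze": 1, "silver": 2}


@dataclass
class Account:
    username: str
    assurance: str = "none"   # raised later by the identity-record qualification step


@dataclass
class PermissionStore:
    required: dict = field(default_factory=dict)   # permission -> minimum assurance
    grants: dict = field(default_factory=dict)     # username -> set of permissions

    def define(self, permission: str, min_assurance: str) -> None:
        self.required[permission] = min_assurance

    def grant(self, account: Account, permission: str) -> bool:
        """Grant only if the account's assurance satisfies the permission's minimum."""
        if permission not in self.required:
            raise KeyError(f"unknown permission {permission!r}")
        needed = ASSURANCE_RANK[self.required[permission]]
        if ASSURANCE_RANK[account.assurance] < needed:
            return False
        self.grants.setdefault(account.username, set()).add(permission)
        return True

    def allowed(self, username: str, permission: str) -> bool:
        """Deny by default: no grant record means no permission."""
        return permission in self.grants.get(username, set())


def provision(accounts: dict, username: str) -> Account:
    """Provisioning creates the login and deliberately touches no permissions."""
    acct = Account(username)
    accounts[username] = acct
    return acct


def demo() -> dict:
    """Walk one account through provisioning, qualification and granting."""
    accounts: dict = {}
    perms = PermissionStore()
    perms.define("library:borrow", "none")
    perms.define("hr:view-payroll", "bronze")

    alice = provision(accounts, "alice")
    results = {"fresh_account_can_borrow": perms.allowed("alice", "library:borrow")}
    # Grant attempted before the identity record is qualified: refused.
    results["grant_before_qualification"] = perms.grant(alice, "hr:view-payroll")
    alice.assurance = "bronze"          # identity record qualified to Bronze
    results["grant_after_qualification"] = perms.grant(alice, "hr:view-payroll")
    results["payroll_after_grant"] = perms.allowed("alice", "hr:view-payroll")
    results["unknown_user"] = perms.allowed("mallory", "hr:view-payroll")
    return results
```

Note that `library:borrow` requires no assurance at all, yet a freshly provisioned account still cannot use it until something explicitly grants it; that is the "does nothing by default" property, independent of the assurance gate.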


JMS at SFU: Introducing JMS into the middleware layer


Background

• The meta-directory, Amaint, receives data from PS systems and creates computing accounts

• Accounts and changes pushed to LDAP, AD, WebCT, Zimbra via in-house “update daemon”

• Desire to move to modern standards-based mechanism to communicate changes


What is JMS?

• Java Messaging Services – but not limited to Java applications

• A standard for passing messages between applications in a loosely-coupled, asynchronous manner

• Can involve brokers, for queuing messages, and routers, for doing sophisticated handling of messages


Full-Featured Open Source Apps

• Apache ActiveMQ as Message Broker
– Store and forward messages
– Persistent storage across outages
– Support for clustering and failover

• Apache Camel as Message Router
– Huge built-in library of endpoints and functions supported for processing messages
– Packaged as a library that can be added to an existing app (such as ActiveMQ)


Apache ActiveMQ


Apache Camel


Camel Integration

Phase 1 implementation

[Diagram: Phase 1 implementation. Components shown: Amaint, ActiveMQ, Camel, Updater and Grouper, with LDAP, AD and WebCT as downstream targets; message formats labelled XML and JSON.]
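The JMS slides above describe a store-and-forward broker that keeps messages across outages and a router that reshapes messages for each consumer, and the Phase 1 diagram shows Amaint publishing account changes that reach the Updater as XML and Grouper as JSON. The following is an added illustration written for this page, not SFU's code and not ActiveMQ or Camel themselves: an in-process model of that flow with a journaled queue that survives a simulated restart and a router that fans one XML event out to an XML consumer and a JSON consumer. The event schema and the sample event are constructed.

```python
"""Model of the Phase 1 message flow: producer -> durable queue -> router -> consumers.

Added illustration, not SFU's code and not ActiveMQ or Camel. The Broker is a
stand-in for a JMS broker with persistent storage; route() is a stand-in for a
Camel route. Component names (Amaint, Updater, Grouper) follow the slides; the
accountChange XML schema is hypothetical and the sample event is constructed.
"""
import json
import xml.etree.ElementTree as ET
from collections import deque
from dataclasses import dataclass, field

# Constructed sample event, as Amaint might publish it (schema is hypothetical).
SAMPLE_EVENT_XML = (
    "<accountChange><username>jdoe</username><action>update</action>"
    "<attributes><mail>jdoe@sfu.ca</mail><status>active</status></attributes>"
    "</accountChange>"
)


@dataclass
class Broker:
    """Store-and-forward queue; `journal` stands in for the broker's persistent store."""
    queue: deque = field(default_factory=deque)
    journal: list = field(default_factory=list)

    def publish(self, body: str) -> None:
        self.journal.append(body)   # persisted before delivery, so an outage cannot lose it
        self.queue.append(body)

    def recover(self) -> "Broker":
        """Simulate a broker restart: rebuild the in-memory queue from the journal."""
        return Broker(queue=deque(self.journal), journal=list(self.journal))

    def consume(self):
        while self.queue:
            yield self.queue.popleft()


def parse_event(xml_body: str) -> dict:
    """Parse one accountChange event; rejects anything with a different root element."""
    # For input from untrusted producers a hardened parser (e.g. defusedxml) is preferable;
    # the stdlib parser suffices for this in-process model.
    root = ET.fromstring(xml_body)
    if root.tag != "accountChange":
        raise ValueError("unexpected root element")
    attrs_el = root.find("attributes")
    attrs = {child.tag: child.text for child in attrs_el} if attrs_el is not None else {}
    return {
        "username": root.findtext("username"),
        "action": root.findtext("action"),
        "attributes": attrs,
    }


def route(broker: Broker) -> dict:
    """Camel-style router: one XML source, two outputs in the format each target expects."""
    to_updater, to_grouper = [], []
    for body in broker.consume():
        event = parse_event(body)
        to_updater.append(body)   # the Updater keeps consuming the original XML
        to_grouper.append(json.dumps(
            {"subject": event["username"], "action": event["action"]}, sort_keys=True))
    return {"updater": to_updater, "grouper": to_grouper}


def demo() -> dict:
    """Publish one event, lose the in-memory queue to an outage, recover, then route."""
    broker = Broker()
    broker.publish(SAMPLE_EVENT_XML)
    broker.queue.clear()            # outage before delivery: memory gone, journal intact
    recovered = broker.recover()
    return route(recovered)
```

The design point is the decoupling the slides call for: Amaint only needs to know the queue, not the Updater or Grouper, and adding another consumer (the "new LMS integration" on the next slide) means adding a branch in the router rather than changing the producer.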

The Future

• New LMS integration
• More event-driven communications
• Syslog into JMS (e.g. sign-in events)
• Workflow into Camel
• PS integration
