Update on Institutional Identity Management Priorities at SFU
Uploader: jeremy-rosenberg
Transcript of Update on Institutional Identity Management Priorities at SFU
BCNET 2012
About this Presentation
SFU Identity Management: Current and Planned Projects
• SFU IdAM Overview
• InCommon Best Practices Analysis
• CAS Upgrades
• API Access Control
• Alumni Account Integration
• Group Management Re-architecture
• Identity Messaging Re-architecture
Authentication Services
Authorization Services
InCommon Bronze Analysis
• SFU IdAM vs Bronze Assurance Requirements
• Resistance to Guessing Authentication Secret
• Protected Authentication Secrets
• Resist Eavesdropper
• Identity Record Qualification
Jasig CAS
• CAS Upgrades
• Upgrading from 3.3 to 3.4
• Provides SAML Support
• Running on vanilla Tomcat
API Access Control
• API Access Control
• REST APIs for public institutional data
• CAS Integration
• OAuth proof of concept
Alumni Account Integration
• Alumni Account Integration
• Legacy system maintains a separate LDAP server
• All users now keep a login-only account
• Merging alumni identity back into main account
• Keep @sfu.ca forwarding for alumni
Grouper
• Group Management Re-architecture
• Installing Grouper 2.0 (http://internet2.edu/grouper/)
• Decoupling Maillist from Group Management
• Creating permission management opportunities
• New LDAP Groups Structure (coming soon)
Permission Management
• Permission Management
• Grouper provided
• Decouple Provisioning from permissions
• An account doesn’t do anything by default
• Permissions are added as assured
JMS at SFU
Introducing JMS into the middleware layer
Background
• Meta-directory, Amaint, receives data from PS systems, creates computing accounts
• Accounts and changes pushed to LDAP, AD, WebCT, Zimbra via in-house “update daemon”
• Desire to move to modern standards-based mechanism to communicate changes
What is JMS?
• Java Messaging Services – but not limited to Java applications
• A standard for passing messages between applications in a loosely-coupled, asynchronous manner
• Can involve brokers, for queuing messages, and routers, for doing sophisticated handling of messages
Full-Featured Open Source Apps
• Apache ActiveMQ as Message Broker
  – Store and forward messages
  – Persistent storage across outages
  – Support for clustering and failover
• Apache Camel as Message Router
  – Huge built-in library of endpoints and functions supported for processing messages
  – Packaged as a library that can be added to an existing app (such as ActiveMQ)
Apache ActiveMQ
Apache Camel
Camel Integration
Phase 1 implementation
[Diagram: Phase 1 implementation. Components shown: Amaint, Grouper, ActiveMQ, Camel, Updater, LDAP, AD, WebCT. Message links are labelled XML (four) and JSON (one).]
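A Camel RouteBuilder for the Phase 1 flow sketched in the diagram above, added here as an illustration and not taken from SFU's implementation. Queue names, header names, the updater bean names and the choice of WebCT as the JSON consumer are assumptions.

```java
import org.apache.camel.builder.RouteBuilder;

/**
 * Camel routes mirroring the Phase 1 flow: account-change events from the
 * Amaint meta-directory arrive on an ActiveMQ queue and are fanned out to
 * the LDAP, AD and WebCT updaters. All queue names, header names and bean
 * names are assumptions for this example, not SFU's configuration.
 */
public class AccountChangeRoutes extends RouteBuilder {

    @Override
    public void configure() {
        // Messages that still fail after three redeliveries are parked on a
        // dead-letter queue with their original body, so an outage at one
        // target (e.g. AD unreachable) never silently drops an account change.
        errorHandler(deadLetterChannel("activemq:queue:amaint.changes.dlq")
                .maximumRedeliveries(3)
                .redeliveryDelay(5000)
                .useOriginalMessage());

        from("activemq:queue:amaint.changes")
            .routeId("amaint-fanout")
            // Reject events that lack the expected headers before they reach
            // any provisioning target; validate() throws, so the error handler
            // routes them to the dead-letter queue for inspection.
            .validate(header("eventType").isNotNull())
            .validate(header("username").isNotNull())
            // One persistent queue per target: a slow or failed updater only
            // delays its own queue, not the other targets.
            .multicast()
                .to("activemq:queue:updater.ldap",
                    "activemq:queue:updater.ad",
                    "activemq:queue:updater.webct");

        // Each updater is a bean in the Camel registry (assumed names) that
        // applies the XML change record to its directory or application.
        from("activemq:queue:updater.ldap")
            .routeId("ldap-updater")
            .to("bean:ldapUpdater?method=apply");

        from("activemq:queue:updater.ad")
            .routeId("ad-updater")
            .to("bean:adUpdater?method=apply");

        // The diagram shows one JSON link; here it is assumed to be WebCT,
        // whose updater bean converts the XML body to JSON before delivery.
        from("activemq:queue:updater.webct")
            .routeId("webct-updater")
            .to("bean:webctUpdater?method=applyAsJson");
    }
}
```

The dead-letter queue doubles as the place to monitor for rejected or repeatedly failing provisioning events.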
The Future
• New LMS integration
• More event-driven communications
• Syslog into JMS (e.g. sign-in events)
• Workflow into Camel
• PS Integration