Identity and Access Management Challenges in uPortal
Identity and Access Management Challenges in uPortal Andrew Petro ACAMP
Thursday 18 June 2009 Copyright Unicon, Inc., 2006-2009. http://creativecommons.org/licenses/by-sa/3.0/us/
This session Continuing to explore identity services requirements, representatives from the Sakai and uPortal projects will provide overviews of their key challenges relating to identity and access management.
1. IdM and access control in uPortal today 2. IdM and Portlet Standards 3. Achieving Beyond Standards 4. Delegated Authentication 5. Challenges
Whats uPortal? Free and open source Java-implemented portal software by and for higher education. Hosts JSR 168 portlets Authentication, user attribute marshalling,
groups, access control Whats a portlet? Its an indicator, self-service widget, small application, or whatever else running in a box in the portal.
What do I get for being a portlet? Authentication User Attributes Roles Access Control
Hosting and provisioning Skinning Monitoring and error handling Identity Management and
Access Control in uPortal Authentication Embeds and relies upon Jasig CAS by default
Browser flow on login 1. uPortal 2. CAS
3. uPortal Sharing a store of users uPortal user
store User Attributes Drawn from LDAP and RDBMS Merged, cascaded, mapped, Pluggable API
Factored out as Jasig PersonDirectory Now used in CAS Groups In-portal manually managed JIT via rules about user attributes
LDAP / AD Filesystem batch extracts Permissions Owned and registered by subsystems PRINCIPAL is [GRANTED | DENIED]
permission to ACTIVITY [on OBJECT] Portal Administrators are granted permission to modify the membership of the Channel Publishers group
Permissions Library administrators are granted permission to modify the membership of the Library Fragment Administrators group. Layout Templating
Users with attribute classYear == 2010 should see the Fourth Years tab Users in the group New to University should see the Getting Started tab IdM and Portlet Standards
Authentication JSR 168 API conveys a String username User Attributes JSR 168 Portlet API conveys user attributes
As declared in portlet.xml Credentials? User attributes are whatever you want them to be Passwords?
CAS Proxy Tickets? Shibboleth delegable SAML assertions Base64-encoded? Roles JSR 168 supports an isUserInRole()
uPortal answers this by checking for membership in a group mapped to the role JSR 286 to the rescue? None of this changes.
Beyond JSR 168 Standards Limitations of JSR 168 Conveys attributes, roles of the requesting user, but not other users.
User directory lookup Identity Swapper Attribute Swapper Selecting users and groups Present use case
Using JSR 168 APIs Jasig Announcements Portlet Not Using JSR 168 APIs (legacy) Announcements Channel
Channel publishing workflow Delegated Authentication Use case
Use case Delegated Authentication User authenticates to portal Portal authenticates to a backing service on behalf of the user
Data from backing service informs portal http://www.flickr.com/photos/ntr23/730371240/ Password Replay
PW PW PW Channel
PW PW PW
Channel PW Portal Channel
PW PasswordProtected Service PW
PasswordProtected Service PW PasswordProtected
Service PW Look Ma, No Password! Without a password to replay, how am I going to authenticate my portal to other
applications? ? Using CAS Optional support for making a Proxy CAS
Ticket available to portlets using a user attribute CAS and Password Replay See the Sacramento State ClearPass CAS and uPortal add-ons
Using Shibboleth Optional support for making the SAML assertion available to the portlet Identity Management
and Access Control Challenges in uPortal Challenge: Unloved UIs Administrative UIs are unloved
Partial solution in progress Challenge: JIT With Shibboleth, user attributes may be available only just-in-time with end user login.
Contrast with expectations of being able to directory-lookup users. Challenge: How about roles? uPortal has no formal concept of roles distinct from groups
Of course you can use groups as roles But it doesnt necessarily feel natural Challenge: Maintaining code PersonDirectory, GaPs, custom UIs,
Some shared code evident: CAS example Some sharing hoped for: reusable portlet Spring Web Flow workflows for group selection Questions? Discussion? Save it!
Elkins High School. ... Naviance is your way to communicate your strengths, career choices, colleges and careers you will pursue. Naviance Allows you to communicate with your counselors, teachers, College & career Readiness Advisor, colleges, scholarships, and even parents about...
Looking forward at … what happens when two waves combine, or interfere, in space. how to understand the interference pattern formed by the interference of two coherent light waves. how to calculate the intensity at various points in an interference...
From Mark Rosengarten's New York Regent's Powerpoint Chemistry EOC Review—Atomic Structure Rutherford Model The atom is made of a small, dense, positively charged nucleus with electrons at a distance, the vast majority of the volume of the atom is empty...
Broken Record Don't take the bait "I hear what you're saying…" Three strikes You're out! The One-minute lecture 30 seconds of feeling 10 seconds of silence 20 seconds of compassion The Teacher - An Instrument of Power by Haim Ginott...
Buy Mathswatch CD (Foundation/ Higher) Buy CGP revision guide and workbook. Download AQA past papers/ Complete specimen papers. Use the internet; BBC Bitesize, Samlearning, Mymaths. Ask their maths teacher.
ion names, symbols & charges dr. jerry e. sipe ivy tech community college * hg+ mercury(i) ion mercuric ion * mno4- permanganate ion * mg+2 magnesium ion * hg+2 mercury(ii) ion mercuric ion * so3-2 sulfite ion * nitrite ion...
It was my first summer job and it was such a fantastic opportunity. There were many perks to working for American Inline. The pay was great for a first job,I got more than enough hours to work, and the shifts...
Ready to download the document? Go ahead and hit continue!