Identity and Access Management Challenges in uPortal


Andrew Petro, ACAMP
Thursday 18 June 2009
Copyright Unicon, Inc., 2006-2009. http://creativecommons.org/licenses/by-sa/3.0/us/

This session
Continuing to explore identity services requirements, representatives from the Sakai and uPortal projects will provide overviews of their key challenges relating to identity and access management.

1. IdM and access control in uPortal today
2. IdM and Portlet Standards
3. Achieving Beyond Standards
4. Delegated Authentication
5. Challenges

What's uPortal?
Free and open source Java-implemented portal software by and for higher education.
Hosts JSR 168 portlets.
Provides authentication, user attribute marshalling, groups, and access control.

What's a portlet?
It's an indicator, self-service widget, small application, or whatever else running in a box in the portal.

What do I get for being a portlet?
Authentication
User Attributes
Roles
Access Control
Hosting and provisioning
Skinning
Monitoring and error handling

Identity Management and Access Control in uPortal

Authentication
Embeds and relies upon Jasig CAS by default.

Browser flow on login
1. uPortal
2. CAS
3. uPortal
Sharing a store of users (the uPortal user store).

User Attributes
Drawn from LDAP and RDBMS.
Merged, cascaded, mapped.
Pluggable API.
Factored out as Jasig PersonDirectory; now used in CAS.

Groups
In-portal, manually managed.
JIT via rules about user attributes.
LDAP / AD.
Filesystem batch extracts.

Permissions
Owned and registered by subsystems.
PRINCIPAL is [GRANTED | DENIED] permission to ACTIVITY [on OBJECT]
Portal Administrators are granted permission to modify the membership of the Channel Publishers group.
Library administrators are granted permission to modify the membership of the Library Fragment Administrators group.

Layout Templating
Users with attribute classYear == 2010 should see the Fourth Years tab.
Users in the group New to University should see the Getting Started tab.

IdM and Portlet Standards

Authentication
The JSR 168 API conveys a String username.

User Attributes
The JSR 168 Portlet API conveys user attributes, as declared in portlet.xml.

Credentials?
User attributes are whatever you want them to be.
Passwords?
CAS Proxy Tickets?
Shibboleth delegable SAML assertions, Base64-encoded?

Roles
JSR 168 supports an isUserInRole().
uPortal answers this by checking for membership in a group mapped to the role.

JSR 286 to the rescue?
None of this changes.
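An added toy model of the slides' permission grammar (PRINCIPAL is GRANTED|DENIED permission to ACTIVITY [on OBJECT]), just-in-time groups from attribute rules, layout templating rules, and isUserInRole() answered by a role-to-group mapping; this is illustration code, not uPortal's own API, and all users, groups, activities and rules are constructed. It assumes an explicit DENY on the user or any of the user's groups outranks a GRANT, which is the safe reading of the [GRANTED | DENIED] clause.

```python
# Toy model (not uPortal's API) of the permission grammar on the slides:
# PRINCIPAL is GRANTED|DENIED permission to ACTIVITY [on OBJECT], groups that are
# managed by hand or resolved just-in-time from attribute rules, and JSR 168
# isUserInRole() answered by group membership. All names and data are constructed.

# Just-in-time groups: group name -> predicate over the user's attributes
JIT_GROUP_RULES = {"Fourth Years": lambda attrs: attrs.get("classYear") == 2010}

# Manually managed groups: group name -> members
MANAGED_GROUPS = {
    "Portal Administrators": {"alice"},
    "Channel Publishers": {"bob"},
    "New to University": {"carol"},
}

# (principal, activity, target) -> "GRANT" | "DENY"; target None means no OBJECT
PERMISSIONS = {
    ("Portal Administrators", "MODIFY_MEMBERSHIP", "Channel Publishers"): "GRANT",
    ("bob", "MODIFY_MEMBERSHIP", "Channel Publishers"): "DENY",
    ("Channel Publishers", "PUBLISH_CHANNEL", None): "GRANT",
}

# Portlet role -> portal group, the mapping behind isUserInRole()
ROLE_TO_GROUP = {"admin": "Portal Administrators", "publisher": "Channel Publishers"}

def groups_of(user, attrs):
    """Managed groups the user is listed in plus JIT groups whose rule matches."""
    groups = {g for g, members in MANAGED_GROUPS.items() if user in members}
    groups |= {g for g, rule in JIT_GROUP_RULES.items() if rule(attrs)}
    return groups

def has_permission(user, attrs, activity, target=None):
    """Evaluate over the user and every group of the user; an explicit DENY wins."""
    principals = {user} | groups_of(user, attrs)
    decisions = {PERMISSIONS.get((p, activity, target)) for p in principals}
    return "DENY" not in decisions and "GRANT" in decisions

def is_user_in_role(user, attrs, role):
    """JSR 168 isUserInRole(): true iff the user is in the group mapped to the role."""
    group = ROLE_TO_GROUP.get(role)
    return group is not None and group in groups_of(user, attrs)

def visible_tabs(user, attrs):
    """Layout templating: a tab is shown when its group (managed or JIT) matches."""
    tab_for_group = {"Fourth Years": "Fourth Years", "New to University": "Getting Started"}
    return sorted(tab for g, tab in tab_for_group.items() if g in groups_of(user, attrs))
```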

Beyond JSR 168 Standards

Limitations of JSR 168
Conveys attributes and roles of the requesting user, but not of other users.
User directory lookup
Identity Swapper
Attribute Swapper

Selecting users and groups
Present use case
Using JSR 168 APIs: Jasig Announcements Portlet
Not using JSR 168 APIs (legacy): Announcements Channel
Channel publishing workflow

Delegated Authentication

Use case
User authenticates to portal.
Portal authenticates to a backing service on behalf of the user.
Data from backing service informs portal.
http://www.flickr.com/photos/ntr23/730371240/

Password Replay
Diagram: the Portal passes the user's password (PW) to each Channel, and each Channel replays it to a Password-Protected Service.

Look Ma, No Password!
Without a password to replay, how am I going to authenticate my portal to other applications?

Using CAS
Optional support for making a Proxy CAS Ticket available to portlets using a user attribute.

CAS and Password Replay
See the Sacramento State ClearPass CAS and uPortal add-ons.

Using Shibboleth
Optional support for making the SAML assertion available to the portlet.

Identity Management and Access Control Challenges in uPortal

Challenge: Unloved UIs
Administrative UIs are unloved.
Partial solution in progress.

Challenge: JIT
With Shibboleth, user attributes may be available only just-in-time with end user login.
Contrast with expectations of being able to directory-lookup users.

Challenge: How about roles?
uPortal has no formal concept of roles distinct from groups.
Of course you can use groups as roles, but it doesn't necessarily feel natural.

Challenge: Maintaining code
PersonDirectory, GaPs, custom UIs,
Some shared code evident: CAS example.
Some sharing hoped for: reusable portlet Spring Web Flow workflows for group selection.

Questions? Discussion? Save it!

Andrew Petro
[email protected]
www.unicon.net/blog/3
