April 22nd 2008 Internet2 Spring member meeting Caleb Racey Newcastle University UK http://gfivo.ncl.ac.uk Studies in Advanced Access Management

Page 1: April 22nd 2008 Internet2 Spring member meeting Caleb Racey Newcastle University UK  Studies in Advanced Access Management

April 22nd 2008 Internet2 Spring member meeting

Caleb Racey, Newcastle University, UK, http://gfivo.ncl.ac.uk

Studies in Advanced Access Management

Page 2

Context: Who Am I

• Team Leader Middleware team, Newcastle University

• 8 years experience of Systems Admin for Web

• 5 years working on SSO issues

• 4 years with shibboleth

• 1 year with grouper

Page 3

Context: Newcastle university

• UK University
• 4,700 staff, 17,000 students
• Research intensive
• Medical school
• Centralised IT service

Page 4

Context: identity experiences

No central directory

No central identity source

Identity management is ad hoc

Deployment by advocacy rather than policy

Large mature shibboleth deployment

10% of entities registered in UK federation

Shib used more internally than externally

Page 5

Context: What is grouper

• System for managing group information
• Collaborative effort from Internet2
• API for managing groups
– Supports “group math”
– Uses the Subject API
• UI + webservice + shell interfaces onto the API

http://middleware.internet2.edu/dir/groups/grouper/

Page 6

Newcastle’s grouper deployment

GFIVO: JISC funded 2 year project

Agenda
• What problem are we trying to solve
• What we hope to gain
• Why we want grouper
• What we are doing
• Lessons learned

Page 7

What problem are we trying to solve

Access control to systems

Targeted information flow:
• the right information to the right people

Mess of group information in apps:
• most have their own group management
• same groups replicated many times (differently)
– duplication of effort
– valuable business information inaccessible
– user confusion

Growing federated nature of identity and applications

Shib has exposed our weak ID management

Page 8

What do we hope to gain

Technically

Centralised reusable group management

Lower app development times

Better user experience

Consistency in service

Greater control for helpdesk

Intangibles

Greater user awareness of:

access control

personal identity information

Democratisation of access control

Page 9

Why we want grouper

• Group info key to identity management in HE
• Mature: developed by people active in group management for years
• Good community of developers/users
• Supports multiple user interfaces
• Understands fragmented identity stores
• Federatable (via shib)
• Good licence (Apache licence)

Page 10

What we are doing

Incremental, phased roll-out strategy

Federated use case from day 1

Set up a loosely coupled raft of applications

No LDAP

No Signet

Page 11

Where is existing group information

• SAP ERP system
• VLEs (Blackboard, Plone, Moodle, coursework)
• Email lists
• Web site (MyProfiles)
• Paper in offices
• Reading lists
• Library systems (Aleph)
• SharePoint
• Nowhere
• Facebook!

Page 12

Use cases (Phase I)

Research support:
• Research wikis (federated)
• Blogs
• Email lists (federated)
• Sakai research platform (federated)

Teaching and learning:
• Podcasting of lectures (federated)
• Teaching wikis

Internal:
• Monitoring via Nagios + Munin
• Documentation wikis

Page 13

Potential Use cases (Phase II??)

• Staff profile structuring
– Web publishing
– Research assessment
– Teaching assessment
• Shared file system control
• Door control
• Provisioning to Google Apps
• Reading lists
• Information portal

Page 14

1st round: Simple integration via gsh

Grouper Shell (gsh)
• Command line interface onto the grouper API
• Usage pattern familiar to systems administrators
• No user interaction (no need for further education)
• Good for replacing existing ad hoc database based systems

Easy first step

People can use grouper without knowing it

http://gfivo.ncl.ac.uk/sampleGroups.php
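As an added illustration of the gsh usage pattern this slide describes (the script below is not from the slides or the GFIVO project): a systems administrator moves the member list of an application's own ad hoc database table into a grouper group, using the gsh helper functions addStem, addGroup, addMember and hasMember. The stem and group names, the subject ids and the existence of a parent stem ncl:apps are assumed.

```java
// Added example, not from the GFIVO project. Runs inside gsh (bin/gsh.sh),
// which provides GrouperSession and the helper functions used below.
// Stem and group names and subject ids are assumed for illustration;
// the parent stem "ncl:apps" is assumed to exist already.
grouperSession = GrouperSession.startRootSession();

// Create the stem and the group that replace the application's own
// "members" table. The hierarchy stays shallow so no naming structure
// is exposed to end users at this stage.
addStem("ncl:apps", "researchwiki", "Research wiki");
addGroup("ncl:apps:researchwiki", "editors", "Research wiki editors");

// Subject ids exported from the old ad hoc database (constructed sample values).
String[] legacyEditors = { "a1234567", "b2345678", "c3456789" };
for (int i = 0; i < legacyEditors.length; i++) {
    // addMember(group, subjectId) adds an immediate member; the subject id is
    // resolved through the Subject API source configured for grouper.
    addMember("ncl:apps:researchwiki:editors", legacyEditors[i]);
}

// From here the application (or a scheduled sync job) asks grouper instead of
// its own table, so the same group is reusable by other services.
if (hasMember("ncl:apps:researchwiki:editors", "a1234567")) {
    System.out.println("a1234567 may edit the research wiki");
}
```

Re-running the script is the normal way to resync after the legacy export changes; members already present are simply left in place.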

Page 15

2nd Round: Webservices

Web service interface onto grouper API (more later)

Group management in the app

Management in the access denied page (403 page)

Simple user interface solving one problem

Gives control back to application developer

Maybe Sympa integration?

http://www.sympa.org/contribs/apache_authsympa

Page 16

3rd Round: Grouper UI

Current phase

Deploy grouper UI

3rd phase because:

• Grouper UI is complex to deploy
– Was a technology demonstrator
– Recently revamped (thanks to Penn)
• Grouper UI is complex to develop
– Heavily abstracted
– Heavily configurable

Page 17

Grouper webservices

New addition to grouper
• In grouper 1.3RC1
• Thanks to Chris Hyzer for the code contribution
• Based on Apache Axis
• SOAP and REST styles
• SOAP supports basic authentication + WS-Security support

Page 18

WS-Security

• Provided by Apache Rampart
• Support for WS-Security + WS-Trust
• WS-Security = auth via:
– username/password
– Kerberos
– SAML
– X.509
• Enables integration with .NET and SAP, Java WS-Security based stacks; PHP also supported
• May enable advanced SAML, WS-Security, WS-Trust use cases (shib2??, Grid stuff??)

Page 19

Lessons Learned: Benefits

Enables all levels of user
• Grouper UI for power users
– Librarians, administrators, PAs
• Simple interface via webservices for users
– Staff, students
• Webservices for developers on non-Java platforms
– .NET, SAP, Python, PHP, Sympa
• Grouper API for Java developers
• Grouper shell for systems admins

Page 20

Lessons learned: benefits

Grouper fills large pre-existing gap

Grouper allows coherent interface onto incoherent data architecture

People like access controlled apps

Federated use emerges from internal use

Page 21

Lessons Learned: requirements

Skill set prerequisites:

Java systems admin (tomcat etc)

Internal data architecture

shell scripting

WS use

not struts

Technical prerequisites:

Free standing mysql server (others supported)

Data Loader

Tomcat server

SSO (shib preferable)

Page 22

Lessons Learned: Issues

Issues avoided:
• Naming convention debates
– People are irrational about names
– People will argue about hierarchy structure endlessly
– The people who care most about structure are most powerful
– Avoided by not exposing naming hierarchy… yet

Issues encountered:
• Users don’t grasp the concepts: stems, groups, indirect membership
• Solutions:
– introduce them slowly
– avoid use when possible
– UI redesign (thanks Penn)

Page 23

Lessons Learned: Issues

• Getting data from data stores
– Need for data loader
• Shib resolver reusable?
• Deprovisioning?
• Need for fast updating
• Grouper comes from an enterprise LDAP directory mindset
• No one understands LDAP
• AD admins don’t even know AD = LDAP
• Shib took 4 years, will grouper?

Page 24

ANY QUESTIONS?

http://gfivo.ncl.ac.uk/resources.php