
Post on 01-Apr-2018


TRANSCRIPT

IT’S TIME FOR A SPA

Jeff McCullough UC Berkeley

© 2015 Internet2

Long Term Departmental Accounts

Today’s conversation

It’s Time for a SPA

•  Example SSO login.
•  Why SPA?
•  How do they work?
•  Issues and changes we’ve made.
•  Your input and questions…


Authenticating using CAS


Background

•  Two previous implementations
•  SSO requirement
•  Integration with multiple systems


Use cases

•  Data storage for a team or department.
•  Functional account for a position that changes frequently.
•  Account for a program/department/team that needs to send/receive email and calendar events.


SPA Environment


How do SPAs differ from regular accounts?

•  Extra LDAP attributes
•  LDAP groups
•  Grouper groups
•  Surrogate login


Extra attributes

•  Create date
•  Expiration date – 5 years
•  User access group
•  Purpose
•  New affiliate type
•  (Department Number)


User access groups

•  Grouper groups
•  LDAP groups


Authentication

•  Surrogate login (SSO)
•  Kerb password (non UI app or AD)
•  Google Key


Surrogate login

•  CAS login module (CAS/Shib)
•  SPA-ID+My-Account-ID
•  +My-Account-ID
•  Both use user’s password


Delegated Access within Apps

•  Google
•  Box
•  Other systems


Authorization

•  LDAP user group
•  Begins as a Grouper group


SPA Admin

•  List of SPAs that have already been created
•  Create SPA / Delete SPA
•  Namespace checks
•  Sub-domains
•  Links for group admin and Google account creation


Provisioning an account

•  Using OpenIDM
    > Kerberos
    > AD
    > LDAP
    > Grouper


Surrogate login and groups

•  Looks up all groups for user
•  Determines which groups are related to SPAs
•  Shows list to user
•  Logs user in as SPA using either CAS/Shib
•  Adds info to logs
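The three slides above (surrogate login with the `SPA-ID+My-Account-ID` username form, authorization through an LDAP user-access group, and the group lookup that drives the surrogate login) describe one flow. The Python below is an added example written for this transcript; it is not code from the presentation or from UC Berkeley. It stands in the Kerberos password check and the Grouper/LDAP group directory with in-memory dictionaries, and the `spa:<id>:users` group naming, the sample users, passwords and SPA records are all constructed for the example. The points it makes are the ones the slides make: the person always authenticates with their own password, the SPA is only reachable through a group the person is actually in, and the audit log records the real actor behind the SPA identity.

```python
import hashlib
import hmac
import logging
from dataclasses import dataclass
from typing import List, Optional, Tuple

log = logging.getLogger("spa-surrogate")

# --- Constructed stand-ins for the campus directory services -----------------

_SALT = b"constructed-salt"  # one salt for brevity; a real store salts per user


def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 50_000)


# Stand-in for Kerberos: real people and their own passwords (constructed).
USER_CREDENTIALS = {
    "jdoe": _hash("correct horse battery staple"),
    "astudent": _hash("hunter2"),
}

# Stand-in for Grouper/LDAP group membership (constructed). The naming
# convention spa:<spa-id>:users is an assumption for this example.
USER_GROUPS = {
    "jdoe": {"campus:staff", "spa:helpdesk:users", "spa:events-cal:users"},
    "astudent": {"campus:student"},
}
SPA_GROUP_PREFIX = "spa:"
SPA_GROUP_SUFFIX = ":users"

# Stand-in for the SPA registry with two of the extra attributes from the deck
# (purpose, expiration date). Dates are ISO strings so they compare as text.
SPA_ACCOUNTS = {
    "helpdesk": {"purpose": "Shared help desk mailbox", "expires": "2020-06-01"},
    "events-cal": {"purpose": "Events calendar", "expires": "2020-06-01"},
    "old-project": {"purpose": "Retired project", "expires": "2014-01-01"},
}


@dataclass
class SurrogateSession:
    principal: str  # identity the application sees (SPA or the person)
    actor: str      # real person behind it, kept for the audit trail


def authenticate_user(user_id: str, password: str) -> bool:
    """The person's own password is checked; a SPA never has a password here."""
    stored = USER_CREDENTIALS.get(user_id)
    return stored is not None and hmac.compare_digest(stored, _hash(password))


def spas_for_user(user_id: str) -> List[str]:
    """Look up all groups for the user and keep the SPA user-access groups.
    This is the list the login page would show the user to choose from."""
    spas = []
    for group in sorted(USER_GROUPS.get(user_id, ())):
        if group.startswith(SPA_GROUP_PREFIX) and group.endswith(SPA_GROUP_SUFFIX):
            spas.append(group[len(SPA_GROUP_PREFIX):-len(SPA_GROUP_SUFFIX)])
    return spas


def parse_surrogate_username(username: str) -> Tuple[Optional[str], str]:
    """'SPA-ID+My-Account-ID' -> (spa_id, user_id); a plain name has no SPA part."""
    if "+" in username:
        spa_id, user_id = username.split("+", 1)
        return spa_id, user_id
    return None, username


def surrogate_login(username: str, password: str, today: str) -> Optional[SurrogateSession]:
    """Authenticate the real person, then authorize the SPA via group membership."""
    spa_id, user_id = parse_surrogate_username(username)
    if not authenticate_user(user_id, password):
        log.warning("login failed actor=%s", user_id)
        return None
    if spa_id is None:  # ordinary, non-surrogate login
        return SurrogateSession(principal=user_id, actor=user_id)
    spa = SPA_ACCOUNTS.get(spa_id)
    if spa is None or spa["expires"] < today:
        log.warning("surrogate denied actor=%s spa=%s reason=unknown-or-expired", user_id, spa_id)
        return None
    if spa_id not in spas_for_user(user_id):
        log.warning("surrogate denied actor=%s spa=%s reason=not-in-access-group", user_id, spa_id)
        return None
    # "Adds info to logs": the SPA is the principal, but the person is recorded.
    log.info("surrogate login spa=%s actor=%s purpose=%s", spa_id, user_id, spa["purpose"])
    return SurrogateSession(principal=spa_id, actor=user_id)


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    print(spas_for_user("jdoe"))
    print(surrogate_login("helpdesk+jdoe", "correct horse battery staple", "2015-10-05"))
    print(surrogate_login("helpdesk+astudent", "hunter2", "2015-10-05"))
```

The denial paths matter as much as the success path: a correct personal password does not grant a SPA the person is not grouped into, and an expired SPA is unreachable even for its own group members. Because the session carries `actor` separately from `principal`, an application that receives the SPA identity can still write the real person into its own logs, which is the accountability property a shared mailbox or shared storage account otherwise loses.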


Issues and changes…

•  Previously had authorizer/owner.
•  Any employee.
•  The shell game.


Q/A

•  What do you think?
•  Do you have an implementation of SPAs?
