For the Pragmatic, the UHIMS Ecosystem (for Identity and Access Management) Michael Hodges ITS, Identity and Access Management University of Hawaii © 2015 1


Page 1: For the Pragmatic, the UHIMS Ecosystem

(for Identity and Access Management)

Michael Hodges, ITS, Identity and Access Management

Page 2: What to talk about today?

• What is Pragmatic Programming?
• The UHIMS Ecosystem
• UHIMS Ecosystem Solutions
• Ecosystem Enhancements Under Way
• UHIMS Dreams and Blue Sky Visions
• Looking ahead, UH joins Internet2's TIER

Page 3: What is Pragmatic Programming?

• A book
  – "The Pragmatic Programmer, From Journeyman to Master"
• A mindset that will help you
  – Keep it DRY
  – KISS better
  – Decouple by design
  – Minimize technical debt
  – Future-proof apps

Page 4: What is Pragmatic Programming?

• Keep it DRY – Don't Repeat Yourself – a design principle.
  – Write code once, reference it as needed.
  – Don't reinvent the wheel, if possible.
  – Leverage UHIMS solutions that fit your needs (it will be well worth the learning curve).
  – DRY requires good planning.

Page 5: What is Pragmatic Programming?

• A mindset that will help you
  – Keep it DRY
  – KISS better
  – Decouple by design
  – Minimize technical debt
  – Future-proof apps

Page 6: What is Pragmatic Programming?

• KISS better – Keep It Simple and Short – a design principle
  – Small, simple software subcomponents reduce complexity, are easier to manage.
  – Create only the subcomponents that you must create; keep your custom code footprint as small as possible.
  – Embrace integration, leverage existing solutions.

Page 7: What is Pragmatic Programming?

• A mindset that will help you
  – Keep it DRY
  – KISS better
  – Decouple by design
  – Minimize technical debt
  – Future-proof apps

Page 8: What is Pragmatic Programming?

• Decouple by design
  – Utilize Message Brokering
    • Increase availability/uptime
    • Increase flexibility
  – Conceptualize apps as
    • Message producers, and
    • Message consumers

Page 9: What is Pragmatic Programming?

• Decouple by design

Page 10: What is Pragmatic Programming?

• A mindset that will help you
  – Keep it DRY
  – KISS better
  – Decouple by design
  – Minimize technical debt
  – Future-proof apps

Page 11: What is Pragmatic Programming?

• Minimize technical debt
  – Technical debt: the things you should have taken care of in your code, but didn't, e.g.:
    • deferred features, deferred documentation, deferred regression tests, performance, etc.
  – Software entropy (a related concept)
    • Unaddressed technical debt increases software entropy
    • Utilized software will be modified.
    • Modified software increases in complexity (unless successfully refactored).

Page 12: What is Pragmatic Programming?

• A mindset that will help you
  – Keep it DRY
  – KISS better
  – Decouple by design
  – Minimize technical debt
  – Exceed expectations
  – Future-proof apps

Page 13: What is Pragmatic Programming?

• Future-proof (one must try)
  – Align with the expanding UHIMS
    • Emerging Group/Authorization management practices.
    • Emerging 2nd factor authentication options.
    • Future End-User profile management.
    • Future attribute release consent options.
  – Leverage the work of other project teams
    • College of Ed's WordPress plugin, Authorizer.
    • Bursar's hosted eCommerce solution.
    • Internet2 community.
  – Anticipate TIER, an Internet2 IAM project
    • TIER: Trust and Identity in Education and Research.
    • Includes: Certs, Assurance, MFA, Shib, Grouper, COmanage, eduPerson, eduOrg, MACE Registries, IAM for higher ed.

Page 14: What is Pragmatic Programming?

• Practical Pragmatic Examples
  – Report writing, output data to a csv file for import to Excel.
  – CAS for authentication.
  – CAS attributes for authorization.
  – UH Groupings for authorization, anywhere that the "is member of" question comes up.
  – UH Message Broker to separate apps that publish (liberate) information from apps that consume information.

Page 15: The UHIMS Ecosystem

• A non-chronological review of the development of the UHIMS Ecosystem

Page 16: UHIMS Ecosystem (circa 2015)

[Diagram: "UHIMS Ecosystem (circa 2015)", University of Hawaii © 2015, TI-SYS-IAM, revised 03/11/2015. Labels: Systems of Record (Banner, PS HR, RCUH, SECE, KFS, MyGrant); Person Directory Updates; Admin Updates; Person Events; Directory Services; AuthN/Z Services; Applications.]

Page 17: UHIMS Ecosystem (circa 2015)

[Diagram: the Page 16 diagram with the UHIMS Person Registry added.]

Page 18: The UHIMS Ecosystem

• The roles UHIMS aggregates:
  – staff.civilService
  – staff.executive
  – staff.apt
  – staff.casual
  – staff.overload
  – staff.noDetails
  – staff.nonCompensated
  – faculty.communityCollege
  – faculty.university
  – faculty.medical
  – faculty.researcher
  – faculty.specialist
  – faculty.countyAgent
  – faculty.librarian
  – faculty.law
  – faculty.emeritus
  – faculty.overload
  – faculty.noDetails
  – faculty.courseInstructor
  – faculty.lecturer
  – faculty.teachingAssistant
  – faculty.researchAssistant
  – studentEmployee.workStudy
  – studentEmployee.studentHire
  – student.graduate.law
  – student.graduate.medical
  – student.graduate.noDetails
  – student.undergraduate.noDetails
  – student.other.apprenticeship
  – student.other.continuingEducation
  – student.other.postBaccalaureate
  – student.other.professional
  – student.other.vocational
  – student.other.undeclared
  – nonCreditStudent.noDetails
  – nonCreditStudent.etc
  – preStudent.noDetails
  – preStudent.accepted
  – preStudent.applicant
  – ohana
  – retiree
  – other

Page 19: UHIMS Ecosystem (circa 2015)

[Diagram: Systems of Record (Banner, PS HR, RCUH, SECE, KFS, MyGrant), Person Directory Updates, Admin Updates, UHIMS Person Registry, Person Events, Directory Services, AuthN/Z Services, Applications. University of Hawaii © 2015, TI-SYS-IAM, revised 03/11/2015.]

Page 20: UHIMS Ecosystem (circa 2015)

[Diagram: the Page 19 diagram with directory, authentication and application components added: LDAP (389DS), RADIUS (AuthN), CAS3 (AuthN), Campus Wireless, Web Apps (registered), UHIMC, BMT, WPMS, API, VIA.]

Page 21: UHIMS Ecosystem (circa 2015)

[Diagram: adds Shib IdP (AuthN), Google@UH, Web Apps (federated).]

Page 22: UHIMS Ecosystem (circa 2015)

[Diagram: adds the Msg Broker [exchanges]; connected systems are marked PR (Message Producer) or CON (Message Consumer).]

Page 23: UHIMS Ecosystem (circa 2015)

[Diagram: adds LISTSERV lists, UH Groupings, Grouper (AuthZ).]

Page 24: UHIMS Ecosystem (circa 2015)

[Diagram: adds ACER.]

Page 25: UHIMS Ecosystem (circa 2015)

[Diagram: adds Campus OneCard.]

Page 26: UHIMS Ecosystem (circa 2015)

[Diagram: adds AD (AuthN only) and Campus AD domains; the complete circa-2015 ecosystem. University of Hawaii © 2015, TI-SYS-IAM, revised 03/11/2015.]

Page 27: UHIMS Ecosystem Solutions

• Authentication Solutions:
  – CAS
  – Shibboleth
  – LDAP
• Authorization Solutions:
  – ACER
  – Grouper
  – UH Groupings and the UH Group Store
  – UHIMS Events
• Decoupling Solutions:
  – UH Message Broker

Page 28: UHIMS Ecosystem Solutions, Authentication Solutions

• CAS – Central Authentication Service
  – Used by UH Apps for Authentication
  – Default Attribute Release Policy
    • UH Data Governance policies apply (E2.215).
    • IAM and the Data Governance Committee (DGC) have created SOPs for standard requests.
    • Non-standard requests, such as for hosted apps, must first be approved by the DGC.
    • https://www.hawaii.edu/bwiki/display/UHIAM/CAS+Default+Attribute+Release+Policy
    • http://www.hawaii.edu/uhdatagov/

Page 29: UHIMS Ecosystem Solutions, Authentication Solutions

• CAS – Central Authentication Service
  – Attributes useful for Authorization:
    • eduPersonAffiliation (faculty)
    • eduPersonOrgDN (kauaicc)
    • uhOrgAffiliation (eduPersonOrgDn=kauaicc,eduPersonAffiliation=faculty)
    • uhAcknowledgement (generalConfidentialityNotice=20141231T000000)
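To show how the attributes on this slide turn into an authorization decision, here is an added example (not UH IAM code). It assumes the CAS client hands the app a dict of multi-valued attributes in the shapes the slide shows; `parse_stamp`, `authorize` and the sample values are constructed for the example.

```python
"""Authorization decision from CAS-released attributes (added example)."""
from datetime import datetime, timezone

STAMP_FORMAT = "%Y%m%dT%H%M%S"   # the shape shown on the slide: 20141231T000000


def parse_stamp(stamp):
    """Parse a uhAcknowledgement timestamp; None if malformed (= not acknowledged)."""
    try:
        return datetime.strptime(stamp, STAMP_FORMAT).replace(tzinfo=timezone.utc)
    except (TypeError, ValueError):
        return None


def parse_kv_attribute(value):
    """Split 'key=value,key=value' (uhOrgAffiliation / uhAcknowledgement shape)."""
    out = {}
    for part in value.split(","):
        if "=" in part:
            key, val = part.split("=", 1)
            out[key.strip()] = val.strip()
    return out


def scoped_affiliations(attrs):
    """Set of (org, affiliation) pairs from the multi-valued uhOrgAffiliation."""
    pairs = set()
    for value in attrs.get("uhOrgAffiliation", []):
        kv = parse_kv_attribute(value)
        if "eduPersonOrgDn" in kv and "eduPersonAffiliation" in kv:
            pairs.add((kv["eduPersonOrgDn"], kv["eduPersonAffiliation"]))
    return pairs


def acknowledgements(attrs):
    """Map acknowledgement name -> UTC datetime from uhAcknowledgement values."""
    acks = {}
    for value in attrs.get("uhAcknowledgement", []):
        for name, stamp in parse_kv_attribute(value).items():
            when = parse_stamp(stamp)
            if when is not None:
                acks[name] = when
    return acks


def authorize(attrs, org, affiliation, required_ack=None, ack_not_before=None):
    """Return (allowed, reason).

    The scoped pair in uhOrgAffiliation is checked, not the two flat attributes:
    someone who is faculty at one campus and staff at another carries 'faculty'
    and both campuses in the flat lists, which would wrongly satisfy a flat check.
    If required_ack is given it must be present and, when ack_not_before (same
    stamp format) is given, no older than that cutoff, so a re-issued notice
    must be re-acknowledged before access continues.
    """
    if (org, affiliation) not in scoped_affiliations(attrs):
        return False, "no matching scoped affiliation"
    if required_ack is not None:
        when = acknowledgements(attrs).get(required_ack)
        if when is None:
            return False, f"{required_ack} not acknowledged"
        cutoff = parse_stamp(ack_not_before) if ack_not_before else None
        if cutoff is not None and when < cutoff:
            return False, f"{required_ack} acknowledged before cutoff"
    return True, "ok"


# Constructed sample: attributes as a CAS client might hand them to the app after
# ticket validation (the dict-of-lists shape is an assumption).
SAMPLE_ATTRS = {
    "eduPersonAffiliation": ["faculty", "staff"],
    "eduPersonOrgDN": ["kauaicc", "manoa"],
    "uhOrgAffiliation": [
        "eduPersonOrgDn=kauaicc,eduPersonAffiliation=faculty",
        "eduPersonOrgDn=manoa,eduPersonAffiliation=staff",
    ],
    "uhAcknowledgement": ["generalConfidentialityNotice=20141231T000000"],
}

if __name__ == "__main__":
    print(authorize(SAMPLE_ATTRS, "kauaicc", "faculty",
                    "generalConfidentialityNotice", "20140701T000000"))
    print(authorize(SAMPLE_ATTRS, "manoa", "faculty"))  # flat attributes alone would say yes
```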

Page 30: UHIMS Ecosystem Solutions, Authentication Solutions

• CAS – Central Authentication Services
  – Web App Form, URLs must be registered
    • https://www.hawaii.edu/bwiki/display/UHIAM/Web+App+Registration+Form
  – Developer Documentation
    • https://www.hawaii.edu/bwiki/display/UHIAM/CAS3+Developer+Documentation

Page 31: UHIMS Ecosystem Solutions, Authentication Solutions

• CAS – Central Authentication Services
  – Infrastructure

[Diagram: a Load Balancer running healthchecks in front of CAS (active), CAS (hot standby) and CAS (manual standby).]

Page 32: UHIMS Ecosystem Solutions, Authentication Solutions

• Shibboleth Identity Provider (UH IdP)
  – Used by non-UH apps for federated authentication
  – Attribute Release Policy
    • Tailored to the minimal requirements.
    • Targeted IDs used where possible to protect privacy
  – Federated apps must be registered
    • Exception is apps in the Research and Scholarship category
  – Infrastructure
    • Identical to CAS

Page 33: UHIMS Ecosystem Solutions, Authentication Solutions

• LDAP, lightweight directory access protocol
  – Deprecated for authentication, use CAS
    • Exceptions are scrutinized.
    • CAS attribute release policy is continually enhanced to mitigate need.
  – Default Attribute Release Policy
    • Identical to CAS
    • Also subject to the IAM Data Governance Framework

Page 34: UHIMS Ecosystem Solutions, Authorization Solutions

• Grouper
  – Addresses the fundamental "is member of" requirement and provides rich logic. For example,
    • Is person a member of ITS, sits on the 6th floor of the ITC building, is currently taking credit classes, and therefore eligible for a tuition waiver?
  – Provides a UI and API.
  – Internet2 software, very active project.
  – Very popular in the higher ed community.
  – A component of TIER

Page 35: UHIMS Ecosystem Solutions, Authorization Solutions

• A UH Grouping:
  – Is a simple or complex expression of group membership
  – Is composed of 3 groups, conceptually:
    • Basis, Include, Exclude
  – Has 1 or more Owners
  – Has 0 or more Members
  – Has properties that an Owner can configure
  – Is reusable, can serve multiple purposes
    • Application authorization (who can do what)
    • LISTSERV list publication (email notifications)

Page 36: UHIMS Ecosystem Solutions, Authorization Solutions

• A UH Grouping example, UH Hilo email discussion list:
  – Basis group: all UH Hilo faculty
    • Automatically kept current by UHIMS
  – Include group: (may be empty)
    • Others that would like to participate, such as RCUH employees at UH Hilo.
  – Exclude group: (may be empty)
    • Those that wish to be left out of the discussions.

Page 37: UHIMS Ecosystem Solutions, Authorization Solutions

[Diagram: a UH Grouping composed of three groups, Basis, Include and Exclude.]

Page 38: UHIMS Ecosystem Solutions, Authorization Solutions

[Diagram: UH Grouping. Objective: implement a campus mailing list. Basis: UHH Faculty; Include: a few RCUH Employees; Exclude: several dissatisfied individuals.]

Page 39: UHIMS Ecosystem Solutions, Authorization Solutions

• What can UH Grouping be used for?
  – Email LISTSERV List management
    • No need to manually manage the entire list
  – Complex role-based permissions management.
  – Opt-in/out services, when members are suitably allowed.
  – Any combination of the above (reuse)
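The Basis/Include/Exclude composition from Pages 35 through 39 (the UH Hilo list, owner-configured opt-in/out, and reuse of one grouping for both "is member of" checks and LISTSERV publication) as an added example; this is not UH Groupings or Grouper code. The `Grouping` class, its method names and the 8-digit UH Number format are assumptions made for the example.

```python
"""UH Grouping membership model: (Basis ∪ Include) − Exclude (added example)."""
import re

UH_NUMBER = re.compile(r"^\d{8}$")   # assumed shape of a UH Number


class Grouping:
    def __init__(self, name, owners, basis=(), opt_in_allowed=False, opt_out_allowed=False):
        if not owners:
            raise ValueError("a Grouping has 1 or more Owners")
        self.name = name
        self.owners = set(owners)
        self.basis = set()       # kept current automatically by UHIMS
        self.include = set()     # owner-managed (or opt-in) additions
        self.exclude = set()     # owner-managed (or opt-out) removals
        self.opt_in_allowed = opt_in_allowed      # owner-configurable properties
        self.opt_out_allowed = opt_out_allowed
        self.refresh_basis(basis)

    @staticmethod
    def _uh_number(value):
        """Current limitation: every member must have a UH Number."""
        if not UH_NUMBER.match(value):
            raise ValueError(f"members must have a UH Number: {value!r}")
        return value

    def _owner_only(self, actor):
        if actor not in self.owners:
            raise PermissionError(f"{actor} is not an owner of {self.name}")

    def refresh_basis(self, members):
        """Replace the basis wholesale, as the automated UHIMS feed would.
        Include and Exclude survive the refresh, so owner decisions persist."""
        self.basis = {self._uh_number(m) for m in members}

    def members(self):
        """Effective membership: (Basis ∪ Include) − Exclude; Exclude always wins."""
        return (self.basis | self.include) - self.exclude

    def is_member(self, uh_number):
        """The 'is member of' question an application asks for authorization."""
        return uh_number in self.members()

    def add_include(self, actor, uh_number):
        self._owner_only(actor)
        self.include.add(self._uh_number(uh_number))
        self.exclude.discard(uh_number)

    def add_exclude(self, actor, uh_number):
        self._owner_only(actor)
        self.exclude.add(self._uh_number(uh_number))

    def opt_in(self, uh_number):
        """Self-service join, honoured only if the owner enabled it."""
        if not self.opt_in_allowed:
            return False
        self.include.add(self._uh_number(uh_number))
        self.exclude.discard(uh_number)
        return True

    def opt_out(self, uh_number):
        """Self-service leave, honoured only if the owner enabled it."""
        if not self.opt_out_allowed:
            return False
        self.exclude.add(self._uh_number(uh_number))
        return True

    def listserv_subscribers(self):
        """The same membership, published as a sorted subscriber list (reuse)."""
        return sorted(self.members())


if __name__ == "__main__":
    # Constructed sample: the UH Hilo discussion list from the slides.
    lst = Grouping("uhh-faculty-discuss", owners={"10000001"},
                   basis={"10000002", "10000003", "10000004"}, opt_out_allowed=True)
    lst.add_include("10000001", "20000005")   # an RCUH employee at UH Hilo
    lst.opt_out("10000003")                   # a faculty member who wants out
    print(lst.listserv_subscribers())         # ['10000002', '10000004', '20000005']
```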

Page 40: UHIMS Ecosystem Solutions, Authorization Solutions

• UH Grouping limitations?
  – Currently, members must have a UH Number.

Page 41: UHIMS Ecosystem Solutions, Authorization Solutions

• UHIMS Events:
  – UH Person Identity Messages published to the UH Message Broker.
  – A convenient way to receive identity, affiliation, and contact information.
  – Use for automatically updating on-board application authorization information.

Page 42: UHIMS Ecosystem Solutions, Decoupling Solutions

• UH Message Broker:
  – Uses RabbitMQ, an open-source project
  – Simple to set up
  – Scalable
    • Behind India's 1.2B person biometric database.
  – Separates message producers from message consumers
  – Messages are stored in Exchanges

Page 43: UHIMS Ecosystem Solutions, Decoupling Solutions

• UH Message Broker implementations:
  – Banner producer, student enrollment and degree objective information.
  – HCC AD consumer, UHIMS Events
  – KFS consumer, UHIMS Events
  – myGrant consumer, UHIMS Events
  – MyUH consumer, UHIMS Events
  – SECE producer, SECE events
  – UHIMS consumer, Banner & SECE events
  – UHIMS producer, UHIMS Events

Page 44: Ecosystem Enhancements Under Way, 12-18 months

• Multifactor Authentication
  – Initially for faculty, staff (students later)
• UH Message Broker Infrastructure
  – Clustering for high availability
• CAS/Shib Infrastructure
  – Shib support for the CAS protocol
  – Clustering for high availability
• IAM Data Element Dictionary additions
  – uhScopedHomeOrg (primary campus, Banner/PS)
  – uhMemberOfGrouping (advanced AuthZ)
• UH Groupings UI improvements

Page 45: UHIMS Dreams & Blue Sky Visions

• Multifactor Authentication
  – To protect all of our servers, inside and outside the data center.
  – As a requirement for all of our Admin apps.
  – As an opt-in service for the entire UH community.

Page 46: UHIMS Dreams & Blue Sky Visions

• UH Groupings used ubiquitously
  – Comprehensive use of custom and automatic groups
  – Comprehensive enterprise-wide audit reports revealing who has access to what.
  – Automated enterprise provisioning/deprovisioning across all (applicable) apps.
  – Very easy to use for IT staff and users.

Page 47: UHIMS Dreams & Blue Sky Visions

• UH Groupings, more publication destinations:
  – LDAP groups
  – Laulima groups
  – Google groups
• The exclusive LISTSERV list management mechanism (as a capability).

Page 48: UHIMS Dreams & Blue Sky Visions

• Hands-on App Developer Workshops
  – CAS Authentication, externalized AuthN
  – UH Groupings, externalized AuthZ
  – UH Message Broker, messaging/decoupling
  – UHIMS Events

Page 49: UHIMS Dreams & Blue Sky Visions

• ACER Integration
  – A full function Acknowledgements and Certifications management solution.
  – System-wide online General Confidentiality Notices acceptance assertions.
  – System-wide online criminal background check assertions.
  – ACER enforcement for app access Authorizations.

Page 50: UHIMS Dreams & Blue Sky Visions

• Personal Profile Management
  – View access to directory information.
  – Ability to change select directory information as needed.
  – Access to Group memberships.
  – Ability to opt-in/out of Groups as permitted.
  – Access to attribute release policies.
  – Ability to opt-in/out attribute release policies as permitted.

Page 51: For the Pragmatic, the UHIMS Ecosystem

Michael Hodges, ITS, Identity and Access Management