ITS NCID Next Generation (NG) Project Overview, April 21, 2010
TRANSCRIPT
Agenda
· Welcome & Introductions
· App Admin Migration Tasks
· Reverse Proxy Overview/Details
· Web Services/WSDL Details
· Model 2 Integration
· User DN Changes
· Application vs. User Migration
· Roles & Resources
· Q&A
App Admin Migration Tasks
All Models:
· Change firewall rules
· Functional & load testing
Model 1:
· Very Important! Protect the web app from non-proxy access, typically with firewall rules
· Move public-facing SSL certs
· Change public DNS settings
Web Services:
· Request creation of an application service account
Reverse Proxy Overview
[Diagram: NCID Current Model-1. The public DNS entry and public SSL cert are on the web application itself, which runs WebGate (Oracle API); user authentication redirects go to the Oracle Access Service. Legs labelled SSL 1 (user to web application) and SSL 2 (authentication redirect).]
[Diagram: NCID NG Model-1. The public DNS entry points at the load balancer; the public SSL cert is on the reverse proxy; the proxy forwards to the web application, which carries a private (self-signed) SSL cert and its own DNS entry; user authentication redirects go to the Novell IDP server. Legs labelled SSL 1 (user to load balancer/proxy), SSL 2 (authentication redirect) and SSL 3 (proxy to web application).]
NCID NG Model 1 – Migration Changes
[Diagram: load balancer and reverse proxy placed in front of the web application, with the changes below numbered on it.]
On the web application server:
1. Implement firewall rules limiting access to only the proxy.
2. Disable WebGate (Oracle API).
On the proxy path (SSL 1 user to proxy, SSL 3 proxy to web application):
1. Public SSL cert moved to the proxy.
2. Public DNS entry moved to the load balancer.
3. Private SSL cert installed on the app/web server.
Very Important! Firewall rules are required to prevent non-proxy access. Once WebGate is disabled, user authentication is enforced only at the reverse proxy, so any request that reaches the web application without passing through the proxy bypasses authentication entirely.
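The firewall rules above are the primary control. As a defense-in-depth complement, an application can also refuse any request whose TCP peer is not the reverse proxy. The following is an added example, not NCID or ITS code: a small WSGI middleware that allows only requests from configured proxy addresses and, only for those, reads the original client address from X-Forwarded-For. The proxy addresses, the header name, the `demo_app` application and the `call` helper are assumptions for illustration.

```python
"""Proxy-only guard for an NCID NG Model 1 web application (added example).

Assumptions (hypothetical): the reverse proxy tier uses the addresses in
TRUSTED_PROXIES and appends the client address to X-Forwarded-For.
"""
import ipaddress

# Assumed proxy addresses (hypothetical RFC 1918 values).
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("10.0.1.10/32", "10.0.1.11/32")]


def is_trusted_proxy(peer_ip: str) -> bool:
    """True if the TCP peer address is one of the configured proxy addresses."""
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip_from_proxy(environ: dict) -> str:
    """Original client address as reported by a trusted proxy.

    Only called after REMOTE_ADDR has been verified: an X-Forwarded-For header
    arriving from an untrusted peer is attacker-controlled and is never honoured.
    """
    xff = environ.get("HTTP_X_FORWARDED_FOR", "")
    if xff:
        return xff.split(",")[0].strip()
    return environ.get("REMOTE_ADDR", "")


class ProxyOnlyMiddleware:
    """WSGI middleware that refuses any request not coming from the proxy."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        peer = environ.get("REMOTE_ADDR", "")
        if not is_trusted_proxy(peer):
            # With WebGate disabled, authentication happens only at the proxy;
            # a direct request would skip it, so reject it here as well.
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"direct access is not permitted; use the reverse proxy\n"]
        environ["ncid.client_ip"] = client_ip_from_proxy(environ)
        return self.app(environ, start_response)


def demo_app(environ, start_response):
    """Hypothetical protected application: echoes the client address it was given."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [("hello from %s\n" % environ["ncid.client_ip"]).encode()]


def call(app, remote_addr: str, xff: str = None):
    """Invoke a WSGI app with a constructed environ; returns (status, body)."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/", "REMOTE_ADDR": remote_addr}
    if xff is not None:
        environ["HTTP_X_FORWARDED_FOR"] = xff
    captured = {}

    def start_response(status, headers):
        captured["status"] = status

    body = b"".join(app(environ, start_response))
    return captured["status"], body.decode()


guarded = ProxyOnlyMiddleware(demo_app)

if __name__ == "__main__":
    # Constructed requests: one via the proxy, one direct with a spoofed header.
    print(call(guarded, "10.0.1.10", "203.0.113.5"))
    print(call(guarded, "203.0.113.5", "10.0.1.10"))
```

The second constructed request shows why the peer check must come first: a direct client can put the proxy's own address in X-Forwarded-For, and an application that trusted the header before the peer would be fooled.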
Model 1 – NCID NG End State
[Diagram: NCID NG Model 1 end state. Public DNS entry -> load balancer -> reverse proxy (public SSL cert) -> web application (private, self-signed SSL cert and its own DNS entry). User authentication redirects go from the proxy to the Novell IDP server. Legs labelled SSL 1 (user to load balancer/proxy), SSL 2 (authentication redirect) and SSL 3 (proxy to web application).]
NCID NG – Web Services
Web services methods available:
· Validate user login credentials
· Check & modify group membership
· User search & view using search criteria
· Search for agencies, divisions, sections using search criteria
Web services documentation: https://www.ncid.its.state.nc.us/TrainingAndDocumentation.asp
Web Service Call Detail
[Diagram: end user, load balancer, IDP server, NCID NG Web Services (exposing a WSDL) backed by the Identity Vault, and the agency application server calling with its web service application account; the web service returns an XML response.]
1. Authentication request
2. Request WSDL
3. Redirect request
4. Retrieve WSDL
5. Web service call (application server, using its application account; XML response)
Model 2 Integration
[Diagram: the NCID NG Identity Directory synchronized to the agency LDAP directory (AD) on the agency web/app server by an IDM driver.]
Typical attributes synchronized to AD:
· userPrincipalName, sAMAccountName
· GUID
· password
· userAccountControl
Typical events monitored (NCID event -> resulting AD change):
NCID                      AD
Resources/Roles (NG)      Group Membership
Account Lock              Account Disabled
Change Password           Change Password
Account Expiration        Account Disabled
User Relative DN Changes – GUIDs Remain the Same
The container portion of the user DN (everything after the cn) changes, including the base suffix, which moves from dc=NC to o=NC; the cn value, the user GUID, stays the same. Note that Local Government users move from ou=External to ou=Internal.
Current DN examples:
(State)    cn=User-guid,ou=Internal,ou=People,dc=NC
(External) cn=User-guid,ou=Local Government,ou=External,ou=People,dc=NC
           cn=User-guid,ou=Business Users,ou=External,ou=People,dc=NC
           cn=User-guid,ou=Individuals,ou=External,ou=People,dc=NC
NG DN examples:
(Internal) cn=User-guid,ou=State,ou=Internal,ou=People,o=NC
           cn=User-guid,ou=Local,ou=Internal,ou=People,o=NC
(External) cn=User-guid,ou=Business,ou=External,ou=People,o=NC
           cn=User-guid,ou=Individual,ou=External,ou=People,o=NC
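An application that stores user DNs, or keys ACLs or LDAP filters on the DN string, will stop matching after migration, while anything keyed on the GUID keeps working. The following added example (not NCID code) rewrites a current DN into its NG form using only the four container mappings shown on this slide, and checks that the GUID is preserved. The `CONTAINER_MAP` table is read off the examples above; any container not listed there is rejected rather than guessed, since the slide does not show it.

```python
"""Map a current NCID user DN to its NCID NG form (added example, not NCID code).

The mapping is taken from the examples on the slide; other containers are
unknown here and raise ValueError.
"""

# Current container path -> NG container path, as shown on the slide.
CONTAINER_MAP = {
    "ou=Internal,ou=People,dc=NC": "ou=State,ou=Internal,ou=People,o=NC",
    "ou=Local Government,ou=External,ou=People,dc=NC": "ou=Local,ou=Internal,ou=People,o=NC",
    "ou=Business Users,ou=External,ou=People,dc=NC": "ou=Business,ou=External,ou=People,o=NC",
    "ou=Individuals,ou=External,ou=People,dc=NC": "ou=Individual,ou=External,ou=People,o=NC",
}

# Attribute types and ou names are case-insensitive in the directory, so
# match on a lower-cased key.
_MAP_LOWER = {k.lower(): v for k, v in CONTAINER_MAP.items()}


def split_dn(dn: str):
    """Split a DN into (type, value) pairs.

    Honours backslash escapes so an escaped comma inside a value (RFC 4514)
    does not start a new RDN.  Whitespace around RDNs and '=' is dropped.
    """
    rdns, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf))
    pairs = []
    for rdn in rdns:
        typ, sep, val = rdn.partition("=")
        if not sep:
            raise ValueError("malformed RDN: %r" % rdn)
        pairs.append((typ.strip().lower(), val.strip()))
    return pairs


def migrate_dn(old_dn: str) -> str:
    """Return the NG DN for a current NCID user DN, keeping the cn (GUID) as-is."""
    pairs = split_dn(old_dn)
    if not pairs or pairs[0][0] != "cn":
        raise ValueError("expected a leading cn= RDN: %r" % old_dn)
    guid = pairs[0][1]
    container = ",".join("%s=%s" % (t, v) for t, v in pairs[1:]).lower()
    new_container = _MAP_LOWER.get(container)
    if new_container is None:
        raise ValueError("no NG mapping on the slide for container %r" % container)
    return "cn=%s,%s" % (guid, new_container)


def same_user(dn_a: str, dn_b: str) -> bool:
    """True when both DNs carry the same GUID, the stable key across migration."""
    return split_dn(dn_a)[0][1].lower() == split_dn(dn_b)[0][1].lower()


if __name__ == "__main__":
    # Constructed sample DN (the GUID value is made up for illustration).
    old = "cn=1a2b3c4d,ou=Local Government,ou=External,ou=People,dc=NC"
    new = migrate_dn(old)
    print(old, "->", new, "| same user:", same_user(old, new))
```

The constructed Local Government DN illustrates the one mapping where the user moves from ou=External to ou=Internal; a filter such as `(ou=External)` scoped on the old tree would silently exclude those users afterwards, whereas a GUID lookup is unaffected.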
Application vs. User Migration – Part 1
· All user accounts continuously synchronized between NG and current NCID
· Application migration is independent of delegated admin & user account self-service functions
· Phased migration of applications: a migrated application integrates with NG and is authenticated by NG; DA & user function migration is not a prerequisite
Application vs. User Migration – Part 2
· Delegated admin & user account self-service functions are migrated in a separate phased approach
· Migrated users must re-select challenge questions & provide answers
· Upon migration, DAs will provision new user accounts
Roles & Resources
· Groups change to roles; user accounts are assigned roles
· Very little difference in point-and-click: instead of belonging to the "My App Users" group, users will be assigned the "My App Users" role
· Different technology on the NCID back-end: roles grant access to resources, and resources represent applications
· Functions remain the same for Model 1 authorization and for Model 2 synchronization
Questions & Answers
· Chat questions noted during the presentation
· Open question period
· Future webinar planned for delegated admin functions
· Additional documentation & training will be provided on the NCID website at https://www.ncid.its.state.nc.us/TrainingAndDocumentation.asp
· Submit a Remedy service request with additional questions: [email protected]