TRANSCRIPT
IT’S TIME FOR A SPA
Jeff McCullough, UC Berkeley
© 2015 Internet2
Long Term Departmental Accounts
Today’s conversation
It’s Time for a SPA
• Example SSO login.
• Why SPA?
• How do they work?
• Issues and changes we’ve made.
• Your input and questions…
Authenticating using CAS
Background
• Two previous implementations
• SSO requirement
• Integration with multiple systems
Use cases
• Data storage for a team or department.
• Functional account for a position that changes frequently.
• Account for a program/department/team that needs to send/receive email and calendar events.
SPA Environment
How do SPAs differ from regular accounts?
• Extra LDAP attributes
• LDAP groups
• Grouper groups
• Surrogate login
Extra attributes
• Create date
• Expiration date – 5 years
• User access group
• Purpose
• New affiliate type
• (Department Number)
User access groups
• Grouper groups
• LDAP groups
Authentication
• Surrogate login (SSO)
• Kerberos password (non-UI app or AD)
• Google Key
Surrogate login
• CAS login module (CAS/Shib)
• SPA-ID+My-Account-ID
• +My-Account-ID
• Both use the user’s password
Delegated Access within Apps
• Google
• Box
• Other systems
Authorization
• LDAP user group
• Begins as a Grouper group
SPA Admin
• List of SPAs that have already been created
• Create SPA / Delete SPA
• Namespace checks
• Sub-domains
• Links for group admin and Google account creation
Provisioning an account
• Using OpenIDM
  > Kerberos
  > AD
  > LDAP
  > Grouper
Surrogate login and groups
• Looks up all groups for the user
• Determines which groups are related to SPAs
• Shows the list to the user
• Logs the user in as the SPA using either CAS/Shib
• Adds info to logs
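The surrogate-login flow on this slide, together with the SPA-ID+My-Account-ID form from the earlier Surrogate login slide, as an added worked example; this is not code from the talk or from UC Berkeley’s implementation, and the group names, the spa:<id>:users naming convention and the SpaRecord fields are assumptions.

```python
# Added example, not code from the talk: resolving a surrogate login of the
# form "SPA-ID+My-Account-ID" and deciding which SPAs a user may act as.
# Group names, the "spa:<id>:users" naming convention and the attribute
# names are assumptions for illustration only.
from __future__ import annotations
from dataclasses import dataclass
from datetime import date

@dataclass
class SpaRecord:
    spa_id: str
    access_group: str   # the SPA's user access group (Grouper/LDAP)
    expiration: date    # "Expiration date" extra attribute

# Constructed directory data for two SPAs (one already expired).
SPAS = {
    "dept-mail": SpaRecord("dept-mail", "spa:dept-mail:users", date(2020, 1, 1)),
    "team-data": SpaRecord("team-data", "spa:team-data:users", date(2014, 6, 30)),
}

def parse_login(login: str) -> tuple[str, str]:
    """Split 'SPA-ID+My-Account-ID' into (spa_id, account_id).
    A bare '+My-Account-ID' (empty SPA-ID) is assumed to mean a normal login."""
    if "+" not in login:
        return "", login
    spa_id, _, account_id = login.partition("+")
    return spa_id, account_id

def spas_for_user(user_groups: set[str]) -> list[str]:
    """SPAs the user may surrogate into, derived from their group memberships."""
    return sorted(s.spa_id for s in SPAS.values() if s.access_group in user_groups)

def resolve_surrogate(login: str, user_groups: set[str], today: date) -> tuple[str, str]:
    """Return (principal to log in as, audit log line). The user's own password
    is assumed to have been verified against My-Account-ID by CAS already."""
    spa_id, account_id = parse_login(login)
    if not spa_id:
        return account_id, f"login user={account_id}"
    spa = SPAS.get(spa_id)
    # Authorization: the real user must be in the SPA's user access group.
    if spa is None or spa.access_group not in user_groups:
        raise PermissionError(f"{account_id} is not authorized for SPA {spa_id}")
    if today > spa.expiration:
        raise PermissionError(f"SPA {spa_id} expired on {spa.expiration}")
    # "Adds info to logs": record both the real user and the SPA acted as.
    return spa_id, f"surrogate user={account_id} spa={spa_id}"
```

The log line keeps the real account alongside the SPA, which is what makes SPA activity attributable to a person later.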
Issues and changes…
• Previously had authorizer/owner.
• Any employee.
• The shell game.
Q/A
• What do you think?
• Do you have an implementation of SPAs?