Using PennGroups Chris Hyzer ISC/ASTT Sept 19, 2011 6/17/2015ISC1

Click here to load reader

  • date post

    20-Dec-2015
  • Category

    Documents

  • view

    215
  • download

    0

Embed Size (px)

Transcript of Using PennGroups Chris Hyzer ISC/ASTT Sept 19, 2011 6/17/2015ISC1

  • Slide 1
  • Using PennGroups Chris Hyzer ISC/ASTT Sept 19, 2011 6/17/2015ISC1
  • Slide 2
  • Using PennGroups Overview of Grouper Grouper versions and roadmap Grouper at Penn Secure Space example Atlassian example eForms example PHP use case Grouper UI: groups, permissions, etc Grouper client example Grouper privileges Survey 6/17/2015ISC2
  • Slide 3
  • Using PennGroups Overview of Grouper Tom Bartons recent presentation 6/17/2015ISC3
  • Slide 4
  • Using PennGroups Penn Roadmap Hopefully uses for central permissions E.g. warehouse permissions E.g. PennCommunity Direct permissions Always available read-only web services Shibboleth entitlement group membership integration PennCommunity Direct getPerson WS secure attributes FAST permissions integration?
  • Slide 5
  • Using PennGroups Atlas Penns Identity Management Strategy 6/17/20155 PennKey PennCard Ancillary Affiliates (Temp, VFAC, CHOP, etc..) Ancillary Affiliates (Temp, VFAC, CHOP, etc..) Penn Names Penn Community Penn Directory UPHS SRS PennGroups 3rd Party Apps 3rd Party Apps In-House Apps In-House Apps AuthZ Decisions via LDAP or WS HR
  • Slide 6
  • Using PennGroups Penn: example folder structure
  • Slide 7
  • Using PennGroups Getting started with PennGroups When School/Center is purchasing or developing a new system LSP (local support provider)/ application developer contacts Central IT LSP/developer and Central IT collaborate to: Establish authorization use cases for the specific application Determine access method (LDAP or Web Services) Determine best approach for group creation and maintenance School/Center fills out access forms Central IT consults with LSP/developer on group hierarchy structure
  • Slide 8
  • Using PennGroups PennGroups use cases PTO Paid Time Off Penn Groups provides the flexibility so that the user selects their approver for time off. Warehouse Apps Penn groups provides a feed for org based security based on active status School of Engineering and Applied Science Affiliate level groups - faculty members, staff members, students, undergrads, grads, PhD students Class level groups - everyone enrolled in every SEAS course, and several ad-hoc groups. Ad hoc groups generated and maintained via specific applications and business rules.
  • Slide 9
  • Using PennGroups PennGroups architecture
  • Slide 10
  • Using PennGroups PennGroups UI Grouper has a built in user interface Penn generally uses the default UI, though: We customized the authentication to use Penns single signon We added custom code to require users to be in a grouper group to be able to log in (not everyone allowed) Penn did a facelift for the Grouper 1.3 release in Spring 2008, improving the usability and help documentation We have a separate app to run the grouper loader in a webapp and register kerberos principals (add in subject database, and keep track of who owns it)
  • Slide 11
  • Using PennGroups PennGroups ancillary UI
  • Slide 12
  • Using PennGroups PennGroups ancillary UI (continued)
  • Slide 13
  • Using PennGroups Penns experience with Grouper Live for 3+ years 77 thousand groups 2.7 million memberships 54 kerberos service principals allowed to use LDAP/WS Some apps share, some are orphans
  • Slide 14
  • Using PennGroups Components used at Penn UI Lite-UI WS Client SQL interface We have our own secure LDAP feed External users GSH Notifications
  • Slide 15
  • Using PennGroups Components used at Penn (continued) Hooks (lightly) Rules (lightly) Permissions (lightly) Permissions UI Subject picker UI Kuali Rice Grouper integration module Atlassian (Confluence / Jira) integration module Loader Encrypted passwords
  • Slide 16
  • Using PennGroups Penns Secure Space Penn launched Secure Space in Fall 2010 Initially it was for PennKey holders only Last month we released a version which uses Grouper external users
  • Slide 17
  • Using PennGroups Penns Secure Space (continued) Secure Space is built on Grouper with three groups per space: admins, users, readonly When logging in, the grouper client / WS is used to cache the list of groups for user On create/delete space, GC/WS is used to create/delete groups Group memberships are managed via the membership lite UI screen
  • Slide 18
  • Using PennGroups Penns Secure Space (continued) Penns Grouper has rules to only allow external users in certain SS folders Penns Grouper external users must be invited to be able to register SecureSpace uses InCommon EPPN is required for external users External users self-register their name, email, institution
  • Slide 19
  • Using PennGroups Penns Secure Space (continued) Penn installed Shibboleth Discovery Service (DS/WAYF), customized: Pennify Support channel Make it easy for Penn users Recommend ProtectNetwork for users who dont have an InCommon account which releases EPPN
  • Slide 20
  • Using PennGroups Penns Secure Space (continued) Grouper shows external users with different icon, and description: [unverifiedInfo] First Last - institution [externalUserId] [email protected] External users do not show in results for groups which do not allow external users Demo
  • Slide 21
  • Using PennGroups FAST PennGroups integration FAST can link a FAST group to a PennGroup in the fastConfig FAST_ADMIN asserts that users are in the ISC org to be an admin (can be overridden in fastConfig) Contractors can be added in Group in PennGroups PennKey to PennId translation uses PennCommmunity first, and if failure, then LDAP FAST PennGroups membership called are also redundant
  • Slide 22
  • Using PennGroups Atlassian Grouper connector Penn using in production since Dec 2010, requires Grouper 1.6+ Implements the OpenSymphony osuser interfaces: Credentials provider (optional?) Access provider Profile provider (optional?)
  • Slide 23
  • Using PennGroups Atlassian Grouper connector (continued) Map a root folder for Confluence or Jira Groups (unnamespaced) are in that folder Can create/delete groups from atlassian, though sometimes there are issues we just create/use from Grouper XMPP messaging from Grouper to Atlassian for real time updates Fail-safe cache so if Grouper is down, Atlassian is up Note, cache at Penn configured to last 24 hours, failsafe cache lasts 48 hours
  • Slide 24
  • Using PennGroups Atlassian Grouper connector (continued) If you have LDAP groups with memberOf and member, you can use Atlassian LDAP groups If not, you can use this Two-way editing is nice (if it works) If no anonymous access, there is a REMOTE_USER authenticator too
  • Slide 25
  • Using PennGroups Atlassian Grouper demo See Group in Atlassian See Group in Grouper (lite UI) Edit membership in Grouper See Group unchanged in Atlassian See logs, after 2 minutes a message will appear from Grouper XMPP notifications Group is now changed in Atlassian Change group back, see message and change
  • Slide 26
  • Using PennGroups Atlassian Grouper future Penn ISC is happy with it Could have better cache clearing Currently it clears all groups, and with large deployments and lots of groups, and lots of membership updates, it can be a performance issue Fix two way membership changes This used to work, then stopped working, and we just use Grouper (show demo)
  • Slide 27
  • Using PennGroups Atlassian Grouper Penn config Show Penn config for atlassian connector
  • Slide 28
  • Using PennGroups Penn eForms: Paper form screenshot In 2009 Penn wanted to convert paper access management forms to eForms 28 6/17/2015, 2009 Internet2
  • Slide 29
  • Using PennGroups Penn eForms: Paper form screenshot (continued) 29 6/17/2015, 2009 Internet2
  • Slide 30
  • Using PennGroups 30 6/17/2015, 2009 Internet2 Penn eForms: How to connect Rice to Grouper? Add two jars to Rice (grouperRice.jar and grouperClient.jar) Add and configure grouper.client.properties Configure Rice spring override to group and/or identity service Setup a Grouper folder for the Rice root
  • Slide 31
  • Using PennGroups 31 6/17/2015, 2009 Internet2 Rice request grouperRice.jar Kuali DB Rice server Grouper Registry Grouper WS server Grouper.client.properties grouperClient.jar Penn eForms: Kuali Rice overridable services
  • Slide 32
  • Using PennGroups 32 6/17/2015, 2009 Internet2 Grouper WS server Grouper.client.properties grouperClient.jar REST LDAP Penn eForms: Grouper client One jar (no conflicts with existing libraries) Supports all of Grouper WS API Command line example java jar grouperClient.jar --operation=hasMemberWs --groupName=aStem:aGroup --subjectIds=1234567 Java library example new GcHasMember().assignGroupName("aStem:aGroup).addSubjectId("1234567").execute();
  • Slide 33
  • Using PennGroups Initiator fills out form Grouper Registry Kuali DB Get members to route to and emails Grouper WS Routes to approver group Routes to approver groupN Final Add a member to a Grouper group/role and/or assign permissions On login to Rice, get subject details Archive the document data, and workflow history One in group approves 1 3 4 5 Grouper UI Person / org pickers 2 Penn eForms: workflow with Grouper
  • Slide 34