Keeping access control while moving to the cloud

Presented by Zdenek Nejedly, Computing & Communications Services, University of Guelph (www.uoguelph.ca/ccs)

Objectives
Intro: University of Guelph mail migration
Review: Access Management in the Cloud
Conclusion: Solutions and Lessons Learned

University of Guelph mail migration
Can Access management help?

Migration project highlights
Migrating 36k undergraduate students
Production Sep 1, 2014
Expanding from one to two mail systems: Zimbra Collaboration Suite and Google Apps for Education

Migration project challenges
User: two mail systems - am I on Google or Zimbra? Or both? Can we have a single access point?
University: policy confirmation before authorizing access to the service - how can we serve it to the users? Can we customize the authN flow?

Access Management technologies for the cloud services

Do you provide Web Access Management on your campus?
Do you provide authentication for cloud services? How? Shibboleth? CAS? ADFS? Other SAML 2 or non-SAML? Custom SSO?

Why Web Access Management?
Functions: authN, authZ, SSO, attrs, audit
Benefits:
Security: secured credentials (Password Reuse, xkcd.com/792)
User experience: single identity, SSO
Service Providers: friction - retention
Identity providers: lower management cost

Cloud authentication: the early years
SSO mostly as a custom solution
Secret token exchanged between the parties
Individual solutions: high cost

Cloud authentication: the protocols
Gartner (2013): "Gartner estimates a penetration well over 50% worldwide for SAML-based federations."

What do I need to know?
Role Based Access Control (RBAC), Attribute Based Access Control (ABAC), Claims Consumer (CC), Asserting Party (AP), Identity Provider (IdP), Relying Party (RP), Security Assertion Markup Language (SAML), One Time Password (OTP), JSON Web Token (JWT), Claims, SOAP, JSON

Tech Primer: SAML & OAuth, SOAP & REST, XML & JSON, GET & POST, HTTP & HTTPS

HTTP & HTTPS
HTTP - application protocol (RFC 2616)
Stateless

GET & POST: methods in HTTP
GET: resource retrieval, preserved in redirects
POST: sends data to the server in the body, may be lost in redirects

Sample request and response:

GET http://example.com/stocks.cgi?name=IBM HTTP/1.1

POST https://example.com/authenticate HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 31

username=jane&password=w0rld2u

HTTP/1.1 302 Found
Location: http://example.org/secure/docs/

XML & JSON
eXtensible Markup Language and JavaScript Object Notation: free open standards
The same record in XML (element names reconstructed from the JSON keys; the slide's tags were lost in extraction) and in JSON:

<person>
  <firstName>John</firstName>
  <lastName>Smith</lastName>
  <isAnalyst>true</isAnalyst>
  <phone type="home">123 123-1234</phone>
  <phone type="fax">123 123-9999</phone>
</person>

{
  "firstName": "John",
  "lastName": "Smith",
  "isAnalyst": true,
  "phone": [
    { "type": "home", "number": "123 123-1234" },
    { "type": "fax", "number": "123 123-9999" }
  ]
}
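The GET-versus-POST point above (a POST body "may be lost in redirects") is easy to see in code. The following is an added example, not from the slides: it parses a raw HTTP/1.1 request like the sample POST, decodes the form body, and models what a browser sends after following a redirect. The sample traffic is constructed here (the Content-Length is computed from the body rather than copied from the slide); the redirect behaviour follows RFC 7231, where 301/302/303 are re-requested with GET and 307/308 preserve the method and body.

```python
from urllib.parse import parse_qs

# Constructed sample traffic modelled on the slide, not a captured session.
_BODY = "username=jane&password=w0rld2u"
SAMPLE_POST = (
    "POST https://example.com/authenticate HTTP/1.1\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    f"Content-Length: {len(_BODY)}\r\n"
    "\r\n"
    f"{_BODY}"
)


def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.1 request into method, target, version, headers and body.

    Header names are lower-cased because HTTP header names are case-insensitive."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}


def form_fields(request: dict) -> dict:
    """Decode an application/x-www-form-urlencoded body; empty for any other body."""
    if request["headers"].get("content-type") != "application/x-www-form-urlencoded":
        return {}
    return {name: values[0] for name, values in parse_qs(request["body"]).items()}


def follow_redirect(request: dict, status: int, location: str) -> dict:
    """Model the request a browser issues after a redirect to `location`.

    301/302/303: the browser re-requests the new URL with GET and drops the body,
    so form data (here the credentials) never reaches the redirect target. This is
    why a POST "may be lost in redirects" while a GET survives them.
    307/308: method and body are preserved."""
    if status in (301, 302, 303):
        kept = {k: v for k, v in request["headers"].items()
                if k not in ("content-type", "content-length")}
        return {"method": "GET", "target": location, "version": request["version"],
                "headers": kept, "body": ""}
    if status in (307, 308):
        return dict(request, target=location)
    raise ValueError(f"{status} is not a redirect status")


if __name__ == "__main__":
    req = parse_request(SAMPLE_POST)
    print(form_fields(req))                       # credentials travel in the POST body
    print(follow_redirect(req, 302, "http://example.org/secure/docs/"))
```

The practical consequence for a login endpoint: the server that receives the POST must consume the credentials and establish the session before answering 302, because nothing in the body survives the hop to the Location target.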

SOAP & REST
SOAP: communication protocol
REST: architectural design style

Example of a SOAP fault message (http://www.w3.org/TR/soap12-part1/#faultcodes):

<env:Envelope xmlns:env="http://www.w3.org/2003/05/soap-envelope"
              xmlns:m="http://www.example.org/timeouts"
              xmlns:xml="http://www.w3.org/XML/1998/namespace">
  <env:Body>
    <env:Fault>
      <env:Code>
        <env:Value>env:Sender</env:Value>
        <env:Subcode>
          <env:Value>m:MessageTimeout</env:Value>
        </env:Subcode>
      </env:Code>
      <env:Reason>
        <env:Text xml:lang="en">Sender Timeout</env:Text>
      </env:Reason>
      <env:Detail>
        <m:MaxTime>P5M</m:MaxTime>
      </env:Detail>
    </env:Fault>
  </env:Body>
</env:Envelope>

REST (Roy Fielding, 2000)

SAML 2.0 & OAuth 2.0
SAML: authN, authZ, attrs - Web Browser SSO Profile
OAuth: intended for authorization - Server side Web App profile

SAML Authentication Flow for Google Apps (Web Browser SSO Profile)
Parties: Users (browser), Service Provider (Google), Identity Provider (idp.uoguelph.org)
1) Browser requests Gmail content: GET https://mail.google.com/a/uoguelph.org
2) Browser redirected to IdP with AuthnRequest: GET https://idp.uoguelph.org/SSO?SAMLRequest=...
3) IdP identifies the user
4) Browser posts Response to Google with NameID: POST https://www.google.com/a/uoguelph.org/acs
5) Google returns Gmail content
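Steps 2 to 4 of that flow, as an added example that is not part of the slides: the SP builds an AuthnRequest and the SAMLRequest redirect (HTTP-Redirect binding: raw DEFLATE, base64, URL-encode), the IdP decodes it and answers with a Response carrying the NameID, and the SP validates the Response before trusting the NameID. The entity IDs, endpoints and key are hypothetical (the uoguelph.org endpoints on the slide are not reused), user authentication at the IdP is assumed to happen out of band, and an HMAC over the encoded Response stands in for the XML-Signature a real IdP produces; the checks on the SP side (signature, Destination, InResponseTo, Issuer, validity window, Audience) are the ones a real ACS performs.

```python
import base64
import hashlib
import hmac
import uuid
import zlib
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode, urlsplit
import xml.etree.ElementTree as ET

# Hypothetical party identifiers and endpoints; the uoguelph.org ones on the slide are not reused.
SP_ENTITY = "google.com/a/example-university.org"
ACS_URL = "https://www.google.com/a/example-university.org/acs"
IDP_ENTITY = "https://idp.example-university.org/idp/shibboleth"
IDP_SSO_URL = "https://idp.example-university.org/SSO"
IDP_KEY = b"constructed-demo-key"   # stand-in for the IdP's XML-Signature key pair
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def sp_build_redirect(pending: dict) -> str:
    """Step 2: the SP builds an AuthnRequest and the redirect URL that carries it.

    HTTP-Redirect binding: raw DEFLATE, then base64, then URL-encode as SAMLRequest."""
    req_id = "_" + uuid.uuid4().hex
    now = datetime.now(timezone.utc)
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="{req_id}" '
           f'Version="2.0" IssueInstant="{now.strftime(TIME_FMT)}" '
           f'AssertionConsumerServiceURL="{ACS_URL}">'
           f'<saml:Issuer>{SP_ENTITY}</saml:Issuer></samlp:AuthnRequest>')
    pending[req_id] = now                           # remembered for the InResponseTo check
    deflated = zlib.compress(xml.encode())[2:-4]    # strip zlib header and trailer -> raw DEFLATE
    return IDP_SSO_URL + "?" + urlencode({"SAMLRequest": base64.b64encode(deflated).decode()})


def idp_issue_response(redirect_url: str, name_id: str) -> dict:
    """Step 3: the IdP decodes the request, identifies the user (out of band here)
    and returns the form fields the browser will auto-POST to the SP's ACS."""
    qs = parse_qs(urlsplit(redirect_url).query)
    req = ET.fromstring(zlib.decompress(base64.b64decode(qs["SAMLRequest"][0]), -15))
    now = datetime.now(timezone.utc)
    not_before = (now - timedelta(minutes=1)).strftime(TIME_FMT)
    not_on_or_after = (now + timedelta(minutes=5)).strftime(TIME_FMT)
    xml = (f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_{uuid.uuid4().hex}" '
           f'Version="2.0" IssueInstant="{now.strftime(TIME_FMT)}" '
           f'InResponseTo="{req.get("ID")}" Destination="{req.get("AssertionConsumerServiceURL")}">'
           f'<saml:Issuer>{IDP_ENTITY}</saml:Issuer>'
           f'<saml:Assertion ID="_{uuid.uuid4().hex}" Version="2.0" IssueInstant="{now.strftime(TIME_FMT)}">'
           f'<saml:Issuer>{IDP_ENTITY}</saml:Issuer>'
           f'<saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>'
           f'<saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}">'
           f'<saml:AudienceRestriction><saml:Audience>{SP_ENTITY}</saml:Audience>'
           f'</saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>')
    encoded = base64.b64encode(xml.encode()).decode()
    # An HMAC over the encoded Response stands in for the XML-Signature a real IdP produces.
    mac = hmac.new(IDP_KEY, encoded.encode(), hashlib.sha256).hexdigest()
    return {"SAMLResponse": encoded, "Signature": mac}


def sp_consume_response(form: dict, pending: dict) -> str:
    """Step 4: the SP validates the posted Response and only then trusts the NameID."""
    expected = hmac.new(IDP_KEY, form["SAMLResponse"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, form.get("Signature", "")):
        raise ValueError("signature check failed")
    resp = ET.fromstring(base64.b64decode(form["SAMLResponse"]))
    if resp.get("Destination") != ACS_URL:
        raise ValueError("response addressed to a different ACS")
    if pending.pop(resp.get("InResponseTo"), None) is None:
        raise ValueError("unsolicited or replayed response")
    if resp.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY:
        raise ValueError("unexpected issuer")
    assertion = resp.find("saml:Assertion", NS)
    cond = assertion.find("saml:Conditions", NS) if assertion is not None else None
    if cond is None:
        raise ValueError("assertion or conditions missing")
    now = datetime.now(timezone.utc)
    not_before = datetime.strptime(cond.get("NotBefore"), TIME_FMT).replace(tzinfo=timezone.utc)
    not_on_or_after = datetime.strptime(cond.get("NotOnOrAfter"), TIME_FMT).replace(tzinfo=timezone.utc)
    if not (not_before <= now < not_on_or_after):
        raise ValueError("assertion outside its validity window")
    if cond.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS) != SP_ENTITY:
        raise ValueError("assertion meant for another SP")
    return assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)


def run_flow(name_id: str = "jane@example-university.org") -> str:
    """Drive steps 2-4 end to end and return the NameID the SP accepted."""
    pending = {}
    redirect_url = sp_build_redirect(pending)          # 2) browser redirected to IdP
    form = idp_issue_response(redirect_url, name_id)   # 3) IdP identifies the user
    return sp_consume_response(form, pending)          # 4) browser posts Response to the ACS
```

The pending-request table is what turns InResponseTo into a replay check: the entry is removed when the Response is consumed, so posting the same Response a second time is rejected even though its signature is still valid.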

OAuth 2 Authorization flow (Server Side Web App profile)
Parties: Users (browser), Client / Claims Consumer (web app), Authorization Server (API Provider)
1) Browser accesses Claims Consumer (CC) - accessing app content
2) Browser redirected to the Authorization Server (AS)
3) User authenticates, AS issues Authorization Code (request authZ code)
4) Browser redirected to CC with
5) CC posts to AS
6) CC receives JSON response with Access Token
7) CC makes an API call to the API Provider with Access Token

More on OAuth 2.0 and OpenID Connect
Talk by Ryan Boyd: http://www.youtube.com/watch?v=YLHyeSuBspI
Getting started with OAuth 2.0, O'Reilly (2012)
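The seven-step exchange above with both sides' messages, as an added example that is not from the slides or from any of the referenced material. The client registration, secret and URLs are hypothetical; the three parties are in-process objects rather than HTTP services so the exchange runs offline. The checks shown are the ones that make the server-side profile safe in practice: the CC binds a `state` value to its session and verifies it on the way back, the AS only redirects to the registered `redirect_uri`, and each authorization code is accepted once and only from the client it was issued to.

```python
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Hypothetical registration data and endpoints (none of these are on the page).
CLIENT_ID = "claims-consumer-demo"
CLIENT_SECRET = "constructed-client-secret"
REDIRECT_URI = "https://cc.example-university.org/oauth/callback"
AUTHORIZE_URL = "https://as.example-provider.org/oauth2/authorize"


class AuthorizationServer:
    """Issues single-use authorization codes and exchanges them for access tokens."""
    def __init__(self):
        self.clients = {CLIENT_ID: {"secret": CLIENT_SECRET, "redirect_uri": REDIRECT_URI}}
        self.codes = {}    # code -> (client_id, redirect_uri, user, expires_at)
        self.tokens = {}   # access token -> user

    def authorize(self, params: dict, user: str) -> str:
        """Step 3: the user has authenticated; send the browser back to the CC with a code."""
        client = self.clients.get(params.get("client_id"))
        # Exact match against the registered redirect_uri, so a code is never sent elsewhere.
        if client is None or params.get("redirect_uri") != client["redirect_uri"]:
            raise ValueError("unknown client or redirect_uri mismatch")
        code = secrets.token_urlsafe(24)
        self.codes[code] = (params["client_id"], params["redirect_uri"], user, time.time() + 60)
        # The CC's state value is echoed back unchanged so the CC can tie the reply to its session.
        return params["redirect_uri"] + "?" + urlencode({"code": code, "state": params.get("state", "")})

    def token(self, form: dict) -> dict:
        """Steps 5/6: back-channel exchange of code + client credentials for an access token."""
        client = self.clients.get(form.get("client_id"))
        if client is None or not hmac.compare_digest(client["secret"], form.get("client_secret", "")):
            raise ValueError("client authentication failed")
        entry = self.codes.pop(form.get("code"), None)   # pop: each code is usable once
        if entry is None:
            raise ValueError("invalid or already used code")
        client_id, redirect_uri, user, expires_at = entry
        if (client_id, redirect_uri) != (form["client_id"], form.get("redirect_uri")) or time.time() > expires_at:
            raise ValueError("code not issued to this client/redirect_uri, or expired")
        access_token = secrets.token_urlsafe(32)
        self.tokens[access_token] = user
        return {"access_token": access_token, "token_type": "Bearer", "expires_in": 3600}


class ApiProvider:
    """Step 7: resource API that accepts the AS's bearer tokens."""
    def __init__(self, auth_server: AuthorizationServer):
        self.auth_server = auth_server

    def profile(self, authorization_header: str) -> dict:
        scheme, _, token = authorization_header.partition(" ")
        user = self.auth_server.tokens.get(token) if scheme == "Bearer" else None
        if user is None:
            raise PermissionError("invalid access token")
        return {"user": user}


class ClaimsConsumer:
    """The server-side web app: starts the flow and handles the redirect back."""
    def __init__(self, auth_server: AuthorizationServer, api: ApiProvider):
        self.auth_server, self.api, self.session = auth_server, api, {}

    def start_login(self) -> str:
        """Step 2: redirect to the AS with a fresh state bound to this browser session."""
        self.session["state"] = secrets.token_urlsafe(16)
        return AUTHORIZE_URL + "?" + urlencode({
            "response_type": "code", "client_id": CLIENT_ID,
            "redirect_uri": REDIRECT_URI, "state": self.session["state"]})

    def callback(self, redirect_url: str) -> dict:
        """Steps 4-7: check state, exchange the code, call the API with the token."""
        qs = {k: v[0] for k, v in parse_qs(urlsplit(redirect_url).query).items()}
        expected = self.session.pop("state", "")
        if not expected or not hmac.compare_digest(qs.get("state", ""), expected):
            raise ValueError("state mismatch: redirect not tied to this session")
        token = self.auth_server.token({
            "grant_type": "authorization_code", "code": qs.get("code", ""),
            "redirect_uri": REDIRECT_URI, "client_id": CLIENT_ID, "client_secret": CLIENT_SECRET})
        return self.api.profile(f"Bearer {token['access_token']}")


def run_flow(user: str = "jane", tamper_state: bool = False):
    """Drive the whole exchange; returns the API's answer, or the error text if a check fails."""
    auth_server = AuthorizationServer()
    cc = ClaimsConsumer(auth_server, ApiProvider(auth_server))
    params = {k: v[0] for k, v in parse_qs(urlsplit(cc.start_login()).query).items()}
    if tamper_state:
        params["state"] = "attacker-chosen"   # a redirect the CC never asked for
    try:
        return cc.callback(auth_server.authorize(params, user))
    except ValueError as err:
        return str(err)


def code_is_single_use(user: str = "jane") -> bool:
    """Replay the same code after a successful exchange; True if the AS rejects it."""
    auth_server = AuthorizationServer()
    cc = ClaimsConsumer(auth_server, ApiProvider(auth_server))
    params = {k: v[0] for k, v in parse_qs(urlsplit(cc.start_login()).query).items()}
    back = auth_server.authorize(params, user)
    cc.callback(back)
    replay = {"grant_type": "authorization_code", "code": parse_qs(urlsplit(back).query)["code"][0],
              "redirect_uri": REDIRECT_URI, "client_id": CLIENT_ID, "client_secret": CLIENT_SECRET}
    try:
        auth_server.token(replay)
        return False
    except ValueError:
        return True
```

Note that the access token never reaches the browser: the code travels through the front channel, the token exchange (step 5/6) happens server to server with the client secret, which is what distinguishes the server-side web app profile from client-side profiles.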

Solutions, lessons learned and the next steps

Challenge: where is my mail?
Zimbra: staff, faculty, grads
Gmail: undergrads
Multiple roles? Transient entitlements?

Solution: single access point
Mail SSO Middleware determines the correct mail system (Zimbra or Gmail) and routes the user accordingly.

Challenge: can we add a business process into the authN flow?
Default Google Apps SAML2 AuthN Flow: Users (1, 5) - Service Provider (Google) (2, 4) - UofG Identity Provider (3)

Solution: insert middleware
Users (1, 5) - Service Provider (Google) (2a, 4) - Mail SSO Middleware with the Policy engine (2b, 2c) - UofG Identity Provider (3)
User confirms the Policies (2a) served by Middleware (2c)
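The two middleware decisions just described (route the user to the right mail system, and hold the cloud login until the policy has been confirmed) reduce to a small policy function. The following is an added example, not the university's middleware: the affiliation-to-system mapping follows the slide, while the precedence for people holding several roles (Zimbra wins), the idea that a session requested for the wrong system is redirected rather than refused, the policy version tag, and the choice to gate only the cloud service on policy confirmation are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

ZIMBRA, GMAIL = "zimbra", "gmail"
# Affiliation -> mail system, following the slide (Zimbra: staff, faculty, grads; Gmail: undergrads).
SYSTEM_BY_AFFILIATION = {"staff": ZIMBRA, "faculty": ZIMBRA, "graduate": ZIMBRA, "undergraduate": GMAIL}
# Assumption: when someone holds several roles, the Zimbra entitlement wins.
PRECEDENCE = (ZIMBRA, GMAIL)
# Hypothetical version tag of the policy users must confirm before the cloud service is authorized.
CURRENT_POLICY_VERSION = "2014-09"


@dataclass
class User:
    uid: str
    affiliations: list                       # e.g. ["faculty", "undergraduate"], as released by the WAM
    accepted_policy: Optional[str] = None    # policy version the user has already confirmed


def choose_mail_system(user: User) -> Optional[str]:
    """Pick the user's mail system from their affiliations; None means no mail entitlement."""
    systems = {SYSTEM_BY_AFFILIATION[a] for a in user.affiliations if a in SYSTEM_BY_AFFILIATION}
    return next((s for s in PRECEDENCE if s in systems), None)


def middleware_decide(user: User, requested: Optional[str] = None) -> dict:
    """Decide what the browser gets next once the WAM has identified the user.

    requested: the system whose session was asked for ("zimbra", "gmail") or None for either.
    Returns one action: deny, redirect (wrong system), confirm_policy, or release."""
    system = choose_mail_system(user)
    if system is None:
        return {"action": "deny", "reason": "no mail entitlement"}
    if requested not in (None, system):
        # Single access point: a request for the wrong system is routed, not refused.
        return {"action": "redirect", "to": system}
    if system == GMAIL and user.accepted_policy != CURRENT_POLICY_VERSION:
        # Business process in the authN flow: the SAML response for Google is not
        # released until the user has confirmed the current policy (steps 2a-2c).
        return {"action": "confirm_policy", "version": CURRENT_POLICY_VERSION}
    return {"action": "release", "system": system}


def record_policy_acceptance(user: User, version: str) -> User:
    """Store the confirmation so the next login goes straight through."""
    user.accepted_policy = version
    return user
```

Keeping the mapping and the precedence in data rather than in branches is what makes "multiple roles" and "transient entitlements" manageable: when an affiliation is withdrawn by the identity source, the next decision simply no longer sees it.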

Mail SSO Middleware (architecture)
Google Apps and Zimbra send their authentication requests (SAML2 AuthN Request / AuthN Request) to the Mail SSO Middleware: session request for Zimbra, for Gmail, or for either.
The middleware authenticates the user through UofG Shibboleth (SAML2 AuthN Request) or directly through UofG Oracle Access Manager (OAM AuthN Request), receives the OAM User Identity / User ID and Attrs, and returns the SAML2 AuthN Response.

Availability expectations for WAM? Clustering? Standby infrastructure?

Next steps - opportunities
Weak points? Efficiency?
Mail Access policy module into the authentication?

Takeaway points
With Access Management we can:
create a single access point for both email systems
build a policy confirmation even into proprietary services
With increasing dependencies comes increasing requirement on high availability.
And remember: don't reuse your password.

Acknowledgements
Universities already on Google Apps: thank you for sharing your experience with us.
University of Guelph Gryph Mail SSO team: Fazil, Hugh, Jill, Leo, Matt, Paul, Rob, Saveena, and Zdenek

External identities
Predicts 2014: Identity and Access Management (Gartner): "by 2020 60% of identities interacting with the enterprise will come from external IdPs (up from 10% today)"
Are you using (or plan to) social identities on your campus?
