Slide 1: Keeping access control while moving to the cloud
Presented by Zdenek Nejedly
Computing & Communications Services
University of Guelph
Required reading: Password Reuse webcomic, https://xkcd.com/792/
Slide 3: Objectives
Computing & Communications Services www.uoguelph.ca/ccs
• Intro: University of Guelph mail migration
• Review: Access Management in the Cloud
• Conclusion: Solutions and Lessons Learned
Slide 4: University of Guelph mail migration
Can access management help?
Slide 5: Migration project highlights
University of Guelph - Computing & Communications Services - www.uoguelph.ca/ccs
• Migrating 36k undergraduate students
• Production Sep 1, 2014
• Expanding from one to two mail systems: Google Apps for Education and Zimbra Collaboration Suite
Slide 6: Migration project challenges
• User: two mail systems - am I on Google or Zimbra? Or both?
• University: policy confirmation before authorizing access to the service - how can we serve it to the users?
Can we have a single access point?
Can we customize the authN flow?
Slide 7: Access Management technologies for the cloud services
Slide 8
• Do you provide Web Access Management on your campus?
• Do you provide authentication for cloud services? How?
  • Shibboleth? CAS? ADFS?
  • Other SAML 2 or non-SAML?
  • Custom SSO?
Slide 9: Why Web Access Management?
Functions:
• authN, authZ, SSO, attrs, audit
Benefits:
• Security: secured credentials (Password Reuse, xkcd.com/792)
• User experience: single identity, SSO
• Service Providers: friction - retention
• Identity Providers: lower management cost
Slide 10: Cloud authentication: the early years
• SSO mostly as a custom solution
• Secret token exchanged between the parties
• Individual solutions: high cost
Slide 11: Cloud authentication: the protocols
• Gartner (2013): “…Gartner estimates a penetration well over 50% worldwide for SAML-based federations…”
Slide 12: What do I need to know?
• SOAP
• Security Assertion Markup Language (SAML)
• JSON Web Token (JWT)
• One Time Password (OTP)
• Attribute Based Access Control (ABAC)
• Role Based Access Control (RBAC)
• Identity Provider (IdP)
• Asserting Party (AP), Relying Party (RP)
• Claims Provider (CP), Claims Consumer (CC)
Slide 13: Tech Primer
Topics: SAML & OAuth; SOAP & REST; XML & JSON; GET & POST; HTTP & HTTPS

HTTP & HTTPS
• HTTP - application protocol (RFC 2616)
• Stateless

GET & POST
• Methods in HTTP
• GET: resource retrieval, preserved in redirects
• POST: sends data to the server in the body, may be lost in redirects

Sample requests and a sample response:

```http
GET http://example.com/stocks.cgi?name=IBM HTTP/1.1

POST https://example.com/authenticate HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 31

username=jane&password=w0rld2u

HTTP/1.1 302 Found
Location: http://example.org/secure/docs/
```
Slide 14: XML & JSON
• Free open standards
• XML: eXtensible Markup Language
• JSON: JavaScript Object Notation

JSON:

```json
{
  "firstName": "John",
  "lastName": "Smith",
  "isAnalyst": true,
  "phone": [
    { "type": "home", "number": "123 123-1234" },
    { "type": "fax", "number": "123 123-9999" }
  ]
}
```

XML:

```xml
<person>
  <firstName>John</firstName>
  <lastName>Smith</lastName>
  <isAnalyst>true</isAnalyst>
  <phoneNumbers>
    <phone type="home">123 123-1234</phone>
    <phone type="cell">123 123-9999</phone>
  </phoneNumbers>
</person>
```
Slide 15: SOAP & REST
• SOAP: communication protocol
• REST: architectural design style
Slide 16: Example of a SOAP fault message (http://www.w3.org/TR/soap12-part1/#faultcodes)

```xml
<env:Envelope xmlns:env="http://www.w3.org/2003/05/soap-envelope"
              xmlns:m="http://www.example.org/timeouts"
              xmlns:xml="http://www.w3.org/XML/1998/namespace">
  <env:Body>
    <env:Fault>
      <env:Code>
        <env:Value>env:Sender</env:Value>
        <env:Subcode>
          <env:Value>m:MessageTimeout</env:Value>
        </env:Subcode>
      </env:Code>
      <env:Reason>
        <env:Text xml:lang="en">Sender Timeout</env:Text>
      </env:Reason>
      <env:Detail>
        <m:MaxTime>P5M</m:MaxTime>
      </env:Detail>
    </env:Fault>
  </env:Body>
</env:Envelope>
```
Slide 17: REST (Roy Fielding, 2000)
Slide 18: SAML 2.0 & OAuth 2.0
• SAML 2.0: authN, authZ, attrs; profile used here: Web Browser SSO Profile
• OAuth 2.0: intended for authorization; profile used here: Server-side Web App
Slide 19: SAML Authentication Flow for Google Apps (Web Browser SSO Profile)
Parties: Browser, Service Provider (Google), Identity Provider
1) Browser requests Gmail content: GET https://mail.google.com/a/uoguelph.org
2) Browser redirected to IdP with AuthnRequest: GET https://idp.uoguelph.org/SSO?SAMLRequest=...
3) IdP identifies the user
4) Browser posts Response to Google with NameID: POST https://www.google.com/a/uoguelph.org/acs
5) Google returns Gmail content (user's Gmail content returned)
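The Service Provider side of steps 2 and 4 above, as an added example that is not part of the deck and not Google's or the University's code: the SP/IdP endpoints, the unsigned stand-in Response and the in-memory table of outstanding request IDs are assumptions, and verifying the XML-DSig signature on the Response is assumed to be done by a library before these checks run. It shows what an ACS must verify before it trusts the NameID: Destination, InResponseTo (one-shot), status, validity window and audience.

```python
import base64, urllib.parse, uuid, zlib
import datetime as dt
import xml.etree.ElementTree as ET

# Constructed, hypothetical SP/IdP identifiers (not the University's real endpoints).
SP_ACS = "https://www.google.com/a/example.org/acs"
SP_ENTITY_ID = "google.com/a/example.org"
IDP_SSO = "https://idp.example.org/SSO"
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def build_redirect(pending: dict) -> str:
    """Step 2: the SP issues an AuthnRequest and remembers its ID; the HTTP-Redirect
    binding carries it as deflate + base64 + URL-encoding in the SAMLRequest parameter."""
    req_id = "_" + uuid.uuid4().hex
    pending[req_id] = True                       # outstanding request IDs, one-shot
    xml_doc = (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" ID="{req_id}" '
               f'Version="2.0" AssertionConsumerServiceURL="{SP_ACS}"/>')
    raw = zlib.compress(xml_doc.encode())[2:-4]  # drop zlib header/trailer: raw DEFLATE
    return IDP_SSO + "?SAMLRequest=" + urllib.parse.quote(base64.b64encode(raw))

def fake_idp_response(req_id: str, name_id: str, not_after: str) -> str:
    """Constructed stand-in for step 3: the (unsigned) Response the IdP has the browser POST."""
    xml_doc = (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
               f'Destination="{SP_ACS}" InResponseTo="{req_id}" Version="2.0"><samlp:Status>'
               '<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>'
               f'</samlp:Status><saml:Assertion><saml:Subject><saml:NameID>{name_id}'
               f'</saml:NameID></saml:Subject><saml:Conditions NotOnOrAfter="{not_after}">'
               f'<saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience>'
               '</saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>')
    return base64.b64encode(xml_doc.encode()).decode()

def validate_response(b64: str, pending: dict, now: dt.datetime = None) -> str:
    """Step 4: checks the ACS must make before trusting the NameID. Verifying the
    XML-DSig signature on the Response is assumed to happen first (not shown here)."""
    now = now or dt.datetime.now(dt.timezone.utc)
    root = ET.fromstring(base64.b64decode(b64))
    if root.get("Destination") != SP_ACS:
        raise ValueError("Response addressed to a different ACS")
    if pending.pop(root.get("InResponseTo"), None) is None:
        raise ValueError("unsolicited or replayed Response")   # ID unknown or already used
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or not code.get("Value", "").endswith(":Success"):
        raise ValueError("IdP reported failure")
    cond = root.find("saml:Assertion/saml:Conditions", NS)
    if now >= dt.datetime.fromisoformat(cond.get("NotOnOrAfter").replace("Z", "+00:00")):
        raise ValueError("assertion expired")
    aud = cond.find("saml:AudienceRestriction/saml:Audience", NS)
    if aud is None or aud.text != SP_ENTITY_ID:
        raise ValueError("assertion issued for another SP")
    return root.find("saml:Assertion/saml:Subject/saml:NameID", NS).text
```

A real SP also checks the Issuer against IdP metadata and the SubjectConfirmation data; those fields are omitted from the constructed Response to keep the example short.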
Slide 20: OAuth 2 Authorization flow (Server Side Web App profile)
Parties: Browser, Client / Claims Consumer (web app), Authorization Server (API Provider)
1) Browser accesses Claims Consumer (CC)
2) Browser redirected to the Authorization Server (AS) to request an authZ code
3) User authenticates, AS issues Authorization Code
4) Browser redirected to CC with
5) CC posts to AS
6) CC receives JSON response with Access Token
7) CC makes an API call to the API Provider with Access Token (accessing app content)
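Both sides of the flow above modelled in one process, as an added example that is not from the deck or from any real provider: the endpoints, client registration, in-memory code and token stores and the whoami API are assumptions. It shows the checks each side makes that the step list leaves implicit: the CC binds the callback to the browser session with a random state, and the AS issues codes that are single-use, short-lived and bound to the registered client and redirect_uri.

```python
import json, secrets, time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed, hypothetical endpoints and client registration (not a real provider).
AUTHORIZE_URL = "https://as.example.org/authorize"
CLIENT_ID = "mail-portal"
CLIENT_SECRET = "constructed-client-secret"
REDIRECT_URI = "https://portal.example.org/callback"

class AuthorizationServer:
    """Steps 3-6 (and the API of step 7) from the AS side: single-use codes bound to client and redirect_uri."""
    def __init__(self):
        self.codes = {}    # code -> (client_id, redirect_uri, user, expiry)
        self.tokens = {}   # access token -> user
    def authorize(self, url: str, user: str) -> str:
        q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
        if q.get("client_id") != CLIENT_ID or q.get("redirect_uri") != REDIRECT_URI:
            raise ValueError("unregistered client or redirect_uri")
        code = secrets.token_urlsafe(24)
        self.codes[code] = (CLIENT_ID, REDIRECT_URI, user, time.time() + 60)
        # Step 4: the browser is sent back to the CC carrying the code and the echoed state.
        return REDIRECT_URI + "?" + urlencode({"code": code, "state": q.get("state", "")})
    def token(self, form: dict) -> str:
        entry = self.codes.pop(form.get("code"), None)          # a code is redeemable once
        if entry is None or entry[3] < time.time():
            raise ValueError("unknown, already used or expired code")
        if (form.get("client_id"), form.get("redirect_uri")) != entry[:2] or form.get("client_secret") != CLIENT_SECRET:
            raise ValueError("code was issued to a different client or redirect_uri")
        tok = secrets.token_urlsafe(32)
        self.tokens[tok] = entry[2]
        return json.dumps({"access_token": tok, "token_type": "Bearer", "expires_in": 3600})
    def api_whoami(self, bearer: str) -> str:
        return self.tokens[bearer]                               # step 7: token checked by the API

class ClaimsConsumer:
    """Steps 1-2 and 4-7 from the web app side, for one browser session."""
    def __init__(self, auth_server: AuthorizationServer):
        self.auth_server = auth_server
        self.session = {}
    def start_login(self) -> str:
        # Step 2: a random state kept in the session ties the later callback to this attempt.
        self.session["state"] = secrets.token_urlsafe(16)
        return AUTHORIZE_URL + "?" + urlencode({"response_type": "code", "client_id": CLIENT_ID,
                                               "redirect_uri": REDIRECT_URI, "state": self.session["state"]})
    def callback(self, url: str) -> str:
        q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
        if not secrets.compare_digest(q.get("state", ""), self.session.pop("state", "")):
            raise ValueError("state mismatch: this callback was not started by this session")
        # Step 5: the code goes to the AS over a back channel with the client credentials.
        body = json.loads(self.auth_server.token({"grant_type": "authorization_code", "code": q.get("code"),
                                                  "redirect_uri": REDIRECT_URI, "client_id": CLIENT_ID,
                                                  "client_secret": CLIENT_SECRET}))
        return self.auth_server.api_whoami(body["access_token"])   # steps 6-7
```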
Slide 21: More on OAuth 2.0 and OpenID Connect
• Talk by Ryan Boyd: http://www.youtube.com/watch?v=YLHyeSuBspI
• Getting started with OAuth 2.0, O’Reilly (2012)
Slide 22: Solutions, lessons learned and the next steps
Slide 23: Challenge: where is my mail?
• Staff, faculty, grads: Zimbra
• Undergrads: Gmail
Multiple roles? Transient entitlements?
Slide 24: Solution: Single access point
Mail SSO Middleware determines the correct mail system (Zimbra or Gmail) and routes the user accordingly.
Slide 25: Challenge: can we add a business process into the authN flow?
Default Google Apps SAML2 AuthN flow (steps 1-5 as on slide 19): UofG Identity Provider, Service Provider (Google), user's Gmail content returned.
Slide 26: Solution: insert middleware
Parties: UofG Identity Provider, Mail SSO Middleware with the policy engine, Service Provider (Google); user's Gmail content returned.
Step 2 of the default flow becomes 2a-2c: the user confirms the policies served by the Mail SSO Middleware (2a-2c).
Slide 27: Mail SSO Middleware (architecture diagram)
Components: Mail SSO Middleware, UofG Oracle Access Manager, UofG Shibboleth, Google Apps, Zimbra.
Message labels on the diagram: Session Request for either Gmail or Zimbra; OAM AuthN Request; OAM User ID and Attrs; Session Request for Gmail; SAML2 AuthN Request; OAM User Identity; SAML2 AuthN Response; Session Request for Zimbra; AuthN Request.
Slide 28: Availability expectations for WAM?
• Clustering?
• Standby infrastructure?
Slide 29: Next steps - opportunities
• Weak points?
• Efficiency?
• Build the policy module into the Access Manager authentication
Slide 30: Takeaway points
With Access Management we can:
• create a single access point for both email systems
• build a policy confirmation even into proprietary services
With increasing dependencies comes an increasing requirement for high availability.
And remember - don’t reuse your password.
Slide 31: Acknowledgements
Universities already on Google Apps - thank you for sharing your experience with us.
University of Guelph Gryph Mail SSO team: Fazil, Hugh, Jill, Leo, Matt, Paul, Rob, Saveena, and Zdenek
Slide 32: External identities
Predicts 2014: Identity and Access Management (Gartner): “…by 2020, 60% of identities interacting with the enterprise will come from external IdPs (up from 10% today)…”
Are you using (or planning to use) social identities on your campus?