Identity and Access Management Challenges in uPortal
Andrew Petro
ACAMP
Thursday 18 June 2009
© Copyright Unicon, Inc., 2006-2009.
http://creativecommons.org/licenses/by-sa/3.0/us/
This session
• Continuing to explore identity services requirements, representatives from the Sakai and uPortal projects will provide overviews of their key challenges relating to identity and access management.
1. IdM and access control in uPortal today
2. IdM and Portlet Standards
3. Achieving Beyond Standards
4. Delegated Authentication
5. Challenges
What’s uPortal?
• Free and open source Java-implemented portal software by and for higher education.
• Hosts JSR 168 portlets
• Authentication, user attribute marshalling, groups, access control
What’s a portlet?
• It’s an indicator, self-service widget, small application, or whatever else running in a box in the portal.
What do I get for being a portlet?
• Authentication
• User Attributes
• Roles
• Access Control
• Hosting and provisioning
• Skinning
• Monitoring and error handling
Identity Management and Access Control in uPortal
Authentication
• Embeds and relies upon Jasig CAS by default
Browser flow on login
1. uPortal (an unauthenticated request is redirected to CAS)
2. CAS (the user logs in and is sent back with a service ticket)
3. uPortal (validates the service ticket with CAS and starts the portal session)
Sharing a store of users
(Diagram: uPortal and CAS validating logins against the same user store.)
User Attributes
• Drawn from LDAP and RDBMS
• Merged, cascaded, mapped, …
• Pluggable API
• Factored out as Jasig PersonDirectory
• Now used in CAS
Groups
• In-portal manually managed
• Just-in-time (JIT) via rules about user attributes
• LDAP / AD
• Filesystem batch extracts
Permissions
• Owned and registered by subsystems
• Statement form: PRINCIPAL is [GRANTED | DENIED] permission to ACTIVITY [on OBJECT]
• Example: Portal Administrators are granted permission to modify the membership of the Channel Publishers group
• Example: “Library administrators” are granted permission to modify the membership of the “Library Fragment Administrators” group
Layout Templating
• Users with attribute “classYear” == 2010 should see the “Fourth Years” tab
• Users in the group “New to University” should see the “Getting Started” tab
IdM and Portlet Standards
Authentication
• JSR 168 API conveys a String username
User Attributes
• JSR 168 Portlet API conveys user attributes, as declared in portlet.xml
Credentials?
• User attributes are whatever you want them to be
• Passwords?
• CAS Proxy Tickets?
• Shibboleth delegable SAML assertions, Base64-encoded?
Roles
• JSR 168 supports an isUserInRole()
• uPortal answers this by checking for membership in a group mapped to the role
JSR 286 to the rescue?
• None of this changes.
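The groups, permissions, layout rules and the group-mapped answer to isUserInRole() described in the two sections above, as an added Python example (not uPortal's own code): the users, groups, activities, role names and tabs are constructed, and the deny-overrides-grant, fail-closed evaluation policy is an assumption of this toy rather than documented uPortal behaviour.

```python
"""Toy model of the uPortal access-control primitives described above:
attribute-derived (JIT) groups alongside manually managed ones, GRANT/DENY
permissions owned by a subsystem, attribute/group layout rules, and a JSR 168
isUserInRole() answered by role-to-group mapping. Added illustration, not
uPortal's own code; all users, groups, activities and tabs are constructed."""
from dataclasses import dataclass
from typing import Optional

# Constructed user attributes, as PersonDirectory would merge them from
# LDAP and RDBMS.
USERS = {
    "alice": {"classYear": "2010", "affiliation": "student"},
    "bob":   {"classYear": "2012", "affiliation": "student"},
    "carol": {"affiliation": "staff", "department": "library"},
}

# In-portal, manually managed groups (hypothetical membership).
MANUAL_GROUPS = {
    "Portal Administrators": {"carol"},
    "Library administrators": {"carol"},
    "New to University": {"bob"},
}

# JIT groups: membership computed at request time from attribute rules.
JIT_GROUP_RULES = {
    "Students": lambda attrs: attrs.get("affiliation") == "student",
    "Class of 2010": lambda attrs: attrs.get("classYear") == "2010",
}

def groups_of(user: str) -> set:
    """All groups of a user: manual memberships plus JIT rule matches."""
    attrs = USERS.get(user, {})
    groups = {g for g, members in MANUAL_GROUPS.items() if user in members}
    groups |= {g for g, rule in JIT_GROUP_RULES.items() if rule(attrs)}
    return groups

@dataclass(frozen=True)
class Permission:
    principal: str                 # user name or group name
    granted: bool                  # True = GRANTED, False = DENIED
    owner: str                     # subsystem that registered the activity
    activity: str
    target: Optional[str] = None   # None matches any target

# PRINCIPAL is [GRANTED | DENIED] permission to ACTIVITY [on OBJECT]
PERMISSIONS = [
    Permission("Portal Administrators", True, "GroupsManager",
               "MODIFY_MEMBERSHIP", "Channel Publishers"),
    Permission("Library administrators", True, "GroupsManager",
               "MODIFY_MEMBERSHIP", "Library Fragment Administrators"),
    Permission("Students", True, "Portal", "VIEW", "Course Tab"),
    Permission("bob", False, "Portal", "VIEW", "Course Tab"),  # explicit DENY
]

def has_permission(user: str, owner: str, activity: str,
                   target: Optional[str] = None) -> bool:
    """Resolve the user's principals (self plus groups) and evaluate.
    Policy assumption for this toy: any matching DENY overrides any GRANT,
    and no matching entry at all means denied (fail closed)."""
    principals = {user} | groups_of(user)
    matching = [p for p in PERMISSIONS
                if p.principal in principals and p.owner == owner
                and p.activity == activity
                and (p.target is None or p.target == target)]
    if any(not p.granted for p in matching):
        return False
    return any(p.granted for p in matching)

# JSR 168 isUserInRole(): the portal maps the portlet's declared role names
# (hypothetical) onto groups and checks membership.
ROLE_TO_GROUP = {"admin": "Portal Administrators", "student": "Students"}

def is_user_in_role(user: str, role: str) -> bool:
    group = ROLE_TO_GROUP.get(role)
    return group is not None and group in groups_of(user)

# Layout templating rules: tab name -> predicate over the user.
LAYOUT_RULES = [
    ("Fourth Years", lambda u: USERS.get(u, {}).get("classYear") == "2010"),
    ("Getting Started", lambda u: "New to University" in groups_of(u)),
]

def tabs_for(user: str) -> list:
    """Tabs the layout template shows this user, in rule order."""
    return [tab for tab, rule in LAYOUT_RULES if rule(user)]
```

Note that bob is a Student (granted VIEW on the Course Tab through the group) but carries an explicit DENY as an individual principal, which is exactly the case where the evaluation order of GRANT versus DENY matters; pick that order deliberately and document it in any real permission store.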
Beyond JSR 168 Standards
“Limitations” of JSR 168
• Conveys attributes and roles of the requesting user, but not of other users.
User directory lookup
• Identity Swapper
• Attribute Swapper
Selecting users and groups
• Present use case
Using JSR 168 APIs
• Jasig Announcements Portlet
Not Using JSR 168 APIs
• (legacy) Announcements Channel
• Channel publishing workflow
Delegated Authentication
Use case
Delegated Authentication
• User authenticates to portal
• Portal authenticates to a backing service on behalf of the user
• Data from backing service informs portal
http://www.flickr.com/photos/ntr23/730371240/
Password Replay
(Diagram: the user's password, PW, is held by the Portal, handed to each Channel, and replayed by each Channel to its PasswordProtected Service, so every channel and every backing service receives a copy of the password.)
Look Ma, No Password!
• Without a password to replay, how am I going to authenticate my portal to other applications?
Using CAS
• Optional support for making a Proxy CAS Ticket available to portlets using a user attribute
CAS and Password Replay
• See the Sacramento State ClearPass CAS and uPortal add-ons
Using Shibboleth
• Optional support for making the SAML assertion available to the portlet
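The CAS-based delegated-authentication path from the Delegated Authentication, Password Replay and Using CAS slides above, as an added Python simulation (not Jasig CAS or uPortal code): CAS alone ever sees the password, the portal keeps only a proxy-granting ticket (PGT), and a portlet receives a single-use proxy ticket (PT) as a user attribute that the backing service validates with CAS. The in-memory ticket store, the ticket strings, the service URLs and the direct PGT hand-off (real CAS delivers the PGT through an HTTPS callback to the portal's pgtUrl) are simplifications assumed for this example.

```python
"""Simulation of CAS proxy authentication as the slides describe it: login at
CAS, serviceValidate at the portal with a proxy callback, proxy tickets for
portlets, proxyValidate at the backing service. Added illustration, not Jasig
CAS or uPortal code; ticket store, ticket strings, URLs and the direct PGT
hand-off are simplifications of the real protocol."""
import secrets

class CasServer:
    def __init__(self, credentials):
        self.credentials = credentials   # constructed username -> password
        self.tickets = {}                # ticket id -> record

    def _issue(self, prefix, **record):
        ticket = f"{prefix}-{secrets.token_urlsafe(12)}"
        self.tickets[ticket] = record
        return ticket

    def _consume(self, ticket, prefix):
        # Service and proxy tickets are single-use: pop so a replay fails.
        if not ticket.startswith(prefix + "-") or ticket not in self.tickets:
            raise PermissionError(f"invalid or already used ticket: {ticket}")
        return self.tickets.pop(ticket)

    def login(self, username, password, service):
        """Browser-side login; only CAS ever sees the password."""
        if self.credentials.get(username) != password:
            raise PermissionError("bad credentials")
        return self._issue("ST", user=username, service=service)

    def service_validate(self, st, service):
        """/serviceValidate with a proxy callback: returns (user, PGT)."""
        rec = self._consume(st, "ST")
        if rec["service"] != service:
            raise PermissionError("service ticket issued for another service")
        pgt = self._issue("PGT", user=rec["user"], proxy_chain=[service])
        return rec["user"], pgt

    def proxy(self, pgt, target_service):
        """/proxy: the PGT lives for the session; each PT it yields is single-use."""
        rec = self.tickets.get(pgt)
        if rec is None or not pgt.startswith("PGT-"):
            raise PermissionError("invalid PGT")
        return self._issue("PT", user=rec["user"], service=target_service,
                           proxy_chain=list(rec["proxy_chain"]))

    def proxy_validate(self, pt, service):
        """/proxyValidate: returns (user, proxy chain) to the backing service."""
        rec = self._consume(pt, "PT")
        if rec["service"] != service:
            raise PermissionError("proxy ticket issued for another service")
        return rec["user"], rec["proxy_chain"]


class Portal:
    SERVICE = "https://portal.example.edu/"   # hypothetical service URL

    def __init__(self, cas):
        self.cas = cas
        self.sessions = {}   # session id -> {"user", "pgt"}; never a password

    def handle_cas_return(self, st):
        """Step 3 of the browser flow: validate the ST and keep the PGT."""
        user, pgt = self.cas.service_validate(st, self.SERVICE)
        sid = secrets.token_urlsafe(8)
        self.sessions[sid] = {"user": user, "pgt": pgt}
        return sid

    def user_attributes_for_portlet(self, sid, target_service):
        """What a portlet sees: the username plus a fresh PT, no password."""
        session = self.sessions[sid]
        return {"username": session["user"],
                "casProxyTicket": self.cas.proxy(session["pgt"], target_service)}


class BackingService:
    def __init__(self, cas, url, trusted_proxies):
        self.cas, self.url, self.trusted_proxies = cas, url, set(trusted_proxies)

    def fetch(self, user_attributes):
        user, chain = self.cas.proxy_validate(user_attributes["casProxyTicket"], self.url)
        # Accept proxied authentication only from portals this service trusts.
        if not set(chain) <= self.trusted_proxies:
            raise PermissionError(f"untrusted proxy chain {chain}")
        return f"data for {user} via {chain[0]}"


def rejected(action):
    """True if the action raises PermissionError (used to demonstrate the checks)."""
    try:
        action()
    except PermissionError:
        return True
    return False


def delegated_login_flow(username="alice", password="correct horse"):
    cas = CasServer({"alice": "correct horse"})           # constructed account
    portal = Portal(cas)
    library = BackingService(cas, "https://library.example.edu/", {Portal.SERVICE})
    st = cas.login(username, password, Portal.SERVICE)      # browser -> CAS
    sid = portal.handle_cas_return(st)                      # browser -> portal
    attrs = portal.user_attributes_for_portlet(sid, library.url)
    return {"result": library.fetch(attrs), "attrs": attrs,
            "portal": portal, "library": library, "sid": sid}

if __name__ == "__main__":
    print(delegated_login_flow()["result"])
```

Contrast this with the Password Replay diagram: the attributes handed to the portlet and the portal's session store carry a ticket bound to one target service and usable once, whereas a replayed password works anywhere and forever. The backing service's check on the proxy chain is what stops an arbitrary CAS client from minting tickets in the user's name; the service still has to decide which proxies it trusts.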
Identity Management and Access Control Challenges in uPortal
Challenge: Unloved UIs
• Administrative UIs are unloved
Partial solution in progress
Challenge: JIT
• With Shibboleth, user attributes may be available only just-in-time with end user login.
• Contrast with expectations of being able to directory-lookup users.
Challenge: How about roles?
• uPortal has no formal concept of roles distinct from groups
• Of course you can use groups as roles
• But it doesn’t necessarily feel natural
Challenge: Maintaining code
• PersonDirectory, GaPs (groups and permissions), custom UIs, …
• Some shared code evident: CAS example
• Some sharing hoped for: reusable portlet Spring Web Flow workflows for group selection
Questions? Discussion? Save it!
Andrew Petro
[email protected]
www.unicon.net/blog/3