For the Pragmatic, the UHIMS Ecosystem (for Identity and Access Management)
Michael Hodges
ITS, Identity and Access Management
University of Hawaii © 2015 (51 slides)

What to talk about today?
• What is Pragmatic Programming?
• The UHIMS Ecosystem
• Solutions
• Ecosystem Enhancements Under Way
• UHIMS Dreams and Blue Sky Visions
• Looking ahead, UH joins Internet2’s TIER

What is Pragmatic Programming?
• A book: “The Pragmatic Programmer, From Journeyman to Master”
• A mindset that will help you
  – Keep it DRY
  – KISS better
  – Decouple by design
  – Minimize technical debt
  – Future-proof apps

What is Pragmatic Programming?
• Keep it DRY – Don’t Repeat Yourself – a design principle.
  – Write code once, reference it as needed.
  – Don’t reinvent the wheel, if possible.
  – Leverage UHIMS solutions that fit your needs (it will be well worth the learning curve).
  – DRY requires good planning.


What is Pragmatic Programming?
• KISS better – Keep It Simple and Short – a design principle
  – Small, simple software subcomponents reduce complexity and are easier to manage.
  – Create only the subcomponents that you must create; keep your custom code footprint as small as possible.
  – Embrace integration, leverage existing solutions.


What is Pragmatic Programming?
• Decouple by design
  – Utilize Message Brokering
    • Increase availability/uptime
    • Increase flexibility
  – Conceptualize apps as
    • Message producers, and
    • Message consumers

What is Pragmatic Programming?
• Decouple by design (diagram slide)


What is Pragmatic Programming?
• Minimize technical debt
  – Technical debt: the things you should have taken care of in your code, but didn’t, e.g.:
    • deferred features, deferred documentation, deferred regression tests, performance, etc.
  – Software entropy (a related concept)
    • Unaddressed technical debt increases software entropy.
    • Utilized software will be modified.
    • Modified software increases in complexity (unless successfully refactored).

What is Pragmatic Programming?
• A mindset that will help you
  – Keep it DRY
  – KISS better
  – Decouple by design
  – Minimize technical debt
  – Exceed expectations
  – Future-proof apps

What is Pragmatic Programming?
• Future-proof (one must try)
  – Align with the expanding UHIMS
    • Emerging Group/Authorization management practices.
    • Emerging 2nd factor authentication options.
    • Future end-user profile management.
    • Future attribute release consent options.
  – Leverage the work of other project teams
    • College of Ed’s WordPress plugin, Authorizer.
    • Bursar’s hosted eCommerce solution.
    • Internet2 community.
  – Anticipate TIER, an Internet2 IAM project
    • TIER: Trust and Identity in Education and Research.
    • Includes: Certs, Assurance, MFA, Shib, Grouper, COmanage, eduPerson, eduOrg, MACE Registries, IAM for higher ed.

What is Pragmatic Programming?
• Practical Pragmatic Examples
  – Report writing: output data to a CSV file for import to Excel.
  – CAS for authentication.
  – CAS attributes for authorization.
  – UH Groupings for authorization, anywhere the “is member of” question comes up.
  – UH Message Broker to separate apps that publish (liberate) information from apps that consume information.

The UHIMS Ecosystem
• A non-chronological review of the development of the UHIMS Ecosystem

UHIMS Ecosystem (circa 2015), revised 03/11/2015 (diagram, TI-SYS-IAM). Recoverable labels: Systems of Record (Banner, MyGrant, KFS, SECE, PS HR, RCUH) feed Admin Updates, Person Events and Person Directory Updates into the UHIMS Person Registry, which in turn feeds Directory Services, AuthN/Z Services and Applications.

The UHIMS Ecosystem
• The roles UHIMS aggregates:
  – staff.civilService, staff.executive, staff.apt, staff.casual, staff.overload, staff.noDetails, staff.nonCompensated
  – faculty.communityCollege, faculty.university, faculty.medical, faculty.researcher, faculty.specialist, faculty.countyAgent, faculty.librarian, faculty.law, faculty.emeritus, faculty.overload, faculty.noDetails, faculty.courseInstructor, faculty.lecturer, faculty.teachingAssistant, faculty.researchAssistant
  – studentEmployee.workStudy, studentEmployee.studentHire
  – student.graduate.law, student.graduate.medical, student.graduate.noDetails, student.undergraduate.noDetails, student.other.apprenticeship, student.other.continuingEducation, student.other.postBaccalaureate, student.other.professional, student.other.vocational, student.other.undeclared
  – nonCreditStudent.noDetails, nonCreditStudent.etc
  – preStudent.noDetails, preStudent.accepted, preStudent.applicant
  – ohana, retiree, other

UHIMS Ecosystem (circa 2015), revised 03/11/2015: a series of diagram slides that build up the full ecosystem (TI-SYS-IAM). Recoverable labels from the final diagram:
• Systems of Record: Banner, MyGrant, KFS, SECE, PS HR, RCUH (message producers of Person Events, Admin Updates and Person Directory Updates)
• UHIMS Person Registry, with its API and the Msg Broker [exchanges] carrying producer (PR) and consumer (CON) traffic
• Directory Services: LDAP (389 DS); AD (AuthN only, campus AD domains)
• AuthN/Z Services: RADIUS AuthN, Shib IdP AuthN, CAS 3 AuthN, Grouper AuthZ
• Applications: BMT, UHIMC, WPMS, VIA, ACER, UH Groupings, LISTSERV lists, Campus OneCard, Campus Wireless, Google@UH, federated Web Apps, registered Web Apps

UHIMS Ecosystem Solutions
• Authentication Solutions:
  – CAS
  – Shibboleth
  – LDAP
• Authorization Solutions:
  – ACER
  – Grouper
  – UH Groupings and the UH Group Store
  – UHIMS Events
• Decoupling Solutions:
  – UH Message Broker

UHIMS Ecosystem Solutions, Authentication Solutions
• CAS – Central Authentication Service
  – Used by UH apps for authentication
  – Default Attribute Release Policy
    • UH Data Governance policies apply (E2.215).
    • IAM and the Data Governance Committee (DGC) have created SOPs for standard requests.
    • Non-standard requests, such as for hosted apps, must first be approved by the DGC.
    • https://www.hawaii.edu/bwiki/display/UHIAM/CAS+Default+Attribute+Release+Policy
    • http://www.hawaii.edu/uhdatagov/

UHIMS Ecosystem Solutions, Authentication Solutions
• CAS – Central Authentication Service
  – Attributes useful for authorization:
    • eduPersonAffiliation (faculty)
    • eduPersonOrgDN (kauaicc)
    • uhOrgAffiliation (eduPersonOrgDn=kauaicc,eduPersonAffiliation=faculty)
    • uhAcknowledgement (generalConfidentialityNotice=20141231T000000)
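An added example (not code from UHIMS or from the deck) of how an application would turn the attributes above into an authorization decision. It assumes the attribute names on the slide arrive as lists of strings after the CAS service ticket has been validated; the sample values, the 365-day acknowledgement window and the helper names are constructed for illustration. The point it makes is that the compound uhOrgAffiliation value must be matched as a pair, because ANDing the two independent multi-valued attributes cannot say which affiliation belongs to which campus.

```python
from datetime import datetime, timedelta

# Constructed sample of attributes a CAS client holds after validating a
# service ticket; multi-valued attributes arrive as lists of strings.
SAMPLE_ATTRIBUTES = {
    "eduPersonAffiliation": ["faculty", "staff"],
    "eduPersonOrgDN": ["kauaicc", "manoa"],
    "uhOrgAffiliation": [
        "eduPersonOrgDn=kauaicc,eduPersonAffiliation=faculty",
        "eduPersonOrgDn=manoa,eduPersonAffiliation=staff",
    ],
    "uhAcknowledgement": ["generalConfidentialityNotice=20141231T000000"],
}

# Constructed "now" values: the deck's revision date, and a date well past
# the assumed acknowledgement window.
AS_OF = datetime(2015, 3, 11)
MUCH_LATER = datetime(2016, 6, 1)


def parse_pairs(value):
    """Split 'k=v,k2=v2' into a dict; malformed items are dropped, not guessed."""
    pairs = {}
    for item in value.split(","):
        if "=" in item:
            key, val = item.split("=", 1)
            pairs[key.strip()] = val.strip()
    return pairs


def org_affiliations(attrs):
    """Set of (org, affiliation) pairs taken from uhOrgAffiliation."""
    result = set()
    for value in attrs.get("uhOrgAffiliation", []):
        pairs = parse_pairs(value)
        if "eduPersonOrgDn" in pairs and "eduPersonAffiliation" in pairs:
            result.add((pairs["eduPersonOrgDn"], pairs["eduPersonAffiliation"]))
    return result


def naive_check(attrs, org, affiliation):
    """The tempting but wrong test: AND two independent multi-valued
    attributes. It cannot tell which affiliation belongs to which org."""
    return (org in attrs.get("eduPersonOrgDN", [])
            and affiliation in attrs.get("eduPersonAffiliation", []))


def acknowledged(attrs, notice, now, max_age_days=365):
    """True if `notice` was acknowledged no more than max_age_days before
    `now`. The 365-day window is an assumption for this example."""
    for value in attrs.get("uhAcknowledgement", []):
        stamp = parse_pairs(value).get(notice)
        if stamp is None:
            continue
        try:
            when = datetime.strptime(stamp, "%Y%m%dT%H%M%S")
        except ValueError:
            continue  # unparseable timestamp counts as not acknowledged
        if timedelta(0) <= now - when <= timedelta(days=max_age_days):
            return True
    return False


def authorize(attrs, org, affiliation, now):
    """Fail-closed: the exact (org, affiliation) pair must be asserted and
    the general confidentiality notice must be current."""
    if (org, affiliation) not in org_affiliations(attrs):
        return False
    return acknowledged(attrs, "generalConfidentialityNotice", now)


if __name__ == "__main__":
    print("kauaicc faculty:", authorize(SAMPLE_ATTRIBUTES, "kauaicc", "faculty", AS_OF))
    print("kauaicc staff (pairwise):", authorize(SAMPLE_ATTRIBUTES, "kauaicc", "staff", AS_OF))
    print("kauaicc staff (naive):", naive_check(SAMPLE_ATTRIBUTES, "kauaicc", "staff"))
```

With the constructed sample the naive check grants "staff at kauaicc" while the pairwise check refuses it, and the same user is refused once the acknowledgement has aged out of the window; both refusals are the fail-closed behaviour an app relying on released attributes should have.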

UHIMS Ecosystem Solutions, Authentication Solutions
• CAS – Central Authentication Service
  – Web App Form: URLs must be registered
    • https://www.hawaii.edu/bwiki/display/UHIAM/Web+App+Registration+Form
  – Developer Documentation
    • https://www.hawaii.edu/bwiki/display/UHIAM/CAS3+Developer+Documentation

UHIMS Ecosystem Solutions, Authentication Solutions
• CAS – Central Authentication Service
  – Infrastructure (diagram): a load balancer with health checks in front of CAS (active), CAS (hot standby) and CAS (manual standby)

UHIMS Ecosystem Solutions, Authentication Solutions
• Shibboleth Identity Provider (UH IdP)
  – Used by non-UH apps for federated authentication
  – Attribute Release Policy
    • Tailored to the minimal requirements.
    • Targeted IDs used where possible to protect privacy.
  – Federated apps must be registered
    • Exception: apps in the Research and Scholarship category
  – Infrastructure
    • Identical to CAS
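An added example (not the UH IdP's configuration and not Shibboleth's own ComputedId algorithm) of the two ideas on this slide: a targeted ID that is stable for one user at one service provider but differs across providers, so providers cannot correlate users, and a release policy that fails closed for providers that are neither registered nor in the Research and Scholarship category. The salt, entityIDs, user attributes and the R&S attribute bundle are constructed placeholders; HMAC-SHA256 keyed with an IdP-side secret is the construction chosen here.

```python
import base64
import hashlib
import hmac

# Constructed placeholder. A real IdP keeps this secret and stable: rotating
# it changes every user's targeted ID at every service provider.
IDP_SALT = b"PLACEHOLDER-idp-salt-keep-secret-and-stable"

# Constructed entityIDs for three kinds of service provider (SP).
VENDOR_SP = "https://sp.example-vendor.test/shibboleth"
RS_SP = "https://collab.example-research.test/sp"
UNKNOWN_SP = "https://unknown.example.test/sp"

# Constructed SP registry. "rs" marks the Research and Scholarship category,
# which the slide exempts from registration.
SP_REGISTRY = {
    VENDOR_SP: {"registered": True, "rs": False,
                "attributes": ["eduPersonScopedAffiliation"]},
    RS_SP: {"registered": False, "rs": True, "attributes": []},
    UNKNOWN_SP: {"registered": False, "rs": False, "attributes": []},
}

# Constructed stand-in for the federation's R&S bundle (not its definition).
RS_BUNDLE = ["eduPersonPrincipalName", "mail", "displayName"]

# Constructed user record as the IdP would see it.
SAMPLE_USER = {
    "eduPersonPrincipalName": "jdoe@example.edu",
    "mail": "jdoe@example.edu",
    "displayName": "J. Doe",
    "eduPersonScopedAffiliation": "faculty@example.edu",
}


def targeted_id(principal, sp_entity_id, salt=IDP_SALT):
    """Pairwise identifier: stable for (user, SP), unlinkable across SPs
    without the salt. Assumed construction: HMAC-SHA256 over 'sp!user'."""
    msg = sp_entity_id.encode() + b"!" + principal.encode()
    digest = hmac.new(salt, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def release(principal, user_attrs, sp_entity_id, registry=SP_REGISTRY):
    """Attributes released to one SP, or None when the SP is neither
    registered nor in the R&S category (fail closed, release nothing)."""
    sp = registry.get(sp_entity_id)
    if sp is None or not (sp["registered"] or sp["rs"]):
        return None
    wanted = RS_BUNDLE if sp["rs"] else sp["attributes"]
    released = {"eduPersonTargetedID": targeted_id(principal, sp_entity_id)}
    for name in wanted:
        if name in user_attrs:
            released[name] = user_attrs[name]
    return released


if __name__ == "__main__":
    for sp in (VENDOR_SP, RS_SP, UNKNOWN_SP):
        print(sp, "->", release("jdoe", SAMPLE_USER, sp))
```

The registered vendor receives only the targeted ID plus the one attribute it was approved for; the R&S service receives the bundle; the unknown service receives nothing at all rather than a partial set.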

UHIMS Ecosystem Solutions, Authentication Solutions
• LDAP, Lightweight Directory Access Protocol
  – Deprecated for authentication; use CAS
    • Exceptions are scrutinized.
    • The CAS attribute release policy is continually enhanced to mitigate the need.
  – Default Attribute Release Policy
    • Identical to CAS
    • Also subject to the IAM Data Governance Framework

UHIMS Ecosystem Solutions, Authorization Solutions
• Grouper
  – Addresses the fundamental “is member of” requirement and provides rich logic. For example:
    • Is the person a member of ITS, sitting on the 6th floor of the ITC building, currently taking credit classes, and therefore eligible for a tuition waiver?
  – Provides a UI and API.
  – Internet2 software, very active project.
  – Very popular in the higher ed community.
  – A component of TIER.

UHIMS Ecosystem Solutions, Authorization Solutions
• A UH Grouping:
  – Is a simple or complex expression of group membership
  – Is composed of 3 groups, conceptually:
    • Basis, Include, Exclude
  – Has 1 or more Owners
  – Has 0 or more Members
  – Has properties that an Owner can configure
  – Is reusable, can serve multiple purposes
    • Application authorization (who can do what)
    • LISTSERV list publication (email notifications)

UHIMS Ecosystem Solutions, Authorization Solutions
• A UH Grouping example, UH Hilo email discussion list:
  – Basis group: all UH Hilo faculty
    • Automatically kept current by UHIMS
  – Include group (may be empty)
    • Others that would like to participate, such as RCUH employees at UH Hilo.
  – Exclude group (may be empty)
    • Those that wish to be left out of the discussions.

UHIMS Ecosystem Solutions, Authorization Solutions
• UH Grouping (diagram): Basis, Include, Exclude

UHIMS Ecosystem Solutions, Authorization Solutions
• UH Grouping
  – Objective: implement a campus mailing list
  – Basis: UHH Faculty
  – Include: a few RCUH Employees
  – Exclude: several dissatisfied individuals

UHIMS Ecosystem Solutions, Authorization Solutions
• What can UH Grouping be used for?
  – Email LISTSERV list management
    • No need to manually manage the entire list
  – Complex role-based permissions management.
  – Opt-in/out services, when members are suitably allowed.
  – Any combination of the above (reuse)

UHIMS Ecosystem Solutions, Authorization Solutions
• UH Grouping limitations?
  – Currently, members must have a UH Number.
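An added example (not code from UH Groupings or Grouper) that models the UH Grouping slides above in code: effective membership is (Basis ∪ Include) − Exclude, owners alone edit Include and Exclude, opt-in and opt-out only work when the owner has enabled those properties, every member must carry a UH Number, and the same grouping can answer an "is member of" question or be published as a LISTSERV subscriber list. Names, UH Numbers, addresses and the eight-digit UH Number check are constructed assumptions for the example.

```python
import re

# Assumption for this example: a UH Number is eight digits. The real format
# is not stated on the slides.
UH_NUMBER = re.compile(r"^\d{8}$")

# Constructed directory: UH Number -> email, used for LISTSERV publication.
DIRECTORY = {
    "10000001": "faculty1@hilo.example",
    "10000002": "faculty2@hilo.example",
    "10000003": "faculty3@hilo.example",
    "20000001": "rcuh1@hilo.example",
}


class Grouping:
    """Effective membership = (Basis ∪ Include) − Exclude."""

    def __init__(self, name, owners, opt_in_allowed=False, opt_out_allowed=False):
        if not owners:
            raise ValueError("a grouping has 1 or more owners")
        self.name = name
        self.owners = set(owners)
        self.basis, self.include, self.exclude = set(), set(), set()
        # Owner-configurable properties.
        self.opt_in_allowed = opt_in_allowed
        self.opt_out_allowed = opt_out_allowed

    @staticmethod
    def _require_uh_number(uh_number):
        if not UH_NUMBER.match(uh_number):
            raise ValueError(f"{uh_number!r}: members must have a UH Number")

    def _require_owner(self, actor):
        if actor not in self.owners:
            raise PermissionError(f"{actor} is not an owner of {self.name}")

    def sync_basis(self, uh_numbers):
        """UHIMS keeps the basis current; owner overrides survive a refresh."""
        for n in uh_numbers:
            self._require_uh_number(n)
        self.basis = set(uh_numbers)

    def members(self):
        return (self.basis | self.include) - self.exclude

    def is_member(self, uh_number):
        return uh_number in self.members()

    def owner_include(self, actor, uh_number):
        self._require_owner(actor)
        self._require_uh_number(uh_number)
        self.include.add(uh_number)
        self.exclude.discard(uh_number)

    def owner_exclude(self, actor, uh_number):
        self._require_owner(actor)
        self._require_uh_number(uh_number)
        self.exclude.add(uh_number)
        self.include.discard(uh_number)

    def opt_in(self, uh_number):
        if not self.opt_in_allowed:
            raise PermissionError("opt-in is not enabled for this grouping")
        self._require_uh_number(uh_number)
        self.include.add(uh_number)
        self.exclude.discard(uh_number)

    def opt_out(self, uh_number):
        if not self.opt_out_allowed:
            raise PermissionError("opt-out is not enabled for this grouping")
        self._require_uh_number(uh_number)
        self.exclude.add(uh_number)
        self.include.discard(uh_number)

    def listserv_subscribers(self, directory):
        """Publication destination: addresses of the effective members."""
        return sorted(directory[n] for n in self.members() if n in directory)


def hilo_discussion_list():
    """The slides' example: basis = UH Hilo faculty, include a few RCUH
    employees, exclude those who asked to be left out."""
    g = Grouping("uhh-faculty-discuss", owners=["90000001"], opt_out_allowed=True)
    g.sync_basis(["10000001", "10000002", "10000003"])
    g.owner_include("90000001", "20000001")   # RCUH employee joins
    g.opt_out("10000002")                     # one faculty member leaves
    # A later refresh from UHIMS must not resurrect the opted-out member.
    g.sync_basis(["10000001", "10000002", "10000003"])
    return g


if __name__ == "__main__":
    g = hilo_discussion_list()
    print(sorted(g.members()))
    print(g.listserv_subscribers(DIRECTORY))
```

The refresh at the end of hilo_discussion_list is the case worth checking in any real implementation: the basis is rebuilt from the system of record, and the Exclude set is what keeps an opt-out from silently reverting.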

UHIMS Ecosystem Solutions, Authorization Solutions
• UHIMS Events:
  – UH Person Identity Messages published to the UH Message Broker.
  – A convenient way to receive identity, affiliation, and contact information.
  – Use for automatically updating on-board application authorization information.

UHIMS Ecosystem Solutions, Decoupling Solutions
• UH Message Broker:
  – Uses RabbitMQ, an open-source project
  – Simple to set up
  – Scalable
    • Behind India’s 1.2B-person biometric database.
  – Separates message producers from message consumers
  – Messages are stored in Exchanges

UHIMS Ecosystem Solutions, Decoupling Solutions
• UH Message Broker implementations:
  – Banner producer: student enrollment and degree objective information.
  – HCC AD consumer: UHIMS Events
  – KFS consumer: UHIMS Events
  – MyGrant consumer: UHIMS Events
  – MyUH consumer: UHIMS Events
  – SECE producer: SECE events
  – UHIMS consumer: Banner & SECE events
  – UHIMS producer: UHIMS Events
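An added example (not UH Message Broker code) serving the "decouple by design" slide, the UHIMS Events slide and the two broker slides above. It is an in-memory model of a RabbitMQ-style topic exchange, so it runs offline: routing keys are dot-separated words, `*` matches exactly one word and `#` matches zero or more, and bindings decide which consumer queue gets a copy of each message. A producer (UHIMS) publishes person events without knowing who consumes them, and two consuming apps keep their local authorization tables in step. Routing keys, queue names and the event payloads are constructed; a real deployment would use a RabbitMQ client with the same routing keys.

```python
from collections import defaultdict, deque


def topic_matches(pattern, routing_key):
    """RabbitMQ topic-exchange matching: '*' = one word, '#' = zero or more."""
    pw, kw = pattern.split("."), routing_key.split(".")

    def rec(i, j):
        if i == len(pw):
            return j == len(kw)
        if pw[i] == "#":
            return any(rec(i + 1, k) for k in range(j, len(kw) + 1))
        if j == len(kw):
            return False
        if pw[i] in ("*", kw[j]):
            return rec(i + 1, j + 1)
        return False

    return rec(0, 0)


class TopicExchange:
    """Producers publish to the exchange; bindings route copies to queues.
    Producers never name consumers, so consumers can be added or removed
    without touching the producer (the decoupling the slides describe)."""

    def __init__(self):
        self.bindings = []               # (pattern, queue_name)
        self.queues = defaultdict(deque)  # queue_name -> pending messages

    def bind(self, queue_name, pattern):
        self.bindings.append((pattern, queue_name))

    def publish(self, routing_key, message):
        delivered = 0
        for pattern, queue_name in self.bindings:
            if topic_matches(pattern, routing_key):
                self.queues[queue_name].append((routing_key, message))
                delivered += 1
        return delivered


class AuthzConsumer:
    """A consuming app (KFS, MyGrant, ...) that keeps a local authorization
    table current from UHIMS person events."""

    def __init__(self, exchange, queue_name, pattern):
        self.exchange, self.queue_name = exchange, queue_name
        self.exchange.bind(queue_name, pattern)
        self.authz = {}   # uhUuid -> set of affiliations granted access

    def drain(self):
        """Process everything queued for this consumer; return the table."""
        q = self.exchange.queues[self.queue_name]
        while q:
            routing_key, msg = q.popleft()
            if routing_key.endswith(".affiliation.changed"):
                self.authz[msg["uhUuid"]] = set(msg["affiliations"])
            elif routing_key.endswith(".deleted"):
                self.authz.pop(msg["uhUuid"], None)   # deprovision
        return dict(self.authz)


def demo():
    """Constructed scenario: UHIMS producer, two consumers, three events."""
    ex = TopicExchange()
    kfs = AuthzConsumer(ex, "kfs", "uhims.person.#")
    mygrant = AuthzConsumer(ex, "mygrant", "uhims.person.affiliation.*")
    ex.publish("uhims.person.affiliation.changed",
               {"uhUuid": "u-0001", "affiliations": ["faculty", "employee"]})
    ex.publish("uhims.person.affiliation.changed",
               {"uhUuid": "u-0002", "affiliations": ["student"]})
    ex.publish("uhims.person.deleted", {"uhUuid": "u-0002"})
    return kfs.drain(), mygrant.drain()


if __name__ == "__main__":
    kfs_table, mygrant_table = demo()
    print("KFS:", kfs_table)
    print("MyGrant:", mygrant_table)
```

The two consumers end up with different tables on purpose: KFS binds broadly and sees the deletion, MyGrant binds only to affiliation changes and keeps a stale entry for the deleted person. A consumer that uses these events for authorization needs a binding wide enough to receive deprovisioning events, not just grants.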

Ecosystem Enhancements Under Way, 12-18 months
• Multifactor Authentication
  – Initially for faculty and staff (students later)
• UH Message Broker Infrastructure
  – Clustering for high availability
• CAS/Shib Infrastructure
  – Shib support for the CAS protocol
  – Clustering for high availability
• IAM Data Element Dictionary additions
  – uhScopedHomeOrg (primary campus, Banner/PS)
  – uhMemberOfGrouping (advanced AuthZ)
• UH Groupings UI improvements

UHIMS Dreams & Blue Sky Visions
• Multifactor Authentication
  – To protect all of our servers, inside and outside the data center.
  – As a requirement for all of our Admin apps.
  – As an opt-in service for the entire UH community.

UHIMS Dreams & Blue Sky Visions
• UH Groupings used ubiquitously
  – Comprehensive use of custom and automatic groups
  – Comprehensive enterprise-wide audit reports revealing who has access to what.
  – Automated enterprise provisioning/deprovisioning across all (applicable) apps.
  – Very easy to use for IT staff and users.

UHIMS Dreams & Blue Sky Visions
• UH Groupings, more publication destinations:
  – LDAP groups
  – Laulima groups
  – Google groups
• The exclusive LISTSERV list management mechanism (as a capability).

UHIMS Dreams & Blue Sky Visions
• Hands-on App Developer Workshops
  – CAS Authentication, externalized AuthN
  – UH Groupings, externalized AuthZ
  – UH Message Broker, messaging/decoupling
  – UHIMS Events

UHIMS Dreams & Blue Sky Visions
• ACER Integration
  – A full-function Acknowledgements and Certifications management solution.
  – System-wide online General Confidentiality Notice acceptance assertions.
  – System-wide online criminal background check assertions.
  – ACER enforcement for app access authorizations.

UHIMS Dreams & Blue Sky Visions
• Personal Profile Management
  – View access to directory information.
  – Ability to change select directory information as needed.
  – Access to Group memberships.
  – Ability to opt in/out of Groups as permitted.
  – Access to attribute release policies.
  – Ability to opt in/out of attribute release policies as permitted.

For the Pragmatic, the UHIMS Ecosystem
Michael Hodges, ITS, Identity and Access Management
University of Hawaii © 2015