Understanding Single Sign-on

Presentation Transcript


    1. Understanding Single Sign-on Part 3 - “Halfway There” SSO

    Welcome. I am Andrew Bauserman. I have with me Scott Hayes. We work for IT at the College of William and Mary. In the way of background: Scott and I at William and Mary are coming from a Luminis campus portal. The campus has been building single sign-on using Luminis and CPIP for several years. We also have Windows Active Directory and Unix LDAP servers for authentication via Windows login, LDAP, and Kerberos protocols. Our Web Single Sign-on discussions began in Spring 2002 with our Portal roll-out, initially including SSO to Blackboard and Webmail. I’ve been using the CPIP SSO interface since Jan 2004, and several other forms of SSO since then. Scott has been our Luminis Engineer for the last several years.

    2. “Halfway There” SSO

    If it were done when 'tis done, then 'twere well it were done quickly. (William Shakespeare, “Macbeth”)

    Last year’s presentation was called “Putting all the eggs in one basket”. It turns out that the title was more than just clever – it was somewhat prescient. Single sign-on has a great deal to do with this notion of putting everything in one place – and all of the convenience and inconvenience associated with having everything in one place. The notes for that presentation are still available for those who are interested... At last year’s Portal 2006 conference I attempted to explain the Luminis CPIP solution, a generic connector built off of that solution, and several “hacks” we had developed to provide various forms of SSO into closed/proprietary systems – all in ONE 90-minute session! Having reflected on SSO for another year, I decided upon a different approach. This year, I have expanded upon several of the types of SSO solutions we have used at W&M, devoting a session to each.

    3. Understanding Single Sign-on Part 3 - “Halfway There” SSO

    Welcome. I hope you are finding the conference beneficial. I am Andrew Bauserman. I have with me Scott Hayes. We work for IT at the College of William and Mary. Scott and I at William and Mary are coming from a Luminis campus portal. The campus has been building single sign-on using CPIP for several years. Our Single Sign-on discussions began in Spring 2002 with our Portal roll-out (Blackboard, Webmail). I’ve personally been involved in the CPIP SSO code since Jan 2004. In this session we’ll be covering how the Luminis/Campus Pipeline Integration Protocol (CPIP) can provide a single sign-on solution. The concepts will work with other Single Sign-on systems as well. But the Luminis/CPIP connection forms the basis for the solutions we’ve developed at William and Mary. Before we begin, I’d like to get an idea of who is here, and possibly gear my remarks accordingly. In particular, I’m interested in knowing (show of hands):
    1) Are you using Luminis?
    2) Are you evaluating Luminis?
    3) Are you using another portal? (Which?)
    4) Are you using another Single Sign-on mechanism (such as Shibboleth or the Liberty Alliance framework)?
    5) Do you have any Single Sign-on Applications at this time? (What?)

    4. “Halfway There” SSO

    I love deadlines. I especially like the whooshing sound they make as they go flying by. (Douglas Adams)

    So what’s our agenda today? I’ve made a bit of an outline of the things we’ll be talking about today, in case you’re one of those folks who follows along better if you know where we’re planning to end up...

    5. “Halfway There” SSO Overview

    * Methods of Handoff
    * Portal as Gateway to Everything
    * Careful What You Wish
    * Outages, portal infrastructure, and mitigating risk
    * Review “Two-step” SSO solutions
    * Network Infrastructure
    * Types of Systems
    * Implementation
    * The Easy Part, the Hard Part, and the Even Harder Part
    * “Halfway There” SSO Security Concerns

    Summary of Topics… Let’s dive in...

    6. “Halfway There” SSO

    Prediction is especially difficult. Especially about the future. (Niels Bohr)

    We’re looking at making a framework for connecting to things you don’t have yet, and therefore cannot know how to connect to them...

    7. “Two-Step” SSO Methods for Handoffs

    Several ways of getting external services to the user:
    * Basic Links (no authentication)
    * Links with simple identifiers (“bucket” sorting – parents vs. students, etc.)
    * (Secure) Single Sign-on (SSO): “Single Redirect” SSO, “Two-step” SSO
    * Other “Hacks”: “Halfway There”, “Closed Systems”

    Who are you? Does it matter? There are several types of content we might want to supply... Some of them depend upon who you are — others not so much. (Basic Links) Some might present things based on role if it is known, but aren’t secure info — so if you pretend to be something else, you just see a different set of public info... (simple identifiers) And then there are services where you really need to know that the person viewing and manipulating your data is *exactly* who he or she claims to be!
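As an added illustration of the distinction this slide draws (example code, not from the original presentation and not the CPIP protocol), the following Python contrasts a “simple identifier” link, whose role parameter anyone can edit and which is therefore only fit for choosing public content, with a signed, time-limited, single-use handoff token of the kind a secure SSO needs before it trusts who the user is. The shared secret, service URL and user names are constructed for the example.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed for this example: a secret shared between the portal and one external service.
SHARED_SECRET = b"portal-to-service-shared-secret-EXAMPLE"
TOKEN_LIFETIME = 60  # seconds a handoff token stays valid

def simple_identifier_link(base_url, role):
    """'Link with simple identifier': the role travels in the clear and cannot be verified.
    Good enough to pick which public page to show, never for anything private."""
    return f"{base_url}?{urlencode({'role': role})}"

def role_from_simple_link(url):
    # The service must treat this as a hint only: anyone can edit the parameter.
    return parse_qs(urlparse(url).query).get("role", ["guest"])[0]

def secure_handoff_link(base_url, user, now=None):
    """'Secure SSO' handoff: user, timestamp and nonce bound together by an HMAC
    that only a holder of the shared secret could have produced."""
    ts = int(now if now is not None else time.time())
    nonce = secrets.token_hex(8)
    msg = f"{user}|{ts}|{nonce}".encode()
    sig = hmac.new(SHARED_SECRET, msg, hashlib.sha256).hexdigest()
    return f"{base_url}?{urlencode({'user': user, 'ts': ts, 'nonce': nonce, 'sig': sig})}"

def verify_handoff(url, now=None, seen_nonces=None):
    """Service side: recompute the HMAC and reject tampered, stale or replayed tokens.
    Returns the asserted user on success, None otherwise."""
    q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    try:
        user, ts, nonce, sig = q["user"], int(q["ts"]), q["nonce"], q["sig"]
    except (KeyError, ValueError):
        return None
    msg = f"{user}|{ts}|{nonce}".encode()
    expected = hmac.new(SHARED_SECRET, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None  # tampered user, timestamp or nonce
    current = int(now if now is not None else time.time())
    if abs(current - ts) > TOKEN_LIFETIME:
        return None  # stale link, e.g. an old bookmark
    if seen_nonces is not None:
        if nonce in seen_nonces:
            return None  # replayed link
        seen_nonces.add(nonce)
    return user
```

The `seen_nonces` set stands in for whatever replay store the receiving service keeps; without it a captured handoff URL stays usable for the whole token lifetime.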

    8. “Halfway There” SSO

    One Ring to Rule them all... (Tolkien)

    You probably recognize this quote from The Lord of the Rings. I might be mixing metaphors a bit, but I thought it appropriate. We’ve created this portal that is now the authoritative source for information and services. We now have all the convenience *and* inconvenience associated with a single point of entry...

    9. “Halfway There” SSO Portal as Gateway to Everything

    The authoritative source for information and services:
    * Course Registration, Course Evals, Grades
    * Admission, Financial Aid, HR, Payroll
    * Facilities Management, Other Admin Apps
    * Course Management System (Blackboard)
    * Announcements and News (RSS)
    * Webmail
    * Calendars
    * Discussion Boards
    * Auxiliaries (Bookstore, Express Card, Copy Co)
    * Blogs, Wikis, and other Cool Things

    Before we get too deep into specific examples, let’s talk about all of these “eggs” we’re putting into our proverbial “basket”... The portal is our “basket”, which we want to be the primary gateway through which the campus community will access all manner of Web-based campus systems and services. We want this portal to be the authoritative source for information and services to the campus. It’s the “one stop shop” where members of the campus community can find all of the Web Services your campus provides. **Single Sign-on** is the mechanism by which the portal can “consume” or link to resources external to the portal itself. So, here’s a sample list of systems and services you might be running on your campus. It’s not meant to be exhaustive. But it’s a fair representation of what we’ve done or plan to do at William and Mary. As I’ve indicated, we use Banner as our main Enterprise Information System and Luminis as our Portal. SunGard owns both Luminis and Banner — so they supply the connector between these applications and the portal. Blackboard is also a bit special in that (for an exorbitant fee) they can build the CPIP SSO connector for you. The rest of these systems pretty much require a bit more work on our part to build the connector... So we can summarize the types of connectors as:
    * Provided Connectors (Banner/Course Registration)
    * Purchased Connectors (Blackboard)
    * Developed CPIP Connectors (Webmail, CourseEvals)
    * Other Connectors (for “difficult” systems)

    10. “Halfway There” SSO

    ...and in the darkness bind them. (Tolkien)

    So here’s the other half of that Lord of the Rings quote. Again, appropriate to our conversation of the portal being the authoritative source for information and services. In this case, darkness indicates...

    11. “Halfway There” SSO Careful What You Wish...

    The authoritative source for information and services. The Portal is Down:
    * Scheduled Maintenance: upgrades and patches
    * “Unscheduled” Maintenance: server goes down, portal goes down, CPIP cannot connect
    Now what?

    The portal is down. The portal is the authoritative source for information and services. And it is DOWN ?!?! What external services are available (and how people get directed to them) is directly related to how you implement single sign-on within your portal. Let’s go back over our list of systems:
    * Services provided by the portal itself will be unavailable. At William and Mary, this includes the student personal and group calendars and discussion areas, campus-wide and targeted announcements, and the convenience of subscribed headlines within the portal.
    * Other services which were built with tight integration into the portal may also be difficult to access. At William and Mary this includes the Course Evaluations system.
    * Some systems that have more complex integrations (we’ll talk about these a bit later). An example of this at William and Mary is the Copy Center system.

    12. “Halfway There” SSO

    In theory there is no difference between theory and practice. In practice there is. (Yogi Berra)

    Yogi Berra is a pretty insightful guy. In theory, we want to make our portal the authoritative source for information and services for the campus. In practice, we need to mitigate the risk of “putting all the eggs in one basket.” Things happen. The system will eventually be down. What is the emergency plan?

    13. Mitigating Risk
