1 / 16

Using Grouper and Signet for Access Management

Learn about Grouper for creating and managing groups efficiently, and Signet for complex permission management across the enterprise. Discover installation tips, configuration guides, and insights into user experiences.

jseverson
Download Presentation

Using Grouper and Signet for Access Management

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Using Grouper and Signet for Access Management Kathryn Huxtable GPN Annual Meeting 30 May 2008 kathryn@kathrynhuxtable.org

  2. Grouper for Groups Management • Create and manage groups of other groups and entities from your identity management systems. • Allow “group math”, that is, union, intersection, and relative complement to produce new groups. • Provide access to groups information via an API and via web services. • Provision Groups data to LDAP directory.

  3. What’s New in Grouper 1.3.0? • Web services access to Grouper API. • New API calls to improve usability. • Improved web user interface. • Better performance with large groups. • Better performance with large numbers of groups.

  4. What’s Still Missing? • Group loading from identity management criteria. • Instantaneous updates of LDAP when group membership changes. • Simpler user interface for basic users, e.g. administrative assistants.

  5. Quick installation • Have a working tomcat installation. • Get the “quick start” from the wiki and unpack into a directory. • Follow the installation instructions in README.html to build grouper and configure tomcat, and install grouper into tomcat. • Start the built-in database and tomcat • Open a browser and go to your local grouper.

  6. Installation for Actual Use • Download the API and the UI. Unpack to the same root directory. • Configure the files in the API’s conf directory. • Build the API. • Build the UI. • Configure a working tomcat for grouper login (CAS, Shibboleth, Tomcat login, etc.). • Install the UI to a working tomcat.

  7. Configuring the API • Files are in conf directory. • Edit grouper.hibernate.properties to include type and location of database and authentication information. • Edit grouper.properties to specify default group permissions and to specify the “wheel” group. • Edit log4j.properties to specify log level and location. • Edit sources.xml to specify external entity lookup. • Edit ehcache.xml and grouper.ehcache.xml for database cache tuning. (I’ve never done this.)

  8. Who is Using Grouper? • Duke. • KU, but it’s converting to Sun Identity Manager. • Cornell is close to rollout. • Brown is ready to convert from their homegrown grouper. • About a dozen other universities have pilot programs.

  9. Signet for Permissions Management • Manage complex permissions structure, including delegation, expiration, scope, and limits. • Reimplementation of Stanford Access Manager for general use. • Structured web interface for management. • Provide access to permissions via API and via LDAP directory.

  10. What is not in version 1.2.2? • Prerequisites, e.g. having taken a web examination or attended training. • Conditions, e.g. being an employee in a particular department, or having a particular position number.

  11. Quick Installation • Get the “quick start” from the wiki and unpack into a directory. • Go to the “demo” directory and run “start_demo.sh” or “start_demo.bat”. • Browse to http://localhost:8080/signet • Log in as user “kmart” with password “signet”.

  12. Signet’s Promise • Scaleable privilege management. • Integrated with identity management system. • Unify privilege management across the enterprise.

  13. Signet’s Current State • Without prerequisites it lacks some functionality, but it could be hacked into the LDAP directory. • Without conditions other than dates, it lacks the links with enterprise information systems that would really make it useful. • Design of the privileges is clunky and I haven’t seen any sign that it will be improved.

  14. Who is Using Signet? • No one. • Stanford wants more features before they replace Stanford Access Manager with Signet. • People express interest, but there seems to be a barrier of understanding, exacerbated by the lack of features.

  15. Essential Links • Grouper main pagehttp://grouper.internet2.edu • Grouper wikihttps://wiki.internet2.edu/confluence/display/GrouperWG/Home • Grouper users mailing listgrouper-users@internet2.edu

  16. Essential Links (cont.) • Signet main pagehttp://signet.internet2.edu • Signet wikihttps://wiki.internet2.edu/confluence/display/SignetWG/Home • Signet users mailing listsignet-users@internet2.edu

More Related