Tuesday, January 26, 2010

Jasig 2010 Identity Management Track

I was looking over the Jasig 2010 conference schedule and was struck by how much applies to identity management.

A proposed conference itinerary


Here's just one idea of a schedule of presentations to consume at the Jasig conference focusing on identity management topics:

Sunday March 07 2010


Pre-Conference Seminar on Identity Management Re-Architecture


Start the conference out right with an intensive pre-conference seminar from 1pm to 4:30pm on Laying the Foundation for your IdM re-Architecture! as presented by lead CAS developer Scott Battaglia, Strategy Director and past Information Security Officer Jens Haeusser, Senior Technical Specialist Paul Zablosky, and Senior Director for Integration Tom Barton.


This seminar walks you through the basics of the process of moving from an ad-hoc structure to a more planned architecture using various Jasig institutions as case studies. Along the way, we'll look at solutions in the open source area that are starting to address the needs of the higher education community as they move to a more mature architecture.

Topics to be covered include:


  • Internet2's middleware model

  • Mapping of leading open source & commercial products to the Internet2 model

  • Terminology that works in technical & management paradigms

  • Governance

  • InCommon Silver assessment framework and Levels of Assurance

  • Creating an Identity Management roadmap for your institution




Monday March 08 2010



Breakfast


Meals, and the company in which to enjoy meals, have been traditionally excellent at Jasig conferences, and I expect Jasig 2010 will be no different.

Keynote


Start the main portion of the conference with Gregory Jackson's keynote, "We Have Open Source. Now what?" Jackson is EDUCAUSE Vice President for Policy and Analysis.

CAS in Context


Kim Cary, Chief Information Security Officer of Pepperdine University, will be presenting this session on CAS in Context: Explained, Deployed, Extended. The context here is a case study of Pepperdine's actual implementation of CAS.


This talk is aimed at persons who are familiar with some of the technology and concepts involved in implementing and operating a CAS system, but who may lack the overview to make sense of the wealth of information available for the CAS project. The goal is to illustrate the most common deployment issues by way of a case study.

The presenter will explain deployment, maintenance and extension of a typical Central Authentication Service system in context of Pepperdine University’s experience with the CAS 3.3 server software. A CD with reference materials will be provided to all participants, in addition to a presentation outline keyed to those materials.

Protocol. We will first cover a basic overview of how CAS servers and their web application clients work using diagrams and audience participation. Reference: Jasig community CAS diagrams (in-progress from various deployer materials).

Server. We will then cover a visual overview of Pepperdine’s CAS server implementation as development, test and production tiers. Part of the implementation overview will cover tips and best practices for CAS and Tomcat maintenance across software and configuration changes. The server implementation section will conclude with a demonstration of a simple change as an example of server change control and change deployment using the Maven overlay method (easy once you see it). Reference: Pepperdine’s system description & procedures documentation.

Client. We will demonstrate how a simple dynamic web page can become a CAS application, with the addition of half-dozen lines to the page and copying a few files onto the server. Reference: Before/after web page code and CAS client library installation procedure.

Extension. We will conclude with an explanation of why Pepperdine University developed a service check extension for the CAS service and how it was architected and deployed. Reference: Source code, plus installation and testing procedures.

By keeping pace and leaving detail in the reference materials for each section, we will target 15 minutes for questions at the conclusion of the talk.


Extending CAS Using Spring Web Flow


Unicon's Adam Rybicki will present on Extending CAS Using Spring Web Flow. The CAS login flow is a great place to extend CAS to handle additional institution-local use cases such as password and profile update requirements.


CAS uses Spring Web Flow to do "script" processing of login and ticket validation protocol. This presentation will discuss how to extend CAS by injecting business logic into CAS Web Flow. This allows extending CAS without having to modify any CAS code.

The presentation will illustrate how to add a new Web Flow state. This state checks for the user having accepted the university's "Accepted Use Policy." This is a policy that every user has to accept once a year. The date of the last policy acceptance is stored in LDAP.

Another example of extending CAS this way is to check for password change. Many universities have a policy to require periodic password changes. This enhancement checks the last password change date, and if it has been too long since the last password change, the user is forced to change the password. Both examples prevent the users from authenticating to services until they are satisfied. Both the password change and policy acceptance application are themselves CAS-enabled.

This presentation details how normal CAS flow is changed to force the users to perform these steps before they are allowed to log in. Upon satisfying both applications, normal CAS behavior is restored.


Lunch


Meals at Jasig conferences are traditionally excellent, and besides this is a chance to lunch with others interested in identity management in higher education at this conference.

OpenRegistry


After lunch, Scott Battaglia will present on What's new with OpenRegistry.


Historically, core identity management systems within higher education have either been a homegrown implementation requiring constant care and feeding, understood by only a handful of people, or a cobbled-together commercial implementation with lots of glue code written by temporary consultants or with significant amounts of staff time. Both of these approaches are problematic. The OpenRegistry initiative is an alternative, open source, community-based approach. OpenRegistry will be an open source identity management platform, managing data provided by systems of records and other sources through business-rule-driven processes such as reconciliation, identifier assignment, attribute and privilege assignment, provisioning and deprovisioning, and reporting and audit. This presentation will review the history of the initiative, including its objectives, and provide an overview of the design, architecture, and current status of work.


Refreshment Break


Personally, I'm hoping for large hot pretzels. Regardless of pretzel availability, refreshment breaks are some of my favorite parts of the Jasig conference since they're a chance to discuss the sessions and discover colleagues and their solutions.

Spring Security 3


Scott Battaglia will be presenting on Spring Security 3.


Spring Security is a popular, open-source Java security framework offered by SpringSource. It's been downloaded hundreds of thousands of times and is a popular choice in many banking, government, education, and military installations. This session presents practical solutions for addressing today's complex enterprise application security requirements using Spring Security. It takes attendees step-by-step through securing their application, and highlights the new features available in Spring Security 3.


Identity, Credentials, and Access Management



Ted Bross of Princeton University will be giving this session.


Managing digital identities, credentials, and access to services requires a comprehensive middleware solution with support of administrative, academic, and information technology. The EDUCAUSE identity management list serves as a great venue for questions, discussions, and solutions from colleagues from peer educational institutions. This panel session will focus on some of the more challenging and controversial topics raised on this list over the last year such as implementing levels of assurance, password expiration, and assignment of NetIDs.


Reception and Poster Sessions


Sounds like a good time to me.

Tuesday March 09 2010



Breakfast


It's the most important meal of the day, I'm told.

General Session


Justin Erenkrantz of Apache Software Foundation will be giving a general session talk, "The Apache Software Foundation: No Jerks Allowed".

Refreshment break


Personally, I feel it's never too early to enjoy a hot baked pretzel, but I suspect this refreshment break won't be pretzels. I still suspect it will be good.

ClearPass


I'll be giving a presentation on ClearPass - A CAS Extension Allowing Credential Replay.


ClearPass is a free and open source CAS extension allowing the secure release of cached end user credentials (passwords) to selected applications while still supporting enterprise SSO. This session will review ClearPass and the example of using ClearPass with uPortal to accomplish simultaneous CAS-based enterprise single sign on and point-to-point credential replay solutions.


Managing Infrastructure Complexity with 'IT Ecosystem'


Tom Barton of the University of Chicago will be giving this talk.


There are a great number of dependencies in IT systems these days. The technology stack on which applications run has gotten pretty deep, and it’s common for hosting, storage, database, middleware, and other types of services, operated by different IT departments, to be integrated with applications. What’s impacted if a given element in this ecosystem goes down? What all does a given application depend on? For several years the University of Chicago has been developing a tool to help us report on and visualize all of the IT infrastructure we operate and the dependencies among them. This tool, the IT Ecosystem, has reached sufficient maturity to promise real help in managing our complex IT environment. At this session we’ll show the IT Ecosystem and discuss how it’s being used at U Chicago.


Lunch


This is a good opportunity to find some people to talk some more identity management.

CAS Clustering for High Availability


Eric Pierce of the University of South Florida and fellow member of the CAS Steering Committee will be giving this talk.


The CAS server is the central hub for all of your enterprise web-applications. A single point for authentication for all of your apps has many advantages in terms of security and user experience, but it has the potential of being a single point of failure. To address this issue, clustering technologies can be used to build a Highly Available CAS system.

This presentation will provide:

  • The differences between High Availability and High Performance clusters

  • An overview of the cluster architectures supported by CAS

  • Comparisons of the MemCache and Database TicketRegistries

  • Building CAS clusters with more than 2 nodes

  • Details on a real-world 4-node CAS cluster at USF and lessons I've learned from building it.




Refreshment break


Hope springs eternal for hot fresh-baked pretzels.

Multi-factor Authentication with CAS



I'll be giving a presentation on multi-factor authentication with CAS.


Jasig CAS is a free and open source platform for extensible Web single sign on. Extending CAS to implement multi-factor authentication enables CASified applications to benefit from stronger end-user authentication and may enable an institution adopting CAS to achieve higher Level of Assurance in authenticating their users on the Web.

This session will briefly review the reasons for interest in multi-factor authentication and enumerate the benefits of supplementing static passwords with dynamic passwords such as those generated by physical tokens. We will then outline implementing multi-factor authentication in CAS, highlighting the extensible CAS login web flow and CAS authentication API as starting points for doing this.

As a case study of accomplishing multi-factor authentication in CAS, integration with VASCO one-time-password generating physical tokens will be demonstrated, highlighting the extension points in CAS APIs that make this integration possible.


Integrating CAS and Grouper with the new Windows Identity Foundation


Jean Marie THIA of Université Pierre et Marie CURIE (UPMC) will be giving this talk.


CASifying IIS7 or a .NET application like SharePoint is an easy job with CAS4Net, for example. But authentication is not enough, as this part only lets you know the user's identity. Authorization is the next bridge to cross, to know what the user has access to.

Grouper is a very good candidate as the core repository of a role based access control (RBAC) system. Identity and Access management systems are evolving, new standards arise. The new Windows Identity Foundation (WIF) is also embracing SAML. This talk is about our work in integrating CAS and Grouper with WIF.


Wednesday March 10 2010



Breakfast


Last chance to load up on included-in-conference-fee food.

Kuali Identity Management: Introduction and Implementation Options


Eric Westfall of Indiana University will be giving this talk.


The Kuali Identity Management (KIM) module of Kuali Rice provides identity and authorization services. This session will take a look at KIM design, terminology, and services from an architectural perspective. We will also explore the different options and strategies for implementing KIM at your institution, including integration with other solutions such as CAS, Shibboleth, Grouper, LDAP and more.


Identity Services for Open Source Software


Tom Barton will be giving this talk.


In June 2009, Jasig, EDUCAUSE, Internet2, the Internet Society, the Kantara Initiative, and Unicon sponsored an energetic and successful “Identity Services Summit” that gathered representatives from several of the leading open source software (OSS) projects in higher ed together with campus and community IT and middleware architects to attack the problem of integrating OSS software with enterprise access management systems. We'll report on some of the themes and follow-up activities emerging from that summit, and look ahead to possible next steps. Attendees will gain insight into this challenging and strategically important integration area and learn how to participate in or stay abreast of follow-up activities.


Closing general session



Rod Johnson of SpringSource on Open Source, Cloud Computing and the Future of Innovation.

Jasig BarCamp


This is the un-conference portion of the formal Jasig conference where participants self-organize just-in-time into discussion and collaboration groups based on what they've learned about and interests they've exercised during the formal conference. Stick around to have that extra conversation with a person of particular interest or to advance a local identity management issue for discussion.



(This post originally appeared elsewhere and is syndicated here under CC-BY-NC.)

4 comments:

  1. Andrew, you'll be glad to know that fresh-baked pretzels have made their way onto the 2010 Jasig Conference break menu! After reading this post, I couldn't resist making sure they make an appearance. :o) See you soon! -jenn

  2. This is such great news, it really helps. Your blog is nice and informative. Thanks for the article.

    College Research Papers

  3. Always so interesting to visit your site. What great info, thank you for sharing. This will help me so much in my learning.

    Advantage Term Papers – We do it your way

  4. This is a great article about management and identity, it will be helpful for visitors.
    software application maintenance
