High level overview slides - Edugate

gabonesedestruction (Software and s/w Development)

Feb 17, 2014


Edugate Workshop
(Google Apps integration)

Workshop Structure

Second of a series of Workshops.
  Introduction (previous workshop)
  Advanced (pilot participants)
  Joining the Edugate Federation (all)

Workshop Content

Reminder of Federated Access
Introduction to Google Apps integration
Hands-on
  Connecting to Google Apps
  Enabling HA
  Edugate RR



Objectives

Provide you with enough knowledge to use your IdP to avail of SaaS.
Make your IdP part of your infrastructure.

Reminder
Why federate?

SSO
  Within the campus (with or without SAML)
  Beyond the campus (bilaterally outside the campus)
  Within a federation (with SAML)
  Beyond a federation (inter-federation with SAML)

Reminder
Why federate?

Collaboration
  VLE (LMS or eLearning)
  Wiki
  Portal
  GRID / HPC
  SaaS (Google Apps and others)
  Other...


Reminder
Why federate?

Who are your federation partners?
  Research Groups (cross institutional)
  Shared Resources (NDLR, IReL)
  Hospitals
  Government R&D (ESRI, EPA)
  Your campus libraries
  Providers of student services (Travel Cards etc.)


Reminder
How to federate?

Bilaterally
  Your IdP with Google’s SP

[Diagram: My institution, Google, Other (IdP & SP)]

Reminder

[Diagram: Me (IdP), You (SP)]

How to federate?

Multilaterally
  Google
  SalesForce CRM
  Live@Edu

Reminder
How to federate?

As a member of a federation
  This is Edugate



Reminder
What tools to federate?

OpenSource
  Shibboleth 1.3 and 2.0+
  SimpleSAMLphp
Commercial
  Ping ID
  Sun Access Manager
  Novell iChain
  ADFS
  Oracle Identity Manager / Oracle Identity Federation



Reminder
How to integrate?

Loose integration
  Replace existing authentication (AuthN) with Shibboleth AuthN.
  Application adds group and role to the Shibboleth ‘user’ later, and handles AuthZ.

Reminder
Authentication (AuthN)

Shibboleth Authentication
  Web server or application
  Campus SSO

Reminder
Attribute handling

Attributes to release
Signed or encrypted attributes

Reminder
Session Start

From portal
From target

Reminder
High availability

Apache Load-balancing
DNS
Hardware device

SaaS

How do you avail of SaaS without adding to your identity management costs?
  Synchronise accounts incl. passwords
  Synchronise accounts and use SSO
  Let users ‘register’ for accounts

Google Apps

How do you avail of SaaS without adding to your identity management costs?
  Synchronise accounts incl. passwords
  or
  Synchronise accounts and use SSO

Google Apps

Synchronise accounts incl. passwords
  1. User logs in to the web-based application using a username and password issued / set up by you.
  2. User changes the password and then confuses it with the institutional password.

Synchronise accounts and use SSO
  User logs in with the institutional account on your portal; there is only one password (well, almost!).

Google Apps

Caveats of the SSO option
  IMAP passwords
  Sync’ing passwords from AD (SSO problem?)
  Email for life
  IdP failure
  User familiarity
  Mapping AD accounts to Google Accounts
  No provisioning on-the-fly


Google Apps

Caveats of the SSO option

IMAP passwords
  When accessing Gmail from an IMAP client, you will need an IMAP password; this can be seeded by you, but the user can change it.
  IMAP users have two passwords.


Google Apps

Caveats of the SSO option

Sync’ing passwords from AD (SSO problem?)
  AD keeps passwords in binary form; the user can change his/her password by pressing CTRL+ALT+DEL.
  Changed passwords cannot be sent to Google Apps for IMAP users.
  This problem is not strictly an SSO problem.

Google Apps

Caveats of the SSO option

Email for life
  Google Account is accessed via SSO.
  Institution must maintain the user’s account somewhere (ideally not in the same location as staff/students).


Google Apps

Caveats of the SSO option

IdP failure
  IdP fails: access to Google Apps stops!
  Administrator disables SSO temporarily, but do users know their Google Apps password (seeded/changed)?
  IdP becomes a critical component: support?

Google Apps

Caveats of the SSO option

User familiarity
  User might find it unusual to be sent to the IdP to access ‘Gmail’.
  Is this phishing?
  What credential do I enter, my institution’s or my department’s?

Google Apps

Caveats of the SSO option

Mapping AD accounts to Google Accounts
  Particularly a problem for existing Google Accounts that do not follow the naming convention in the directory.
  Shibboleth: ScriptedAttributeResolver
  SimpleSAMLphp: attribute alter module
  Can the user authenticate with a different username to the username on the Google side?
  Can users reside in different directories?
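Mapping logic of the kind a ScriptedAttributeResolver or attribute alter module carries, as an added example in plain JavaScript that is not from these slides or from either project; the Google Apps domain, the googleLogin attribute, the override table and the sample directory entries are all constructed.

```javascript
// Added example, not from the slides: the mapping that a Shibboleth
// ScriptedAttributeDefinition or simpleSAMLphp authproc filter would
// implement when the directory username differs from the Google login.
// Domain, attribute names, override table and sample entries are constructed.
const GOOGLE_DOMAIN = "example.edu"; // hypothetical Google Apps domain
const OVERRIDES = { jsmith: "john.smith", u12345: "b.jones" }; // legacy accounts

// Derive the SAML NameID value for Google Apps from one directory entry.
// Returns null when no safe mapping exists, so the IdP releases nothing.
function googleLoginFor(entry, overrides = OVERRIDES, domain = GOOGLE_DOMAIN) {
  // Precedence: explicit per-user attribute (hypothetical "googleLogin"),
  // then the exception table, then the convention (directory username).
  let local = entry.googleLogin || overrides[entry.uid] || entry.uid;
  if (typeof local !== "string") return null;
  local = local.trim().toLowerCase();
  // A full address is accepted only inside our Google Apps domain; anything
  // else would assert an identity in an account the institution does not own.
  const at = local.indexOf("@");
  if (at !== -1) {
    if (local.slice(at + 1) !== domain) return null;
    local = local.slice(0, at);
  }
  // Restrict the local part to characters Google accepts in usernames.
  if (!/^[a-z0-9._'-]+$/.test(local)) return null;
  return `${local}@${domain}`;
}

// Before switching SSO on, especially with users from more than one directory,
// check that no two directory accounts resolve to the same Google account:
// a collision lets one user open another user's mailbox.
function findCollisions(entries) {
  const seen = new Map();
  const collisions = [];
  for (const e of entries) {
    const login = googleLoginFor(e);
    if (login === null) continue;
    if (seen.has(login)) collisions.push([seen.get(login), e.uid, login]);
    else seen.set(login, e.uid);
  }
  return collisions;
}
// Constructed sample: two directories with different case conventions.
const SAMPLE_ENTRIES = [
  { uid: "jsmith" },                                 // override table
  { uid: "mbrown" },                                 // convention
  { uid: "MBrown" },                                 // second directory: collides
  { uid: "x9", googleLogin: "Alice.Q@Example.EDU" }, // explicit attribute
  { uid: "c1", googleLogin: "alice@other.org" },     // foreign domain: rejected
];
```

Running findCollisions(SAMPLE_ENTRIES) reports the mbrown/MBrown pair, which is exactly the case to resolve before the first synchronisation run rather than after.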

Google Apps

Caveats of the SSO option

No provisioning on-the-fly
  Accounts still have to be provisioned at Google.
  Wasted effort for unused accounts.
  Regular synchronisation needed: how often?

Google Apps

Benefits of the SSO option
  User places more value in the credential
  Reduced password resets
  Strong password policy becomes realistic
  Edugate services
  Library will stop issuing their own credentials: a win-win
  Data accuracy and protection


Google Apps

Setting up SSO in Google Apps
  1. Provision (and deprovision) accounts
     Google Apps Directory Sync
  2. Enable SSO
     Shibboleth, simpleSAMLphp or other.


Google Apps

1. Provision (and deprovision) accounts
   Google Apps Directory Sync

Video: http://www.postini.com/webdocs/training/en/DirSync_GoogleApps/DirSync_GoogleApps.html

Google Apps

2. Enable SSO
   Shibboleth, simpleSAMLphp or other.

Shibboleth: https://shibboleth.usc.edu/docs/google-apps/
simpleSAMLphp: http://rnd.feide.no/content/simplesamlphp-idp-google-apps-education


High Availability



Janusz


