BCNet IDM Workshop – SFU LDAP, CAS, Shibboleth and OpenRegistry (Oh My!)

May 3, 2010

Jeremy Rosenberg, Robert Urquhart, Ray Davison

IDM @ SFU – Jeremy

  • Amaint Account Provisioning – built on WebObjects, fed by PeopleSoft Student and HR in a nightly batch
  • Amaint feeds the Mail Lists system which also acts as an access control system
  • Both Amaint and Mail Lists feed UDD to feed AD, WebCT, LDAP
  • LDAP feeds CAS (PeopleSoft authn to CAS)
  • CAS does web authn as well as Zimbra mail service

LDAP @ SFU (A revisionist history) – Rob

  • overview of LDAP and its use at SFU
  • decision point – do we use LDAP for Mac Lab authn? Security concerns about mixing academic and admin apps on one directory
  • growth from 1 LDAP to 4 LDAP instances
  • introduction of load balancing and segregation

Shibboleth – a roadmap – Rob

  • currently running shib 1.3 which is end of life in June
  • in process of upgrading to shib 2.1.5 on new architecture (RedHat)
  • Future – integration of Shibboleth and SecureSpan Gateway – by offloading authn to gateway, apps behind the gateway can be easily shibbolized

Customizing CAS – and caching for high availability – Ray

  • needed a way to standardize authn for web apps for the university
  • prior to CAS used an app written by Ray called CKID but it did not scale well

OpenRegistry – in house to open source – Jeremy

  • open source software application – developed by Rutgers University
  • now a Jasig incubation project
  • uses web, batch and REST interfaces
  • has a directory builder
  • handles provisioning and de-provisioning
  • tailored to meet the needs of higher education – handles the unique situation where students are also employees
  • interesting data flow: raw → standard → calculated

What is in it for us?

  • need to capture information about all University populations – need to allow more systems of record, each authoritative for its own information
  • real time data transfer readiness
  • role based access controls
  • modern user interface
  • definitive user directory – distributing the maintenance of phone numbers and office information helps with data quality
  • business rules based data transformation
  • user settable privacy settings – driven by US FERPA legislation
  • comprehensive audit trails
  • better user experience for everyone
  • future – move OpenRegistry to be the service that calculates IDs
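The notes above describe a registry data flow (raw → standard → calculated), per-attribute authoritative systems of record, business-rule-based role calculation for people who are both students and employees, user-settable privacy, and an audit trail of where each value came from. The following is an added illustration of that flow, written for these notes; it is not OpenRegistry code, and the feed layouts, the AUTHORITY precedence table, the role names, the identity-matching table and all sample records are constructed assumptions.

```python
"""Illustrative registry pipeline for the raw -> standard -> calculated flow in the notes.

Added example, not OpenRegistry code: the feed layouts, authority table, role
names and identity-matching table below are all assumptions constructed for this demo.
"""
import re

# Which system of record (SoR) wins for each attribute, highest precedence first.
# "self" is the person's own self-service edit (the distributed-maintenance bullet).
AUTHORITY = {
    "name":   ["hr", "student"],
    "email":  ["hr", "student"],
    "phone":  ["self", "hr", "student"],
    "office": ["self", "hr"],
}

# Constructed raw feeds. Alice appears in both feeds (a student who is also staff).
RAW_FEEDS = [
    {"sor": "student", "sor_id": "S100", "name": " alice  LIDDELL ", "status": "ENROLLED",
     "email": "Alice@Example.Edu", "phone": "604 555 0101"},
    {"sor": "student", "sor_id": "S200", "name": "bob hatter", "status": "WITHDRAWN",
     "email": "bob@example.edu", "phone": "6045550102"},
    {"sor": "hr", "sor_id": "E900", "name": "Alice Liddell", "status": "ACTIVE",
     "email": "alice.liddell@example.edu", "phone": "", "office": "TASC 9000"},
]
# Result of identity matching (assumed done upstream): (sor, sor_id) -> registry person id.
IDENTITY_MAP = {("student", "S100"): "p1", ("hr", "E900"): "p1", ("student", "S200"): "p2"}
SELF_SERVICE = {"p1": {"phone": "604-555-0199"}}   # values maintained by the user
PRIVACY = {"p2": {"phone"}}                        # attributes the user hides from the directory


def standardize(raw):
    """Raw -> standard: same fields, canonical formatting, empty values dropped."""
    std = {"sor": raw["sor"], "sor_id": raw["sor_id"], "status": raw["status"]}
    if raw.get("name", "").strip():
        std["name"] = " ".join(raw["name"].split()).title()
    if raw.get("email"):
        std["email"] = raw["email"].strip().lower()
    digits = re.sub(r"\D", "", raw.get("phone", ""))
    if len(digits) == 10:
        std["phone"] = f"{digits[:3]}-{digits[3:6]}-{digits[6:]}"
    if raw.get("office"):
        std["office"] = raw["office"].strip()
    return std


def merge(standard_records, identity_map, self_service):
    """Standard -> per-person attributes, picking the authoritative source per attribute.
    Returns {person_id: {"records": [...], "attrs": {attr: (value, source)}}}; keeping the
    source beside each value is the audit trail, and the records feed role calculation."""
    by_person = {}
    for rec in standard_records:
        pid = identity_map[(rec["sor"], rec["sor_id"])]
        by_person.setdefault(pid, {"records": [], "attrs": {}})["records"].append(rec)
    for pid, person in by_person.items():
        candidates = {"self": self_service.get(pid, {})}
        for rec in person["records"]:
            candidates[rec["sor"]] = rec
        for attr, precedence in AUTHORITY.items():
            for source in precedence:
                value = candidates.get(source, {}).get(attr)
                if value:
                    person["attrs"][attr] = (value, source)
                    break
    return by_person


def calculate_roles(records):
    """Business rule (assumed): roles derive from SoR status, and one person may hold several."""
    roles = set()
    for rec in records:
        if rec["sor"] == "student" and rec["status"] == "ENROLLED":
            roles.add("student")
        if rec["sor"] == "hr" and rec["status"] == "ACTIVE":
            roles.add("employee")
    if roles:
        roles.add("member")
    return roles


def build_directory(raw_feeds, identity_map=IDENTITY_MAP, self_service=SELF_SERVICE, privacy=PRIVACY):
    """Full pipeline: {person_id: directory entry}, with user-hidden attributes suppressed."""
    merged = merge([standardize(r) for r in raw_feeds], identity_map, self_service)
    directory = {}
    for pid, person in merged.items():
        entry = {"roles": sorted(calculate_roles(person["records"]))}
        hidden = privacy.get(pid, set())
        for attr, (value, source) in person["attrs"].items():
            if attr in hidden:
                continue
            entry[attr] = value
            entry[f"{attr}_source"] = source
        directory[pid] = entry
    return directory


if __name__ == "__main__":
    for pid, entry in build_directory(RAW_FEEDS).items():
        print(pid, entry)
```

Running it shows the student-and-employee case the notes call out: p1 ends up with both roles, her HR name and email win over the student feed, and her self-maintained phone number overrides both feeds while the entry still records which source supplied each value. p2 (withdrawn) calculates to no roles and has his phone suppressed by his privacy setting.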
