Learn how to securely integrate Luminis-SSO with external web services using CPIP to mitigate risks and enhance portal infrastructure. Discover best practices and methods for effective implementation.
Putting All the Eggs in One Basket
• Using CPIP for integration of Luminis SSO with external web services
Putting All the Eggs in One Basket
• Prediction is especially difficult. Especially about the future.
• Niels Bohr
Putting All the Eggs in One Basket
• My agenda was hidden well. Now I don't know where I left it.
• (Chagall Guevara, "Escher's World")
Putting All the Eggs in One Basket
Overview
• All the Eggs
• One Basket
• Mitigating Risk
• Portal Infrastructure
• Putting the Eggs in the Basket
  • Single Sign-on
  • CPIP Integration
  • Network Infrastructure
• Sorting the Eggs
  • Implementation
  • Difficult Web Services
  • Security Concerns
Putting All the Eggs in One Basket
• An ordinary genius is a fellow whom you and I would be just as good as, if we were only many times better. There is no mystery as to how his mind works. Once we understand what they've done, we feel certain that we, too, could have done it. It is different with the magicians. Even after we understand what they have done it is completely dark.
• (Mark Kac)
All the Eggs
Portal as Gateway to Everything
• The authoritative source for information and services
  • Course Registration, Course Evals, Grades (Banner)
  • Admission, Financial Aid, HR, Payroll (Banner)
  • Facilities Management, Other Admin Apps
  • Course Management System (Blackboard)
  • Announcements and News (RSS)
  • Webmail
  • Calendars
  • Discussion Boards
  • Auxiliaries (Bookstore, Express Card, Copy Center)
  • Blogs, Wikis, and other Cool Things
Putting All the Eggs in One Basket
• One Ring to Rule them all...
• (Tolkien)
One Basket
The Dangers of Success...
• Don't hatchet your counts before they chicken.
• Portal Timeout
  • How do external systems open? Within the Portal (frameset)? In another window?
  • The Portal times out while you're taking a Blackboard test
  • Keep-alive polling
• Portal Logout
  • Are other services open after the portal closes?
  • If the Webmail tab is open when I hit logout on the Portal...
• Public Access Terminals
  • Closing the browser session
Putting All the Eggs in One Basket
• ...and in the darkness bind them.
• (Tolkien)
One Basket
Careful What You Wish...
• The authoritative source for information and services
• The Portal is Down
  • Scheduled Maintenance: upgrades and patches
  • "Unscheduled" Maintenance: server goes down, Portal goes down, CPIP cannot connect
• Now what?
Putting All the Eggs in One Basket
• In theory there is no difference between theory and practice. In practice there is.
• (Yogi Berra)
Mitigating Risk
• Know When the System is Down
  • Monitor, Poll, Alert
• Present Users with Options
  • Outage Page
• Have some tricks
  • Alternate Login Mechanism
Putting All the Eggs in One Basket
• My own strategy is to find a car, or the nearest equivalent, which looks as if it knows where it is going and follow it. I rarely end up where I was intending to go, but often I end up somewhere that I needed to be.
• (Dirk Gently's Holistic Detective Agency)
Portal Infrastructure
Basics of our "Outages" System
• Cisco Content Services Switch (CSS)
  • SSL management
  • Port-level forwarding
  • Load balancing
  • Failover
  • Redirect on full failure
• Outages server
  • Just a plain LAMP (or Solaris-Apache) server
  • Create a page, directory, or vHost for each service
Putting All the Eggs in One Basket
• I love it when a plan comes together!
• (Hannibal, The A-Team)
Putting All the Eggs in One Basket
• Who did you say you were, little fellow? Mister, I am the Lorax. I speak for the trees.
• (Dr. Seuss)
• Who are you and how did you get in here? I'm a locksmith. And, I'm a locksmith.
• (Police Squad)
• Who are you? No one of consequence.
• (The Princess Bride)
Single Sign-on
Methods for Handoffs
• Several ways of getting external services to the user:
  • Basic Links
  • Links with simple identifiers
  • Secure Single Sign-on (SSSO) via CPIP
  • SSSO + Unique "Random" Handoff Identifier
  • SSSO + Post-Handoff Sign-on
Putting All the Eggs in One Basket
• Fact is there's nothin' out there you can't do. Yeah, even Santa Claus believes in you.
• (The Muppet Movie, "Can You Picture That?")
Putting All the Eggs in One Basket
• If we are wise, what is born of that pain matures into the promise of a better world, because we learn that we can no longer afford the mistakes of the past.
• (G'Kar in Babylon 5: "In the Beginning")
Network Infrastructure
Server-to-Server Communications
• Are communications really from the portal?
  • Restrict by IP Address
  • Communications limited to a Private Subnet
• Are handoff communications secure from interception?
  • Tunnel via SSL (FYI: GET and POST variables are encrypted via SSL)
  • Communicate over a Private Subnet, possibly without SSL? Analyze the Risks...
Putting All the Eggs in One Basket
• "The major difference between a thing that might go wrong and a thing that cannot possibly go wrong is that when a thing that cannot possibly go wrong goes wrong, it usually turns out to be impossible to get at or repair."
• Douglas Adams
Putting All the Eggs in One Basket
• The first 90% of the code accounts for the first 90% of the development time.
• The remaining 10% of the code accounts for the other 90% of the development time.
• (Tom Cargill)
Implementation
The Easy Part: The Campus Pipeline Integration Protocol
• Coding the CPIP Connector
  • Get a copy of "Campus Pipeline Integration Protocol"
  • Visit LumDevNet for more samples and help
  • For assistance translating to Perl or PHP contact Andrew or Scott and we'll try to help
• The CPIP Actions (Coordinated Session Management)
  • getConfig
  • authenticate
  • deauthenticate
  • lastactive
Putting All the Eggs in One Basket
• [Y]ou've got it backwards. It's not death you have to be afraid of, that's the easy part. It's life that you have to worry about.
• (La Femme Nikita)
Implementation
The Hard Part: The front-end handoff page
• Hacking the External Server's Login Process
  • What happens when you log in "normally" to the system?
    • sets a Cookie
    • creates a Session
    • makes an entry in a database sessions table
    • other (dark?) processes
• Receiving the handoff
  • apply the same procedures that the "real" login system does
  • make the handoff token non-reusable
  • direct the user to the external system's main post-login page
Putting All the Eggs in One Basket
• I have tricks in my pocket, and I have things up my sleeve, but I am the opposite of a stage magician. He gives you illusion that has the appearance of truth. I give you truth in the pleasant disguise of illusion.
• (Tennessee Williams, The Glass Menagerie)
Difficult Web Services
The Even Harder Part: Dealing with "Closed" systems
• Closed Systems
  • Proprietary, Contract, Oft-Updated, etc.
  • Cannot figure out (or gain access to) the things that happen during a "normal" login process
• Hacking the "Closed" system
  • Make a generic jumping-off SSSO service with CPIP
  • Take the handoff, then do something MORE
  • Option A: Use an API to hand off using some other protocol, shared secret, or form of trust (AlcoholEdu)
  • Option B: Create accounts in the external system with "random" passwords and then log the user in via a 2-click process (Copy Center)
Putting All the Eggs in One Basket
• We will burn that bridge when we come to it.
• (Johann Wolfgang von Goethe)
Security Concerns
A Few Points of Weakness
• During CPIP Back-end Handoff
  • Only accept CPIP from a known Luminis IP address?
  • Is traffic secure (encrypted or on a private subnet)?
• During Front-end Handoff
  • Is traffic secure (over SSL)?
  • Does the token expire if not used?
• After Front-end Handoff
  • Is the token re-usable?
• After Portal Logout
  • Are loosely coupled systems still logged in?
• External "Hacked" Closed System
  • Is the password algorithm still a secret?
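The "Receiving the handoff" steps and the points of weakness above come down to how the external service treats the handoff token. The following is an added illustration, not code from the deck, LumDevNet or the CPIP specification: a minimal token store for the external side that accepts the back-end handoff only from the portal's subnet, issues an unpredictable token, refuses expired or replayed tokens at the front-end step, and burns a user's outstanding tokens when a deauthenticate arrives. The subnet, lifetime and user names are constructed assumptions.

```python
import secrets
import time
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed values (assumptions, not from the deck): the portal's private subnet
# for the back-end CPIP handoff and the lifetime of an unused handoff token.
PORTAL_SUBNET = ip_network("10.10.0.0/24")
TOKEN_TTL_SECONDS = 60


@dataclass
class Handoff:
    user: str
    issued: float
    used: bool = False


def from_portal(source_ip: str) -> bool:
    """Back-end handoff check: is the server-to-server call from the portal's subnet?"""
    return ip_address(source_ip) in PORTAL_SUBNET


class HandoffStore:
    """Issues one-time handoff tokens at the CPIP back-end step and redeems them
    at the front-end step, refusing unknown, expired, replayed or revoked tokens."""
    def __init__(self):
        self._tokens = {}

    def issue(self, user, source_ip, now=None):
        if not from_portal(source_ip):
            raise PermissionError("handoff request not from portal subnet")
        token = secrets.token_urlsafe(32)  # unpredictable "random" handoff identifier
        self._tokens[token] = Handoff(user, time.time() if now is None else now)
        return token

    def redeem(self, token, now=None):
        """Return the user to log in, or None if the token must not be honoured."""
        now = time.time() if now is None else now
        entry = self._tokens.get(token)
        if entry is None or entry.used or now - entry.issued > TOKEN_TTL_SECONDS:
            return None
        entry.used = True  # single use: a replayed token is refused from here on
        return entry.user

    def revoke_user(self, user):
        """On a CPIP deauthenticate for this user, burn any outstanding tokens."""
        outstanding = [h for h in self._tokens.values() if h.user == user and not h.used]
        for h in outstanding:
            h.used = True
        return len(outstanding)
```

After `redeem` returns a user, the service still has to do what its own login does (cookie, session row, and so on) before sending the browser to the post-login page.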
Putting All the Eggs in One Basket
• Prove that all odd numbers are prime. Professor: 3 is prime, 5 is prime, 7 is prime, and the rest are left as an exercise for the student.
• http://www.gdargaud.net/Humor/OddPrime.html
Related Links
• Single Sign-on defined with examples in Wikipedia: http://en.wikipedia.org/wiki/Single_sign-on
• Luminis/CPIP: http://www.lumdev.net/index.php
• Shibboleth (Blackboard, Moodle): http://shibboleth.internet2.edu/ and http://shibboleth.internet2.edu/seas.html
• Liberty Alliance: http://www.projectliberty.org
Putting All the Eggs in One Basket
• What kind of sycophant are you?
• [W]hat kind of sycophant would you like me to be?
• (101 Dalmatians - 1996)
All the Eggs are in This Basket
• http://www.wm.edu/it/portal2006