Federating Identity with Virtual LDAP - PowerPoint PPT Presentation

1 / 33

About This Presentation

Title:

Federating Identity with Virtual LDAP

Description:

... 30 Institutes. Famous Alumni: Stephen Harper and James Gosling. Page 4. Connected Campus ' ... 'Enabling the learning, research, administrative, and ... – PowerPoint PPT presentation

Number of Views:50

Avg rating:3.0/5.0

Slides: 34

Provided by: canh9

Category:

more less

Transcript and Presenter's Notes

Title: Federating Identity with Virtual LDAP

1
Federating Identity withVirtual LDAP
Jeremy Mortis
2
Todays Agenda

Overview of LDAP
ID Federation
Virtual LDAP
Case studies
Relationship with other initiatives
Q A

3
The University of Calgary

8th largest University in Canada
28,000 FTE students
5,000 faculty and staff
15 Faculties, 53 Depts, 30 Institutes
Famous Alumni
Stephen Harper and James Gosling

4
Connected Campus

Enabling the learning, research,
administrative, and community goals of the UofC,
through the effective and efficient use of
technology allowing people to access information
they need, at the required time, in the desired
location, and in the appropriate format

5
What is LDAP?

A protocol for accessing organizational
directories
Defines a data model
Silent on backend implementation
Mature technology

6
Directory Structure
oucalgary.ca
ougroups
oupeople
cnadm
ouchem
cnusers
oumath
cnjohn
cnsam
cnjohn
7
Whats Good About LDAP?

The only real standard for IAM
Most software can authenticate via LDAP
Many implementations availableOpenLDAP, Oracle,
Active Directory, etc.
Accessible from any environment
Can use any back-end data store
Generally tuned for fast read at expense of
update

8
Whats Bad About LDAP?

Funky data model
Not 3rd-normal form
ASN.1/DER encoding is complex
API is rather awkward
Most people dont get it

9
Searching a Directory

Bind to an object by sending a distinguished
name and password
Send search request
ACLs restrict what you can search for

10
Binding Searching
oucalgary.ca
ougroups
oupeople
cnadm
ouchem
cnusers
oumath
cnjohn
cnsam
cnjohn
cnjohn,ouchem,oupeople,oucalgary.ca
11
Identity Verification

Try the bind
If it fails, then the password was bad
Protocol allows for different domains
Warning blank passwords always succeed!

12
Identity Federation

Users have multiple UofC identifiers
How did that happen?
Big problem is Unix vs. portal IDs
Users can't remember which to use

13
LDAP Trees
oucalgary.ca
ouunix UNIX/Windows accounts e.g.
mortisj 50,000 entries
oupeople Students, staff, and others e.g.
02003003 800,000 entries
oueID Portal accounts e.g. jeremy.mortis 30,0
00 entries
14
Virtual LDAP
15
Virtual LDAP

Home-made Java LDAP server
Arbitrary backends, including LDAP, AD,
databases, etc.
Puts authentication back into your control

16
Virtual Trees
Clients
oupeoplesoft
Virtual LDAP
Oracle
17
Virtual Trees
Clients
ouunix-or-eid
Virtual LDAP
Real LDAP
Real LDAP
oueid
ouunix
18
Virtual Trees
Clients
oualberta
Virtual LDAP
Real LDAP
Real LDAP
Real LDAP
ouleth.ca
oucalgary.ca
oualberta.ca
19
SecurID Authentication
Clients
ouunix
Virtual LDAP
Real LDAP
SecurID
ouunix
20
Extending Virtual LDAP

1200 lines of Java
Uses Mozilla ASN.1/DER tools
Not a full implementation
Incremental improvement
Only limited by the imagination

21
Wireless Authentication
Aruba
Radius
Determines identifier Determines eligibility
Virtual LDAP
LDAP
22
Portal Integration
Portal
SSO Server
Username/Password
Ticket Granting Ticket
Ticket Granting Ticket
One-Time Ticket
Application
Username/OTT
23
Portal Integration
Portal
SSO Server
Username/Password
Ticket Granting Ticket
Ticket Granting Ticket
One-Time Ticket
Virtual LDAP
Application
Username/OTT
24
Virtual LDAP Farm
Clients
LVS
LVS
Virtual LDAP
Virtual LDAP
Virtual LDAP
Virtual LDAP
Backends
25
Shibboleth