Using Grouper and Signet for Access Management - PowerPoint PPT Presentation

1
Using Grouper and Signet for Access Management
  • Kathryn Huxtable
  • GPN Annual Meeting
  • 30 May 2008
  • kathryn_at_kathrynhuxtable.org

2
Grouper for Groups Management
  • Create and manage groups of other groups and
    entities from your identity management systems.
  • Allow group math, that is, union, intersection,
    and relative complement to produce new groups.
  • Provide access to groups information via an API
    and via web services.
  • Provision Groups data to LDAP directory.

3
What's New in Grouper 1.3.0?
  • Web services access to Grouper API.
  • New API calls to improve usability.
  • Improved web user interface.
  • Better performance with large groups.
  • Better performance with large numbers of groups.

4
What's Still Missing?
  • Group loading from identity management criteria.
  • Instantaneous updates of LDAP when group
    membership changes.
  • Simpler user interface for basic users, e.g.
    administrative assistants.

5
Quick installation
  • Have a working Tomcat installation.
  • Get the quick start from the wiki and unpack
    into a directory.
  • Follow the installation instructions in
    README.html to build Grouper, configure
    Tomcat, and install Grouper into Tomcat.
  • Start the built-in database and Tomcat.
  • Open a browser and go to your local Grouper.

6
Installation for Actual Use
  • Download the API and the UI. Unpack to the same
    root directory.
  • Configure the files in the API's conf directory.
  • Build the API.
  • Build the UI.
  • Configure a working Tomcat for Grouper login
    (CAS, Shibboleth, Tomcat login, etc.).
  • Install the UI to a working Tomcat.

7
Configuring the API
  • Files are in conf directory.
  • Edit grouper.hibernate.properties to include type
    and location of database and authentication
    information.
  • Edit grouper.properties to specify default group
    permissions and to specify the wheel group.
  • Edit log4j.properties to specify log level and
    location.
  • Edit sources.xml to specify external entity
    lookup.
  • Edit ehcache.xml and grouper.ehcache.xml for
    database cache tuning. (I've never done this.)
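
A check for the grouper.properties settings named on this slide (default group permissions and the wheel group), as an added example that is not from the presentation or the Grouper project. The key names `groups.create.grant.all.*`, `groups.wheel.use` and `groups.wheel.group` are assumptions here and should be confirmed against the grouper.properties shipped with your release; the sample file is constructed.

```python
# Added example: audit default privileges and the wheel group in grouper.properties.
SAMPLE = """\
# constructed sample, not a real deployment; key names are assumed
groups.create.grant.all.admin  = false
groups.create.grant.all.update = true
groups.create.grant.all.read   = true
groups.create.grant.all.view   = true
groups.wheel.use   = true
groups.wheel.group =
"""

PREFIX = "groups.create.grant.all."
# Privileges that change a group or its membership are HIGH; read-only ones are INFO.
SEVERITY = {"admin": "HIGH", "update": "HIGH", "optin": "HIGH", "optout": "HIGH",
            "read": "INFO", "view": "INFO"}


def parse_properties(text):
    """Parse simple key=value lines; skips blank lines and #/! comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def audit(props):
    """Return (severity, message) findings for defaults that grant access to everyone."""
    findings = []
    for key, value in sorted(props.items()):
        priv = key[len(PREFIX):] if key.startswith(PREFIX) else None
        if priv in SEVERITY and value.lower() == "true":
            findings.append((SEVERITY[priv], f"every subject gets {priv} on each new group"))
    # Wheel group members act with administrator rights, so the group must be named and reviewed.
    if props.get("groups.wheel.use", "false").lower() == "true":
        wheel = props.get("groups.wheel.group", "")
        if wheel:
            findings.append(("INFO", f"review membership of wheel group {wheel}"))
        else:
            findings.append(("HIGH", "wheel group enabled but groups.wheel.group is empty"))
    return findings


if __name__ == "__main__":
    for severity, message in audit(parse_properties(SAMPLE)):
        print(severity, message)
```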

8
Who is Using Grouper?
  • Duke.
  • KU, but it's converting to Sun Identity Manager.
  • Cornell is close to rollout.
  • Brown is ready to convert from their homegrown
    grouper.
  • About a dozen other universities have pilot
    programs.

9
Signet for Permissions Management
  • Manage complex permissions structure, including
    delegation, expiration, scope, and limits.
  • Reimplementation of Stanford Access Manager for
    general use.
  • Structured web interface for management.
  • Provide access to permissions via API and via
    LDAP directory.

10
What is not in version 1.2.2?
  • Prerequisites, e.g. having taken a web
    examination or attended training.
  • Conditions, e.g. being an employee in a
    particular department, or having a particular
    position number.

11
Quick Installation
  • Get the quick start from the wiki and unpack
    into a directory.
  • Go to the demo directory and run
    start_demo.sh or start_demo.bat.
  • Browse to http://localhost:8080/signet
  • Log in as user kmart with password signet.

12
Signet's Promise
  • Scalable privilege management.
  • Integrated with identity management system.
  • Unify privilege management across the enterprise.

13
Signet's Current State
  • Without prerequisites it lacks some
    functionality, but it could be hacked into the
    LDAP directory.
  • Without conditions other than dates, it lacks the
    links with enterprise information systems that
    would really make it useful.
  • Design of the privileges is clunky and I haven't
    seen any sign that it will be improved.

14
Who is Using Signet?
  • No one.
  • Stanford wants more features before they replace
    Stanford Access Manager with Signet.
  • People express interest, but there seems to be a
    barrier of understanding, exacerbated by the lack
    of features.

15
Essential Links
  • Grouper main page: http://grouper.internet2.edu
  • Grouper wiki: https://wiki.internet2.edu/confluence/display/GrouperWG/Home
  • Grouper users mailing list: grouper-users_at_internet2.edu

16
Essential Links (cont.)
  • Signet main page: http://signet.internet2.edu
  • Signet wiki: https://wiki.internet2.edu/confluence/display/SignetWG/Home
  • Signet users mailing list: signet-users_at_internet2.edu