Fall 2009 Day 2 - Advanced Topics in AuthZ

  • Authorization is not stored in an application anymore
  • Need to pull groups, roles, memberships for each application.
  • Reduce the arbitrary distinctions each application makes about who can do what.
  • There is agreement on the strategy of unifying authorization, but it is difficult to get the funding and resources to make it happen.
  • Most tackle "Group Management" as a first step to identify similar activities for users
  • Can you at least get others to think about granting authorization in a common system rather than in an individual silo? Even though the system may not be enterprise-wide, working towards a single authorization system over time would pay significant dividends down the road.
  • Use CAS to do the authentication, then use a SAML token to carry the authorizations. CAS acts as a broker for that data; it is not in the authorization business, just a messenger. Discussed some in the CAS Roadmap session on Monday.
  • Poor Man's method is to use Grouper to populate LDAP, use LDAP to determine membership for authorizations
  • Common Design principle (at least at University of Chicago) is to "grab all memberships" at the time of authentication and then hold on to those group memberships within the session to check over and over throughout the user's session.
  • Concept that the authentication server also knows what service is authenticating, not just what authorizations (memberships, permissions) the user holds, in order to accurately grant permissions to the user.
  • Questions Asked -- although not necessarily answered:
    • How do you leverage authorization beyond one application?
    • How do we identify all the places authorizations need to be changed for a user?
  • Problems, Issues and Challenges:
    • Projects that get built use similar groupings and permissions for users, but are created in silos and end up as separate access levels for different applications.
    • What does cloud computing (Google Docs, etc.) do to the advancements in unified authentication and authorization?
    • Purchased boxed programs have proprietary, closed solutions that are not open to unification.
    • We're universities; nothing is standard.
  • Cool Ideas:
    • CAS does authentication really well. Could Grouper be placed on top of CAS to build a complete solution with authorization as well?
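As an added illustration of the design principle in these notes (grab all memberships at authentication time, hold them in the session, and let the authorization decision know which service is asking), the sketch below is example code, not code from the session, CAS or Grouper. The directory contents, group names, service policy and 600-second refresh age are constructed stand-ins for an LDAP directory populated by Grouper.

```python
"""Session-scoped group memberships as an authorization cache (added example)."""
import time

# Constructed stand-in for LDAP group data (Grouper-populated in the notes).
DIRECTORY = {
    "alice": {"app:grades:admin", "dept:cs:staff"},
    "bob": {"dept:cs:student"},
}

# Central policy keyed by (service, action): the notes argue this mapping belongs
# in one common system rather than being repeated inside each application silo.
POLICY = {
    ("gradebook", "edit"): {"app:grades:admin"},
    ("gradebook", "view"): {"app:grades:admin", "dept:cs:staff", "dept:cs:student"},
    ("roster", "view"): {"dept:cs:staff"},
}

# Assumed refresh age: memberships cached in a session go stale when groups
# change, so they are re-fetched after this many seconds (a trade-off, not a rule).
MAX_AGE_SECONDS = 600


def fetch_memberships(user):
    """Stand-in for the LDAP query; returns a copy so the session never aliases the directory."""
    return set(DIRECTORY.get(user, set()))


def authenticate(user, now=None):
    """Build the session once at login: identity, every membership, and the fetch time."""
    now = time.time() if now is None else now
    return {"user": user, "groups": fetch_memberships(user), "fetched_at": now}


def authorize(session, service, action, now=None):
    """Answer from the session cache. The caller names the requesting service,
    so the same user can get different answers for different services."""
    now = time.time() if now is None else now
    if now - session["fetched_at"] > MAX_AGE_SECONDS:
        # Revocations in the directory are invisible until this refresh runs.
        session["groups"] = fetch_memberships(session["user"])
        session["fetched_at"] = now
    required = POLICY.get((service, action))
    if required is None:
        return False  # unknown service/action: deny by default
    return bool(session["groups"] & required)
```

The refresh branch is the answer to the staleness question raised above: a membership removed in the directory is still honoured by every open session until that session's cache expires, so the cache age bounds how long a revocation takes to reach all applications.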