Groups Inside FHNW: Why it's not just another AAI SP


Michael Hausherr, Business Applications FHNW

Agenda
- Introduction: (Groups) Inside FHNW
- Issue 1: authentication for different user groups
- Issue 2: simple creation of collaboration space
- Issue 3: end-user choice of Identity Provider
- Findings
- Questions?

Inside FHNW: vision and high-level goals

Vision (target system), overarching objective:
«Inside FHNW supports the universities and the growing together of processes and people across university and campus boundaries wherever this seems sensible or contributes to greater efficiency, effectiveness and quality and to the shared preservation of knowledge. Up-to-date functionality enables a continuous dialogue with and among the members of FHNW. The portal fosters organizational culture, participation, knowledge transfer and exchange among members and with the national and international scientific community, and thereby creates room for creativity.»

High-level goals:
- Strong support for FHNW members in delivering their work
- Strategic alignment of FHNW members with the goals of the organization
- Strengthening and promoting a shared FHNW culture
- Identification with FHNW and its universities
- Sustainable preservation of knowledge
- Promotion of cross-university collaboration

«Inside FHNW» is THE central entry point to ALL relevant information, tools and applications that are integrated into the FHNW system landscape.

Guiding principles (1/2)
At the center are the members of FHNW (staff and students) with their individual needs, for example: exchange student, head of institute, student, site manager, research associate, researcher, new employee, lecturer, head of Finance & Controlling.

Guiding principles (2/2)
Supporting collaboration within interdisciplinary groups, also with external partners.

Key features (stage 1)
- Optimized access to existing tools and platforms
- People directory FHNW
- Search across all Inside content
- Transparent news center: personalized news on the start page
- «Groups Inside FHNW» collaboration platform
- FHNW «showcase»

Groups Inside FHNW: core functionality
- Document collaboration: collectively work on documents and store them in a central location.
- Create collaboration space: available to all FHNW members, no administrator needed.
- Group calendar: perfect overview of all common dates.
- Task list: plan, assign and supervise tasks.
- Discussion forum: efficient group communication.

Collaboration spaces: as diverse as the groups
Users should not be overwhelmed by the full SharePoint functionality in a newly created collaboration space, so three templates for different use cases have been created: file share, theme group and project group.
- Core features: calendar, document library, discussion forum, task list (calendar and document library are part of all three templates).
- Additional functionality: image gallery, contact list, link list.
- Every template is extendable according to needs.

Issue 1: authentication for different user groups
Challenge: three groups of users
- staff / students @ FHNW
- tertiary education community
- external users!
Key factors
- same technology for all user groups
- SWITCHaai is the strategic focus of FHNW
- benefit from earlier investments (Kerberos)
- simplify SSO with other integrated applications

Using ADFS as the gateway between AAI and SharePoint
(Diagram: SWITCHaai, ADFS (IdP) and SharePoint, with the authentication flow numbered 1 to 4. Protocols: SAML 2.0 between the AAI IdP and ADFS, WS-Federation between ADFS and SharePoint.)

Issue 2: simple creation of collaboration space
Requirements
- possible for every staff member or student
- without administrator intervention
- integrated invitation of external users
Architecture
- additional directory (AD) for external users
- VHO not suitable for this case, because comprehensive integration is not possible

Implementation (diagram)

AAI user categories at FHNW
- «member» group:
  affiliation: staff, member (max.musterdozent@fhnw.ch)
  affiliation: student, member (max.musterstudent@student.fhnw.ch)
- «affiliate» group:
  affiliation: affiliate (max.musterpartner@guest.fhnw.ch)
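The categorisation on this slide is driven by the scoped affiliation values an IdP asserts, which is exactly where a gateway SP such as ADFS has to be careful: a value like member@fhnw.ch must only be accepted from an IdP that is allowed to assert the fhnw.ch scope, otherwise any federation IdP could turn its users into FHNW members. The following is an added example, not code from the presentation or from FHNW: it parses the AttributeStatement of a (constructed, unsigned) SAML 2.0 assertion, applies a per-IdP scope check of the kind a Shibboleth SP does from federation metadata, and maps the result onto the «member» / «affiliate» categories of the slide. The IdP entityIDs, the allowed-scope table and the helper names are assumptions; signature and audience validation are assumed to have happened earlier in the SAML stack.

```python
"""Classify an incoming AAI user into the FHNW «member» / «affiliate» categories.

Added example (not from the presentation). Assumes the assertion signature and
audience were already verified; the entityIDs below are placeholders.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ATTR_EPPN = "urn:oid:1.3.6.1.4.1.5923.1.1.1.6"                 # eduPersonPrincipalName
ATTR_SCOPED_AFFILIATION = "urn:oid:1.3.6.1.4.1.5923.1.1.1.9"   # eduPersonScopedAffiliation

# Placeholder entityIDs (assumption). Which scopes each IdP may assert mirrors the
# scope check a Shibboleth SP performs: an IdP must not be able to claim
# "member@fhnw.ch" for its own users.
FHNW_IDP = "https://idp.example-fhnw.invalid/shibboleth"
OTHER_IDP = "https://idp.example-other.invalid/shibboleth"
IDP_ALLOWED_SCOPES = {
    FHNW_IDP: {"fhnw.ch", "student.fhnw.ch", "guest.fhnw.ch"},
    OTHER_IDP: {"example-other.invalid"},
}


@dataclass(frozen=True)
class Category:
    group: str        # "member" or "affiliate" (the two groups on the slide)
    affiliation: str  # "staff", "student", "member" or "affiliate"
    principal: str    # eduPersonPrincipalName, e.g. max.musterdozent@fhnw.ch


def parse_attributes(assertion_xml: str) -> dict[str, list[str]]:
    """Return {attribute Name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs: dict[str, list[str]] = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [v.text.strip() for v in attr.iterfind("saml:AttributeValue", SAML_NS) if v.text]
        attrs[attr.get("Name", "")] = values
    return attrs


def split_scoped(value: str) -> tuple[str, str]:
    """'staff@fhnw.ch' -> ('staff', 'fhnw.ch'); anything not of that shape is rejected."""
    local, sep, scope = value.partition("@")
    if not sep or not local or not scope or "@" in scope:
        raise ValueError(f"not a scoped value: {value!r}")
    return local, scope.lower()


def classify(assertion_xml: str, issuer: str) -> Category:
    """Map the asserted attributes to an FHNW user category, enforcing scope ownership."""
    allowed = IDP_ALLOWED_SCOPES.get(issuer)
    if allowed is None:
        raise PermissionError(f"unknown IdP {issuer}")
    attrs = parse_attributes(assertion_xml)

    eppns = attrs.get(ATTR_EPPN, [])
    if len(eppns) != 1:
        raise ValueError("expected exactly one eduPersonPrincipalName")
    principal = eppns[0]
    if split_scoped(principal)[1] not in allowed:
        raise PermissionError(f"{issuer} may not assert principal {principal}")

    affiliations = set()
    for value in attrs.get(ATTR_SCOPED_AFFILIATION, []):
        affiliation, scope = split_scoped(value)
        if scope not in allowed:
            raise PermissionError(f"{issuer} may not assert {value}")
        affiliations.add(affiliation)

    # Staff and students carry "member"; external partners carry "affiliate".
    if "member" in affiliations:
        detail = "staff" if "staff" in affiliations else "student" if "student" in affiliations else "member"
        return Category("member", detail, principal)
    if "affiliate" in affiliations:
        return Category("affiliate", "affiliate", principal)
    raise PermissionError("no affiliation that maps to an FHNW user category")


def make_assertion(eppn: str, scoped_affiliations: list[str]) -> str:
    """Build a minimal, unsigned assertion (constructed sample input for this example)."""
    values = "".join(f"<saml:AttributeValue>{v}</saml:AttributeValue>" for v in scoped_affiliations)
    return (
        f'<saml:Assertion xmlns:saml="{SAML_NS["saml"]}"><saml:AttributeStatement>'
        f'<saml:Attribute Name="{ATTR_EPPN}"><saml:AttributeValue>{eppn}</saml:AttributeValue></saml:Attribute>'
        f'<saml:Attribute Name="{ATTR_SCOPED_AFFILIATION}">{values}</saml:Attribute>'
        "</saml:AttributeStatement></saml:Assertion>"
    )


if __name__ == "__main__":
    print(classify(make_assertion("max.musterdozent@fhnw.ch", ["staff@fhnw.ch", "member@fhnw.ch"]), FHNW_IDP))
    print(classify(make_assertion("max.musterpartner@guest.fhnw.ch", ["affiliate@guest.fhnw.ch"]), FHNW_IDP))
```

The same assertion content that yields a «member» when it comes from the FHNW IdP is rejected when another IdP presents it, which is the property the finding "an AAI user is not always a student or staff member" depends on: the category must come from who asserted the scope, not from the string value alone.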

Issue 3: end-user choice of Identity Provider
Requirements
- external users should be able to use an AAI-enabled account of their choice to access a collaboration space
- extendable to include further login scenarios (e.g. Google) at a later stage
Architecture
- SharePoint does not need to know how the user was authenticated
- the ADFS server provides the possibility to link different login credentials to the same SharePoint user
- a self-service app allows the user to switch login method (IdP) and re-authenticate
See also the slides of the 'AAI and ADFS with SharePoint' workshop: https://www.switch.ch/aai/events/adfs-sharepoint-2013/

Choosing an alternate authentication provider
(Diagram: re-authentication flow for an external user, with lanes for the user, SharePoint, the ReAuth page and the SwitchAAI IdP of HSLU.)
1. The user is already logged in to a SharePoint page as hans.muster@guest.fhnw.ch.
2. SharePoint redirects to the ReAuth page.
3. The ReAuth page redirects to the alternate authentication provider, the SwitchAAI IdP of HSLU, where the user authenticates.
4. ADFS defines the mapping hans.muster@guest.fhnw.ch = hans.muster@hslu.ch in the attribute store (SQL).
5. The user is redirected to welcome.inside.fhnw.ch (SharePoint page).
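The security-relevant part of this flow is step 4: the mapping guest = alternate is what later lets a login at a foreign IdP resolve to the guest account, so it must only be created inside a re-authentication that was started from an already authenticated guest session, and an alternate identity must not be claimable by a second guest. The following is an added example, not code from the presentation or from FHNW's ADFS setup: an in-memory SQLite table stands in for the attribute store (SQL), a single-use, short-lived state token ties the ReAuth start to its completion, and resolve() is the lookup a gateway would do at login so that SharePoint only ever sees the guest user, whichever IdP authenticated. The class and method names, the guest-scope convention and the TTL are assumptions; hans.muster@guest.fhnw.ch and hans.muster@hslu.ch are the sample user from the slide.

```python
"""Identity linking behind the ReAuth flow: alternate AAI identity -> guest account.

Added example (not from the presentation). SQLite in memory stands in for the
attribute store (SQL); names, TTL and guest-scope convention are assumptions.
"""
import secrets
import sqlite3
import time
from typing import Callable, Optional

GUEST_SCOPE = "@guest.fhnw.ch"   # external accounts live in the additional AD for external users
REAUTH_TTL_SECONDS = 300         # assumed lifetime of a pending re-authentication


class IdentityLinkStore:
    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._db = sqlite3.connect(":memory:")
        # PRIMARY KEY on alternate: one alternate identity can belong to at most one guest.
        self._db.execute(
            "CREATE TABLE identity_link (alternate TEXT PRIMARY KEY, guest TEXT NOT NULL)"
        )
        self._pending: dict[str, tuple[str, float]] = {}  # state -> (guest principal, expiry)
        self._clock = clock

    def begin_reauth(self, guest_principal: str) -> str:
        """Called by the ReAuth page for a user who is already logged in as a guest.
        Returns the state token that must come back together with the alternate identity."""
        if not guest_principal.lower().endswith(GUEST_SCOPE):
            raise PermissionError("only guest accounts may link an alternate identity")
        state = secrets.token_urlsafe(32)
        self._pending[state] = (guest_principal.lower(), self._clock() + REAUTH_TTL_SECONDS)
        return state

    def complete_reauth(self, state: str, alternate_principal: str) -> str:
        """Called after the alternate IdP has authenticated the user. Defines the mapping
        guest = alternate in the store and returns the guest principal."""
        entry = self._pending.pop(state, None)   # single use: a replayed state fails
        if entry is None:
            raise PermissionError("unknown or already used re-authentication state")
        guest, expires_at = entry
        if self._clock() > expires_at:
            raise PermissionError("re-authentication took too long, start again")
        alternate = alternate_principal.lower()
        if alternate.endswith(GUEST_SCOPE):
            raise ValueError("a guest account cannot be linked as an alternate identity")
        try:
            self._db.execute("INSERT INTO identity_link VALUES (?, ?)", (alternate, guest))
        except sqlite3.IntegrityError:
            raise PermissionError(f"{alternate} is already linked to a guest account") from None
        return guest

    def resolve(self, authenticated_principal: str) -> Optional[str]:
        """At login: map an alternate identity to its guest account, so SharePoint only
        sees the guest user regardless of which IdP authenticated. None = not linked."""
        row = self._db.execute(
            "SELECT guest FROM identity_link WHERE alternate = ?", (authenticated_principal.lower(),)
        ).fetchone()
        return row[0] if row else None


if __name__ == "__main__":
    store = IdentityLinkStore()
    state = store.begin_reauth("hans.muster@guest.fhnw.ch")       # sample user from the slide
    print(store.complete_reauth(state, "hans.muster@hslu.ch"))    # -> hans.muster@guest.fhnw.ch
    print(store.resolve("hans.muster@hslu.ch"))                   # -> hans.muster@guest.fhnw.ch
```

The state token is what binds the mapping to the session that requested it; without it, anyone who could reach the completion step with an arbitrary guest name would be able to attach their own IdP identity to that guest's collaboration spaces. In a real deployment the token would live in the user's session rather than in a process-local dict, and the store would be the shared SQL database ADFS reads its attribute from.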

Findings
- External user integration is a key success factor for the collaboration platform (a few hundred accounts in six months).
- Shibboleth interoperability is good: ADFS (V2.1 in production, V3 in testing), SAP Enterprise Portal (NW7.4 in production, NW7.3 used before).
- Added complexity (architecture, operation, troubleshooting).
- It is important to spread awareness that an AAI user is not always a student or staff member.
- From an AAI point of view, more and more services will be «hidden» behind a portal SP or protocol gateway SP (e.g. ADFS) rather than have their own SP.
- Some issues with non-browser access (e.g. MS Office applications) are left.

Questions?

Contact
Michael Hausherr
Business Applications, Team leader ERP & Collaboration group
+41 56 202 71 56
michael.hausherr@fhnw.ch