
This forum is for the UH IT community, which includes IT staff, IT managers, IT professors and those participating in IT-related projects.

Tip: It is highly recommended that you sign up if you use any of the IAM services, in order to stay informed. The IAM services include, but are not limited to, UH Login (CAS, Shibboleth IdP) and Directory Services (LDAP).


The UH IT Community forum is currently on hiatus. It has been convened by the ITS Identity and Access Management (IAM) group approximately every few years. These meetings are hosted by the IAM team in ITS so that we may share our project plans and status updates for Middleware projects relevant to the UH developer community. The intent is to involve IT managers and UH developers in the very early project stages to obtain feedback and to ensure better alignment of efforts and outcomes. Over time it is hoped that IT managers and UH developers will begin sharing their own projects to further enhance collaboration within the UH developer community. Besides IAM topics, other topics relevant to UH application developers and technical leads are often included.

...

  1. Presentation: Using Selenium for testing web apps and other automations (Erik Meade)
  2. Presentation: UH Groupings Road Map (Michael)
  3. Presentation: Crafting Email Official Messages that don't look like phishing attacks (TBD)
  4. Topic: Gathering functional requirements for Delegated Management of "extended community members" that require central authentication (Michael)
    1. Topic needs a shorter handle that is also intelligible.
    2. "Extended community members" are members of the more general community that utilize UH online resources informally, or semi-formally, such as walk-ins using UH library resources.

...

Previous discussions

...

...

2018-05-25

...

Fri, Oct 30, 2015 - Information Technology Center

Date/Time/Venue:

  • Fri, October 30, 2015, 2:00-3:30 PM
  • Information Technology Center, room 105A/B (visitor badges not needed for 1st floor events)

Presenters:

  1. Jennifer Geis, ITS, MIS
  2. Michael Hodges, ITS, TI-IAM
  3. Dr Philip Johnson, UHM, ICS, CSDL
  4. Julio Polo, ITS, TI-IAM
  5. Craig Spurrier, KCC, CELT

Agenda:

  1. Presentation: Publishing UH projects to Github and building a community of interest (Philip)
  2. Presentation: Native iOS App Authenticate with CAS (Jen)
  3. Presentation: Invoking CAS from a PhoneGap based hybrid app (Craig)
  4. Update: UH Groupings (Julio)
  5. Quick Topics: (Michael)
    1. Info: ITS IAM Projects for FY2016
    2. Info: New LDAP Attributes Under Consideration
    3. Info: Phasing out CAS support for http

More info:

Slide Deck

Q&As Transcription:

Publishing UH projects to Github and building a community of interest:

Question:  If we publish code on Github, are we less secure?
Answer:  Security through obscurity is not the best strategy.  Publishing on Github actually makes code more secure as more eyes can view it.  You can always limit the code that is posted to Github.
Question:  What does legal think of publishing to Github?
Answer:  Developers should reach out to legal in solidarity for the purposes of convincing them that Github is a positive step forward.
Question:  Should decades old code be put onto Github?
Answer:  Not all code needs to go on Github.  It is advantageous to put up code that will benefit other UH developers.
Native iOS App Authenticate with CAS:
Question:  How does an app authenticate itself to the web service?
Answer:  When the cookie gets passed to the login service.
Question:  If an app does not associate with eCafe, how does it validate that the person is UH affiliated?
Answer:  You can pass it any URL that is registered.
Question:  In the native app scenario, does the app obtain the user credentials?
Answer:  Yes.
Invoking CAS from a PhoneGap based hybrid app:
Question:  What are the benefits of using the phone app compared to a web app?
Answer:  Geolocation functionality for maps, better access to the camera, access to additional libraries, and the ability to access the iOS keychain.
Question:  How does the app deal with a jailbroken Android phone?
Answer:  Android takes steps against this; ultimately the data is the student's responsibility.
Question:  Is the app available for the community?
Answer:  Currently working with HCC.  In general, there is support from the "higher ups".  Contact Craig if interested.
UH Groupings:
Question:  What is UH Groupings used for?
Answer:  Allows a person to enter an application based on specified qualifications set in the group.  Allows on/off boarding of lists to be automated.
Question:  Is there documentation for Grouper?



Fri, April 24, 2015 - Information Technology Center

Date/Time/Venue:

  • Fri, April 24, 2015, 2:00-3:30 PM
  • Information Technology Center, room 105A/B (visitor badges not needed for 1st floor events)

Presenters:

  1. Wendall Ho, Treasury Office
  2. Michael Hodges, ITS, Enterprise Middleware, Identity and Access Management
  3. Monir Hodges, HCC, PCATT
  4. Ben Karsin, ITS, Technology Infrastructure
  5. Julio Polo, ITS, Enterprise Middleware, Identity and Access Management
  6. Paul Ryan, UHM, College of Education

Agenda:

  1. Breaking News: All IT Workshop
  2. Presentation: eCommerce on Campus (Wendall/Monir)
  3. Presentation: Using Backbone and Handlebars for Web-App Development (Ben)
  4. Presentation: WordPress Authorizer plugin (Paul)
  5. Presentation: There's a Group for that (Julio)
  6. Notables, Quick Tips and Reminders
    1. Google@UH calendaring informal poll
    2. ACER, online General Confidentiality Notice
    3. SECE now supports GCN review for student supervisors
    4. MFA project update

More info:

Slide Deck

Q&As Transcription:
  • eCommerce on Campus
    • Q: Does TouchNet (uStore, uPay) link to existing UH accounts with your fiscal office(r)?
      • A: No. Your F.O. must log in to TouchNet to obtain credit card receipts and reconcile them with your account.
    • Q: Does it have the ability to do authorization & "capture"?
      • A: Yes. This is called "fulfill". Allows you to charge the user's card at a later time.
    • Q: Is it required to have some sort of identification or branding (e.g. UH logo) that identifies the site using this as official UH service?
      • A: May be subject to general UH or specific campus policy(?). The initial uStore page is branded with UH identifiers; developers using uPay are responsible for the appearance of their apps. Each campus/system may have their own style guides.
    • Q: How does TouchNet support developers (libraries, languages, clients, etc?)
      • A: Most of interface is via exchanged form processing. TouchNet provides extensive documentation and support materials.
  • Using Backbone and Handlebars for Web-App Development
    • Q: Are there limitations on the number of records/amount of data you can pull down & manipulate?
      • A: It can handle a lot, but since the heavy lifting occurs locally in your browser, it probably depends on the local resources available to your browser.
  • WordPress Authorizer Plugin
    • Q: How does the plugin obtain (potentially) Personally Identifiable Information (PII)? Does it store it?
      • A: PII is obtained via returned CAS attributes, or as entered by the WP site admin. May be subject to UH PII policies. Some may be stored internally(?)
    • Q: What is the granularity of access control? Can access be authorized on a per page basis?
      • A: Individual pages (or the entire site) may be designated as public or private, subject to access restrictions.
    • Q: Is Role Based Access Control (RBAC) available?
      • A: Not yet, just a default rule currently.
    • Q: Why do professors use WordPress instead of Laulima?
      • A: Historically, some prefer WP's editing environment and template/layout options.
    • Q: What roles may students have?
      • A: The admin defines their roles/capabilities. For example, may include contributing content.
    • Q: Have you seen any (security) attacks?
      • A: None that have been noticed. Generally keeps a low profile: it's not "published", and the robots.txt file keeps the well behaved from indexing sites.
    • Q: Is the plugin available for the UH WordPress service?
      • A: UH provides a "multi-site" WP offering. The plugin was designed to be compatible with this. TBD if the plugin is actually available.
  • There's a Group for That
    • Q: Groupings for faculty roles (e.g.: dept. chairs, deans, etc)?
      • A: An office has that info/grouping – they may be open to making it available via the Group Store
    • Q: What's stored in a group?
      • A: The UH Number. This is used because some people do not have or have not yet been assigned usernames.
    • Q: How do I use Groupings in an application?
      • A: IAM provides a form to request UH Groupings access, subject to data governance policies. IAM generally has discretion approving typical Groupings requests. Once access is granted, the groupings may be accessed via a variety of methods, such as SOAP, JSON, etc.
    • Q: Plans for LDAP integration? Would Groupings be exposed as a single attribute or multiple attributes?
      • A: Under consideration. Still weighing the form such integration might take (e.g., specific multivalued attributes, or replicating the Groupings hierarchies in an LDAP schema)
  • Miscellaneous
    • Q: Who is responsible for ensuring General Confidentiality Notice (GCN) requirements are met, where applicable?
      • A: Not really settled. But we're trying to provide tools to streamline business processes.
        • ACER is tied in with CAS and Groupings
          • CAS releases the uhAcknowledgement attribute
            • multivalued, may include GCN, Security Awareness Training (SAT), etc.
        • CAS releases attributes; authorization (AuthZ) is determined by the application's business logic.
    • Q: Are there funding hurdles to deploying Multi-Factor Authentication (MFA)?
      • A: No. Work is progressing as resources allow; pace is allowing us the benefit of evaluating the experiences of other institutions.




10/31/2014 - Information Technology Center 105A/B - 2:00-4:00 PM

Date/Time/Venue:

  • Fri, October 31, 2014, 2:00 PM
  • Information Technology Center, room 105A/B (visitor badges not needed for 1st floor events)

Presenters:

  1. Sandra Furuto, Office of the Exec VP for Academic Affairs, Data Governance and Operations
  2. Darryl Higa, ITS, Information Security
  3. Michael Hodges, ITS, Identity and Access Management

Agenda:

  1. Discussion: Split Our Email List: Discussions vs Announcements? (Michael)
  2. Presentation: Data Governance Topics for Applications Developers (Sandra)
    1. Mandatory Training and the General Confidentiality Notice
    2. Process for Securing Applications for 3rd Party and Cloud Services
  3. Presentation: Test Your Web App for Obvious Security Vulnerabilities Before Going Live (Darryl)
  4. Discussion: Standardizing Attribute Release Policies for CAS and Special DNs (Michael)
    1. The IAM Data Element Dictionary for LDAP and CAS
    2. The new "uhAcknowledgement" attribute, Data Governance, and the General Confidentiality Notice
    3. Is there value for a student and fac/staff "primary campus" attribute, uhScopedHomeOrg?
  5. Presentation: Multi-Factor Authentication Pilot Project (Michael)
  6. Notables, Quick Tips and Reminders
    1. CAS3 Registrations approaching 200.
    2. Final End of Service Life Reminders: CAS2 and legacy LDAP retire end of calendar year 2014.

More info:

  • Slide Deck

    Q&As Transcription:

    o During the decision process, when evaluating different applications, they should know data must be provided.  Why isn't this a trigger to engage data providers?
    Has not been in the culture.  Typically data providers are only engaged very late in the process.
    Comment: Provide training and educate everyone to involve data providers earlier in the process.
    Comment: Going to be sending out a memo to everyone about this.

    o I'm a system staff AND a student, is my affiliation system staff?
    This attribute is connected to many systems so we know not just primary, but all your roles.  There are many possible roles and we track them.  Some of your roles are scoped through PeopleSoft, some through Banner.  People can currently have 2 scopedHomeOrg values (from PeopleSoft and Banner).
    Comment (Julio): We are not arbitrarily picking 1 affiliation as primary.  This concept is already in other systems (e.g., Banner and PeopleSoft).  We are just exposing those concepts through this multivalued attribute.  You can scope as Banner or PeopleSoft depending on which you want.
    The meaning of "primary" homeOrg is very different from Banner vs. PeopleSoft.
    Comment (Baron): Scoping is based on the system of record.  We are trying to make each SoR's concept of homeOrg available.

    o This doesn't tell me if I'm primarily a staff or primarily a student?
    No, it does not.  We have a "trumping order" to determine that.  "Fac/Staff" trumps "Student", but the logic for that trumping order is internal to UHIMS at this point.
    Comment (Julio): The trumping order is something we came up with; this scopedHomeOrg comes straight from Banner or PeopleSoft and we are just exposing that.

    o For UH Acknowledgement - the attribute has a timestamp recorded for when the person became certified.  Do we leave it to the app to determine how long the certification is good for?  Or does policy invalidate them?
    Plan is to consider GCN to be past its expiration date after 1 year.  For ISAT, could be 2 or 3 years.  The policy is not yet set.

    o How do we enforce that?
    Has not been solidified yet.  Application could check this or we could centrally clear them. 
    Comment: Currently the attribute is a date so your application has to check that it is recent enough.

    o How are the certifications done; is it a separate system?
    For GCN it is simple, but others require different systems and it is messy.  ISAT is in Laulima but a lot more work needs to be done to make it smoother.

    o Will we be implementing MFA for Google@UH?
    No, hard to support student population.

    o Can developers play with Duo MFA?
    Not now since we are waiting for vanilla CAS to support it. However, you can visit Duo directly, <https://www.duosecurity.com/>.

    o Limit MFA to just fac/staff in CAS?
    When CAS implements MFA support, if it does so similar to how the Shibboleth project implemented the mutli-context broker, this should be possible.  It is currently possible for an app developer to add some shim code right after the CAS authentication logic to check a person's affiliation before invoking the 2nd factor.

    o MFA-enable the password change website?
    No, it would require supporting MFA for students and we are not ready to scale out that far for the foreseeable future.

    o Can app developers receive the Duo fraud alert?
    No, the fraud alert only goes to the UH Duo administrators.

    o How does Duo MFA pricing work?
    Duo offers 3 EDU pricing models, each with a different cost per named person. Two of the models are administered by the InCommon organization. Selection of the most cost effective model is determined by anticipated head count.

    o Status of Central Active Directory Authentication Service?
    AD trust relationships remain problematic and someone other than ITS will need to investigate this and make a recipe available.
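Two points in the transcript above come down to a small policy function in the application: the uhAcknowledgement attribute carries a date and the application must check that it is recent enough (GCN planned to expire after one year, ISAT after two or three), and an app can check a person's affiliation right after CAS authentication before invoking the second factor. The Python below is an added example, not code from this page or from UH ITS. It assumes a representation the page does not specify: attributes as a dict of string lists, and each uhAcknowledgement value written as `NAME:YYYY-MM-DD`; the two-year SAT window is a placeholder for the policy the page says is not yet set.

```python
"""Added example (not from the page or UH ITS): policy checks over CAS-released attributes.

Assumed, not given by the page:
  * attributes arrive as a dict mapping attribute name -> list of string values
  * each uhAcknowledgement value looks like "NAME:YYYY-MM-DD" (e.g. "GCN:2014-09-15")
  * the SAT/ISAT window is two years (the page says that policy is not yet set)
"""
from datetime import date

# Maximum age of each acknowledgement, in days (GCN window from the page; SAT assumed).
ACK_MAX_AGE_DAYS = {
    "GCN": 365,       # General Confidentiality Notice: "past its expiration date after 1 year"
    "SAT": 2 * 365,   # Security Awareness Training: "could be 2 or 3 years"; 2 assumed here
}

# Affiliations for which the application itself invokes the second factor (fac/staff only).
MFA_AFFILIATIONS = {"faculty", "staff"}


def parse_acknowledgements(values):
    """Map ["GCN:2014-09-15", ...] to {"GCN": date(2014, 9, 15), ...}.

    Values that do not parse are dropped: an unreadable stamp must never count
    as a valid acknowledgement.
    """
    acks = {}
    for value in values:
        name, sep, stamp = value.partition(":")
        if not sep:
            continue
        try:
            acks[name.strip().upper()] = date.fromisoformat(stamp.strip())
        except ValueError:
            continue
    return acks


def acknowledgement_is_current(acks, name, today):
    """True only if NAME was acknowledged, is not future-dated, and is within its window."""
    when = acks.get(name)
    if when is None or when > today:
        return False
    return (today - when).days <= ACK_MAX_AGE_DAYS[name]


def requires_second_factor(affiliations):
    """Shim check after CAS authentication: only fac/staff are sent to the second factor."""
    return any(a.strip().lower() in MFA_AFFILIATIONS for a in affiliations)


def authorize(attrs, today, required=("GCN",)):
    """Apply the application's own business logic to the released attributes.

    Returns a dict with 'allowed' (all required acknowledgements current),
    'stale' (required acknowledgements missing or expired) and
    'second_factor' (whether this person should be prompted for MFA).
    `today` may be a date or an ISO-8601 string.
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    acks = parse_acknowledgements(attrs.get("uhAcknowledgement", []))
    stale = [n for n in required if not acknowledgement_is_current(acks, n, today)]
    return {
        "allowed": not stale,
        "stale": stale,
        "second_factor": requires_second_factor(attrs.get("eduPersonAffiliation", [])),
    }


# Constructed sample of what CAS might release for one person (all values made up).
SAMPLE_ATTRS = {
    "uid": ["jdoe"],
    "eduPersonAffiliation": ["staff", "student"],
    "uhAcknowledgement": ["GCN:2014-09-15", "SAT:2013-02-01", "not-a-stamp"],
}

if __name__ == "__main__":
    print(authorize(SAMPLE_ATTRS, "2014-10-31"))
    print(authorize(SAMPLE_ATTRS, "2015-06-01", required=("GCN", "SAT")))
```

The decision is made against the attributes CAS released, not against anything the client supplies, and a missing, malformed or future-dated stamp fails closed; if the policy later moves to central clearing of expired acknowledgements, only `ACK_MAX_AGE_DAYS` changes.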




04/04/2014 - Information Technology Center 105A/B - 2:00-4:00 PM

Presenters:

  1. Jodi Ito, ITS, Info Tech Security Officer
  2. Sid Savara, ITS, KFS Team Manager and Software Developer
  3. Gwen Jacobs, ITS, Director for Cyberinfrastructure
  4. Michael Hodges, ITS, Identity and Access Management

Agenda:

  1. Security: Overview of Univ. of Maryland Breach - a highly targeted attack (Jodi Ito)
  2. Presentation: Utilizing a wiki space for organizing technical documentation, sharing ITS practices (Sid Savara)
  3. Presentation: ITS Cyberinfrastructure: supporting the IT needs of the UH research community (Gwen Jacobs)
  4. Presentation: UH Groupings, a highly versatile tool for authorizations management and much more (Michael Hodges)
  5. Quick Tips and Reminders
    1. VIA for visitor access to wireless networks, and creating test accounts
    2. Technical questions? You have 180 UH IT colleagues on the uh-app-developers-l@lists.hawaii.edu list.
    3. End of Service Life Reminders: CAS2 and legacy LDAP retire end of calendar year 2014.

More info:

  • Slide Deck

  • Q&As Transcription:

    Jodi Ito, ITS, Info Sec

    Maintaining necessary Data, User Accounts

    Two Factor Authentication

    Do not reuse old passwords

    Q: Why did the hackers change the passwords of the accounts they compromised?

    A: To gain access without using a brute force method; changing the System Administrator passwords opened access to the rest of the system databases.


    Sid Savara, ITS, MIS

    Uses of Wiki:

    Stand in for training, solutions cheat sheet, serve as proxy when a person is Out of Office

    Q: Are the tags specific to your content only or confluence wide?

    A: It doesn’t span across spaces, it only retrieves relevant tags connected to your space

    Q: Are the fields generated by the JIRA gadget specific to the problem? 

    A: Yes, they are retrieved from the library of solutions we created.  You can use the JIRA gadget at any point in the Confluence pages.


    Gwen Jacobs, ITS, CI

    CI support - Data Intensive Science and Engineering Theme

    Acquiring resources for implementing infrastructure:

    - Informatics
    - High Performance Computing
    - Big Data Analytics
    - Data Management

    Q: Has there been some thought on giving access to CI to Administrative Units?

    A: Definitely, the different services that were mentioned are open to anyone on campus

    Q: How is access going to be divided up for everyone?

    A: The vision is to have a faculty advisory board that will oversee how resources are allocated; grants will be recruited by faculty.


    Michael Hodges, ITS, TI-IAM

    Grouper

    Q: You mentioned a user interface, is there an API?

    A: Yes, the entire Grouper API is exposed.


  • Photos (gallery): 2014-04-04a.jpg, 2014-04-04b.jpg, 2014-04-04c.jpg, 2014-04-04d.jpg, 2014-04-04e.jpg

...

10/25/2013 - Kuykendall 201 - 2:00-4:00 PM

Presenters:

  1. Russ Tokuyama, ITS, TI-SYS
  2. Ben Karsin, ITS, TI-IAM
  3. Jodi Ito, ITS, Infotech Security
  4. Michael Hodges, ITS, TI-IAM

Agenda:

  1. Informal Polls: UH Web Login Service V2 and LDAP migration plans (Michael)
  2. Presentation: The Importance of Best Practices for ADLC (Russ)
    1. ADLC == Application Development Life Cycle
  3. Presentation: Using JqGrid for rich web client app development (Ben)
  4. Presentation: New UH Data Classifications (Jodi)
  5. Topic: Oracle CWL Pricing Changes (Michael)
  6. Topic: Quick IAM Ecosystem Glance (Michael)
  7. Snacks: And an opportunity to meet your colleagues (everyone)

More info:

  • Slide Deck
  • Draft Data Classifications Categories

    Q&As Transcription:

    Q. My application is using a special DN to do searches. Is the new 389DS LDAP similar enough to the old Sun/Oracle LDAP for my application to continue to work?
    A. The new 389DS LDAP should work without any changes on your part. Take a look at the following page in our IAM docs for developers for more info:
    o https://www.hawaii.edu/bwiki/display/UHIAM/Next+Generation+LDAP (a later revision of this page gives https://uhawaii.atlassian.net/wiki/display/UHIAM/Next+Generation+LDAP)
    It is recommended that you test first before committing your changes to your production environment.

    Q. Regarding the new draft data classifications, what classifies something as part of the Restricted category?
    A. Items in the Restricted Category would be a data element that exposes limited amounts of information where, if it were to be hacked, there would be no damaging effects.

    Q. Is there a current place to retrieve data classifications/specifications for category items?
    A. Executive Policy E2.214, Securing Sensitive Information at the University. Also,
    o http://www.hawaii.edu/infosec has information regarding applicable university policies and compliance

    Q. When will the new category classification system take effect?
    A. Currently we are vetting with the key stakeholders. We hope to have the new policy in place by the end of calendar year 2013.

    Q. Can you differentiate between Sensitive and Highly Regulated information?
    A. Sensitive: personal credentials (home address, etc.) -- this is protected by the University, but does not constitute data for which a breach notification would be necessary.
    Highly regulated: PCI, HIPAA

    Q. Difference between private and student home address?
    A. Permanent address => home address; current address/local address => dorm, apt.; student's permanent address is classified as sensitive.

    Q. Do these new data classifications apply only to ITS?
    A. This new policy is applicable to the entire University System.

    Q. What does moving the email to the restricted category do?
    A. This is primarily for FERPA compliance. It restricts the sharing of student email addresses when they are requested by companies such as data services that want the information under the Hawaii sunshine laws for access to government information.

    Q. Will we be getting New hardware to be placed in the new Data Center?
    A. Yes, but the new hardware reflects our planned growth requirements and is not a large-scale replacement of existing hardware.

    Q. Are there any costs for the new Oracle Enterprise Database license available through ITS?
    A. ITS is paying Oracle a lot of money for the Campus Wide License. ITS has implemented a charge-back structure for those that would like to have direct access to Oracle technical support. The charge-back structure represents a 95% reduction from Oracle list price and is considered very fair and reasonable. Details are available:
    o http://www.hawaii.edu/sitelic/oracle/

    Q. If the costs for Oracle support are still too high for those that only need support for one or two processors and can use Standard instead of Enterprise edition software, what are the alternatives?
    A: The MariaDB fork of MySQL has gained substantial momentum, with Intel being the most recent large organization to get behind the project, and MariaDB is increasingly becoming the MySQL variant of choice for the various LAMP stacks. Note that MySQL increasingly contains proprietary features, such that replacing it with a forked MySQL variant will become increasingly more difficult. Now's a good time to determine your future strategy. PostgreSQL's latest version has been very well received, has a very active community, and even has a phpMyAdmin-like interface for developers.


...