App Developers Forum

This forum is for the UH IT community, which includes IT staff, IT managers, IT professors and those participating in IT-related projects.

It is highly recommended that you sign up if you utilize any of the IAM services in order to stay informed.  The IAM services include, but are not limited to UH Login (CAS, Shibboleth IdP) and Directory Services (LDAP).


The UH IT Community forum, currently on hiatus, is convened by the ITS Identity and Access Management (IAM) group approximately every few years.  These meetings are hosted by the IAM team in ITS so that we may share our project plans and status updates for Middleware projects relevant to the UH developer community.  The intent is to involve IT managers and UH developers in the very early project stages to obtain feedback and to ensure better alignment of efforts and outcomes.  Over time it is hoped that IT managers and UH developers will begin sharing their own projects to further enhance collaboration within the UH developer community.  Besides IAM topics, other topics relevant to UH application developers and technical leads are often included.

Joining the UH App Developers email list

UH IT Community email list: <uh-app-developers-l@lists.hawaii.edu>.

  • If you are not on the mailing list for notices of upcoming meetings, please email <its-iam-help@lists.hawaii.edu> to be included.
  • The mailing list also features technical discussions and a searchable archive of previous discussions.
  • The list includes over 250 members from across the UH IT community.

LISTSERV discussion archives

Forum Discussions: Upcoming, Recent and Historic


Upcoming discussions


Presenters, there is a PowerPoint template available for your use: <UH App Developers 2015 template.pptx>. This is very useful if you'd like us to merge your slides into the master presentation deck.

Next Meeting - TBA - Information Technology Center - snacks

Date/Time/Venue:

  • TBA, 2:00-3:30 PM
  • Information Technology Center, room 105A/B (visitor badges not needed for 1st floor events)

Presentations:

  1. TBA
  2. TBA
  3. TBA
  4. Quick Topics - Michael Hodges, ITS, TI-IAM
    1. CAS URL registration requests
    2. CAS Infrastructure changes
    3. CAS, attributes, and 3rd-parties; yes we can!
    4. MFA, what's up with that?
    5. IAM is now actively blogging

Slide Deck

More info: 



Remote attendance. If you plan to attend from a remote location, please review the (read this whole paragraph before clicking the link) MCU Services requirements and then send me your IP at least 5 working days before the meeting. Please do not contact the ITS Videoconferencing group directly; email me your IP so that I may collect them all and submit a single MCU request. Thank you.



Future topics

  1. Presentation: Using Selenium for testing web apps and other automations (Erik Meade)
  2. Presentation: UH Groupings Road Map (Michael)
  3. Presentation: Crafting Email Official Messages that don't look like phishing attacks (TBD)
  4. Topic: Gathering functional requirements for Delegated Management of "extended community members" that require central authentication (Michael)
    1. Topic needs a shorter handle that is also intelligible.
    2. "Extended community members" are members of the more general community that utilize UH online resources informally, or semi-formally, such as walk-ins using UH library resources.

Previous discussions


Friday, May 25, 2018 - Information Technology Center

Date/Time/Venue:

  • Fri, 5/25, 2:00-3:30 PM
  • Information Technology Center, room 105A/B (visitor badges not needed for 1st floor events)

Presentations:

  1. UH Groupings Update - Julio Polo, ITS, TI-IAM
  2. UH Groupings UI 2.0 - Michael Hodges and the IAM Web Student Team, ITS, TI-IAM
  3. Security Update - Jodi Ito, ITS, InfoSec
  4. Website Accessibility and Compliance - Mitch Ochi, ITS, CSOC
  5. UHIMS Events Update - Julio Polo, ITS, TI-IAM
  6. Quick Topics - Michael Hodges, ITS, TI-IAM
    1. CAS URL registration requests
    2. CAS Infrastructure changes
    3. CAS, attributes, and 3rd-parties; yes we can!
    4. MFA, what's up with that?
    5. IAM is now actively blogging

Slide Deck

Jodi's Slide Deck

More info: 

Q&As

Q: Do you know how the under-age-of-majority will be used?
A: Currently being used for the consumer app; Google requires parental consent or verification of age to use the consumer app. Decided it’s better to keep track of minors in order to deny them access to consumer apps.

Q: Do you know how under-age-of-majority will be used?
A: Currently used for the consumer app; Google requires 18+ or parental consent to use the consumer app. It’s useful to keep track of minors to deny access.

Q: UH Groupings v2.0 is not in production yet?
A: 2.0 is under QA as a “production” early release. We are never going to do that again. It will be displacing version 1 in a matter of weeks, certainly before the end of the summer.

Q: Is Laulima ADA compliant?
A: Probably not. A lot of Laulima is, while a lot of it is not.

Q: Does everything (ADA) you talked about apply to the .hawaii.edu domain or university-managed domains?
A: Yes, Section 508 applies to everything under the university. Compliance will only be important if a complaint is made, as there are too many entities wrapped under the university.

Q: Any recommendations for ADA scanning tools?
A: Technically sortsight can be installed on a public network. Not any specific recommendations. Chrome plugin “sightedproof”?

Q: Does ADA compliance apply to institution or social media platforms?
A: The university must still be compliant, but some controls are limited as to how they can remediate.


Fri, Oct 30, 2015 - Information Technology Center

Date/Time/Venue:

  • Fri, October 30, 2015, 2:00-3:30 PM
  • Information Technology Center, room 105A/B (visitor badges not needed for 1st floor events)

Presenters:

  1. Jennifer Geis, ITS, MIS
  2. Michael Hodges, ITS, TI-IAM
  3. Dr Philip Johnson, UHM, ICS, CSDL
  4. Julio Polo, ITS, TI-IAM
  5. Craig Spurrier, KCC, CELT

Agenda:

  1. Presentation: Publishing UH projects to Github and building a community of interest (Philip)
  2. Presentation: Native iOS App Authenticate with CAS (Jen)
  3. Presentation: Invoking CAS from a PhoneGap based hybrid app (Craig)
  4. Update: UH Groupings (Julio)
  5. Quick Topics: (Michael)
    1. Info: ITS IAM Projects for FY2016
    2. Info: New LDAP Attributes Under Consideration
    3. Info: Phasing out CAS support for http

More info:

Slide Deck

Q&As Transcription

Publishing UH projects to Github and building a community of interest:

Question:  If we publish code on Github, are we less secure?
Answer:  Security through obscurity is not the best strategy.  Publishing on Github actually makes code more secure as more eyes can view it.  You can always limit the code that is posted to Github.
Question:  What does legal think of publishing to Github?
Answer:  Developers should reach out to legal in solidarity for the purposes of convincing them that Github is a positive step forward.
Question:  Should decades-old code be put onto Github?
Answer:  Not all code needs to go on Github.  It is advantageous to put up code that will benefit other UH developers.

Native iOS App Authenticate with CAS:

Question:  How does an app authenticate itself to the web service?
Answer:  When the cookie gets passed to the login service.
Question:  If an app does not associate with eCafe, how does it validate that the person is UH affiliated?
Answer:  You can pass it any URL that is registered.
Question:  In the native app scenario, does the app obtain the user credentials?
Answer:  Yes.

Invoking CAS from a PhoneGap based hybrid app:

Question:  What are the benefits of using the phone app compared to a web app?
Answer:  Geolocation functionality for maps, better access to the camera, access to additional libraries, able to access the iOS keychain.
Question:  How does the app deal with a jailbroken Android phone?
Answer:  Android takes steps against this; ultimately the data is the student's responsibility.
Question:  Is the app available for the community?
Answer:  Currently working with HCC.  In general, there is support from the "higher ups".  Contact Craig if interested.

UH Groupings:

Question:  What is UH Groupings used for?
Answer:  Allows a person to enter an application based off of specified qualifications set in the group.  Allows on/off boarding of lists to be automated.
Question:  Is there documentation for Grouper?

Fri, April 24, 2015 - Information Technology Center

Date/Time/Venue:

  • Fri, April 24, 2015, 2:00-3:30 PM
  • Information Technology Center, room 105A/B (visitor badges not needed for 1st floor events)

Presenters:

  1. Wendall Ho, Treasury Office
  2. Michael Hodges, ITS, Enterprise Middleware, Identity and Access Management
  3. Monir Hodges, HCC, PCATT
  4. Ben Karsin, ITS, Technology Infrastructure
  5. Julio Polo, ITS, Enterprise Middleware, Identity and Access Management
  6. Paul Ryan, UHM, College of Education

Agenda:

  1. Breaking News: All IT Workshop
  2. Presentation: eCommerce on Campus (Wendall/Monir)
  3. Presentation: Using Backbone and Handlebars for Web-App Development (Ben)
  4. Presentation: WordPress Authorizer plugin (Paul)
  5. Presentation: There's a Group for that (Julio)
  6. Notables, Quick Tips and Reminders
    1. Google@UH calendaring informal poll
    2. ACER, online General Confidentiality Notice
    3. SECE now supports GCN review for student supervisors
    4. MFA project update

More info:

Slide Deck

Q&As Transcription
  • eCommerce on Campus
    • Q: Does TouchNet (uStore, uPay) link to existing UH accounts with your fiscal office(r)?
      • A: No. Your F.O. must log in to the TouchNet to obtain credit card receipts and reconcile them with your account
    • Q: Does it have the ability to do authorization & "capture"?
      • A: Yes. This is called "fulfill". Allows you to charge the user's card at a later time.
    • Q: Is it required to have some sort of identification or branding (e.g. UH logo) that identifies the site using this as official UH service?
      • A: May be subject to general UH or specific campus policy(?). The initial uStore page is branded with UH identifiers; developers using uPay are responsible for the appearance of their apps. Each campus/system may have their own style guides.
    • Q: How does TouchNet support developers (libraries, languages, clients, etc?)
      • A: Most of interface is via exchanged form processing. TouchNet provides extensive documentation and support materials.
  • Using Backbone and Handlebars for Web-App Development
    • Q: Are there limitations on the number of records/amount of data you can pull down & manipulate?
      • A: It can handle a lot, but since the heavy lifting occurs locally in your browser, it probably depends on the local resources available to your browser.
  • WordPress Authorizer Plugin
    • Q: How does the plugin obtain (potentially) Personally Identifiable Information (PII)? Does it store it?
      • A: PII is obtained via returned CAS attributes, or as entered by the WP site admin. May be subject to UH PII policies. Some may be stored internally(?)
    • Q: What is the granularity of access control? Can access be authorized on a per page basis?
      • A: Individual pages (or the entire site) may be designated as public or private, subject to access restrictions.
    • Q: Is Role Based Access Control (RBAC) available?
      • A: Not yet, just a default rule currently.
    • Q: Why do professors use WordPress instead of Laulima?
      • A: Historically, some prefer WP's editing environment and template/layout options.
    • Q: What roles may students have?
      • A: The admin defines their roles/capabilities. For example, may include contributing content.
    • Q: Have you seen any (security) attacks?
      • A: None that has been noticed. Generally keeps a low profile: it's not "published", and the robots.txt file keeps the well behaved from indexing sites.
    • Q: Is the plugin available for the UH WordPress service?
      • A: UH provides a "multi-site" WP offering. The plugin was designed to be compatible with this. TBD if the plugin is actually available.
  • There's a Group for That
    • Q: Groupings for faculty roles (e.g.: dept. chairs, deans, etc)? 
      • A: An office has that info/grouping – they may be open to making it available via the Group Store
    • Q: What's stored in a group?
      • A: The UH Number. This is used because some people do not have or have not yet been assigned usernames.
    • Q: How do I use Groupings in an application?
      • A: IAM provides a form to request UH Groupings access, subject to data governance policies. IAM generally has discretion approving typical Groupings requests. Once access is granted, the groupings may be accessed via a variety of methods, such as SOAP, JSON, etc.
    • Q: Plans for LDAP integration? Would Groupings be exposed as a single attribute or multiple attributes?
      • A: Under consideration. Still weighing the form such integration might take (e.g., specific multivalued attributes, or replicating the Groupings hierarchies in an LDAP schema)
  • Miscellaneous
    • Q: Who is responsible for ensuring General Confidentiality Notice (GCN) requirements are met, where applicable?
      • A: Not really settled. But we're trying to provide tools to streamline business processes.
        • ACER is tied in with CAS and Groupings
          • CAS releases the uhAcknowledgement attribute
            • multivalued, may include GCN, Security Awareness Training (SAT), etc.
        • CAS releases attributes; authorization (AuthZ) is determined by the application's business logic.
    • Q: Are there funding hurdles to deploying Multi-Factor Authentication (MFA)?
      • A: No. Work is progressing as resources allow; pace is allowing us the benefit of evaluating the experiences of other institutions.



10/31/2014 - Information Technology Center 105A/B - 2:00-4:00 PM

Date/Time/Venue:

  • Fri, October 31, 2014, 2:00 PM
  • Information Technology Center, room 105A/B (visitor badges not needed for 1st floor events)

Presenters:

  1. Sandra Furuto, Office of the Exec VP for Academic Affairs, Data Governance and Operations
  2. Darryl Higa, ITS, Information Security
  3. Michael Hodges, ITS, Identity and Access Management

Agenda:

  1. Discussion: Split Our Email List: Discussions vs Announcements? (Michael)
  2. Presentation: Data Governance Topics for Applications Developers (Sandra)
    1. Mandatory Training and the General Confidentiality Notice
    2. Process for Securing Applications for 3rd Party and Cloud Services
  3. Presentation: Test Your Web App for Obvious Security Vulnerabilities Before Going Live (Darryl)
  4. Discussion: Standardizing Attribute Release Policies for CAS and Special DNs (Michael)
    1. The IAM Data Element Dictionary for LDAP and CAS
    2. The new "uhAcknowledgement" attribute, Data Governance, and the General Confidentiality Notice
    3. Is there value for a student and fac/staff "primary campus" attribute, uhScopedHomeOrg?
  5. Presentation: Multi-Factor Authentication Pilot Project (Michael)
  6. Notables, Quick Tips and Reminders
    1. CAS3 Registrations approaching 200.
    2. Final End of Service Life Reminders: CAS2 and legacy LDAP retire end of calendar year 2014.

More info:

  • Slide Deck

    Q&As Transcription

    Q: During the decision process evaluating different applications, they should know data must be provided.  Why isn't this a trigger to engage data providers?
    A: Has not been in the culture.  Typically data providers are only engaged very late in the process.
    Comment: Provide training and educate everyone to involve data providers earlier in the process.
    Comment: Going to be sending out a memo to everyone about this.

    Q: I'm system staff AND a student; is my affiliation system staff?
    A: This attribute is connected to many systems so we know not just the primary, but all your roles.  There are many possible roles and we track them.  Some of your roles are scoped through Peoplesoft, some through Banner.  People can currently have 2 scopedHomeOrg values (from Peoplesoft and Banner).
    Comment (Julio): We are not arbitrarily picking 1 affiliation as primary.  This concept is already in other systems (e.g., Banner and Peoplesoft).  We are just exposing those concepts through this multivalued attribute.  You can scope as Banner or Peoplesoft depending on which you want.
    The meaning of "primary" homeOrg is very different from Banner vs. Peoplesoft.
    Comment (Baron): Scoping is based on the system of record.  We are trying to make each SoR's concept of homeOrg available.

    Q: This doesn't tell me if I'm primarily staff or primarily a student?
    A: No, it does not.  We have a "trumping order" to determine that.  "Fac/Staff" trumps "Student", but the logic for that trumping order is internal to UHIMS at this point.
    Comment (Julio): The trumping order is something we come up with; this scopedHomeOrg comes straight from Banner or Peoplesoft and we are just exposing that.

    Q: For UH Acknowledgement - the attribute has a timestamp recorded for when the person became certified.  Do we leave it to the app to determine how long the certification is good for?  Or does policy invalidate them?
    A: The plan is to consider the GCN to be past its expiration date after 1 year.  For ISAT, it could be 2 or 3 years.  The policy is not yet set.

    Q: How do we enforce that?
    A: Has not been solidified yet.  The application could check this or we could centrally clear them.
    Comment: Currently the attribute is a date, so your application has to check that it is recent enough.

    Q: How are the certifications done; is it a separate system?
    A: For GCN it is simple, but others require different systems and it is messy.  ISAT is in Laulima, but a lot more work needs to be done to make it smoother.

    Q: Will we be implementing MFA for Google@UH?
    A: No, it is hard to support the student population.

    Q: Can developers play with Duo MFA?
    A: Not now, since we are waiting for vanilla CAS to support it.  However, you can visit Duo directly, <https://www.duosecurity.com/>.

    Q: Limit MFA to just fac/staff in CAS?
    A: When CAS implements MFA support, if it does so similarly to how the Shibboleth project implemented the multi-context broker, this should be possible.  It is currently possible for an app developer to add some shim code right after the CAS authentication logic to check a person's affiliation before invoking the 2nd factor.

    Q: MFA-enable the password change website?
    A: No, it would require supporting MFA for students and we are not ready to scale out that far for the foreseeable future.

    Q: Can app developers receive the Duo fraud alert?
    A: No, the fraud alert only goes to the UH Duo administrators.

    Q: How does Duo MFA pricing work?
    A: Duo offers 3 EDU pricing models, each with a different cost per named person.  Two of the models are administered by the InCommon organization.  Selection of the most cost-effective model is determined by anticipated head count.

    Q: Status of the Central Active Directory Authentication Service?
    A: AD trust relationships remain problematic, and someone other than ITS will need to investigate this and make a recipe available.
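The freshness check that the UH Acknowledgement Q&A above leaves to the application, as an added example (not code from this page or from UH ITS): it assumes each value of the multivalued uhAcknowledgement attribute arrives as "NAME:YYYY-MM-DD" (a constructed encoding; the real one is not given here) and that the maximum ages are the application's own policy, since the Q&A says no central policy was set. Malformed, unknown or future-dated values fail closed.

```python
"""Freshness check for a multivalued uhAcknowledgement attribute released by CAS.

Added example, not UH code. Assumptions: each value is "NAME:YYYY-MM-DD"
(constructed encoding) and MAX_AGE_DAYS is the application's own policy.
"""
from datetime import date, timedelta

# Application-side policy (assumed): GCN good for 1 year, ISAT for 2 years,
# the figures floated in the Q&A. Names not listed here are never accepted.
MAX_AGE_DAYS = {"GCN": 365, "ISAT": 730}


def _as_date(value):
    """Accept a date or an ISO-8601 string so callers can pass either."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def parse_acknowledgements(values):
    """Map acknowledgement name -> most recent certification date.

    Malformed values are skipped rather than treated as valid, so a bad
    attribute can never grant access (fail closed).
    """
    latest = {}
    for raw in values:
        name, sep, stamp = raw.strip().partition(":")
        if not sep:
            continue  # no separator: not a NAME:DATE value
        try:
            when = date.fromisoformat(stamp.strip())
        except ValueError:
            continue  # unparseable date
        name = name.strip().upper()
        if name not in latest or when > latest[name]:
            latest[name] = when
    return latest


def current_acknowledgements(values, today, max_age_days=MAX_AGE_DAYS):
    """Return the set of acknowledgement names still within their max age."""
    today = _as_date(today)
    current = set()
    for name, when in parse_acknowledgements(values).items():
        if name not in max_age_days:
            continue  # unknown acknowledgement type: fail closed
        if when > today:
            continue  # future-dated: treat as invalid
        if today - when <= timedelta(days=max_age_days[name]):
            current.add(name)
    return current


def requires(values, today, needed, max_age_days=MAX_AGE_DAYS):
    """Application business logic: every name in `needed` must be current."""
    return set(n.upper() for n in needed) <= current_acknowledgements(
        values, today, max_age_days)


if __name__ == "__main__":
    # Constructed sample: the attribute as it might appear in a CAS attribute map.
    sample = ["GCN:2014-06-15", "ISAT:2013-09-01", "GCN:2013-01-10", "bogus"]
    print(current_acknowledgements(sample, "2014-10-31"))      # {'GCN', 'ISAT'}
    print(requires(sample, "2014-10-31", ["GCN", "ISAT"]))     # True
    print(requires(sample, "2015-11-01", ["GCN"]))             # False: GCN > 1 year
```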



04/04/2014 - Information Technology Center 105A/B - 2:00-4:00 PM

Presenters:

  1. Jodi Ito, ITS, Info Tech Security Officer
  2. Sid Savara, ITS, KFS Team Manager and Software Developer
  3. Gwen Jacobs, ITS, Director for Cyberinfrastructure
  4. Michael Hodges, ITS, Identity and Access Management

Agenda:

  1. Security: Overview of Univ. of Maryland Breach - a highly targeted attack (Jodi Ito)
  2. Presentation: Utilizing a wiki space for organizing technical documentation, sharing ITS practices (Sid Savara)
  3. Presentation: ITS Cyberinfrastructure: supporting the IT needs of the UH research community (Gwen Jacobs)
  4. Presentation: UH Groupings, a highly versatile tool for authorizations management and much more (Michael Hodges)
  5. Quick Tips and Reminders
    1. VIA for visitor access to wireless networks, and creating test accounts
    2. Technical questions? You have 180 UH IT colleagues on the uh-app-developers-l@lists.hawaii.edu list.
    3. End of Service Life Reminders: CAS2 and legacy LDAP retire end of calendar year 2014.

More info:

  • Slide Deck
  • Q&As Transcription

    Jodi Ito, ITS, Info Sec

    Maintaining necessary Data, User Accounts

    Two Factor Authentication

    Do not reuse old passwords

    Q: Why did the hackers change the passwords of the accounts they compromised?

    A: To gain access without using a brute force method; changing System Administrator passwords opened access to the rest of the system databases.


    Sid Savara, ITS, MIS

    Uses of Wiki:

    Stand in for training, solutions cheat sheet, serve as proxy when a person is Out of Office

    Q: Are the tags specific to your content only or confluence wide?

    A: It doesn’t span across spaces, it only retrieves relevant tags connected to your space

    Q: Are the fields generated by the JIRA gadget specific to the problem? 

    A: Yes, they are retrieved from the library of solutions we created.  You can use the JIRA gadget at any point in the Confluence pages.


    Gwen Jacobs, ITS, CI

    CI support - Data Intensive Science and Engineering Theme

    Acquiring resources for implementing infrastructure:

      • Informatics
      • High Performance Computing
      • Big Data Analytics
      • Data Management

    Q: Has there been some thought on giving access to CI to Administrative Units?

    A: Definitely, the different services that were mentioned are open to anyone on campus

    Q: How is access going to be divided up for everyone?

    A: The vision is to have a faculty advisory board that will oversee how resources are allocated; grants will be recruited by faculty.


    Michael Hodges, ITS, TI-IAM

    Grouper

    Q: You mentioned a user interface, is there an API?

    A: Yes, the entire Grouper API is exposed.

  • Photos


10/25/2013 - Kuykendall 201 - 2:00-4:00 PM

Presenters:

  1. Russ Tokuyama, ITS, TI-SYS
  2. Ben Karsin, ITS, TI-IAM
  3. Jodi Ito, ITS, Infotech Security
  4. Michael Hodges, ITS, TI-IAM

Agenda:

  1. Informal Polls: UH Web Login Service V2 and LDAP migration plans (Michael)
  2. Presentation: The Importance of Best Practices for ADLC (Russ)
    1. ADLC == Application Development Life Cycle
  3. Presentation: Using JqGrid for rich web client app development (Ben)
  4. Presentation: New UH Data Classifications (Jodi)
  5. Topic: Oracle CWL Pricing Changes (Michael)
  6. Topic: Quick IAM Ecosystem Glance (Michael)
  7. Snacks: And an opportunity to meet your colleagues (everyone)

More info:

  • Slide Deck
  • Draft Data Classifications Categories

     Q&As Transcription

    Q. My application is using a special DN to do searches. Is the new 389DS LDAP similar enough to the old Sun/Oracle LDAP for my application to continue to work?
    A. The new 389DS LDAP should work without any changes on your part. Take a look at the following page in our IAM docs for developers for more info:
      • https://uhawaii.atlassian.net/wiki/display/UHIAM/Next+Generation+LDAP
    It is recommended that you test first before committing your changes to your production environment.

    Q. Regarding the new draft data classifications, what classifies something as part of the Restricted category?
    A. Items in the Restricted category would be a data element that exposes limited amounts of information where, if it were to be hacked, there would be no damaging effects.

    Q. Is there a current place to retrieve data classifications/specifications for category items?
    A. Executive Policy et.214, securing sensitive information at the university. Also,
      • http://www.hawaii.edu/infosec has information regarding applicable university policies and compliance.

    Q. When will the new category classification system take effect?
    A. Currently we are vetting with the key stakeholders. We hope to have the new policy in place by the end of calendar year 2013.

    Q. Can you differentiate between Sensitive and Highly Regulated Information?
    A. Sensitive: Personal credentials (home address, etc.) -- this is protected by the University, but does not constitute data for which a breach notification would be necessary.
    Highly regulated: PCI, HIPAA.

    Q. Difference between private and student home address?
    A. Permanent address => home address; current address/local address => dorm, apt.; a student's permanent address is classified as sensitive.

    Q. Do these new data classifications apply only to ITS?
    A. This new policy is applicable to the entire University System.

    Q. What does moving the email to the restricted category do?
    A. This is primarily for FERPA compliance. It restricts the sharing of student email addresses when they are requested by companies such as data services that want the information under the Hawaii sunshine laws for access to government information.

    Q. Will we be getting new hardware to be placed in the new Data Center?
    A. Yes, but the new hardware reflects our planned growth requirements and is not a large-scale replacement of existing hardware.

    Q. Are there any costs for the new Oracle Enterprise Database license available through ITS?
    A. ITS is paying Oracle a lot of money for the Campus Wide License. ITS has implemented a charge-back structure for those that would like to have direct access to Oracle technical support. The charge-back structure represents a 95% discount from Oracle list price and is considered very fair and reasonable. Details are available:
      • http://www.hawaii.edu/sitelic/oracle/

    Q. If the costs for Oracle support are still too high for those that only need support for 1 or 2 processors and can use Standard instead of Enterprise edition software, what are the alternatives?
    A. The MariaDB fork of MySQL has gained substantial momentum, with Intel being the most recent large organization to get behind the project, and MariaDB is increasingly becoming the MySQL variant of choice for the various LAMP stacks. Note that MySQL increasingly contains proprietary features, such that replacing it with a forked MySQL variant will become increasingly more difficult. Now's a good time to determine your future strategy. PostgreSQL's latest version has been very well received, has a very active community, and even has a PhpMyAdmin-like interface for developers.


2013-02-22 - Kuykendall 201 - 2:00-4:00 PM - snacks

Presenters:

  1. Michael Hodges, ITS, IAM
  2. Stephan Fabel, UHM College of Ed
  3. Janice Kawachi, ITS, Network Operations

Agenda:

  1. Poll: Migration plans for exiting CAS2 before 2014
  2. Poll: Using the UH Holiday Web Service
  3. Poll: Thinking about Enterprise Deprovisioning
  4. Presentation: OpenStack for Server Virtualization & Mngt (Stephan Fabel, COE)
  5. Tech Tip: Selecting an smtp server for applications
  6. Presentation: Information Technology Building (Jan Kawachi, ITS)
  7. Presentation: ITS Price List – ITS Services expansion (Michael Hodges, ITS)
  8. Updates: Quick status updates
  9. Snacks: And an opportunity to meet your colleagues

Presentations:

Discussion:

Enterprise Deprovisioning

Q: Why might one need more than "role" based access control (RBAC)?
Q: Why use UHIMS messages vs. using AuthZ just at time of AuthN?

  • Depends on your application needs.
  • UHIMS provides more detail/granularity for distinguishing between campuses/roles.

Q: UHIMS covers all UH?

  • Yes

Tech Tip: Selecting an SMTP server for applications

  • smtp.hawaii.edu should be used in preference to mail.hawaii.edu for SMTP

Q: Distinction between smtp.hawaii.edu and smtp.its.hawaii.edu?

  • smtp.its.hawaii.edu is used for ITS (internal) apps. Generally, smtp.hawaii.edu should be used by developers.

IT center status

Q: Security and access?

  • Security cameras, proximity access cards; data center floor (2) restricted further.

Q: Availability of VLANs over wider geographic areas / across campus? More distant MPLS to overcome multipath/VLAN restrictions?

  • Evaluated on a per-request basis. Subject to constraints, but the networking group welcomes inquiries.

IT price list: IaaS

Q: When will the price list be published?

  • Shooting for Q1 this year / by start of fiscal year for planning. Hopefully coincide w/ move to new building.

Q: BIM(?) project needs more resources than available w/ current VM offerings. E.g.:

  • Managed desktops
  • Thick vs. thin provisioning?

Q: Underlying hardware/architecture? Limitations with Cisco — shared GPU identified as important supported feature.

  • Feedback welcomed.

Quick status updates

Q: Limited support for campus VPN services. More VPN support in future? Tied in w/ LDAP? SSO?

  • To be considered.

Q: LDAP: Status of test data in production systems?

  • Test data to remain for now, but we would like to eventually remove test data from production systems and migrate test data to test environments.

Q: ldap.hawaii.edu live yet?

  • Slated for 04.01


2012-08-03 - Kuykendall 201 - 2:00-4:00 PM

Presenters:

  1. Michael Hodges, ITS, IAM
  2. Jodi Ito, ITS, Security
  3. Cameron Ahana, ITS, MIS
  4. Julio Polo, ITS, IAM

Agenda:

  1. uh-app-developers-l@lists.hawaii.edu LISTSERV list, 110 members to date (Michael)
    1. Discuss folding uh-web-login-l@lists.hawaii.edu into this list, looking for critical mass, and shutting down uh-ldap too.
  2. Security Awareness (Jodi Ito)
    1. Information Security Issues (3rd party applications/hosting including cloud considerations, data sharing issues, etc)
  3. UH Holiday Web Service (Cameron)
  4. UHIMS Events (Julio)
    1. UH Message Broker is now in production
    2. UHIMS produces messages for KFS consumption
    3. SECE produces messages for UHIMS consumption
  5. CAS3 - next generation UH Web Login Service (Michael)
    1. Features include skins for authentication on mobile devices
    2. Discuss draft guidelines for the default attribute release policy
    3. Discuss availability of the test environments (CAS2 and CAS3)
  6. ACER (acknowledgements and certifications service) demo and update on pilot results (Michael)
    1. Discuss availability of General Confidentiality Notice acknowledgements and Security Awareness Training certifications
    2. Update on SECE integration plans
  7. Update: Quick status update for previously mentioned projects (Michael)
    1. ACER, Acknowledgements and Certifications
    2. Grouper Groups for LISTSERV enhanced lists
    3. LDAP Project, including Active Directory
    4. UH Message Broker

Presentation Slides, including links to additional information

Discussion: (Q&As are posted here)


2012-02-10 - Kuykendall 201 - 2:00-4:00 PM

Presenters:

  1. Michael Hodges, ITS, IAM
  2. Stephan Fabel, UHM College of Ed

Agenda:

  1. Poll: UH Developers listserv list - establish an online forum for UH Developers? (Michael)
  2. Update: Quick status update for previously mentioned projects (Michael)
    1. UHIMS Grouper
    2. UHIMS Events
    3. ACER
    4. LDAP Pruning
  3. Poll: Determine interest in hands-on UHIMS Events and UHIMS Grouper bootcamps (Michael)
  4. Presentation: Using LDAP (Authz) and SASL (Authn) for passthrough authentication to control lab computers access (Stephan)
  5. Factoid: UH Number or UH Username, which is the recommended unique identifier for applications? (hint, the numeric one) (Michael)
  6. Factoid: Coordinating OID Assignments for the UH Developer Community (Michael)
  7. Presentation: Planned LDAP infrastructure changes to enhance availability and scalability (Michael)

slides
sasl passthru

Discussion:
  • UH Developer Listserv List
    • Interest indicated.  A UH Developer listserv list will be created.
  • OpenLDAP and SASL passthrough
    • Q: How to handle groups of users that are not in the local area? Within UH, but not local.
      • Register those users/groups with the SASL OpenLDAP local server.
    • Q: An org could have their own OpenLDAP and their web services would use UH CAS?
      • You don't. You authenticate directly with ITS LDAP instead. This relies on you having the username/password in the local OpenLDAP server.
    • Q: So you have your own LDAP repository with UH usernames; how do you manage lifecycle?
      • Not automated, of course, because users may stay in UH LDAP. But maybe implement with RabbitMQ and deprovision as events are generated.
      • (OpenLDAP is doing the authorization; ITS LDAP is doing the authentication.)
      • (Users may not need to worry about having to manage multiple usernames or passwords for different services.)
  • Boot Camps
    • Boot camps are of interest.  A Grouper boot camp for training will be developed to get started.
  • LDAP for the future
    • Q: Difference between ldapmaster and ldap? Difference in datasets?
      • No, but performance and availability will be better with "siloed" LDAP servers. ldapmaster can be thought of as belonging to "core" LDAP applications, like Google@UH.
    • Q: Authenticating to PCs at Hilo using ldap1 is very slow, so they use a local server, but it doesn't appear as though it's getting updated instantaneously.
      • We'll need to look at the specific case to determine what the exact issue is. Perhaps running some of the suggested tests can replicate the issue; for example, if a person can log into wireless but not PCs, versus cannot log into anything.
    • Q: With LDAP servers being fundamental, is there redundancy?
      • Minimally triple-replicated. If something fails, we're still redundant.
    • Q: Google comes through Shibboleth. Is the intent to have more apps go through Shibboleth, both external and internal?
      • For external, definitely, because of the federated "agreements" services need to have when leveraging Shibboleth. Internally, looking at the possibility of either offering Shibboleth or CAS.
    • Q: Mail clients currently point to ldap1.its.hawaii.edu. Is that correct?
      • Yes. It'd be difficult to "move" all mail clients to a newer LDAP server, so they will remain on ldap1 and we'll instead move everybody else to ldap.its.hawaii.edu. ldap1 will stay what it is; everyone else will move (subject to change).
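The OpenLDAP/SASL passthrough arrangement discussed above (local OpenLDAP answers authorization, ITS LDAP checks the credential) as an added configuration example; it is not from Stephan's presentation or from ITS. It assumes a local slapd built with Cyrus SASL, saslauthd running with its ldap backend, the upstream host ldap.its.hawaii.edu named in the discussion, and placeholder values for the upstream search base, the SASL realm, the local base DN (dc=example,dc=edu) and the sample user jdoe.

```conf
# /etc/saslauthd.conf  (run saslauthd as: saslauthd -a ldap)
# saslauthd proves the password by binding to the upstream ITS LDAP as the
# user; no password hash is ever stored on the local server.
ldap_servers: ldaps://ldap.its.hawaii.edu
# ASSUMPTION: upstream search base and attribute; confirm with ITS IAM.
ldap_search_base: ou=people,dc=hawaii,dc=edu
ldap_filter: (uid=%u)
ldap_auth_method: bind
# Verify the upstream certificate so credentials are never sent to an impostor.
ldap_tls_check_peer: yes
ldap_tls_cacert_file: /etc/ssl/certs/ca-bundle.crt

# /etc/sasl2/slapd.conf
# Tells the local slapd's SASL library to hand {SASL} password checks to saslauthd.
pwcheck_method: saslauthd
mech_list: PLAIN LOGIN

# Local slapd.conf (or the cn=config equivalent)
# Realm that the {SASL} userPassword values below refer to (placeholder).
sasl-realm hawaii.edu

# Local entries (LDIF). The userPassword holds no secret, only a pointer that
# makes slapd forward a simple bind to saslauthd. Group membership, the
# authorization decision, lives here; the credential stays in ITS LDAP.
# jdoe is a constructed sample user, not a real account.
dn: uid=jdoe,ou=people,dc=example,dc=edu
objectClass: inetOrgPerson
uid: jdoe
cn: Jane Doe
sn: Doe
userPassword: {SASL}jdoe@hawaii.edu

dn: cn=lab-access,ou=groups,dc=example,dc=edu
objectClass: groupOfNames
cn: lab-access
member: uid=jdoe,ou=people,dc=example,dc=edu
```

Before pointing slapd at it, the saslauthd leg can be checked on its own with `testsaslauthd -u jdoe -p '<password>' -r hawaii.edu`, which ships with Cyrus SASL. The local entries still have to be removed when a person leaves UH; that is exactly the lifecycle gap raised in the discussion, and the event-driven deprovisioning mentioned there is the intended answer to it.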


2011-09-16 - Kuykendall 201

Presenters:

  1. Michael Hodges, ITS, IAM
  2. Julio Polo, ITS, IAM

Agenda:

  1. UH Applications Developers Meeting - establish as an ongoing series of meetings (Michael)
  2. Update on the Grouper project (Julio)
  3. Update on the UHIMS Event Messaging Service (Julio)
  4. Planned LDAP updates to remove references to people no longer affiliated with UH (Julio)
  5. Acknowledgements application specifications (Michael)
  6. Authentication to 3rd party service providers and the sharing of attributes (Michael)
  7. The IAM public website and information for developers (Michael)

Slides

Discussion:
  • Grouper
    • Q: How would developers interface with Grouper?
      • Either as a web service or via the GUI interface.
    • Q: Will there be a test environment?
      • Yes, contact its-iam-help@lists.hawaii.edu if interested in early access.
  • UHIMS Event Messaging Services
    • Q: How do applications subscribe to events?
      • The protocol is AMQP; documentation will be provided when the service is ready.
    • Q: What port does it run on?
      • 5672
    • Q: One server?
      • Initially yes for the test environment, but production will be clustered.
    • Q: Push protocol?
      • UHIMS will push events to the broker and applications will pull events from the broker.
      • Applications must subscribe to the service.
    • Q: How long will events persist in the queue?
      • Several models for message persistence are available; it depends on needs, and we need to determine these.
    • Q: How does a newly subscribed application catch up?
      • Initialization information for a new application needs to be reviewed on a case-by-case basis.
  • LDAP Pruning
    • Q: Is anyone using LDAP for legacy information and for cross-walking UH Numbers to UH Usernames?
      • No one attending the meeting does; LDAP is primarily used for authentication.
      • Note: since the meeting it has been established that at least one developer does. IAM will provide a solution, and environment for testing, and time for migration to the solution, before any pruning is done.
    • Q: Will pruned entries be preserved elsewhere?
      • UHIMS is the UH Person Registry and preserves this information.
    • Q: Are UH Numbers preserved too?
      • Yes.
      • UH Numbers are the unique identifier assigned to anyone affiliated with UH. References to Employee Id, Student Id, Banner Id, etc. are more correctly called UH Number references; the intention is that there is but one per person no matter how many affiliations they may have with UH. If they return to UH, they should get the same UH Number back.
      • Reminder: never use the UH Number as a shared secret. The UH Number should never be used for security purposes. It would be a disservice to students to give them yet one more thing they have to guard.
  • Acknowledgements Application specifications
    • Q: Where are acknowledgements stored?
      • To be determined.
      • Since the meeting it has been determined that User Actions will be stored in LDAP.  The Acknowledgements and Certifications themselves will be stored in a relational database.
    • Q: Why would one need rotating acknowledgements?
      • Maybe for acknowledgements a developer would determine that an annual renewal is not necessary. For certifications it is likely that annual renewals will be necessary.
    • Q: Can acknowledgements be general/custom?
      • Yes, this is inherent to the design. A department should be able to stand up an Acknowledgement and IT developers would then be able to require the acknowledgement as a prerequisite for access to a department's application.
  • Authentication to 3rd Party Service Providers
    • Q: What technology is used for this?
      • Shibboleth
  • IAM Public website
    • Q: Can you email us the URL?
      • Yes.

Note: some of the questions above have been answered after-the-fact.

  • Pre-meeting discussion:
    • Q: To those that have arrived early, is Friday at 1:30PM a good timeslot for this meeting?
      • After a brief discussion it was decided that Friday is okay and that 2:00PM would be a better start time.


2011-04-28 - Kuykendall 201

Presenters:

  1. Michael Hodges, ITS, IAM
  2. Julio Polo, ITS, IAM

Agenda:

  1. Grouper - new middleware planning discussion
    1. Present organization and planned use of stems.
    2. Discuss use for role-based access control (RBAC); explore use-cases anticipated by UH Developers
  2. UHIMS Event Messaging Service - new middleware planning discussion
    1. Present early draft of the events to be communicated by this service

Topics:

UHIMS Groups maintains a repository of groups of people. The groups are automatically updated regularly and are available to applications developers. Besides the groups that are automatically maintained, custom groups can also be created. Custom groups can combine custom entries with references to members of the automatic groups.

The automatically populated groups will include students, faculty and staff, collectively and also per campus. As people change status their group membership will change accordingly. Applications that reference these groups will always have accurate information since UHIMS has connections to Banner, PeopleSoft HR, etc. Some applications will benefit from referencing the automatic groups for role-based access control (RBAC). If a person is not in the group, access can be denied or restricted. Automatic groups organized by EAC will also be available.

Features and Benefits:

  1. Define your group once and in one place (Grouper) and use it to:
    1. Manage the list of people who are allowed to access your application or system.
    2. Possibly integrate Grouper with your application or system so that membership in the group equates to authorization.
    3. Use the termination notification feature so that you are notified if anyone in your group leaves UH or changes position.
    4. Use the listserv sync feature so that your group is automatically synchronized with a listserv mailing list.
    5. Grouper gets data from LDAP so if your application is using LDAP directly, a combination of CAS and Grouper is all that your application will need. This is still being researched.
  2. For applications that need to be notified the moment someone enters or leaves a Grouper group, we are currently in the planning stages of a UHIMS Event Messaging Service. Applications will subscribe to this service to receive select event notifications, such as terminations, position changes, etc. This will allow applications to quickly adjust as appropriate a user's access to application resources.