Commit

Add files via upload
khazelton committed Jan 18, 2023
1 parent 1bd2cf4 commit e0416e5
Showing 1 changed file with 1,134 additions and 0 deletions.
1,134 changes: 1,134 additions & 0 deletions WebAuthNiamOnline.txt
@@ -0,0 +1,1134 @@

9:56 / 56:10
Transcript
0:01
foreign [Music]
0:10
thank you for joining today's IAM online the monthly webinar focused on identity
0:16
and access management and brought to you by in common my name is April Motley and
0:21
I am the communications lead for in common and I'm helping to host this hour of community and collaboration in just a
0:28
moment I'm going to turn it over to our moderator for the hour but please first note the following we will be taking
0:34
questions and comments live following the presentation using the zoom q a
0:40
function so please send those messages during the presentation because we want
0:45
this to be as interactive as possible but if possible do submit your questions using the zoom q a function
0:52
also feel free to post messages in chat just be sure that you're posting your message to the entire group that's in
0:59
your drop down menu options and also for anyone wondering we are recording this webinar you will receive a link to the
1:06
recording via email and it will also be posted to the in common website and to
1:12
our IM online YouTube channel so without further Ado I will pass things over to
1:18
Steve zoppy to introduce our topic and speaker for today thank you April welcome everyone we're
1:25
glad to see you all here um and my purpose right now just to be set a little context because the topic
1:32
that we're about to explore today has relevance and Myriad contexts and in
1:39
many of our advisory committees in the continuously evolving Universe of
1:44
identity and access management we're all challenged by the complexity of implementing technological innovations
1:51
that can be integrated into the daily lives of our constituents with the objective of making the
1:57
services easier to access and remaining secure these are challenging times and
2:04
challenging things to navigate so those challenges continue to grow with the complexity and the services offered by
2:09
commercial and institutional providers as new challenges to privacy and security arise and then there's the
2:16
subject of standards as our industry Pioneer Andrew Tanenbaum observes the nice thing about standards is that there
2:22
are so many of them moreover standards seldom stands still or stand alone especially in the tools
2:28
that clients use to access these online services authentication and authorization the two
2:35
pillars of our I am world are topics we frequently explore and share in the I am
2:41
online context with hopes that successes and lessons of our community will be of
2:47
value to other community members specifically in the browser World there are significant changes being enacted by
2:54
commercial interests intended to benefit the privacy and security of end users while some of these changes May
3:00
ultimately interfere with our community's current ability to easily access services that we consume and
3:06
provide to each other some advances are geared to overhaul old ways of doing things with new and better ways as a
3:13
community we're challenged to adopt and deploy those changes as seamlessly as possible to large populace of diverse
3:19
and ever-changing requirements in the mission of Higher Education and Research web often is one of those advances which
3:26
promises to bring us closer to the objective of password-free authentication but has its own challenges and implications in its
3:33
deployment and administration today we get to explore this aspect of
3:38
authentication with Tariq Wilson a member of our community serving the University of North Carolina at Chapel
3:45
Hill for the last two years as a software engineer on the identity management team who will share with us
3:51
their journey in implementing password-free logins without further Ado I'll pass the Baton to Tariq
3:58
oh thanks Steve uh yes good morning good afternoon everyone of course I'm on the East Coast
4:05
time so uh we have or have an interesting uh presentation for everyone and would love to share our journey uh
4:11
with a web often and what we call it UNC Carolina key so let me share my screen
4:26
yes so yeah Carolina key this is our our custom-made logo for Carolina key as we'll be um using to Market this
4:33
technology uh to uh Folks at the University so today I'll talk about what uh web
4:41
Autumn is and why we're doing implementing web often at UNC just go
4:46
over the project timeline um talk about the architecture and development aspect of the project talk
4:53
about communication strategies and that's been extremely important of course I'm going to cover challenges
4:58
which there have been many of and we'll tell them and I'll just give a brief demo after that
5:05
so what is web often so web often was announced in 2019 by the World Wide Web
5:10
Consortium and is a a global standard for password free login and
5:16
authentication the Web author API is supported by all the major browsers Firefox Chrome Edge Opera Safari and
5:25
also some more device specific browsers but there's Universe pretty much Universal support for this a for the web
5:31
authen API it relies on public key cryptography so I won't go into that at
5:38
all but for those who feel familiar with cryptography that is the basis of this technology and basically you will
5:45
authenticate to a service or a website using your device and or a hardware key
5:52
so a device can be your laptop Mac Windows machine whatever your mobile
5:57
device happens to be tablet or a UB key which trans you know you can or you'll
6:03
be to your key similar for Authentication
6:09
so continue with what web often is so unfortunately one of the most if you
6:15
search a web often on the web this is one of the top sites that will come up and it is web often is great and it
6:21
sucks and that's one of the top Google uh search results so after someone agree
6:27
with that assessment uh after working with it for two years that is sad but true initially
6:33
um there was a very tall barrier to entry um it's like once you start you it's kind of hard to understand where to
6:40
begin although there are lots of sites with sites that describe the technology there are just so many pieces to it
6:47
there are lots of acronyms there are lots of bad outdated code examples you
6:52
have so many pieces so many browsers so many devices you have your backend services that you have to integrate with
6:58
you have your front end you know depends on if it's a react system or a native JavaScript so many pieces have to come
7:04
together and there's not a lot of good demos on some how to tie all those things together so I have to say and we've had to
7:11
actually overcome uh some of the stigma that's associated with web often because of a sites like this but I think once
7:18
you get your arms around it is actually pretty cool and once you get settled it is a great technology so
7:25
just you have to overcome some of the uh perceptions and the stigma that's associated with it but it's a really
7:30
cool technology and I'll walk through our implementation strategy so why web often at UNC well we've had
7:38
an increase in phishing attacks um some uh folks that you wouldn't even expect to be fall victim victim to them
7:46
have um I.T professionals I think we're all susceptible uh uh hackers and uh other
7:53
parties are becoming very sophisticated at uh making emails look uh official and
7:59
look like they would come from an official source so we're trying to mitigate some of those effects
8:04
um we would like to reduce the number of Health that helped us incidents uh regarding password management so I
8:10
forgot the stats but I think that is one of the um one of their most uh interesting
8:15
topics uh uh and calls that they receive at the help desk is to help people manage passwords
8:21
um we'd like to improve improve overall system security right I mean if there is
8:28
a breach we haven't had one but if there is a breach or at any organization you would you don't want to have a file or a
8:35
database of passwords uh uh to be linked with that breach so that that just the Optics and the fact that that happens is
8:43
uh it's a terrible thing so um you'd like to improve your overall system security and not have eventually
8:49
not have passwords even be a vector and also um
8:54
um web often is a multi-factor authentication as well so um we add uh additional factors which
9:01
also increases uh Social Security and safeguards access to our systems
9:07
um we do think web often does enhance the user experience I mean we've come up with we meeting users people we've come
9:14
up with all sorts of tools to help manage passwords password managers I
9:19
have two of them one for UNC one for my personal um experience and then you have the password ranges built into browsers
9:27
um it's nice if you don't have to worry about those things and you can have just a more seamless process for accessing
9:33
your applications um I think folks are getting an I am getting used to using the Biometrics of
9:39
my various devices to access certain systems use the access device itself or
9:44
services that are offered by the device so I think we can leverage that experience uh with the web and access to
9:50
our systems and then finally um we like to reduce um Duo
9:56
um I guess from on the management side this is not my concern but there was a fee associated with uh pushes and the
10:03
overall interaction with Duo and then users would like to not have to use them so with our web authoring strategy for
10:09
certain sites um if you authenticate using web often you won't have to use Duo so we'll have
10:16
a decrease in in that as well so the UNC uh Web author timeline so I
10:23
started this project a little over two about two years ago yeah and um that's when we uh started the the
10:30
project and just started to think about how we would go about implementing uh web often uh I think we finally figured
10:35
out a strategy and we started our Sprints early in 2021 we just iterated
10:41
over that almost for the entire year Where We Gather requirements we work with different partners to and
10:47
especially Duke they were very helpful to us as far as like bouncing ideas off of them and looking at some of their
10:54
initial code that they've open sourced to help you started so taking that we divide design develop release internally
11:01
get some feedback learn and just go through the whole process forward again so we did that for most of 2021.
11:08
um the results of that we had an initial Pilot release to production in Spring of
11:14
2022 so about seven months ago this year so it's been in production for a small
11:20
uh subset of users so we did have to overhaul the user interface um just to support web authent and we
11:28
hid we allowed access to webathon based on you know certain groups so very
11:34
limited pilot but we got a lot of feedback over the past seven months and
11:39
based off that feedback we then went hard again on development spring summer of this year
11:45
and as a result of that we are ready to go to production tonight so I'm here with you guys to help distract from the
11:52
fact that we're going to do this today but it should be pretty cool so we're going to release uh to production
11:57
tonight it'll still be a limited audience we're going to um slowly um Grant uh students access to the web
12:04
authent and hopefully early November it will be open to the entire student population and I'll talk about why we
12:10
we're limiting access to students uh yeah again open to all students in early
12:15
November um architecture so um this is a almost a cartoonish diagram
12:22
but just wanted to uh show the different components uh architecture uh components
12:27
of our implementation um so of course we have uh shibboleth uh
12:33
system um which is the main component here and then we have and that's you know
12:39
that's where all uh single sign-on uh requests uh originate and that's with
12:46
our Chevrolet application then we uh we developed a custom uh registration
12:53
application that application uh is built using a spring framework basically for the web
13:00
server and some of the other environmental things that we like with spring because we're mostly a Java shop
13:05
and on the front end we're using uh view JS uh for you know reactive
13:12
um on the back end we have some microservices built using spring and the
13:20
shibboleth system and our registration application both make use of the web services and I'll talk about what they
13:26
do in a little bit more detail and then on the back end we have just a custom database for all of our
13:32
web often data that we use where we store the registrations and everything
13:38
associated with authent itself and of course when it's usually active directory to
13:44
deal with the user accounts and then we use grouper to right now to manage who
13:50
has access to the pilot group so we have different pilot groups stored in web often and if you are in that and grouper
13:57
sorry and if you are in that pilot group or one of them then you can have access to registration and then use web often
14:08
Soul development so we had three different streams three different um large components like I mentioned on the
14:16
previous slide so we have the shibboleth uh side um so there was lots of development there so you know I think for folks here
14:23
have a lot of experience there so for our implementation we had to develop a whole new set of custom uh user
14:30
interfaces so um the all of the views have been changed um and they there were there was
14:36
already some of that in place before prior to using integrating web often but we developed even new uh user interfaces
14:44
to support uh web often one thing we wanted to do is when we talked about enhancing user experience we wanted to
14:50
make it quick we really wanted to sell web offense so uh the folks on the product team came up
14:56
with the idea of a one-click access so and I'll demo this but once you log in
15:01
uh web off end then we'll drop a cookie essentially saying oh you've logged in with Web author and you don't have to
15:08
enter uh your username or anything else once you come back to the SSO screen if
15:14
you've done it before you can just click web authen and then you're log in and then your Biometrics uh whatever the
15:21
biometric interface is associated with your system that will fire up and then you you're able to access so internet
15:27
SSO screen click login if you're using FaceTime you smile and
15:34
then you're on your way so and I'll demo that we had to create uh new actions also on the back end to support web
15:41
often so this is a spring webflow application so we had to on the back end
15:46
so we had to develop a whole host of new actions to support uh some of the data
15:52
that we collect and store for web offense so there was no actions there we had to create a new registration
15:57
servlet and the registration server collects you know starts the initial process
16:03
because you know if you were to look at like the developer tools on your browser on a web often session there's a lot of
16:10
things going on when you try and log in or authenticate using the web opt-in so a lot of chatter going back and forth
16:15
between um the browser and the web server uh to communicate and initiate and complete
16:22
the process so we had to develop servlets to help facilitate that and then of course if you've ever been into
16:27
the conf directories or into the guts of Chevrolet we had to create a whole new set of configuration files to support
16:33
this as well so it was a really large effort um to just integrate this with shible if
16:39
so lots of java development and HTML JavaScript development on this end
16:45
um then we developed a registration application so this is a relatively simple uh application no not simple I'll
16:51
take that back the architecture is relatively simple so it's built on uh spring boot
16:57
um and that provides some services on the back end for the front end so it's a BFF for the front end front end is all
17:04
new view uh new view of UJS system so custom developed in-house so we completely developed that system and
17:11
then we developed spring boot Services uh to support the user interface uh components that is uh everything is
17:19
deployed in openshift and that is just a native built uh and deployed as a as a
17:24
uh a Docker image and deployed in openshift and then on the back end like in the
17:31
previous architecture diagram we have uh web often services to support
17:37
both of these two components so it's a spring boot um application with restful Services uh
17:45
Services support the login process the registration process and then user management process as we roll this out
17:53
there is you know we're going to have to add more support for the help desk and
17:58
other administrative folks to take administrative actions on certain accounts enable disable
18:05
um help people when they're stuck so there is some of that there but this will be extended even further
18:11
um to help support more of the administrative uh side of web often
18:18
uh Communications so we found that Communications are vital like I showed in that previous slide
18:25
um some folks think oh let's go back what happened yeah Communications are vital
18:30
um there are a lot of mysteries around web often there are a lot of mysteries around Biometrics and your devices so
18:36
you have to over communicate and we found as far as explaining to people what this is and how this will help them
18:44
um I've been asked this a million times I know people who are on the faculty and they always ask questions but I'll fail
18:50
will UNC have access to my um uh my bio information well they have my
18:57
fingerprints so my Iris scans or anything else that your device collects for this process so that's a resounding
19:03
note that is all stored on your device and I always say you you're an employee here anyway they've done background
19:09
checks and everything about you so but we always say um the device will always contain that
19:14
information so we won't store so you have to communicate that to uh folks
19:20
um and usually puts them at ease um what else oh what else is uh some
19:26
other some other feedback we've gotten but it's really important to communicate you know what we're going to do how it's going to help them one thing that we've
19:34
done um through the process is we capture surveys from Pilot users and we've
19:40
that's going a long way uh towards helping to um streamline operations and gather
19:47
feedback and Implement those as quickly as possible so capturing feedback and communicating with folks has been
19:53
extremely important on our side um we also have a a site a website a
20:00
Wiki essentially internally that folks can access that answers a whole round of
20:06
questions and it's been very helpful uh to help demystify uh the process and
20:11
explain how it will help the university and make their lives somewhat easier
20:19
so challenges many challenges uh like I said the implementation is not easy
20:26
um you are bridging lots of technologies that uh while they there is a bridge to
20:32
be built you have to build that bridge and it's not um it's not uh like entry level work it's
20:39
just really uh tough work once you build that bridge it's built but implementation is not easy you have to
20:45
have a experience with a whole host of Technologies uh JavaScript and and some
20:50
interesting JavaScript um to implement um whoever thing you have to have things
20:56
on the server side to collect this information and communicate with your front end
21:02
um so there are challenges there you have to have a deep experience with Shiba lift and you have to really get
21:08
into uh the guts of shibboleth um to extend that to make it work there
21:15
um you have to have really good Java skills I've found to build some of the
21:21
custom code on the back end to help support this I mean at least for us a little travel that there's a job
21:27
application so you'll need that there um at least interact with shiblet there so lots of Technologies lots of moving
21:34
parts and uh quite frankly some weird JavaScript that you have to learn to get
21:39
this working um interactions differ by device um this is a this is a challenge that
21:46
will always exist and we haven't found a way uh to bridge this um what we did was we did
21:53
heavily involved the help desk and as far as testing the application so they
21:59
can become familiar with some of the pain points so they can um answer calls and and work with users
22:06
more effectively um but every device has a different
22:12
um dialogue for interact for showing the um web often to its users so cool thing
22:18
is like you know if you use different browsers on a device once the browser kicks it
22:24
over to your device it's all the same but um Windows has a different process
22:30
than my Android phone different process from Macs iOS it's all
22:37
different and some of it is a little bit wonky so you've got to figure that out for the most part it is on a happy path
22:44
uh it is relatively simple but there are challenges because you know usually as an application developer you want to
22:52
have control over your old your entire ecosystem and there you don't have really have control you have to trust uh
22:58
that the device maker um has um you know taken care as far as implementing um
23:04
uh the controls for web often another thing that we've had is like so we have
23:09
a lot of managed desktops and this is part of the strategy for um pushing out to users so you know we
23:15
have Windows hello for business so we have to push that out and turn that on and there have been some challenges
23:21
there um so on on the staff side it hasn't been a seamless process to enable
23:28
Windows hello for business so there's been a slow uptake as far as the staff is concerned this is why we're rolling
23:33
it out a little more slowly to them um and there are certain folks who are in the pilot group and advanced users
23:39
people that like to be on the bleeding edge I guess and they've been developing and I haven't a lot of us do but it's
23:45
not a symbol AS hey pushing out everyone Windows hello was enabled ready to go so there have been some challenges there
23:52
um but they're we're overcoming those the other thing is automation so if you are big into test automation
23:58
um have some challenges there you can imagine it's hard to uh test for
24:04
different devices in an automated fashion especially when that control is again turned over to a device and it
24:10
leaves the browser there are some virtual uh there's like a virtual authenticator and things you can do but
24:16
it's not seamless and it doesn't fully uh capture like the user experience so
24:24
um we've had some challenges with automated automating our our testing of our user interfaces for uh web often
24:33
um and then just users with multiple device right device registration may be confused so this is something that we run into we haven't fully figured out
24:40
how to solve this and I think you know myself we've been using this since it rolled out you kind of learn you know
24:46
you learn you know oh how to use it for a specific device so
24:51
once you register for a device I mean we always have to act like you know your cook you know cookies or anything you
24:58
said on a user environment local storage session storage whatever is going to be unavailable for whatever reason maybe
25:03
they've cleared things maybe they've got a new machine so once you register for a particular
25:09
device um it's hard to tell like if you log into another device that that
25:15
registration is not tied to that device um unless you want to store some
25:20
tracking things and stuff like that which we're not doing so you know uh when users have multiple registrations
25:27
it's we can't really tell the device that that registration is tied to and until they initiate a registration so we
25:35
haven't really figured out how to overcome that but most people don't have tons of devices now most people have one
25:40
or two so it's not an issue but if you have multiple like me um you know number developer you know
25:46
we've had some some challenges there on how to Tire registration to a specific
25:51
device when you haven't been there before we always have to accommodate or plan for someone who hasn't logged in
25:57
from that device because your cookie could be erased or whatever foreign
26:06
students we have or how large the population is but this is a huge system uh lots of Impressions per day lots of
26:14
logins per day so this cannot fail and so we have a large team uh dedicated to
26:20
making sure this works correctly and it suits the needs of the University so
26:26
um I just wanted to um talk about some of our team um the teams that came together to help
26:32
to uh bring this to fruition um we have of course the identity management team um
26:38
uh security team which reviewed everything because there are lots of settings you can have let's go for
26:44
instance um there's a way where you can say like right now in a void Universe bring your
26:49
own device Universe I'm bringing my phone uh to the party right to log into systems
26:56
uh there's also a way to increase the security web often you can really go and
27:01
really lock this down and you can install certificates uh you can have the device certificate
27:08
stored on the server side to say hey um not only do you because initially
27:14
you're going to authenticate using your University credentials but not only that but also want the certificate associated
27:19
with your device and I'm going to store that and that'll be part of the entire Web author process
27:25
um you can't do that easily in the bring your own device world because vendors roll out devices uh updates all the time
27:33
a certificate could expire and say if if we had something like that enabled
27:38
um you know when a device updates you can lose your certificate the change and they can lose their access so when you
27:44
don't have control over their devices so but security had to help make some of these calls to figure out what's acceptable what's an acceptable level of
27:51
risk so they've been involved in the entire process the entire time so security has been really important um to
27:58
um everything we've decided to do the accessibility team uh has been a parallel because there are lots of uh
28:05
you know regulations we have to follow as far as making sure it's accessible um by folks with all um you know manner
28:12
methods of accessing accessing the system so we've had to interact with Community accessibility Communications like what I've talked to
28:19
before we try and get ahead of the messaging aspect um project management team to pull
28:25
everyone together infrastructure for deployments and then help desk because once this goes live I'm sure they're
28:31
going to get calls because one thing that the university I'm sure other organizations try to do as well as say
28:37
be vigilant about changes to the login screens because if there is any change
28:43
that means you could be fished or you could be taken to a different site so when you roll out any change to the SSO
28:50
page there's a raft of calls that come to uh vigilant Carolinians about a change so
28:59
um we just had to work with the help desk to prepare for that so now a lot of communication so focused on uh aren't
29:04
alarmed so it's been a large team effort to get this right demo so here's the fun part
29:12
um this will be quick I think um so let me switch to my browser here
29:18
so um I'm this is me accessing a service provider
29:25
um before I access the service provider I'm brought to our single sign-on screen so this is our new user interface so
29:31
there's a new uh if you notice to lots of Enterprise systems I guess in the past you would see like
29:37
uh username password but right now the way things are going um there are lots of different ways to
29:43
authenticate to different systems so a new a pattern is where you um you just take their username and once
29:50
you have the username use that to determine what they have access to next and that's what we're doing here because
29:56
certain users will have access to the web off and certain users won't and then there are other things in the future which are in the plans to integrate with
30:03
this page so um we first collect uh they're onions which we call which is
30:10
their username so for me I've already logged into Carolina key so I have uh the Carolina
30:17
key login button here um but if I did not I'll use Chucky
30:26
then this is what the user interface will look like for users who don't have access to uh Carolina key which is
30:32
relatively uh simple user interface which is what we're used to so if I were to log in with this account then
30:39
um with the password and I won't show you know then you'll be presented with the duo
30:45
um uh challenge screens but uh for myself for this uh demo I'm
30:52
going to our Registration site
30:59
so I'll either put the button and fingerprint and now I'm taken to our Carolina key
31:05
registration website so we have lots of verbiage here about you know how it works and you know what we're trying to
31:11
do and then here are our registered Carolina keys so Carolina key is essentially a device
31:18
a device is your key so I have six um devices registered uh here that I can
31:25
use to access our systems. If I wanted to register a new one, all I do is select Register New
31:31
Device. We try and just guess what your device is, just to give you some hints towards
31:37
naming it, and then hit Save. I already registered this one, so it'll complain
31:42
that one exists. Now let's delete it here.
31:54
Thank you, and
32:00
making sure. So again, one other thing: on a MacBook it'll be a totally
32:07
different user interface, or at least that dialog that showed
32:12
itself. So the device successfully registered; you may now use it to log in.
32:19
So there we go, UNC Windows 10 is there. I can rename that device
32:25
or delete it, and there are some management functions there to help manage users. So
32:31
I can log out, and let's just clear my cookies,
32:40
and we'll go back to the registration page. The only reason my username is stored here is because I'm using
32:47
LastPass and I haven't turned that off. So for everyone, if you haven't logged in with Carolina Key,
32:53
you'll have to enter your Onyen every time unless you're using a password manager. So,
32:59
Carolina Key sign in. I'll sign in again, fingerprint,
33:07
takes me to the site. Now, since I've logged in, just as a convenience, and this is where we're trying to make it a
33:14
quicker experience for users, I'm logging into a different service provider, so it remembers
33:20
that Tariq, I'm logged in. The Carolina Key button is available; this is all I have to press,
33:25
and if I was using Face ID I just smile and I'm in.
33:32
So then you're in. This happens to be the registration page, but it's a site, and it can be any other service
33:38
provider. And also, as you notice, there is no Duo
33:44
involved in that process. Let's see. And then you can always log in, because there are certain service
33:50
providers where we would like to still use Duo, so we're still figuring out
33:58
what that looks like. But in those cases, if you don't have your device with you, you can always use your password and
34:06
then it takes you into the Duo process here.
34:11
No, cancel that. All right, so that's our implementation there, and
34:22
that's it.
34:31
Excellent. We have a number of questions that I've queued up. I tried answering one of them; feel free to read that
34:38
exchange between myself and David, and we have 11
34:44
open questions right now. If there are comments in chat, I didn't see any appear there, so I thank you all for
34:51
putting the comments or the questions in the Zoom Q&A channel.
34:56
So most of the things that are left here, Tariq, are directed to you and the project and the work, so I'll let you
35:03
pull those up, and I'll read them along with you so that those who are only attending by audio can hear that as
35:09
well. But the very first question, from Michael, is: how many FTE were focused on the sprints throughout 2021?
35:16
I'll say one and a half. And was that the full-time
35:23
equivalents, were they, I'm adding on to the question just because I know I have a frequent understanding of how
35:30
a full-time equivalent is shared. Was this dedicated 100% to this
35:36
work, or... Okay, yes. Yeah, so one, and that was me, dedicated 100% to this work, and
35:41
then there was another developer who was about half time who would help when
35:47
he had availability. But then we had a whole group of people that we would pull in, as far as the
35:53
teams that I mentioned, to help with other issues.
35:58
Fair enough, great. Michael Hodges asks: are the Shibboleth
36:04
views, configs, etc., the registration app, etc., shared on GitHub or elsewhere?
36:10
Yeah, so not by us. We have been looking at definitely sharing, like, our registration service, because I know
36:16
folks have asked us about that in the past. So as soon as we get to a point where we can breathe, we will look at
36:22
open-sourcing some of our developments. Excellent, and if there are follow-on
36:29
questions, feel free to add them into the channel as well. I'm looking ahead as I'm reading
36:35
through these on behalf of Tariq. So, Duo offers passwordless as an option now
36:40
and can be utilized through tiered services: Duo MFA, Duo Access, and Duo Beyond.
36:46
And I think that this is more just expanding on a comment that you had made
36:52
during the demo and the presentation about Duo
36:59
features and minimizing their use, but there are some other additional things here, Abraham, if you wanna add any
37:06
additional comments to that, feel free. Yeah, because it's not going away anytime soon. We just, I guess, want to
37:14
reduce the reliance on it and at least make it more seamless, but it will be interesting to see what Duo is offering. Yeah, and the follow-up
37:20
question is: is there a plan to use the new Duo passwordless option in your environment? It sounds
37:28
like from your presentation that's something you're trying to avoid. Yeah, it hasn't been presented to me as
37:33
an option, so someone else may be making that decision, but I'm not aware.
37:40
Okay. The next question: do you give each device a nickname, like Duke Unlock
37:45
does? Yes, we do. So that's when we're in the registration app and
37:51
then you set this device and it said Windows 10. We just try and
37:56
basically read the user agent for that device, and then we will just give
38:01
you a nice name, but you can rename that to whatever you want it to be. So every device does have a nickname.
38:07
And Rohita asks: what was your security testing like? Too many moving pieces in this architecture; any missed
38:14
vulnerability can turn into disaster. Just wondering if the security aspect was extensively tested. Oh yeah, it was
38:21
extensive. So there are a lot of moving pieces, but this is the problem once you go to a microservice architecture, which
38:28
is what we essentially have. I mean, you could have bundled all of that into Shibboleth, but this is typical for
38:35
nowadays: I have a whole bunch of little services on the back end that are communicating to achieve some goal.
38:41
So we're just following those new patterns, but we did have extensive testing to make sure that things are
38:48
complete. So the typical things, you know, port scanning, and we did find, not a
38:55
vulnerability, but certain things that we could share: if you look at your libraries that you're using, to make sure that those don't have
39:02
vulnerabilities. You look at your deployments to make sure open ports are closed, no
39:07
passwords, you know, typical things. We did run the scans that the university typically runs before they deploy
39:15
something like this. And an aspect of this that was related to David's question about whether the
39:21
Shibboleth Consortium is going to adopt any of these modules or is going to build a response, for those who are
39:28
just connected by audio, I just thought I'd replay a portion of that because it relates to this, which is: there are a lot of moving parts. I want
39:34
to underscore what Tariq just said. And so whether or not the Shibboleth IdP has inbuilt support for
39:42
WebAuthn is only a portion of the implementation puzzle; it is not the key
39:47
to it. And so, I know that the engineering team is talking about
39:53
this, actively researching sort of a best-interface way of presenting this, and
39:58
there are a lot of conversations on the Shibboleth mailing lists about this that periodically pop up, so you're encouraged to look at those as well, to
40:05
follow along. It is also the case that if there is a community solution, a community module
40:11
implementation, etc., that is acceptable to the engineering team, they have
40:16
incorporated stuff in the past in the core, so it's certainly something that could
40:21
be considered, but I don't have a definitive answer to that. But Internet2 is a principal investor in the Shibboleth
40:27
Consortium, so I just thought I would take that on as a part of this question. Thank you.
40:33
Krishna asks a question on resources: was it developed and implemented with
40:40
internal resources? Did you have any external implementation partners? Well, yeah, this was all internal, but I
40:47
always, you know, rivals, right, Duke and UNC rivals, but I always try and shout
40:54
out Duke, because they actually open-sourced their initial rollout of WebAuthn, not their
40:59
rollout, but like a proof of concept essentially for integrating with WebAuthn, so that got
41:05
us off the ground. So initially we had a couple of conversations with them to share what we were doing and to learn about
41:10
some of their lessons learned as well. So that's the most we've done as far as outsourcing, just to try
41:17
and understand what folks are doing and the challenges they have. But all the development has been done in-house, but
41:22
some of the code to get off the ground was, you know, from other folks.
41:28
And I skipped over Winston's question. I scrolled back up
41:33
and there it is: are you buying bulk keys to distribute or sell, or just having users bring their own?
41:39
So there has been some discussion about buying bulk keys, but they've decided not to do that. I forgot the reason
41:46
why, but I think it's been more effective to just, especially for students, say, hey,
41:52
use your phone. Everyone's tethered completely to their phone or their device, so we don't have to use
42:00
keys. But if you need one, actually, you can request one. I have one at the university
42:06
for testing, but if you need one they'll give you one. But there's no plan to give it out to everyone at the
42:12
university. And then Nadim asks: we are in the process of rolling out our own
42:18
passwordless solution based on Duke Unlock, and we're trying to create the logic that you just showed after the
42:23
username, and then display whether or not a user can enter a password or use the passwordless option. Are you willing to
42:29
share how you do that in Shibboleth? Sure, yep. That's
42:34
the part I mentioned where you have to develop custom servlets, and this is where,
42:41
I guess, because we don't develop a lot of servlets anymore
42:47
in the Java world, you develop, you know, Spring or something that wraps around it. But at this level, at least on the
42:54
Shibboleth side, we have to develop a servlet that the user interface can call back to, which then delegates to our
43:02
back-end services to make that call. So I can share that, but yeah, there's a servlet that we developed to answer
43:07
those calls and provide a yes or no. Sorry, and related to this, I'm skipping
43:14
ahead just a little bit and I'll come back to the other questions: will UNC share the code for the implementation? This is related to the exact same
43:21
question that's being asked now, so I thought... Yeah, so there was a plan. We have discussed that internally
43:27
about sharing that, but as soon as we can get through these next couple of
43:32
weeks as far as rollouts, we will definitely revisit that. We definitely want to contribute back, because that's what helped us to get off
43:39
the ground. And then Brent asks: can you explain how this would work with lab computers or
43:45
public computers? Do you reject the option for users to register a student lab or public computer?
43:50
That's a good question. So we don't know that it's a public computer, so
43:57
you can do that. How do we take care of that? Yeah,
44:02
we've gone through that on security rounds, but I guess it would be similar to just logging in with the
44:08
username and password, because there's still a challenge if you use a public computer, right. There's still some challenge: if you use your
44:14
YubiKey, you have to have that device; if you're using a biometric, where I hope a public computer doesn't have a
44:20
biometric device, you'll still have to use your fingerprint or your face. So there will
44:25
always be an additional challenge, even if you're using a public computer, so we're okay there, and
44:33
we do allow it. But yeah, it's actually more secure than the password, because you'll have to
44:38
physically have that thing to say, you know, I am me, which
44:44
is your YubiKey or your device itself. And also, for instance,
44:51
if it's a public computer, especially at a university, they
44:56
should not have Windows Hello enabled, you know, where you can do that. So I mean, there's a whole lot of
45:02
things that have to break down for it to be a large issue, but we're okay there.
45:09
As is always the joy, there's always the: what happens if
45:15
I lose the thing I have, and then how do I re-bootstrap myself into the
45:23
system from that point? And I don't know if you've had a number of dry-run experiences with people losing things,
45:28
but I'm sure that you might have some pointers on that as well. Yeah, here's a great example. This happened to me, and I
45:34
was embarrassed for a second. So I upgraded my phone, and I went to log in,
45:40
and it kept rejecting my phone. It said this is already a registered device,
45:45
and then, oh, I updated my phone. So I had to go into the registration site,
45:50
just delete that key and then add it for that phone. So all you have to do is go delete the key, or have someone from the
45:57
help desk delete it, and then you re-register and you're good to go. Excellent. Michael asks: what is the
46:04
thinking behind services that must use Duo? You know, there's still a comfort zone,
46:11
a comfort, right. You just want as many, and this is not me, but
46:18
there are certain folks who just want as many boxes checked to access certain things.
46:24
So I think that's going to go away. That was some of the initial pilot, which is, they're like, hey, let's
46:29
make sure this works for everyone and it's secure. Some folks just have to get comfortable with certain
46:36
security, and then once that comfort is there, I think it'll go away. But yeah, I get you,
46:43
but people way above our pay grade just want as many boxes checked on certain systems. There are
46:50
some highly sensitive systems here that folks want to have additional access
46:55
controls on. And speaking of checking boxes, Jeremy asks: have you performed surveys of campus hardware that can
47:01
support WebAuthn? Yes, we have, and that's part of the slow rollout to students. So students have the latest
47:08
and greatest hardware; faculty don't always have that. So that's part of
47:13
the reason why there is an automatic push. But they do have an idea of what devices are out there; they do know, yeah,
47:21
and they expect to have all those issues mitigated early 2023. So early 2023,
47:26
hopefully this will just be generally available to everyone at the university.
47:32
Excellent. And then Lance asks: does this introduce any unique issues with user
47:37
deprovisioning? It sure does. That's our next project, or that's the next project; it's a deprovisioning
47:43
project, and how to tie that into everything. So yes, that's a great question.
47:49
Eric asks: what is the impact to the REFEDS MFA assertion for SPs that may require MFA signaling?
47:57
Yeah, that's a good question, and someone told me that would come up. I just didn't have enough time to re-figure it, but in the configuration
48:03
file there is an association. You just have to associate the
48:08
WebAuthn to the REFEDS profile. So there's a way you say REFEDS and it's
48:15
associated with MFA, so WebAuthn is associated with MFA, so
48:20
it'll work. Very good answer. That's the best I can... Yeah, we tested that,
48:25
and we haven't found any challenges there. But it was inside of the configuration, that's what I was talking about; you have to go deep inside that
48:32
conf folder, and there's a whole raft of configuration files in there that you have to set.
48:39
Excellent. And we have a few minutes more for questions. I'm going to try and power through them as much as I can.
48:44
Pavel asks about Windows Hello for Business: I suppose you have computers in the AD domain. Is it only enabled so that
48:50
users have to register each computer separately, or do they log into the computer and Hello is set up
48:55
automatically, and then they just do the passwordless login? Oh, no. So let me read that again.
49:07
Yeah, so no, they will have to register
49:12
each computer separately. So once you enable Windows Hello for Business,
49:17
and you know, then you have to integrate that with the VPN, there's a whole bunch of things that
49:22
you have to enable that for, just for the device itself. And then once you log into WebAuthn
49:29
it'll say, oh, you can use this as well. So you also have to register your laptop in
49:35
addition, but it's just saying, since this is available on your laptop, you can then use it for WebAuthn.
49:41
But yeah, it will also be generally available to log on to your
49:46
laptop, but you can use that to access everything else that you have access to from your system.
49:53
And then Michael asks: did you have to upgrade your AD environment to support Windows Hello?
49:58
There was some work there. I'm not sure of all the details, but that's one thing that took us a while. I
50:03
wasn't involved in that, I was just part of the discussions, but there was some work there.
50:09
And does the security team consider a login on a registered device with a fingerprint an equivalent dual-factor
50:14
authentication as the old way with password and Duo Push?
50:19
I'll say just equivalent as far as, you know, MFA or multi-factor. So
50:26
Duo was basically there to implement multi-factor authentication, and WebAuthn is an equivalent to,
50:34
or suffices for, multi-factor authentication. So it's almost, yes, technically it is equal, but like I said,
50:41
there's still some... you know, it'll still be around for a while, but
50:47
yeah, it is multi-factor, similar to Duo. And also, just to keep in mind, as far as the registration process is concerned,
50:55
you all have to go through the Duo process. I didn't show that, because you don't have any WebAuthn registrations available, so you're still
51:01
using username and password, so you have to use Duo to even register. So that's another check to even get to the
51:07
registration site. And Matthew writes: thank you for
51:13
the presentation, which I will second in another moment, but would you please tell me what, if any, anticipated impact the
51:19
custom implementation will have on Shibboleth patching and testing? Yeah, there will be.
51:24
And I think so even prior to WebAuthn, the team there, they've had to
51:31
extend Shibboleth for other reasons, so there's an extensive testing
51:37
process as far as upgrading to a new version of Shibboleth. So this will just be folded into that. I haven't been part of
51:42
that, but I do know that they are in place. But what we tried to do
51:48
as much as possible is not disturb the base ecosystem of Shibboleth. And what we do is,
51:56
you know, even when I want to get started on a new one locally, I just download Shibboleth and then we overlay our files
52:02
on top of that, and that's basically our basic implementation. There are some custom things we do, but that's not a lot;
52:09
it's like we co-exist with it. That's what our general approach is, so when it's upgraded, their upgrades,
52:15
you know, we don't have to do a lot of hard work. I will advocate that as a healthy stance. Krishna asks: if you
52:22
have MFA as a requirement, would you meet the requirement if one is using a YubiKey? Will that be a second factor? 100%
52:28
yes. And then, I think we're just gonna make it... Anonymous attendee asks: are you
52:35
able to configure this login flow to only allow WebAuthn on UNC networks, such as on campus or via VPN? Yes.
52:42
Excellent. And then David comments that the MFA
52:48
profile is explicitly a multi-factor profile, not a strong authentication profile. So I will acknowledge that, and with that
52:55
I would like to say thank you to everyone for participating and the great questions, and Tariq for your wonderful
53:01
summary information of your experience, and good luck on the deployment tonight. And with that, I will pass the baton
53:07
back to April.
53:15
Thank you so much, Steve, and I echo that thanks to both you and Tariq for an
53:23
engaging discussion this afternoon. As we're
53:29
wrapping up, just a couple of reminders. Once again, I want to reiterate we will provide the recording of this
53:36
afternoon's webinar. You can expect to receive that in your inbox in the next few days, and you'll also find it on
53:43
our website. Please complete our Zoom survey; we really value your feedback about IAM
53:48
Online, and we would appreciate you taking the time to complete that survey.
53:54
If you have general feedback, you can certainly get in touch with me, April Motley; my email address is there. I want
54:00
to let you know about our next program, which is Extending IAM to the Cloud.
54:05
It will be Wednesday, November 16th, and if you generally have ideas about future
54:11
programs, we do have a web form up on the IAM Online website, at your
54:18
convenience. Other quick reminders: just want to make you aware this Friday, October 21st, is
54:24
like a mega day here at Internet2 and InCommon. That is the last day to take
54:29
advantage of reduced registration rates for TechEX, and during TechEX this year
54:35
we will be having InCommon Camp Week, which some of you may be familiar with; that will be in person at TechEX. So
54:41
again, those reduced registration rates are available through this Friday. Also ending this Friday are early bird
54:48
rates for our next round of Grouper training, if that is of interest to you. And finally, I do want to remind you that
54:55
this is our last call for nominations for InCommon advisory committees. The call for nominations also ends this
55:01
Friday, October 21st, so if that's of interest to you, please take a look at that information, which is also
55:09
on our website. And in preparation for next month's
55:14
program, CACTI, which is our Community Architecture Committee for Trust and
55:19
Identity, has prepared a pre-webinar survey, and we would ask that if you have
55:25
the opportunity to complete that survey, you would do so. We'll be sending out more information about that, but I did want
55:31
to make you aware of that program and that opportunity to provide input prior
55:37
to the next webinar. Thank you again to Tariq and Steve, and also to our meetings
55:43
and convening team, to Susan and Carly, for supporting this program, and for everyone who attended, we will see you in
55:51
November. Have a great rest of the day. Okay, thank you, bye everyone, thank you.
55:59
[Music]
IAM ONLINE: Going Password Free at UNC
I2 Online - Internet2
111 subscribers
246 views 2 months ago
University of North Carolina at Chapel Hill is on its way towards having passwordless logins. Seven months ago, the university launched a pilot to test its implementation of WebAuthn, known locally as Carolina Key. This new feature of the UNC web-based single sign-on (SSO) utilizes device-specific authentications, such as hardware security keys and fingerprint or face recognition. …