From e0416e54749ddbfb62f73dad0966a4df6951202c Mon Sep 17 00:00:00 2001 From: Keith Hazelton Date: Wed, 18 Jan 2023 14:57:08 -0600 Subject: [PATCH] Add files via upload --- WebAuthNiamOnline.txt | 1134 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 1134 insertions(+) create mode 100644 WebAuthNiamOnline.txt diff --git a/WebAuthNiamOnline.txt b/WebAuthNiamOnline.txt new file mode 100644 index 0000000..f09933b --- /dev/null +++ b/WebAuthNiamOnline.txt 
@@ -0,0 +1,1134 @@ + +9:56 / 56:10 +Transcript +0:01 +foreign [Music] +0:10 +thank you for joining today's IAM online the monthly webinar focused on identity +0:16 +and access management and brought to you by in common my name is April Motley and +0:21 +I am the communications lead for in common and I'm helping to host this hour of community and collaboration in just a +0:28 +moment I'm going to turn it over to our moderator for the hour but please first note the following we will be taking +0:34 +questions and comments live following the presentation using the zoom q a +0:40 +function so please send those messages during the presentation because we want +0:45 +this to be as interactive as possible but if possible do submit your questions using the zoom q a function +0:52 +also feel free to post messages in chat just be sure that you're posting your message to the entire group that's in +0:59 +your drop down menu options and also for anyone wondering we are recording this webinar you will receive a link to the +1:06 +recording via email and it will also be posted to the in common website and to +1:12 +our IM online YouTube channel so without further Ado I will pass things over to +1:18 +Steve zoppy to introduce our topic and speaker for today thank you April welcome everyone we're +1:25 +glad to see you all here um and my purpose right now just to be set a little context because the topic +1:32 +that we're about to explore today has relevance and Myriad contexts and in +1:39 +many of our advisory committees in the continuously evolving Universe of +1:44 +identity and access management we're all challenged by the complexity of implementing technological innovations +1:51 +that can be integrated into the daily lives of our constituents with the objective of making the +1:57 +services easier to access and remaining secure these are challenging times and +2:04 +challenging things to navigate so those challenges continue to grow with the complexity and the services 
offered by +2:09 +commercial and institutional providers as new challenges to privacy and security arise and then there's the +2:16 +subject of standards as our industry Pioneer Andrew Tanenbaum observes the nice thing about standards is that there +2:22 +are so many of them moreover standards seldom stands still or stand alone especially in the tools +2:28 +that clients use to access these online services authentication and authorization the two +2:35 +pillars of our I am world are topics we frequently explore and share in the I am +2:41 +online context with hopes that successes and lessons of our community will be of +2:47 +value to other community members specifically in the browser World there are significant changes being enacted by +2:54 +commercial interests intended to benefit the privacy and security of end users while some of these changes May +3:00 +ultimately interfere with our community's current ability to easily access services that we consume and +3:06 +provide to each other some advances are geared to overhaul old ways of doing things with new and better ways as a +3:13 +community we're challenged to adopt and deploy those changes as seamlessly as possible to large populace of diverse +3:19 +and ever-changing requirements in the mission of Higher Education and Research web often is one of those advances which +3:26 +promises to bring us closer to the objective of password-free authentication but has its own challenges and implications in its +3:33 +deployment and administration today we get to explore this aspect of +3:38 +authentication with Tariq Wilson a member of our community serving the University of North Carolina at Chapel +3:45 +Hill for the last two years as a software engineer on the identity management team who will share with us +3:51 +their journey in implementing password-free logins without further Ado I'll pass the Baton to Tariq +3:58 +oh thanks Steve uh yes good morning good afternoon everyone of course I'm on the East Coast 
+4:05 +time so uh we have or have an interesting uh presentation for everyone and would love to share our journey uh +4:11 +with a web often and what we call it UNC Carolina key so let me share my screen +4:26 +yes so yeah Carolina key this is our our custom-made logo for Carolina key as we'll be um using to Market this +4:33 +technology uh to uh Folks at the University so today I'll talk about what uh web +4:41 +Autumn is and why we're doing implementing web often at UNC just go +4:46 +over the project timeline um talk about the architecture and development aspect of the project talk +4:53 +about communication strategies and that's been extremely important of course I'm going to cover challenges +4:58 +which there have been many of and we'll tell them and I'll just give a brief demo after that +5:05 +so what is web often so web often was announced in 2019 by the World Wide Web +5:10 +Consortium and is a a global standard for password free login and +5:16 +authentication the Web author API is supported by all the major browsers Firefox Chrome Edge Opera Safari and +5:25 +also some more device specific browsers but there's Universe pretty much Universal support for this a for the web +5:31 +authen API it relies on public key cryptography so I won't go into that at +5:38 +all but for those who feel familiar with cryptography that is the basis of this technology and basically you will +5:45 +authenticate to a service or a website using your device and or a hardware key +5:52 +so a device can be your laptop Mac Windows machine whatever your mobile +5:57 +device happens to be tablet or a UB key which trans you know you can or you'll +6:03 +be to your key similar for Authentication +6:09 +so continue with what web often is so unfortunately one of the most if you +6:15 +search a web often on the web this is one of the top sites that will come up and it is web often is great and it +6:21 +sucks and that's one of the top Google uh search results so after someone agree +6:27 
+with that assessment uh after working with it for two years that is sad but true initially +6:33 +um there was a very tall barrier to entry um it's like once you start you it's kind of hard to understand where to +6:40 +begin although there are lots of sites with sites that describe the technology there are just so many pieces to it +6:47 +there are lots of acronyms there are lots of bad outdated code examples you +6:52 +have so many pieces so many browsers so many devices you have your backend services that you have to integrate with +6:58 +you have your front end you know depends on if it's a react system or a native JavaScript so many pieces have to come +7:04 +together and there's not a lot of good demos on some how to tie all those things together so I have to say and we've had to +7:11 +actually overcome uh some of the stigma that's associated with web often because of a sites like this but I think once +7:18 +you get your arms around it is actually pretty cool and once you get settled it is a great technology so +7:25 +just you have to overcome some of the uh perceptions and the stigma that's associated with it but it's a really +7:30 +cool technology and I'll walk through our implementation strategy so why web often at UNC well we've had +7:38 +an increase in phishing attacks um some uh folks that you wouldn't even expect to be fall victim victim to them +7:46 +have um I.T professionals I think we're all susceptible uh uh hackers and uh other +7:53 +parties are becoming very sophisticated at uh making emails look uh official and +7:59 +look like they would come from an official source so we're trying to mitigate some of those effects +8:04 +um we would like to reduce the number of Health that helped us incidents uh regarding password management so I +8:10 +forgot the stats but I think that is one of the um one of their most uh interesting +8:15 +topics uh uh and calls that they receive at the help desk is to help people manage passwords +8:21 +um we'd like 
to improve improve overall system security right I mean if there is +8:28 +a breach we haven't had one but if there is a breach or at any organization you would you don't want to have a file or a +8:35 +database of passwords uh uh to be linked with that breach so that that just the Optics and the fact that that happens is +8:43 +uh it's a terrible thing so um you'd like to improve your overall system security and not have eventually +8:49 +not have passwords even be a vector and also um +8:54 +um web often is a multi-factor authentication as well so um we add uh additional factors which +9:01 +also increases uh Social Security and safeguards access to our systems +9:07 +um we do think web often does enhance the user experience I mean we've come up with we meeting users people we've come +9:14 +up with all sorts of tools to help manage passwords password managers I +9:19 +have two of them one for UNC one for my personal um experience and then you have the password ranges built into browsers +9:27 +um it's nice if you don't have to worry about those things and you can have just a more seamless process for accessing +9:33 +your applications um I think folks are getting an I am getting used to using the Biometrics of +9:39 +my various devices to access certain systems use the access device itself or +9:44 +services that are offered by the device so I think we can leverage that experience uh with the web and access to +9:50 +our systems and then finally um we like to reduce um Duo +9:56 +um I guess from on the management side this is not my concern but there was a fee associated with uh pushes and the +10:03 +overall interaction with Duo and then users would like to not have to use them so with our web authoring strategy for +10:09 +certain sites um if you authenticate using web often you won't have to use Duo so we'll have +10:16 +a decrease in in that as well so the UNC uh Web author timeline so I +10:23 +started this project a little over two about two years ago yeah 
and um that's when we uh started the the +10:30 +project and just started to think about how we would go about implementing uh web often uh I think we finally figured +10:35 +out a strategy and we started our Sprints early in 2021 we just iterated +10:41 +over that almost for the entire year Where We Gather requirements we work with different partners to and +10:47 +especially Duke they were very helpful to us as far as like bouncing ideas off of them and looking at some of their +10:54 +initial code that they've open sourced to help you started so taking that we divide design develop release internally +11:01 +get some feedback learn and just go through the whole process forward again so we did that for most of 2021. +11:08 +um the results of that we had an initial Pilot release to production in Spring of +11:14 +2022 so about seven months ago this year so it's been in production for a small +11:20 +uh subset of users so we did have to overhaul the user interface um just to support web authent and we +11:28 +hid we allowed access to webathon based on you know certain groups so very +11:34 +limited pilot but we got a lot of feedback over the past seven months and +11:39 +based off that feedback we then went hard again on development spring summer of this year +11:45 +and as a result of that we are ready to go to production tonight so I'm here with you guys to help distract from the +11:52 +fact that we're going to do this today but it should be pretty cool so we're going to release uh to production +11:57 +tonight it'll still be a limited audience we're going to um slowly um Grant uh students access to the web +12:04 +authent and hopefully early November it will be open to the entire student population and I'll talk about why we +12:10 +we're limiting access to students uh yeah again open to all students in early +12:15 +November um architecture so um this is a almost a cartoonish diagram +12:22 +but just wanted to uh show the different components uh architecture 
uh components +12:27 +of our implementation um so of course we have uh shibboleth uh +12:33 +system um which is the main component here and then we have and that's you know +12:39 +that's where all uh single sign-on uh requests uh originate and that's with +12:46 +our Chevrolet application then we uh we developed a custom uh registration +12:53 +application that application uh is built using a spring framework basically for the web +13:00 +server and some of the other environmental things that we like with spring because we're mostly a Java shop +13:05 +and on the front end we're using uh view JS uh for you know reactive +13:12 +um on the back end we have some microservices built using spring and the +13:20 +shibboleth system and our registration application both make use of the web services and I'll talk about what they +13:26 +do in a little bit more detail and then on the back end we have just a custom database for all of our +13:32 +web often data that we use where we store the registrations and everything +13:38 +associated with authent itself and of course when it's usually active directory to +13:44 +deal with the user accounts and then we use grouper to right now to manage who +13:50 +has access to the pilot group so we have different pilot groups stored in web often and if you are in that and grouper +13:57 +sorry and if you are in that pilot group or one of them then you can have access to registration and then use web often +14:08 +Soul development so we had three different streams three different um large components like I mentioned on the +14:16 +previous slide so we have the shibboleth uh side um so there was lots of development there so you know I think for folks here +14:23 +have a lot of experience there so for our implementation we had to develop a whole new set of custom uh user +14:30 +interfaces so um the all of the views have been changed um and they there were there was +14:36 +already some of that in place before prior to using integrating 
web often but we developed even new uh user interfaces +14:44 +to support uh web often one thing we wanted to do is when we talked about enhancing user experience we wanted to +14:50 +make it quick we really wanted to sell web offense so uh the folks on the product team came up +14:56 +with the idea of a one-click access so and I'll demo this but once you log in +15:01 +uh web off end then we'll drop a cookie essentially saying oh you've logged in with Web author and you don't have to +15:08 +enter uh your username or anything else once you come back to the SSO screen if +15:14 +you've done it before you can just click web authen and then you're log in and then your Biometrics uh whatever the +15:21 +biometric interface is associated with your system that will fire up and then you you're able to access so internet +15:27 +SSO screen click login if you're using FaceTime you smile and +15:34 +then you're on your way so and I'll demo that we had to create uh new actions also on the back end to support web +15:41 +often so this is a spring webflow application so we had to on the back end +15:46 +so we had to develop a whole host of new actions to support uh some of the data +15:52 +that we collect and store for web offense so there was no actions there we had to create a new registration +15:57 +servlet and the registration server collects you know starts the initial process +16:03 +because you know if you were to look at like the developer tools on your browser on a web often session there's a lot of +16:10 +things going on when you try and log in or authenticate using the web opt-in so a lot of chatter going back and forth +16:15 +between um the browser and the web server uh to communicate and initiate and complete +16:22 +the process so we had to develop servlets to help facilitate that and then of course if you've ever been into +16:27 +the conf directories or into the guts of Chevrolet we had to create a whole new set of configuration files to support +16:33 +this 
as well so it was a really large effort um to just integrate this with shible if +16:39 +so lots of java development and HTML JavaScript development on this end +16:45 +um then we developed a registration application so this is a relatively simple uh application no not simple I'll +16:51 +take that back the architecture is relatively simple so it's built on uh spring boot +16:57 +um and that provides some services on the back end for the front end so it's a BFF for the front end front end is all +17:04 +new view uh new view of UJS system so custom developed in-house so we completely developed that system and +17:11 +then we developed spring boot Services uh to support the user interface uh components that is uh everything is +17:19 +deployed in openshift and that is just a native built uh and deployed as a as a +17:24 +uh a Docker image and deployed in openshift and then on the back end like in the +17:31 +previous architecture diagram we have uh web often services to support +17:37 +both of these two components so it's a spring boot um application with restful Services uh +17:45 +Services support the login process the registration process and then user management process as we roll this out +17:53 +there is you know we're going to have to add more support for the help desk and +17:58 +other administrative folks to take administrative actions on certain accounts enable disable +18:05 +um help people when they're stuck so there is some of that there but this will be extended even further +18:11 +um to help support more of the administrative uh side of web often +18:18 +uh Communications so we found that Communications are vital like I showed in that previous slide +18:25 +um some folks think oh let's go back what happened yeah Communications are vital +18:30 +um there are a lot of mysteries around web often there are a lot of mysteries around Biometrics and your devices so +18:36 +you have to over communicate and we found as far as explaining to people what this is 
and how this will help them +18:44 +um I've been asked this a million times I know people who are on the faculty and they always ask questions but I'll fail +18:50 +will UNC have access to my um uh my bio information well they have my +18:57 +fingerprints so my Iris scans or anything else that your device collects for this process so that's a resounding +19:03 +note that is all stored on your device and I always say you you're an employee here anyway they've done background +19:09 +checks and everything about you so but we always say um the device will always contain that +19:14 +information so we won't store so you have to communicate that to uh folks +19:20 +um and usually puts them at ease um what else oh what else is uh some +19:26 +other some other feedback we've gotten but it's really important to communicate you know what we're going to do how it's going to help them one thing that we've +19:34 +done um through the process is we capture surveys from Pilot users and we've +19:40 +that's going a long way uh towards helping to um streamline operations and gather +19:47 +feedback and Implement those as quickly as possible so capturing feedback and communicating with folks has been +19:53 +extremely important on our side um we also have a a site a website a +20:00 +Wiki essentially internally that folks can access that answers a whole round of +20:06 +questions and it's been very helpful uh to help demystify uh the process and +20:11 +explain how it will help the university and make their lives somewhat easier +20:19 +so challenges many challenges uh like I said the implementation is not easy +20:26 +um you are bridging lots of technologies that uh while they there is a bridge to +20:32 +be built you have to build that bridge and it's not um it's not uh like entry level work it's +20:39 +just really uh tough work once you build that bridge it's built but implementation is not easy you have to +20:45 +have a experience with a whole host of Technologies uh 
JavaScript and and some +20:50 +interesting JavaScript um to implement um whoever thing you have to have things +20:56 +on the server side to collect this information and communicate with your front end +21:02 +um so there are challenges there you have to have a deep experience with Shiba lift and you have to really get +21:08 +into uh the guts of shibboleth um to extend that to make it work there +21:15 +um you have to have really good Java skills I've found to build some of the +21:21 +custom code on the back end to help support this I mean at least for us a little travel that there's a job +21:27 +application so you'll need that there um at least interact with shiblet there so lots of Technologies lots of moving +21:34 +parts and uh quite frankly some weird JavaScript that you have to learn to get +21:39 +this working um interactions differ by device um this is a this is a challenge that +21:46 +will always exist and we haven't found a way uh to bridge this um what we did was we did +21:53 +heavily involved the help desk and as far as testing the application so they +21:59 +can become familiar with some of the pain points so they can um answer calls and and work with users +22:06 +more effectively um but every device has a different +22:12 +um dialogue for interact for showing the um web often to its users so cool thing +22:18 +is like you know if you use different browsers on a device once the browser kicks it +22:24 +over to your device it's all the same but um Windows has a different process +22:30 +than my Android phone different process from Macs iOS it's all +22:37 +different and some of it is a little bit wonky so you've got to figure that out for the most part it is on a happy path +22:44 +uh it is relatively simple but there are challenges because you know usually as an application developer you want to +22:52 +have control over your old your entire ecosystem and there you don't have really have control you have to trust uh +22:58 +that the device maker 
um has um you know taken care as far as implementing um +23:04 +uh the controls for web often another thing that we've had is like so we have +23:09 +a lot of managed desktops and this is part of the strategy for um pushing out to users so you know we +23:15 +have Windows hello for business so we have to push that out and turn that on and there have been some challenges +23:21 +there um so on on the staff side it hasn't been a seamless process to enable +23:28 +Windows hello for business so there's been a slow uptake as far as the staff is concerned this is why we're rolling +23:33 +it out a little more slowly to them um and there are certain folks who are in the pilot group and advanced users +23:39 +people that like to be on the bleeding edge I guess and they've been developing and I haven't a lot of us do but it's +23:45 +not a symbol AS hey pushing out everyone Windows hello was enabled ready to go so there have been some challenges there +23:52 +um but they're we're overcoming those the other thing is automation so if you are big into test automation +23:58 +um have some challenges there you can imagine it's hard to uh test for +24:04 +different devices in an automated fashion especially when that control is again turned over to a device and it +24:10 +leaves the browser there are some virtual uh there's like a virtual authenticator and things you can do but +24:16 +it's not seamless and it doesn't fully uh capture like the user experience so +24:24 +um we've had some challenges with automated automating our our testing of our user interfaces for uh web often +24:33 +um and then just users with multiple device right device registration may be confused so this is something that we run into we haven't fully figured out +24:40 +how to solve this and I think you know myself we've been using this since it rolled out you kind of learn you know +24:46 +you learn you know oh how to use it for a specific device so +24:51 +once you register for a device I mean we always 
have to act like you know your cook you know cookies or anything you +24:58 +said on a user environment local storage session storage whatever is going to be unavailable for whatever reason maybe +25:03 +they've cleared things maybe they've got a new machine so once you register for a particular +25:09 +device um it's hard to tell like if you log into another device that that +25:15 +registration is not tied to that device um unless you want to store some +25:20 +tracking things and stuff like that which we're not doing so you know uh when users have multiple registrations +25:27 +it's we can't really tell the device that that registration is tied to and until they initiate a registration so we +25:35 +haven't really figured out how to overcome that but most people don't have tons of devices now most people have one +25:40 +or two so it's not an issue but if you have multiple like me um you know number developer you know +25:46 +we've had some some challenges there on how to Tire registration to a specific +25:51 +device when you haven't been there before we always have to accommodate or plan for someone who hasn't logged in +25:57 +from that device because your cookie could be erased or whatever foreign +26:06 +students we have or how large the population is but this is a huge system uh lots of Impressions per day lots of +26:14 +logins per day so this cannot fail and so we have a large team uh dedicated to +26:20 +making sure this works correctly and it suits the needs of the University so +26:26 +um I just wanted to um talk about some of our team um the teams that came together to help +26:32 +to uh bring this to fruition um we have of course the identity management team um +26:38 +uh security team which reviewed everything because there are lots of settings you can have let's go for +26:44 +instance um there's a way where you can say like right now in a void Universe bring your +26:49 +own device Universe I'm bringing my phone uh to the party right to log into 
systems +26:56 +uh there's also a way to increase the security web often you can really go and +27:01 +really lock this down and you can install certificates uh you can have the device certificate +27:08 +stored on the server side to say hey um not only do you because initially +27:14 +you're going to authenticate using your University credentials but not only that but also want the certificate associated +27:19 +with your device and I'm going to store that and that'll be part of the entire Web author process +27:25 +um you can't do that easily in the bring your own device world because vendors roll out devices uh updates all the time +27:33 +a certificate could expire and say if if we had something like that enabled +27:38 +um you know when a device updates you can lose your certificate the change and they can lose their access so when you +27:44 +don't have control over their devices so but security had to help make some of these calls to figure out what's acceptable what's an acceptable level of +27:51 +risk so they've been involved in the entire process the entire time so security has been really important um to +27:58 +um everything we've decided to do the accessibility team uh has been a parallel because there are lots of uh +28:05 +you know regulations we have to follow as far as making sure it's accessible um by folks with all um you know manner +28:12 +methods of accessing accessing the system so we've had to interact with Community accessibility Communications like what I've talked to +28:19 +before we try and get ahead of the messaging aspect um project management team to pull +28:25 +everyone together infrastructure for deployments and then help desk because once this goes live I'm sure they're +28:31 +going to get calls because one thing that the university I'm sure other organizations try to do as well as say +28:37 +be vigilant about changes to the login screens because if there is any change +28:43 +that means you could be fished or you could be 
taken to a different site so when you roll out any change to the SSO +28:50 +page there's a raft of calls that come to uh vigilant Carolinians about a change so +28:59 +um we just had to work with the help desk to prepare for that so now a lot of communication so focused on uh aren't +29:04 +alarmed so it's been a large team effort to get this right demo so here's the fun part +29:12 +um this will be quick I think um so let me switch to my browser here +29:18 +so um I'm this is me accessing a service provider +29:25 +um before I access the service provider I'm brought to our single sign-on screen so this is our new user interface so +29:31 +there's a new uh if you notice to lots of Enterprise systems I guess in the past you would see like +29:37 +uh username password but right now the way things are going um there are lots of different ways to +29:43 +authenticate to different systems so a new a pattern is where you um you just take their username and once +29:50 +you have the username use that to determine what they have access to next and that's what we're doing here because +29:56 +certain users will have access to the web off and certain users won't and then there are other things in the future which are in the plans to integrate with +30:03 +this page so um we first collect uh they're onions which we call which is +30:10 +their username so for me I've already logged into Carolina key so I have uh the Carolina +30:17 +key login button here um but if I did not I'll use Chucky +30:26 +then this is what the user interface will look like for users who don't have access to uh Carolina key which is +30:32 +relatively uh simple user interface which is what we're used to so if I were to log in with this account then +30:39 +um with the password and I won't show you know then you'll be presented with the duo +30:45 +um uh challenge screens but uh for myself for this uh demo I'm +30:52 +going to our Registration site +30:59 +so I'll either put the button and fingerprint 
and now I'm taken to our Carolina key +31:05 +registration website so we have lots of verbiage here about you know how it works and you know what we're trying to +31:11 +do and then here are our registered Carolina keys so Carolina key is essentially a device +31:18 +a device is your key so I have six um devices registered uh here that I can +31:25 +use to access our systems if I wanted to register a new one all I do is um select register new +31:31 +device we try and just guess what your device is just to give you some hints towards +31:37 +naming it and then hit save already registered this one so we'll complain on +31:42 +that one exists now let's delete it here +31:54 +thank you and +32:00 +making sure so again one other thing on a uh Mac Book it'll be a totally +32:07 +different user interface or at least that dialogue that showed +32:12 +itself so the light device successfully registered you may not use it to log in +32:19 +so there we go UNC Windows 10 is there I can rename that device +32:25 +or delete it and there are some management functions there to help manage manage users so +32:31 +um I can log out and let's just clear my cookies +32:40 +and we'll go back to the registration page and the only reason why my username is stored here is because I'm using this +32:47 +LastPass and I haven't turned that over so there are everyone every if you haven't logged in with Carolina key +32:53 +you'll have to enter your onion every time unless you're using a password man so +32:59 +Carolina key sign in I'll sign in again fingerprint +33:07 +takes me to the site now since I've logged in just as a convenience and this is where we're trying to make it uh more a +33:14 +quicker experience for users I'm logging into a different service provider so see you remembers +33:20 +atariq I'm logged in Carolina key button is available this is all I have to press +33:25 +and if I was using FaceTime I just smile and I'm in +33:32 +it so and then your access this happens to be the 
registration page but it's a site but it can be any other service +33:38 +provider and also as you notice there is no Duo +33:44 +involved in that process let's see trauma and then you can always log in because there are certain service +33:50 +providers where uh we would like to still use Duo um so uh we're still figuring out you +33:58 +know what that looks like but in those cases if you don't have your device with you you can always use your password and +34:06 +then you take it into the duo process here +34:11 +no cancel that all right so that's our implementation there and +34:22 +that's it +34:31 +excellent we have a number of questions that I've queued up I tried answering one of them uh feel free to read that uh +34:38 +exchange between myself and Davis same here bands and we have 11 +34:44 +open questions right now uh if there are comments in chat I didn't see any appear there so I think I I thank you all for +34:51 +putting the comments or the questions in the Q a uh Zoom Channel +34:56 +so most of the things that are left here Tariq are directed to you and the project and the work so I'll let you uh +35:03 +pull those up if and I'll read them along with you so that those who are only attending by Audio can hear that as +35:09 +well but the very first question from Michael is how many FTE were focused on the Sprints throughout 2021 +35:16 +I'll say one and a half and uh was that the full-time +35:23 +equivalence were they I'm adding on to the question just because I know I have a frequent understanding of how people +35:30 +get uh how a full-time equivalent is shared was this dedicated 100 to this +35:36 +work or okay yes yeah so one uh and that was me dedicated 100 to this work and +35:41 +then there were uh uh there was another another developer who was about half time who would help uh when we had +35:47 +available when he had availability but then we had a whole graph the people that we would pull in as far as the +35:53 +teams that I mentioned to 
help um uh you know with other issues +35:58 +fair enough great um uh Michael Hodges asks are the should +36:04 +views configs Etc the registration app Etc uh shared on GitHub or elsewhere +36:10 +yeah so not not by us so we we have been looking at definitely sharing like our registration service because I know +36:16 +folks have asked us about that in the past so as soon as we get to a point to where we can breathe we will look at +36:22 +open source in some of these uh some of our developments excellent uh and if there are follow-on +36:29 +questions feel free to add them into the channel as well um I'm looking ahead as I'm reading +36:35 +through these uh on behalf of Tariq so Duo offers passwordless as an option now +36:40 +and can be utilized through tiered Services Duo MFA Duo access and Duo Beyond +36:46 +um and I think that this is more just uh expanding on a comment that you had made +36:52 +during the uh the demo and the presentation about Duo +36:59 +features uh and minimizing their use but there are some other additional things here Abraham if you wanna add any +37:06 +additional comments to that feel free yeah because I don't it's not going away anytime soon uh we just I guess to +37:14 +reduce the Reliance on it and at least make it more seamless but that will be interesting to see what Duo is offering in this video yeah and the follow-up +37:20 +question is is there a plan to go do a you know use the new Duo passwordless option uh in your environment it sounds +37:28 +like from your presentation that's something you're trying to avoid yeah yeah it hasn't been presented to me as +37:33 +an option so it might be uh someone else may be making that decision but I'm not aware +37:40 +okay um that emasks do you have do you give each device a nickname like Duke unlock +37:45 +does yes we do so that that's when you uh we're in the registration app and +37:51 +then you set you know set this device and it said Windows 10 um we just try and +37:56 +um basically 
uh read the user agent for that device and then we will just give +38:01 +you a nice name but you can rename that to whatever you want it to be so every device does have a nickname +38:07 +and rohita asks what what was your security testing like too many moving pieces in this architecture any missed +38:14 +vulnerability can turn disaster is just wondering if the security aspect was extensively tested oh yeah yeah it was +38:21 +extensive um so there are a lot of moving uh pieces but this is the problem once you go to a microservice architecture which +38:28 +is what we essentially have I mean you could have bundled all of that into uh Chevrolet but this is uh typical for +38:35 +nowadays I have a whole bunch of little services on the back end that are communicating to they changed some goal +38:41 +so uh we're just following those new patterns but we did have extensive testing to make sure that things are uh +38:48 +complete so um the typical things you know want to report scanning and uh we did find not a +38:55 +vulnerability but certain things things that we could share if you look at your libraries that you're using to make sure that those are all uh those don't have +39:02 +vulnerabilities you look at um your you know your deployments to make sure open ports are closed no +39:07 +passwords you know typical things we did uh run the scans that the university typically uh runs before the uh deploy +39:15 +something like this and an aspect of this that was related to David's question about whether the +39:21 +shiblet Consortium is going to adopt any of you know these modules or is going to build a response for those who are not +39:28 +who are just connected by Audio I just thought I'd replay a portion of that because it relates to this which is there are a lot of moving Parts I want +39:34 +to underscore what Tariq just said um and so whether or not the shibboleth uh IDP has in inbuilt support for web +39:42 +authen uh is only a portion of the implementation 
puzzle it is not the key +39:47 +to it and so um whether the engine the I know that the engineering team is talking about +39:53 +this actively researching sort of a best interface way of presenting this and +39:58 +there are a lot of conversations on the ship mail lists about this uh periodically that pop up so you're encouraged to look at those as well to +40:05 +follow along um it is also the case that if there is a community solution a community module +40:11 +implementation Etc that is acceptable to the engineering team they have incorp +40:16 +operated stuff in the past in the core so it's certainly something that could +40:21 +be considered but I don't have a definitive answer to that but internet too is a principal investor in the civil +40:27 +with Consortium so I just thought I would take that on as a part of this question thank you +40:33 +um uh Krishna asks question on resources was it developed and implemented with +40:40 +internal resources did you have any external implementation partners well yeah this was uh all internal but I +40:47 +always you know Rivals right Duke and UNC Rivals but I always try into I always try and Shout +40:54 +Out Duke because um they actually open source their initial rollout of web not name their +40:59 +rollout but like a proof of concept essentially for integrating with web authens so that got +41:05 +us off the ground so initially we had a couple conversation with them to share what we were doing and to learn about +41:10 +some of their uh Lessons Learned as well um so that's like that's the most we've done as far as Outsourcing just to try +41:17 +and understand what folks are doing and the challenges they have but all the development has been done in-house but +41:22 +some of the code to get off the ground was you know um from other folks +41:28 +uh and I I skipped over uh Winston's question I'll I'll I scrolled back up +41:33 +and there it is are you buying bulk keys to distribute sell or just having users bring 
their own +41:39 +so uh there has been some discussion about uh buying bulk keys but they've decided not to do that forgot the reason +41:46 +why but just um I think it's been more effective to just especially for students to say hey +41:52 +use your phone everyone's tethered completely to their phone or their device um um so uh we don't uh have to use uh +42:00 +keys but there's if you need one actually you can request one I I have one at the university university +42:06 +um uh for testing but if you need one they'll give you one but there's no uh plan to give it out to everyone at the +42:12 +University and then Nadim asks we are in the process of ruling out our own +42:18 +passwordless solution based on Duke unlock and we're trying to create the logic that you just showed after the +42:23 +username and then display whether or not a user can enter a password or use the passwordless option are you willing to +42:29 +share how you do that in shivalith sure yep yep it's uh that's where the +42:34 +part I mentioned where you have to develop Uh custom servlets and this is where +42:41 +I guess because you know you have to we don't develop a lot of servants anymore +42:47 +in the Java world you develop you know spring or something that wraps around it but at this level at least on the on the +42:54 +Chevrolet side we have to develop a servlet that the user interface can call back to which then uh delegates to our +43:02 +back-end services to make that call so I can share that but yeah there's a servlet that we developed to answer +43:07 +those calls and provide a yes or no um sorry and related to this I'm skipping +43:14 +ahead just a little bit and I'll come back to the other questions uh will UNC share the code for the implementation this is related to the exact same uh +43:21 +question that's being asked now so I thought yeah yeah so yeah there was a plan we have discussed that internally +43:27 +um about sharing that but like as soon as we can um get through these 
uh next couple +43:32 +weeks as far as rollouts we will definitely revisit that but I we definitely want to contribute back because that's what helped us to get off +43:39 +the ground and then Brent asks can you explain how this would work with lab computers or +43:45 +public computers do you reject the option for users to register a student lab or public computer +43:50 +that's a good question um so um we we don't know that it's a public computer so +43:57 +um you can do that um uh how do we take care of that yeah +44:02 +we've gone through that uh on a security um rounds but it would I guess it would be similar to just logging with the +44:08 +username and password um because there's still a challenge if you use a public computer right there's still a some challenge if you use your +44:14 +UB key you have to have that device um if you're using a biometric where I hope a public computer doesn't have a +44:20 +biometric device um you'll still have to use your fingerprint or your face so there will +44:25 +always be an additional challenge um if you even if you're using a public computer so we're we're okay there and +44:33 +we do allow it but um yeah it's actually more secure than the password because you'll have to +44:38 +physically have that thing to say you know I am me which +44:44 +is you you'll be key or your um device itself and also on on flight so for instance um +44:51 +if it's a public computer especially on a university uh I they +44:56 +should not have Windows hello involved you know enabled you know where you can do that so I mean there's a whole lot of +45:02 +things that have to break down for for it to be uh some you know a large issue but we're okay there +45:09 +as is always the joy um there's a yeah there's always the what happens if +45:15 +I lose my the thing I have um and then how do I how do I rebootstrap myself into uh into the +45:23 +system from that point and I don't know if you've had a number of dry run experiences with people losing 
things +45:28 +but I'm sure that you might have some pointers on that as well yeah here's a great example this happened to me and I +45:34 +was embarrassed for a second so I upgraded my phone and I went to log in +45:40 +and I kept rejecting it my phone I already said this is registered device +45:45 +and then uh oh I updated my phone so I had to go into the Registration site +45:50 +just delete that key and then add it for that phone so you know all you have to do is go delete the key or have someone from the +45:57 +help desk delete it and then you re-register and you're good to go excellent Michael asks what is the +46:04 +thinking behind Services must use Duo um you know there's still a comfort zone +46:11 +a comfort right you just want as many and this is not um this is not me uh but +46:18 +there are you know certain folks just want as many box boxes checked to access certain things +46:24 +um so I think that's going to go away um this is that was some of the initial pilot which is they're like hey let's +46:29 +make sure this works for everyone um and it's secure just some folks just have to get comfortable with certain +46:36 +security and then um once that Comfort is there I think then it'll go away but yeah I get you +46:43 +but just you know people way above our pay grade just want as many boxes checked on certain systems there are +46:50 +some highly sensitive systems here that folks want to have additional access +46:55 +controls on it and speaking of checking boxes Jeremy asks have you performed surveys of Campus Hardware that can +47:01 +support a web opt-in yes we do we we have and that's part of the slow rollout to students so students have the latest +47:08 +and greatest Hardware faculty don't always have that so uh that's part of +47:13 +the reason why there is an automatic push so but they do have an idea of of what devices are on they do know yeah +47:21 +and they expect to have all those issues mitigated early 2023 so early 2023 +47:26 
+hopefully this will just be generally available to everyone at the University +47:32 +excellent and then Lance asks does this introduce any unique issues with user D +47:37 +provisioning it sure does that's our next project there's a or that's the next project it's a deep provisioning +47:43 +project and how to tie that into everything um so yes that's a great question +47:49 +uh Eric asks what is the impact to ref Ed's MFA assertion for SPS that may require MFA signaling +47:57 +yeah that's a good question and someone told me that will come up um I just didn't have enough time to refigure it but in the configuration +48:03 +file there is an association um you just have to associate the web +48:08 +often to uh the refresh uh profile so there's a way you say refed and it's +48:15 +associated with MFA so web of web often is associated with MFA so they're +48:20 +it'll work very good answer lady that's the best I can yeah we tested that +48:25 +um and we haven't found any challenges there but there was inside of the configuration that's what I was talking about you have to go deep inside that I +48:32 +know by Howard conf often and there's a whole raft of configuration files in there that you have to set +48:39 +excellent and we we have a few minutes more for questions I'm going to try and power through them as much as I can +48:44 +Pavel asks about Windows hello for business I suppose you have computers in the ad domain is it only enabled so that +48:50 +users have to register each computer separately or do they log into the computer and hello is set up +48:55 +automatically uh and then they just do the passwordless login oh no so let me read that Aquarium +49:07 +um yeah so no they will have to register +49:12 +each computer separately so once you enable Windows hello over business +49:17 +um and you know then you have to log what you have to integrate that with the VPN there's a whole bunch of things that +49:22 +you have to enable that for just for the device 
itself and then once you log into uh web often +49:29 +it'll say oh you can use this as well so you also have to register your laptop in +49:35 +addition to but it's just saying since this is available on your laptop you can then use it for web all things +49:41 +foreign but yeah it will be also generally available to log on to your +49:46 +laptop but you can use that to access everything else that you have access to from your system +49:53 +and then uh Michael asks did you have to upgrade your ad environment to support Windows hello +49:58 +there was some work there I'm not sure of all the details but it was that's one thing that took us a while there was I +50:03 +didn't I wasn't involved in that I was just part of the discussions but there was some work there +50:09 +and does the security team consider a login on a registered device with a fingerprint an equivalent dual Factor +50:14 +authentication is the old way with password and Duo push +50:19 +um I'll say just equivalent from as far as you know uh MFA or multi-factors so +50:26 +um uh and so Duo was basically there to implement multi-factor authentication and uh web often is an equivalent uh to +50:34 +uh or suffices for multi-factor officer than occasion so it's almost yes technically it is equal but like I said +50:41 +there's still some uh you know it'll still be around for a while but +50:47 +yeah it is multi-factor similar to new one and also just to keep in mind as far as the registration process is concerned +50:55 +um you all you have to go through the Dual process I didn't show that because you don't have any web often uh registrations available so you're still +51:01 +using username and password so you have to use Duo to even register so that's another check to even get to the +51:07 +Registration site and uh Matthew writes uh thank you for +51:13 +the presentation which I will second in another moment but would you please tell me what if any anticipated impact the +51:19 +custom implementation 
will have on shiblet patching and testing yeah there will be +51:24 +um and I think so even prior to web authen um the team there we they've had to +51:31 +extend Shively for other reasons so they haven't there's an extensive testing +51:37 +process um as far as upgrading to a new version of share with us so this will just be folded into that I haven't been part of +51:42 +that but I do know that they are in place but there will be what we tried to do +51:48 +um much as possible is not disturb the base ecosystem of sugar so and what we do is +51:56 +you know even when I want to get started on a new one locally I just download uh Chevrolet and then we overlay our files +52:02 +on top of that and that's basically our basic implementation and there are some custom things we do but that's not a lot +52:09 +it's like we we co-exist with it that's what our general approach is so when it's upgraded their upgrades +52:15 +you know we don't have to do a lot of hard work I will Advocate that as a healthy stance uh Krishna asks if you +52:22 +have an MFA as a requirement would you meet the requirement if one is using a UV key will that be a second Factor 100 +52:28 +yes and then um we're I think we're just gonna make it uh Anonymous attendee asks are you +52:35 +able to configure this login flow to only allow web often on UNC networks such as a campus or via VPN yes +52:42 +excellent um and then David uh comments that MFA +52:48 +profile is explicitly multi-factor profile not a strong auth end profile so um I will acknowledge that and with that +52:55 +I would like to say thank you to everyone for participating and the great questions and Tariq for your wonderful +53:01 +summary information of your experience and good luck on the deployment tonight uh and with that I will pass the Baton +53:07 +back to April foreign +53:15 +thank you so much um Steve and I echoed that thanks to both you and Tariq uh for a +53:23 +um engaging um discussion uh this afternoon as we're +53:29 
+wrapping up just a couple of reminders um once again want to reiterate we will provide the recording of this +53:36 +afternoon's webinar you can expect to receive that in your inbox uh in the next few days and you'll also find it on +53:43 +our website um please complete our Zoom survey we really value your feedback about I am +53:48 +online and we would appreciate you taking the time to complete that survey +53:54 +if you have General feedback you can certainly get in touch with me April Motley my email address is there I want +54:00 +to let you know about our next program which is extending IAM to the cloud +54:05 +um will be Wednesday November 16th and if you generally have ideas about future +54:11 +programs we do have a web form uh up on the IAM online website of at your +54:18 +convenience other quick reminders just want to make you aware this Friday October 21st is +54:24 +like a mega day here at internet to and in common um that is the last day to take +54:29 +advantage of reduced registration rates for Tech X and during Tech X this year +54:35 +we will be having in common Camp week which some of you may be familiar with that will be in person at Tech X so +54:41 +again those reduced registration rates are available through this Friday also ending this Friday are early bird +54:48 +rates for our next round of grouper training if that is of interest to you and finally do want to remind you that +54:55 +this is our last call for nominations for income and advisory committees the call for nominations also ends this +55:01 +Friday October 21st so if that's of interest to you please take a look at that information which is also +55:09 +um on our website and in preparation for next month's +55:14 +program uh cacti which is our community architecture committee for trust and +55:19 +identity has prepared a pre-webinar survey and we would ask that if you have +55:25 +the opportunity to complete that survey um you would do so we'll be sending out more information 
about that but did want +55:31 +to make you aware of that program and that opportunity to provide input prior +55:37 +to the next webinar thank you again to Tariq and Steve and also to our meetings +55:43 +and convening team to Susan and Carly for supporting this program and for everyone who attended we will see you in +55:51 +November have a great rest of the day okay thank you bye everyone thank you +55:59 +[Music] +IAM ONLINE: Going Password Free at UNC +I2 Online - Internet2 +111 subscribers +246 views 2 months ago +University of North Carolina at Chapel Hill is on its way towards having passwordless logins. Seven months ago, the university launched a pilot to test its implementation of WebAuthn, known locally as Carolina Key. This new feature of the UNC web-based single sign-on (SSO) utilizes device-specific authentications, such as hardware security keys and fingerprint or face recognition. … +1:01:42 +Now playing +Extending IAM to the Cloud: It's Still Your Program +I2 Online - Internet2 +194 views 2 months ago +29:57 +Now playing +VR Video: CES 2023 XR RECAP - Pimax Portal & Crystal, Shiftall MeganeX, Mutalk, Razer, TCL Nxtwear +Hugh Hou +7.3K views 5 days ago +New +VR180 +Speeding Up Game Development with ChatGPT: Creating a Pong Clone in C++ +project:code +234 views 2 days ago +New +Introduction to Programming +Eli the Computer Guy +2.3M views 11 years ago +Code 67 +VMware Tanzu +1 watching +LIVE +TechEX22: Max Larson Henry +I2 Online - Internet2 +12 views 7 days ago +15 +Now playing +Minority Serving - Cyberinfrastructure Consortium (MS-CC) Webinars +I2 Online - Internet2 +Huron FDA NPRM Webinar #1: Common Rule Harmonization +Huron +32 views 2 weeks ago +📆 Outlook Calendar Tips & Tricks +Kevin Stratvert +1.3M views 1 year ago +Building Tech Connections Featuring Jackson State University +I2 Online - Internet2 +107 views 3 months ago +eduroam: What's New For You +I2 Online - Internet2 +82 views 3 months ago +Key Takeaways from the I2I Scholarship 
Experience: Tomomi Imamura +I2 Online - Internet2 +16 views 4 months ago +Leaving LastPass - How LastPass failed, Steve's next password manager, how to protect yourself +Security Now +39K views 2 weeks ago +Live Session - Full Stack Developer Course Offered by University of Moratuwa & DP Education +Dhammika Perera +81K views 3 months ago +9 +Now playing +Linux +Eli the Computer Guy +CS50 2022 - Lecture 0 - Scratch +CS50 +997K views Streamed 4 months ago +The first 20 hours -- how to learn anything | Josh Kaufman | TEDxCSU +TEDx Talks +33M views 9 years ago +MS-CC Meeting on October 27, 2022 +I2 Online - Internet2 +36 views 2 months ago +Top 20 Microsoft OneNote Tips and Tricks 2022 | How to use OneNote effectively & be more organized +Mike Tholfsen +601K views 1 year ago +CS50 2022 - Lecture 4 - Memory +CS50 +219K views Streamed 3 months ago
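Review bot: The tail of this file (everything after the closing "[Music]" line, from "1:01:42 Now playing Extending IAM to the Cloud" through "CS50 2022 - Lecture 4 - Memory") is YouTube sidebar residue of unrelated recommended videos, view counts and "Now playing" labels, not transcript, and should be dropped before this is committed; the lines immediately before it ("IAM ONLINE: Going Password Free at UNC", "I2 Online - Internet2" and the one-paragraph description of the Carolina Key pilot) are the only provenance the file carries, so move them to the top of the file as a header rather than leaving them buried after the transcript. Also consider stating in that header that this is an uncorrected auto-generated caption track, since the text contains speech-recognition mis-hearings a reader will otherwise take literally: "Chevrolet" and "shiblet" where the speaker is evidently discussing the Shibboleth IdP (the word "shibboleth" appears correctly a few lines later), "web often" and "web authen" for the WebAuthn named in the title, and "UB key" / "UV key" for the hardware keys being discussed. Finally, the commit message "Add files via upload" says nothing about what the file is or where it came from; a one-line description naming the webinar and source would make the history usable.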