Austrian law mandates a standardized system for user management and single-sign-on for use in Austrian government institutions. The LFRZ is one of the main providers of conformant software solutions for this sector. We show how Magnolia was integrated into this system, and the challenges faced and overcome in doing so.
2. Magnolia user management and SSO for Austrian government sector
Magnolia Conference 2012 – Technical Track
Presented by Richard Unger and Rihard Monovic
3. Agenda
1 About RISE & LFRZ
2 SSO in Austrian government
3 Requirements and challenges
4 Implementation
5. About RISE and LFRZ – Partnership
RISE – partner for industry
LFRZ – partner for government
User management and SSO for Austrian government 5
6. About RISE
Corporation, www.rise-world.com
TU spin-off, founded 1987
TU Vienna, INSO – the think tank of RISE, 40 PhDs
Competences
More than 300 world-class IT engineers and architects
Highly acknowledged R&D enterprise in Europe
Top developers (e.g. part of the world-wide Java/Eclipse provider community, component delivery)
Specialists in IT infrastructure and IT integration
Top experts in e.g. IT architecture, IT strategy, IT security, usability, transport IT, system performance
Locations
HQ in Schwechat/Airport and Vienna
Offices in several countries
RISE personnel works world-wide
7. About RISE – Project examples
2003 – 2006: ID card for all Austrians + country-wide IT infrastructure: 8 million electronic ID cards, 24,000 specially designed components for offices, delivered in 24 months
2005 – 2008: overall health network in Germany; architecture, planning and project/program management for the at that time largest IT project in Europe (€1.8 billion), design at CeBit 2005, led until 2008
2009 – 2012: country-wide ticketing for railway / public transport in Austria, 10 million tickets/year, highly complex interoperability, all access channels (clerk counter, POS automat, internet, travel agent, mobile phone)
2007 – 2008: design and architecture of the government network plus the school & health network of Qatar, including NOC (network operating center) and SOC (security operating center)
1993 – today: IT infrastructure, software projects, rollouts, IT architectures for e.g. MoI, MoH, MoF, MoA, MoS, MoX… in several countries
8. About RISE – Clients
AMS Österreich
Oesterreichische Kontrollbank AG
Bank Austria – treasury merger and system upgrades
Austrian universities – overall IT strategy
Bundesrechenzentrum – test and multi-project management
Federal administration – ELAK rollout
IT portfolio – Die Presse
Dresdner Bank
Bundesministerium für Gesundheit, Berlin
Ministry of Justice, United Arab Emirates
ICT Qatar (entire ICT portfolio)
Usability and web strategy for the Indian government
Qatar Foundation (infrastructure planning)
E-government strategy for Libya
9. About LFRZ
“Land-, forst- & wasserwirtschaftliches Rechenzentrum GmbH” – www.lfrz.at
IT service provider located in Vienna
Owned by the Austrian “ministry of agriculture”, which is also the principal customer
Approx. 30 employees + external consultants
Focus is on GIS, SSO, custom application development in Java, data integration, IT operations and CMS
10. About LFRZ – Clients
LFRZ’s principal customer, principal website: www.lebensministerium.at
12. SSO in Austrian government
Principal customer – “Lebensministerium”
120 editors
30+ websites
Different departments, different offices in different cities
Existing SSO solution: Windows login enables access to all assigned applications
13. SSO in Austrian government
SSO solution: “Portalverbund der Österreichischen Behörden”
Use is mandated by law
Standardized protocols, different implementations
Decentralized rights management
Different portal providers, different application providers
14. SSO in Austrian government
SSO solution “Portalverbund”
Systems involved: “proxy-based” solution with a home-portal and an application-portal
Role model: similar to J2EE, users have roles in an application
PVP protocol: SSO information is provided to the application in HTTP headers
15. SSO in Austrian government
SSO solution “Portalverbund”
[Diagram: home-portal → application-portal → application; user info is passed in HTTP headers at each hop]
17. SSO – requirements and challenges
Manageable roles and groups
Old CMS had SSO integration
Old CMS did not use ACLs
120 editors needed 700 groups!
Synchronization of Portalverbund LDAP and CMS
Incredibly confusing!
18. SSO – requirements and challenges
Requirements
SSO – automatic login
Roles and groups normally managed in Magnolia
Roles and groups also via PVP headers, using mappings
Permissions (ACLs) managed in Magnolia
Automatic user creation on login
“Preemptive” user creation from the LDAP GUI
19. SSO – requirements and challenges
Challenges
Integrating SSO
How to handle permissions (ACLs)
Keeping roles and groups manageable
Implementing GUIs in Magnolia
24. SSO – implementation in Magnolia
Module pvp-jaas
Configuration via content2bean
Group and role mappings possible
Auto-update of user infos (marriage, change of office, etc.)
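The following is an added example, not code from the slides, from LFRZ's pvp-jaas module or from Magnolia. It models the behaviour slides 14 and 24 describe: the application-portal asserts the user's identity and roles in HTTP headers, the application maps those roles to CMS groups and roles, and the local user record is created on first login and refreshed on every later one (so a changed family name or office, or a role revoked at the portal, takes effect immediately). The header names, the role syntax, the trusted portal address and the role mapping table are assumptions chosen for illustration; consult the PVP specification for the real ones. The essential check is the first one in login(): identity headers are only honoured when the request provably came from the application-portal, because any client could otherwise send them itself.

```python
"""Added example of consuming PVP-style SSO headers behind an application-portal.

Not LFRZ's pvp-jaas module and not Magnolia code: header names, role syntax,
the trusted portal address and the role mapping are illustrative assumptions.
"""
from dataclasses import dataclass, field
import ipaddress
import re

# Assumed header names (placeholders modelled on the PVP convention).
H_USERID = "x-pvp-userid"
H_ROLES = "x-pvp-roles"
H_GIVENNAME = "x-pvp-givenname"
H_FAMILYNAME = "x-pvp-familyname"
H_MAIL = "x-pvp-mail"

# Only the application-portal (the proxy in front of the CMS) may assert an
# identity. Constructed address; in practice this is the portal's real address
# or, better, a mutually authenticated connection from it.
TRUSTED_PORTALS = {ipaddress.ip_address("10.0.0.5")}

# Mapping from PVP roles to CMS groups and roles (constructed example). ACLs
# themselves stay attached to the CMS roles, as on slide 18.
ROLE_MAP = {
    "cms-editor": {"groups": ["editors"], "roles": ["editor"]},
    "cms-publisher": {"groups": ["editors", "publishers"],
                      "roles": ["editor", "publisher"]},
}


@dataclass
class User:
    """Local CMS user record created/updated from the SSO headers."""
    name: str
    given_name: str = ""
    family_name: str = ""
    mail: str = ""
    groups: set = field(default_factory=set)
    roles: set = field(default_factory=set)


class SsoError(Exception):
    """Raised when a request must not be accepted as an SSO login."""


# Assumed role syntax: "name(param=value,param2=value2);name2"
_ROLE_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*(?:\((.*)\))?\s*$")


def parse_roles(raw):
    """Parse the roles header into a list of (role_name, {param: value})."""
    roles = []
    for item in raw.split(";"):
        if not item.strip():
            continue
        m = _ROLE_RE.match(item)
        if not m:
            raise SsoError(f"malformed role entry: {item!r}")
        name, params_raw = m.group(1), m.group(2) or ""
        params = {}
        for p in params_raw.split(","):
            if "=" in p:
                k, v = p.split("=", 1)
                params[k.strip()] = v.strip()
        roles.append((name, params))
    return roles


def login(headers, remote_addr, user_store):
    """Create or update the user named in the headers; return the User.

    headers: dict of HTTP request headers (any case); remote_addr: peer address
    the request arrived from; user_store: dict acting as the CMS user repository.
    """
    # Trust boundary: identity headers are meaningful only from the portal.
    if ipaddress.ip_address(remote_addr) not in TRUSTED_PORTALS:
        raise SsoError(f"SSO headers from untrusted source {remote_addr}")
    h = {k.lower(): v for k, v in headers.items()}
    user_id = h.get(H_USERID, "").strip()
    if not user_id:
        raise SsoError("missing user id header")

    # Map PVP roles to CMS groups/roles; unmapped PVP roles grant nothing.
    groups, roles = set(), set()
    for name, _params in parse_roles(h.get(H_ROLES, "")):
        mapping = ROLE_MAP.get(name)
        if mapping is None:
            continue
        groups.update(mapping["groups"])
        roles.update(mapping["roles"])

    # Automatic user creation on first login, auto-update afterwards.
    user = user_store.get(user_id)
    if user is None:
        user = User(name=user_id)
        user_store[user_id] = user
    user.given_name = h.get(H_GIVENNAME, user.given_name)
    user.family_name = h.get(H_FAMILYNAME, user.family_name)
    user.mail = h.get(H_MAIL, user.mail)
    # Replace, do not merge: rights revoked at the portal disappear here too.
    user.groups = groups
    user.roles = roles
    return user


if __name__ == "__main__":
    store = {}
    # Constructed request as the application-portal would forward it.
    u = login({"X-PVP-USERID": "jdoe", "X-PVP-ROLES": "cms-editor(ou=press)",
               "X-PVP-GIVENNAME": "Jane", "X-PVP-FAMILYNAME": "Doe"},
              "10.0.0.5", store)
    print(u)
```

Groups and roles are overwritten on every login rather than merged, which is what keeps the 700-groups problem from slide 17 from creeping back in: the portal's LDAP remains the single source of who holds which role, while the mapping table and the ACLs on the CMS side stay small and under the administrator's control.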
26. SSO – implementation in Magnolia
Conclusion
Working well in production
Easy for editors, easy for admins
Customer manages users
LFRZ manages groups, roles and ACLs
Magnolia is now “Portalverbund”-compatible