Masaryk University Faculty of Informatics Identity provisioning to Masaryk University IT services based on Microsoft environment Master’s Thesis Bc. David Štencel Brno, Spring 2019 Masaryk University Faculty of Informatics Identity provisioning to Masaryk University IT services based on Microsoft environment Master’s Thesis Bc. David Štencel Brno, Spring 2019 This is where a copy of the official signed thesis assignment and a copy ofthe Statement of an Author is located in the printed version of the document. Declaration Hereby I declare that this paper is my original authorial work, which I have worked out on my own. All sources, references, and literature used or excerpted during elaboration of this work are properly cited and listed in complete reference to the due source. Bc. David Štencel Advisor: Mgr. Kamil Malinka, Ph.D. i Acknowledgements I would like to thank my advisor Mgr. Kamil Malinka, Ph.D. for his professional guidance and experience. Also, I would like to thank Jan Izydorczyk, Mgr. Slávek Licehammer, and the rest of the Office 365 team at ICS for their collaboration, support, and patience during the creation of this master’s thesis. Finally, I would like to thank my family for all their support during my whole studies. iii Abstract The aim of the thesis is to design and implement an interconnection of university identity management system Perun with services run- ning in Microsoft environment. Resultant PowerShell scripts utilizing OpenSSH and PowerShell remoting allow data transmission from Perun to Windows hosts and launching service provisioning scripts. The thesis covers Active Directory and Office 365 as example target services, and a revised PowerShell web proxy that adjusts additional object settings within university Office 365. iv Keywords identity management, identity provisioning, Perun, Windows, ser- vices, Active Directory, Office 365, OpenSSH, PowerShell connector, PowerShell web proxy v Contents Introduction 1 1 Motivation 3 2 Current environment 5 2.1 Perun at MU .........................5 2.2 Active Directory at MU ...................7 2.3 Azure Active Directory and Office 365 at MU ........7 3 Analysis 13 3.1 Requirements ......................... 13 3.2 Windows remote management ................ 14 3.2.1 PowerShell remoting . 14 3.2.2 OpenSSH in Windows Server . 16 3.3 Active Directory ....................... 17 3.4 Azure Active Directory and Office 365 ............ 18 3.5 Message queueing ....................... 18 3.5.1 RabbitMQ . 19 3.6 Group Managed Service Accounts .............. 21 4 Design 23 4.1 Active Directory ....................... 25 4.2 Azure Active Directory and Office 365 ............ 25 4.2.1 PowerShell web proxy . 27 5 Proof of concept 31 5.1 Perun - data generation .................... 32 5.2 Protocol translator ...................... 32 5.3 Perun connector ........................ 33 5.3.1 AD service . 34 5.3.2 AADC service . 34 5.3.3 O365 service . 34 5.4 PowerShell web proxy ..................... 35 5.4.1 REST API . 35 5.4.2 RabbitMQ . 35 5.4.3 Queue listener and O365 module . 35 vii 5.4.4 PowerShell service . 36 5.5 Logging and monitoring ................... 37 5.6 Testing ............................. 38 5.7 Deployment .......................... 39 Conclusion 43 A Electronic appendices 47 Bibliography 49 viii Introduction In large organizations, keeping uniform up-to-date identity informa- tion across all IT services that consume them is a challenge. At Masaryk University, at least ninety thousand1 users and groups from various sources are managed. This data often alters when people graduate, change their fields of studies, work groups, or workplaces. As a central- ized solution, an identity management system can be used to gather information from the Office for studies, economic or HR systems, and to propagate it to connected services. At the university, the identity management system called Perun2 [1] gradually replaces its out-dated predecessor. The identity provisioning procedures vary from service to service. To unify the process and support a wide range of services, Perun misses a generic component that would interconnect the new identity management system with Windows machines which host target services. The thesis aims to design a mean of communication between Perun and Microsoft services. It focuses on identity provisioning to Microsoft Active Directory and Microsoft Office 365 as an example target services that represent important systems for the university operations. The first chapter introduces the motivation of the thesis and defines high-level issues that the current environment faces. In the second chapter, I describe the current architecture of identity management at MU with a focus on Active Directory and Office 365, and more specific problems to be covered in the solution. Chapter three is dedicated to the requirements, analysis of methods of remote Windows management, identity provisioning to Active Directory and Office 365, a concept of message queueing used inthe management of Office 365 at the university, and a secure approach of managing Windows service accounts in a domain. Chapter four covers the design of a Perun-Windows connector and the identity provisioning to Active Directory and Office 365 that builds upon the knowledge of the environment and the performed analysis. 1. The number of user and group objects managed by the identity management system at MU called Perun. 2. https://perun-aai.org 1 A proof of concept described in chapter five follows. It includes implementation and testing of the module interconnecting Perun and Windows hosts. It also incorporates scripts for identity provisioning to Active Directory and Office 365, and deployment instructions to run the proposed solution in the production environment. 2 1 Motivation Masaryk University is a large environment with a great number of users, and also it is very dynamic. Currently, in 2019, there are over two thousand user groups1 and eighty-nine thousand user accounts2 including students, employees, and guest users who often change their fields of studies, workplaces or project partnerships. To provide services that are available to authorized users, and to make sure that every one of them has the proper attributes filled, licenses, rights and permissions assigned for required systems and applications, a centralized identity and access management system is needed. At the university, an identity and access management system called Perun has been deployed that should replace its predecessor. It runs on Linux hosts. It gathers identity information from various sources, processes it and sends it to the connected systems. Linux based ser- vices are usually managed natively through an SSH connector and provisioning scripts on the service host. Another Linux and Windows services rely on standard file transfer protocols, LDAP [2], or own ser- vice APIs. However, some Microsoft-based services are not compatible with any of the listed channels, or they have special requirements. For these use-cases, there is no universal Windows connector available. The university operates Microsoft Office 365 (O365) [3] that already relies on Perun and represents one of the services with extra demands. The original design depends on Perun’s responsibility for filling an instance of Microsoft Active Directory (AD) [4] via LDAP with a por- tion of attributes, and scheduled AD synchronization to O365 Azure Active Directory (AAD) [5]. Asynchronously, Perun calls a web proxy to set other object properties in O365. Although the system has been working fine, it needs to be revised because of the inefficient commu- nication model, unsuitable accountability distribution and resulting bad manageability, and complex implementation of the web proxy. Perun using two data channels is the root problem. The issues are put in context and discussed in more detail in section 2.3. 1. The number of group objects managed by the identity management system at MU called Perun 2. The number of user objects managed by the identity management system at MU called Perun. Fifty-four thousand of them are active users. 3 1. Motivation The goal is to offer centralized identity management with uni- fied provisioning procedures for a wide range of services running on Linux and Windows. The consolidation of heterogeneous identity management approaches involves implementation of a reusable Perun connector for Windows services. The connector would lead to con- necting new services to the central management and relieving Perun of excess functionality. 4 2 Current environment This chapter aims to give an idea of the concept of the identity man- agement at MU and weak spots in the current setting of the O365 service. The design is depicted in figure 2.1. It covers internal and federated identities of university students, employees, and guest users. The data sources distinguish individuals, groups, and other sources of attributes. Connected services consume the consolidated data from the central identity management system. Figure 2.1: The concept of identity management at MU. 2.1 Perun at MU Perun [1] manages organizational identity and access rights infor- mation, one running instance can be shared between several virtual institutions. It is being developed by CESNET1, CERIT-SC2, and stu- dents of Masaryk University. It was originally dedicated for managing users and services in distributed environments like computational and storage grids, so it is a robust and scalable solution. 1. https://www.cesnet.cz 2. https://www.cerit-sc.cz 5 2.
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages67 Page
-
File Size-