ITS NCID Next Generation (NG) Project Overview April 21, 2010 Agenda Welcome & Introductions App Admin Migration Tasks Reverse Proxy Overview/Details Web Services/WSDL Details Model 2 Integration User DN Changes Application.
ITS NCID Next Generation (NG) Project Overview
April 21, 2010

Agenda
- Welcome & Introductions
- App Admin Migration Tasks
- Reverse Proxy Overview/Details
- Web Services/WSDL Details
- Model 2 Integration
- User DN Changes
- Application Vs. User Migration
- Roles & Resources
- Q&A

App Admin Migration Tasks
All Models:
- Change Firewall Rules
- Functional & Load Testing
Model 1:
- Very Important! Protect Web App From Non-Proxy Access – Typically with Firewall Rules
- Move Public Facing SSL Certs
- Change Public DNS Settings
Web Services:
- Request Creation of Application Service Account
Reverse Proxy Overview

NCID Current Model-1 (diagram; labels recovered from the slide): the Web Application holds the Public SSL Cert & DNS Entry and runs WebGate (Oracle API). SSL 1 carries the user session to the Web Application; SSL 2 carries the User Authentication Redirect from WebGate to the Oracle Access Service.

NCID NG Model-1 (diagram; labels recovered from the slide): the Public SSL Cert and Public DNS Entry move in front of the application, onto the Load Balancer / Reverse Proxy, while the Web Application holds a Private (Self-Signed) SSL Cert & DNS Entry. SSL 1 carries the user session through the Load Balancer to the Reverse Proxy; SSL 3 carries the proxied request from the Reverse Proxy to the Web Application; SSL 2 carries the User Authentication Redirect to the Novell IDP Server.

Model 1 NG Migration Changes
Very Important! Firewall Rules Required to Prevent Non-Proxy Access

User Access:
1. Implement Firewall Rules Limiting Access to Only the Proxy
2. Disable WebGate (Oracle API)

Certificate and DNS changes (numbered as on the slide diagram):
1. Public SSL Cert Moved to Proxy
2. Public DNS Entry Moved to Load Balancer
3. Private SSL Cert Installed on App/Web Server
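The firewall rule is the control; the check that it actually holds is to read the app/web server's own access log and confirm that every request arrived from the proxy. The following Python script is an added example (not code from the deck or the NCID project): it parses NCSA-style access log lines, treats any source address outside the proxy ranges as a bypass, and reports unparsable lines separately so a broken log format cannot hide a gap. The proxy ranges and the log lines are constructed; an agency would substitute its own load balancer and proxy addresses.

```python
"""Audit an app server access log for requests that did not come through the reverse proxy.

Added example, not NCID's code. After the Model 1 migration only the proxy may reach
the web application; any other source address in the server's own log means the
firewall rule is missing, wrong, or being bypassed on another interface.
"""
import ipaddress
import re
from collections import Counter

# Hypothetical proxy / load balancer ranges (constructed; replace with the real ones).
PROXY_NETWORKS = [ipaddress.ip_network(n) for n in ("10.10.5.0/28", "10.10.6.7/32")]

# Constructed sample lines in common log format; not real NCID or agency logs.
SAMPLE_LOG = """\
10.10.5.3 - - [21/Apr/2010:09:01:12 -0400] "GET /myapp/home HTTP/1.1" 200 5120
10.10.5.4 - - [21/Apr/2010:09:01:15 -0400] "POST /myapp/login HTTP/1.1" 302 0
192.0.2.44 - - [21/Apr/2010:09:02:01 -0400] "GET /myapp/home HTTP/1.1" 200 5120
10.10.6.7 - - [21/Apr/2010:09:02:30 -0400] "GET /myapp/report HTTP/1.1" 200 9001
198.51.100.9 - - [21/Apr/2010:09:03:10 -0400] "GET /myapp/admin HTTP/1.1" 403 210
not a log line
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)$'
)


def is_proxy(ip_text):
    """True if the client address falls inside one of the proxy networks."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:          # garbage in the address field is never trusted as a proxy
        return False
    return any(addr in net for net in PROXY_NETWORKS)


def audit(log_text):
    """Return (non_proxy_hits, unparsed_count) for a block of log text.

    non_proxy_hits is a list of (ip, timestamp, request, status) tuples, one per
    parsed request whose source address is not a proxy.
    """
    hits, unparsed = [], 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        m = LOG_RE.match(line)
        if m is None:
            unparsed += 1
            continue
        if not is_proxy(m.group("ip")):
            hits.append((m.group("ip"), m.group("ts"), m.group("req"), int(m.group("status"))))
    return hits, unparsed


def summarize(hits):
    """Count bypass requests per source address, most frequent first."""
    return Counter(ip for ip, _, _, _ in hits).most_common()


if __name__ == "__main__":
    found, bad = audit(SAMPLE_LOG)
    print(f"{len(found)} request(s) reached the app server without passing the proxy; "
          f"{bad} unparsable line(s)")
    for ip, ts, req, status in found:
        print(f"  {ip} at {ts}: {req} -> {status}")
```

Note that a 403 from the application (the last sample line) is still a finding: the request reached the application server at all, so the network-level rule did not stop it.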
Model 1 – NCID NG End State
NCID NG Model 1 (diagram; same components as the NG Model-1 diagram above): Public SSL Cert and Public DNS Entry on the Load Balancer / Reverse Proxy (SSL 1), Private (Self-Signed) SSL Cert & DNS Entry on the Web Application (SSL 3), User Authentication Redirect to the Novell IDP Server (SSL 2).

NCID NG – Web Services
Web Services Methods Available:
- Validate User Login Credentials
- Check & Modify Group Membership
- User Search & View Using Search Criteria
- Search for Agencies, Divisions, Sections Using Search Criteria
Web Services Documentation: https://www.ncid.its.state.nc.us/TrainingAndDocumentation.asp

Diagram (labels recovered from the slide): the Application Server sends an XML Request to the NCID NG WebServices, described by the NCID NG WSDL, and receives an XML Response; the web services are backed by the Identity Vault.

Web Service Call Detail (diagram; labels recovered from the slide): the components are the End User, the Application Web Server with its service Account, the Load Balancer, the IDP Server, the WSDL and the Web Services. The numbered steps are:
1. Authentication Request
2. Request WSDL
3. Redirect Request WSDL
4. Retrieve WSDL
5. Web Service Call
Model 2 Integration

Typical Attributes Synchronized (AD):
- userPrincipalName, sAMAccountName
- GUID
- password
- userAccountControl

Typical Events Monitored
NCID:
- Group Membership
- Account Disabled
- Change Password
- Resources/Roles (NG)
AD:
- Account Disabled
- Account Lock
- Change password
- Account Expiration

Diagram (labels recovered from the slide): the IDM Driver synchronizes between the NCID NG Identity Directory and the Agency LDAP Directory, which serves the Agency Web/App Server.
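The events listed above are all observable as changes to a handful of AD attributes, which is also how a detection rule on the agency side can confirm the driver is doing what the slide says. The following Python example is added here and is not the NCID IDM driver's code: it compares a "before" and "after" snapshot of one user's attributes (the ones the slide lists, plus lockoutTime, accountExpires and memberOf, which are the attributes where lock, expiry and group events actually show up) and emits the events named on the slide. The objectGUID is used as the stable key, so two snapshots with different GUIDs are rejected rather than treated as a rename. All snapshot values are constructed.

```python
"""Derive the AD-side sync events from two snapshots of a user's attributes.

Added example, not code from the NCID deck or its IDM driver. userAccountControl
bit 0x0002 (ACCOUNTDISABLE) and the accountExpires / lockoutTime / pwdLastSet
FILETIME conventions are Active Directory's documented semantics.
"""
import datetime

UF_ACCOUNTDISABLE = 0x0002                        # userAccountControl "account disabled" bit
ACCOUNT_NEVER_EXPIRES = (0, 0x7FFFFFFFFFFFFFFF)   # accountExpires values that mean "never"
FILETIME_EPOCH = datetime.datetime(1601, 1, 1, tzinfo=datetime.timezone.utc)


def filetime_to_datetime(ft):
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return FILETIME_EPOCH + datetime.timedelta(microseconds=int(ft) // 10)


def is_disabled(uac):
    """True when the ACCOUNTDISABLE bit is set in userAccountControl."""
    return bool(int(uac) & UF_ACCOUNTDISABLE)


def diff_account(before, after):
    """Return [(event_name, detail), ...] for everything sync-relevant that changed.

    Both snapshots must describe the same object; objectGUID is the stable key
    (the slide's "GUID"), so a mismatch is an error, not a rename.
    """
    if before["objectGUID"] != after["objectGUID"]:
        raise ValueError("snapshots describe different objects")
    who = after["sAMAccountName"]
    events = []

    was_off = is_disabled(before["userAccountControl"])
    now_off = is_disabled(after["userAccountControl"])
    if was_off != now_off:
        events.append(("Account Disabled" if now_off else "Account Enabled", who))

    was_locked = int(before.get("lockoutTime", 0)) != 0
    now_locked = int(after.get("lockoutTime", 0)) != 0
    if not was_locked and now_locked:
        events.append(("Account Lock", who))
    elif was_locked and not now_locked:
        events.append(("Account Unlock", who))

    # pwdLastSet moves on every password change; the password itself is never read here.
    if before.get("pwdLastSet") != after.get("pwdLastSet"):
        when = filetime_to_datetime(after["pwdLastSet"]).isoformat()
        events.append(("Change Password", f"{who} at {when}"))

    b_exp, a_exp = int(before.get("accountExpires", 0)), int(after.get("accountExpires", 0))
    if b_exp != a_exp:
        detail = "never" if a_exp in ACCOUNT_NEVER_EXPIRES else filetime_to_datetime(a_exp).isoformat()
        events.append(("Account Expiration", f"{who} expires {detail}"))

    for group in sorted(set(after.get("memberOf", [])) - set(before.get("memberOf", []))):
        events.append(("Group Membership", f"{who} added to {group}"))
    for group in sorted(set(before.get("memberOf", [])) - set(after.get("memberOf", []))):
        events.append(("Group Membership", f"{who} removed from {group}"))
    return events


# Constructed snapshots (not real directory data).
BEFORE = {
    "objectGUID": "8f1c0c7e-0000-4000-8000-000000000001",
    "sAMAccountName": "jdoe",
    "userPrincipalName": "jdoe@agency.example",
    "userAccountControl": 512,                      # NORMAL_ACCOUNT
    "lockoutTime": 0,
    "pwdLastSet": 129160000000000000,
    "accountExpires": 0x7FFFFFFFFFFFFFFF,
    "memberOf": ["CN=My App Users,OU=Groups,DC=agency,DC=example"],
}
# Same user later: disabled, password changed, removed from the application group.
AFTER = dict(BEFORE, userAccountControl=514, pwdLastSet=129161000000000000, memberOf=[])

if __name__ == "__main__":
    for name, detail in diff_account(BEFORE, AFTER):
        print(f"{name:18} {detail}")
```

Routing on the event name is deliberate: "Account Disabled" and "Account Lock" are the two events a defender most wants to see propagate promptly, and keeping them as distinct names makes it easy to alert when the NCID side does not reflect them within the expected sync interval.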
User Relative DN Changes
- GUIDs Remain the Same
- Relative DN pretext changes

Current RDN examples:
(State)
cn=User-guid,ou=Internal,ou=People,dc=NC
(External)
cn=User-guid,ou=Local Government,ou=External,ou=People,dc=NC
cn=User-guid,ou=Business Users,ou=External,ou=People,dc=NC
cn=User-guid,ou=Individuals,ou=External,ou=People,dc=NC

NG RDN examples:
(Internal)
cn=User-guid,ou=State,ou=Internal,ou=People,o=NC
cn=User-guid,ou=Local,ou=Internal,ou=People,o=NC
(External)
cn=User-guid,ou=Business,ou=External,ou=People,o=NC
cn=User-guid,ou=Individual,ou=External,ou=People,o=NC
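An application that has stored full user DNs (in its own authorization tables, for instance) has to rewrite them when it migrates, and the safe way to do that is a fixed table rather than string substitution. The Python example below is added here and is not NCID's code: its mapping is exactly the four before/after container pairs shown above, the cn=User-guid RDN is copied through untouched so the GUID is preserved, and any DN whose container is not in the table is returned unchanged and listed for manual review instead of being guessed. Note that the "Local Government" container moves from ou=External to ou=Internal, which is why a table beats a search-and-replace. The DN values used in the test are constructed.

```python
"""Rewrite stored NCID user DNs from the current tree layout to the NG layout.

Added example, not code from the NCID deck or project. CONTAINER_MAP is the set
of before/after pairs the slide shows; nothing outside it is rewritten.
"""

# Current container path -> NG container path (everything below the cn= RDN).
CONTAINER_MAP = {
    "ou=Internal,ou=People,dc=NC": "ou=State,ou=Internal,ou=People,o=NC",
    "ou=Local Government,ou=External,ou=People,dc=NC": "ou=Local,ou=Internal,ou=People,o=NC",
    "ou=Business Users,ou=External,ou=People,dc=NC": "ou=Business,ou=External,ou=People,o=NC",
    "ou=Individuals,ou=External,ou=People,dc=NC": "ou=Individual,ou=External,ou=People,o=NC",
}


def split_dn(dn):
    """Split a DN into its RDN strings on commas that are not backslash-escaped (RFC 4514)."""
    parts, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):      # keep an escape pair such as "\," together
            buf.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf).strip())
    return parts


def _normalize(container_rdns):
    """Case-fold and trim so lookups ignore attribute-type case and stray spaces."""
    return ",".join(rdn.strip().lower() for rdn in container_rdns)


_NORMALIZED_MAP = {_normalize(split_dn(k)): v for k, v in CONTAINER_MAP.items()}


def migrate_dn(dn):
    """Return (new_dn, changed). Unknown containers come back unchanged with changed=False."""
    rdns = split_dn(dn)
    if len(rdns) < 2 or not rdns[0].lower().startswith("cn="):
        return dn, False                        # not a user entry under a known shape
    target = _NORMALIZED_MAP.get(_normalize(rdns[1:]))
    if target is None:
        return dn, False
    return f"{rdns[0]},{target}", True          # cn=<guid> is carried over verbatim


def migrate_many(dns):
    """Map a batch of DNs; returns ({old: new}, [dns that need manual review])."""
    migrated, unmapped = {}, []
    for dn in dns:
        new_dn, changed = migrate_dn(dn)
        if changed:
            migrated[dn] = new_dn
        else:
            unmapped.append(dn)
    return migrated, unmapped


if __name__ == "__main__":
    # Constructed sample DNs; the GUID values are placeholders.
    done, review = migrate_many([
        "cn=1a2b3c-guid,ou=Local Government,ou=External,ou=People,dc=NC",
        "cn=4d5e6f-guid,ou=Vendors,ou=External,ou=People,dc=NC",
    ])
    for old, new in done.items():
        print(f"{old}\n  -> {new}")
    for dn in review:
        print(f"needs review: {dn}")
```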
Application Vs. User Migration (Part 1)
- All User Accounts Continuously Synchronized between NG & Current NCID
- Application Migration Independent of Delegated Admin & User Account Self-Service Functions
- Phased Migration of Applications
  - Migrated Application Integrates with NG
  - Migrated Application Authenticated by NG
  - DA & User Function Migration Not a Pre-Requisite

Application Vs. User Migration (Part 2)
- Delegated Admin & User Account Self-Service Functions Migrated in Separate Phased Approach
- Migrated Users Must Re-Select Challenge Questions & Provide Answers
- Upon Migration, DA’s Will Provision New User Accounts

Groups Change to Roles
- User Accounts Assigned Roles
- Very little difference in Point-and-Click: instead of belonging to the “My App Users” group, users will be assigned the “My App Users” role.
- Different Technology on the NCID back-end
- Roles Grant Access to Resources
- Resources Represent Applications
- Functions remain the same for Model 1 authorization and for Model 2 synchronization

Questions & Answers
- Chat Questions noted during presentation
- Open Question period
- Future Webinar Planned for Delegated Admin Functions
- Additional Documentation & Training Will be Provided on the NCID Website at https://www.ncid.its.state.nc.us/TrainingAndDocumentation.asp
- Submit Remedy Service Request With Additional Questions: [email protected]
Slide 2
ITS NCID
Next Generation (NG)
Project Overview
April 21, 2010
Agenda
Welcome & Introductions
App Admin Migration Tasks
Reverse Proxy Overview/Details
Web Services/WSDL Details
Model 2 Integration
User DN Changes
Application Vs. User Migration
Roles & Resources
Q&A
App Admin Migration Tasks
All Models
Change Firewall Rules
Functional & Load Testing
Model 1
Very
Important! Protect Web App From Non-Proxy
Access – Typically with Firewall Rules
Move Public Facing SSL Certs
Change Public DNS Settings
Web Services
Request
Creation of Application Service Account
Reverse Proxy Overview
NCID Current Model-1
Public SSL Cert
& DNS Entry
Web Application
WebGate
Oracle API
SSL 1
Oracle Access Service
SSL 2
User Authentication
Redirect
NCID NG Model-1
Private(SelfSigned) SSL Cert
& DNS Entry
Public SSL Cert
Public DNS
Entry
SSL1
Load
Balancer
Reverse Proxy
SSL1
Web Application
SSL3
SSL 2
User Authentication
Redirect
SS
L2
Novell IDP Server
Model 1 NG Migration Changes
NCID NG Model 1 –
Migration Changes
Very Important!
Firewall Rules Required to
Prevent Non-Proxy Access
User Access
1. Implement Firewall
Rules Limiting Access
to Only the Proxy
2. Disable WebGate
Web Application
Reverse Proxy
1
WebGate
Oracle API
1
1. Public SSL Cert Moved to
Proxy.
2. Public DNS Entry Moved
to Load Balancer
3. Private SSL Cert Installed
on App/Web Server
Load
Balancer
2
Public SSL Cert
Web Application
Reverse Proxy
SSL 1
SSL 1
2
SSL 3
Public DNS
Entry
3
Private SSL
Cert
Model 1 – NCID NG End State
NCID NG Model 1
Private ( SelfSigned ) SSL Cert
& DNS Entry
Public SSL Cert
Public DNS
Entry
Load
Balancer
SSL 1
Reverse Proxy
Web Application
SSL 3
SSL 1
SSL 2
User Authentication
Redirect
SS
L2
Novell IDP Server
NCID NG – Web Services
Web Services Methods Available
Validate User Login Credentials
Check & Modify Group Membership
User Search & View Using Search Criteria
Search for Agencies, Divisions, Sections Using Search Criteria
Web Services Documentation https://www.ncid.its.state.nc.us/TrainingAndDocumentation.asp
XML Request
XML
Response
NCID NG WebServices
NCID NG
WSDL
Application Server
Identity
Vault
Web Service Call Detail
Web Service Call
Application
Web Server
Account
1. Authentication Request
2. Request WSDL
Load
Balancer
`
WSDL
End User
4. Retrieve WSDL
3. Redirect
Request
WSDL
5. Web Service Call
WSDL
IDP Server
IDP Server
Web Services
Model 2 Integration
Typical Attributes Synchronized
AD
·
·
·
·
userPrincipalName, saMAccountName
GUID
password
userAccountControl
Typical Events Monitored
NCID
AD
·
·
·
·
Group Membership
Account Disabled
Change Password
Account Disabled
Resources/Roles (NG)
Account Lock
Change password
Account Expiration
IDM Driver
NCID NG Identity Directory
Agency LDAP
Directory
Agency Web/App
Server
User Relative DN Changes
GUIDs Remain the Same
Relative DN pretext changes
Current RDN:
Examples:
Examples:
(State)
(External)
cn=User-guid,ou=Internal,ou=People,dc=NC
cn=User-guid,ou=Local Government,ou=External,ou=People,dc=NC
cn=User-guid,ou=Business Users,ou=External,ou=People,dc=NC
cn=User-guid,ou=Individuals,ou=External,ou=People,dc=NC
NG RDN:
(Internal)
(External)
cn=User-guid,ou=State,ou=Internal,ou=People,o=NC
cn=User-guid,ou=Local,ou=Internal,ou=People,o=NC
cn=User-guid,ou=Business,ou=External,ou=People,o=NC
cn=User-guid,ou=Individual,ou=External,ou=People,o=NC
Application Vs. User Migration
Part 1
All User Accounts Continuously Synchronized
between NG & Current NCID
Application Migration Independent of Delegated
Admin & User Account Self-Service Functions
Phased Migration of Applications
Migrated Application
Integrates with NG
Migrated Application Authenticated by NG
DA & User Function Migration Not a Pre-Requisite
Application Vs. User Migration
Part 2
Delegated Admin & User Account SelfService Functions Migrated in Separate
Phased Approach
Migrated Users Must Re-Select Challenge
Questions & Provide Answers
Upon Migration, DA’s Will Provision New
User Accounts
Groups Change to Roles
User Accounts Assigned Roles
Very
little difference in Point-and-Click
Instead of belonging to “My App Users” group, users
will be assigned the “My App Users” role.
Different Technology on the NCID back-end
Roles
Grant Access to Resources
Resources Represent Applications
Functions remain the same for Model 1
authorization and for Model 2 synchronization
Questions & Answers
Chat Questions- noted during presentation
Open Question period
Future Webinar Planned for Delegated Admin
Functions
Additional Documentation & Training Will be
Provided on the NCID Website at
https://www.ncid.its.state.nc.us/TrainingAndDocu
mentation.asp
Submit Remedy Service Request With Additional
Questions- [email protected]
Slide 3
ITS NCID
Next Generation (NG)
Project Overview
April 21, 2010
Agenda
Welcome & Introductions
App Admin Migration Tasks
Reverse Proxy Overview/Details
Web Services/WSDL Details
Model 2 Integration
User DN Changes
Application Vs. User Migration
Roles & Resources
Q&A
App Admin Migration Tasks
All Models
Change Firewall Rules
Functional & Load Testing
Model 1
Very
Important! Protect Web App From Non-Proxy
Access – Typically with Firewall Rules
Move Public Facing SSL Certs
Change Public DNS Settings
Web Services
Request
Creation of Application Service Account
Reverse Proxy Overview
NCID Current Model-1
Public SSL Cert
& DNS Entry
Web Application
WebGate
Oracle API
SSL 1
Oracle Access Service
SSL 2
User Authentication
Redirect
NCID NG Model-1
Private(SelfSigned) SSL Cert
& DNS Entry
Public SSL Cert
Public DNS
Entry
SSL1
Load
Balancer
Reverse Proxy
SSL1
Web Application
SSL3
SSL 2
User Authentication
Redirect
SS
L2
Novell IDP Server
Model 1 NG Migration Changes
NCID NG Model 1 –
Migration Changes
Very Important!
Firewall Rules Required to
Prevent Non-Proxy Access
User Access
1. Implement Firewall
Rules Limiting Access
to Only the Proxy
2. Disable WebGate
Web Application
Reverse Proxy
1
WebGate
Oracle API
1
1. Public SSL Cert Moved to
Proxy.
2. Public DNS Entry Moved
to Load Balancer
3. Private SSL Cert Installed
on App/Web Server
Load
Balancer
2
Public SSL Cert
Web Application
Reverse Proxy
SSL 1
SSL 1
2
SSL 3
Public DNS
Entry
3
Private SSL
Cert
Model 1 – NCID NG End State
NCID NG Model 1
Private ( SelfSigned ) SSL Cert
& DNS Entry
Public SSL Cert
Public DNS
Entry
Load
Balancer
SSL 1
Reverse Proxy
Web Application
SSL 3
SSL 1
SSL 2
User Authentication
Redirect
SS
L2
Novell IDP Server
NCID NG – Web Services
Web Services Methods Available
Validate User Login Credentials
Check & Modify Group Membership
User Search & View Using Search Criteria
Search for Agencies, Divisions, Sections Using Search Criteria
Web Services Documentation https://www.ncid.its.state.nc.us/TrainingAndDocumentation.asp
XML Request
XML
Response
NCID NG WebServices
NCID NG
WSDL
Application Server
Identity
Vault
Web Service Call Detail
Web Service Call
Application
Web Server
Account
1. Authentication Request
2. Request WSDL
Load
Balancer
`
WSDL
End User
4. Retrieve WSDL
3. Redirect
Request
WSDL
5. Web Service Call
WSDL
IDP Server
IDP Server
Web Services
Model 2 Integration
Typical Attributes Synchronized
AD
·
·
·
·
userPrincipalName, saMAccountName
GUID
password
userAccountControl
Typical Events Monitored
NCID
AD
·
·
·
·
Group Membership
Account Disabled
Change Password
Account Disabled
Resources/Roles (NG)
Account Lock
Change password
Account Expiration
IDM Driver
NCID NG Identity Directory
Agency LDAP
Directory
Agency Web/App
Server
User Relative DN Changes
GUIDs Remain the Same
Relative DN pretext changes
Current RDN:
Examples:
Examples:
(State)
(External)
cn=User-guid,ou=Internal,ou=People,dc=NC
cn=User-guid,ou=Local Government,ou=External,ou=People,dc=NC
cn=User-guid,ou=Business Users,ou=External,ou=People,dc=NC
cn=User-guid,ou=Individuals,ou=External,ou=People,dc=NC
NG RDN:
(Internal)
(External)
cn=User-guid,ou=State,ou=Internal,ou=People,o=NC
cn=User-guid,ou=Local,ou=Internal,ou=People,o=NC
cn=User-guid,ou=Business,ou=External,ou=People,o=NC
cn=User-guid,ou=Individual,ou=External,ou=People,o=NC
Application Vs. User Migration
Part 1
All User Accounts Continuously Synchronized
between NG & Current NCID
Application Migration Independent of Delegated
Admin & User Account Self-Service Functions
Phased Migration of Applications
Migrated Application
Integrates with NG
Migrated Application Authenticated by NG
DA & User Function Migration Not a Pre-Requisite
Application Vs. User Migration
Part 2
Delegated Admin & User Account SelfService Functions Migrated in Separate
Phased Approach
Migrated Users Must Re-Select Challenge
Questions & Provide Answers
Upon Migration, DA’s Will Provision New
User Accounts
Groups Change to Roles
User Accounts Assigned Roles
Very
little difference in Point-and-Click
Instead of belonging to “My App Users” group, users
will be assigned the “My App Users” role.
Different Technology on the NCID back-end
Roles
Grant Access to Resources
Resources Represent Applications
Functions remain the same for Model 1
authorization and for Model 2 synchronization
Questions & Answers
Chat Questions- noted during presentation
Open Question period
Future Webinar Planned for Delegated Admin
Functions
Additional Documentation & Training Will be
Provided on the NCID Website at
https://www.ncid.its.state.nc.us/TrainingAndDocu
mentation.asp
Submit Remedy Service Request With Additional
Questions- [email protected]
Slide 4
ITS NCID
Next Generation (NG)
Project Overview
April 21, 2010
Agenda
Welcome & Introductions
App Admin Migration Tasks
Reverse Proxy Overview/Details
Web Services/WSDL Details
Model 2 Integration
User DN Changes
Application Vs. User Migration
Roles & Resources
Q&A
App Admin Migration Tasks
All Models
Change Firewall Rules
Functional & Load Testing
Model 1
Very
Important! Protect Web App From Non-Proxy
Access – Typically with Firewall Rules
Move Public Facing SSL Certs
Change Public DNS Settings
Web Services
Request
Creation of Application Service Account
Reverse Proxy Overview
NCID Current Model-1
Public SSL Cert
& DNS Entry
Web Application
WebGate
Oracle API
SSL 1
Oracle Access Service
SSL 2
User Authentication
Redirect
NCID NG Model-1
Private(SelfSigned) SSL Cert
& DNS Entry
Public SSL Cert
Public DNS
Entry
SSL1
Load
Balancer
Reverse Proxy
SSL1
Web Application
SSL3
SSL 2
User Authentication
Redirect
SS
L2
Novell IDP Server
Model 1 NG Migration Changes
NCID NG Model 1 –
Migration Changes
Very Important!
Firewall Rules Required to
Prevent Non-Proxy Access
User Access
1. Implement Firewall
Rules Limiting Access
to Only the Proxy
2. Disable WebGate
Web Application
Reverse Proxy
1
WebGate
Oracle API
1
1. Public SSL Cert Moved to
Proxy.
2. Public DNS Entry Moved
to Load Balancer
3. Private SSL Cert Installed
on App/Web Server
Load
Balancer
2
Public SSL Cert
Web Application
Reverse Proxy
SSL 1
SSL 1
2
SSL 3
Public DNS
Entry
3
Private SSL
Cert
Model 1 – NCID NG End State
NCID NG Model 1
Private ( SelfSigned ) SSL Cert
& DNS Entry
Public SSL Cert
Public DNS
Entry
Load
Balancer
SSL 1
Reverse Proxy
Web Application
SSL 3
SSL 1
SSL 2
User Authentication
Redirect
SS
L2
Novell IDP Server
NCID NG – Web Services
Web Services Methods Available
Validate User Login Credentials
Check & Modify Group Membership
User Search & View Using Search Criteria
Search for Agencies, Divisions, Sections Using Search Criteria
Web Services Documentation https://www.ncid.its.state.nc.us/TrainingAndDocumentation.asp
XML Request
XML
Response
NCID NG WebServices
NCID NG
WSDL
Application Server
Identity
Vault
Web Service Call Detail
Web Service Call
Application
Web Server
Account
1. Authentication Request
2. Request WSDL
Load
Balancer
`
WSDL
End User
4. Retrieve WSDL
3. Redirect
Request
WSDL
5. Web Service Call
WSDL
IDP Server
IDP Server
Web Services
Model 2 Integration
Typical Attributes Synchronized
AD
·
·
·
·
userPrincipalName, saMAccountName
GUID
password
userAccountControl
Typical Events Monitored
NCID
AD
·
·
·
·
Group Membership
Account Disabled
Change Password
Account Disabled
Resources/Roles (NG)
Account Lock
Change password
Account Expiration
IDM Driver
NCID NG Identity Directory
Agency LDAP
Directory
Agency Web/App
Server
User Relative DN Changes
GUIDs Remain the Same
Relative DN pretext changes
Current RDN:
Examples:
Examples:
(State)
(External)
cn=User-guid,ou=Internal,ou=People,dc=NC
cn=User-guid,ou=Local Government,ou=External,ou=People,dc=NC
cn=User-guid,ou=Business Users,ou=External,ou=People,dc=NC
cn=User-guid,ou=Individuals,ou=External,ou=People,dc=NC
NG RDN:
(Internal)
(External)
cn=User-guid,ou=State,ou=Internal,ou=People,o=NC
cn=User-guid,ou=Local,ou=Internal,ou=People,o=NC
cn=User-guid,ou=Business,ou=External,ou=People,o=NC
cn=User-guid,ou=Individual,ou=External,ou=People,o=NC
Application Vs. User Migration
Part 1
All User Accounts Continuously Synchronized
between NG & Current NCID
Application Migration Independent of Delegated
Admin & User Account Self-Service Functions
Phased Migration of Applications
Migrated Application
Integrates with NG
Migrated Application Authenticated by NG
DA & User Function Migration Not a Pre-Requisite
Application Vs. User Migration
Part 2
Delegated Admin & User Account SelfService Functions Migrated in Separate
Phased Approach
Migrated Users Must Re-Select Challenge
Questions & Provide Answers
Upon Migration, DA’s Will Provision New
User Accounts
Groups Change to Roles
User Accounts Assigned Roles
Very
little difference in Point-and-Click
Instead of belonging to “My App Users” group, users
will be assigned the “My App Users” role.
Different Technology on the NCID back-end
Roles
Grant Access to Resources
Resources Represent Applications
Functions remain the same for Model 1
authorization and for Model 2 synchronization
Questions & Answers
Chat Questions- noted during presentation
Open Question period
Future Webinar Planned for Delegated Admin
Functions
Additional Documentation & Training Will be
Provided on the NCID Website at
https://www.ncid.its.state.nc.us/TrainingAndDocu
mentation.asp
Submit Remedy Service Request With Additional
Questions- [email protected]
Slide 5
ITS NCID
Next Generation (NG)
Project Overview
April 21, 2010
Agenda
Welcome & Introductions
App Admin Migration Tasks
Reverse Proxy Overview/Details
Web Services/WSDL Details
Model 2 Integration
User DN Changes
Application Vs. User Migration
Roles & Resources
Q&A
App Admin Migration Tasks
All Models
Change Firewall Rules
Functional & Load Testing
Model 1
Very
Important! Protect Web App From Non-Proxy
Access – Typically with Firewall Rules
Move Public Facing SSL Certs
Change Public DNS Settings
Web Services
Request
Creation of Application Service Account
Reverse Proxy Overview
NCID Current Model-1
Public SSL Cert
& DNS Entry
Web Application
WebGate
Oracle API
SSL 1
Oracle Access Service
SSL 2
User Authentication
Redirect
NCID NG Model-1
Private(SelfSigned) SSL Cert
& DNS Entry
Public SSL Cert
Public DNS
Entry
SSL1
Load
Balancer
Reverse Proxy
SSL1
Web Application
SSL3
SSL 2
User Authentication
Redirect
SS
L2
Novell IDP Server
Model 1 NG Migration Changes
NCID NG Model 1 –
Migration Changes
Very Important!
Firewall Rules Required to
Prevent Non-Proxy Access
User Access
1. Implement Firewall
Rules Limiting Access
to Only the Proxy
2. Disable WebGate
Web Application
Reverse Proxy
1
WebGate
Oracle API
1
1. Public SSL Cert Moved to
Proxy.
2. Public DNS Entry Moved
to Load Balancer
3. Private SSL Cert Installed
on App/Web Server
Load
Balancer
2
Public SSL Cert
Web Application
Reverse Proxy
SSL 1
SSL 1
2
SSL 3
Public DNS
Entry
3
Private SSL
Cert
Model 1 – NCID NG End State
NCID NG Model 1
Private ( SelfSigned ) SSL Cert
& DNS Entry
Public SSL Cert
Public DNS
Entry
Load
Balancer
SSL 1
Reverse Proxy
Web Application
SSL 3
SSL 1
SSL 2
User Authentication
Redirect
SS
L2
Novell IDP Server
NCID NG – Web Services
Web Services Methods Available
Validate User Login Credentials
Check & Modify Group Membership
User Search & View Using Search Criteria
Search for Agencies, Divisions, Sections Using Search Criteria
Web Services Documentation https://www.ncid.its.state.nc.us/TrainingAndDocumentation.asp
XML Request
XML
Response
NCID NG WebServices
NCID NG
WSDL
Application Server
Identity
Vault
Web Service Call Detail
Web Service Call
Application
Web Server
Account
1. Authentication Request
2. Request WSDL
Load
Balancer
`
WSDL
End User
4. Retrieve WSDL
3. Redirect
Request
WSDL
5. Web Service Call
WSDL
IDP Server
IDP Server
Web Services
Model 2 Integration
Typical Attributes Synchronized
AD
·
·
·
·
userPrincipalName, saMAccountName
GUID
password
userAccountControl
Typical Events Monitored
NCID
AD
·
·
·
·
Group Membership
Account Disabled
Change Password
Account Disabled
Resources/Roles (NG)
Account Lock
Change password
Account Expiration
IDM Driver
NCID NG Identity Directory
Agency LDAP
Directory
Agency Web/App
Server
User Relative DN Changes
GUIDs Remain the Same
Relative DN pretext changes
Current RDN:
Examples:
Examples:
(State)
(External)
cn=User-guid,ou=Internal,ou=People,dc=NC
cn=User-guid,ou=Local Government,ou=External,ou=People,dc=NC
cn=User-guid,ou=Business Users,ou=External,ou=People,dc=NC
cn=User-guid,ou=Individuals,ou=External,ou=People,dc=NC
NG RDN:
(Internal)
(External)
cn=User-guid,ou=State,ou=Internal,ou=People,o=NC
cn=User-guid,ou=Local,ou=Internal,ou=People,o=NC
cn=User-guid,ou=Business,ou=External,ou=People,o=NC
cn=User-guid,ou=Individual,ou=External,ou=People,o=NC
Application Vs. User Migration
Part 1
All User Accounts Continuously Synchronized
between NG & Current NCID
Application Migration Independent of Delegated
Admin & User Account Self-Service Functions
Phased Migration of Applications
Migrated Application
Integrates with NG
Migrated Application Authenticated by NG
DA & User Function Migration Not a Pre-Requisite
Application Vs. User Migration
Part 2
Delegated Admin & User Account SelfService Functions Migrated in Separate
Phased Approach
Migrated Users Must Re-Select Challenge
Questions & Provide Answers
Upon Migration, DA’s Will Provision New
User Accounts
Groups Change to Roles
User Accounts Assigned Roles
Very
little difference in Point-and-Click
Instead of belonging to “My App Users” group, users
will be assigned the “My App Users” role.
Different Technology on the NCID back-end
Roles
Grant Access to Resources
Resources Represent Applications
Functions remain the same for Model 1
authorization and for Model 2 synchronization
Questions & Answers
Chat Questions- noted during presentation
Open Question period
Future Webinar Planned for Delegated Admin
Functions
Additional Documentation & Training Will be
Provided on the NCID Website at
https://www.ncid.its.state.nc.us/TrainingAndDocu
mentation.asp
Submit Remedy Service Request With Additional
Questions- [email protected]
Slide 6
ITS NCID
Next Generation (NG)
Project Overview
April 21, 2010
Agenda
Welcome & Introductions
App Admin Migration Tasks
Reverse Proxy Overview/Details
Web Services/WSDL Details
Model 2 Integration
User DN Changes
Application Vs. User Migration
Roles & Resources
Q&A
App Admin Migration Tasks
All Models
Change Firewall Rules
Functional & Load Testing
Model 1
Very
Important! Protect Web App From Non-Proxy
Access – Typically with Firewall Rules
Move Public Facing SSL Certs
Change Public DNS Settings
Web Services
Request
Creation of Application Service Account
Reverse Proxy Overview
NCID Current Model-1
Public SSL Cert
& DNS Entry
Web Application
WebGate
Oracle API
SSL 1
Oracle Access Service
SSL 2
User Authentication
Redirect
NCID NG Model-1
Private(SelfSigned) SSL Cert
& DNS Entry
Public SSL Cert
Public DNS
Entry
SSL1
Load
Balancer
Reverse Proxy
SSL1
Web Application
SSL3
SSL 2
User Authentication
Redirect
SS
L2
Novell IDP Server
Model 1 NG Migration Changes
NCID NG Model 1 –
Migration Changes
Very Important!
Firewall Rules Required to
Prevent Non-Proxy Access
User Access
1. Implement Firewall
Rules Limiting Access
to Only the Proxy
2. Disable WebGate
Web Application
Reverse Proxy
1
WebGate
Oracle API
1
1. Public SSL Cert Moved to
Proxy.
2. Public DNS Entry Moved
to Load Balancer
3. Private SSL Cert Installed
on App/Web Server
Load
Balancer
2
Public SSL Cert
Web Application
Reverse Proxy
SSL 1
SSL 1
2
SSL 3
Public DNS
Entry
3
Private SSL
Cert
Model 1 – NCID NG End State
NCID NG Model 1
Private ( SelfSigned ) SSL Cert
& DNS Entry
Public SSL Cert
Public DNS
Entry
Load
Balancer
SSL 1
Reverse Proxy
Web Application
SSL 3
SSL 1
SSL 2
User Authentication
Redirect
SS
L2
Novell IDP Server
NCID NG – Web Services
Web Services Methods Available
Validate User Login Credentials
Check & Modify Group Membership
User Search & View Using Search Criteria
Search for Agencies, Divisions, Sections Using Search Criteria
Web Services Documentation https://www.ncid.its.state.nc.us/TrainingAndDocumentation.asp
XML Request
XML
Response
NCID NG WebServices
NCID NG
WSDL
Application Server
Identity
Vault
Web Service Call Detail
Web Service Call
Application
Web Server
Account
1. Authentication Request
2. Request WSDL
Load
Balancer
`
WSDL
End User
4. Retrieve WSDL
3. Redirect
Request
WSDL
5. Web Service Call
WSDL
IDP Server
IDP Server
Web Services
Model 2 Integration
Typical Attributes Synchronized
AD
·
·
·
·
userPrincipalName, saMAccountName
GUID
password
userAccountControl
Typical Events Monitored
NCID
AD
·
·
·
·
Group Membership
Account Disabled
Change Password
Account Disabled
Resources/Roles (NG)
Account Lock
Change password
Account Expiration
IDM Driver
NCID NG Identity Directory
Agency LDAP
Directory
Agency Web/App
Server
User Relative DN Changes
GUIDs Remain the Same
Relative DN pretext changes
Current RDN:
Examples:
Examples:
(State)
(External)
cn=User-guid,ou=Internal,ou=People,dc=NC
cn=User-guid,ou=Local Government,ou=External,ou=People,dc=NC
cn=User-guid,ou=Business Users,ou=External,ou=People,dc=NC
cn=User-guid,ou=Individuals,ou=External,ou=People,dc=NC
NG RDN:
(Internal)
(External)
cn=User-guid,ou=State,ou=Internal,ou=People,o=NC
cn=User-guid,ou=Local,ou=Internal,ou=People,o=NC
cn=User-guid,ou=Business,ou=External,ou=People,o=NC
cn=User-guid,ou=Individual,ou=External,ou=People,o=NC
Application Vs. User Migration
Part 1
All User Accounts Continuously Synchronized
between NG & Current NCID
Application Migration Independent of Delegated
Admin & User Account Self-Service Functions
Phased Migration of Applications
Migrated Application
Integrates with NG
Migrated Application Authenticated by NG
DA & User Function Migration Not a Pre-Requisite
Application Vs. User Migration
Part 2
Delegated Admin & User Account SelfService Functions Migrated in Separate
Phased Approach
Migrated Users Must Re-Select Challenge
Questions & Provide Answers
Upon Migration, DA’s Will Provision New
User Accounts
Groups Change to Roles
User Accounts Assigned Roles
Very
little difference in Point-and-Click
Instead of belonging to “My App Users” group, users
will be assigned the “My App Users” role.
Different Technology on the NCID back-end
Roles
Grant Access to Resources
Resources Represent Applications
Functions remain the same for Model 1
authorization and for Model 2 synchronization
Questions & Answers
Chat Questions- noted during presentation
Open Question period
Future Webinar Planned for Delegated Admin
Functions
Additional Documentation & Training Will be
Provided on the NCID Website at
https://www.ncid.its.state.nc.us/TrainingAndDocu
mentation.asp
Submit Remedy Service Request With Additional
Questions- [email protected]
Slide 7
ITS NCID
Next Generation (NG)
Project Overview
April 21, 2010
Agenda
Welcome & Introductions
App Admin Migration Tasks
Reverse Proxy Overview/Details
Web Services/WSDL Details
Model 2 Integration
User DN Changes
Application Vs. User Migration
Roles & Resources
Q&A
App Admin Migration Tasks
All Models
Change Firewall Rules
Functional & Load Testing
Model 1
Very
Important! Protect Web App From Non-Proxy
Access – Typically with Firewall Rules
Move Public Facing SSL Certs
Change Public DNS Settings
Web Services
Request
Creation of Application Service Account
Reverse Proxy Overview
NCID Current Model-1
Public SSL Cert
& DNS Entry
Web Application
WebGate
Oracle API
SSL 1
Oracle Access Service
SSL 2
User Authentication
Redirect
NCID NG Model-1
Private(SelfSigned) SSL Cert
& DNS Entry
Public SSL Cert
Public DNS
Entry
SSL1
Load
Balancer
Reverse Proxy
SSL1
Web Application
SSL3
SSL 2
User Authentication
Redirect
SS
L2
Novell IDP Server
Model 1 NG Migration Changes
NCID NG Model 1 –
Migration Changes
Very Important!
Firewall Rules Required to
Prevent Non-Proxy Access
User Access
1. Implement Firewall
Rules Limiting Access
to Only the Proxy
2. Disable WebGate
Web Application
Reverse Proxy
1
WebGate
Oracle API
1
1. Public SSL Cert Moved to
Proxy.
2. Public DNS Entry Moved
to Load Balancer
3. Private SSL Cert Installed
on App/Web Server
Load
Balancer
2
Public SSL Cert
Web Application
Reverse Proxy
SSL 1
SSL 1
2
SSL 3
Public DNS
Entry
3
Private SSL
Cert
Model 1 – NCID NG End State
NCID NG Model 1
Private ( SelfSigned ) SSL Cert
& DNS Entry
Public SSL Cert
Public DNS
Entry
Load
Balancer
SSL 1
Reverse Proxy
Web Application
SSL 3
SSL 1
SSL 2
User Authentication
Redirect
SS
L2
Novell IDP Server
NCID NG – Web Services
Web Services Methods Available
Validate User Login Credentials
Check & Modify Group Membership
User Search & View Using Search Criteria
Search for Agencies, Divisions, Sections Using Search Criteria
Web Services Documentation https://www.ncid.its.state.nc.us/TrainingAndDocumentation.asp
XML Request
XML
Response
NCID NG WebServices
NCID NG
WSDL
Application Server
Identity
Vault
Web Service Call Detail
Web Service Call
Application
Web Server
Account
1. Authentication Request
2. Request WSDL
Load
Balancer
`
WSDL
End User
4. Retrieve WSDL
3. Redirect
Request
WSDL
5. Web Service Call
WSDL
IDP Server
IDP Server
Web Services
Model 2 Integration
Typical Attributes Synchronized
AD
·
·
·
·
userPrincipalName, saMAccountName
GUID
password
userAccountControl
Typical Events Monitored
NCID
AD
·
·
·
·
Group Membership
Account Disabled
Change Password
Account Disabled
Resources/Roles (NG)
Account Lock
Change password
Account Expiration
IDM Driver
NCID NG Identity Directory
Agency LDAP
Directory
Agency Web/App
Server
User Relative DN Changes
GUIDs Remain the Same
Relative DN pretext changes
Current RDN:
Examples:
Examples:
(State)
(External)
cn=User-guid,ou=Internal,ou=People,dc=NC
cn=User-guid,ou=Local Government,ou=External,ou=People,dc=NC
cn=User-guid,ou=Business Users,ou=External,ou=People,dc=NC
cn=User-guid,ou=Individuals,ou=External,ou=People,dc=NC
NG RDN:
(Internal)
(External)
cn=User-guid,ou=State,ou=Internal,ou=People,o=NC
cn=User-guid,ou=Local,ou=Internal,ou=People,o=NC
cn=User-guid,ou=Business,ou=External,ou=People,o=NC
cn=User-guid,ou=Individual,ou=External,ou=People,o=NC
Application Vs. User Migration (Part 1)
All User Accounts Continuously Synchronized between NG & Current NCID
Application Migration Independent of Delegated Admin & User Account Self-Service Functions
Phased Migration of Applications
Migrated Application Integrates with NG
Migrated Application Authenticated by NG
DA & User Function Migration Not a Pre-Requisite
Application Vs. User Migration (Part 2)
Delegated Admin & User Account Self-Service Functions Migrated in Separate Phased Approach
Migrated Users Must Re-Select Challenge Questions & Provide Answers
Upon Migration, DAs Will Provision New User Accounts
Groups Change to Roles
User Accounts Assigned Roles
Very little difference in Point-and-Click
Instead of belonging to “My App Users” group, users will be assigned the “My App Users” role.
Different Technology on the NCID back-end
Roles Grant Access to Resources
Resources Represent Applications
Functions remain the same for Model 1 authorization and for Model 2 synchronization
Questions & Answers
Chat Questions - noted during presentation
Open Question period
Future Webinar Planned for Delegated Admin Functions
Additional Documentation & Training Will be Provided on the NCID Website at https://www.ncid.its.state.nc.us/TrainingAndDocumentation.asp
Submit Remedy Service Request With Additional Questions - [email protected]
Slide 8
ITS NCID
Next Generation (NG)
Project Overview
April 21, 2010
Agenda
Welcome & Introductions
App Admin Migration Tasks
Reverse Proxy Overview/Details
Web Services/WSDL Details
Model 2 Integration
User DN Changes
Application Vs. User Migration
Roles & Resources
Q&A
App Admin Migration Tasks
All Models
Change Firewall Rules
Functional & Load Testing
Model 1
Very
Important! Protect Web App From Non-Proxy
Access – Typically with Firewall Rules
Move Public Facing SSL Certs
Change Public DNS Settings
Web Services
Request
Creation of Application Service Account
Reverse Proxy Overview
NCID Current Model-1
Public SSL Cert
& DNS Entry
Web Application
WebGate
Oracle API
SSL 1
Oracle Access Service
SSL 2
User Authentication
Redirect
NCID NG Model-1
Private(SelfSigned) SSL Cert
& DNS Entry
Public SSL Cert
Public DNS
Entry
SSL1
Load
Balancer
Reverse Proxy
SSL1
Web Application
SSL3
SSL 2
User Authentication
Redirect
SS
L2
Novell IDP Server
Model 1 NG Migration Changes
NCID NG Model 1 –
Migration Changes
Very Important!
Firewall Rules Required to
Prevent Non-Proxy Access
User Access
1. Implement Firewall
Rules Limiting Access
to Only the Proxy
2. Disable WebGate
Web Application
Reverse Proxy
1
WebGate
Oracle API
1
1. Public SSL Cert Moved to
Proxy.
2. Public DNS Entry Moved
to Load Balancer
3. Private SSL Cert Installed
on App/Web Server
Load
Balancer
2
Public SSL Cert
Web Application
Reverse Proxy
SSL 1
SSL 1
2
SSL 3
Public DNS
Entry
3
Private SSL
Cert
Model 1 – NCID NG End State
NCID NG Model 1
Private ( SelfSigned ) SSL Cert
& DNS Entry
Public SSL Cert
Public DNS
Entry
Load
Balancer
SSL 1
Reverse Proxy
Web Application
SSL 3
SSL 1
SSL 2
User Authentication
Redirect
SS
L2
Novell IDP Server
NCID NG – Web Services
Web Services Methods Available
Validate User Login Credentials
Check & Modify Group Membership
User Search & View Using Search Criteria
Search for Agencies, Divisions, Sections Using Search Criteria
Web Services Documentation https://www.ncid.its.state.nc.us/TrainingAndDocumentation.asp
XML Request
XML
Response
NCID NG WebServices
NCID NG
WSDL
Application Server
Identity
Vault
Web Service Call Detail
Web Service Call
Application
Web Server
Account
1. Authentication Request
2. Request WSDL
Load
Balancer
`
WSDL
End User
4. Retrieve WSDL
3. Redirect
Request
WSDL
5. Web Service Call
WSDL
IDP Server
IDP Server
Web Services
Model 2 Integration
Typical Attributes Synchronized
AD
·
·
·
·
userPrincipalName, saMAccountName
GUID
password
userAccountControl
Typical Events Monitored
NCID
AD
·
·
·
·
Group Membership
Account Disabled
Change Password
Account Disabled
Resources/Roles (NG)
Account Lock
Change password
Account Expiration
IDM Driver
NCID NG Identity Directory
Agency LDAP
Directory
Agency Web/App
Server
User Relative DN Changes
GUIDs Remain the Same
Relative DN pretext changes
Current RDN:
Examples:
Examples:
(State)
(External)
cn=User-guid,ou=Internal,ou=People,dc=NC
cn=User-guid,ou=Local Government,ou=External,ou=People,dc=NC
cn=User-guid,ou=Business Users,ou=External,ou=People,dc=NC
cn=User-guid,ou=Individuals,ou=External,ou=People,dc=NC
NG RDN:
(Internal)
(External)
cn=User-guid,ou=State,ou=Internal,ou=People,o=NC
cn=User-guid,ou=Local,ou=Internal,ou=People,o=NC
cn=User-guid,ou=Business,ou=External,ou=People,o=NC
cn=User-guid,ou=Individual,ou=External,ou=People,o=NC
Application Vs. User Migration
Part 1
All User Accounts Continuously Synchronized
between NG & Current NCID
Application Migration Independent of Delegated
Admin & User Account Self-Service Functions
Phased Migration of Applications
Migrated Application
Integrates with NG
Migrated Application Authenticated by NG
DA & User Function Migration Not a Pre-Requisite
Application Vs. User Migration
Part 2
Delegated Admin & User Account SelfService Functions Migrated in Separate
Phased Approach
Migrated Users Must Re-Select Challenge
Questions & Provide Answers
Upon Migration, DA’s Will Provision New
User Accounts
Groups Change to Roles
User Accounts Assigned Roles
Very
little difference in Point-and-Click
Instead of belonging to “My App Users” group, users
will be assigned the “My App Users” role.
Different Technology on the NCID back-end
Roles
Grant Access to Resources
Resources Represent Applications
Functions remain the same for Model 1
authorization and for Model 2 synchronization
Questions & Answers
Chat Questions- noted during presentation
Open Question period
Future Webinar Planned for Delegated Admin
Functions
Additional Documentation & Training Will be
Provided on the NCID Website at
https://www.ncid.its.state.nc.us/TrainingAndDocu
mentation.asp
Submit Remedy Service Request With Additional
Questions- [email protected]
Slide 9
ITS NCID
Next Generation (NG)
Project Overview
April 21, 2010
Agenda
Welcome & Introductions
App Admin Migration Tasks
Reverse Proxy Overview/Details
Web Services/WSDL Details
Model 2 Integration
User DN Changes
Application Vs. User Migration
Roles & Resources
Q&A
App Admin Migration Tasks
All Models
Change Firewall Rules
Functional & Load Testing
Model 1
Very
Important! Protect Web App From Non-Proxy
Access – Typically with Firewall Rules
Move Public Facing SSL Certs
Change Public DNS Settings
Web Services
Request
Creation of Application Service Account
Reverse Proxy Overview
NCID Current Model-1
Public SSL Cert
& DNS Entry
Web Application
WebGate
Oracle API
SSL 1
Oracle Access Service
SSL 2
User Authentication
Redirect
NCID NG Model-1
Private(SelfSigned) SSL Cert
& DNS Entry
Public SSL Cert
Public DNS
Entry
SSL1
Load
Balancer
Reverse Proxy
SSL1
Web Application
SSL3
SSL 2
User Authentication
Redirect
SS
L2
Novell IDP Server
Model 1 NG Migration Changes
NCID NG Model 1 –
Migration Changes
Very Important!
Firewall Rules Required to
Prevent Non-Proxy Access
User Access
1. Implement Firewall
Rules Limiting Access
to Only the Proxy
2. Disable WebGate
Web Application
Reverse Proxy
1
WebGate
Oracle API
1
1. Public SSL Cert Moved to
Proxy.
2. Public DNS Entry Moved
to Load Balancer
3. Private SSL Cert Installed
on App/Web Server
Load
Balancer
2
Public SSL Cert
Web Application
Reverse Proxy
SSL 1
SSL 1
2
SSL 3
Public DNS
Entry
3
Private SSL
Cert
Model 1 – NCID NG End State
NCID NG Model 1
Private ( SelfSigned ) SSL Cert
& DNS Entry
Public SSL Cert
Public DNS
Entry
Load
Balancer
SSL 1
Reverse Proxy
Web Application
SSL 3
SSL 1
SSL 2
User Authentication
Redirect
SS
L2
Novell IDP Server
NCID NG – Web Services
Web Services Methods Available
Validate User Login Credentials
Check & Modify Group Membership
User Search & View Using Search Criteria
Search for Agencies, Divisions, Sections Using Search Criteria
Web Services Documentation https://www.ncid.its.state.nc.us/TrainingAndDocumentation.asp
XML Request
XML
Response
NCID NG WebServices
NCID NG
WSDL
Application Server
Identity
Vault
Web Service Call Detail
Web Service Call
Application
Web Server
Account
1. Authentication Request
2. Request WSDL
Load
Balancer
`
WSDL
End User
4. Retrieve WSDL
3. Redirect
Request
WSDL
5. Web Service Call
WSDL
IDP Server
IDP Server
Web Services
Model 2 Integration
Typical Attributes Synchronized
AD
·
·
·
·
userPrincipalName, saMAccountName
GUID
password
userAccountControl
Typical Events Monitored
NCID
AD
·
·
·
·
Group Membership
Account Disabled
Change Password
Account Disabled
Resources/Roles (NG)
Account Lock
Change password
Account Expiration
IDM Driver
NCID NG Identity Directory
Agency LDAP
Directory
Agency Web/App
Server
User Relative DN Changes
GUIDs Remain the Same
Relative DN pretext changes
Current RDN:
Examples:
Examples:
(State)
(External)
cn=User-guid,ou=Internal,ou=People,dc=NC
cn=User-guid,ou=Local Government,ou=External,ou=People,dc=NC
cn=User-guid,ou=Business Users,ou=External,ou=People,dc=NC
cn=User-guid,ou=Individuals,ou=External,ou=People,dc=NC
NG RDN:
(Internal)
(External)
cn=User-guid,ou=State,ou=Internal,ou=People,o=NC
cn=User-guid,ou=Local,ou=Internal,ou=People,o=NC
cn=User-guid,ou=Business,ou=External,ou=People,o=NC
cn=User-guid,ou=Individual,ou=External,ou=People,o=NC
Application Vs. User Migration
Part 1
All User Accounts Continuously Synchronized
between NG & Current NCID
Application Migration Independent of Delegated
Admin & User Account Self-Service Functions
Phased Migration of Applications
Migrated Application
Integrates with NG
Migrated Application Authenticated by NG
DA & User Function Migration Not a Pre-Requisite
Application Vs. User Migration
Part 2
Delegated Admin & User Account SelfService Functions Migrated in Separate
Phased Approach
Migrated Users Must Re-Select Challenge
Questions & Provide Answers
Upon Migration, DA’s Will Provision New
User Accounts
Groups Change to Roles
User Accounts Assigned Roles
Very
little difference in Point-and-Click
Instead of belonging to “My App Users” group, users
will be assigned the “My App Users” role.
Different Technology on the NCID back-end
Roles
Grant Access to Resources
Resources Represent Applications
Functions remain the same for Model 1
authorization and for Model 2 synchronization
Questions & Answers
Chat Questions- noted during presentation
Open Question period
Future Webinar Planned for Delegated Admin
Functions
Additional Documentation & Training Will be
Provided on the NCID Website at
https://www.ncid.its.state.nc.us/TrainingAndDocu
mentation.asp
Submit Remedy Service Request With Additional
Questions- [email protected]
Slide 10
ITS NCID
Next Generation (NG)
Project Overview
April 21, 2010
Agenda
Welcome & Introductions
App Admin Migration Tasks
Reverse Proxy Overview/Details
Web Services/WSDL Details
Model 2 Integration
User DN Changes
Application Vs. User Migration
Roles & Resources
Q&A
App Admin Migration Tasks
All Models
Change Firewall Rules
Functional & Load Testing
Model 1
Very
Important! Protect Web App From Non-Proxy
Access – Typically with Firewall Rules
Move Public Facing SSL Certs
Change Public DNS Settings
Web Services
Request
Creation of Application Service Account
Reverse Proxy Overview
NCID Current Model-1
Public SSL Cert
& DNS Entry
Web Application
WebGate
Oracle API
SSL 1
Oracle Access Service
SSL 2
User Authentication
Redirect
NCID NG Model-1
Private(SelfSigned) SSL Cert
& DNS Entry
Public SSL Cert
Public DNS
Entry
SSL1
Load
Balancer
Reverse Proxy
SSL1
Web Application
SSL3
SSL 2
User Authentication
Redirect
SS
L2
Novell IDP Server
Model 1 NG Migration Changes
NCID NG Model 1 –
Migration Changes
Very Important!
Firewall Rules Required to
Prevent Non-Proxy Access
User Access
1. Implement Firewall
Rules Limiting Access
to Only the Proxy
2. Disable WebGate
Web Application
Reverse Proxy
1
WebGate
Oracle API
1
1. Public SSL Cert Moved to
Proxy.
2. Public DNS Entry Moved
to Load Balancer
3. Private SSL Cert Installed
on App/Web Server
Load
Balancer
2
Public SSL Cert
Web Application
Reverse Proxy
SSL 1
SSL 1
2
SSL 3
Public DNS
Entry
3
Private SSL
Cert
Model 1 – NCID NG End State
NCID NG Model 1
Private ( SelfSigned ) SSL Cert
& DNS Entry
Public SSL Cert
Public DNS
Entry
Load
Balancer
SSL 1
Reverse Proxy
Web Application
SSL 3
SSL 1
SSL 2
User Authentication
Redirect
SS
L2
Novell IDP Server
NCID NG – Web Services
Web Services Methods Available
Validate User Login Credentials
Check & Modify Group Membership
User Search & View Using Search Criteria
Search for Agencies, Divisions, Sections Using Search Criteria
Web Services Documentation https://www.ncid.its.state.nc.us/TrainingAndDocumentation.asp
XML Request
XML
Response
NCID NG WebServices
NCID NG
WSDL
Application Server
Identity
Vault
Web Service Call Detail
Web Service Call
Application
Web Server
Account
1. Authentication Request
2. Request WSDL
Load
Balancer
`
WSDL
End User
4. Retrieve WSDL
3. Redirect
Request
WSDL
5. Web Service Call
WSDL
IDP Server
IDP Server
Web Services
Model 2 Integration
Typical Attributes Synchronized
AD
·
·
·
·
userPrincipalName, saMAccountName
GUID
password
userAccountControl
Typical Events Monitored
NCID
AD
·
·
·
·
Group Membership
Account Disabled
Change Password
Account Disabled
Resources/Roles (NG)
Account Lock
Change password
Account Expiration
IDM Driver
NCID NG Identity Directory
Agency LDAP
Directory
Agency Web/App
Server
User Relative DN Changes
GUIDs Remain the Same
Relative DN pretext changes
Current RDN:
Examples:
Examples:
(State)
(External)
cn=User-guid,ou=Internal,ou=People,dc=NC
cn=User-guid,ou=Local Government,ou=External,ou=People,dc=NC
cn=User-guid,ou=Business Users,ou=External,ou=People,dc=NC
cn=User-guid,ou=Individuals,ou=External,ou=People,dc=NC
NG RDN:
(Internal)
(External)
cn=User-guid,ou=State,ou=Internal,ou=People,o=NC
cn=User-guid,ou=Local,ou=Internal,ou=People,o=NC
cn=User-guid,ou=Business,ou=External,ou=People,o=NC
cn=User-guid,ou=Individual,ou=External,ou=People,o=NC
Application Vs. User Migration
Part 1
All User Accounts Continuously Synchronized
between NG & Current NCID
Application Migration Independent of Delegated
Admin & User Account Self-Service Functions
Phased Migration of Applications
Migrated Application
Integrates with NG
Migrated Application Authenticated by NG
DA & User Function Migration Not a Pre-Requisite
Application Vs. User Migration
Part 2
Delegated Admin & User Account SelfService Functions Migrated in Separate
Phased Approach
Migrated Users Must Re-Select Challenge
Questions & Provide Answers
Upon Migration, DA’s Will Provision New
User Accounts
Groups Change to Roles
User Accounts Assigned Roles
Very
little difference in Point-and-Click
Instead of belonging to “My App Users” group, users
will be assigned the “My App Users” role.
Different Technology on the NCID back-end
Roles
Grant Access to Resources
Resources Represent Applications
Functions remain the same for Model 1
authorization and for Model 2 synchronization
Questions & Answers
Chat Questions- noted during presentation
Open Question period
Future Webinar Planned for Delegated Admin
Functions
Additional Documentation & Training Will be
Provided on the NCID Website at
https://www.ncid.its.state.nc.us/TrainingAndDocu
mentation.asp
Submit Remedy Service Request With Additional
Questions- [email protected]
Slide 11
ITS NCID
Next Generation (NG)
Project Overview
April 21, 2010
Agenda
Welcome & Introductions
App Admin Migration Tasks
Reverse Proxy Overview/Details
Web Services/WSDL Details
Model 2 Integration
User DN Changes
Application Vs. User Migration
Roles & Resources
Q&A
App Admin Migration Tasks
All Models
Change Firewall Rules
Functional & Load Testing
Model 1
Very
Important! Protect Web App From Non-Proxy
Access – Typically with Firewall Rules
Move Public Facing SSL Certs
Change Public DNS Settings
Web Services
Request
Creation of Application Service Account
Reverse Proxy Overview
NCID Current Model-1
Public SSL Cert
& DNS Entry
Web Application
WebGate
Oracle API
SSL 1
Oracle Access Service
SSL 2
User Authentication
Redirect
NCID NG Model-1
Private(SelfSigned) SSL Cert
& DNS Entry
Public SSL Cert
Public DNS
Entry
SSL1
Load
Balancer
Reverse Proxy
SSL1
Web Application
SSL3
SSL 2
User Authentication
Redirect
SS
L2
Novell IDP Server
Model 1 NG Migration Changes
NCID NG Model 1 –
Migration Changes
Very Important!
Firewall Rules Required to
Prevent Non-Proxy Access
User Access
1. Implement Firewall
Rules Limiting Access
to Only the Proxy
2. Disable WebGate
Web Application
Reverse Proxy
1
WebGate
Oracle API
1
1. Public SSL Cert Moved to
Proxy.
2. Public DNS Entry Moved
to Load Balancer
3. Private SSL Cert Installed
on App/Web Server
Load
Balancer
2
Public SSL Cert
Web Application
Reverse Proxy
SSL 1
SSL 1
2
SSL 3
Public DNS
Entry
3
Private SSL
Cert
Model 1 – NCID NG End State
NCID NG Model 1
Private ( SelfSigned ) SSL Cert
& DNS Entry
Public SSL Cert
Public DNS
Entry
Load
Balancer
SSL 1
Reverse Proxy
Web Application
SSL 3
SSL 1
SSL 2
User Authentication
Redirect
SS
L2
Novell IDP Server
NCID NG – Web Services
Web Services Methods Available
Validate User Login Credentials
Check & Modify Group Membership
User Search & View Using Search Criteria
Search for Agencies, Divisions, Sections Using Search Criteria
Web Services Documentation https://www.ncid.its.state.nc.us/TrainingAndDocumentation.asp
XML Request
XML
Response
NCID NG WebServices
NCID NG
WSDL
Application Server
Identity
Vault
Web Service Call Detail
Web Service Call
Application
Web Server
Account
1. Authentication Request
2. Request WSDL
Load
Balancer
`
WSDL
End User
4. Retrieve WSDL
3. Redirect
Request
WSDL
5. Web Service Call
WSDL
IDP Server
IDP Server
Web Services
Model 2 Integration
Typical Attributes Synchronized
AD
·
·
·
·
userPrincipalName, saMAccountName
GUID
password
userAccountControl
Typical Events Monitored
NCID
AD
·
·
·
·
Group Membership
Account Disabled
Change Password
Account Disabled
Resources/Roles (NG)
Account Lock
Change password
Account Expiration
IDM Driver
NCID NG Identity Directory
Agency LDAP
Directory
Agency Web/App
Server
User Relative DN Changes
GUIDs Remain the Same
Relative DN pretext changes
Current RDN:
Examples:
Examples:
(State)
(External)
cn=User-guid,ou=Internal,ou=People,dc=NC
cn=User-guid,ou=Local Government,ou=External,ou=People,dc=NC
cn=User-guid,ou=Business Users,ou=External,ou=People,dc=NC
cn=User-guid,ou=Individuals,ou=External,ou=People,dc=NC
NG RDN:
(Internal)
(External)
cn=User-guid,ou=State,ou=Internal,ou=People,o=NC
cn=User-guid,ou=Local,ou=Internal,ou=People,o=NC
cn=User-guid,ou=Business,ou=External,ou=People,o=NC
cn=User-guid,ou=Individual,ou=External,ou=People,o=NC
Application Vs. User Migration
Part 1
All User Accounts Continuously Synchronized
between NG & Current NCID
Application Migration Independent of Delegated
Admin & User Account Self-Service Functions
Phased Migration of Applications
Migrated Application
Integrates with NG
Migrated Application Authenticated by NG
DA & User Function Migration Not a Pre-Requisite
Application Vs. User Migration
Part 2
Delegated Admin & User Account SelfService Functions Migrated in Separate
Phased Approach
Migrated Users Must Re-Select Challenge
Questions & Provide Answers
Upon Migration, DA’s Will Provision New
User Accounts
Groups Change to Roles
User Accounts Assigned Roles
Very
little difference in Point-and-Click
Instead of belonging to “My App Users” group, users
will be assigned the “My App Users” role.
Different Technology on the NCID back-end
Roles
Grant Access to Resources
Resources Represent Applications
Functions remain the same for Model 1
authorization and for Model 2 synchronization
Questions & Answers
Chat Questions- noted during presentation
Open Question period
Future Webinar Planned for Delegated Admin
Functions
Additional Documentation & Training Will be
Provided on the NCID Website at
https://www.ncid.its.state.nc.us/TrainingAndDocu
mentation.asp
Submit Remedy Service Request With Additional
Questions- [email protected]
Slide 12
ITS NCID
Next Generation (NG)
Project Overview
April 21, 2010
Agenda
Welcome & Introductions
App Admin Migration Tasks
Reverse Proxy Overview/Details
Web Services/WSDL Details
Model 2 Integration
User DN Changes
Application Vs. User Migration
Roles & Resources
Q&A
App Admin Migration Tasks
All Models
Change Firewall Rules
Functional & Load Testing
Model 1
Very
Important! Protect Web App From Non-Proxy
Access – Typically with Firewall Rules
Move Public Facing SSL Certs
Change Public DNS Settings
Web Services
Request
Creation of Application Service Account
Reverse Proxy Overview
NCID Current Model-1
Public SSL Cert
& DNS Entry
Web Application
WebGate
Oracle API
SSL 1
Oracle Access Service
SSL 2
User Authentication
Redirect
NCID NG Model-1
Private(SelfSigned) SSL Cert
& DNS Entry
Public SSL Cert
Public DNS
Entry
SSL1
Load
Balancer
Reverse Proxy
SSL1
Web Application
SSL3
SSL 2
User Authentication
Redirect
SS
L2
Novell IDP Server
Model 1 NG Migration Changes
NCID NG Model 1 –
Migration Changes
Very Important!
Firewall Rules Required to
Prevent Non-Proxy Access
User Access
1. Implement Firewall
Rules Limiting Access
to Only the Proxy
2. Disable WebGate
Web Application
Reverse Proxy
1
WebGate
Oracle API
1
1. Public SSL Cert Moved to
Proxy.
2. Public DNS Entry Moved
to Load Balancer
3. Private SSL Cert Installed
on App/Web Server
Load
Balancer
2
Public SSL Cert
Web Application
Reverse Proxy
SSL 1
SSL 1
2
SSL 3
Public DNS
Entry
3
Private SSL
Cert
Model 1 – NCID NG End State
NCID NG Model 1
Private ( SelfSigned ) SSL Cert
& DNS Entry
Public SSL Cert
Public DNS
Entry
Load
Balancer
SSL 1
Reverse Proxy
Web Application
SSL 3
SSL 1
SSL 2
User Authentication
Redirect
SS
L2
Novell IDP Server
NCID NG – Web Services
Web Services Methods Available
Validate User Login Credentials
Check & Modify Group Membership
User Search & View Using Search Criteria
Search for Agencies, Divisions, Sections Using Search Criteria
Web Services Documentation https://www.ncid.its.state.nc.us/TrainingAndDocumentation.asp
XML Request
XML
Response
NCID NG WebServices
NCID NG
WSDL
Application Server
Identity
Vault
Web Service Call Detail
Web Service Call
Application
Web Server
Account
1. Authentication Request
2. Request WSDL
Load
Balancer
`
WSDL
End User
4. Retrieve WSDL
3. Redirect
Request
WSDL
5. Web Service Call
WSDL
IDP Server
IDP Server
Web Services
Model 2 Integration
Typical Attributes Synchronized
AD
·
·
·
·
userPrincipalName, saMAccountName
GUID
password
userAccountControl
Typical Events Monitored
NCID
AD
·
·
·
·
Group Membership
Account Disabled
Change Password
Account Disabled
Resources/Roles (NG)
Account Lock
Change password
Account Expiration
IDM Driver
NCID NG Identity Directory
Agency LDAP
Directory
Agency Web/App
Server
User Relative DN Changes
GUIDs Remain the Same
Relative DN pretext changes
Current RDN:
Examples:
Examples:
(State)
(External)
cn=User-guid,ou=Internal,ou=People,dc=NC
cn=User-guid,ou=Local Government,ou=External,ou=People,dc=NC
cn=User-guid,ou=Business Users,ou=External,ou=People,dc=NC
cn=User-guid,ou=Individuals,ou=External,ou=People,dc=NC
NG RDN:
(Internal)
(External)
cn=User-guid,ou=State,ou=Internal,ou=People,o=NC
cn=User-guid,ou=Local,ou=Internal,ou=People,o=NC
cn=User-guid,ou=Business,ou=External,ou=People,o=NC
cn=User-guid,ou=Individual,ou=External,ou=People,o=NC
Application Vs. User Migration
Part 1
All User Accounts Continuously Synchronized
between NG & Current NCID
Application Migration Independent of Delegated
Admin & User Account Self-Service Functions
Phased Migration of Applications
Migrated Application
Integrates with NG
Migrated Application Authenticated by NG
DA & User Function Migration Not a Pre-Requisite
Application Vs. User Migration
Part 2
Delegated Admin & User Account SelfService Functions Migrated in Separate
Phased Approach
Migrated Users Must Re-Select Challenge
Questions & Provide Answers
Upon Migration, DA’s Will Provision New
User Accounts
Groups Change to Roles
User Accounts Assigned Roles
Very
little difference in Point-and-Click
Instead of belonging to “My App Users” group, users
will be assigned the “My App Users” role.
Different Technology on the NCID back-end
Roles
Grant Access to Resources
Resources Represent Applications
Functions remain the same for Model 1
authorization and for Model 2 synchronization
Questions & Answers
Chat Questions- noted during presentation
Open Question period
Future Webinar Planned for Delegated Admin
Functions
Additional Documentation & Training Will be
Provided on the NCID Website at
https://www.ncid.its.state.nc.us/TrainingAndDocu
mentation.asp
Submit Remedy Service Request With Additional
Questions- [email protected]
Slide 13
ITS NCID
Next Generation (NG)
Project Overview
April 21, 2010
Agenda
Welcome & Introductions
App Admin Migration Tasks
Reverse Proxy Overview/Details
Web Services/WSDL Details
Model 2 Integration
User DN Changes
Application Vs. User Migration
Roles & Resources
Q&A
App Admin Migration Tasks
All Models
Change Firewall Rules
Functional & Load Testing
Model 1
Very
Important! Protect Web App From Non-Proxy
Access – Typically with Firewall Rules
Move Public Facing SSL Certs
Change Public DNS Settings
Web Services
Request
Creation of Application Service Account
Reverse Proxy Overview
NCID Current Model-1
Public SSL Cert
& DNS Entry
Web Application
WebGate
Oracle API
SSL 1
Oracle Access Service
SSL 2
User Authentication
Redirect
NCID NG Model-1
Private(SelfSigned) SSL Cert
& DNS Entry
Public SSL Cert
Public DNS
Entry
SSL1
Load
Balancer
Reverse Proxy
SSL1
Web Application
SSL3
SSL 2
User Authentication
Redirect
SS
L2
Novell IDP Server
Model 1 NG Migration Changes
NCID NG Model 1 –
Migration Changes
Very Important!
Firewall Rules Required to
Prevent Non-Proxy Access
User Access
1. Implement Firewall
Rules Limiting Access
to Only the Proxy
2. Disable WebGate
Web Application
Reverse Proxy
1
WebGate
Oracle API
1
1. Public SSL Cert Moved to
Proxy.
2. Public DNS Entry Moved
to Load Balancer
3. Private SSL Cert Installed
on App/Web Server
Load
Balancer
2
Public SSL Cert
Web Application
Reverse Proxy
SSL 1
SSL 1
2
SSL 3
Public DNS
Entry
3
Private SSL
Cert
Model 1 – NCID NG End State
NCID NG Model 1
Private ( SelfSigned ) SSL Cert
& DNS Entry
Public SSL Cert
Public DNS
Entry
Load
Balancer
SSL 1
Reverse Proxy
Web Application
SSL 3
SSL 1
SSL 2
User Authentication
Redirect
SS
L2
Novell IDP Server
NCID NG – Web Services
Web Services Methods Available
Validate User Login Credentials
Check & Modify Group Membership
User Search & View Using Search Criteria
Search for Agencies, Divisions, Sections Using Search Criteria
Web Services Documentation https://www.ncid.its.state.nc.us/TrainingAndDocumentation.asp
XML Request
XML
Response
NCID NG WebServices
NCID NG
WSDL
Application Server
Identity
Vault
Web Service Call Detail
Web Service Call
Application
Web Server
Account
1. Authentication Request
2. Request WSDL
Load
Balancer
`
WSDL
End User
4. Retrieve WSDL
3. Redirect
Request
WSDL
5. Web Service Call
WSDL
IDP Server
IDP Server
Web Services
Model 2 Integration
Typical Attributes Synchronized
AD
·
·
·
·
userPrincipalName, saMAccountName
GUID
password
userAccountControl
Typical Events Monitored
NCID
AD
·
·
·
·
Group Membership
Account Disabled
Change Password
Account Disabled
Resources/Roles (NG)
Account Lock
Change password
Account Expiration
IDM Driver
NCID NG Identity Directory
Agency LDAP
Directory
Agency Web/App
Server
User Relative DN Changes
GUIDs Remain the Same
Relative DN pretext changes
Current RDN:
Examples:
Examples:
(State)
(External)
cn=User-guid,ou=Internal,ou=People,dc=NC
cn=User-guid,ou=Local Government,ou=External,ou=People,dc=NC
cn=User-guid,ou=Business Users,ou=External,ou=People,dc=NC
cn=User-guid,ou=Individuals,ou=External,ou=People,dc=NC
NG RDN:
(Internal)
(External)
cn=User-guid,ou=State,ou=Internal,ou=People,o=NC
cn=User-guid,ou=Local,ou=Internal,ou=People,o=NC
cn=User-guid,ou=Business,ou=External,ou=People,o=NC
cn=User-guid,ou=Individual,ou=External,ou=People,o=NC
Application Vs. User Migration
Part 1
All User Accounts Continuously Synchronized
between NG & Current NCID
Application Migration Independent of Delegated
Admin & User Account Self-Service Functions
Phased Migration of Applications
Migrated Application
Integrates with NG
Migrated Application Authenticated by NG
DA & User Function Migration Not a Pre-Requisite
Application Vs. User Migration
Part 2
Delegated Admin & User Account SelfService Functions Migrated in Separate
Phased Approach
Migrated Users Must Re-Select Challenge
Questions & Provide Answers
Upon Migration, DA’s Will Provision New
User Accounts
Groups Change to Roles
User Accounts Assigned Roles
Very
little difference in Point-and-Click
Instead of belonging to “My App Users” group, users
will be assigned the “My App Users” role.
Different Technology on the NCID back-end
Roles
Grant Access to Resources
Resources Represent Applications
Functions remain the same for Model 1
authorization and for Model 2 synchronization
Questions & Answers
Chat Questions- noted during presentation
Open Question period
Future Webinar Planned for Delegated Admin
Functions
Additional Documentation & Training Will be
Provided on the NCID Website at
https://www.ncid.its.state.nc.us/TrainingAndDocu
mentation.asp
Submit Remedy Service Request With Additional
Questions- [email protected]
Slide 14
ITS NCID
Next Generation (NG)
Project Overview
April 21, 2010
Agenda
Welcome & Introductions
App Admin Migration Tasks
Reverse Proxy Overview/Details
Web Services/WSDL Details
Model 2 Integration
User DN Changes
Application Vs. User Migration
Roles & Resources
Q&A
App Admin Migration Tasks
All Models
Change Firewall Rules
Functional & Load Testing
Model 1
Very
Important! Protect Web App From Non-Proxy
Access – Typically with Firewall Rules
Move Public Facing SSL Certs
Change Public DNS Settings
Web Services
Request
Creation of Application Service Account
Reverse Proxy Overview
NCID Current Model-1
Public SSL Cert
& DNS Entry
Web Application
WebGate
Oracle API
SSL 1
Oracle Access Service
SSL 2
User Authentication
Redirect
NCID NG Model-1
Private(SelfSigned) SSL Cert
& DNS Entry
Public SSL Cert
Public DNS
Entry
SSL1
Load
Balancer
Reverse Proxy
SSL1
Web Application
SSL3
SSL 2
User Authentication
Redirect
SS
L2
Novell IDP Server
Model 1 NG Migration Changes
NCID NG Model 1 –
Migration Changes
Very Important!
Firewall Rules Required to
Prevent Non-Proxy Access
User Access
1. Implement Firewall
Rules Limiting Access
to Only the Proxy
2. Disable WebGate
Web Application
Reverse Proxy
1
WebGate
Oracle API
1
1. Public SSL Cert Moved to
Proxy.
2. Public DNS Entry Moved
to Load Balancer
3. Private SSL Cert Installed
on App/Web Server
Load
Balancer
2
Public SSL Cert
Web Application
Reverse Proxy
SSL 1
SSL 1
2
SSL 3
Public DNS
Entry
3
Private SSL
Cert
Model 1 – NCID NG End State
NCID NG Model 1
Private ( SelfSigned ) SSL Cert
& DNS Entry
Public SSL Cert
Public DNS
Entry
Load
Balancer
SSL 1
Reverse Proxy
Web Application
SSL 3
SSL 1
SSL 2
User Authentication
Redirect
SS
L2
Novell IDP Server
NCID NG – Web Services
Web Services Methods Available
Validate User Login Credentials
Check & Modify Group Membership
User Search & View Using Search Criteria
Search for Agencies, Divisions, Sections Using Search Criteria
Web Services Documentation https://www.ncid.its.state.nc.us/TrainingAndDocumentation.asp
XML Request
XML
Response
NCID NG WebServices
NCID NG
WSDL
Application Server
Identity
Vault
Web Service Call Detail
Web Service Call
Application
Web Server
Account
1. Authentication Request
2. Request WSDL
Load
Balancer
`
WSDL
End User
4. Retrieve WSDL
3. Redirect
Request
WSDL
5. Web Service Call
WSDL
IDP Server
IDP Server
Web Services
Model 2 Integration
Typical Attributes Synchronized
AD
·
·
·
·
userPrincipalName, saMAccountName
GUID
password
userAccountControl
Typical Events Monitored
NCID
AD
·
·
·
·
Group Membership
Account Disabled
Change Password
Account Disabled
Resources/Roles (NG)
Account Lock
Change password
Account Expiration
IDM Driver
NCID NG Identity Directory
Agency LDAP
Directory
Agency Web/App
Server
User Relative DN Changes
GUIDs Remain the Same
Relative DN context changes: the cn=User-guid RDN is unchanged, but the containers above it change (the ou path, and dc=NC becomes o=NC)
Current RDN examples:
(State) cn=User-guid,ou=Internal,ou=People,dc=NC
(External) cn=User-guid,ou=Local Government,ou=External,ou=People,dc=NC
(External) cn=User-guid,ou=Business Users,ou=External,ou=People,dc=NC
(External) cn=User-guid,ou=Individuals,ou=External,ou=People,dc=NC
NG RDN examples:
(Internal) cn=User-guid,ou=State,ou=Internal,ou=People,o=NC
(Internal) cn=User-guid,ou=Local,ou=Internal,ou=People,o=NC
(External) cn=User-guid,ou=Business,ou=External,ou=People,o=NC
(External) cn=User-guid,ou=Individual,ou=External,ou=People,o=NC
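An application that stores user DNs (for example in its own access list) has to rewrite them during migration. The following is an added example, not NCID project code: its container mapping is built only from the four DN pairs shown above, and any DN in a container the slide does not list is rejected rather than guessed; the sample GUIDs and the service-account DN are constructed.

```python
"""Rewrite current-NCID user DNs into their NCID NG form.

Added example, not code from the NCID project. CONTAINER_MAP is built
from the four example DN pairs on the slide; a DN whose container is not
listed there is rejected rather than guessed, so an application migrating
a stored list of user DNs learns exactly which entries need a human.
"""

# Current parent DN (everything after the user's own RDN) -> NG parent DN,
# exactly as the slide shows. The cn=User-guid RDN is carried over unchanged
# because GUIDs remain the same across the migration.
CONTAINER_MAP = {
    "ou=Internal,ou=People,dc=NC": "ou=State,ou=Internal,ou=People,o=NC",
    "ou=Local Government,ou=External,ou=People,dc=NC": "ou=Local,ou=Internal,ou=People,o=NC",
    "ou=Business Users,ou=External,ou=People,dc=NC": "ou=Business,ou=External,ou=People,o=NC",
    "ou=Individuals,ou=External,ou=People,dc=NC": "ou=Individual,ou=External,ou=People,o=NC",
}

# LDAP attribute types and these ou values match case-insensitively,
# so the lookup key is lower-cased.
_LOOKUP = {key.lower(): value for key, value in CONTAINER_MAP.items()}


def split_dn(dn: str) -> list[str]:
    """Split a DN into its RDN strings, honouring backslash-escaped commas (RFC 4514)."""
    parts: list[str] = []
    buf: list[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i:i + 2])  # keep the escape pair intact
            i += 2
            continue
        if ch == ",":
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf).strip())
    return parts


def to_ng_dn(current_dn: str) -> str:
    """Return the NG DN for a current-NCID user DN, or raise ValueError."""
    rdns = split_dn(current_dn)
    if len(rdns) < 2:
        raise ValueError(f"not a user DN: {current_dn!r}")
    attr, sep, guid = rdns[0].partition("=")
    if not sep or attr.strip().lower() != "cn" or not guid.strip():
        raise ValueError(f"expected a cn=<guid> RDN, got {rdns[0]!r}")
    parent = ",".join(rdns[1:])
    ng_parent = _LOOKUP.get(parent.lower())
    if ng_parent is None:
        raise ValueError(f"unknown container {parent!r}; refusing to guess")
    return f"cn={guid.strip()},{ng_parent}"


def migrate_dn_list(dns: list[str]) -> tuple[dict[str, str], list[str]]:
    """Rewrite every DN it can; return ({old: new}, [rejected old DNs])."""
    migrated: dict[str, str] = {}
    rejected: list[str] = []
    for dn in dns:
        try:
            migrated[dn] = to_ng_dn(dn)
        except ValueError:
            rejected.append(dn)
    return migrated, rejected


if __name__ == "__main__":
    # Constructed sample: an application's stored list of authorized DNs.
    # The GUIDs and the last (non-user) entry are made up.
    sample = [
        "cn=0f3a9b2c,ou=Internal,ou=People,dc=NC",
        "cn=7c1d44e0,ou=Local Government,ou=External,ou=People,dc=NC",
        "CN=91aa02ef,OU=Individuals,OU=External,OU=People,DC=NC",
        "cn=svc-myapp,ou=Applications,dc=NC",  # not a user container on the slide
    ]
    done, todo = migrate_dn_list(sample)
    for old, new in done.items():
        print(f"{old}\n  -> {new}")
    print("needs manual review:", todo)
```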
Application Vs. User Migration – Part 1
All User Accounts Continuously Synchronized between NG & Current NCID
Application Migration Independent of Delegated Admin & User Account Self-Service Functions
Phased Migration of Applications
Migrated Application Integrates with NG
Migrated Application Authenticated by NG
DA & User Function Migration Not a Pre-Requisite
Application Vs. User Migration – Part 2
Delegated Admin & User Account Self-Service Functions Migrated in Separate Phased Approach
Migrated Users Must Re-Select Challenge Questions & Provide Answers
Upon Migration, DAs Will Provision New User Accounts
Groups Change to Roles
User Accounts Assigned Roles
Very little difference in Point-and-Click
Instead of belonging to “My App Users” group, users will be assigned the “My App Users” role.
Different Technology on the NCID back-end
Roles Grant Access to Resources
Resources Represent Applications
Functions remain the same for Model 1 authorization and for Model 2 synchronization
Questions & Answers
Chat Questions – noted during presentation
Open Question period
Future Webinar Planned for Delegated Admin Functions
Additional Documentation & Training Will be Provided on the NCID Website at https://www.ncid.its.state.nc.us/TrainingAndDocumentation.asp
Submit Remedy Service Request With Additional Questions – [email protected]
ITS NCID
Next Generation (NG)
Project Overview
April 21, 2010
Agenda
Welcome & Introductions
App Admin Migration Tasks
Reverse Proxy Overview/Details
Web Services/WSDL Details
Model 2 Integration
User DN Changes
Application Vs. User Migration
Roles & Resources
Q&A
App Admin Migration Tasks
All Models
Change Firewall Rules
Functional & Load Testing
Model 1
Very
Important! Protect Web App From Non-Proxy
Access – Typically with Firewall Rules
Move Public Facing SSL Certs
Change Public DNS Settings
Web Services
Request
Creation of Application Service Account
Reverse Proxy Overview
NCID Current Model-1
Public SSL Cert
& DNS Entry
Web Application
WebGate
Oracle API
SSL 1
Oracle Access Service
SSL 2
User Authentication
Redirect
NCID NG Model-1
Private(SelfSigned) SSL Cert
& DNS Entry
Public SSL Cert
Public DNS
Entry
SSL1
Load
Balancer
Reverse Proxy
SSL1
Web Application
SSL3
SSL 2
User Authentication
Redirect
SS
L2
Novell IDP Server
Model 1 NG Migration Changes
NCID NG Model 1 –
Migration Changes
Very Important!
Firewall Rules Required to
Prevent Non-Proxy Access
User Access
1. Implement Firewall
Rules Limiting Access
to Only the Proxy
2. Disable WebGate
Web Application
Reverse Proxy
1
WebGate
Oracle API
1
1. Public SSL Cert Moved to
Proxy.
2. Public DNS Entry Moved
to Load Balancer
3. Private SSL Cert Installed
on App/Web Server
Load
Balancer
2
Public SSL Cert
Web Application
Reverse Proxy
SSL 1
SSL 1
2
SSL 3
Public DNS
Entry
3
Private SSL
Cert
Model 1 – NCID NG End State
NCID NG Model 1
Private ( SelfSigned ) SSL Cert
& DNS Entry
Public SSL Cert
Public DNS
Entry
Load
Balancer
SSL 1
Reverse Proxy
Web Application
SSL 3
SSL 1
SSL 2
User Authentication
Redirect
SS
L2
Novell IDP Server
NCID NG – Web Services
Web Services Methods Available
Validate User Login Credentials
Check & Modify Group Membership
User Search & View Using Search Criteria
Search for Agencies, Divisions, Sections Using Search Criteria
Web Services Documentation https://www.ncid.its.state.nc.us/TrainingAndDocumentation.asp
XML Request
XML
Response
NCID NG WebServices
NCID NG
WSDL
Application Server
Identity
Vault
Web Service Call Detail
Web Service Call
Application
Web Server
Account
1. Authentication Request
2. Request WSDL
Load
Balancer
`
WSDL
End User
4. Retrieve WSDL
3. Redirect
Request
WSDL
5. Web Service Call
WSDL
IDP Server
IDP Server
Web Services
Model 2 Integration
Typical Attributes Synchronized
AD
·
·
·
·
userPrincipalName, saMAccountName
GUID
password
userAccountControl
Typical Events Monitored
NCID
AD
·
·
·
·
Group Membership
Account Disabled
Change Password
Account Disabled
Resources/Roles (NG)
Account Lock
Change password
Account Expiration
IDM Driver
NCID NG Identity Directory
Agency LDAP
Directory
Agency Web/App
Server
User Relative DN Changes
GUIDs Remain the Same
Relative DN pretext changes
Current RDN:
Examples:
Examples:
(State)
(External)
cn=User-guid,ou=Internal,ou=People,dc=NC
cn=User-guid,ou=Local Government,ou=External,ou=People,dc=NC
cn=User-guid,ou=Business Users,ou=External,ou=People,dc=NC
cn=User-guid,ou=Individuals,ou=External,ou=People,dc=NC
NG RDN:
(Internal)
(External)
cn=User-guid,ou=State,ou=Internal,ou=People,o=NC
cn=User-guid,ou=Local,ou=Internal,ou=People,o=NC
cn=User-guid,ou=Business,ou=External,ou=People,o=NC
cn=User-guid,ou=Individual,ou=External,ou=People,o=NC
Application Vs. User Migration
Part 1
All User Accounts Continuously Synchronized
between NG & Current NCID
Application Migration Independent of Delegated
Admin & User Account Self-Service Functions
Phased Migration of Applications
Migrated Application
Integrates with NG
Migrated Application Authenticated by NG
DA & User Function Migration Not a Pre-Requisite
Application Vs. User Migration
Part 2
Delegated Admin & User Account SelfService Functions Migrated in Separate
Phased Approach
Migrated Users Must Re-Select Challenge
Questions & Provide Answers
Upon Migration, DA’s Will Provision New
User Accounts
Groups Change to Roles
User Accounts Assigned Roles
Very
little difference in Point-and-Click
Instead of belonging to “My App Users” group, users
will be assigned the “My App Users” role.
Different Technology on the NCID back-end
Roles
Grant Access to Resources
Resources Represent Applications
Functions remain the same for Model 1
authorization and for Model 2 synchronization
Questions & Answers
Chat Questions- noted during presentation
Open Question period
Future Webinar Planned for Delegated Admin
Functions
Additional Documentation & Training Will be
Provided on the NCID Website at
https://www.ncid.its.state.nc.us/TrainingAndDocu
mentation.asp
Submit Remedy Service Request With Additional
Questions- [email protected]
Slide 2
ITS NCID
Next Generation (NG)
Project Overview
April 21, 2010
Agenda
Welcome & Introductions
App Admin Migration Tasks
Reverse Proxy Overview/Details
Web Services/WSDL Details
Model 2 Integration
User DN Changes
Application Vs. User Migration
Roles & Resources
Q&A
App Admin Migration Tasks
All Models
Change Firewall Rules
Functional & Load Testing
Model 1
Very
Important! Protect Web App From Non-Proxy
Access – Typically with Firewall Rules
Move Public Facing SSL Certs
Change Public DNS Settings
Web Services
Request
Creation of Application Service Account
Reverse Proxy Overview
NCID Current Model-1
Public SSL Cert
& DNS Entry
Web Application
WebGate
Oracle API
SSL 1
Oracle Access Service
SSL 2
User Authentication
Redirect
NCID NG Model-1
Private(SelfSigned) SSL Cert
& DNS Entry
Public SSL Cert
Public DNS
Entry
SSL1
Load
Balancer
Reverse Proxy
SSL1
Web Application
SSL3
SSL 2
User Authentication
Redirect
SS
L2
Novell IDP Server
Model 1 NG Migration Changes
NCID NG Model 1 –
Migration Changes
Very Important!
Firewall Rules Required to
Prevent Non-Proxy Access
User Access
1. Implement Firewall
Rules Limiting Access
to Only the Proxy
2. Disable WebGate
Web Application
Reverse Proxy
1
WebGate
Oracle API
1
1. Public SSL Cert Moved to
Proxy.
2. Public DNS Entry Moved
to Load Balancer
3. Private SSL Cert Installed
on App/Web Server
Load
Balancer
2
Public SSL Cert
Web Application
Reverse Proxy
SSL 1
SSL 1
2
SSL 3
Public DNS
Entry
3
Private SSL
Cert
Model 1 – NCID NG End State
NCID NG Model 1
Private ( SelfSigned ) SSL Cert
& DNS Entry
Public SSL Cert
Public DNS
Entry
Load
Balancer
SSL 1
Reverse Proxy
Web Application
SSL 3
SSL 1
SSL 2
User Authentication
Redirect
SS
L2
Novell IDP Server
NCID NG – Web Services
Web Services Methods Available
Validate User Login Credentials
Check & Modify Group Membership
User Search & View Using Search Criteria
Search for Agencies, Divisions, Sections Using Search Criteria
Web Services Documentation https://www.ncid.its.state.nc.us/TrainingAndDocumentation.asp
XML Request
XML
Response
NCID NG WebServices
NCID NG
WSDL
Application Server
Identity
Vault
Web Service Call Detail
Web Service Call
Application
Web Server
Account
1. Authentication Request
2. Request WSDL
Load
Balancer
`
WSDL
End User
4. Retrieve WSDL
3. Redirect
Request
WSDL
5. Web Service Call
WSDL
IDP Server
IDP Server
Web Services
Model 2 Integration
Typical Attributes Synchronized
AD
·
·
·
·
userPrincipalName, saMAccountName
GUID
password
userAccountControl
Typical Events Monitored
NCID
AD
·
·
·
·
Group Membership
Account Disabled
Change Password
Account Disabled
Resources/Roles (NG)
Account Lock
Change password
Account Expiration
IDM Driver
NCID NG Identity Directory
Agency LDAP
Directory
Agency Web/App
Server
User Relative DN Changes
GUIDs Remain the Same
Relative DN pretext changes
Current RDN:
Examples:
Examples:
(State)
(External)
cn=User-guid,ou=Internal,ou=People,dc=NC
cn=User-guid,ou=Local Government,ou=External,ou=People,dc=NC
cn=User-guid,ou=Business Users,ou=External,ou=People,dc=NC
cn=User-guid,ou=Individuals,ou=External,ou=People,dc=NC
NG RDN:
(Internal)
(External)
cn=User-guid,ou=State,ou=Internal,ou=People,o=NC
cn=User-guid,ou=Local,ou=Internal,ou=People,o=NC
cn=User-guid,ou=Business,ou=External,ou=People,o=NC
cn=User-guid,ou=Individual,ou=External,ou=People,o=NC
Application Vs. User Migration
Part 1
All User Accounts Continuously Synchronized
between NG & Current NCID
Application Migration Independent of Delegated
Admin & User Account Self-Service Functions
Phased Migration of Applications
Migrated Application
Integrates with NG
Migrated Application Authenticated by NG
DA & User Function Migration Not a Pre-Requisite
Application Vs. User Migration
Part 2
Delegated Admin & User Account SelfService Functions Migrated in Separate
Phased Approach
Migrated Users Must Re-Select Challenge
Questions & Provide Answers
Upon Migration, DA’s Will Provision New
User Accounts
Groups Change to Roles
User Accounts Assigned Roles
Very
little difference in Point-and-Click
Instead of belonging to “My App Users” group, users
will be assigned the “My App Users” role.
Different Technology on the NCID back-end
Roles
Grant Access to Resources
Resources Represent Applications
Functions remain the same for Model 1
authorization and for Model 2 synchronization
Questions & Answers
Chat Questions- noted during presentation
Open Question period
Future Webinar Planned for Delegated Admin
Functions
Additional Documentation & Training Will be
Provided on the NCID Website at
https://www.ncid.its.state.nc.us/TrainingAndDocu
mentation.asp
Submit Remedy Service Request With Additional
Questions- [email protected]
Slide 3
ITS NCID
Next Generation (NG)
Project Overview
April 21, 2010
Agenda
Welcome & Introductions
App Admin Migration Tasks
Reverse Proxy Overview/Details
Web Services/WSDL Details
Model 2 Integration
User DN Changes
Application Vs. User Migration
Roles & Resources
Q&A
App Admin Migration Tasks
All Models
Change Firewall Rules
Functional & Load Testing
Model 1
Very
Important! Protect Web App From Non-Proxy
Access – Typically with Firewall Rules
Move Public Facing SSL Certs
Change Public DNS Settings
Web Services
Request
Creation of Application Service Account
Reverse Proxy Overview
NCID Current Model-1
Public SSL Cert
& DNS Entry
Web Application
WebGate
Oracle API
SSL 1
Oracle Access Service
SSL 2
User Authentication
Redirect
NCID NG Model-1
Private(SelfSigned) SSL Cert
& DNS Entry
Public SSL Cert
Public DNS
Entry
SSL1
Load
Balancer
Reverse Proxy
SSL1
Web Application
SSL3
SSL 2
User Authentication
Redirect
SS
L2
Novell IDP Server
Model 1 NG Migration Changes
NCID NG Model 1 –
Migration Changes
Very Important!
Firewall Rules Required to
Prevent Non-Proxy Access
User Access
1. Implement Firewall
Rules Limiting Access
to Only the Proxy
2. Disable WebGate
Web Application
Reverse Proxy
1
WebGate
Oracle API
1
1. Public SSL Cert Moved to
Proxy.
2. Public DNS Entry Moved
to Load Balancer
3. Private SSL Cert Installed
on App/Web Server
Load
Balancer
2
Public SSL Cert
Web Application
Reverse Proxy
SSL 1
SSL 1
2
SSL 3
Public DNS
Entry
3
Private SSL
Cert
Model 1 – NCID NG End State
NCID NG Model 1
Private ( SelfSigned ) SSL Cert
& DNS Entry
Public SSL Cert
Public DNS
Entry
Load
Balancer
SSL 1
Reverse Proxy
Web Application
SSL 3
SSL 1
SSL 2
User Authentication
Redirect
SS
L2
Novell IDP Server
NCID NG – Web Services
Web Services Methods Available
Validate User Login Credentials
Check & Modify Group Membership
User Search & View Using Search Criteria
Search for Agencies, Divisions, Sections Using Search Criteria
Web Services Documentation https://www.ncid.its.state.nc.us/TrainingAndDocumentation.asp
XML Request
XML
Response
NCID NG WebServices
NCID NG
WSDL
Application Server
Identity
Vault
Web Service Call Detail
Web Service Call
Application
Web Server
Account
1. Authentication Request
2. Request WSDL
Load
Balancer
`
WSDL
End User
4. Retrieve WSDL
3. Redirect
Request
WSDL
5. Web Service Call
WSDL
IDP Server
IDP Server
Web Services
Model 2 Integration
Typical Attributes Synchronized
AD
·
·
·
·
userPrincipalName, saMAccountName
GUID
password
userAccountControl
Typical Events Monitored
NCID
AD
·
·
·
·
Group Membership
Account Disabled
Change Password
Account Disabled
Resources/Roles (NG)
Account Lock
Change password
Account Expiration
IDM Driver
NCID NG Identity Directory
Agency LDAP
Directory
Agency Web/App
Server
User Relative DN Changes
GUIDs Remain the Same
Relative DN pretext changes
Current RDN:
Examples:
Examples:
(State)
(External)
cn=User-guid,ou=Internal,ou=People,dc=NC
cn=User-guid,ou=Local Government,ou=External,ou=People,dc=NC
cn=User-guid,ou=Business Users,ou=External,ou=People,dc=NC
cn=User-guid,ou=Individuals,ou=External,ou=People,dc=NC
NG RDN:
(Internal)
(External)
cn=User-guid,ou=State,ou=Internal,ou=People,o=NC
cn=User-guid,ou=Local,ou=Internal,ou=People,o=NC
cn=User-guid,ou=Business,ou=External,ou=People,o=NC
cn=User-guid,ou=Individual,ou=External,ou=People,o=NC
Application Vs. User Migration
Part 1
All User Accounts Continuously Synchronized
between NG & Current NCID
Application Migration Independent of Delegated
Admin & User Account Self-Service Functions
Phased Migration of Applications
Migrated Application
Integrates with NG
Migrated Application Authenticated by NG
DA & User Function Migration Not a Pre-Requisite
Application Vs. User Migration
Part 2
Delegated Admin & User Account SelfService Functions Migrated in Separate
Phased Approach
Migrated Users Must Re-Select Challenge
Questions & Provide Answers
Upon Migration, DA’s Will Provision New
User Accounts
Groups Change to Roles
User Accounts Assigned Roles
Very
little difference in Point-and-Click
Instead of belonging to “My App Users” group, users
will be assigned the “My App Users” role.
Different Technology on the NCID back-end
Roles
Grant Access to Resources
Resources Represent Applications
Functions remain the same for Model 1
authorization and for Model 2 synchronization
Questions & Answers
Chat Questions- noted during presentation
Open Question period
Future Webinar Planned for Delegated Admin
Functions
Additional Documentation & Training Will be
Provided on the NCID Website at
https://www.ncid.its.state.nc.us/TrainingAndDocu
mentation.asp
Submit Remedy Service Request With Additional
Questions- [email protected]
Slide 4
ITS NCID
Next Generation (NG)
Project Overview
April 21, 2010
Agenda
Welcome & Introductions
App Admin Migration Tasks
Reverse Proxy Overview/Details
Web Services/WSDL Details
Model 2 Integration
User DN Changes
Application Vs. User Migration
Roles & Resources
Q&A
App Admin Migration Tasks
All Models
Change Firewall Rules
Functional & Load Testing
Model 1
Very
Important! Protect Web App From Non-Proxy
Access – Typically with Firewall Rules
Move Public Facing SSL Certs
Change Public DNS Settings
Web Services
Request
Creation of Application Service Account
Reverse Proxy Overview
NCID Current Model-1
Public SSL Cert
& DNS Entry
Web Application
WebGate
Oracle API
SSL 1
Oracle Access Service
SSL 2
User Authentication
Redirect
NCID NG Model-1
Private(SelfSigned) SSL Cert
& DNS Entry
Public SSL Cert
Public DNS
Entry
SSL1
Load
Balancer
Reverse Proxy
SSL1
Web Application
SSL3
SSL 2
User Authentication
Redirect
SS
L2
Novell IDP Server
Model 1 NG Migration Changes
NCID NG Model 1 –
Migration Changes
Very Important!
Firewall Rules Required to
Prevent Non-Proxy Access
User Access
1. Implement Firewall
Rules Limiting Access
to Only the Proxy
2. Disable WebGate
Web Application
Reverse Proxy
1
WebGate
Oracle API
1
1. Public SSL Cert Moved to
Proxy.
2. Public DNS Entry Moved
to Load Balancer
3. Private SSL Cert Installed
on App/Web Server
Load
Balancer
2
Public SSL Cert
Web Application
Reverse Proxy
SSL 1
SSL 1
2
SSL 3
Public DNS
Entry
3
Private SSL
Cert
Model 1 – NCID NG End State
NCID NG Model 1
Private ( SelfSigned ) SSL Cert
& DNS Entry
Public SSL Cert
Public DNS
Entry
Load
Balancer
SSL 1
Reverse Proxy
Web Application
SSL 3
SSL 1
SSL 2
User Authentication
Redirect
SS
L2
Novell IDP Server
NCID NG – Web Services
Web Services Methods Available
Validate User Login Credentials
Check & Modify Group Membership
User Search & View Using Search Criteria
Search for Agencies, Divisions, Sections Using Search Criteria
Web Services Documentation https://www.ncid.its.state.nc.us/TrainingAndDocumentation.asp
XML Request
XML
Response
NCID NG WebServices
NCID NG
WSDL
Application Server
Identity
Vault
Web Service Call Detail
Web Service Call
Application
Web Server
Account
1. Authentication Request
2. Request WSDL
Load
Balancer
`
WSDL
End User
4. Retrieve WSDL
3. Redirect
Request
WSDL
5. Web Service Call
WSDL
IDP Server
IDP Server
Web Services
Model 2 Integration
Typical Attributes Synchronized
AD
·
·
·
·
userPrincipalName, saMAccountName
GUID
password
userAccountControl
Typical Events Monitored
NCID
AD
·
·
·
·
Group Membership
Account Disabled
Change Password
Account Disabled
Resources/Roles (NG)
Account Lock
Change password
Account Expiration
IDM Driver
NCID NG Identity Directory
Agency LDAP
Directory
Agency Web/App
Server
User Relative DN Changes
GUIDs Remain the Same
Relative DN pretext changes
Current RDN:
Examples:
Examples:
(State)
(External)
cn=User-guid,ou=Internal,ou=People,dc=NC
cn=User-guid,ou=Local Government,ou=External,ou=People,dc=NC
cn=User-guid,ou=Business Users,ou=External,ou=People,dc=NC
cn=User-guid,ou=Individuals,ou=External,ou=People,dc=NC
NG RDN:
(Internal)
(External)
cn=User-guid,ou=State,ou=Internal,ou=People,o=NC
cn=User-guid,ou=Local,ou=Internal,ou=People,o=NC
cn=User-guid,ou=Business,ou=External,ou=People,o=NC
cn=User-guid,ou=Individual,ou=External,ou=People,o=NC
Application Vs. User Migration
Part 1
All User Accounts Continuously Synchronized
between NG & Current NCID
Application Migration Independent of Delegated
Admin & User Account Self-Service Functions
Phased Migration of Applications
Migrated Application
Integrates with NG
Migrated Application Authenticated by NG
DA & User Function Migration Not a Pre-Requisite
Application Vs. User Migration
Part 2
Delegated Admin & User Account SelfService Functions Migrated in Separate
Phased Approach
Migrated Users Must Re-Select Challenge
Questions & Provide Answers
Upon Migration, DA’s Will Provision New
User Accounts
Groups Change to Roles
User Accounts Assigned Roles
Very
little difference in Point-and-Click
Instead of belonging to “My App Users” group, users
will be assigned the “My App Users” role.
Different Technology on the NCID back-end
Roles
Grant Access to Resources
Resources Represent Applications
Functions remain the same for Model 1
authorization and for Model 2 synchronization
Questions & Answers
Chat Questions- noted during presentation
Open Question period
Future Webinar Planned for Delegated Admin
Functions
Additional Documentation & Training Will be
Provided on the NCID Website at
https://www.ncid.its.state.nc.us/TrainingAndDocu
mentation.asp
Submit Remedy Service Request With Additional
Questions- [email protected]
Slide 5
ITS NCID
Next Generation (NG)
Project Overview
April 21, 2010
Agenda
Welcome & Introductions
App Admin Migration Tasks
Reverse Proxy Overview/Details
Web Services/WSDL Details
Model 2 Integration
User DN Changes
Application Vs. User Migration
Roles & Resources
Q&A
App Admin Migration Tasks
All Models
Change Firewall Rules
Functional & Load Testing
Model 1
Very
Important! Protect Web App From Non-Proxy
Access – Typically with Firewall Rules
Move Public Facing SSL Certs
Change Public DNS Settings
Web Services
Request
Creation of Application Service Account
Reverse Proxy Overview
NCID Current Model-1
Public SSL Cert
& DNS Entry
Web Application
WebGate
Oracle API
SSL 1
Oracle Access Service
SSL 2
User Authentication
Redirect
NCID NG Model-1
Private(SelfSigned) SSL Cert
& DNS Entry
Public SSL Cert
Public DNS
Entry
SSL1
Load
Balancer
Reverse Proxy
SSL1
Web Application
SSL3
SSL 2
User Authentication
Redirect
SS
L2
Novell IDP Server
Model 1 NG Migration Changes
NCID NG Model 1 –
Migration Changes
Very Important!
Firewall Rules Required to
Prevent Non-Proxy Access
User Access
1. Implement Firewall
Rules Limiting Access
to Only the Proxy
2. Disable WebGate
Web Application
Reverse Proxy
1
WebGate
Oracle API
1
1. Public SSL Cert Moved to
Proxy.
2. Public DNS Entry Moved
to Load Balancer
3. Private SSL Cert Installed
on App/Web Server
Load
Balancer
2
Public SSL Cert
Web Application
Reverse Proxy
SSL 1
SSL 1
2
SSL 3
Public DNS
Entry
3
Private SSL
Cert
Model 1 – NCID NG End State
NCID NG Model 1
Private ( SelfSigned ) SSL Cert
& DNS Entry
Public SSL Cert
Public DNS
Entry
Load
Balancer
SSL 1
Reverse Proxy
Web Application
SSL 3
SSL 1
SSL 2
User Authentication
Redirect
SS
L2
Novell IDP Server
NCID NG – Web Services
Web Services Methods Available
Validate User Login Credentials
Check & Modify Group Membership
User Search & View Using Search Criteria
Search for Agencies, Divisions, Sections Using Search Criteria
Web Services Documentation https://www.ncid.its.state.nc.us/TrainingAndDocumentation.asp
XML Request
XML
Response
NCID NG WebServices
NCID NG
WSDL
Application Server
Identity
Vault
Web Service Call Detail
Web Service Call
Application
Web Server
Account
1. Authentication Request
2. Request WSDL
Load
Balancer
`
WSDL
End User
4. Retrieve WSDL
3. Redirect
Request
WSDL
5. Web Service Call
WSDL
IDP Server
IDP Server
Web Services
Model 2 Integration
Typical Attributes Synchronized
AD
·
·
·
·
userPrincipalName, saMAccountName
GUID
password
userAccountControl
Typical Events Monitored
NCID
AD
·
·
·
·
Group Membership
Account Disabled
Change Password
Account Disabled
Resources/Roles (NG)
Account Lock
Change password
Account Expiration
IDM Driver
NCID NG Identity Directory
Agency LDAP
Directory
Agency Web/App
Server
User Relative DN Changes
GUIDs Remain the Same
Relative DN pretext changes
Current RDN:
Examples:
Examples:
(State)
(External)
cn=User-guid,ou=Internal,ou=People,dc=NC
cn=User-guid,ou=Local Government,ou=External,ou=People,dc=NC
cn=User-guid,ou=Business Users,ou=External,ou=People,dc=NC
cn=User-guid,ou=Individuals,ou=External,ou=People,dc=NC
NG RDN:
(Internal)
(External)
cn=User-guid,ou=State,ou=Internal,ou=People,o=NC
cn=User-guid,ou=Local,ou=Internal,ou=People,o=NC
cn=User-guid,ou=Business,ou=External,ou=People,o=NC
cn=User-guid,ou=Individual,ou=External,ou=People,o=NC
Application Vs. User Migration
Part 1
All User Accounts Continuously Synchronized
between NG & Current NCID
Application Migration Independent of Delegated
Admin & User Account Self-Service Functions
Phased Migration of Applications
Migrated Application
Integrates with NG
Migrated Application Authenticated by NG
DA & User Function Migration Not a Pre-Requisite
Application Vs. User Migration
Part 2
Delegated Admin & User Account SelfService Functions Migrated in Separate
Phased Approach
Migrated Users Must Re-Select Challenge
Questions & Provide Answers
Upon Migration, DA’s Will Provision New
User Accounts
Groups Change to Roles
User Accounts Assigned Roles
Very
little difference in Point-and-Click
Instead of belonging to “My App Users” group, users
will be assigned the “My App Users” role.
Different Technology on the NCID back-end
Roles
Grant Access to Resources
Resources Represent Applications
Functions remain the same for Model 1
authorization and for Model 2 synchronization
Questions & Answers
Chat Questions- noted during presentation
Open Question period
Future Webinar Planned for Delegated Admin
Functions
Additional Documentation & Training Will be
Provided on the NCID Website at
https://www.ncid.its.state.nc.us/TrainingAndDocu
mentation.asp
Submit Remedy Service Request With Additional
Questions- [email protected]
Slide 6
ITS NCID
Next Generation (NG)
Project Overview
April 21, 2010
Agenda
Welcome & Introductions
App Admin Migration Tasks
Reverse Proxy Overview/Details
Web Services/WSDL Details
Model 2 Integration
User DN Changes
Application Vs. User Migration
Roles & Resources
Q&A
App Admin Migration Tasks
All Models
Change Firewall Rules
Functional & Load Testing
Model 1
Very
Important! Protect Web App From Non-Proxy
Access – Typically with Firewall Rules
Move Public Facing SSL Certs
Change Public DNS Settings
Web Services
Request
Creation of Application Service Account
Reverse Proxy Overview
NCID Current Model-1
Public SSL Cert
& DNS Entry
Web Application
WebGate
Oracle API
SSL 1
Oracle Access Service
SSL 2
User Authentication
Redirect
NCID NG Model-1
Private(SelfSigned) SSL Cert
& DNS Entry
Public SSL Cert
Public DNS
Entry
SSL1
Load
Balancer
Reverse Proxy
SSL1
Web Application
SSL3
SSL 2
User Authentication
Redirect
SS
L2
Novell IDP Server
Model 1 NG Migration Changes
NCID NG Model 1 –
Migration Changes
Very Important!
Firewall Rules Required to
Prevent Non-Proxy Access
User Access
1. Implement Firewall
Rules Limiting Access
to Only the Proxy
2. Disable WebGate
Web Application
Reverse Proxy
1
WebGate
Oracle API
1
1. Public SSL Cert Moved to
Proxy.
2. Public DNS Entry Moved
to Load Balancer
3. Private SSL Cert Installed
on App/Web Server
Load
Balancer
2
Public SSL Cert
Web Application
Reverse Proxy
SSL 1
SSL 1
2
SSL 3
Public DNS
Entry
3
Private SSL
Cert
Model 1 – NCID NG End State
NCID NG Model 1
Private ( SelfSigned ) SSL Cert
& DNS Entry
Public SSL Cert
Public DNS
Entry
Load
Balancer
SSL 1
Reverse Proxy
Web Application
SSL 3
SSL 1
SSL 2
User Authentication
Redirect
SS
L2
Novell IDP Server
NCID NG – Web Services
Web Services Methods Available
Validate User Login Credentials
Check & Modify Group Membership
User Search & View Using Search Criteria
Search for Agencies, Divisions, Sections Using Search Criteria
Web Services Documentation https://www.ncid.its.state.nc.us/TrainingAndDocumentation.asp
XML Request
XML
Response
NCID NG WebServices
NCID NG
WSDL
Application Server
Identity
Vault
Web Service Call Detail
Web Service Call
Application
Web Server
Account
1. Authentication Request
2. Request WSDL
Load
Balancer
`
WSDL
End User
4. Retrieve WSDL
3. Redirect
Request
WSDL
5. Web Service Call
WSDL
IDP Server
IDP Server
Web Services
Model 2 Integration
Typical Attributes Synchronized
AD
·
·
·
·
userPrincipalName, saMAccountName
GUID
password
userAccountControl
Typical Events Monitored
NCID
AD
·
·
·
·
Group Membership
Account Disabled
Change Password
Account Disabled
Resources/Roles (NG)
Account Lock
Change password
Account Expiration
IDM Driver
NCID NG Identity Directory
Agency LDAP
Directory
Agency Web/App
Server
User Relative DN Changes
GUIDs Remain the Same
Relative DN pretext changes
Current RDN:
Examples:
Examples:
(State)
(External)
cn=User-guid,ou=Internal,ou=People,dc=NC
cn=User-guid,ou=Local Government,ou=External,ou=People,dc=NC
cn=User-guid,ou=Business Users,ou=External,ou=People,dc=NC
cn=User-guid,ou=Individuals,ou=External,ou=People,dc=NC
NG RDN:
(Internal)
(External)
cn=User-guid,ou=State,ou=Internal,ou=People,o=NC
cn=User-guid,ou=Local,ou=Internal,ou=People,o=NC
cn=User-guid,ou=Business,ou=External,ou=People,o=NC
cn=User-guid,ou=Individual,ou=External,ou=People,o=NC
Application Vs. User Migration
Part 1
All User Accounts Continuously Synchronized
between NG & Current NCID
Application Migration Independent of Delegated
Admin & User Account Self-Service Functions
Phased Migration of Applications
Migrated Application
Integrates with NG
Migrated Application Authenticated by NG
DA & User Function Migration Not a Pre-Requisite
Application Vs. User Migration
Part 2
Delegated Admin & User Account SelfService Functions Migrated in Separate
Phased Approach
Migrated Users Must Re-Select Challenge
Questions & Provide Answers
Upon Migration, DA’s Will Provision New
User Accounts
Groups Change to Roles
User Accounts Assigned Roles
Very
little difference in Point-and-Click
Instead of belonging to “My App Users” group, users
will be assigned the “My App Users” role.
Different Technology on the NCID back-end
Roles
Grant Access to Resources
Resources Represent Applications
Functions remain the same for Model 1
authorization and for Model 2 synchronization
Questions & Answers
Chat Questions- noted during presentation
Open Question period
Future Webinar Planned for Delegated Admin
Functions
Additional Documentation & Training Will be
Provided on the NCID Website at
https://www.ncid.its.state.nc.us/TrainingAndDocu
mentation.asp
Submit Remedy Service Request With Additional
Questions- [email protected]
Slide 7
ITS NCID
Next Generation (NG)
Project Overview
April 21, 2010
Agenda
Welcome & Introductions
App Admin Migration Tasks
Reverse Proxy Overview/Details
Web Services/WSDL Details
Model 2 Integration
User DN Changes
Application Vs. User Migration
Roles & Resources
Q&A
App Admin Migration Tasks
All Models
Change Firewall Rules
Functional & Load Testing
Model 1
Very
Important! Protect Web App From Non-Proxy
Access – Typically with Firewall Rules
Move Public Facing SSL Certs
Change Public DNS Settings
Web Services
Request
Creation of Application Service Account
Reverse Proxy Overview
NCID Current Model-1
Public SSL Cert
& DNS Entry
Web Application
WebGate
Oracle API
SSL 1
Oracle Access Service
SSL 2
User Authentication
Redirect
NCID NG Model-1
Private(SelfSigned) SSL Cert
& DNS Entry
Public SSL Cert
Public DNS
Entry
SSL1
Load
Balancer
Reverse Proxy
SSL1
Web Application
SSL3
SSL 2
User Authentication
Redirect
SS
L2
Novell IDP Server
Model 1 NG Migration Changes
NCID NG Model 1 –
Migration Changes
Very Important!
Firewall Rules Required to
Prevent Non-Proxy Access
User Access
1. Implement Firewall
Rules Limiting Access
to Only the Proxy
2. Disable WebGate
Web Application
Reverse Proxy
1
WebGate
Oracle API
1
1. Public SSL Cert Moved to
Proxy.
2. Public DNS Entry Moved
to Load Balancer
3. Private SSL Cert Installed
on App/Web Server
Load
Balancer
2
Public SSL Cert
Web Application
Reverse Proxy
SSL 1
SSL 1
2
SSL 3
Public DNS
Entry
3
Private SSL
Cert
Model 1 – NCID NG End State
NCID NG Model 1
Private ( SelfSigned ) SSL Cert
& DNS Entry
Public SSL Cert
Public DNS
Entry
Load
Balancer
SSL 1
Reverse Proxy
Web Application
SSL 3
SSL 1
SSL 2
User Authentication
Redirect
SS
L2
Novell IDP Server
NCID NG – Web Services
Web Services Methods Available
Validate User Login Credentials
Check & Modify Group Membership
User Search & View Using Search Criteria
Search for Agencies, Divisions, Sections Using Search Criteria
Web Services Documentation https://www.ncid.its.state.nc.us/TrainingAndDocumentation.asp
XML Request
XML
Response
NCID NG WebServices
NCID NG
WSDL
Application Server
Identity
Vault
Web Service Call Detail (diagram)
Participants: End User, Application Web Server (with its Application Service Account), Load Balancer, IDP Server, Web Services (WSDL)
1. Authentication Request
2. Request WSDL
3. Redirect Request (WSDL)
4. Retrieve WSDL
5. Web Service Call
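Steps 2 to 4 retrieve the WSDL and step 5 calls whatever endpoint that WSDL advertises, so an application using its service account should inspect the document before trusting it. The script below is an added example, not NCID code: it lists the operations a WSDL offers and checks that every soap:address is HTTPS, carries no embedded credentials and names a host the application has agreed to call. The embedded WSDL, its operation names and the host ws.example.invalid are constructed for the example and are not the NCID NG WSDL.

```python
"""Inspect a retrieved WSDL before making the web service call: enumerate the
operations it offers and verify the endpoint it points at."""
from __future__ import annotations

import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "wsdl": "http://schemas.xmlsoap.org/wsdl/",
    "soap": "http://schemas.xmlsoap.org/wsdl/soap/",
}

# Constructed WSDL for this example. The operation names and the service
# location are hypothetical; they are not taken from the NCID NG WSDL.
SAMPLE_WSDL = """<definitions name="IdentityService"
             targetNamespace="urn:example:identity"
             xmlns="http://schemas.xmlsoap.org/wsdl/"
             xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
             xmlns:tns="urn:example:identity">
  <portType name="IdentityPortType">
    <operation name="ValidateCredentials"/>
    <operation name="GetGroupMembership"/>
    <operation name="SearchUsers"/>
  </portType>
  <binding name="IdentityBinding" type="tns:IdentityPortType">
    <soap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/>
  </binding>
  <service name="IdentityService">
    <port name="IdentityPort" binding="tns:IdentityBinding">
      <soap:address location="https://ws.example.invalid/identity"/>
    </port>
  </service>
</definitions>
"""


def parse_wsdl(wsdl_text: str) -> ET.Element:
    # xml.etree does not fetch external entities; for documents retrieved from
    # the network, defusedxml.ElementTree.fromstring is the conservative choice.
    return ET.fromstring(wsdl_text)


def list_operations(wsdl_text: str) -> list[str]:
    """Operation names declared in the portType."""
    root = parse_wsdl(wsdl_text)
    return [op.get("name") for op in root.findall("wsdl:portType/wsdl:operation", NS)]


def endpoint_locations(wsdl_text: str) -> list[str]:
    """Every soap:address location the WSDL would have the client call."""
    root = parse_wsdl(wsdl_text)
    return [addr.get("location") for addr in root.findall(".//soap:address", NS)]


def check_endpoint(location: str, allowed_hosts: set[str]) -> tuple[bool, str]:
    """Accept the endpoint only if it is HTTPS, has no userinfo and names an
    agreed host. A WSDL obtained after a redirect could otherwise steer the
    service account's calls (and credentials) to an unexpected server."""
    url = urlparse(location)
    if url.scheme != "https":
        return False, f"scheme is {url.scheme!r}, expected https"
    if url.username or url.password:
        return False, "userinfo in endpoint URL"
    if url.hostname not in allowed_hosts:
        return False, f"host {url.hostname!r} not in allow-list"
    return True, "ok"


def vet_wsdl(wsdl_text: str, allowed_hosts: set[str]) -> dict:
    """Summarise what the WSDL offers and whether every endpoint passes the check."""
    results = {loc: check_endpoint(loc, allowed_hosts) for loc in endpoint_locations(wsdl_text)}
    return {
        "operations": list_operations(wsdl_text),
        "endpoints": results,
        "safe_to_call": bool(results) and all(ok for ok, _ in results.values()),
    }


if __name__ == "__main__":
    print(vet_wsdl(SAMPLE_WSDL, {"ws.example.invalid"}))
```

Pinning the allowed host list in the application's own configuration, rather than taking it from the WSDL, is what makes the check meaningful: the WSDL is data fetched at runtime, and the service account's credentials should only ever be sent to the hosts the application administrator approved.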
Model 2 Integration
Typical Attributes Synchronized (AD)
userPrincipalName, sAMAccountName
GUID
password
userAccountControl
Typical Events Monitored
NCID: Group Membership, Account Disabled, Change Password, Resources/Roles (NG)
AD: Account Disabled, Account Lock, Change Password, Account Expiration
(Diagram: the IDM Driver synchronizes the NCID NG Identity Directory with the Agency LDAP Directory used by the Agency Web/App Server)
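The events listed above are derived from the synchronized AD attributes. As an added example (not the IDM driver's own logic), the script below decodes the documented userAccountControl bits and names the monitored events by comparing two snapshots of one user, joined on the GUID. The snapshot values are constructed and the account jdoe is fictitious. One caveat it encodes: AD does not maintain the LOCKOUT bit inside userAccountControl, so lockouts have to be read from lockoutTime.

```python
"""Derive the account events a Model 2 synchronization driver reacts to from
two snapshots of the AD attributes it synchronizes."""
from __future__ import annotations

# Documented userAccountControl bits (ADS_USER_FLAG_ENUM).
ACCOUNTDISABLE = 0x0002
LOCKOUT = 0x0010             # defined, but AD does not keep this bit current: use lockoutTime
PASSWD_NOTREQD = 0x0020
NORMAL_ACCOUNT = 0x0200
DONT_EXPIRE_PASSWORD = 0x10000
PASSWORD_EXPIRED = 0x800000  # only surfaced via msDS-User-Account-Control-Computed

UAC_NAMES = {
    ACCOUNTDISABLE: "ACCOUNTDISABLE",
    LOCKOUT: "LOCKOUT",
    PASSWD_NOTREQD: "PASSWD_NOTREQD",
    NORMAL_ACCOUNT: "NORMAL_ACCOUNT",
    DONT_EXPIRE_PASSWORD: "DONT_EXPIRE_PASSWORD",
    PASSWORD_EXPIRED: "PASSWORD_EXPIRED",
}

NEVER_EXPIRES = {0, 0x7FFFFFFFFFFFFFFF}  # accountExpires values that mean "never"


def uac_flags(uac: int) -> list[str]:
    """Names of the known bits set in a userAccountControl value."""
    return [name for bit, name in UAC_NAMES.items() if uac & bit]


def is_disabled(entry: dict) -> bool:
    return bool(int(entry.get("userAccountControl", 0)) & ACCOUNTDISABLE)


def is_locked(entry: dict) -> bool:
    # AD records a lockout in lockoutTime (non-zero FILETIME), not in userAccountControl.
    return int(entry.get("lockoutTime", 0)) != 0


def account_events(before: dict, after: dict) -> list[str]:
    """Compare two snapshots of one AD user and name the events the driver would propagate."""
    if before["objectGUID"] != after["objectGUID"]:
        raise ValueError("snapshots describe different objects; join on objectGUID, not on DN or name")
    events = []
    if is_disabled(after) and not is_disabled(before):
        events.append("Account Disabled")
    elif is_disabled(before) and not is_disabled(after):
        events.append("Account Enabled")
    if is_locked(after) and not is_locked(before):
        events.append("Account Lock")
    elif is_locked(before) and not is_locked(after):
        events.append("Account Unlock")
    # pwdLastSet changes whenever the password is set; 0 means "must change at next logon".
    if after.get("pwdLastSet") != before.get("pwdLastSet"):
        events.append("Change Password")
    exp_before = int(before.get("accountExpires", 0))
    exp_after = int(after.get("accountExpires", 0))
    if exp_after != exp_before and exp_after not in NEVER_EXPIRES:
        events.append("Account Expiration")
    return events


# Constructed snapshots (FILETIME values are illustrative, not real timestamps).
SNAPSHOT_BEFORE = {
    "objectGUID": "8f9c7a6e-1111-4d2e-9c3b-0123456789ab",
    "sAMAccountName": "jdoe",
    "userPrincipalName": "jdoe@agency.example",
    "userAccountControl": NORMAL_ACCOUNT,
    "pwdLastSet": 132000000000000000,
    "lockoutTime": 0,
    "accountExpires": 0x7FFFFFFFFFFFFFFF,
}
SNAPSHOT_AFTER = dict(
    SNAPSHOT_BEFORE,
    userAccountControl=NORMAL_ACCOUNT | ACCOUNTDISABLE,
    lockoutTime=132000001000000000,
    pwdLastSet=132000002000000000,
)

if __name__ == "__main__":
    print(uac_flags(SNAPSHOT_AFTER["userAccountControl"]))
    print(account_events(SNAPSHOT_BEFORE, SNAPSHOT_AFTER))
```

Because the password itself is synchronized, the driver only needs pwdLastSet to notice that a change happened; the value never leaves the directory through this comparison.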
User Relative DN Changes
GUIDs Remain the Same
The user's own RDN (cn=User-guid) does not change; the parent containers and the base (dc=NC becomes o=NC) do
Current DN
(State) cn=User-guid,ou=Internal,ou=People,dc=NC
(External) cn=User-guid,ou=Local Government,ou=External,ou=People,dc=NC
(External) cn=User-guid,ou=Business Users,ou=External,ou=People,dc=NC
(External) cn=User-guid,ou=Individuals,ou=External,ou=People,dc=NC
NG DN
(Internal) cn=User-guid,ou=State,ou=Internal,ou=People,o=NC
(Internal) cn=User-guid,ou=Local,ou=Internal,ou=People,o=NC
(External) cn=User-guid,ou=Business,ou=External,ou=People,o=NC
(External) cn=User-guid,ou=Individual,ou=External,ou=People,o=NC
Note that Local Government users move from ou=External to ou=Internal
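Applications that stored full user DNs will need to translate them. The function below is an added example, not an NCID deliverable; it implements the four container mappings from the slide, keeps the cn=<GUID> RDN unchanged and rejects anything it cannot map rather than guessing. The sample DNs use the slide's placeholder User-guid. Keying application records on the GUID instead of the DN, which the slide's "GUIDs Remain the Same" points to, avoids the translation altogether.

```python
"""Translate a current NCID user DN to its NCID NG DN.  The user's own RDN
(cn=<GUID>) is kept; only the container path and the base change."""
from __future__ import annotations

# Parent-container mapping taken from the slide (current -> NG), keys normalized to lower case.
CONTAINER_MAP = {
    "ou=internal,ou=people,dc=nc": "ou=State,ou=Internal,ou=People,o=NC",
    "ou=local government,ou=external,ou=people,dc=nc": "ou=Local,ou=Internal,ou=People,o=NC",
    "ou=business users,ou=external,ou=people,dc=nc": "ou=Business,ou=External,ou=People,o=NC",
    "ou=individuals,ou=external,ou=people,dc=nc": "ou=Individual,ou=External,ou=People,o=NC",
}


def split_dn(dn: str) -> list[str]:
    """Split a DN into RDN strings on unescaped commas (RFC 4514 escapes with a backslash)."""
    rdns, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    rdns.append("".join(current).strip())
    return rdns


def normalize_rdn(rdn: str) -> str:
    """Lower-case attribute type and value; ou and dc match case-insensitively in LDAP."""
    attr, sep, value = rdn.partition("=")
    if not sep:
        raise ValueError(f"malformed RDN: {rdn!r}")
    return f"{attr.strip().lower()}={value.strip().lower()}"


def to_ng_dn(current_dn: str) -> str:
    """Return the NG DN for a current NCID user DN, or raise if the container is unknown."""
    rdns = split_dn(current_dn)
    if len(rdns) < 2 or not rdns[0].lower().startswith("cn="):
        raise ValueError(f"not a user DN: {current_dn!r}")
    leaf = rdns[0]                                   # cn=<GUID>, carried over unchanged
    parent = ",".join(normalize_rdn(r) for r in rdns[1:])
    try:
        return f"{leaf},{CONTAINER_MAP[parent]}"
    except KeyError:
        raise KeyError(f"no NG container mapping for {parent!r}") from None


def guid_of(dn: str) -> str:
    """The value of the leading cn= RDN, i.e. the stable key to store instead of the DN."""
    return split_dn(dn)[0].partition("=")[2]


if __name__ == "__main__":
    for dn in (
        "cn=User-guid,ou=Internal,ou=People,dc=NC",
        "cn=User-guid,ou=Local Government,ou=External,ou=People,dc=NC",
    ):
        print(dn, "->", to_ng_dn(dn))
```

The Local Government case is the one to watch: any authorization rule written as "DN contains ou=External" will silently stop matching those users after migration, which is a second reason to authorize on roles or GUIDs rather than on DN substrings.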
Application Vs. User Migration – Part 1
All User Accounts Continuously Synchronized between NG & Current NCID
Application Migration Independent of Delegated Admin & User Account Self-Service Functions
Phased Migration of Applications
Migrated Application Integrates with NG
Migrated Application Authenticated by NG
DA & User Function Migration Not a Pre-Requisite
Application Vs. User Migration – Part 2
Delegated Admin & User Account Self-Service Functions Migrated in Separate Phased Approach
Migrated Users Must Re-Select Challenge Questions & Provide Answers
Upon Migration, DAs Will Provision New User Accounts
Groups Change to Roles
User Accounts Assigned Roles
Very little difference in Point-and-Click
Instead of belonging to “My App Users” group, users will be assigned the “My App Users” role.
Different Technology on the NCID back-end
Roles Grant Access to Resources
Resources Represent Applications
Functions remain the same for Model 1 authorization and for Model 2 synchronization
Questions & Answers
Chat Questions noted during presentation
Open Question period
Future Webinar Planned for Delegated Admin Functions
Additional Documentation & Training Will be Provided on the NCID Website at https://www.ncid.its.state.nc.us/TrainingAndDocumentation.asp
Submit Remedy Service Request With Additional Questions: [email protected]
Phased Migration of Applications
Migrated Application
Integrates with NG
Migrated Application Authenticated by NG
DA & User Function Migration Not a Pre-Requisite
Application Vs. User Migration
Part 2
Delegated Admin & User Account SelfService Functions Migrated in Separate
Phased Approach
Migrated Users Must Re-Select Challenge
Questions & Provide Answers
Upon Migration, DA’s Will Provision New
User Accounts
Groups Change to Roles
User Accounts Assigned Roles
Very
little difference in Point-and-Click
Instead of belonging to “My App Users” group, users
will be assigned the “My App Users” role.
Different Technology on the NCID back-end
Roles
Grant Access to Resources
Resources Represent Applications
Functions remain the same for Model 1
authorization and for Model 2 synchronization
Questions & Answers
Chat Questions- noted during presentation
Open Question period
Future Webinar Planned for Delegated Admin
Functions
Additional Documentation & Training Will be
Provided on the NCID Website at
https://www.ncid.its.state.nc.us/TrainingAndDocu
mentation.asp
Submit Remedy Service Request With Additional
Questions- [email protected]