CAP Federated Authentication, 2016 Edition

Started by Nick, August 07, 2016, 04:44:30 AM


Nick

So we are coming up on about 10 years since Nin broached this subject:

Quote: BTW, I did hear back from Michelle, and the long and the short of it is that there is no external authentication of any sort, in part, due to concerns about information security with the auditors, etc.  There is a worry (and I think its relatively accurate) about passing password data back and forth during LDAP queries.

They do have some things "in the hopper" down there, however, but the event horizon is quite long.

Apparently the question at the time about exactly how long is the event horizon has, well... let's just say we didn't even see this coming.

Back in 2007, we were talking about using LDAP to do this business.  Since then, there has been a surge in various protocols to do this work -- SAML, OAuth, OpenID Connect, JWT -- I mean, there's more ways of doing this than I could really shake a stick at, and the real unfortunate point is that this is now minimal additional coding on NHQ's part (for example, going the JWT route is a matter of one extra web page and a database table of authorized applications).  Not to compound the issue, but over the past 10 years there have been so many homebrewed authentication solutions, a sizable chunk of wings and units have gone off and created their own Google Apps domains that all maintain their own authentication system, and there's a proliferation of websites with local authentication.  Between eServices, the Texas Wing website, and CAPERS, that's three logins for me just to get into "daily business" web applications.

With the new NHQ IT leadership in place on the paid side, this might be an opportunity to bring up the subject.  However, something like this needs to come from a functional area that is impacted by the issue and would sponsor the request for development, and unfortunately, I see this as truly an IT geek issue more than an operational issue unless we could find a few command council members that would be willing to push the issue that the lack of a unified authentication system is a barrier to innovation, affects volunteer member productivity, yadda yadda.  Or does anyone else have any ideas on how we could go about making another push for this?

FWIW, I think OpenID Connect is probably the most durable solution.  SAML is nice in the enterprise, but requires a fairly involved configuration that might be beyond the scope of some volunteer members.  JWT is the most simple solution, but would require a database of symmetric secret keys for each authorized application, which might be an administrative burden.  Any thoughts?
Nicholas McLarty, Lt Col, CAP
Texas Wing Staff Guy
National Cadet Team Guy Emeritus

Spaceman3750

Without knowing the details of each of the protocols mentioned, making eServices handle the authentication might be the best way to go about it. CAP application needs to authenticate a user. It sends the user to eServices to authenticate, and after successfully authenticating, eServices generates a token consisting of the user's CAP ID and timestamp of the authentication (and maybe a hash of these two fields), encrypted with a private key. The user then gets redirected back to the application with their token, which the application knows is valid because it can decrypt it with NHQ's public key and verify the hash. Rolling in a timestamp allows the application to limit the validity of the token, reducing its useful life in replay attacks. The application then extracts the CAPID from the token and authorizes them for whatever functions they are allowed to have.

I'm a security professional, but I'm not a programmer and don't design authentication systems. That said, this seems at least slightly sound. This way, 3rd party apps don't have to handle passwords, but you still reach the same end. It wouldn't really require that much additional work on NHQs part either.
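The token scheme sketched in the post above, written out as an added example (not code from the original thread, nor anything NHQ or eServices actually runs): the issuer signs a payload containing the CAP ID and issue timestamp with a private key, and the relying application verifies it with only the public key and rejects tokens outside its validity window, which also shows why a public-key design avoids the per-application shared-secret table mentioned in the opening post. The `aud` (audience) claim, the five-minute lifetime, the one-minute clock-skew allowance and the application name "capers" are assumptions added for illustration. Ed25519 is used in place of the unspecified "private key" in the post because it is in the Go standard library.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims carried in the token: CAP ID and issue time as in the post above.
// Audience is an assumed addition so a token minted for one application
// cannot be replayed against another one that trusts the same issuer key.
type Claims struct {
	CAPID    string `json:"capid"`
	IssuedAt int64  `json:"iat"`
	Audience string `json:"aud"`
}

// Issue serialises the claims and appends an Ed25519 signature. Only the
// issuer (eServices in the post) holds the private key; relying applications
// need nothing but the public key, so no per-application secret is shared.
func Issue(priv ed25519.PrivateKey, c Claims) (string, error) {
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	sig := ed25519.Sign(priv, payload)
	enc := base64.RawURLEncoding
	return enc.EncodeToString(payload) + "." + enc.EncodeToString(sig), nil
}

// Verify checks the signature first, then the audience, then the age of the
// token. maxAge bounds the replay window the post describes.
func Verify(pub ed25519.PublicKey, token, audience string, now time.Time, maxAge time.Duration) (Claims, error) {
	var c Claims
	parts := strings.SplitN(token, ".", 2)
	if len(parts) != 2 {
		return c, errors.New("malformed token")
	}
	enc := base64.RawURLEncoding
	payload, err := enc.DecodeString(parts[0])
	if err != nil {
		return c, errors.New("bad payload encoding")
	}
	sig, err := enc.DecodeString(parts[1])
	if err != nil {
		return c, errors.New("bad signature encoding")
	}
	// Nothing in the payload is trusted until the signature checks out.
	if !ed25519.Verify(pub, payload, sig) {
		return c, errors.New("signature invalid")
	}
	if err := json.Unmarshal(payload, &c); err != nil {
		return c, errors.New("bad claims")
	}
	if c.Audience != audience {
		return c, errors.New("token issued for a different application")
	}
	// Allow one minute of clock skew in the past direction (assumed value);
	// anything older than maxAge is treated as a replay.
	age := now.Sub(time.Unix(c.IssuedAt, 0))
	if age < -time.Minute || age > maxAge {
		return c, errors.New("token outside validity window")
	}
	return c, nil
}

func main() {
	// Constructed demo: the issuer mints a token for a made-up CAP ID, the
	// relying application verifies it with only the public key.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	now := time.Now()
	tok, err := Issue(priv, Claims{CAPID: "123456", IssuedAt: now.Unix(), Audience: "capers"})
	if err != nil {
		panic(err)
	}
	fmt.Println("token:", tok)
	c, err := Verify(pub, tok, "capers", now.Add(30*time.Second), 5*time.Minute)
	fmt.Println("fresh token:", c.CAPID, err)
	_, err = Verify(pub, tok, "capers", now.Add(10*time.Minute), 5*time.Minute)
	fmt.Println("replayed 10 minutes later:", err)
}
```

Two points the post leaves implicit are made explicit here: the application must verify the signature before reading any claim (a timestamp check on an unverified payload proves nothing), and the token should say which application it was issued for, or one CAP application can take a token meant for another and present it as its own.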

Nick

Quote from: Spaceman3750 on August 07, 2016, 08:46:26 PM
Without knowing the details of each of the protocols mentioned, making eServices handle the authentication might be the best way to go about it. [snip] This way, 3rd party apps don't have to handle passwords, but you still reach the same end. It wouldn't really require that much additional work on NHQs part either.

Well yeah, that's the idea.  eServices is "the" enterprise authentication for all National applications, so you extend it with a standard protocol like OpenID that is designed to accept third-party application requests for authentication, and other applications are able to take advantage of it.

As an aside, I'm a security professional as well (a state agency information security officer and hold a CISSP) and spend many of my days dealing with designing processes to integrate enterprise authentication.  Using a documented standard (like I said in my original post, SAML is most ideal but also most involved; OAuth is the most industry accepted by cloud applications) and sourcing the authentication from a reputable source is the best way to approach this kind of stuff these days.  Definitely more ideal than homebrewing an authentication solution and bolting it onto an application. 
Nicholas McLarty, Lt Col, CAP
Texas Wing Staff Guy
National Cadet Team Guy Emeritus

Paul Creed III

We certainly need proper federated sign-on (with two-factor) more and more every day. As Maj McLarty mentioned, Wings (and other echelons) are rolling Google Apps (and Office 365 from what RUMINT tells me) and, with the push to move to more coordinated website hosting with WordPress-based sites, managing all of these systems is a pain.

We really need centralized IT systems coming from NHQ. One centrally-managed email platform. One centrally-managed website platform. One centrally-managed computer management platform (JAMF perhaps). Let's start running IT centrally rather than everyone in the field re-inventing the wheel every few years when seniors who create something move on elsewhere.
Lt Col Paul Creed III, CAP

Nick

Quote from: Paul Creed III on August 07, 2016, 09:53:14 PM
We really need centralized IT systems coming from NHQ. One centrally-managed email platform. One centrally-managed website platform. One centrally-managed computer management platform (JAMF perhaps). Let's start running IT centrally rather than everyone in the field re-inventing the wheel every few years when seniors who create something move on elsewhere.

Yup.  NHQ even went so far as to start paving out a Google Apps for CAP (as an example, txwg.cap.gov points to their Google Apps domain somehow yet nobody is using it).  I suspect they were trying to figure out how to automate the on/off-boarding of email accounts for the membership and then extend it out to everyone, but it was a project that never made traction.  I was confused about the direction of the website thing.  Before they disbanded the National IT committee, one of our last things was to review the wing level website templates they had the NHQ web development folks put together.  The idea was that the field organization continues to host their own site, but use a common branding template.  Instead of doing that, they could have just found an enterprise CMS that would give everyone a basic, uniform looking site, and then units could populate their site with their own unique info.  But, meh.
Nicholas McLarty, Lt Col, CAP
Texas Wing Staff Guy
National Cadet Team Guy Emeritus

Paul Creed III

Quote from: McLarty on August 08, 2016, 01:09:42 AM
Yup.  NHQ even went so far as to start paving out a Google Apps for CAP (as an example, txwg.cap.gov points to their Google Apps domain somehow yet nobody is using it).  I suspect they were trying to figure out how to automate the on/off-boarding of email accounts for the membership and then extend it out to everyone, but it was a project that never made traction.  I was confused about the direction of the website thing.  Before they disbanded the National IT committee, one of our last things was to review the wing level website templates they had the NHQ web development folks put together.  The idea was that the field organization continues to host their own site, but use a common branding template.  Instead of doing that, they could have just found an enterprise CMS that would give everyone a basic, uniform looking site, and then units could populate their site with their own unique info.  But, meh.

According to the intel I have, there's a WordPress template that is rolling out now. Many Wings in GLR have already moved over as have some units.
Lt Col Paul Creed III, CAP

NIN

15-20 years ago (gaaah, was it really that long?), Toph Kovacs and I put together a concept plan for unifying and hosting CAP websites under a common domain structure with DNS driven out of the membership system, with a common templating system, and "levels" of complexity for units depending on their ability to keep and maintain a website.   Don't have an IT guy or your entire unit's level of technical sophistication stops with everybody's AOL.com addresses? Your unit gets the "basic page" that has unit contact info, etc.   All the same branding, etc, just "Joe Blow Cadet Squadron, SER-NY-123" and contact info.  Oh, you or some of the guys in your unit are a bit more web savvy? Here, add some things like a calendar, photo gallery, news entries, etc.  Still template driven, the "components" could be dragged and dropped.   Or, maybe power users abound in your unit? Hey, we'll alias your cap.gov URL to your hosting (with some guidelines for standards, etc) and you can go to town.

The cool thing was the idea that you could move between any of those levels at the unit's need and nobody had to worry about "SM Snuffy quit and took the keys to the website with him".   Commander goes in, clicks "Reset password" and now your site is back under your control.

Mind you, this was back when there were beaucoup units with Angelfire sites.. LOL..
Darin Ninness, Col, CAP
Wing Dude, National Bubba
I like to have Difficult Adult Conversations™
The contents of this post are Copyright © 2007-2024 by NIN. All rights are reserved. Specific permission is given to quote this post here on CAP-Talk only.

Luis R. Ramos

Squadron Safety Officer
Squadron Communication Officer
Squadron Emergency Services Officer

JeffDG

Quote from: Paul Creed III on August 07, 2016, 09:53:14 PM
We really need centralized IT systems coming from NHQ. One centrally-managed email platform. One centrally-managed website platform. One centrally-managed computer management platform (JAMF perhaps). Let's start running IT centrally rather than everyone in the field re-inventing the wheel every few years when seniors who create something move on elsewhere.
No, we don't need "centralized IT systems coming from NHQ."

The problem is, NHQ has very few IT people.  They will never be able to handle the number of requirements from the field.  Conservatively, CAP has several thousand IT professionals in the field.  Create secure links to the data held by NHQ for the field with good solid APIs, and things like OpenID authentication, and let the field make use of the data.

Let NHQ focus on managing core systems, let field apps compete for those that work or don't work. 

JeffDG

Quote from: McLarty on August 08, 2016, 01:09:42 AM
Yup.  NHQ even went so far as to start paving out a Google Apps for CAP (as an example, txwg.cap.gov points to their Google Apps domain somehow yet nobody is using it).  I suspect they were trying to figure out how to automate the on/off-boarding of email accounts for the membership and then extend it out to everyone, but it was a project that never made traction.  I was confused about the direction of the website thing.  Before they disbanded the National IT committee, one of our last things was to review the wing level website templates they had the NHQ web development folks put together.  The idea was that the field organization continues to host their own site, but use a common branding template.  Instead of doing that, they could have just found an enterprise CMS that would give everyone a basic, uniform looking site, and then units could populate their site with their own unique info.  But, meh.

TNCAP.US points to a Google Apps domain, with automated onboarding, account creation and deletion, e-mail creation, file storage, etc.  It's not rocket science, and if you are interested, I will be talking about it Saturday in Nashville.

Nick

Quote from: Paul Creed III on August 08, 2016, 12:06:57 PM
According to the intel I have, there's a WordPress template that is rolling out now. Many Wings in GLR have already moved over as have some units.

There is, I have it. But just handing out a template and saying "go use this and host it yourself" doesn't address the fundamental issue of unifying the platform for everyone. The template just addresses the appearance, does nothing for the content that should be standard across the organization and then opening up regions of customization within the template.


Sent from my iPhone using Tapatalk
Nicholas McLarty, Lt Col, CAP
Texas Wing Staff Guy
National Cadet Team Guy Emeritus

Paul Creed III

Quote from: McLarty on August 08, 2016, 06:10:03 PM
There is, I have it. But just handing out a template and saying "go use this and host it yourself" doesn't address the fundamental issue of unifying the platform for everyone. The template just addresses the appearance, does nothing for the content that should be standard across the organization and then opening up regions of customization within the template.

GLR is hosting for the region, from what I am told.
Lt Col Paul Creed III, CAP

Nick

So we're 1/8 of the way there. :)


Sent from my iPhone using Tapatalk
Nicholas McLarty, Lt Col, CAP
Texas Wing Staff Guy
National Cadet Team Guy Emeritus

Spaceman3750

Quote from: Paul Creed III on August 08, 2016, 06:11:25 PM
GLR is hosting for the region, from what I am told.

You too, can have a WordPress template... https://www.dropbox.com/sh/b1trc6mni8zefta/AADb9v7Z6aE25oUBgthXQhK-a?dl=0

Paul Creed III

Quote from: Spaceman3750 on August 08, 2016, 06:58:50 PM
You too, can have a WordPress template... https://www.dropbox.com/sh/b1trc6mni8zefta/AADb9v7Z6aE25oUBgthXQhK-a?dl=0

I tried using those for another CAP project on my own WordPress server and had no joy at getting them to work.
Lt Col Paul Creed III, CAP

Holding Pattern

Quote from: Paul Creed III on August 08, 2016, 07:25:03 PM
I tried using those for another CAP project on my own WordPress server and had no joy at getting them to work.

So Wordpress is still working as advertised, eh?

Nick

I wonder if I should take the effort to Jekyll-ize the template and then offer it up for anyone who wants to park their site on GitHub Pages for free.
Nicholas McLarty, Lt Col, CAP
Texas Wing Staff Guy
National Cadet Team Guy Emeritus

Eclipse

Why Wordpress?

We should be developing robust Google Sites templates to go with the services CAP is getting,
not to mention making it easy to grant rights and during transition.

That's what NHQ should be rolling out as the standard, and if done properly they could control them from the top down.

"That Others May Zoom"

Nick

Quote from: Eclipse on August 09, 2016, 01:52:31 AM
Why Wordpress?

We should be developing robust Google Sites templates to go with the services CAP is getting,
not to mention making it easy to grant rights and during transition.

That's what NHQ should be rolling out as the standard, and if done properly they could control them from the top down.

In their defense, they have a pure HTML template but then they sorta WordPress enabled that and packaged it up as a WordPress theme. I haven't attempted to turn anything "modern" into a Google Sites template, so I don't know how involved it is.


Sent from my iPhone using Tapatalk
Nicholas McLarty, Lt Col, CAP
Texas Wing Staff Guy
National Cadet Team Guy Emeritus

Eclipse

I'm not sure you can, beyond transcribing look and feel.  G-Sites is basically its "own thing".

"That Others May Zoom"