Update 15th November

It has been a busy few weeks lately culminating in a work trip to the USA last week. This trip was quite beneficial as, when one is stuck on a plane for 9 hours each way, or completely disconnected from the world 8300ft up the Colorado Rockies in a 1970s cabin with no phone signal, TV or Internet it allows for lots of thinking.

I’ve come up with a list of things that I want to achieve for Linkey by the end of Semester 1 (end of January ’13):

  • Complete the first draft of a case study looking at institutional uses of OAuth.
  • Invite our program manager, Chris Brown, for a site visit and spend the day looking over the case study and planning the last few months of the project.
  • Formally release the code I have been working on, including documentation, unit tests and tutorials.
  • Look at developing a .well-known standard for describing OAuth endpoints and enabling discovery (more on this in a future post).
  • Work with my colleagues in ICT to start implementing a joint OAuth and Microsoft UAG web single sign-on implementation.

I’ve been asked to work with the Orbital team to try and develop an authentication endpoint that will allow University of Lincoln staff and Siemens staff to securely sign-in to applications that have been developed by that project, but with each member of staff using their own institutional/company credentials.

Update w/c 3rd September

I’ve spent the last few weeks working away on the OAuth PHP library which now includes a resource server as well as an authentication server. I’ve also started merging in Phil Sturgeon’s OAuth 2.0 client code library, which when I’ve finished, will result in a mean, lean PHP library for working with any aspect of OAuth 2.0 (authentication, resource sharing or client side). Both server classes are now fully unit tested and I’m at 90% code coverage for all of the methods. I’ve started writing documentation for the library too and I’m going to write a tutorial on how to build an OAuth secured API server in the CodeIgniter framework.

On the UAG side, both Tim and I have been readingĀ Mastering Microsoft Forefront UAG 2010 Customisation (Amazon link). I’ve now got some ideas about how we can easily integrate the university’s OAuth server that I developed with our UAG install. More on this soon.

What is Microsoft Forefront Unified Access Gateway (UAG)?

Microsoft Forefront Unified Access Gateway (UAG) is a piece of server side software which provides secure access to corporate networks, systems and applications. It incorporates a number of different access technologies including VPN, HTTP reverse proxies and the Microsoft-developed technologies DirectAccess and Remote Desktop Services. Remote clients can access these corporate resources through a special web site that is hosted on an IIS server which is bound to the UAG software.

UAG includes built integrations for Microsoft Exchange Server (2003, 2007 and 2010), SharePoint Server (2003, 2007 and 2010), Remote Desktop Services and Citrix Presentational Services. It also includes a technology called SSL-VPN which allows for authentication integration with most 3rd party and custom software.

UAG can use a number of different authentication sources including Active Directory, LDAP, RADIUS and SecurID. Finally it can also “speak” SAML and ADFS.

Microsoft identifies a number of benefits of using UAG:

Forefront Unified Access Gateway (UAG) is designed to provide secure remote access in a way that extends application intelligence, security and control, and ease of use. Key benefits include:

Anywhere Access

Forefront UAG makes it easier to deliver secure remote access to your applications and resources, and improve employee and partner productivity, by combining an intelligent access policy engine with a variety of connectivity options including SSL VPN and Direct Access. Forefront UAG:

Empowers employees, partners, and vendors to be productive from virtually any device or location through integrated SSL VPN capabilities.
Delivers simple and secure access optimised for applications such as SharePoint, Exchange, and Dynamics CRM.
Extends networking connectivity with Windows Direct Access to existing infrastructure and legacy applications.

Integrated Security

Forefront UAG improves the security in remote access scenarios by enforcing granular access controls and policies that are tailored to the applications being published, the identity of the user, and the health status of the device being used. Forefront UAG further improves security by enabling strong authentication to applications and mitigating the risks of downloaded data from unmanaged devices. Forefront UAG:

Protects IT assets through fine-grained and built-in policies that provide access to sensitive data based on identity and endpoint health.
Easily integrates with Active Directory and enables a variety of strong authentication methods.
Limits exposure and prevent data leakage to unmanaged endpoints.

Simplified Management

Forefront UAG offers a single platform through which to deliver and manage remote access. With built in policies and configurations for common applications and devices, you can gain more control, more efficient management, greater visibility, and lower total cost of ownership. Forefront UAG:

Consolidates remote access infrastructure and management.
Simplifies deployment and ongoing tasks through wizards and built-in policies.
Reduces support costs by delivering a simplified connectivity experience for users.

Source: http://www.microsoft.com/en-us/server-cloud/forefront/unified-access-gateway.aspx

How UAG can help us

At the university we have a number of existing web based applications which will benefit from having UAG integration.

We currently have SharePoint and Exchange 2003 installations (which will soon be upgraded to 2010) which UAG can natively integrate with.

We use Blackboard Learn as our LMS and Zendesk as our support desk software, both of which have can use SAML for single sign on.

We are also looking into potentially using UAG as the access point for Windows 7 thin client access.

How can UAG work with OAuth?

As UAG can use SAML to communicate with services it means that we can use the OAuth 2.0 assertions specification to create a translation framework between SAML assertions and OAuth tokens. This will extend some of the work that we’ve originally done on our OAuth server and the updated code will be published.

One of the outcomes of this project will be a case study (with open source code examples) on how UAG and an OAuth server can work together (though because we don’t know how this may work at the moment it could be that it turns out they can’t work together…) and on this blog we will document our experience.