<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">
<META content="MSHTML 6.00.2900.2769" name=GENERATOR>
<STYLE>@font-face {
font-family: Tahoma;
}
@font-face {
font-family: Verdana;
}
@page Section1 {size: 8.5in 11.0in; margin: 1.0in 1.25in 1.0in 1.25in; }
P.MsoNormal {
FONT-SIZE: 12pt; MARGIN: 0in 0in 0pt; FONT-FAMILY: "Times New Roman"
}
LI.MsoNormal {
FONT-SIZE: 12pt; MARGIN: 0in 0in 0pt; FONT-FAMILY: "Times New Roman"
}
DIV.MsoNormal {
FONT-SIZE: 12pt; MARGIN: 0in 0in 0pt; FONT-FAMILY: "Times New Roman"
}
A:link {
COLOR: blue; TEXT-DECORATION: underline
}
SPAN.MsoHyperlink {
COLOR: blue; TEXT-DECORATION: underline
}
A:visited {
COLOR: purple; TEXT-DECORATION: underline
}
SPAN.MsoHyperlinkFollowed {
COLOR: purple; TEXT-DECORATION: underline
}
SPAN.EmailStyle17 {
COLOR: windowtext; FONT-FAMILY: Arial
}
SPAN.EmailStyle18 {
COLOR: navy; FONT-FAMILY: Arial
}
DIV.Section1 {
page: Section1
}
</STYLE>
</HEAD>
<BODY lang=EN-US vLink=purple link=blue>
<DIV><SPAN class=439204313-14112005><FONT face=Arial color=#0000ff size=2>I can
see that some clarifications are in order.</FONT></SPAN></DIV>
<DIV><SPAN class=439204313-14112005><FONT face=Arial color=#0000ff
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=439204313-14112005><FONT face=Arial color=#0000ff size=2>The
current SSO available within the JHS is an implementation of the <A
href="https://clearinghouse.ja-sig.org/wiki/display/CAS/Home">Centralized
Authentication Server (CAS)</A> from Yale University. I have been updating
the JhsSso project at <A
href="http://epic52.dep.state.fl.us/jhs-sso/">http://epic52.dep.state.fl.us/jhs-sso/</A> and
will include this and your questions as part of the information on the project
web site.</FONT></SPAN></DIV>
<DIV><SPAN class=439204313-14112005><FONT face=Arial color=#0000ff
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=439204313-14112005><FONT face=Arial color=#0000ff size=2>The
JhsSso ticket is never saved to the hard drive of any computer in so far as I
know. The ticket is specific to the user's browser session only. If
the browser is closed the ticket is removed from the user session
information. Later versions of the MS windows OS's incorporate kerberos
authentication with MS Active Directory (AD) at login time. This
information, a ticket, is loaded into Internet Explorer when it is started
up.</FONT></SPAN></DIV>
<DIV><SPAN class=439204313-14112005><FONT face=Arial color=#0000ff
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=439204313-14112005><FONT face=Arial color=#0000ff size=2>The
CAS only supports authentication. Authorization is an application specific
consideration. We can authenticate now against the Waca user tables in the
databases and working with Brandon has led me to believe that we can
authenticate against the MS AD user store via the kerberos ticket in the IE
Browser eventually. This is different though than is currently implemented
in that using the MS AD involves getting the user's ticket from the Operating
System once the user has logged on to the local network. In this respect
it is considerably different than web enabled SSO. Obviously MS likes to
keep one tied to the OS and not simply a browser session. This is part of
the reason for the disparity in authentication techniques.</FONT></SPAN></DIV>
<DIV><SPAN class=439204313-14112005></SPAN> </DIV>
<DIV><SPAN class=439204313-14112005><FONT face=Arial color=#0000ff size=2>The
authorization element of Single Sign On presents another aspect of this
effort. From an Enterprise point of view, we would like to offer a single
unified approach for all applications to utilize in determining any user's
accessibility to and roles within any Jhs hosted applications. Rather than
have each application write code to define a User Object and collect
applications and roles for each in various databases we would prefer it be done
one time in one set of User components for all applications within the
Jhs.</FONT></SPAN></DIV>
<DIV><SPAN class=439204313-14112005></SPAN> </DIV>
<DIV><SPAN class=439204313-14112005><FONT face=Arial color=#0000ff size=2>I have
discussed this architecture with Dannny and Brandon and we all basically agree
on an approach. I have been working on implementing this in a manner that
is useful to all applications. Unfortunately demands on my time preclude
any rapid prototyping. It is quite easy though for others to contribute to
this effort. The architecture is in place and the code is being
implemented. The current status of these components</FONT> <FONT
face=Arial color=#0000ff size=2>is found online at <A
href="http://epic52.dep.state.fl.us/ent-comp/">http://epic52.dep.state.fl.us/ent-comp/</A> The
specific files involved are User, UserImpl, UserFactory, AbstractEntUser,
UserTest, Application, Role and a handful of others. None of these are
particularly difficult to write and are intended to facilitate cooperative and
iterative development.</FONT></SPAN></DIV>
<DIV><SPAN class=439204313-14112005><FONT face=Arial color=#0000ff
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=439204313-14112005><FONT face=Arial color=#0000ff
size=2>Regarding the remainder of your questions, Standard functionality
provided by CAS requires the Client side of the CAS to perform a validation of
the ticket returned by the CAS server. This works fine on the
Pre-Production server but for reasons that are still being investigated it does
not seem to work on the Integration machine. The server side code works
fine on all machines. So it seems we have some additional troubleshooting
to perform.</FONT></SPAN></DIV>
<DIV><SPAN class=439204313-14112005><FONT face=Arial color=#0000ff
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=439204313-14112005><FONT face=Arial color=#0000ff size=2>The
architecture described above is specifically designed to allow for any user to
have controlled access to multiple applications and multiple roles within any
one or all of the applications. Our intent is to have this collection of
applications and roles available to the Jhs applications regardless of where the
information is stored, be it on the MS AD or Waca or any other place.
Adding in additional information stores is fairly simple although not
trivial. So far Waca seems to suit most applications and I have yet to be
advised of formal requirements in addition to these. My suggestion is that
if any application requires additional functionality it is most easily
accommodated within the current architecture with some
guidance.</FONT></SPAN></DIV>
<DIV><SPAN class=439204313-14112005><FONT face=Arial color=#0000ff
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=439204313-14112005><FONT face=Arial color=#0000ff size=2>The
JhsSso is deployed on the Pre-Production machines and undergoing testing as part
of the DslFspli and other applications. We expect to have the current
version deployed to Production in concert with the production deployments of the
applications that require it. </FONT></SPAN></DIV>
<DIV><SPAN class=439204313-14112005><FONT face=Arial color=#0000ff
size=2></FONT></SPAN><SPAN class=439204313-14112005><FONT face=Arial
color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=439204313-14112005><FONT face=Arial color=#0000ff size=2>All
documentation and project information is available on the Jhs web site or from
links found there. I have tried to collect and organize it
appropriately. The main web site is <A
href="http://epic52.dep.state.fl.us/jhs-sso/">http://epic52.dep.state.fl.us/jhs-sso/</A> and
the example Jhs client application is at <A
href="http://epic52.dep.state.fl.us/sso-exp/">http://epic52.dep.state.fl.us/sso-exp/</A>
The authentication portion of the Sso as previously noted is part of the EntComp
at <A
href="http://epic52.dep.state.fl.us/ent-comp/">http://epic52.dep.state.fl.us/ent-comp/</A>.</FONT></SPAN></DIV>
<DIV><SPAN class=439204313-14112005><FONT face=Arial color=#0000ff
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=439204313-14112005><FONT face=Arial color=#0000ff size=2>I will
add the above information to the web sites noted as soon as I
can.</FONT></SPAN></DIV>
<BLOCKQUOTE dir=ltr style="MARGIN-RIGHT: 0px">
<DIV class=OutlookMessageHeader dir=ltr align=left><FONT face=Tahoma
size=2>-----Original Message-----<BR><B>From:</B> Keyt, Bob <BR><B>Sent:</B>
Monday, November 14, 2005 8:39 AM<BR><B>To:</B> Kirkpatrick,
Ivan<BR><B>Cc:</B> Zimmerman, Jeffrey<BR><B>Subject:</B> FW: Update of the
SSO, in regards to the SRF application-<BR><BR></FONT></DIV>
<DIV class=Section1>
<P class=MsoNormal><B><FONT face=Arial color=navy size=2><SPAN
style="FONT-WEIGHT: bold; FONT-SIZE: 10pt; COLOR: navy; FONT-FAMILY: Arial">Ivan</SPAN></FONT></B><FONT
face=Arial color=navy size=2><SPAN
style="FONT-SIZE: 10pt; COLOR: navy; FONT-FAMILY: Arial">, </SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial color=navy size=2><SPAN
style="FONT-SIZE: 10pt; COLOR: navy; FONT-FAMILY: Arial"></SPAN></FONT> </P>
<P class=MsoNormal><FONT face=Arial color=navy size=2><SPAN
style="FONT-SIZE: 10pt; COLOR: navy; FONT-FAMILY: Arial">I need your
confirmation and clarifications to be completely comfortable with our
approach. </SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial color=navy size=2><SPAN
style="FONT-SIZE: 10pt; COLOR: navy; FONT-FAMILY: Arial"></SPAN></FONT> </P>
<P class=MsoNormal><FONT face=Arial color=navy size=2><SPAN
style="FONT-SIZE: 10pt; COLOR: navy; FONT-FAMILY: Arial">1. Is the SSO summary
below correct? Please provide corrections and clarifications as appropriate. I
would understand better if you would insert (SSO) or (SRF) behind the words
“it” and “application” in the Summary. Right now, it looks like the SSO will
only verify the user identifier/password and save a “ticket” for the hard
drive. Is remaining security functionality, such as checking the ticket, left
to the (SRF) application? </SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial color=navy size=2><SPAN
style="FONT-SIZE: 10pt; COLOR: navy; FONT-FAMILY: Arial">2. Will the SSO
support multiple concurrent applications roles? Specifically, can an
individual have multiple roles for one application enabled by one sign-on?
</SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial color=navy size=2><SPAN
style="FONT-SIZE: 10pt; COLOR: navy; FONT-FAMILY: Arial">3. What is the SSO
project timeline (design, development, UAT, implementation)?
</SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial color=navy size=2><SPAN
style="FONT-SIZE: 10pt; COLOR: navy; FONT-FAMILY: Arial">4. Where is SSO
project documentation located, such as the needs evaluation and detailed
specification? </SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial color=navy size=2><SPAN
style="FONT-SIZE: 10pt; COLOR: navy; FONT-FAMILY: Arial"></SPAN></FONT> </P>
<P class=MsoNormal><FONT face=Arial color=navy size=2><SPAN
style="FONT-SIZE: 10pt; COLOR: navy; FONT-FAMILY: Arial">We really appreciate
your assistance! </SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial color=navy size=2><SPAN
style="FONT-SIZE: 10pt; COLOR: navy; FONT-FAMILY: Arial"></SPAN></FONT> </P>
<P class=MsoNormal><FONT face=Arial color=navy size=2><SPAN
style="FONT-SIZE: 10pt; COLOR: navy; FONT-FAMILY: Arial"></SPAN></FONT> </P>
<P class=MsoNormal><FONT face=Arial color=navy size=2><SPAN
style="FONT-SIZE: 10pt; COLOR: navy; FONT-FAMILY: Arial"></SPAN></FONT> </P>
<P class=MsoNormal><B><FONT face=Arial color=navy size=2><SPAN
style="FONT-WEIGHT: bold; FONT-SIZE: 10pt; COLOR: navy; FONT-FAMILY: Arial">Dan</SPAN></FONT></B><FONT
face=Arial color=navy size=2><SPAN
style="FONT-SIZE: 10pt; COLOR: navy; FONT-FAMILY: Arial">, </SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial color=navy size=2><SPAN
style="FONT-SIZE: 10pt; COLOR: navy; FONT-FAMILY: Arial"></SPAN></FONT> </P>
<P class=MsoNormal><FONT face=Arial color=navy size=2><SPAN
style="FONT-SIZE: 10pt; COLOR: navy; FONT-FAMILY: Arial">Since we plan to
create a “black box” substitute for the SSO, do we have the specifications
(classes, methods, data) to seamlessly (NO or minimal code changes) replace
our “black box” with SSO when it becomes available for testing and
implementation? </SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial color=navy size=2><SPAN
style="FONT-SIZE: 10pt; COLOR: navy; FONT-FAMILY: Arial"></SPAN></FONT> </P>
<P class=MsoNormal><FONT face=Arial color=navy size=2><SPAN
style="FONT-SIZE: 10pt; COLOR: navy; FONT-FAMILY: Arial">I must remind you
that the approved SRF-I2 project timeline requires construction testing to be
<U>complete</U> the first week of June 2006 (the rest of June is QA reviews
and Approvals) and User Beta Testing (UAT) in July 2006. That means we need an
implementable security solution by April 2006, at the very latest!
</SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial color=navy size=2><SPAN
style="FONT-SIZE: 10pt; COLOR: navy; FONT-FAMILY: Arial"></SPAN></FONT> </P>
<P class=MsoNormal><FONT face=Arial color=navy size=2><SPAN
style="FONT-SIZE: 10pt; COLOR: navy; FONT-FAMILY: Arial"></SPAN></FONT> </P>
<DIV>
<P class=MsoNormal><FONT face=Arial color=navy size=2><SPAN
style="FONT-SIZE: 10pt; LAYOUT-GRID-MODE: line; COLOR: navy; FONT-FAMILY: Arial">Bob
Keyt, PMP(R) </SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial color=navy size=2><SPAN
style="FONT-SIZE: 10pt; LAYOUT-GRID-MODE: line; COLOR: navy; FONT-FAMILY: Arial">Senior
Principal Consultant/Project Manager </SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial color=navy size=2><SPAN
style="FONT-SIZE: 10pt; LAYOUT-GRID-MODE: line; COLOR: navy; FONT-FAMILY: Arial">Department
of Environmental Protection </SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial color=navy size=2><SPAN
style="FONT-SIZE: 10pt; LAYOUT-GRID-MODE: line; COLOR: navy; FONT-FAMILY: Arial">2600
Blair Stone Rd, MS 3500 </SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial color=navy size=2><SPAN
style="FONT-SIZE: 10pt; LAYOUT-GRID-MODE: line; COLOR: navy; FONT-FAMILY: Arial">Tallahassee,
Florida 32399-2400 </SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial color=navy size=2><SPAN
style="FONT-SIZE: 10pt; LAYOUT-GRID-MODE: line; COLOR: navy; FONT-FAMILY: Arial">-----------------------------------------------------------
</SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial color=navy size=2><SPAN
style="FONT-SIZE: 10pt; LAYOUT-GRID-MODE: line; COLOR: navy; FONT-FAMILY: Arial">Work:
(850) 245-8674 (internal 5674)</SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial color=navy size=2><SPAN
style="FONT-SIZE: 10pt; LAYOUT-GRID-MODE: line; COLOR: navy; FONT-FAMILY: Arial">Cell:
(850) 545-4897 </SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial color=navy size=2><SPAN
style="FONT-SIZE: 10pt; LAYOUT-GRID-MODE: line; COLOR: navy; FONT-FAMILY: Arial"></SPAN></FONT> </P>
<P class=MsoNormal><FONT face=Verdana color=black size=1><SPAN
style="FONT-SIZE: 7.5pt; COLOR: black; FONT-FAMILY: Verdana">Please note:
Florida has a very broad public records law. Most written communications to or
from state officials are public records and may be made available to
the public or media upon request. This e-mail
communication, your reply, and future e-mails to my
attention may therefore be subject to public
disclosure.</SPAN></FONT></P></DIV>
<P class=MsoNormal><FONT face=Arial color=navy size=2><SPAN
style="FONT-SIZE: 10pt; COLOR: navy; FONT-FAMILY: Arial"></SPAN></FONT> </P>
<DIV>
<DIV class=MsoNormal style="TEXT-ALIGN: center" align=center><FONT
face="Times New Roman" size=3><SPAN style="FONT-SIZE: 12pt">
<HR tabIndex=-1 align=center width="100%" SIZE=3>
</SPAN></FONT></DIV>
<P class=MsoNormal><B><FONT face=Tahoma size=2><SPAN
style="FONT-WEIGHT: bold; FONT-SIZE: 10pt; FONT-FAMILY: Tahoma">From:</SPAN></FONT></B><FONT
face=Tahoma size=2><SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Tahoma">
Zimmerman, Jeffrey <BR><B><SPAN style="FONT-WEIGHT: bold">Sent:</SPAN></B>
Thursday, November 10, 2005 4:02 PM<BR><B><SPAN
style="FONT-WEIGHT: bold">To:</SPAN></B> Keyt, Bob<BR><B><SPAN
style="FONT-WEIGHT: bold">Cc:</SPAN></B> Bergenroth, Brandon; Carney,
Christopher; O'Donnell, Danny; Worley, Robert; Etter, Kathleen<BR><B><SPAN
style="FONT-WEIGHT: bold">Subject:</SPAN></B> Update of the SSO, in regards to
the SRF application-</SPAN></FONT></P></DIV>
<P class=MsoNormal><FONT face="Times New Roman" size=3><SPAN
style="FONT-SIZE: 12pt"></SPAN></FONT> </P>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">Good afternoon,
Bob,</SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"></SPAN></FONT> </P>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">Both Brandon and Danny O’Donnell
have met with Ivan independently to discuss the implementation of the proposed
SSO. It seems that there has been some progress made in this arena and
we wanted to give you a brief update as to the information we
received.</SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"></SPAN></FONT> </P>
<P class=MsoNormal><U><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">Summary of how SSO was explained
to work:</SPAN></FONT></U></P>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"></SPAN></FONT> </P>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">1) When a user opens a
browser and goes to a web application that utilizes the SSO, it looks for a
ticket on the user's hard drive. </SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">2) If the user has a valid
ticket, go to step #4.</SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">3) If user does not have a
valid ticket, it is taken to the SSO screen, where they are prompted to input
a user name and password. A successful username/password combination
will then create a ticket and place it on the user's hard
drive.</SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">4) The application verifies
the ticket, located on the user's hard drive. Information is taken from
the ticket and enables creation of a user object from the enterprise
component. This object will contain the application information which
will be used by the application. If the user does not have the proper
privileges (roles) for the application then user may be denied entry to some
or all of the application (and/or certain functionality). Otherwise, the
user is allowed to have access to the application with whatever privileges and
access that is granted to that individual for their role(s) as they move
through the application.</SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"></SPAN></FONT> </P>
<P class=MsoNormal><U><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">The solution for how SRF will
proceed:</SPAN></FONT></U></P>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"></SPAN></FONT> </P>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">The WRMITS team will create a
temporary facsimile of the proposed SSO component. This will act as a
temporary placeholder and will allow us to continue with our
development. Upon the SSO’s completion, it will be integrated into our
current framework. Since the foundational framework will be created to
handle the parameters of the proposed SSO, transition to the enterprise wide
component should not be an arduous task.</SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"></SPAN></FONT> </P>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">Since this is one of our highest
risk factors, the SSO will need to be stable and in place by the time
construction is complete, in the spring to early summer of this year. If
the SSO is not in place by that time, it is safe to say that this risk has
unfortunately come to fruition and that we need to find an alternate means of
securing the SRF application.</SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"></SPAN></FONT> </P>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">Thanks,</SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">Dan</SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"></SPAN></FONT> </P></DIV></BLOCKQUOTE></BODY></HTML>