Integrating SPAs into Groups

Overview:

As departments expand their use of Special Purpose Accounts, SPAs, we need to re-assess how and where they are used along with a name change to better handle the dual aspects of SPAs.

Original concept:

There are two aspects to a SPA, the account itself which resides in LDAP, and the user delegation group which resides in CalGroups. Often, someone using a SPA may think of them as being the same thing though. In LDAP, the SPA is like a regular person account with a couple of extra attributes, one of which is the name of the user delegation group. When someone logs into an application via our campus SSO, they are allowed to login as a SPA if they are part of the SPA’s user delegation group. 

Within CalGroups itself, the user delegation group is a regular group that can be used for authorization or other purposes. Groups can be nested in each other for indirect membership. 

There are several SPA related names that appear in different contexts. For example:

In CalGroups: 

the user delegation group: edu:berkeley:apps:calnet-spa:group-spa-test-name

In LDAP:

the account has a:

Givenname: Test-name

Sn (last name): SP_Account

Display Name: Test-name SP_Account

Cn: SP_Account, Test-name

Calnet ID: spa-test-name

isMemberOf:

cn=edu:berkeley:app:calnet-spa:spa-test-name,ou=campus groups,dc=berkeley,dc=edu

In bConnected: 

Account: test-name@berkeley.edu

Email: test-name@berkeley.edu

Authenticating via CAS: spa-test-name+CalNetID

In AD: the user delegation group (under ou=ManagedGroups,ou=CalGroups):

CN=group-spa-test-name,OU=calnet-spa,OU=app,OU=berkeley,OU=edu

Current needs:

As campus departments are making expanded use of SPAs, we need to allow both the Special Purpose Account and the SPA user delegation group to be used in groups.

Proposed Solution: Change SPA Group Name - 

To allow clarity for the two aspects of a SPA (account and user delegation group), we will change the group names slightly. 

The current idea for group name modification is to prefix it with 'group'. That way when a user is searching for a SPA, user group, or account, the user group will be obvious.

An example:

SPA name: spa-test-name

SPA as account in google: test-name@berkeley.edu

SPA user delegation group name: spa-test-name -> group-spa-test-name

After the change:

The group you would use to allow users to use spa-test-name (group-spa-test-name):

SPA page for group-spa-test-name 

If someone is searching for spa-test-name within CalGroups, they will see two items in the list:

  1. SP_Account, Test-name
  2. edu:Berkeley:Applications:CalNet SPA:group-spa-test-name

Spa-test-name and group-spa-test-name appear when typing "test-name)

Choosing the first option “SP_Account, Test-name” will add the account to the group. 

SPA-test-name is added

Choosing the second option "edu:Berkeley:Applications:CalNet SPA:group-spa-test-name" will add the user delegation group which will in turn will add the members of the user delegation group. In this case, Jeff McCullough and group-spa-testname.

group-SPA-test-name is added