
Designing Authentication and RBAC for University-Scale Systems

How I implemented SAML SSO, role mapping, and audit trails for a cyber lab platform used by students, faculty, and administrators.


Context

Universities are messy identity environments. Students, faculty, teaching assistants, and administrators cycle in and out each term. We handle FERPA-regulated data, so access decisions must be precise and auditable.

Choosing SAML vs OAuth2/OIDC

The campus had already invested in a SAML Identity Provider (IdP) with strong governance. We used SAML for single sign-on and attribute release. OAuth2/OIDC supplements external integrations, but core auth rides on SAML assertions signed by the university.

RBAC Model

Roles are derived from SAML attributes and mapped to local permissions:

| Role | Capabilities |
|----------|--------------|
| Student | View labs, run VMs, submit reports |
| TA | Everything a student can do plus reset VMs and view analytics |
| Faculty | Provision labs, manage rosters, approve TA access |
| Admin | Platform settings, feature flags, audit tools |

Mapping happens through a policy engine that understands group memberships (e.g., course-123-ta). Unknown users drop into a disabled state until approved.
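The mapping step above, as an added example that is not the platform's own code: a small policy function that turns released SAML group attributes into course-scoped capabilities from the table, ignores unrecognised groups so they can never grant anything, and leaves users with no recognised group in the disabled state. The group naming convention `course-<number>-<role>` and the `platform-admins` group name are assumptions for the example.

```python
import re
from dataclasses import dataclass, field

# Capabilities per role, following the RBAC table. TA extends student.
STUDENT = {"view_labs", "run_vms", "submit_reports"}
ROLE_CAPABILITIES = {
    "student": STUDENT,
    "ta": STUDENT | {"reset_vms", "view_analytics"},
    "faculty": {"provision_labs", "manage_rosters", "approve_ta_access"},
    "admin": {"platform_settings", "feature_flags", "audit_tools"},
}
# Assumed group naming convention: course-<number>-<role>, e.g. course-123-ta.
COURSE_GROUP = re.compile(r"^course-(\d+)-(student|ta|faculty)$")
ADMIN_GROUP = "platform-admins"  # assumed name of the platform-wide admin group


@dataclass
class Decision:
    disabled: bool
    # scope ("123" for a course, "*" for platform-wide) -> set of capabilities
    capabilities: dict = field(default_factory=dict)


def map_roles(attributes: dict) -> Decision:
    """Derive scoped capabilities from the released SAML attributes.
    Unrecognised groups are ignored; a user with no recognised group is
    disabled until someone approves them."""
    scoped: dict = {}
    for group in attributes.get("groups", []):
        if group == ADMIN_GROUP:
            scoped.setdefault("*", set()).update(ROLE_CAPABILITIES["admin"])
            continue
        match = COURSE_GROUP.match(group)
        if match is None:
            continue  # unknown group never grants anything
        course, role = match.groups()
        scoped.setdefault(course, set()).update(ROLE_CAPABILITIES[role])
    return Decision(disabled=not scoped, capabilities=scoped)


def allowed(decision: Decision, capability: str, course: str) -> bool:
    """Course-scoped check: a TA for course 123 cannot reset VMs in course 456."""
    if decision.disabled:
        return False
    return (capability in decision.capabilities.get(course, set())
            or capability in decision.capabilities.get("*", set()))


if __name__ == "__main__":
    # Constructed sample of the attributes an IdP might release for one user.
    ta = map_roles({"groups": ["course-123-ta", "course-456-student"]})
    print(allowed(ta, "reset_vms", "123"), allowed(ta, "reset_vms", "456"))
```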

Session Hardening and CSRF Protection

  • HttpOnly, Secure, SameSite=Strict session cookies.
  • Double-submit CSRF tokens for form posts from the SPA.
  • Automatic session renewal every 30 minutes, with session ID rotation on privilege escalation.
  • Strict-Transport-Security header and a Content-Security-Policy preflighted with the security office.

Audit Logging and Incident Response

Every privileged action emits a structured log (actor, action, resource, ip, trace_id). Logs stream to a dedicated index with retention policies. Dashboards surface:

  • Failed login attempts by IdP attribute.
  • Permission changes over time.
  • Administrative actions grouped by course.

When an incident hits, the runbook starts in Kibana, filtering by trace ID from the UI. We can trace a suspicious action back to the SAML assertion and confirm whether it was legitimate.

Lessons Learned

  • Start with attribute contracts written down; it prevents breaking changes from the IdP team.
  • Build tooling for term rollovers so graduates lose access automatically.
  • Keep an emergency break-glass account in a separate identity provider for resilience.

Security becomes much easier when roles, sessions, and audit data work together. The result is a platform that satisfies compliance while staying friendly to busy instructors.