GatorLink Authentication Services: A Mostly Single Credential, Sometimes Single Sign-on Solution (PowerPoint PPT presentation)
Provided by: mikec98
Slides: 21

Transcript and Presenter's Notes
1
GatorLink Authentication Services A Mostly
Single Credential, Sometimes Single Sign-on
Solution
  • Mike Conlon
  • Director of Data Infrastructure
  • November 3, 2004

2
What is GatorLink?
  • Under development since 1996
  • Conceived as a single sign-on solution: the
    electronic equivalent of the Gator 1 card
  • GatorLink is an adjective used to describe a
    collection of services
  • Email
  • Web hosting
  • Dial-up
  • Authentication services for web servers
  • Kerberos, LDAP, NDS, UFAD authentication services
  • Username and password credential
  • Password and account management
  • Here we focus on the credential, authentication,
    and credential management processes

3
Authentication Services
  • Provide a single credential (GatorLink)
    environment, regardless of access technology
  • Support enterprise system sign on, LAN sign on,
    WebISO with same credential
  • Tie authentication to identity

4
Authentication Architecture
  • Authentication begins with identity
  • Automated processes populate the portal
  • Portal login produces cookie for WebISO
  • Middleware updates additional authentication
    services
  • Kerberos, AD, NDS supported

5
Directory Coordinators
  • 800 people authorized to manage directory entries
  • Can create identity (UFID)
  • Can assign most affiliations
  • Directory entries and changes in directory
    entries lead to synchronization in other systems

6
UF Directory Architecture
  • Three major interfaces
  • One data store
  • One set of APIs
  • About 50 message queues
  • Each app receives consistent data

7
Identity synchronization
  • A PeopleSoft App Engine process listens for
    directory changes
  • As entries are added, accounts are created in
    PeopleSoft
  • PeopleSoft signals AT middleware to replicate to
    Kerberos, UFAD and NDS

8
Identity Resolution
  • When identity is created, coordinators provide
    information intended to reduce conflicts
  • 1-2 conflicts occur per day
  • These are resolved manually
  • Goal is 1 UFID per person
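The slide says coordinators supply information intended to reduce conflicts, that one to two conflicts a day still occur, and that these are resolved manually. The following added example (not UF's code) shows the shape of such a check at UFID-creation time: a candidate identity is scored against existing entries, and anything that looks like the same person is held for a human instead of being assigned a second UFID. The match fields, weights, threshold, placeholder UFID format and sample records are all constructed for the example.

```python
"""Identity-resolution check for new UFID requests.

Added example, not UF code: the match fields, the scoring rule, the
conflict threshold, the UFID format and the sample directory records are
all constructed to illustrate the "1 UFID per person" goal.
"""
from dataclasses import dataclass
import unicodedata


@dataclass(frozen=True)
class Person:
    ufid: str            # "" for a candidate that has no UFID yet
    first: str
    last: str
    dob: str             # ISO date "YYYY-MM-DD"
    email: str = ""


def _norm(name: str) -> str:
    """Fold case, accents and punctuation so 'Álberta' matches 'alberta'."""
    folded = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    return "".join(ch for ch in folded.lower() if ch.isalnum())


def match_score(a: Person, b: Person) -> int:
    """Weighted count of agreeing attributes (weights are constructed)."""
    score = 0
    if _norm(a.last) == _norm(b.last):
        score += 2
    if _norm(a.first) == _norm(b.first):
        score += 1
    if a.dob == b.dob:
        score += 2
    if a.email and a.email.lower() == b.email.lower():
        score += 3
    return score


CONFLICT_THRESHOLD = 4   # constructed: last name + date of birth alone is enough to hold


def find_conflicts(candidate: Person, people) -> list:
    """Existing entries that look like the same person as the candidate."""
    return [p for p in people if match_score(candidate, p) >= CONFLICT_THRESHOLD]


class IdentityStore:
    """In-memory stand-in for the directory's identity records (constructed)."""

    def __init__(self, people=()):
        self.people = list(people)
        self._next = len(self.people) + 1
        self.held = []   # (candidate, conflicts) pairs awaiting manual resolution

    def new_ufid(self) -> str:
        ufid = f"{self._next:08d}"   # placeholder UFID format, not UF's real one
        self._next += 1
        return ufid

    def create_identity(self, candidate: Person):
        """Return the new UFID, or None if the request was held for review."""
        conflicts = find_conflicts(candidate, self.people)
        if conflicts:
            self.held.append((candidate, conflicts))
            return None
        person = Person(self.new_ufid(), candidate.first, candidate.last,
                        candidate.dob, candidate.email)
        self.people.append(person)
        return person.ufid


# Constructed sample records.
SAMPLE_DIRECTORY = [
    Person("00000001", "Alberta", "Gator", "1985-02-14", "agator@example.edu"),
    Person("00000002", "Albert", "Gator", "1990-07-04"),
]


def demo():
    """Create one genuinely new identity and one likely duplicate."""
    store = IdentityStore(SAMPLE_DIRECTORY)
    new = store.create_identity(Person("", "Jane", "Doe", "1999-01-01"))
    dup = store.create_identity(Person("", "Álberta", "Gator", "1985-02-14"))
    return new, dup, len(store.held)


if __name__ == "__main__":
    print(demo())
```

The threshold is deliberately low: a false hold costs a coordinator a few minutes, while a missed duplicate produces two UFIDs for one person, which is exactly what the downstream account and password synchronization then propagates to every system.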

9
GL Account creation
  • Once identity has been established, users can use
    self-service web pages to create GL accounts
  • The processes of creating identity and creating
    an account can be completed in under 30 minutes
  • Synchronization to PeopleSoft, Kerberos, NDS and
    UFAD is automatic

10
Password Synchronization
  • GatorLink password changes are made using the
    portal
  • Changes signal the AT middleware
  • AT middleware signals Kerberos, UFAD and NDS
  • Note: Distributed processes at work!

11
Kerberos Authentication
  • Kerberos supports a collection of enterprise
    applications
  • Radius
  • WebMail
  • Kerberos provides authentication services for
    LDAP
  • Kerberos provides authentication services for
    WebISO via GLAuth

12
LDAP Authentication
  • Secure LDAP is used to interact with the
    application
  • LDAP uses Kerberos to perform authentication
  • This method was used for all portal
    authentication until May 5, 2004
  • Cognos uses LDAP authentication

13
WebISO at UF
  • UF developed a local WebISO solution in 1998:
    GLAuth
  • GLAuth provides a secure cookie-based Kerberos
    authenticated system
  • GLAuth is simple to install on Apache web servers
  • Linux and Windows Apache web servers
  • Instructions available at
    http://login.gatorlink.ufl.edu/support/mod_perl/
  • Service description at
    http://open-systems.ufl.edu/software/glauth/

14
NDS
  • Netware Directory Services has account
    synchronization with GatorLink usernames and
    passwords
  • Used in open labs, HSC
  • Contact Iain Moffat at CNS for details

15
UF Active Directory
  • Enterprise Active Directory implementation
  • All accounts are replicated in UFAD along with
    GatorLink usernames and passwords
  • Users authenticate with GL
  • Accounts are provisioned automatically
  • Local units control access rights
  • Supports LAN authentication and IIS
    authentication using GL
  • See www.ad.ufl.edu

16
UF Active Directory
  • UFAD accounts are built from directory message
    queues
  • OUs are populated based on the value of a
    Network Managed By attribute in the directory;
    directory coordinators assign the value
  • Contact information in UFAD is populated from the
    directory

17
Password Management
  • All GatorLink accounts have strong passwords
  • Five password policies govern reset, use of
    hints, password age
  • Policies are determined by user roles; each role
    has a related password policy
  • Each user's GatorLink password management policy
    is the strongest policy required by the user's
    roles
  • Password changing is done using portal screens
  • Kerberos, AD, NDS are updated in real-time
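The rule on this slide, that a user gets the strongest policy required by any of their roles, is easy to state and easy to get subtly wrong when two policies are each stricter in a different setting. The added example below (not UF's implementation) resolves that by taking the strictest value of every setting across the user's role policies, and keeping a single policy's name only when that policy already imposes all of the merged settings. The five policies, their settings, the role-to-policy mapping and the "0 means never expires" convention are constructed assumptions.

```python
"""Effective password policy from a user's roles.

Added example, not UF's implementation: the five policies, their settings,
the role-to-policy mapping and the attribute-wise merge rule are assumptions
about what "strongest policy required by the user's roles" means.
"""
from dataclasses import dataclass, replace
from datetime import date


@dataclass(frozen=True)
class PasswordPolicy:
    name: str
    min_length: int
    max_age_days: int         # 0 means the password never expires (constructed)
    hints_allowed: bool       # may the user set a password hint?
    self_service_reset: bool  # may the user reset via the portal alone?

    def requirements(self):
        return (self.min_length, self.max_age_days,
                self.hints_allowed, self.self_service_reset)


# Five constructed policies standing in for the five on the slide.
POLICIES = {p.name: p for p in [
    PasswordPolicy("basic",       8,   0, True,  True),
    PasswordPolicy("staff",      10, 180, True,  True),
    PasswordPolicy("financial",  12,  90, False, True),
    PasswordPolicy("clinical",   16, 120, True,  True),
    PasswordPolicy("privileged", 14,  60, False, False),
]}

# Constructed role -> policy mapping ("each role has a related password policy").
ROLE_POLICY = {
    "student": "basic", "employee": "staff", "fiscal": "financial",
    "hsc": "clinical", "sysadmin": "privileged",
}


def merge_policies(policies):
    """Attribute-wise strongest setting across the given policies."""
    if not policies:
        raise ValueError("at least one policy required")
    min_length = max(p.min_length for p in policies)
    finite_ages = [p.max_age_days for p in policies if p.max_age_days > 0]
    max_age = min(finite_ages) if finite_ages else 0   # any expiry beats "never"
    hints = all(p.hints_allowed for p in policies)     # one "no" forbids hints
    reset = all(p.self_service_reset for p in policies)
    merged = PasswordPolicy("composite", min_length, max_age, hints, reset)
    # If one input policy already imposes every merged setting, keep its name.
    for p in policies:
        if p.requirements() == merged.requirements():
            return replace(merged, name=p.name)
    names = "+".join(sorted({p.name for p in policies}))
    return replace(merged, name=f"composite({names})")


def effective_policy(roles):
    """Policy a user holding these roles must satisfy."""
    unknown = sorted(r for r in set(roles) if r not in ROLE_POLICY)
    if unknown:
        raise KeyError(f"roles with no policy: {unknown}")
    return merge_policies([POLICIES[ROLE_POLICY[r]] for r in roles])


def password_expired(changed_on: str, today: str, policy: PasswordPolicy) -> bool:
    """True when the ISO-dated password change exceeds the policy's max age."""
    if policy.max_age_days == 0:
        return False
    age = date.fromisoformat(today) - date.fromisoformat(changed_on)
    return age.days > policy.max_age_days


if __name__ == "__main__":
    for roles in (["student"], ["employee", "fiscal"], ["hsc", "sysadmin"]):
        print(roles, "->", effective_policy(roles))
```

Merging setting by setting rather than ranking whole policies guarantees that adding a role can never weaken any requirement a user already had, which is the property the slide's "strongest policy" wording is after; when the roles' policies are not totally ordered the result is a composite that no single named policy describes.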

18
Current State
  • Most enterprise applications authenticate via
    GatorLink
  • GatorLink can be used for enterprise, LAN, Web
    authentication: one credential, one password
    policy
  • Account synchronization, credential
    synchronization in place

19
Future Work
  • GL account management
  • GL life cycle driven by directory
  • Full separation of GL account processes,
    directory processes and service processes
  • Implementation to be completed in spring 2005

20
More Information
  • Subscribe to the IT News pagelet in the portal
  • Subscribe to the UF Bridges pagelet in the portal
  • Policies are posted at http://www.it.ufl.edu/policies