1
NMI-EDIT Identity Management Tutorial
NMI Tutorial, February 2004
2
  • Michael Berman, VP, CSU-Pomona
  • Keith Hazelton, Dir. Arch., Wisconsin
  • Jack Suess, CIO, UMBC
  • Ann West, NMI-EDIT Coordinator

3
CSU Identity Management Definition
  • CSU definition - An identity management
    infrastructure is a collection of technology and
    policy that enables networked computer systems to
    determine who has access to them and what resources
    that person is authorized to access, while
    protecting individual privacy and access to
    confidential information.

4
Identity Management System
  • Suite of campus-wide security, access, and
    information services
  • Integrates data sources and manages information
    about people and their contact locations
  • Establishes electronic identity of users
  • Issues identity credentials
  • Uses administrative data and management tools to
    assign affiliation attributes, and grants permission
    to use services based on those attributes

5
Key terms: Enterprise Directory Services
  • Enterprise Directory Services - where electronic
    identifiers are reconciled and institutional
    identity is established and maintained for all
    people of interest
  • Very quick lookup function
  • Machine address, voice mail box, email box
    location, address, campus identifiers

6
More key terms
  • Authentication (AuthN)
  • Process of proving your identity by presenting
    an identity credential
  • In IT systems, often done by a login process
  • Authorization (AuthZ)
  • Process of determining if policy permits a
    requested action to proceed using attribute
    group information
  • Often associated with an authenticated identity,
    but not always and not necessarily

8
Infrastructure for Identity Management
  • Common elements
  • Core Business System - system for identifying
    university membership (e.g. SIS, HR, Alumni)
  • Registry - aggregation point, usually a DBMS,
    where key data elements from the systems of record
    (SORs) are integrated
  • Metadirectory - LDAP service that organizes
    registry information and responds to service
    requests
  • Authenticator - service that authenticates (e.g.
    Kerberos, LDAP, or other)
  • Groups - university roles built into directory
  • Services - application services that utilize IdM
  • Policy - definitions and structure, usually
    defines criteria for group membership and service
    restrictions

9
Simplified UMBC Architecture

10
Policy Issues
  • Policy issues that must be defined
  • Rules for membership in your community. Who is
    an active student, who is a faculty member, who
    is an alumnus?
  • Who is eligible for an account? Under what
    circumstances?
  • What groups do you need to track?
  • What services is each group allowed to access?
  • Who can sponsor affiliate members?
  • How long do you remain a member of the community?
  • What about guests or the public?

11
How do you define who is eligible for different
services?
  • Obvious staff, faculty, students
  • Less obvious
  • Alumni, supporters?
  • Parents
  • Sponsored or affiliate IDs
  • Transient e.g. meetings and conferences
  • Former employees
  • Research partners
  • Affiliates: auxiliaries, credit union, teachers

12
Eligibility -- Thorny Issues
  • Intermittent roles: persistent IDs?
  • Lecturers, seasonal employees
  • Students
  • Multiple roles: change roles, keep IDs?
  • Student workers
  • Staff who are also students
  • Multi-campus issues- common id across system?
  • Does everyone need to be in your IdM?
  • How long does someone remain in your IdM?

13
Eligibility -- Create Policy First
  • Indiana
  • Policy defines who can have and sponsor accounts.
  • Accounts Management System will implement policy
    in software.
  • UMBC
  • Software was written without formalizing the
    policy on paper. This is something we have to
    finalize.

14
Authentication and Authorization
  • Authentication - Who am I?
  • Shared secret -- password?
  • Private key -- PKI
  • Biometrics/other?
  • Authorization - What am I allowed to do or
    access?
  • Affinity groups are defined and populated. Roles
    may be based on a combination of affinities.
  • Identity Management system must answer both
    questions.

15
Creating a single namespace
  • Once you define who is eligible to be in your IdM
    you must create a person registry from multiple
    SORs.
  • For each person in the registry you must define
    an account name. Dealing with conflicts is a
    political challenge.
  • Get agreement on ground rules prior to starting
    the project.
  • Provide flexibility. People care more about their
    email address than they do their username!
  • When creating a new authentication service, require
    strong passwords!
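
The registry-building step described on this slide (and the "Registry" element of slide 8), as an added example that is not UMBC's or Indiana's code: two constructed SOR extracts (HR and SIS, fictional people) are reconciled into one identity per person, each person gets an opaque registry identifier and a unique account name, and only SSN-free attributes are exported to the directory. The record layouts, the matching rule (link on SSN; otherwise on surname plus birth date, but never across two different SSNs), the username rule (first initial plus surname, numeric suffix on conflict) and the registry ID format are assumptions made for illustration.

```python
"""Toy person registry: reconcile extracts from several systems of record
(SORs) into one identity per person and assign each a unique account name.

Added example for the tutorial, not UMBC's or Indiana's code. Record layouts,
matching rule, username rule and registry ID format are assumptions.
"""
import hashlib
import re
from dataclasses import dataclass, field

# Constructed sample SOR extracts (fictional people).
HR_EXTRACT = [
    {"emplid": "E100", "ssn": "123-45-6789", "first": "Alice", "last": "Smith",
     "dob": "1970-01-01", "affiliation": "faculty"},
    {"emplid": "E101", "ssn": "222-33-4444", "first": "Bob", "last": "Jones",
     "dob": "1980-05-05", "affiliation": "staff"},
]
SIS_EXTRACT = [
    {"student_id": "S900", "ssn": "222-33-4444", "first": "Robert", "last": "Jones",
     "dob": "1980-05-05", "affiliation": "student"},   # same person as E101
    {"student_id": "S901", "ssn": None, "first": "Amy", "last": "Smith",
     "dob": "1985-09-09", "affiliation": "student"},   # new person
    {"student_id": "S902", "ssn": None, "first": "Alice", "last": "Smith",
     "dob": "1970-01-01", "affiliation": "student"},   # E100 again, no SSN on file
    {"student_id": "S903", "ssn": "999-88-7777", "first": "Alice", "last": "Smith",
     "dob": "1970-01-01", "affiliation": "student"},   # looks like E100, different SSN
]


@dataclass
class Person:
    registry_id: str                 # opaque institutional identifier, safe to release
    first: str
    last: str
    dob: str
    affiliations: set = field(default_factory=set)
    source_ids: dict = field(default_factory=dict)   # e.g. {"hr": "E100", "sis": "S902"}
    ssn_key: str = ""                # keyed hash used only for matching, never the SSN
    username: str = ""


def ssn_match_key(ssn):
    """The registry links records on SSN but keeps only a keyed hash of it."""
    if not ssn:
        return ""
    return "ssn:" + hashlib.sha256(b"registry-match-key:" + ssn.encode()).hexdigest()


def demographic_match_key(last, dob):
    """Fallback link when a source has no SSN; first names vary (Bob/Robert)."""
    return f"demo:{last.strip().lower()}:{dob}"


def build_registry(hr_rows, sis_rows):
    """Return (people in creation order, records that need human review)."""
    people, index, review = [], {}, []
    for source, id_field, rows in (("hr", "emplid", hr_rows), ("sis", "student_id", sis_rows)):
        for r in rows:
            k_ssn = ssn_match_key(r["ssn"])
            k_demo = demographic_match_key(r["last"], r["dob"])
            by_ssn = index.get(k_ssn) if k_ssn else None
            by_demo = index.get(k_demo)
            if by_ssn is not None:
                person = by_ssn
            elif by_demo is not None and (not k_ssn or not by_demo.ssn_key):
                person = by_demo
            else:
                if by_demo is not None:
                    # Same surname and birth date but a different SSN: never auto-merge.
                    review.append((source, r[id_field], by_demo.registry_id))
                person = Person(f"P{len(people) + 1:06d}", r["first"], r["last"], r["dob"])
                people.append(person)
            person.affiliations.add(r["affiliation"])
            person.source_ids[source] = r[id_field]
            if k_ssn:
                person.ssn_key = k_ssn
                index[k_ssn] = person
            index.setdefault(k_demo, person)
    return people, review


def assign_usernames(people, already_taken=()):
    """First come, first served: names already in use are kept by their holders."""
    taken = set(already_taken)
    for p in people:
        base = re.sub(r"[^a-z]", "", (p.first[:1] + p.last).lower()) or "user"
        candidate, n = base, 1
        while candidate in taken:
            n += 1
            candidate = f"{base}{n}"
        p.username = candidate
        taken.add(candidate)
    return people


def directory_entry(p):
    """Attributes exported to the metadirectory: opaque ID and affiliations, no SSN."""
    return {"uid": p.username, "registryId": p.registry_id,
            "cn": f"{p.first} {p.last}", "affiliation": sorted(p.affiliations)}


if __name__ == "__main__":
    people, review = build_registry(HR_EXTRACT, SIS_EXTRACT)
    for p in assign_usernames(people):
        print(directory_entry(p), p.source_ids)
    print("needs review:", review)
```

The point of the review list is the one the slide calls political: an automatic merge on name and birth date alone would silently give one person another person's account, so a demographic match that contradicts an SSN already on file is handed to a human instead of resolved by code.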

16
Indiana University Name Space
  • Had to work across 8 campuses plus 4 major data
    centers
  • Ground work in 1988 with "username format
    summit"; namespace consolidation project began "in
    earnest" in 1997
  • Required high-level leverage (University CIO)
  • Consisted of iterative generation and review of
    name lists of various naming organizations
  • Person who had name first got to keep it
  • Took 3 years to complete

17
Provisioning Credentials
  • Identity Management usually necessitates
    automated distribution of credentials -- referred
    to as provisioning
  • Credentials are managed through an account
    management system
  • Faculty/staff/students initiate account process
    online.
  • Account holders (faculty/staff) may be authorized
    to sponsor affiliates. Affiliate accounts are
    linked to the sponsor.
  • UMBC is looking at having students sponsor parent
    accounts with delegated access to the student's
    information

18
Variable Authentication Strength
  • Consider providing alternative authentication
    methods and allow services to specify the level of
    authentication and timeout period they require
  • We use two levels (ID/PIN and username/password)
    and we are looking at a third
  • We would like a third level that we use in
    addition to username/password
  • WebISO (web initial sign-on) defines password
    level, timeout duration, attributes released, etc.

19
How do you handle authorization to services?
  • Problem: our legacy services assumed that
    authentication implies authorization.
  • Remedy: use IdM to define affiliations and
    control access by group membership
  • Strategy: create 15-20 automatically maintained
    major affiliation types (for example faculty, staff,
    student, affiliate and several gradations of
    each) to define roles
  • Challenge: it isn't easy to keep this maintained
    and not all services can use groups
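
The access decision the last two slides describe, as an added example (not UMBC's WebISO code): a login service reports how strongly and how long ago the user authenticated, and each service's policy decides whether that, plus membership in an automatically maintained affiliation group, is enough. The legacy rule ("authenticated means authorized") is kept alongside only to contrast. The level numbers, timeouts, group memberships and the two service policies are assumptions.

```python
"""Service access decision that separates authentication from authorization.

Added example for the tutorial; not UMBC's WebISO. Levels, timeouts, groups
and service policies are assumed for illustration.
"""
from dataclasses import dataclass
from typing import Optional

# Authentication strengths a WebISO-style login service can report (assumed scale).
LEVEL_PIN = 1             # ID + PIN
LEVEL_PASSWORD = 2        # username + password
LEVEL_PASSWORD_PLUS = 3   # something used in addition to username/password


@dataclass(frozen=True)
class Session:
    user: str
    auth_level: int
    authenticated_at: int     # epoch seconds when the credential was last presented


@dataclass(frozen=True)
class ServicePolicy:
    name: str
    min_level: int
    max_age: int               # seconds since authentication before re-authentication
    allowed_groups: frozenset  # membership in any one of these authorizes the user
    released_attrs: tuple      # attributes the IdM releases to the service on success


# Affiliation groups as maintained automatically from the registry (constructed data).
GROUPS = {
    "faculty": {"asmith"},
    "staff": {"bjones"},
    "student": {"asmith", "rjones", "amy"},
    "grades-clerk": {"bjones"},
}

POLICIES = {
    "library-proxy": ServicePolicy("library-proxy", LEVEL_PIN, 8 * 3600,
                                   frozenset({"faculty", "staff", "student"}), ("uid",)),
    "grade-entry": ServicePolicy("grade-entry", LEVEL_PASSWORD_PLUS, 15 * 60,
                                 frozenset({"faculty", "grades-clerk"}), ("uid", "affiliation")),
}


def groups_of(user):
    return {name for name, members in GROUPS.items() if user in members}


def legacy_decision(session: Optional[Session]) -> bool:
    """The legacy rule from the slide: being authenticated is treated as authorization."""
    return session is not None


def decide(policy: ServicePolicy, session: Optional[Session], now: int):
    """Return (allowed, reason, attributes_released)."""
    if session is None:
        return False, "authenticate", ()
    if session.auth_level < policy.min_level:
        return False, f"step up to authentication level {policy.min_level}", ()
    if now - session.authenticated_at > policy.max_age:
        return False, "re-authenticate: session older than service allows", ()
    if not (groups_of(session.user) & policy.allowed_groups):
        return False, "not a member of an authorized group", ()
    return True, "ok", policy.released_attrs


if __name__ == "__main__":
    now = 1_000_000
    print(decide(POLICIES["grade-entry"], Session("bjones", LEVEL_PASSWORD, now - 60), now))
    print(decide(POLICIES["grade-entry"], Session("bjones", LEVEL_PASSWORD_PLUS, now - 60), now))
    print(decide(POLICIES["grade-entry"], Session("amy", LEVEL_PASSWORD_PLUS, now - 60), now))
```

The order of the checks matters for the user experience the slide hints at: a grades clerk who logged in with a password is told to step up, not denied, while a student with the strongest credential is still refused grade entry because no affiliation group authorizes it.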

20
Security and Availability
  • An Identity Management (IdM) system is at the
    heart of defining access to the services you
    offer
  • The IdM is exposed to the Internet and must be
    hardened and protected as a critical IT resource
  • Key Issues
  • Failover
  • Capacity to meet peak loads
  • Capacity to meet critical service needs
  • Replication and distribution are key

21
Protecting Privacy and Confidentiality
  • Rapidly evolving area -- GLB (Gramm-Leach-Bliley),
    HIPAA, California SB 1386, etc.
  • Directory services allow services to be
    delegated more broadly -- make sure staff that
    get access are trained in privacy regulations
  • Review logging procedures and log retention
  • Limit who has direct access to the directory and
    who can update the directory
  • IdM can serve as a translator (an opaque campus
    identifier in place of private data such as SSN)
    and lessen the use of such data
  • One consequence of directories is that they can
    facilitate spamming; limit trolling (bulk
    harvesting of entries)

22
Revocation of Credentials?
  • Developed a state diagram; accounts transition
    through these states. Time in each state is
    determined by the UMBC person affiliation
  • Requires ability to delegate authority on
    accounts to the sponsoring entity. They can sponsor
    anyone but take responsibility for those they
    sponsor.
  • Runs nightly based on last effective date
  • Highly political - everyone wants free access.
    Audit requirements to promptly remove access are
    the driver
  • Worked with IT Steering Committee and faculty
    senate for 18 months on account deletion plans.
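
The nightly revocation job this slide describes, as an added example (not UMBC's state diagram or job): accounts move active -> grace -> disabled -> deleted as the last effective date from the SOR ages, the grace period depends on affiliation, and an affiliate's access can never outlive its sponsor's. The state names, the per-affiliation grace periods, the retention period before deletion, the sponsorship rule and the sample accounts are all assumptions.

```python
"""Nightly account-lifecycle job driven by the SOR's last effective date.

Added example for the tutorial; not UMBC's state diagram. State names, grace
and retention periods and the sponsorship rule are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Days an account stays usable ("grace") after its last effective date (assumed).
GRACE_DAYS = {"faculty": 365, "staff": 30, "student": 180, "affiliate": 0}
# Days kept in "disabled" (login blocked, data retained) before deletion (assumed).
DISABLED_DAYS = 90


@dataclass
class Account:
    uid: str
    affiliation: str
    last_effective: date           # last day the affiliation is valid, per the SOR
    state: str = "active"
    sponsor: Optional[str] = None  # uid of the sponsoring account holder (affiliates only)


def effective_end(acct, accounts, _seen=()):
    """Affiliate access cannot outlive the sponsor's; sponsors may be sponsored too."""
    end = acct.last_effective
    if acct.affiliation == "affiliate":
        sponsor = accounts.get(acct.sponsor) if acct.sponsor else None
        if sponsor is None or sponsor.uid in _seen:
            return None   # no valid sponsor (missing or cyclic): block, keep data for review
        sponsor_end = effective_end(sponsor, accounts, _seen + (acct.uid,))
        end = min(end, sponsor_end) if sponsor_end else None
    return end


def target_state(acct, accounts, today):
    """Where the account should be tonight, computed from dates alone."""
    end = effective_end(acct, accounts)
    if end is None:
        return "disabled"
    grace_until = end + timedelta(days=GRACE_DAYS[acct.affiliation])
    disabled_until = grace_until + timedelta(days=DISABLED_DAYS)
    if today <= end:
        return "active"
    if today <= grace_until:
        return "grace"
    if today <= disabled_until:
        return "disabled"
    return "deleted"


def nightly_run(accounts, today):
    """Move every account to its target state; return (uid, old, new) per change.
    'deleted' is terminal: a person who returns is re-provisioned, not resurrected."""
    changes = []
    for acct in accounts.values():
        if acct.state == "deleted":
            continue
        new = target_state(acct, accounts, today)
        if new != acct.state:
            changes.append((acct.uid, acct.state, new))
            acct.state = new
    return changes


def sample_accounts():
    """Constructed sample data (fictional people and dates)."""
    rows = [
        Account("asmith", "faculty", date(2004, 6, 30)),
        Account("bjones", "staff", date(2004, 2, 1)),
        Account("cdoe", "student", date(2003, 5, 31)),
        Account("vendor1", "affiliate", date(2004, 12, 31), sponsor="bjones"),
        Account("oldalum", "student", date(2002, 1, 1)),
    ]
    return {a.uid: a for a in rows}


if __name__ == "__main__":
    accts = sample_accounts()
    for change in nightly_run(accts, date(2004, 2, 15)):
        print(change)
```

Because the target state is recomputed from dates every night rather than stored as a countdown, a renewed affiliation (a new last effective date from the SOR) moves an account from grace or disabled back to active on the next run, and a sponsor's departure pulls every account they sponsor along with them; only deletion is one-way.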

23
Vendor Strategies
  • IBM, Sun, Microsoft, and Novell all have Identity
    Management systems in place. The following is a
    brief summary of what they have or are planning
    in the IdM space.
  • These were all taken from different web sites and
    are listed simply to give an idea of how each
    vendor looks at the issue.
  • The challenge is making this work in a
    heterogeneous system environment

24
Microsoft
27
Sun One Identity Management
28
IBM Tivoli Identity Management
29
Case Studies
  • What follows are two brief case studies of UMBC
    and Indiana University
  • UMBC is a single campus, 12000 students, with a
    centralized support structure
  • Indiana University is an 8-campus system, 100,000
    students, with a more decentralized structure

30
Beginning an Identity Management Project
  • Executive sponsorship is critical. Develop a
    business case for the project and treat it like
    any other development project
  • The project will have tremendous implications
    inside IT on how you provide services, make
    certain you get everyone on board.
  • The project requires access to data. Get
    agreements in place from data stewards before
    beginning project.
  • Don't scrimp on hardware; aim for 99.999% uptime

31
UMBC
  • Business driver was online account provisioning
    and delegated administration of password issues.
    WebISO was a spin-off benefit.
  • Directory chosen for integration of services
    because of changing administrative systems
  • CIO was executive sponsor
  • Namespace consolidation was not an issue
  • Started directory services project in January
    2000.
  • Delivered online account system in August 2000

32
UMBC Directory Architecture

33
LDAP-Based User Functions
34
LDAP Administrative Functions
35
Future Plans
  • Expanding person affinities and defining the
    group membership criteria
  • Implement Shibboleth with our WebISO
  • Implement user-selectable privacy filters for
    user controlled release of information
  • Expand the API for using our WebISO

36
Indiana University
  • VP McRobbie was the executive sponsor
  • Started in earnest in 1997 with namespace
    consolidation project -- took 3 years to complete
  • Directory project started in 2000, completed in
    late 2001.
  • Portal project launched in fall 2002. WebISO is
    CAS from Yale
  • PeopleSoft becoming SOR, now layering services
    over the IdM

37
[Indiana University IdM architecture diagram; only its box labels survived extraction, grouped here by layer]
Applications and Services: OnCourse, Active Directory, Steel, Web Pgs, PplSft, Insite, Shakes/Jewels, Modems, Eclipse, MY IU, UIS Appl, ERA, FIS, Library, Others
Authentication and authorization interfaces: Authentication, Virtual Private Network (VPN), Authentication API, Authorization API, Authorization Roles DB, University Addressbook, Information Extract (LDAP)
Account management: Personal Account Creation Administration (Self Service), Accounts Staff, Acct Manager, HR Rep, Advisor, Local/Campus Support Providers, UITS, Account/Information Mgt Maint
Identifiers and credentials: SID, EMPID, ISN, PIN, Password, Token, IU.EDU E-mail Name Space
Core Services: Enterprise Directory/Information Store, GDS, Kerberos, Safeword AS Server, Extract/Load Process
Source data: University People Information (HR Data, Demographic Data, Others), Other University Affiliations (Foundation, Continuing Studies, Alumni, Others), Other Directories (ADS, Departmental)
Other labels: MATH Major, Grades Clerk, C201, IUK
38
CSU's IdM Project: SIMI
  • California State University is 23 campuses,
    400,000 students, 500,000 people
  • SIMI: Secure Identity Management Infrastructure
  • Concept developed by campus CIOs group with
    support from the Chancellor's Office
  • After long consultation has now received support
    from technology subcommittee of campus presidents
  • Goals
  • Assure IdM developed appropriately for all 23
    campuses
  • Enable secure exchange of ID info across the
    system

39
Questions
  • Resources
  • http://wwws.sun.com/software/products/identity_srvr/wp-idsrvr-overview.pdf
  • http://www.novell.com/collateral/4621314/4621314.html
  • http://www306.ibm.com/software/tivoli/solutions/security/id/
  • http://middleware.internet2.edu/
  • http://www.nmi-edit.org/