Presentation is loading. Please wait.

Presentation is loading. Please wait.

Technical Primer: Identifiers Internet2 Base CAMP Boulder, Colorado June, 2002.

Published byMaria Cobb Modified over 9 years ago

Similar presentations

Presentation on theme: "Technical Primer: Identifiers Internet2 Base CAMP Boulder, Colorado June, 2002."— Presentation transcript:

1 Technical Primer: Identifiers Internet2 Base CAMP Boulder, Colorado June, 2002

2 Identifiers – Why so important? Foundation of middleware infrastructure – if you can find it, it will receive services. Policy laundry service – clean out the fuzz bunnies. Crossing borders – mapping from one system’s identifier to another. Share the wealth – the right identifier may work across multiple systems. Abuse the wealth – one identifier may enable the activation of additional identifiers.

3 Identifiers – Key Issues Policy Authoritative source How formed Permanence Where used Relationships Mapping between/among subject and subject’s identifiers Dependencies between identifiers

4 Identifier Characteristics Lucent or Opaque? (human readability) For human ease of use, names are good Machines can handle numbers, big numbers Consider privacy issues Provisioning – who/what/when Central vs. distributed assignment Resolving the identifier to the human Persistence Permanent? Reassignable (when)? Revokable?

5 Identifier Types Unique Universal Identifier (uuid) Primary internal identifier, centrally provided Human unfriendly Assigned to all current active users Non-revokable, non-reassignable Linked to by all other identifiers

6 Identifier Types Person Registry ID Used to resolve identity among systems Opaque, centrally administered, persistent, big All affiliates should have a registry ID Account login, netid Often the same – provide access to electronic resources Lucent Authentication required for ownership Preferable to have central provisioning

7 Identifier Types Social Security Number It was such a great identifier (persistent, centrally provisioned) but… Legal restrictions to use Not applicable to foreigners Email address Typically human-friendly Especially helpful if centrally provisioned May use in combination with email aliases

8 Identifier Types Departmental IDs with enterprise scope Library cards, ID cards Policies require scrutiny Helpful if linked to uuid Pseudonymous IDs Unique, opaque identifier to ensure privacy to external world Administrative system IDs Employee IDs, Student IDs, etc. Typically centrally assigned May have competing policies

9 Managing identifiers Preparation through understanding

10 Inventory of Identifiers Scope …who issues, what populations, resources used for, entities, policy and enforcement Operational issues … reassignment, directory access keywords, user or machine-assigned, proof of identity, change requests Interrelationships … policies re. use of central authentication identifier, synchronization of authentication identifiers, assignment to all affiliates, prerequisite identifiers

11 Identifier Mapping For each identifier Map to functional needs Establish key characteristics Document relationship among identifiers Identify policy issues Document data flows into/among identifiers Fix – or acknowledge – problems

12 Identifier Map NameUseCharsNotesWho assigns Who receives WhereFormat/ Example Unix loginAccount, modem, labs Reassign, Revoke, Human Multi-sys admin, Revoke if inactive affil ITS, Sysadmins Active fac, staff, students, sponsors Indv servers, uniquid 8 char alpha- numeric Vaughan SIDSIS identifier Non- reassign Revoke Unique sis SSN else 9N Change allowed Registrar or system Students Incl cont ed SIS9N SSNFormer HR ID, FIS ID, ememo ID Non- reassign, non-revke, Unique USA Replaced by emplid in HR US GovAll rcvg taxable $$ in US PS HR, FIS, SIS, Buff1Card 9N

13 Identity Management - Reconciliation The million dollar question: Does this person already exist? Map incoming attributes to existing attributes Incoming Employee ID = existing employee ID? Incoming SID = existing SID? Incoming SSN = existing SSN, existing SID, previous SID? If yes matching identifier, still check for (dob + gender) match If no matching identifier, look for (dob + gender + name) match

14 Registry Identifier Mapping Distinct sources for distinct roles Unique identifiers for each system Blending together to build a CU Person Generating a unique directory entry dn: uuid=123456789,ou=people,dc=colorado,dc=edu HR fac/staff; empID SIS student; SID FIS faculty; SSN Uniquid accounts; unix ID IDcard photos; ISO Telecom phone locn phone # CU Person uuid

15 Identifier mapping results Policy regarding registry uuid, directory dn Automatically generated for each new affiliate Permanent, non-revokable, non-reassignable Public Policy-based identity reconciliation logic SIS and HR are the only trusted identity sources HR has precedence over SIS for SSN Identifiers not guaranteed across systems (dob, gender) Source system identifiers must map to uuid

16 Identifier puzzlers Resolving reconciliation exceptions Coordination among system/data owners Correction process Gathering identity attributes from ‘external’ affiliates Coordinating policies Identity interoperability among technologies

17 Discuss!

Download ppt "Technical Primer: Identifiers Internet2 Base CAMP Boulder, Colorado June, 2002."

Similar presentations

Working with Data Managers Renee Woodten Frost Internet2 Middleware Initiative University of Michigan Copyright Renee Woodten Frost 2003. This work is.

Working with Data Managers Renee Woodten Frost Internet2 Middleware Initiative University of Michigan Copyright Renee Woodten Frost This work is.
HRMS 8.9 Upgrade Person Model. Introduction One of the significant changes to HRMS with the upgrade to 8.9 is the new Person Model. This course provides.

HRMS 8.9 Upgrade Person Model. Introduction One of the significant changes to HRMS with the upgrade to 8.9 is the new Person Model. This course provides.
Identity Management at the University of Florida Mike Conlon, Director of Data Infrastructure University of Florida, Gainesville, Florida Background Identity.

Identity Management at the University of Florida Mike Conlon, Director of Data Infrastructure University of Florida, Gainesville, Florida Background Identity.
ELAG Trondheim 2004 1 Distributed Access Control - BIBSYS and the FEIDE solution Sigbjørn Holmslet, BIBSYS, Norway Ingrid Melve, UNINET, Norway.

ELAG Trondheim Distributed Access Control - BIBSYS and the FEIDE solution Sigbjørn Holmslet, BIBSYS, Norway Ingrid Melve, UNINET, Norway.
Copyright Tom Parker, Ron DiNapoli, Andrea Beesing, Joy Veronneau 2004. This work is the intellectual property of the authors. Permission is granted for.

Copyright Tom Parker, Ron DiNapoli, Andrea Beesing, Joy Veronneau This work is the intellectual property of the authors. Permission is granted for.
Copyright Ann West 2003. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial,

Copyright Ann West This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial,
Identity Management at USC: Collaboration, Governance, Access Margaret Harrington Director, Organization Improvement Services Brendan Bellina Identity.

Identity Management at USC: Collaboration, Governance, Access Margaret Harrington Director, Organization Improvement Services Brendan Bellina Identity.
Cross Platform Single Sign On using client certificates Emmanuel Ormancey, Alberto Pace Internet Services group CERN, Information Technology department.

Cross Platform Single Sign On using client certificates Emmanuel Ormancey, Alberto Pace Internet Services group CERN, Information Technology department.
Provisioning of Services Authentication Requirements David Henry Office of Information Technology University of Maryland

Provisioning of Services Authentication Requirements David Henry Office of Information Technology University of Maryland
Technical Issues with Establishing Levels of Assurance Zephyr McLaughlin Lead, Security Middleware Computing & Communications University of Washington.

Technical Issues with Establishing Levels of Assurance Zephyr McLaughlin Lead, Security Middleware Computing & Communications University of Washington.
Active Directory: Final Solution to Enterprise System Integration

Active Directory: Final Solution to Enterprise System Integration
CNI Fall 1998 Access Management Requirements and Approaches Joan Gargano California Digital Library

CNI Fall 1998 Access Management Requirements and Approaches Joan Gargano California Digital Library
UCB Enterprise Directory Services. Directory Services – Project History  Requirements defined  Project commission & goals articulated  Project teams.

UCB Enterprise Directory Services. Directory Services – Project History  Requirements defined  Project commission & goals articulated  Project teams.
June 1, 2001 Enterprise Directory Service at College Park David Henry Office of Information Technology University of Maryland College Park

June 1, 2001 Enterprise Directory Service at College Park David Henry Office of Information Technology University of Maryland College Park
Middleware & Enterprise Services at College Park David Henry Office of Information Technology November 16, 2001.

Middleware & Enterprise Services at College Park David Henry Office of Information Technology November 16, 2001.
UCB Enterprise Directory Services. Directory Services – Project History  Requirements defined  Project commission & goals articulated  Project teams.

UCB Enterprise Directory Services. Directory Services – Project History  Requirements defined  Project commission & goals articulated  Project teams.
Directory Services Project University of Colorado at Boulder.

Directory Services Project University of Colorado at Boulder.
Peter Deutsch Director, I&IT Systems July 12, 2005

Peter Deutsch Director, I&IT Systems July 12, 2005
KEAS K-State Enterprise Authentication System CITAC April 26, 2002.

KEAS K-State Enterprise Authentication System CITAC April 26, 2002.
Directory Services Project University of Colorado at Boulder.

Directory Services Project University of Colorado at Boulder.

Similar presentations

Ads by Google