Presentation is loading. Please wait.

Presentation is loading. Please wait.

Identity Management Internet2 Fall Meeting Jack Suess, CIO, UMBC

Published byClyde Jordan Modified over 9 years ago

Similar presentations

Presentation on theme: "Identity Management Internet2 Fall Meeting Jack Suess, CIO, UMBC"— Presentation transcript:

1 Identity Management Internet2 Fall Meeting Jack Suess, CIO, UMBC http://userpages.umbc.edu/~jack/talks/idman.htm

2 2 Identity Management Definition What do we mean by Identity Management? CSU definition - An identity management infrastructure is a collection of technology and policy that enables networked computer systems to determine who has access to them, what resources the person is authorized to access, while protecting individual privacy and access to confidential information.

3 3 Let’s Analyze the Definition Infrastructure - software and hardware Collection - not just technology Technology and policy - Policy is as important as technology Networked computer systems - implies distributed technology and communication over the network Access - Who am I Authorized - What can I do Protecting - limiting access and protecting information

4 4 Infrastructure for Identity Management Common elements System of record (SOR) - system for identifying university membership (e.g. SIS, HR, Alumni) Registry - aggregation point where key data elements from SOR are integrated Directory - LDAP service that organizes registry information and responds to requests Authenticator - service that authenticates (e.g. Kerberos) WebISO - web-based authentication Groups - university roles Services - application services that utilize IdM Policy - definitions and structure

5 5 UMBC Directory Architecture

6 6 Authentication API University Addressbook OnCourse Active Directory SteelWeb PgsPplSftInsite Shakes/ Jewels ----------------- Applications and Services ------------------ Modems Foundation Other University Affiliations Continuing Studies Others University People Information Eclipse Alumni MY IUUIS Appl Virtual Private Network (VPN) ERAFIS Demographic Data HR Data Others LibraryOthers Personal Account Creation & Administration (Self Service) Authorization API Information Extract (LDAP) Extract/Load Process GDS Enterprise Directory/ Information Store PIN Token Password Authentication SIDEMPID ISN MATH Major C201 UITS IUK IU.EDU E-mail Name Space Grades Clerk Acct Manager HR Rep Advisor Kerberos Safeword AS Server Core Services Authorization & Roles DB Other Directories ADS, Departmental Accounts Staff Local/ Campus Support Providers Account/Information Mgt & Maint

7 7 Technology and Policy Policy Issues Rules for membership in your community. Who is an active student, who is a faculty member, who is an alumni? Who is eligible for an account? Under what circumstances? What services are they allowed to access? Who can sponsor affiliate members? How long do you remain a member of the community? What about guests or the public?

8 8 Authentication and Authorization Authentication - Who am I? Shared secret -- password? Secret key - PKI Biometrics/other? Authorization - What am I allowed to do or access? Affinity groups are defined and populated. Roles are based on a combination of affinities. Identity Management system must answer both questions.

9 9 Security and Availability An Identity Management (IdM) system is a the heart of defining who may have accounts on different systems The IdM is exposed to the Internet and must be hardened and protected as a critical IT resource Key Issues: Failover Capacity to meet peak loads Capacity to meet critical service needs Replication and distribution are key

10 10 Beginning an Identity Management Project Executive sponsorship is critical. Develop a business case for the project and treat it like any other development project The project will have tremendous implications inside IT on how you provide services, make certain you get everyone on board. The project requires access to data. Get agreements in place from data stewards before beginning project. Don’t scrimp on hardware, focus on 99.999 uptime

11 11 Questions to Answer What follows are some questions you want to have answered prior to starting your Identity Management project

12 12 How do you define who is eligible for different services? Obvious: staff, faculty, students Less obvious: –Alumni, supporters? –Parents –Sponsored or affiliate ID’s –Transient e.g. meetings and conferences –Former employees –Research partners –Affiliates: auxiliaries, credit union, teachers

13 13 Eligibility -- Thorny Issues Intermittent roles – persistent ID’s? –Lecturers, seasonal employees –students Multiple roles – change roles, keep ID’s? –Student workers –Staff students Multi-campus issues- common id across system? Does everyone need to be in your IDM? “Frontier-class” service

14 14 Eligibility -- Create Policy First Indiana Policy defines who can have and sponsor accounts. Accounts Management System will implement policy in software.

15 15 What were the challenges in creating a single namespace? Once you define who is eligible to be in your IM you must create a person registry from multipe SOR. For each person in the registry you must define an account name. Dealing with conflicts is a political challenge. Get agreement on ground rules prior to starting the project. Provide flexibility. People care more about their email address than they do their username! When creating new authentication service, require strong passwords!

16 16 Indiana University Name Space Had to work across 8 campuses plus 4 major data centers Ground work in 1988 with "username format summit"*Namespace consolidation project began "in earnest" in 1997 Required high-level leverage (University CIO) Consisted of iterative generation and review of name lists of various naming organizations Person who had name first got to keep it Took 3 years to complete

17 17 Namespace Person who had an identifier the longest got to keep it Took over 3 years to complete In 2002, moved namespace to enterprise LDAP directory UMBC created common namespace in 1995 when we merged academic and administrative computing In 2002 we allowed users to select account name and promote that they create custom email aliases (up to 3). Giving custom email aliases lessens namespace complaints

18 18 Distribution of Credentials Identity Management usually necessitates automated distribution of credentials Credentials are managed through an account management system Faculty/staff/students initiate account process online. Account holders (faculty/staff) may be authorized to sponsor affiliates. Affiliate accounts are linked to the sponsor.

19 19 Will authentication strength vary by application type? Consider providing alternative authentication methods and allow services to specify level of authentication and timeout period We use two levels and we are looking at a third level { id : pin ; username:password } We would like a third level that we use in addition to username:password WebISO defines password level, timeout duration, attributes released, etc.

20 20 How do you handle authorization to services? Problem: our legacy services assumed that authentication implies authorization. Remedy: Use IdM to define affiliations and control access by group membership Strategy: Create 15-20 automatically maintained major affiliation types (example: faculty, staff, student, affiliate and several gradations of each) to define roles Challenge: It isn’t easy to keep this maintained and not all services can use groups

21 21 How do you insure privacy and accountability? Rapidly evolving area -- GLB,HIPAA, CA SB-1386, etc. Directory services allows services to be delegated more broadly -- make sure staff that get access are trained in privacy regulations Review logging procedures and log retention Limit who has direct access to the directory and who can update the directory IdM can serve role as translator and lessen use of private data such as SSN One consequence of directories is that it can facilitate spamming, limit trolling

22 22 Revocation of Credentials? Worked with IT Steering Committee and faculty senate 18 months on account deletion plans. Developed state diagram, accounts transition through these states. Time in each state is determined by UMBCperson affiliation Requires ability to delegate authority on accounts to sponsoring entity. They can sponsor anyone but take responsibility for those they sponsor. Runs nightly based on last effective date Highly political - everyone wants free access

23 23 Account State Diagram

24 24 Revocation (cont)

25 25 Future Plans Expanding person affinities and defining the group membership criteria Implement Shibboleth with our Web-ISO Implement user-selectable privacy filters for user controlled release of information Expand the API for our using our WebISO

26 26 Questions Jack Suess - jack@umbc.edujack@umbc.edu Online Slides http://userpages.umbc.edu/~jack/talks/idman.htm Resources: http://middleware.internet2.edu/ http://www.nmi-edit.org/

Download ppt "Identity Management Internet2 Fall Meeting Jack Suess, CIO, UMBC"

Similar presentations

Darton College Information Systems Use Policies. Introduction Dartons Information Systems are critical resources. The Information Systems Use Policies.

Darton College Information Systems Use Policies. Introduction Dartons Information Systems are critical resources. The Information Systems Use Policies.
Defining the Security Domain Marilu Goodyear John H. Louis University of Kansas.

Defining the Security Domain Marilu Goodyear John H. Louis University of Kansas.
Credentialing, Levels of Assurance and Risk: What’s Good Enough Dr. Michael Conlon Director of Data Infrastructure University of Florida.

Credentialing, Levels of Assurance and Risk: What’s Good Enough Dr. Michael Conlon Director of Data Infrastructure University of Florida.
Identity Management at the University of Florida Mike Conlon, Director of Data Infrastructure University of Florida, Gainesville, Florida Background Identity.

Identity Management at the University of Florida Mike Conlon, Director of Data Infrastructure University of Florida, Gainesville, Florida Background Identity.
1 Collaborators at the Gates of Troy: Extending eServices at USC.

1 Collaborators at the Gates of Troy: Extending eServices at USC.
Provisioning of Services Authentication Requirements David Henry Office of Information Technology University of Maryland

Provisioning of Services Authentication Requirements David Henry Office of Information Technology University of Maryland
Identity Management Realities in Higher Education NET Quarterly Meeting January 12, 2005.

Identity Management Realities in Higher Education NET Quarterly Meeting January 12, 2005.
David L. Wasley Information Resources & Communications Office of the President University of California Directories and PKI Basic Components of Middleware.

David L. Wasley Information Resources & Communications Office of the President University of California Directories and PKI Basic Components of Middleware.
Active Directory: Final Solution to Enterprise System Integration

Active Directory: Final Solution to Enterprise System Integration
CNI Fall 1998 Access Management Requirements and Approaches Joan Gargano California Digital Library

CNI Fall 1998 Access Management Requirements and Approaches Joan Gargano California Digital Library
UCB Enterprise Directory Services. Directory Services – Project History  Requirements defined  Project commission & goals articulated  Project teams.

UCB Enterprise Directory Services. Directory Services – Project History  Requirements defined  Project commission & goals articulated  Project teams.
Understanding Active Directory

Understanding Active Directory
Information Resources and Communications University of California, Office of the President Current Identity Management Initiatives at UC & Beyond: UCTrust.

Information Resources and Communications University of California, Office of the President Current Identity Management Initiatives at UC & Beyond: UCTrust.
June 1, 2001 Enterprise Directory Service at College Park David Henry Office of Information Technology University of Maryland College Park

June 1, 2001 Enterprise Directory Service at College Park David Henry Office of Information Technology University of Maryland College Park
Information Resources and Communications University of California, Office of the President UCTrust Implementation Experiences David Walker, UCOP Albert.

Information Resources and Communications University of California, Office of the President UCTrust Implementation Experiences David Walker, UCOP Albert.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 1: Introduction to Windows Server 2003.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 1: Introduction to Windows Server 2003.
UCB Enterprise Directory Services. Directory Services – Project History  Requirements defined  Project commission & goals articulated  Project teams.

UCB Enterprise Directory Services. Directory Services – Project History  Requirements defined  Project commission & goals articulated  Project teams.
Peter Deutsch Director, I&IT Systems July 12, 2005

Peter Deutsch Director, I&IT Systems July 12, 2005
Identity and Access Management

Identity and Access Management
CAMP Med Mapping HIPAA to the Middleware Layer Sandra Senti Biological Sciences Division University of Chicago C opyright Sandra Senti,

CAMP Med Mapping HIPAA to the Middleware Layer Sandra Senti Biological Sciences Division University of Chicago C opyright Sandra Senti,

Similar presentations

Ads by Google