
1 IDENTITY PROBLEM Too Many User Names and Passwords Across Multiple Systems

2 Multiple Directories
- AD/eDir/Open Directory
- Email
- Student Information System
- Payroll/Finance
- Lunch Systems
- Transportation Systems
- Library Systems
- Printing
- Parent Calling Systems (Parentlink)
- Phones
- Security Cameras
- VPN Remote Authentication
- Door Security Systems
- District Web Page Administration
- Digital Online-Based Learning Programs / Instructional Applications: Read180, Read Naturally, Renaissance Place
- Course Management Systems (Moodle, Blackboard, Schoology, etc.)

3 All Directories Using the Same Basic Information
- Name (student and staff)
- Login name or ID (student and staff)
- Password (student and staff)
- Identification information
- Address (school building location)
- Phone
- Email
- Grade or graduation year for students
- Job classification for staff

4 Many Directories = Multiple Points of Manual Entry
- Double or triple the management of the same user account (too much manual entry)
- Multiple chances for errors: incorrect information, inconsistent formatting
- Poor security: every extra copy of a credential is one more store to protect, and users reuse passwords across systems that do not share one
- Changing and resetting passwords requires manual support
- Result: many applications are under-utilized or not used at all.

5 Solution Strategies
- Get user and resource information from a common source or directory.
- Use applications which share a common directory.
- Link directories together.
- Purchase applications that are directory-aware and can authenticate users against an external directory.

6 LDAP
LDAP is a standard directory protocol supported on all major network platforms, so it gives applications one common way to look up and authenticate users against a single directory.
- Avoids the need to copy passwords: the application hands the user's credentials to the directory (an LDAP bind) instead of keeping its own copy.
- Permits applications to authenticate users against a common directory.
- Reasonably easy to transfer directory information if needed.
- Easier to move information, including user names.
- Caveat: a simple bind sends the password in clear text, so every application-to-directory connection should use LDAPS or StartTLS, and the service account an application uses for lookups should be read-only.
BUT
- Adding and deleting users in other applications remains a challenge.
- There is often an added cost for some applications to link to LDAP.
- Formats of LDAP directories (schemas and attribute names) are not always consistent.

7 SIF Implementation
- Uses a central integration server to manage user names, passwords and other directory data among applications.
- Requires the install and setup of a Zone Integration Server (ZIS), either locally or remote.
- A SIF agent is required on every software application connected to the Zone Integration Server.
- SIF is limited to the fields included in the specification.
- Management of SIF can be challenging.
- SIF is not a cheap solution.

8 3rd Party Software Solutions
Acts as an intermediary between applications and directories:
- Novell Identity Manager
- Identity Automation
- Advanced Toolware
- IBM Tivoli Identity Manager
- Oracle Identity Management
- CA Identity Manager (CA Technologies)

9 North Branch Beginnings
- Linked GroupWise to eDirectory (LDAP) for a common user name and password.
- Linked other applications to eDirectory via LDAP for a common user name and password and easy authentication:
  - Central Printing System
  - District Website (rSchool)
  - PD360
  - Destiny
  - VPN (Fortinet)
- Uploaded student and staff information to other applications using an exported data file from the Student Information System (Skyward):
  - Parent Calling System (Parentlink)
  - Renaissance Place
  - Edulog
  - Read Naturally
  - Odyssey

10 Remaining Challenges
- Deprovisioning users from external systems.
- Migration to Active Directory and Google Apps (email) removed the link between LDAP and email for a common user name and password.
- Phone system remains independent.
- Migration to TIES for our student information system removed the ability to create custom user accounts for students.
- Limited link between TSIS and the Lite Lunch System.
- Links to some hosted applications remain a challenge.

11 North Branch Going Forward
- 3rd party solution with Identity Automation.
- Issues that we needed to resolve before the beginning of school:
  - Creating new student accounts in Active Directory from TSIS
  - Creating home directories for these new student accounts in AD
  - Creating student email accounts linked with AD
  - Linking staff Active Directory accounts with the Google Apps domain

12 North Branch IDM Provisioning for Student Accounts
- An automated process pulls a CSV file from our TIES Student Information System, one student per row.
- The CSV file (pulled from TSIS) is used by IDM to automatically create all student accounts in AD using DSS with a scheduled process.
- IDM creates the user accounts from several data fields in the CSV file, such as the student's first and last name, login ID, password, grade, etc.
- Custom user accounts created by the IDM product are then automatically provisioned to Google Apps to create student email addresses (Google Apps accounts).
- A report file is emailed to specific staff listing the new students added to Active Directory.

13 North Branch IDM De-Provisioning for Student Accounts
- An automated process pulls a CSV file from our TIES Student Information System that includes student information. Students not listed in this file are considered no longer in the district.
- An IDM report script is set up to run automatically and email lists of students to be de-provisioned.
- A manual script is set up to run de-provision tasks against student AD and Google Apps email accounts.
- The de-provision script disables the student AD account and suspends the student Google Apps email account.
- An automated delete report script emails a report of accounts to delete from AD and Google.
- A manual delete script can be run; it will only delete accounts that have not been accessed in over 365 days.
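The scheduled jobs on slides 12 and 13 together amount to a reconciliation of the SIS roster against the directory: accounts in the roster but not the directory get created, enabled accounts missing from the roster get disabled (AD) and suspended (Google), and only already-disabled accounts idle for more than 365 days are deleted. The Python below is an added example of that reconciliation, not the district's DSS action-sets or any Identity Automation code. The roster CSV, the column names, the directory snapshot, the run date and the 25% safety threshold are all constructed assumptions. It adds one guardrail the slides do not mention: because "not in the file" means "withdrawn", an empty or truncated export would disable every student in one run, so the plan refuses to proceed when more than a set fraction of enabled accounts would be disabled. Accounts with no recorded access are routed to manual review rather than deleted. The real export also carries an initial password column; that file needs the same protection as the directory it feeds (restricted share, encrypted transfer), and this example leaves the column out entirely.

```python
import csv
import io
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Constructed sample export (not a real TIES/TSIS file). The real export also
# carries an initial password column; it is deliberately omitted here.
ROSTER_CSV = """student_id,first_name,last_name,login_id,grade
1001,Ada,Lovelace,alovelace,9
1002,Alan,Turing,aturing,10
1003,Grace,Hopper,ghopper,11
1004,Margaret,Hamilton,mhamilton,12
1005,Donald,Knuth,dknuth,9
1006,Rita,Return,rreturn,10
"""

TODAY = date(2013, 9, 1)  # assumed run date for the example


@dataclass
class Account:
    login_id: str
    enabled: bool
    last_access: Optional[date]  # None: the account has never been used


# Constructed snapshot of the AD/Google state (hypothetical accounts).
DIRECTORY = {
    "aturing":   Account("aturing",   True,  date(2013, 8, 30)),
    "ghopper":   Account("ghopper",   True,  date(2013, 8, 29)),
    "mhamilton": Account("mhamilton", True,  date(2013, 8, 28)),
    "dknuth":    Account("dknuth",    True,  date(2013, 8, 27)),
    "cbabbage":  Account("cbabbage",  True,  date(2013, 5, 30)),  # withdrawn, still enabled
    "rreturn":   Account("rreturn",   False, date(2013, 1, 15)),  # disabled earlier, re-enrolled
    "jdoe":      Account("jdoe",      False, date(2012, 3, 1)),   # disabled, idle > 365 days
    "nnever":    Account("nnever",    False, None),               # disabled, never logged on
}


@dataclass
class Plan:
    create: list = field(default_factory=list)   # in roster, not in directory
    enable: list = field(default_factory=list)   # in roster, currently disabled
    disable: list = field(default_factory=list)  # enabled, missing from roster
    delete: list = field(default_factory=list)   # disabled and idle past the cutoff
    review: list = field(default_factory=list)   # disabled, no access date: manual check


REQUIRED = {"student_id", "first_name", "last_name", "login_id", "grade"}


def parse_roster(text: str) -> dict:
    """Parse the SIS export. An empty file or one missing columns is rejected,
    because an empty roster would otherwise read as 'everyone withdrew'."""
    reader = csv.DictReader(io.StringIO(text))
    rows = list(reader)
    if not rows or not REQUIRED <= set(reader.fieldnames or ()):
        raise ValueError("roster is empty or lacks required columns")
    logins = [r["login_id"].strip().lower() for r in rows]
    if len(set(logins)) != len(logins):
        raise ValueError("duplicate login_id values in roster")
    return dict(zip(logins, rows))


def build_plan(roster: dict, directory: dict, today: date = TODAY,
               delete_after_days: int = 365,
               max_disable_fraction: float = 0.25) -> Plan:
    """Diff the roster against the directory. The fraction guard (assumed 25%)
    stops a truncated export from disabling most of the district in one run."""
    enabled = [a for a in directory.values() if a.enabled]
    stale = [a for a in enabled if a.login_id not in roster]
    if enabled and len(stale) / len(enabled) > max_disable_fraction:
        raise ValueError(f"refusing run: {len(stale)} of {len(enabled)} enabled "
                         "accounts are missing from the roster; check the export")
    cutoff = today - timedelta(days=delete_after_days)
    plan = Plan()
    for login in roster:
        acct = directory.get(login)
        if acct is None:
            plan.create.append(login)
        elif not acct.enabled:
            plan.enable.append(login)
    for acct in directory.values():
        if acct.login_id in roster:
            continue
        if acct.enabled:
            plan.disable.append(acct.login_id)   # disable in AD, suspend in Google
        elif acct.last_access is None:
            plan.review.append(acct.login_id)    # never used: do not guess, review
        elif acct.last_access < cutoff:
            plan.delete.append(acct.login_id)    # two-stage: only already-disabled accounts
    return plan


def plan_for(roster_text: str, today: date = TODAY) -> Plan:
    return build_plan(parse_roster(roster_text), DIRECTORY, today)


if __name__ == "__main__":
    for stage, logins in vars(plan_for(ROSTER_CSV)).items():
        print(f"{stage:8} {', '.join(logins) or '-'}")
```

The Plan object is the "report emailed to staff" stage from the slides; the actual disable, suspend and delete calls would consume it in a separate step, which keeps the destructive actions reviewable and lets the fraction guard fail the job before anything is touched.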

14 North Branch IDM Provisioning for Staff Accounts
- Automated export of data from Skyward to our FTP server.
- The Skyward XML file is used by IDM to create all staff accounts in AD (still a work in progress).
- IDM creates the user accounts from several data fields in this file, such as first and last name.
- Custom user accounts created by the IDM product are then provisioned to Google Apps to create staff email addresses.
- Password synchronization between AD and Google accounts.
- A report file is emailed to specific staff listing the new staff added to AD and Google Apps.

15 North Branch IDM De-Provisioning for Staff Accounts
- Manual process still in place.
- Unable to create an automated method for determining staff no longer employed using the information from Skyward Finance.
- Receive email from the District Office with a list of staff no longer employed by the District.

16 North Branch Application User Automation
- Parent Calling System (Parentlink), hosted solution: set up an automated pull of student data from TSIS into comma-delimited text files. A scheduled task pushes these files to Parentlink using a WinSCP process.
- Destiny (hosted): beginning to look at an automated method of pulling data from TSIS and pushing it into Destiny using the tools they provide.
- Central Printing (local): beginning to look at DSS as a solution for provisioning and deprovisioning staff accounts in this SQL Server database.

17 Identity Automation Tools
- Account Management
- Password Management
- User Self-Service Management
- Group Management
- Sponsorship Management
- Workflow Management
- Detailed Reporting

18 Identity Automation
Welcome Timothy Till (Identity Automation)
GoToMeeting: https://www1.gotomeeting.com/join/929012656
Dial +1 (773) 945-1018
Access Code: 929-012-656
Meeting ID: 929-012-656

19 DSS Data Synchronization System
- Defined action-sets in DSS are what provision and de-provision accounts in all our system directories.
- Application with a built-in tool-set that can move, transform and validate data between disparate systems.
- Powerful reporting engine for real-time reporting against data assets housed in connected systems.
- DSS is made up of user-defined action-sets processed by the DSS "engine" using scheduler or API triggers.

20 DSS Adapters
- Command Line Interface (CLI)
- Database (JDBC-compliant DB)
- EDI (X12 HIPAA)
- LDAP (AD, eDir, OpenLDAP, etc.)
- Text (CSV, LDIF, XML)
- Web Services
- Also listed: Exchange, Google Apps, GroupWise, KeepnTrack, Live@EDU, Office 365, Raptor, V-soft, SharePoint, Workday, Zendesk, Zimbra

21 DSS Action Builder

22 ARMS Access Request Management System
- Premier end-user facing identity management tool.
- ARMS is a suite of tools made up of multiple modules.
- Cross-platform, allowing users to interact with the system on any major browser.
- Mobile-accessible interface for BlackBerry, Android, iPhone, and Windows Mobile.
Modules: Account Management, Application Access, Group Management, Reporting, Sponsorship, Workflow

23 ARMS Account Management
- Focus on user identities by providing self-service and delegated administration.
- Admins can use this module to reset passwords, reset challenge questions and unlock accounts.
- Custom delegations allow groups of users to take action upon a target group of users.
- Example: delegate password reset privileges to teachers so they can reset student passwords (scope the delegation to the teacher's own students, and log every reset, since a delegated reset is a credential change performed by a non-admin).
- Account Management demonstration video.

24 ARMS Application Access
- Controls what applications are presented to the user based on role within the district.
- Only presents application icons that are relevant to the end user, which improves the user experience.
- Supports single sign-on (SSO) for web apps unable to use the SAML-based Federated IMS.
- Product information webpage.

25 ARMS Application Access Application Dashboard

26 ARMS Group Management
- Full delegation of group management in AD and eDir environments.
- Distributes group ownership responsibility to decision makers.
- Supports static group assignments and dynamic nested group membership.
- Allows group managers to: create groups, delete groups, manage group sub-owners, manage group memberships.

27 ARMS Group Management My Groups

28 ARMS Sponsorship
- Provides a way to manage the lifecycle of "external" (contractors, subs, volunteers, temps) user accounts.
- An "external" account is any account managed outside of an authoritative source such as AD.
- Designated sponsors will be able to create, expire and delete accounts, as well as re-attest accounts and transfer accounts to other sponsors.

