Presenters (East to West): Suresh Balakrishnan, University System of Maryland Dennis Cromwell, Indiana University - Bloomington Melinda Jones, University of Colorado at Boulder Mark Crase, California State University David Bantz, University of Alaska Strategies for Directory Deployment - Centralized, Distributed, Federated, Decentralized
University System of Maryland Identity Management Infrastructure Vision, Architecture, and Strategies Suresh Balakrishnan,
Vision Create a unifying layer across autonomous institutions Identification Affiliation Provide transparent access to shared services Authentication Authorization Provide a foundation for more advanced services E.g. PKI Provide vehicle for coordination with K-12 education in the State Integrate education in Maryland into a broader fabric
Library Applications Currently in Use/Development Rock-n-Roll Reserves Digital Library Access Future Possibilities Shared and unique resources for institutions Multiple institutional affiliations Auto-populating the patron database
Architecture & Collaborative Efforts Highly Decentralized Implementation Context System-wide work group developing guidance materials Tool Kit Demonstrations of local and collaborative apps Testing Shibboleth
Indiana University Global Directory Services Centralized Directory Structure Flat name space – 150,000 actual users 100,000 students 20,000 faculty and appointed staff 30,000 others Seven Campuses Provides updates for the two authentication services – Kerberos and ADS Implements the Eduperson schema with extensions
Indiana University Directory Entries Directory automatically loaded from SIS, HR systems IU faculty, staff and students Sponsored Accounts Affiliates of IU Data is entered into PeopleSoft system Picked up as part of load. Account can not be created until entry in the Directory
Indiana University – Architecture Open LDAP Batch feeds from SIS and HRMS API for LDAP abstracts access ADS used in conjunction for non-enterprise type groups Account Management System and Address Book reads Directory
Indiana University Future Directions Real time updates from SIS/HRMS “Guest” stored in directory Cleaning up old technology components and integrate technical components Disaster Recovery replication and automatic failover Better purge procedures Decision Support functions
University of Colorado System 4 unique campuses – traditional, non- traditional, and health sciences + System Services Campus 49,000 students total (28,000 at Boulder campus) 22,000 employees Melinda Jones, University of Colorado at Boulder
Directory Services Project: Goals Develop common infrastructure Develop UCB Enterprise Directory Create trusted, authoritative data source Usable by variety of applications & services Identity, data & relationship management Authentication/Authorization
cn description seeAlso sn telephoneNumber userPassword Uuid, au activities & research alternateContact campus degreeInstitution & Yr employmentStartDate Expertise feesIndicator highestDegree homeDepartment ISO major, minor, class Privacy, SID, SSN cuEduPerson organizational Person person inetOrgPerson departmentNumber displayName, employeeNumber employeeType homePhone,homePost alAddress jpegPhoto, labeledURI mail, uid eduPerson affiliation jobClassification nickName orgDN orgUnitDN primaryAffiliation principalName schoolCollegeName facsimileTelephoneNumber ou, postalAddress, street, st, postsalCode, l postOfficeBox preferredDeliveryMethod,title colorado Person Macgridnumber Machomelocpath Machomedir cusysPerson Identifiers…
Core Team Steering Team Campus Experts Business Rules SISHR Boulder 4-Campus Registry Boulder/Central Enterprise Directory
Campus-specific University- wide Common Infrastructure WebCT AuthN MacOS AuthN UCB calendar Spons. Entry Card Office AuthN – ITS svcs Bldr UCB Directory Identity Recon. Directory Build cu.edu (concept) SISHR Registry White Pages CS Directory CUSYS Directory UCD Directory Faculty “Portal” Student Portal Library – Digital AuthN Identity/ Access Campus File System
The California State University 23 Campuses 1 Research Institution (R2) 21 4-year Comprehensive Institutions California Maritime Academy 400,000 Students 60,000 Faculty and Staff Mark Crase, California State University
Planning Activities Identified internal and external drivers for multi-campus approach Defined Development Principles: 1.Foster collaborative efforts among CSU campuses 2.Foster collaboration with others (I2, UC, CCC, etc.) 3.Use directories as the starting point for more comprehensive middleware effort 4.Standards-based w/o mandatory apps/tools 5.Initially, campus participation is voluntary, but adoption of eduPerson was mandatory Communicated at all levels of institution
Initial Deployment Objectives Maintain appearance of unified directory architecture Adopt a common view (eduPerson, etc.) Define common CSU objects and unique campus objects Adopt a system-wide unique identifier Security of Directory had to be no less that most secure application being supported Standards compliant, but no mandatory tools (LDAP now, others later)
Initial Architecture Proposal Distributed directory model (campus directories, LDAP v3 referrals to all others) Domain component naming Adoption of eduPerson 1.0 (now 2.0) Extension to calstateEduPerson (affiliation, major, SecurityFlag, VOIP address) Provision for campusEduPerson attributes Global unique ID based on “uniqueness” algorithm Secure directory servers (SSL )
Final Recommendations Central directory servers (redundant and diverse) Submit campus data to system wide directory registry service (like DoDHE CDS) Common view with extensions, unique ID, security, Minimum central attributes option Expanded central attributes option
UA Enterprise Directory Centralized core data Campus applications Contacts: self-service
University of Alaska
UA Directory Status 67,000 students; 10,000 employees; 760 departments Departments fork linked to employees Web gateway interface supports searching, listing, self-service data Scheduled & ad hoc batch updates from multiple sources
UA Enterprise Directory Strategy Environmental Challenges Distributed implementation team Complex interface constraints - based on attributes or roles Sub-set vs. super-set philosophies
Two phase commit for self-service edits (Registry/EDir) Registry (Oracle db) enforces UA rules (syntax, constraints, validation values) Distributed admin facilitated by attribute-based roles (role-based ACIs) UA Enterprise Directory Responses to Challenges
UA Directory Architecture SQL
B*ntz Directory Search (Anon.)
Directory Search (Auth.)
Detailed Results (Anon.)
Self-service edits (Auth.)
Employee ids, student ids, social security identifiers are not stored in the Directory Web gateway intermediary communicates only via SSL Data changed only by “known” processes (web gateway or MAU IT) Gateway limits bulk harvesting Protecting Information