1 Extending Authenticated Online Services with "Friend Accounts" at Washington State University Brian Foley Technology Architect/Application Developer Washington State University 2007 Washington State University This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

2 Summary About Washington State University Identity Management at WSU Need for Friend Accounts Friend Accounts Project Friend Accounts Demo Future Use Recap Questions

3 About Washington State University Land-grant university founded in ,428 students statewide Research I status Four regional campuses Multiple learning centers Distance education program 10 Colleges and a Graduate School 245 Fields of Study with over 150 majors

4 Pullman Tri-Cities Vancouver Spokane ~DDP~

5

6 Identity Management at WSU WSU’s technology environment as relevant to Friend Accounts…

8 Identity Management at WSU Active Directory Primary identity store User accounts, user attributes, group memberships, and computer accounts Authenticates users to web and computer resources Group memberships for authorizations Single Sign On with Active Directory Federation Services (ADFS) Provisioning of identity information with Microsoft Identity Integration Server (MIIS)

9 Identity Management at WSU WSU Network ID’s –Must have a WSU ID Number to be eligible for a Network ID WSU ID Number –Nine digit unique identifier –Only WSU Student, Faculty, or Staff are eligible for a WSU ID Number –Assigned at the point that an associate is entered into core legacy system and is the primary key

10 Need for Friend Accounts Non-WSU students attending WSU courses and guest teachers/lecturers –Learning Management Systems WebCT, Blackboard, SharePoint –Lab access –“myWSU” portal access –VPN wireless network access

11 Need for Friend Accounts Parents/Guardians/Relatives/Spouse –Online electronic payments of tuition, housing, child care, etc. NACHA Requirements –Precursor to “Proxy Access”

12 Need for Friend Accounts Prospective Employers & Outside Advisors –View online portfolios (“mySite”) Conference Attendees –VPN wireless network access Search Committees/Advisory Groups with non-WSU members –SharePoint collaboration sites

13 Friend Accounts Project Project Team Collaborative project between two ITS groups –University Information System Services Director, Student Systems Coordinator, Data Architect, Technology Architect, 2-3 Application Developer/Analysts Analysis, Design, Development, and Implementation of application –Operations & System Support (Infrastructure) Director, Coordinator, Systems Developer/Analyst Analysis, Design, Development, and Implementation of identity provisioning interfaces.

14 Friend Accounts Project Design Decisions Friend Accounts to reside in Active Directory –Parallel to Network IDs Authentication identical to Network IDs –Resources that authenticate against Active Directory should not have to change to be able to authenticate Friend Accounts (although some business rules may change after authentication) Friend Account user ID is equal to the “friend’s” address

15 Friend Accounts Project Design Decisions Friend Account ID must be changeable –As address changes we must allow user to change Friend Account ID Different types of authorizations –Role-based sponsorship to specific resources VPN Wireless Network, Class resources, myWSU Portal, etc. –External authorizations Online portfolio, SharePoint collaboration sites, etc. –Automatic authorizations Authorized if authenticated (no authorization, just authentication)

16 Friend Accounts Project Design Decisions Friend Account does NOT have a WSU ID Number –Friend Account holders do not have a student/faculty/staff official relationship with the university –Not entered into WSU’s core legacy administrative systems –Alternate unique identifier generated when created CN = sAMAccountName = “fred!F4679”

17 Friend Accounts Project Design Decisions Friend Account can be created by a sponsor or by self-service –User with WSU Network ID or a Friend Account can sponsor the creation of a Friend Account Sponsor can grant authorizations to resources at the same time (depending on sponsor’s role) –“Friend” can create a Friend Account on their own “Friend” cannot grant their own authorizations to resources

18 Friend Accounts Project Design Decisions Friend Account Activation/Verification –Friend Accounts are created in “expired” status, and are non-functional –Activation is sent to the Friend Account holder at the address that his/her Friend Account ID is named after –Friend Account holder receives the Activation containing a one-time randomly generated password

19 Friend Accounts Project Design Decisions Friend Account Activation/Verification –Friend Account holder must go to Friend Accounts web page to activate their account and reset password –Friend Account holder verifies his/her Name and Address information and indicates if that information should be restricted from the campus directory –Friend Account is then set to active and resource authorizations (if any) are provisioned into Active Directory, myWSU portal, etc.

20 Friend Accounts Project Design Decisions Class Resource Authorizations –Needed for a non-WSU student taking a WSU course or a guest teacher/lecturer –Authorization to class resources are sponsored by authorizing to course section(s) Only WSU employees can sponsor class resource authorizations –Class “membership” provisioned to Active Directory groups, myWSU portal groups, and Learning Management Systems

21 Identity Management at WSU WSU’s new technology environment as relevant to Friend Accounts…

23 Friend Accounts Demo Scenario: –I am a WSU teacher with a non-WSU student attending my course. I have a Blackboard site for my class that I need her to be able to participate in. The student also needs access to the myWSU Portal. Sponsored creation and authorizations…  WSU Employee role  Non-WSU Student role

24 Future Use Proxy Access –Granted Authorizations Students would give parents/relatives/spouse/etc. access to view their myWSU services/data –Increased Security Students would no longer feel the need to give their parents their Network ID and Password

25 Future Use Proxy Access –Example: Student gives access to her mom to be able to see her account balances and class schedule. She also gives her dad access to see her grades and her DARS degree audit. Both mom and dad would have a Friend Account that she could give specific proxy authorizations to. Note: She could also give proxy access to her spouse, who is also a WSU student and has a WSU Network ID (proxy access not restricted to Friend Accounts).

26 Recap Success! –Non-WSU students/teachers –Conference attendees –Parents/Guardians/Family –Outside advisors –Consultants Excellent Feedback –Highlighted on front page of WSU newspaper –Departments are excited

27 Questions? Brian Foley Technology Architect / Applications Developer Analyst University Information Systems Services Washington State University