UCLA Enterprise Directory Identity Management Infrastructure UC Enrollment Service Technical Conference October 16, 2007 Ying Ma

Identity Management Overview Automate processes for: Identifying and grouping individuals Granting permissions and access transparently Revoking access efficiently Streamlining administration and management Tracking and reporting access patterns ** ENTERPRISE-WIDE! **

Benefits Single enterprise-wide solution –Simplifies and standardizes –Reduces errors Automatic provisioning workflow Instantaneous ability to revoke at-risk access across campus Reduction of hidden costs of independent solutions Full auditability – who has access to what & when ** Better User Experience and Tighter Security **

Planning & Budgeting Consultant from the Burton Group Project funded for $1.5 Million Evaluated JES and other Commercial IdM products Purchased Sun Java Directory only Hired 2 new staffs – A team of 5 but not dedicated to IdM

Current Features Enterprise-wide identity repository – Enterprise Directory Single Logon ID – UCLA Logon ID Integrated account creation with URSA (student portal) Web Single Sign-on - ISIS Federation support - Shibboleth / UCTrust

Enterprise Directory Every person at UCLA has one electronic identity in ED –Consolidate data between different sources –Map multiple IDs together –Analyze on attribute by attribute basis: common definition of attribute data collection / transformation logic access control rules Standard way for conflict resolution Superset of the legacy University ID system –Traditional UID is a 9 digit number for students and employees –UCLA Logon ID is a string of 2-15 alphanumeric characters for everyone

UCLA Logon ID Anyone who needs access is eligible for a UCLA Logon ID –Students and employees –Donors, parents, visiting scholars, hospital staff, conference attendees, library patron, etc. Separating authentication from authorization – having an account does not imply access For students, created at the time they file their intent to register (SIR) For employees and other affiliates, created on demand.

Integrated Account Creation Students are prompted to create their UCLA Logon at the time they SIR using URSA Either a new identity is created in ED, or the UCLA Logon ID matched to an existing identity Bruin Online Services (web , free software, wireless access, web hosting, computer labs) are automatically provisioned upon creation of UCLA Logon Account is immediately available for use in hundreds of web applications via ISIS logon across campus

Web Single Sign-On ISIS –First implemented in 1996 –Highly secured web authentication engine –Standard SOAP web service interface –Features session management –Allows multiple logon types –Integrated with Enterprise Directory –200 participating web applications, including most student service applications

UCLA EDIMI Technical Architecture

Third Party View New feature in URSA that enables parents to create UCLA Logon ID and pay bills online Relatively easy implementation because a.Availability of UCLA Logon ID space b.URSA is already integrated in UCLA EDIMI framework

Moving Forward Migrate ISIS toward standard-based Shibboleth Develop across campus common groups - Grouper Implement integrated permission management - Signet Push more granular authorization data through ED/Shibboleth

Challenges Current decentralized help desk structure does not work for IdM - sometimes causes more user shuffle Convincing applications to integrate with IdM is hard without all components in place Getting all the players to agree on common definitions for data is complicated Addressing data release and privacy issues consistently with IdM consumers requires co- effort from departments at management level.