USERS Implementers Target Communities NMI Integration Testbed The NMI Integration Testbed NMI Participation Developed and managed by SURA Evaluate NMI.


1 The NMI Integration Testbed
- Developed and managed by SURA
- Evaluate NMI components upon release
- Real life contexts - research projects, enterprise applications and infrastructure
- Sites: UAB, UAH, UFL, FSU, GSU, UMich, TACC, UVA, (USC); ? future expansion
- Diagram labels: NMI Participation; Users; Implementers; Target Communities; Developers; Supporters; Contributors
- http://www.nsf-middleware.org/testbed

2 NMI Components Take on New Meaning Mike Conlon, Ph.D. Director of Data Infrastructure mconlon@ufl.edu

3 NMI Components
- Globus, Condor-G, NWS, KX.509, GSI OpenSSH, MyProxy, MPICH-G2, Grid Packaging, Grid Config
- CPM, Look, OpenSAML, PERMIS, PubCookie, Shibboleth, LDAP Analyzer, Cert Profile Registry
- eduPerson, eduOrg, commObject
- Practice in Groups, LDAP Recipe, Metadirectory Best Practices, Enterprise Impl Roadmap
- HEPKI, PKI-Lite

4 NMI Components At UF
- Globus, Condor-G, NWS, KX.509, GSI OpenSSH, MyProxy, MPICH-G2, Grid Packaging, Grid Config
- CPM, Look, OpenSAML, PERMIS, PubCookie, Shibboleth, LDAP Analyzer, Cert Profile Registry
- eduPerson, eduOrg, commObject
- Practice in Groups, LDAP Recipe, Metadirectory Best Practices, Enterprise Impl Roadmap
- HEPKI, PKI-Lite

5 One Slide About UF
- 49,000 students in Gainesville, FL
- Freshman class: 3.92 GPA, 1300 SAT
- $1.8 billion annual budget, $450 million in research, growing at 12% per year. Health Sciences – 52% of research.
- 140 academic departments in 23 colleges
- Land grant – extension in all 67 counties.
- The Gators, Lady Gators, GatorAde

6 One Slide About UF Technology
- 500 IT professionals across campus
- Very decentralized
- Over 300 email servers
- 30,000 devices on the open network
- AD, NDS, iPlanet, OpenLDAP, Kerberos
- Recent Directory Project
- Current PeopleSoft implementation

7 Using the Components
- Conventions and Best Practices
  - Metadirectory Practices
  - Enterprise Directory Roadmap
  - Practices in Groups
- Schema
  - eduPerson
  - eduOrg
  - commObject

8 MetaDirectory Practices
- Concepts of identity management
  - Single Sign-On
  - Security
  - Provisioning
  - Deactivate
  - Attribute Use
  - Identity resolution
  - Identifiers

9 UF Directory Project
- Start planning August 2000
- Finish report September 2001
- Begin implementation October 2001
- Deploy new directory January 23, 2003
- http://www.it.ufl.edu/projects/directory

10 Directory Project Deliverables
- New Registry
- New LDAP schema (eduPerson, eduOrg)
- New IDs – UFID and UUID tied to GatorLink
- 50,000 new Gator One cards
- 1,500 applications modified
- New self-service apps: http://phonebook.ufl.edu
- New directory coordinator apps
- New APIs for directory-enabling business processes

11 UF Directory – Architecture

12 Identifiers
- GatorLink – public username, email address (mconlon@ufl.edu), single sign-on. Revocable. Lucent.
- UFID. Eight digit random number assigned by UF. nnnn-nnnn. Used where SSN was used previously. Protected. Revocable, opaque.
- UUID (GUID) “NDC”. Opaque, non-revocable. Not used outside central systems.

13 Enterprise Directory Implementation Road Map
- Parallel tracks for technical work and functional work
- Value proposition – why do this (UF spent $4.7 million). Selling “position” or future capability is tough. What can we actually do? Why is it better than what we have?
- Use vignettes
- Under promise, over deliver

14 A Vignette Bill is a physician faculty member in the College of Medicine. He and/or his department administrator can update his contact information using a web page. This information automatically populates/updates the personnel system, the Shands Communications system (CHRIS), the Shands HealthCare on-line directory of physicians, Bill’s entry in Netware Directory Services, Active Directory, the on-line phone book, the UF enterprise directory database, and the UF LDAP directory. People using email programs and their address books always automatically access Bill’s current email address. UF business processes have access to Bill’s current information. Bill’s information is updated once and is used and accessed consistently across the enterprise.

15 Functional Issues
- Who can update data?
- Who can replicate data?
- Who resolves conflicting values?
- Who owns data?
- Who can access data?
- What business processes are supported? What processes are not supported?

16 Recent Projects
- LDAP infrastructure improvements
- Library authorization via directory
- VPN access via directory
- UF Web Portal uses LDAP and LDAP groups
- UF Housing Icarus system
- Active Directory Provisioning

17 LDAP Groups
- Practices in Groups
- Currently using groups for Portal
- Considering groups for email
- Considering groups for role information

18 Current Projects
- LDAP infrastructure improvements v2
- Help Desk integration
- Authorization management
- Active Directory Provisioning
- commObject for video, VOIP
- PubCookie
- Location management
- Password management

19 Rethinking Directory Services
- Metadirectory Practices
  - Identity management, identifier strategy
- Enterprise Directory Road Map
  - Functional issues dominate
- Practices in Groups
  - Second phase issues for improving services

