What is SSO? • Wikipedia Says… “Single Sign On (SSO) is a property of access control of multiple, related, but independent software systems. With this property a user logs in once and gains access to all systems without being prompted to log in again at each of them.”
Benefits • Reduce password fatigue • Reduce time spent re-entering passwords • Abstract authentication from systems • Lower calls to Help Desk about passwords • Centralized reporting for compliance • Can rationalize multiple authentication methods • Improved interaction with 3rd Party
Potential Problems • True Single Sign On is often hard to accomplish • “keys to the castle” • High Availability becomes the new IdM buzzword (well one of them)
Some of the Choices • Jasig CAS • CoSign • Kerberos • OpenSSO • JOSSO • Shibboleth
What to Look For • What protocol do they use? • What kind of “clients” do they have? • Features: • Opt Out of Single Sign On • Management • Monitoring • High Availability / Scalability • Flexibility • “ClearPass” • Deployment/Maintainability
Rolling Out SSO – Why? • It’s easy! (relatively) • Assumes you’ve already solved your ID problem • It’s a “big” win • Highly visible • Oh, and all that stuff listed under Benefits
Getting People to Use It • Documentation! • Present, Present, Present! (Education) • A Compelling Reason • Features • Ease-Of-Use • Auditing • Superior User Experience • Support It! • Strong Arm (not a pleasant experience)
What Else Do You Need? • Goes well with… • Self-Password Reset/Change • Lookup Id • Profile • User Education • Help Desk Support • Trusted SSL Certificates
Related • Single Sign Out • OpenID – decentralized authentication system • Federation • Facebook Connect - API to let user log in via Facebook • InfoCards -
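The slides define SSO as “log in once, gain access to all systems,” warn that the SSO session is the “keys to the castle,” and list Single Sign Out as a related feature. The following is an added example, not code from the deck, from Rutgers, or from any of the products named above: a toy identity provider that holds one login session, mints short-lived, single-use tickets bound to one service at a time (the pattern CAS-style systems use), and on logout revokes every application session it created. All class names, the user list, and the service names are constructed for the demonstration.

```python
import secrets
import time


class IdentityProvider:
    """Central login point: one SSO session per user, per-service tickets."""

    def __init__(self, ticket_ttl=30):
        self.ticket_ttl = ticket_ttl   # seconds a ticket stays redeemable
        self.sessions = {}             # sso_cookie -> username
        self.tickets = {}              # ticket -> (username, service, issued_at)
        self.registered = {}           # sso_cookie -> services to notify on logout
        self.logins = 0                # times a password was actually entered

    def login(self, username, password, users):
        """The only place credentials are checked; returns the SSO cookie."""
        if users.get(username) != password:
            raise PermissionError("bad credentials")
        self.logins += 1
        cookie = secrets.token_urlsafe(16)
        self.sessions[cookie] = username
        self.registered[cookie] = set()
        return cookie

    def issue_ticket(self, cookie, service):
        """Mint a ticket for `service` if the SSO session exists, else None."""
        username = self.sessions.get(cookie)
        if username is None:
            return None                # no session: the user would be prompted
        ticket = secrets.token_urlsafe(16)
        self.tickets[ticket] = (username, service, time.time())
        self.registered[cookie].add(service)
        return ticket

    def validate(self, ticket, service):
        """Redeem a ticket once; reject replay, wrong service, or expiry."""
        entry = self.tickets.pop(ticket, None)   # pop: a ticket is single use
        if entry is None:
            return None
        username, bound_service, issued = entry
        if bound_service != service or time.time() - issued > self.ticket_ttl:
            return None
        return username

    def logout(self, cookie, services):
        """Single Sign Out: drop the SSO session and every app session it fed."""
        username = self.sessions.pop(cookie, None)
        for name in self.registered.pop(cookie, set()):
            services[name].revoke(username)
        return username


class Service:
    """An independent application that trusts the IdP instead of prompting."""

    def __init__(self, name, idp):
        self.name, self.idp = name, idp
        self.local_sessions = set()    # usernames with an app session here

    def access(self, cookie):
        """Return the admitted user, or None if a login prompt would be needed."""
        ticket = self.idp.issue_ticket(cookie, self.name)
        if ticket is None:
            return None
        user = self.idp.validate(ticket, self.name)
        if user:
            self.local_sessions.add(user)
        return user

    def revoke(self, user):
        self.local_sessions.discard(user)


def demo():
    """Walk through login, three SSO-protected services, replay, and sign-out."""
    users = {"alice": "correct horse battery staple"}   # constructed test user
    idp = IdentityProvider()
    services = {n: Service(n, idp) for n in ("mail", "portal", "wiki")}

    cookie = idp.login("alice", users["alice"], users)          # one password entry
    visited = [services[n].access(cookie) for n in ("mail", "portal", "wiki")]

    t = idp.issue_ticket(cookie, "mail")                         # replay check
    replay_rejected = idp.validate(t, "mail") == "alice" and idp.validate(t, "mail") is None
    t2 = idp.issue_ticket(cookie, "wiki")                        # service-binding check
    wrong_service_rejected = idp.validate(t2, "mail") is None

    idp.logout(cookie, services)                                 # single sign out
    return {
        "logins": idp.logins,
        "visited": visited,
        "replay_rejected": replay_rejected,
        "wrong_service_rejected": wrong_service_rejected,
        "after_logout": services["mail"].access(cookie),
        "sessions_remaining": sum(len(s.local_sessions) for s in services.values()),
    }
```

The counter `idp.logins` staying at 1 while three services admit the user is the SSO property itself; the single-use, service-bound ticket is what keeps one application from using a ticket meant for another, and `logout` is what Single Sign Out adds on top of plain SSO. The session cookie really is the “keys to the castle” here: nothing in the services re-checks a password, so protecting that one session (and being able to revoke it) carries the whole scheme.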
What Comes Next? • Rolling out an SSO will raise some of the following questions/concerns: • We can’t use SSO because it doesn’t support all types of guests easily* • What’s your SLA? • Why does it take so long to get an ID?* • What about access control?* • What is the password policy? • What’s the identifier usage policy?
You Probably Already Have One! (but it sucks!)
What Does It Do? • Store identity data about your people • Reconciles different versions • Makes (usually) intelligent choices • Helps feed other systems • Directory builder • Provisioning • Reporting
Choices? • Not too many! • Very few higher education options • Most non-Higher Education ones don’t get “higher ed” • Multiple sources for a person • Multiple possible hierarchies • Every university is (slightly) different
OpenRegistry Plug! • What is OpenRegistry? • OpenRegistry is an OpenSource Identity Management System (IDMS). It's a place for data about people affiliated with your organization. • Core Functionality • Interfaces for web, batch, and real-time data transfer • Identity data store • Identity reconciliation from multiple systems of record • Identifier assignment for new, unique individuals • Additional Functionality • Data beyond Persons: Groups, Courses, Credentials, Accounts • Business Rule based data transformations • More than just a Registry, some periphery too • Directory Builder • Provisioning and Deprovisioning
Changing Your IdM System • Two Options: • “The Big Bang” • Transitional
“The Big Bang” • Benefits • Not maintaining two versions for extended period of time • Direct Developer Resources towards new project • Cons • This stuff better work! (or expect some pissed off people) • Significant investment in testing phase • What’s the back up plan? • Restrictions on flexibility
Transitional • Benefits • Significant time to test system “in production” with real data • Built-in Back Up Plan • More flexible scheduling • Cons • Maintaining multiple systems for extended period • Ambiguity about where to go for data • In some instances, double the work!
What does Rutgers do? • We totally confuse the issue • We’ve “big banged” ourselves for Dec 2010 (PeopleSoft deployment) • We’ve committed to maintaining the legacy system feeds • We are gradually rolling it out! • Why? • It seemed like a good idea at the time! • “Big Bang” attachment to PeopleSoft gets IdM on the radar and stresses importance • Pilot Groups much earlier! • Unfortunately, it puts IdM on the radar • With schedule, no time to update all legacy feeds
Bigger Than You Think • Building a registry is tough! • Deploying a registry is tougher! • Touches everything! • Data is owned by others • Policies around accessing data, identifiers, etc. • Downstream concerns with new populations • Poorly written tools that won’t work with the new system • Help Desk Nightmare! • Start Looking at EVERYTHING • What does it all mean?
What is Governance? (according to Wikipedia) • Governance is the activity of governing. It relates to decisions that define expectations, grant power, or verify performance. It consists either of a separate process or of a specific part of management or leadership processes. Sometimes people set up a government to administer these processes and systems. • In the case of a business or of a non-profit organization, governance relates to consistent management, cohesive policies, processes and decision-rights for a given area of responsibility. For example, managing at a corporate level might involve evolving policies on privacy, on internal investment, and on the use of data.
What does IdM Governance cover? • Policies • Responsibility • Coordination and Prioritization • Compliance • Some of them, like the details (i.e. text on the page!), are really, really annoying • Making the Case • Communication
When do you want it? • Not too early • But not too late • Becomes important when you start depending on others
What Makes a Good One? • Some level of actual authority • A method for measuring accountability • Transparent • Leaves us better off!
What Happens When It Fails? • Fiefdoms continue to exist • Duplicate data everywhere! • Duplicate application development • Misuse of information
Models • None – just like it sounds • Explicitly Decentralized • High level group sets policy • Specialized groups implement policy • Centralized • Makes just about all the decisions • Hybrid
Levels of Maturity (according to Burton) 1. Initial – no process 2. Repeatable – starting to understand processes 3. Defined – process documented, standardized and integrated 4. Managed 5. Optimized
And We’re Done with Governance • Two key points: • You need a champion of sufficient authority • Feedback mechanism needs to be in place