Provisioning of Services: Authentication Requirements
David Henry
Office of Information Technology, University of Maryland
dhenry@umd.edu
Provisioning of Accounts
• For what services are "shell accounts" used? For what services are other provisioning methods used, and what are they?
• Most provisioning is via "shell accounts"
• Some services are pre-provisioned
  • Time and Attendance system for timesheets: automatically provisioned, based on presence in HRS
  • Student registration system and personal information management: based on presence in SIS
• Some services are provisioned upon initial use
  • Umail: presence in the directory means the user can "activate" the account automatically upon first use, which establishes the home directory, password file entry, etc.
  • The new email system will require activation via a web page prior to first use
Provisioning (cont.)
• How are enterprise accounts created/deleted?
• Everyone gets an employeenumber
  • Never changes
  • Includes student applicants, visiting/adjunct faculty, volunteers, other affiliates
  • Used as part of the DN in our directory
  • Initially tied to SSN, but allows for SSN changes
  • Eight digits plus check digit
• Everyone gets a Directory ID / Unique ID
  • Alphanumeric, up to 8 characters
  • Assigned initially as first initial plus the first 7 characters of the last name (e.g. dhenry); digits are used to make it unique (e.g. jjohnso2)
  • Vanity IDs are supported
  • A user may request a change up to once a year
  • When retired, an ID won't be reassigned for 12 months
  • Some specific IDs are reserved forever
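The Directory ID rules on this slide (first initial plus 7 characters of the last name, digits appended for uniqueness, retired IDs held for 12 months, some IDs reserved forever) can be written down as one assignment routine. This is an added illustration, not code from the University of Maryland; the reserved-ID list, the 365-day hold, and the digit-suffix ordering are assumptions, since the slide gives only the rules, not an implementation.

```python
import re
from datetime import date, timedelta

MAX_LEN = 8                      # slide: alphanumeric, up to 8 characters
HOLD = timedelta(days=365)       # assumption: "12 months" treated as 365 days
RESERVED = {"root", "admin"}     # constructed; the slide only says some IDs are reserved forever


def base_id(first: str, last: str) -> str:
    """First initial plus the first 7 characters of the last name, lowercase alphanumeric only."""
    f = re.sub(r"[^a-z0-9]", "", first.lower())[:1]
    l = re.sub(r"[^a-z0-9]", "", last.lower())[:7]
    return f + l


def recently_retired(candidate: str, retired: dict, today: date) -> bool:
    """True if the ID was retired less than HOLD ago and so may not be reassigned yet."""
    when = retired.get(candidate)
    return when is not None and today - when < HOLD


def assign_directory_id(first: str, last: str, taken: set, retired: dict,
                        today: date, reserved: set = RESERVED) -> str:
    """Return the first free ID: the base form, then base + 2, base + 3, ...
    (assumption: suffixes start at 2, matching the slide's jjohnso2 example).
    The suffix replaces trailing characters so the result never exceeds MAX_LEN."""
    base = base_id(first, last)
    candidate = base
    n = 1
    while True:
        blocked = (candidate in taken or candidate in reserved
                   or recently_retired(candidate, retired, today))
        if not blocked:
            return candidate
        n += 1
        suffix = str(n)
        candidate = base[:MAX_LEN - len(suffix)] + suffix


if __name__ == "__main__":
    today = date(2024, 1, 1)
    print(assign_directory_id("David", "Henry", set(), {}, today))          # dhenry
    print(assign_directory_id("John", "Johnson", {"jjohnson"}, {}, today))  # jjohnso2
```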
Provisioning (cont.)
• Entries are added
  • Faculty/Staff: upon entry in the HR system, including future appointments
  • Students: upon "acceptance with letter sent"
  • Others: may be sponsored by any of a number of approved offices
• Entries are deleted
  • Faculty/Staff: 210 days after separation (an attribute is established to indicate a termination date for those apps that care)
  • Students: after the start of the second semester of non-registration, treating summer as a semester
  • Others: renewed annually by the sponsor
Provisioning (cont.)
• How are other services' provisioning mechanisms managed?
  • Lots of ways
  • Lots of admins
• How do you advise app developers on which identifiers to use?
  • Use the employeenumber as the internal ID (if possible)
  • Use the Directory ID for user authentication
  • Don't use empno or SSN
Provisioning (cont.)
• How are the identifiers for an individual's multiple accounts managed?
  • Currently, they're not.
  • In some cases, IDs depend on the Directory ID or another system.
  • Passwords? Don't ask.
Provisioning (cont.)
• System to manage IDs cooperatively
• Admins
  • Centrally register their system/service
  • Indicate characteristics of eligibility (LDAP filter?)
  • Specify a mechanism for notifications (new account request, userid change, account delete, etc.)
• User
  • Goes to a central web page to see the systems and services they may request
  • Activates systems/services
• System
  • Notifies registered systems/services of change events
  • Via e-mail, URL (with authentication), or script
Authentication Practices
• What levels of service require what initial types of identity proofing?
  • UNIX shell accounts require in-person proofing with a student ID card
  • Privileged accounts require face-to-face proofing
  • Access to certain information requires a signed statement regarding appropriate use
• What mechanisms are used for authentication?
  • Native authentication mechanism
  • Kerberos
  • LDAP compare
Authentication (cont.)
• What is the hope for intercampus standards?
  • There needs to be some hope.
• Shady Grove Campus
  • A combination of system institutions
  • All faculty, staff, and students are from one of the other campuses.
  • Courses from any campus apply.
  • So far everything is handled by exception.
That's IT
David Henry, OIT, University of Maryland