APS 7 Identity Management: How and Why
Kirk M. Anne, Assistant Director, Systems & Networking
State University of New York College at Geneseo
kma@geneseo.edu
HighEdWeb 2008 – October 7, 2008
A little about Geneseo
• Small public liberal arts college in Western NY
• Around 5,300 undergrad, 200 grad students
• Around 300 faculty
• Around 700 support staff employees
• Around 42,000 active alumni
• An original campus of SUNY
A little about SUNY
• State University of New York formed in 1948
• 64 campuses serve over 425,000 students
• Over 7500 courses of study
• Over 3400 D/L courses for over 100,000 students
• Over 83,000 employees
• Over 2.4 million alumni
• Around a $10 billion budget
What is an Identity?
• noun (pl. identities)
  • 1 the fact of being who or what a person or thing is.
  • 2 the characteristics determining this.
  • 3 a close similarity or affinity.
• How do we deal with the fact component?
• How does affinity affect those characteristics?
• How do we deal with “multiple identities”?
• How do we prove an electronic identity?
Problems we faced/are facing
• “Source of Record” for somebody’s identity?
• Student versus Faculty/Staff?
• How do you identify somebody electronically?
• Where is the paperwork for HR/Records?
• Why can’t people have just one SSN?
• Keep and delete adjuncts at the same time?
• What about “generic” accounts?
  • “Service accounts”, student groups, “affiliates”
What is Identity Management?
Definitions of identity management from the Web:

Strictly speaking identity management is the identification of authorized users and their enrollment in a system that is used to manage their identity information. However, the management of identity information is not an end in itself; it is used to facilitate business activities such as physical access control, information systems access control, and workflow automation in accordance with business policies. This identity management is an integrated system of business processes, policies and technologies.
http://www.corestreet.com/glossary/

The creation of flexible definitions for individuals and groups which authenticates users and allows different levels of authorisation depending on the service used.
http://www.ict.ox.ac.uk/strategy/plan/plan.xml.ID=appF

An integrated system of business processes, policies and technologies that enables organizations to facilitate and control user access to critical online applications and resources, while protecting confidential personal and business information from unauthorized users.
http://www.comcare.org/Patient_Tracking/IPTI-Glossary.html

In information systems, identity management, sometimes referred to as identity management systems, involves the management of the identity life cycle of entities (subjects or objects) during which the system:
1. Establishes the identity
   1. Links a name (or number) with the subject or object;
   2. Re-establishes the identity (i.e. links a new or additional name, or number, with the subject or object);
2. Describes the identity
   1. Optionally assigns one or more attributes applicable to the particular subject or object to the identity;
   2. Re-describes the identity (i.e. changes one or more attributes applicable to the particular subject or object);
3. Destroys the identity
http://en.wikipedia.org/wiki/Identity_management
What is Identity Management?
• Not an end in itself
• Business processes, policies and programs
• Flexible definitions of people and groups
• Must protect confidential information
• Handling the “identity life cycle” of an entity
  • Establish the identity
  • Describe the identity
• #5 on EduCAUSE 2008 “Top 10 Issues”
Let’s enter the “Wayback Machine”
• Identity (aka Account) Management (1998)
• The “Über Database” Theory
  • Contains all information for all accounts ever created
  • Tracks UNIX uid and username usage
  • Matches SSN to uid and username
  • Keep basic personal information for each identity
• Account Management tools
  • Easily create accounts for UNIX and NT
  • Easily delete accounts for UNIX and NT
  • Synchronize passwords between UNIX and NT (ssod)
“Now we stepped in it…”
• my.geneseo.edu portal project (2006)
  • We decided to concentrate on the “my” part
  • Need personal information now
  • Need a way to synchronize account information
  • Need groups for permissions
• “Unfunded mandates”
  • iTunes University support needed
  • SUNY System Administration requires us to provide local info
  • “Mailing lists” for everyone and everything
  • Maintaining identities forever for Banner access
How are we going to get there?
• Directory Services
  • Contain the “characteristics” (attributes)
  • Provide a method for authentication
• Harvesters/Identity Mgmt Tools
  • Harvest “Sources of Truth” for attribute updates
  • Convert business processes to id mgmt action
• CAS/Shibboleth
  • Provide attributes to services (SOA)
  • Simplify passing information from identity store to apps
What we have now
[Architecture diagram; only its labels survive extraction: SUNY HR System, HRMS, Banner (“Sources of Truth”); Perl, SSOD; iPlanet, AD, OID, my.geneseo.edu, SUNY Applications System; Web Apps, SUNY Portal, Email System, Library Apps, Angel; Service Accts, Dept Accts, Org Accts, “Affiliates”.]
Where we want to go
[Architecture diagram; only its labels survive extraction: SUNY HR System, HRMS, Banner (“Sources of Truth”); Perl, PL/SQL, DIP, OIF; OID, AD, SUNY Applications System; Web Apps, SUNY Portal, Email System, Library Apps, Angel; Service Accts, Dept Accts, Org Accts, “Affiliates”.]
Directory Services
• LDAP the protocol, LDIF the file format
• PL/SQL to use Banner and HRMS for updating
• Perl/VB to provision UNIX and Windows accounts
• Directory Integration Protocol (DIP)
  • Allow mapping into other directory servers (Active Dir)
• Delegated Administration Service (DAS)
  • Self service password reset
  • Self editable attributes
• Access Control Lists (ACL)
  • Protect information from prying eyes
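The last bullet is where most of the security value of a directory sits: an ACL decides, per attribute, who may read or write it. The following is an added example (not code from the slides or from any directory product) of that attribute-level check in miniature: a constructed entry, a constructed rule list, and a requester who is anonymous, self, another authenticated user, or a member of a hypothetical HR group. The group DN and the rules are assumptions; the attribute names come from the LDIF slide.

```python
"""Added example (not from the slides): attribute-level access control of the
kind a directory ACL enforces, applied to a constructed entry."""
from typing import Dict, Iterable, Optional, Set, Tuple

# Constructed entry reusing attribute names from the LDIF slide.
ENTRY: Dict[str, str] = {
    "cn": "Kirk M Anne",
    "mail": "kma@geneseo.edu",
    "telephoneNumber": "585-245-5577",
    "title": "Assistant Director of Systems & Networking",
    "employeeType": "Staff",
    "homeDirectory": "/home/kma",
    "userPassword": "{crypt}GLsdfaS3wx1ug",
}
ENTRY_DN = "uid=kma,ou=People,o=geneseo.edu"
HR_GROUP = "cn=hr,ou=Groups,o=geneseo.edu"   # hypothetical group DN

# (who, attributes, rights).  'who' is "anyone", "authenticated", "self" or a
# group DN.  Anything not matched by a rule is denied.  userPassword appears
# in no rule on purpose: a search never returns it, the server compares it
# during bind instead.
Rule = Tuple[str, Set[str], Set[str]]
RULES: Iterable[Rule] = [
    ("anyone",        {"cn", "mail"},                              {"read"}),
    ("authenticated", {"cn", "mail", "telephoneNumber", "title"},  {"read"}),
    ("self",          {"telephoneNumber", "mail"},                 {"read", "write"}),
    (HR_GROUP,        {"employeeType", "homeDirectory"},           {"read"}),
]


class Requester:
    """Who is asking: dn=None models an anonymous bind."""

    def __init__(self, dn: Optional[str] = None, groups: Iterable[str] = ()):
        self.dn = dn.lower() if dn else None
        self.groups = {g.lower() for g in groups}


def allowed(requester: Requester, target_dn: str, attr: str, right: str) -> bool:
    """First rule granting `right` on `attr` to this requester wins; default deny."""
    for who, attrs, rights in RULES:
        if attr not in attrs or right not in rights:
            continue
        if who == "anyone":
            return True
        if who == "authenticated" and requester.dn is not None:
            return True
        if who == "self" and requester.dn == target_dn.lower():
            return True
        if who.lower() in requester.groups:
            return True
    return False


def visible(entry: Dict[str, str], target_dn: str, requester: Requester) -> Dict[str, str]:
    """The subset of the entry a search by this requester would return."""
    return {a: v for a, v in entry.items() if allowed(requester, target_dn, a, "read")}


if __name__ == "__main__":
    for label, who in [("anonymous", Requester()),
                       ("self", Requester(dn=ENTRY_DN)),
                       ("hr", Requester(dn="uid=hrclerk,ou=People,o=geneseo.edu",
                                        groups=[HR_GROUP]))]:
        print(label, sorted(visible(ENTRY, ENTRY_DN, who)))
```

The point to carry into a real deployment is the default-deny shape and the absence of any rule for userPassword: when the slide later shows a {crypt} hash inside an LDIF export, that file is exactly the kind of thing the ACL exists to keep off the wire.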
LDAP/LDIF Information
• Data is stored in a hierarchy
  • Keyed by the “distinguished name” (DN)
• objectclasses and attributes
  • Objectclass is a defined group of attributes
  • Attributes hold the values (single/multiple)
  • OID (Object IDentifier)
• Base search paths
  • Tall versus flat tree design
  • Thick (a lot of data in tree) or thin (no data)
Tall versus Flat
[Two tree diagrams; only their labels survive extraction.]
Tall tree under o=geneseo.edu, with organisational units ou=Provost, ou=Alumni, ou=business, ou=Chemistry, ou=Art, ou=Education, ou=Photo.
  DN format: uid=kma,ou=Photo,ou=Art,ou=Provost,o=geneseo.edu
Flat tree dc=edu / dc=geneseo with containers cn=users and cn=groups; Base DN dc=geneseo,dc=edu.
  DN format: cn=kma,cn=users,dc=geneseo,dc=edu
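What the two DN formats mean in practice is easiest to see by parsing them. The block below is an added example, not code from the slides: it splits a DN into its RDNs, answers whether a search with a given base and scope would return an entry, and shows the cost of a tall tree, namely that moving a person between departments changes the DN that every application has stored as their key. The DNs are the ones on the slide; the functions are mine.

```python
"""Added example (not from the slides): how a DN encodes position in the tree,
using the Tall-versus-Flat DN formats from the slide."""
from typing import List, Tuple

RDN = Tuple[str, str]
ESCAPED_COMMA = "\\,"


def parse_dn(dn: str) -> List[RDN]:
    """Split a DN into (attribute, value) RDNs, leaf first.

    Handles backslash-escaped commas ('cn=Anne\\, Kirk'); RFC 4514 hex escapes
    and multi-valued RDNs are deliberately out of scope here.
    """
    rdns: List[str] = []
    buf: List[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # keep the escaped character literally
            buf.append(dn[i + 1])
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append("".join(buf))
    parsed: List[RDN] = []
    for rdn in rdns:
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"malformed RDN {rdn!r} in {dn!r}")
        parsed.append((attr.strip().lower(), value.strip()))
    return parsed


def format_dn(rdns: List[RDN]) -> str:
    """Inverse of parse_dn, re-escaping commas inside values."""
    parts = []
    for attr, value in rdns:
        parts.append(f"{attr}={value.replace(',', ESCAPED_COMMA)}")
    return ",".join(parts)


def _norm(rdns: List[RDN]) -> List[RDN]:
    # Attribute types are case-insensitive; the ou/cn/dc/o values used for
    # naming here are too, which is what base-DN matching needs.
    return [(a, v.lower()) for a, v in rdns]


def parent_dn(dn: str) -> str:
    """DN of the entry's immediate superior ('' for a root entry)."""
    return format_dn(parse_dn(dn)[1:])


def in_scope(dn: str, base: str, scope: str) -> bool:
    """Would a search with this base and scope ('base', 'one', 'sub') return dn?"""
    target, base_rdns = _norm(parse_dn(dn)), _norm(parse_dn(base))
    n = len(base_rdns)
    if len(target) < n or target[len(target) - n:] != base_rdns:
        return False
    depth = len(target) - n
    if scope == "base":
        return depth == 0
    if scope == "one":
        return depth == 1
    if scope == "sub":
        return True
    raise ValueError(f"unknown scope {scope!r}")


def move_entry(dn: str, new_parent: str) -> str:
    """New DN after re-parenting: in a tall tree a department change rewrites
    the key that every application stored for the person."""
    leaf = parse_dn(dn)[0]
    return format_dn([leaf] + parse_dn(new_parent))


if __name__ == "__main__":
    tall = "uid=kma,ou=Photo,ou=Art,ou=Provost,o=geneseo.edu"
    flat = "cn=kma,cn=users,dc=geneseo,dc=edu"
    print(parse_dn(tall))
    print(in_scope(tall, "ou=Provost,o=geneseo.edu", "sub"))
    print(move_entry(tall, "ou=Chemistry,ou=Provost,o=geneseo.edu"))
    print(in_scope(flat, "cn=users,dc=geneseo,dc=edu", "one"))
```

Notice that in the flat tree a one-level search under cn=users finds every person, while in the tall tree you need a subtree search from the top and the DN itself changes whenever the organisation chart does, which is the usual argument for a flat tree keyed by a stable identifier.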
Defining a new SUNY object class

attributetype ( 1.3.6.1.4.1.27652.1.1.1.1.1.1
    NAME 'sunyPersonId'
    DESC 'Identifier for SUNY employee'
    EQUALITY numericStringMatch
    SYNTAX '1.3.6.1.4.1.1466.115.121.1.36' )

attributetype ( 1.3.6.1.4.1.27652.1.1.1.1.1.2
    NAME 'sunyStudentId'
    DESC 'Identifier for SUNY student'
    EQUALITY numericStringMatch
    SYNTAX '1.3.6.1.4.1.1466.115.121.1.36' )

# sunyPerson objectclass definition
# can only be done after attributes established
objectclass ( 1.3.6.1.4.1.27652.1.1.1.1.2
    NAME 'sunyPerson'
    AUXILIARY
    MAY ( sunyPersonId $ sunyStudentId ) )
Example LDIF file

dn: uid=kma,ou=People,o=geneseo.edu
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: mailrecipient
objectClass: eduPerson
cn: Kirk M Anne
givenName: Kirk
sn: Anne
ou: Computing & Information Technology
title: Assistant Director of Systems & Networking
employeeType: Staff
telephoneNumber: 585-245-5577
street: South 124b2
l: Geneseo
st: NY
postalCode: 14454
mail: kma@geneseo.edu
mailAlternateAddress: kirk.m.anne@geneseo.edu
labeledUri: http://www.geneseo.edu/~kma
uid: kma
userPassword: {crypt}GLsdfaS3wx1ug
uidNumber: 1605
gidNumber: 1000
gecos: Kirk M Anne
homeDirectory: /home/kma
loginShell: /bin/bash
eduPersonAffiliation: staff
eduPersonPrimaryAffiliation: staff
eduPersonPrincipalName: kma@geneseo.edu
eduPersonEntitlement: Administrator@urn:mace:itunesu.com:sites:geneseo.edu
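The schema slide and the LDIF slide fit together: the auxiliary class sunyPerson is what permits sunyPersonId and sunyStudentId on an entry, and their numericString syntax is what makes a value like "A123" invalid. Here is an added example (not code from the slides or from any LDAP library) that parses an LDIF entry, including folded lines and base64 values, and checks those two things against a constructed variant of the entry above that adds objectClass: sunyPerson and a sunyPersonId. The sample entry, its description value and the check functions are mine; the schema facts (the MAY list, numericString allowing digits and spaces) are taken from the slide and RFC 4517.

```python
"""Added example (not from the slides): parse an LDIF entry and check the
sunyPerson attributes against the schema defined on the previous slide."""
import base64
import re
from typing import Dict, List

# Constructed entry: a trimmed copy of the slide's entry with the sunyPerson
# auxiliary class and a sunyPersonId added, plus one folded line and one
# base64 ("::") value so the parser has both cases to handle.
SAMPLE_LDIF = """\
dn: uid=kma,ou=People,o=geneseo.edu
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: eduPerson
objectClass: sunyPerson
cn: Kirk M Anne
givenName: Kirk
sn: Anne
title: Assistant Director of Systems
  & Networking
mail: kma@geneseo.edu
uid: kma
description:: Q29uc3RydWN0ZWQgc2FtcGxl
sunyPersonId: 12345
"""

# The objectclass from the slide, lowercased for lookup.  AUXILIARY means it
# is added on top of a structural class such as inetOrgPerson.
SUNY_SCHEMA = {
    "sunyperson": {"kind": "AUXILIARY", "may": {"sunypersonid", "sunystudentid"}},
}
# numericString syntax (1.3.6.1.4.1.1466.115.121.1.36): digits and spaces only.
NUMERIC_STRING = re.compile(r"^[0-9 ]+$")


def parse_ldif_entry(text: str) -> Dict[str, List[str]]:
    """Return {attribute (lowercased): [values]} for a single LDIF entry."""
    logical: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:        # folded continuation line
            logical[-1] += raw[1:]
        elif raw.strip() == "" or raw.startswith("#"):
            continue
        else:
            logical.append(raw)
    entry: Dict[str, List[str]] = {}
    for line in logical:
        name, sep, rest = line.partition(":")
        if not sep or not name.strip():
            raise ValueError(f"not an LDIF attribute line: {line!r}")
        if rest.startswith(":"):                   # 'attr:: base64'
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        entry.setdefault(name.strip().lower(), []).append(value)
    return entry


def check_suny_entry(entry: Dict[str, List[str]]) -> List[str]:
    """Problems with the sunyPerson attributes; an empty list means OK."""
    problems: List[str] = []
    classes = {c.lower() for c in entry.get("objectclass", [])}
    for attr in sorted(SUNY_SCHEMA["sunyperson"]["may"] & set(entry)):
        if "sunyperson" not in classes:
            problems.append(f"{attr}: present but objectClass sunyPerson is missing")
        for value in entry[attr]:
            if not NUMERIC_STRING.match(value):
                problems.append(f"{attr}: {value!r} is not a numericString")
    return problems


if __name__ == "__main__":
    entry = parse_ldif_entry(SAMPLE_LDIF)
    print(entry["title"], entry["description"])
    print("problems:", check_suny_entry(entry))
```

A directory server applies exactly these checks itself when the schema is loaded, which is the reason the slide stresses that the attribute types must be established before the object class that references them.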
Identity Management Tools
• Harvester
  • Simplest version
  • Reads from a “source of truth”
  • Updates attributes
• Identity Management systems
  • More complex
  • Provision access automatically
  • Defined by business processes and policy
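The "simplest version" of a harvester is a diff between a source of truth and the directory, turned into LDIF change records: establish (add), re-describe (modify) and destroy (delete) in the lifecycle terms used earlier. The following is an added example, not the college's harvester: the HR-style feed and the directory snapshot are constructed, the person ids and names are made up, and the delete guard (refuse to run when an implausible share of the directory would disappear) is my own safeguard against a broken or empty feed wiping out accounts.

```python
"""Added example (not from the slides): a minimal harvester that diffs a
source of truth against the directory and emits LDIF change records."""
from typing import Dict, List

Record = Dict[str, str]
Change = Dict[str, object]

PEOPLE_BASE = "ou=People,o=geneseo.edu"
ADD_CLASSES = ["top", "person", "organizationalPerson", "inetOrgPerson"]

# Constructed feed from a "source of truth" (think an HRMS/Banner export),
# keyed by a stable person id, and a constructed snapshot of the directory.
SOURCE: Dict[str, Record] = {
    "1001": {"uid": "kma", "givenName": "Kirk", "sn": "Anne",
             "title": "Assistant Director of Systems & Networking", "employeeType": "Staff"},
    "1002": {"uid": "jdoe", "givenName": "Jane", "sn": "Doe",
             "title": "Lecturer", "employeeType": "Adjunct"},
}
DIRECTORY: Dict[str, Record] = {
    "1001": {"uid": "kma", "givenName": "Kirk", "sn": "Anne",
             "title": "Systems Manager", "employeeType": "Staff"},
    "1003": {"uid": "aleft", "givenName": "Ann", "sn": "Left",
             "title": "Clerk", "employeeType": "Staff"},
}


def dn_for(record: Record) -> str:
    return f"uid={record['uid']},{PEOPLE_BASE}"


def too_many_deletes(stale: int, total: int, max_fraction: float = 0.5) -> bool:
    """Guard: an empty or truncated feed must not delete half the directory."""
    return total > 0 and stale / total > max_fraction


def harvest(source: Dict[str, Record], directory: Dict[str, Record],
            max_delete_fraction: float = 0.5) -> List[Change]:
    changes: List[Change] = []
    for pid in sorted(source):
        wanted = source[pid]
        if pid not in directory:                     # establish the identity
            changes.append({"op": "add", "dn": dn_for(wanted), "attrs": dict(wanted)})
            continue
        current = directory[pid]
        # re-describe: only attributes whose value changed.  uid is the naming
        # attribute; renaming it needs a modrdn, which this example leaves out.
        diff = {k: v for k, v in wanted.items() if k != "uid" and current.get(k) != v}
        if diff:
            changes.append({"op": "modify", "dn": dn_for(current), "attrs": diff})
    stale = sorted(pid for pid in directory if pid not in source)
    if too_many_deletes(len(stale), len(directory), max_delete_fraction):
        raise RuntimeError(f"refusing to delete {len(stale)} of {len(directory)} entries")
    for pid in stale:                                # destroy the identity
        changes.append({"op": "delete", "dn": dn_for(directory[pid]), "attrs": {}})
    return changes


def to_ldif(changes: List[Change]) -> str:
    """Render changes as LDIF changetype records ready for an ldapmodify run."""
    blocks: List[str] = []
    for ch in changes:
        attrs: Dict[str, str] = ch["attrs"]  # type: ignore[assignment]
        lines = [f"dn: {ch['dn']}", f"changetype: {ch['op']}"]
        if ch["op"] == "add":
            lines += [f"objectClass: {c}" for c in ADD_CLASSES]
            lines += [f"{k}: {v}" for k, v in attrs.items()]
        elif ch["op"] == "modify":
            for k, v in attrs.items():
                lines += [f"replace: {k}", f"{k}: {v}", "-"]
        blocks.append("\n".join(lines))
    return "\n\n".join(blocks) + "\n"


if __name__ == "__main__":
    print(to_ldif(harvest(SOURCE, DIRECTORY)))
```

The modify record uses replace rather than rewriting the whole entry, so attributes the harvester does not own (the userPassword, the mail aliases) survive each run; and keying both sides by a stable person id rather than by uid is what lets the same harvester cope with a name change.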
CAS/Shibboleth
• Central Authentication System (from Yale)
• Shibboleth (from Internet2 middleware)
  • Provide protected access to attributes
  • Provide the ability for single sign-on
• Key concepts
  • Identity Provider (IdP)
  • Service Provider (SP)
  • Security Assertion Markup Language (SAML)
So why would we do this?
• Simplify
  • Reduce the number of usernames/passwords
  • Reduce the number of places for “personal info”
• Secure
  • One username, one password -> strong passwords
  • Enforce policies (force pw changes, remove access)
• Self-service
  • Password resets
  • Provide/update attribute information
Why should we do this?
• One word… “Facebook” (one BIG directory)
• Students today expect personalized service
• Attributes allow us to select affinity groups
• Public versus private social networks
Other reasons
• Online phone books/directories
• Central authentication/Single Sign On
• Service Oriented Applications (SOA)
  • “Portal” applications
  • iTunesU
  • SUNY Administration Applications (HR)
• Google Gadgets?
• iPod Touch/iPhones?
• InCommon?
Technology is not the whole answer
• We still need to develop policies.
  • Do we use last names for usernames?
  • What do we do about adjuncts?
  • When is a student a student?
  • What about leaves of absence?
  • Do we create staff accounts before signed letters?
  • Do we keep student accounts forever?
  • Who gets to see what attributes?
• Processes should be based on policies.
For more information…
• Shibboleth
  • http://shibboleth.internet2.edu/
• Grouper
  • http://grouper.internet2.edu/
• COmanage
  • http://middleware.internet2.edu/co/
• Central Authentication System
  • http://www.ja-sig.org/products/cas/index.html
• InCommon
  • http://www.incommonfederation.org/
• Internet2 middleware
  • http://middleware.internet2.edu/dir/