TRANSCRIPT
GatorAid: Identity Management at the University of Florida
Mike Conlon, Director of Data, [email protected]
Copyright Notice
Copyright Mike Conlon 2005.
This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.
NMI-EDIT Consortium
Comprises Internet2, EDUCAUSE, and SURA
NSF Middleware Initiative (NMI) - Enterprise and Desktop Integration Technologies Consortium (EDIT)
Funded by NSF Middleware Initiative
E-science and research
Researches and develops inter-institutional Identity and Access Management tools, Shibboleth for example
Guided by MACE – Middleware Architecture Committee for Education
Group of R&E IT architects from US and Europe
One Slide About UF
49,000 students in Gainesville, FL
15,000 distance, continuing and executive students
$2.0 billion annual budget, $475 million in research -- growing at 9% per year
Health Sciences – 58% of research
140 academic departments in 23 colleges
Land grant – extension in all 67 counties
The Gators, Lady Gators, Gatorade
One Slide About UF Technology
500 IT professionals across campus
Very decentralized
Estimated $90 million in annual IT spending
Over 300 email servers
30,000 devices on the open network
AD, NDS, iPlanet, OpenLDAP, Kerberos
Directory Project 2002-2003
PeopleSoft implementation (Finance, HR, Warehouse, Portal) 2003-2005
Identity Management
Identity management is authoritative association of people with identifiers such as ID numbers and ID cards and access credentials such as usernames/passwords.
Identity management is fundamental for providing secure authentication and authorization services.
Old Process / New Process
Old process: System administrator gives out accounts on a local system. Varying degrees of local identity management, no referencing across systems.
New process: Identity is established by trained coordinators and maintained centrally. Systems use authoritative sources for identity, credentials and authorization.
You need a Directory
Authentication, Authorization, Directory identified as key problems to solve at UF in August 2000
Community effort to solve the directory problem at UF -- 17 sources for contact information. Limited sharing.
Information Systems, Academic Technology, Health Science Center, Registrar, Data Center involved from the beginning
UF read, studied NMI documents – roadmap, early harvest, Metadirectory practices, identifier mappings
What we had to work with
GatorLink – Kerberos-based authentication mechanism since 1997
Unsponsored campus LDAP and NDS
DB2-based registry of people information used by some administrative systems
Many feeds to the registry, few from the registry
Ad hoc integration
UF Directory Project
Started an ad hoc planning group August 2000
Ken Klingenstein visit April 2001
Parallel effort to replace SSN merged August 2001
Finished report September 2001
Began implementation October 2001
Deployed new directory January 23, 2003
http://www.it.ufl.edu/projects/directory
Directory Project Deliverables
New Registry – 140 tables
New LDAP schema (eduPerson, eduOrg)
New IDs – UFID and UUID
GatorLink tied to UFID
50,000 new Gator One cards
1,500 applications modified
New self-service apps http://phonebook.ufl.edu
New directory coordinator apps
New APIs for directory-enabling business processes
800 directory coordinators identified and trained
UF Directory – Architecture
Three major interfaces
One data store
One set of APIs
About 50 message queues
Each app receives consistent data
Directory Coordinators Establish Identity
Each new faculty or staff member is entered into the directory by their local directory coordinator. This creates a new directory entry with a new UFID.
Student UFIDs are created by directory processes initiated by the Registrar
HR and Registrar update authoritative values for registry attributes
Goals for Authentication Services
Tie authentication to identity – all system access should be attributable to a UFID
Provide a single credential (GatorLink) environment, regardless of access technology
Support enterprise system sign on, LAN sign on, web sign on with same credential and same support for identity attribution
Five Projects
Web Initial Sign On – 2002/2003
Portal – 2002/2003
Password Management – 2003/2004
UF Active Directory – 2004/2005
Account Management -- 2005
Web Initial Sign On (WebISO) at UF
UF developed a local WebISO solution in 1998 – GLAuth
GLAuth provides a secure cookie-based Kerberos-authenticated system
GLAuth is simple to install on Apache web servers (Linux and Windows)
Legacy SIS and admin applications use GLAuth, providing single credential access to these systems
In 2002, augmented GLAuth to support Windows; integrated portal, WebCT, Legacy Admin to use GLAuth
Subsequent: grad school applications, athletic applications, career resource center, colleges and departments
Portal Implementation
Implemented PeopleSoft/Oracle Enterprise Portal in 2002/2003
Identity changes in directory are synched into portal and into HR and Finance for SSO
Portal provides GLAuth cookie for links to university services
Portal provides authorization platform for enterprise systems
Authorization Concept
Directory has “affiliations” for each person. Affiliations roll up to eduPerson affiliations and to a primary affiliation.
Affiliations imply authorizations
Authorization is based on roles
Some roles can be algorithmically determined by affiliations
Additional roles are assigned by traditional access request processes
Entity, Role and Service
Role Management
Roles are assigned algorithmically using processes accessing directory message queues
Roles are also assigned following request based on university policy
Department Security Coordinators use the portal Access Request System (ARS)
Individuals can view their roles from the portal
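The two slides above describe roles as partly derived from directory affiliations and partly granted by request. The following Python is an added example, not UF's code: it rolls a person's local affiliations up to eduPersonAffiliation values, picks a primary affiliation by precedence, derives the algorithmic roles, and merges in requested roles. The affiliation vocabulary, the precedence order, the role names and the rules in ROLE_RULES are all assumptions made for illustration. It also shows what a defender most wants from this model: when affiliations change, the algorithmic roles can be recomputed and the ones no longer justified revoked, while requested roles persist until a separate review removes them.

```python
# Added example (not UF's code): how local directory affiliations can roll up
# to eduPersonAffiliation values and drive algorithmically assigned roles.
# The affiliation vocabulary, precedence order and role rules below are assumptions.
from dataclasses import dataclass, field

# Assumed mapping from local affiliation codes to eduPersonAffiliation values.
EDUPERSON_OF = {
    "faculty": "faculty",
    "staff": "staff",
    "student": "student",
    "alumni": "alum",
    "affiliate": "affiliate",
}

# Assumed precedence for eduPersonPrimaryAffiliation: first match wins.
PRIMARY_PRECEDENCE = ["faculty", "staff", "student", "affiliate", "alum"]

# Assumed algorithmic role rules: role name -> predicate over eduPerson affiliations.
ROLE_RULES = {
    "UF_EMPLOYEE": lambda affs: bool(affs & {"faculty", "staff"}),
    "UF_STUDENT": lambda affs: "student" in affs,
    "UF_LIBRARY_PATRON": lambda affs: bool(affs & {"faculty", "staff", "student"}),
}


@dataclass
class Person:
    ufid: str
    affiliations: list                                  # maintained by HR / Registrar
    requested_roles: set = field(default_factory=set)   # granted through an access request


def eduperson_affiliations(person):
    """Roll local affiliations up to the set of eduPersonAffiliation values."""
    return {EDUPERSON_OF[a] for a in person.affiliations if a in EDUPERSON_OF}


def primary_affiliation(person):
    """Pick eduPersonPrimaryAffiliation by precedence; None if nothing is recognised."""
    affs = eduperson_affiliations(person)
    for candidate in PRIMARY_PRECEDENCE:
        if candidate in affs:
            return candidate
    return None


def algorithmic_roles(person):
    """Roles implied by affiliations alone; recomputed whenever affiliations change."""
    affs = eduperson_affiliations(person)
    return {role for role, rule in ROLE_RULES.items() if rule(affs)}


def effective_roles(person):
    """Algorithmic roles plus roles granted by request."""
    return algorithmic_roles(person) | person.requested_roles


def roles_to_revoke(before, after):
    """Algorithmic roles that were justified before an affiliation change but no longer are.
    Requested roles are not touched here: they stay until a separate review removes them,
    which is why request-based roles deserve periodic recertification."""
    return algorithmic_roles(before) - algorithmic_roles(after)


if __name__ == "__main__":
    # Constructed sample: a staff member who is also enrolled, with one requested role.
    p = Person("00000001", ["staff", "student"], {"ARS_APPROVER"})
    print(sorted(eduperson_affiliations(p)), primary_affiliation(p))
    print(sorted(effective_roles(p)))
    left = Person("00000001", ["alumni"], {"ARS_APPROVER"})
    print("revoke:", sorted(roles_to_revoke(p, left)))
```

In a message-queue-driven deployment like the one described, `roles_to_revoke` is what a consumer of the affiliation-change message would run before pushing role updates to the portal and other subscribers.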
My Roles
Every portal user can access their role information using My Roles
All roles are listed with descriptions
My Access History
Every portal user can access their access history
Suspicious access is referred to the university security team and potentially law enforcement
Password Management
Password management policies are determined by user roles – each role has a related password policy
Five password policies govern reset, use of hints, password age
Each user's GatorLink password management policy is the strongest policy required by the user's roles
All GatorLink accounts have strong passwords
Password changing is done using portal screens
Kerberos, AD, NDS are updated in real-time
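The slide states the rule (five policies, each role mapped to one, the user gets the strongest) without showing how the policies are ordered. The Python below is an added example, not UF's code: the five policies, their attributes (reset method, hints, maximum age), the role-to-policy mapping and the fallback to the baseline policy are assumptions. Besides selecting the effective policy it checks that the rank order is a genuine strength order, so that "strongest" never silently relaxes one attribute while tightening another.

```python
# Added example (not UF's code): choosing a user's effective GatorLink password
# policy as the strongest policy required by any of the user's roles. The five
# policy definitions and the role-to-policy mapping are assumptions.
from dataclasses import dataclass

# Assumed ordering of reset methods, weakest to strongest.
RESET_STRENGTH = {"self_service_hint": 0, "self_service_email": 1, "coordinator": 2, "in_person": 3}


@dataclass(frozen=True)
class PasswordPolicy:
    name: str
    rank: int            # position in the strength ordering; higher is stronger
    max_age_days: int    # password must be changed at least this often
    hints_allowed: bool  # whether password hints may be used
    reset: str           # weakest reset method the policy permits


# Five assumed policies, ranked 1 (weakest) to 5 (strongest).
POLICIES = {
    "P1": PasswordPolicy("P1", 1, 365, True, "self_service_hint"),
    "P2": PasswordPolicy("P2", 2, 180, True, "self_service_email"),
    "P3": PasswordPolicy("P3", 3, 120, False, "self_service_email"),
    "P4": PasswordPolicy("P4", 4, 90, False, "coordinator"),
    "P5": PasswordPolicy("P5", 5, 60, False, "in_person"),
}

# Assumed role -> policy mapping; roles not listed fall back to the baseline P1.
ROLE_POLICY = {
    "UF_STUDENT": "P1",
    "UF_EMPLOYEE": "P2",
    "GRADE_ENTRY": "P3",
    "HR_PAYROLL": "P4",
    "DIRECTORY_ADMIN": "P5",
}


def effective_policy(roles):
    """Return the strongest policy required by any role the user holds."""
    names = [ROLE_POLICY.get(r, "P1") for r in roles] or ["P1"]
    return max((POLICIES[n] for n in names), key=lambda p: p.rank)


def stricter_or_equal(stronger, weaker):
    """True if `stronger` is at least as strict as `weaker` on every attribute."""
    return (stronger.max_age_days <= weaker.max_age_days
            and (not stronger.hints_allowed or weaker.hints_allowed)
            and RESET_STRENGTH[stronger.reset] >= RESET_STRENGTH[weaker.reset])


def ordering_is_consistent(policies=POLICIES):
    """Check that the rank order is a real strength order: picking the highest-ranked
    policy must never relax any attribute relative to a lower-ranked one."""
    ranked = sorted(policies.values(), key=lambda p: p.rank)
    return all(stricter_or_equal(ranked[i + 1], ranked[i]) for i in range(len(ranked) - 1))


if __name__ == "__main__":
    print("ordering consistent:", ordering_is_consistent())
    print(effective_policy({"UF_STUDENT", "UF_EMPLOYEE", "HR_PAYROLL"}).name)
```

`ordering_is_consistent` is worth running whenever a policy definition is edited: if it fails, a single "strongest" pick no longer exists and the policies have to be merged attribute by attribute instead.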
UF Active Directory
UFAD accounts are built from directory message queues
Contact information in UFAD is populated from the directory
UFAD accounts use GatorLink usernames and passwords
OUs are populated based on the value of a “Network Managed By” attribute in the directory – directory coordinators assign the value
Accounts are provisioned centrally, rights are managed locally
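To make the UFAD slide concrete, the Python below is an added example, not UF's code: it consumes a directory change message and produces the account attributes and OU placement the message implies, placing the account according to the "Network Managed By" value. The JSON message format, the OU layout, the domain DN and the holding OU used when a coordinator has not yet assigned a value are all assumptions. The one security detail to notice is `escape_rdn_value`: the attribute is free text entered by coordinators, so it is escaped per RFC 4514 before it is used inside a distinguished name.

```python
# Added example (not UF's code): turning a directory change message into the
# UFAD account attributes and OU placement it implies. The message format, the
# OU layout, the domain DN and the holding OU for unassigned accounts are assumptions.
import json

DOMAIN_DN = "DC=ad,DC=example,DC=edu"           # placeholder, not UF's real domain DN
DEPT_OU_BASE = "OU=Departments," + DOMAIN_DN     # assumed container for managed OUs
UNASSIGNED_OU = "OU=Unassigned," + DOMAIN_DN     # assumed holding OU when no value is set


def escape_rdn_value(value):
    """Escape an RDN attribute value per RFC 4514 so directory data cannot break the DN."""
    out = []
    for i, ch in enumerate(value):
        if ch in '\\,+"<>;':
            out.append("\\" + ch)
        elif ch == "#" and i == 0:
            out.append("\\#")
        elif ch == " " and (i == 0 or i == len(value) - 1):
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


def target_ou(network_managed_by):
    """OU chosen from the directory's "Network Managed By" attribute."""
    if not network_managed_by or not network_managed_by.strip():
        return UNASSIGNED_OU
    return "OU=%s,%s" % (escape_rdn_value(network_managed_by.strip()), DEPT_OU_BASE)


def account_from_message(raw):
    """Desired UFAD attributes for one directory message (constructed JSON format)."""
    msg = json.loads(raw)
    ou = target_ou(msg.get("networkManagedBy"))
    return {
        "sAMAccountName": msg["gatorlink"],              # GatorLink username is the AD login
        "employeeID": msg["ufid"],                       # ties the account to the UFID
        "displayName": msg["displayName"],               # contact data comes from the directory
        "mail": msg.get("mail"),
        "distinguishedName": "CN=%s,%s" % (escape_rdn_value(msg["gatorlink"]), ou),
    }


def plan_action(existing, desired):
    """Decide what the provisioning step must do: create, move, update or nothing.
    `existing` is the current UFAD record (dict) or None if no account exists."""
    if existing is None:
        return "create"
    if existing["distinguishedName"] != desired["distinguishedName"]:
        return "move"            # a coordinator changed Network Managed By
    changed = {k for k in desired if k != "distinguishedName" and existing.get(k) != desired[k]}
    return "update" if changed else "noop"


# Constructed sample messages, not real directory traffic.
SAMPLE_CREATE = json.dumps({"ufid": "00000001", "gatorlink": "albert", "displayName": "Albert Gator",
                            "mail": "albert@example.edu", "networkManagedBy": "CLAS-IT"})
SAMPLE_MOVE = json.dumps({"ufid": "00000001", "gatorlink": "albert", "displayName": "Albert Gator",
                          "mail": "albert@example.edu", "networkManagedBy": "HSC, IT"})

if __name__ == "__main__":
    first = account_from_message(SAMPLE_CREATE)
    print(plan_action(None, first), first["distinguishedName"])
    second = account_from_message(SAMPLE_MOVE)
    print(plan_action(first, second), second["distinguishedName"])
```

Only the attributes above are set centrally; group memberships and rights inside each OU stay with the local administrators, which matches the slide's split between central provisioning and local rights management.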
Authentication Architecture
Authentication begins with identity
Automated processes populate the portal, HR, FI
Portal login produces cookie for WebISO
Middleware updates additional authentication services
Kerberos, AD, NDS supported
Current Status
All major enterprise systems (WebCT, WebMail, SIS, PeopleSoft, Legacy) use GatorLink authentication attributable to UFID
All major college/unit web sites use attributable authentication
25% of all desktops use attributable authentication (NDS and UFAD). By summer of 2006, over 50% of desktops will use attributable authentication (full Health Science Center implementation)
Current Project – Account Management
Create a formal lifecycle and state chart for GatorLink computer accounts
Increase the name space from 8 to 16 characters
Consolidate/replace legacy apps for acct mgt into the portal
Introduce web services – account state changes will be available to subscribing service providers
Go live mid-September 2005
Future Work
Directory/identity integration with VOIP services
Directory/identity integration with building access services
PeopleSoft/Oracle Campus Community will be implemented with go-live Summer 2006
Legacy systems maintaining authorization information will be reimplemented using roles
Direct access to the directory via APIs will be replaced with messaging infrastructure
For More Information
http://ufid.ufl.edu
http://www.bridges.ufl.edu/directory
http://gatorlink.ufl.edu
http://www.ad.ufl.edu
Email [email protected]