GatorAid: Identity Management at the University of Florida

Mike Conlon, Director of Data Infrastructure, mconlon@ufl.edu

Page 1: Title slide

Page 2: Copyright Notice

Copyright Mike Conlon 2005.

This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

Page 3: NMI-EDIT Consortium

NMI-EDIT is the NSF Middleware Initiative (NMI) Enterprise and Desktop Integration Technologies (EDIT) Consortium, comprising Internet2, EDUCAUSE, and SURA.
Funded by the NSF Middleware Initiative.
Serves e-science and research.
Researches and develops inter-institutional identity and access management tools, Shibboleth for example.
Guided by MACE, the Middleware Architecture Committee for Education, a group of R&E IT architects from the US and Europe.

Page 4: One Slide About UF

49,000 students in Gainesville, FL; 15,000 distance, continuing and executive students
$2.0 billion annual budget; $475 million in research, growing at 9% per year; Health Sciences is 58% of research
140 academic departments in 23 colleges
Land grant: extension in all 67 counties
The Gators, Lady Gators, Gatorade

Page 5: One Slide About UF Technology

500 IT professionals across campus; very decentralized
Estimated $90 million in annual IT spending
Over 300 email servers
30,000 devices on the open network
AD, NDS, iPlanet, OpenLDAP, Kerberos
Directory Project 2002-2003
PeopleSoft implementation (Finance, HR, Warehouse, Portal) 2003-2005

Page 6: Identity Management

Identity management is the authoritative association of people with identifiers (such as ID numbers and ID cards) and with access credentials (such as usernames and passwords).

Identity management is fundamental for providing secure authentication and authorization services.

Page 7: Old Process / New Process

Old process: a system administrator gives out accounts on a local system. Varying degrees of local identity management; no cross-referencing between systems.

New process: identity is established by trained coordinators and maintained centrally. Systems use authoritative sources for identity, credentials and authorization.

Page 8: You Need a Directory

Authentication, authorization and directory identified as key problems to solve at UF in August 2000.
Community effort to solve the directory problem at UF: 17 sources for contact information, limited sharing.
Information Systems, Academic Technology, Health Science Center, Registrar and Data Center involved from the beginning.
UF read and studied the NMI documents: roadmap, early harvest, metadirectory practices, identifier mappings.

Page 9: What We Had to Work With

GatorLink: Kerberos-based authentication mechanism since 1997.
Unsponsored campus LDAP and NDS.
DB2-based registry of people information used by some administrative systems. Many feeds to the registry, few from the registry. Ad hoc integration.

Page 10: UF Directory Project

Started an ad hoc planning group August 2000
Ken Klingenstein visit April 2001
Parallel effort to replace SSN merged August 2001
Finished report September 2001
Began implementation October 2001
Deployed new directory January 23, 2003
http://www.it.ufl.edu/projects/directory

Page 11: Directory Project Deliverables

New registry: 140 tables
New LDAP schema (eduPerson, eduOrg)
New IDs: UFID and UUID
GatorLink tied to UFID
50,000 new Gator One cards
1,500 applications modified
New self-service apps: http://phonebook.ufl.edu
New directory coordinator apps
New APIs for directory-enabling business processes
800 directory coordinators identified and trained

Page 12: UF Directory Architecture

Three major interfaces
One data store
One set of APIs
About 50 message queues
Each app receives consistent data

Page 13: Directory Coordinators Establish Identity

Each new faculty or staff member is entered into the directory by their local directory coordinator. This creates a new directory entry with a new UFID.
Student UFIDs are created by directory processes initiated by the Registrar.
HR and the Registrar update authoritative values for registry attributes.

Page 14: Goals for Authentication Services

Tie authentication to identity: all system access should be attributable to a UFID.
Provide a single-credential (GatorLink) environment, regardless of access technology.
Support enterprise system sign-on, LAN sign-on and web sign-on with the same credential and the same support for identity attribution.

Page 15: Five Projects

Web Initial Sign On: 2002/2003
Portal: 2002/2003
Password Management: 2003/2004
UF Active Directory: 2004/2005
Account Management: 2005

Page 16: Web Initial Sign On (WebISO) at UF

UF developed a local WebISO solution in 1998: GLAuth.
GLAuth provides a secure, cookie-based system backed by Kerberos authentication.
GLAuth is simple to install on Apache web servers (Linux and Windows).
Legacy SIS and admin applications use GLAuth, providing single-credential access to these systems.
In 2002, GLAuth was augmented to support Windows, and the portal, WebCT and legacy admin systems were integrated to use GLAuth. Subsequently: grad school applications, athletic applications, career resource center, colleges and departments.

Page 17: Portal Implementation

Implemented PeopleSoft/Oracle Enterprise Portal in 2002/2003.
Identity changes in the directory are synced into the portal and into HR and Finance for SSO.
The portal provides the GLAuth cookie for links to university services.
The portal provides the authorization platform for enterprise systems.
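The slides say GLAuth is a secure, cookie-based system backed by Kerberos and that the portal hands out that cookie for links to other services, but they do not describe the cookie itself. The following Python is an added example, not GLAuth's code, of how such a WebISO cookie can assert an already-authenticated identity to other web servers while keeping every access attributable to a UFID: the sign-on service issues a cookie carrying UFID, username and a validity window under an HMAC, and any application fronted by the verifying module checks it without contacting Kerberos again. The secret, the field layout, the eight-hour lifetime and the names issue_cookie and verify_cookie are assumptions.

```python
import hashlib
import hmac
import time
from typing import Optional

# Assumed values, not GLAuth's: a secret shared by the sign-on service and the
# web servers that verify the cookie, and the session lifetime it grants.
WEBISO_SECRET = b"replace-with-a-random-secret-from-secrets.token_bytes"
COOKIE_TTL_SECONDS = 8 * 3600


def issue_cookie(ufid: str, username: str, now: Optional[int] = None,
                 secret: bytes = WEBISO_SECRET, ttl: int = COOKIE_TTL_SECONDS) -> str:
    """Build the sign-on cookie after Kerberos has authenticated `username`.
    The UFID travels with the username so that every downstream access is
    attributable to an identity, not just to a login name. Format (assumed):
    ufid|username|issued|expires|hmac-sha256(first four fields)."""
    if "|" in ufid or "|" in username:
        raise ValueError("field separator not allowed in identity fields")
    issued = int(time.time()) if now is None else now
    payload = f"{ufid}|{username}|{issued}|{issued + ttl}"
    mac = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{mac}"


def verify_cookie(cookie: str, now: Optional[int] = None,
                  secret: bytes = WEBISO_SECRET) -> Optional[dict]:
    """Return the asserted identity, or None if the cookie is malformed,
    forged, altered or outside its validity window. The MAC is compared in
    constant time and checked before any field is trusted."""
    parts = cookie.split("|")
    if len(parts) != 5:
        return None
    ufid, username, issued, expires, mac = parts
    expected = hmac.new(secret, "|".join(parts[:4]).encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    try:
        issued_i, expires_i = int(issued), int(expires)
    except ValueError:
        return None
    current = int(time.time()) if now is None else now
    if not issued_i <= current < expires_i:
        return None
    return {"ufid": ufid, "username": username, "expires": expires_i}


if __name__ == "__main__":
    cookie = issue_cookie("12345678", "albert", now=1_000_000)
    print(verify_cookie(cookie, now=1_000_100))                               # identity dict
    print(verify_cookie(cookie.replace("albert", "alberta"), now=1_000_100))  # None: altered
    print(verify_cookie(cookie, now=1_000_000 + COOKIE_TTL_SECONDS))          # None: expired
```

The cookie should be set with the Secure and HttpOnly flags and scoped to the university domain; because the verifier holds no session state, revocation before expiry is only possible by keeping the lifetime short or by adding a server-side denylist.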

Page 18: Authorization Concept

The directory has "affiliations" for each person. Affiliations roll up to eduPerson affiliations and to a primary affiliation.
Affiliations imply authorizations.
Authorization is based on roles.
Some roles can be determined algorithmically from affiliations.
Additional roles are assigned by traditional access request processes.

Page 19: Entity, Role and Service (diagram)

Page 20: Role Management

Roles are assigned algorithmically by processes that consume the directory message queues.
Roles are also assigned on request, following university policy.
Department Security Coordinators use the portal Access Request System (ARS).
Individuals can view their roles from the portal.

Page 21: My Roles

Every portal user can view their role information using My Roles.
All roles are listed with descriptions.

Page 22: My Access History

Every portal user can view their own access history.
Suspicious access is referred to the university security team and potentially to law enforcement.

Page 23: Password Management

Password management policies are determined by user roles: each role has a related password policy.
Five password policies govern reset, use of hints and password age.
Each user's GatorLink password policy is the strongest policy required by any of the user's roles.
All GatorLink accounts have strong passwords.
Password changes are done using portal screens; Kerberos, AD and NDS are updated in real time.
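The "strongest policy required by the user's roles" rule, as an added Python example that is not UF's code. The slide names five policies and says they govern reset, hints and age but does not publish their parameters, so the policy values, the rank ordering, the role names and the role-to-policy mapping below are all assumed.

```python
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class PasswordPolicy:
    name: str
    rank: int                 # higher rank is stronger; the strongest required wins
    max_age_days: int         # the password must be changed at least this often
    hints_allowed: bool       # may a hint be stored and used during reset
    self_service_reset: bool  # may the user reset online, or must a coordinator act


# Illustrative parameters (assumed): the slide does not publish the real values.
POLICIES = {
    "P1": PasswordPolicy("P1", 1, max_age_days=365, hints_allowed=True,  self_service_reset=True),
    "P2": PasswordPolicy("P2", 2, max_age_days=180, hints_allowed=True,  self_service_reset=True),
    "P3": PasswordPolicy("P3", 3, max_age_days=120, hints_allowed=False, self_service_reset=True),
    "P4": PasswordPolicy("P4", 4, max_age_days=90,  hints_allowed=False, self_service_reset=True),
    "P5": PasswordPolicy("P5", 5, max_age_days=60,  hints_allowed=False, self_service_reset=False),
}
DEFAULT_POLICY = "P1"   # assumed floor for a user whose roles carry no policy

# Hypothetical role names and role-to-policy assignments.
ROLE_POLICY = {
    "UF_PORTAL_USER": "P1",
    "UF_STUDENT": "P1",
    "UF_EMPLOYEE": "P2",
    "UF_HR_VIEWER": "P3",
    "UF_FI_APPROVER": "P4",
    "UF_SECURITY_COORDINATOR": "P5",
}


def effective_policy(roles: Iterable[str]) -> PasswordPolicy:
    """The user's GatorLink policy is the strongest one required by any role.
    Roles with no policy are ignored; no qualifying role means the default."""
    chosen = POLICIES[DEFAULT_POLICY]
    for role in roles:
        name = ROLE_POLICY.get(role)
        if name is not None and POLICIES[name].rank > chosen.rank:
            chosen = POLICIES[name]
    return chosen


def password_change_required(roles: Iterable[str], password_age_days: int) -> bool:
    """True if the password is older than the effective policy allows. Because
    the policy is recomputed from current roles, granting a stronger role can
    force a change for a password that was compliant under the old roles."""
    return password_age_days > effective_policy(roles).max_age_days


def hint_permitted(roles: Iterable[str]) -> bool:
    return effective_policy(roles).hints_allowed


if __name__ == "__main__":
    staff = ["UF_PORTAL_USER", "UF_EMPLOYEE"]
    print(effective_policy(staff).name)                                 # P2
    print(password_change_required(staff, 100))                         # False
    print(password_change_required(staff + ["UF_FI_APPROVER"], 100))   # True
```

Evaluating the policy from the current role set rather than storing it on the account is what makes the rule hold when roles change: the moment ARS grants a stronger role, the next password check applies the stricter age and hint rules.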

Page 24: UF Active Directory

UFAD accounts are built from directory message queues.
Contact information in UFAD is populated from the directory.
UFAD accounts use GatorLink usernames and passwords.
OUs are populated based on the value of a "Network Managed By" attribute in the directory; directory coordinators assign the value.
Accounts are provisioned centrally; rights are managed locally.
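Pages 12, 18, 20 and 24 describe one pipeline: a directory change goes onto a message queue, every subscriber sees the same data, affiliations roll up to eduPerson affiliations and a primary affiliation, roles are derived algorithmically from affiliations and merged with request-based roles, and the UFAD provisioner places the account in an OU from the "Network Managed By" value. The following Python is an added example, not the UF directory's code, of what such a subscriber computes from one message. The message format, the local affiliation names, the roll-up table, the precedence order, the role names and the OU layout under DC=ad,DC=ufl,DC=edu are assumptions; the sample message is constructed.

```python
import json
from typing import Dict, List, Optional, Set

# Assumed mapping from UF local affiliations to eduPersonAffiliation values.
LOCAL_TO_EDUPERSON = {
    "faculty":  {"faculty", "employee", "member"},
    "staff":    {"staff", "employee", "member"},
    "student":  {"student", "member"},
    "courtesy": {"affiliate"},
    "retiree":  {"affiliate"},
}
# Assumed precedence for choosing eduPersonPrimaryAffiliation.
PRIMARY_PRECEDENCE = ["faculty", "staff", "student", "employee", "affiliate", "member"]
# Roles implied algorithmically by eduPerson affiliations (hypothetical role names).
AFFILIATION_ROLES = {
    "member":   {"UF_PORTAL_USER"},
    "employee": {"UF_EMPLOYEE"},
    "student":  {"UF_STUDENT"},
}
AD_BASE_DN = "DC=ad,DC=ufl,DC=edu"   # assumed forest layout


def roll_up_affiliations(local: List[str]) -> Set[str]:
    edu: Set[str] = set()
    for a in local:
        edu |= LOCAL_TO_EDUPERSON.get(a.lower(), set())
    return edu


def primary_affiliation(edu: Set[str]) -> Optional[str]:
    return next((p for p in PRIMARY_PRECEDENCE if p in edu), None)


def algorithmic_roles(edu: Set[str]) -> Set[str]:
    roles: Set[str] = set()
    for a in edu:
        roles |= AFFILIATION_ROLES.get(a, set())
    return roles


def dn_escape(value: str) -> str:
    """Escape an attribute value for use in a DN (RFC 4514), so a coordinator-
    entered unit name cannot inject extra RDNs into the OU path."""
    s = "".join("\\" + c if c in ',+"\\<>;=' else c for c in value)
    if s[:1] in ("#", " "):
        s = "\\" + s
    if s.endswith(" "):
        s = s[:-1] + "\\ "
    return s


def provisioning_record(message: Dict) -> Dict:
    """What a subscriber such as the UFAD provisioner derives from one
    directory change message. A person with no remaining affiliation is
    deactivated and loses every role, including request-based ones."""
    edu = roll_up_affiliations(message.get("affiliations", []))
    active = bool(edu)
    roles = (algorithmic_roles(edu) | set(message.get("requested_roles", []))) if active else set()
    unit = message.get("networkManagedBy")
    ou = f"OU={dn_escape(unit)},OU=People,{AD_BASE_DN}" if unit else None
    return {
        "ufid": message["ufid"],
        "gatorlink": message["gatorlink"],
        "active": active,
        "eduPersonAffiliation": sorted(edu),
        "eduPersonPrimaryAffiliation": primary_affiliation(edu),
        "roles": sorted(roles),
        "ou": ou,
    }


# Constructed sample message; the real queue payload format is not on the page.
SAMPLE_MESSAGE = json.loads("""{
  "event": "person.changed",
  "ufid": "12345678",
  "gatorlink": "albert",
  "affiliations": ["faculty", "student"],
  "networkManagedBy": "HSC-IT",
  "requested_roles": ["UF_HR_VIEWER"]
}""")

if __name__ == "__main__":
    print(json.dumps(provisioning_record(SAMPLE_MESSAGE), indent=2))
```

Two points the slides imply but do not spell out are built in: request-based roles do not outlive the affiliation that justified portal access, so a separation message clears them, and the OU value is escaped before it is placed in a DN, because it is free text entered by 800 coordinators rather than a value the provisioner controls.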

Page 25: Authentication Architecture

Authentication begins with identity.
Automated processes populate the portal, HR and FI.
Portal login produces the cookie for WebISO.
Middleware updates additional authentication services.
Kerberos, AD and NDS are supported.

Page 26: Current Status

All major enterprise systems (WebCT, WebMail, SIS, PeopleSoft, legacy) use GatorLink authentication attributable to a UFID.
All major college/unit web sites use attributable authentication.
25% of all desktops use attributable authentication (NDS and UFAD). By summer 2006, over 50% of desktops will use attributable authentication (full Health Science Center implementation).

Page 27: Current Project: Account Management

Create a formal lifecycle and state chart for GatorLink computer accounts.
Increase the username name space from 8 to 16 characters.
Consolidate/replace legacy account management apps into the portal.
Introduce web services: account state changes will be available to subscribing service providers.
Go live mid-September 2005.

Page 28: Future Work

Directory/identity integration with VoIP services.
Directory/identity integration with building access services.
PeopleSoft/Oracle Campus Community will be implemented, with go-live Summer 2006.
Legacy systems maintaining authorization information will be reimplemented using roles.
Direct access to the directory via APIs will be replaced with the messaging infrastructure.

Page 29: For More Information

http://ufid.ufl.edu
http://www.bridges.ufl.edu/directory
http://gatorlink.ufl.edu
http://www.ad.ufl.edu

Email mconlon@ufl.edu