Identity Management - Real World Usage v8
DESCRIPTION
A presentation on identity management at a medium-size school district, as well as the workings of the SIFA Identity Management Task Force to support standardization of identity management for the education space.
TRANSCRIPT
STATS DC 2011 Balancing Timeliness and Quality
Identity Management (IDM) Real World Usage at the Local Level
Patrick Plant, CTO/CIO, Anoka-Hennepin School District
Andrew Elmhorst, Chief Architect, Pearson Data Solutions
WHAT IS THE USER EXPERIENCE? The Problem
The End User Experience
• Users are dealing with multiple usernames and passwords across systems
  – Different username and password policies across systems discourage or prevent use of the same username and password
  – From both an ease-of-use and an organizational-liability standpoint, this encourages weak passwords and bad practices.
Communication & Training are Key
(Sample district notice to staff, reproduced on the slide:)
Heads up! New network password policies are being adopted for staff and students across the District.
When: Starting 2/2/2010
Who it affects: All staff with Active Directory accounts
Why must you change your password? Poorly chosen user passwords are the most common threat to computer network security. As an employee, you share responsibility for the security of the district network.
How: You'll receive an email from Hattie Leary indicating the date your building will change. The first time you log into your computer after that date, you will be prompted to change your password. It's easy; enter your new password twice and click OK.
Choosing your new password:
• Must be a minimum of 8 characters
• Must mix letters, numbers, and at least one special character (* % ^ # - anything not a letter or number). It's helpful to think of a phrase/goal/saying like "Retirement? I have 10 years left." Use the first letter of each word; your password will be R?Ih10yl.
• Must start with a letter and contain upper and lower case letters
• Remember 4-4-4: Cannot contain more than 4 repeating characters or match more than 4 characters to the 4 previously used passwords
Simplify your life: If you log into several applications, you may use the same password for all of them. You'll receive an email with links to instructions for changing your password in other applications such as SASI and MyLearningPlan.
How often will you need to change your password? Passwords will expire every 120 days.
Remember: do not share your password with anyone!
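As an added example (not part of the presentation and not the district's own code), the following Python checks a candidate password against the rules in the notice above. The list of previous passwords is a constructed sample held in plaintext purely so the "match more than 4 characters" part of the 4-4-4 rule can be demonstrated; a real directory stores only hashes, so it can detect exact reuse but not partial overlap, which is one reason that rule is hard to enforce as written. The interpretation of "match more than 4 characters" as "share a run of more than 4 consecutive characters with one of the last 4 passwords" is an assumption.

```python
# Constructed sample of one user's last 4 passwords. Plaintext only for the
# demonstration; production systems keep hashes and can only check exact reuse.
PREVIOUS = ["Summer2009!", "Winter09#x", "Spring10$y", "Autumn08&z"]


def max_repeat(s):
    """Longest run of a single character repeated consecutively."""
    best = run = 0
    prev = None
    for ch in s:
        run = run + 1 if ch == prev else 1
        prev = ch
        best = max(best, run)
    return best


def longest_common_run(a, b):
    """Length of the longest substring shared by a and b (case-sensitive)."""
    best = 0
    for i in range(len(a)):
        for j in range(len(b)):
            k = 0
            while i + k < len(a) and j + k < len(b) and a[i + k] == b[j + k]:
                k += 1
            best = max(best, k)
    return best


def check_password(pw, history=PREVIOUS):
    """Return the list of rule violations; an empty list means the password is acceptable."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if not pw or not pw[0].isalpha():
        problems.append("must start with a letter")
    if not any(c.islower() for c in pw) or not any(c.isupper() for c in pw):
        problems.append("needs both upper and lower case letters")
    if not any(c.isdigit() for c in pw):
        problems.append("needs a number")
    # "Special" per the notice: anything that is not a letter or a number.
    if not any(not c.isalnum() for c in pw):
        problems.append("needs a special character")
    if max_repeat(pw) > 4:
        problems.append("more than 4 repeating characters")
    # Assumed reading of the second "4" in 4-4-4: no run of >4 characters shared with
    # any of the 4 most recent passwords.
    if any(longest_common_run(pw, old) > 4 for old in history[-4:]):
        problems.append("shares more than 4 characters with one of the last 4 passwords")
    return problems


if __name__ == "__main__":
    for candidate in ("R?Ih10yl", "password", "Summer2009!x"):
        print(candidate, "->", check_password(candidate) or "OK")
```

The memo's own example, R?Ih10yl, passes every rule; a plain dictionary word fails three of them at once, and appending a single character to an old password is caught by the history check even though it is not an exact repeat.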
Managing users across systems over time
HR System
• Robert J Brown
• Teacher
Network System
• rjbrown
• Staff
Email System
• rjbrown@1-school.edu
Data Reporting System
• Bob Brown
• Can see students in classes
Parent Portal
• Bobby Brown
• Can see Susie's grades
What happens when Robert:
• Is hired?
• Gets promoted?
• Goes on leave?
• Loses custody of Susie?
• Gets divorced?
• Retires?
The Identity Management Experience
• District staff are dealing with identity and access management for staff, students and parents
  – Access to systems must be secure
  – Timely provisioning across systems
  – Timely de-provisioning across systems
  – Automation is essential for accuracy and containing cost
Standards?
• LDAP • inetOrgPerson • eduPerson • SAML • Shibboleth • CAS • JAAS • OpenSSO • OpenID • Biometrics • Smart cards
• One-off, custom integrations
• Not repeatable across organizations
• Bespoke requirements for suppliers
• Dizzying array of standards for organizations to choose from
Information Management Strategy
• Three legs of an information management strategy:
  – Identity and Access Management
  – Information sharing and data management
  – Operational & Analytic System Use, Reporting, Data Utilization
• Unless everyone in the world has one system, we need the capability to integrate identities
• Better integration is a key cornerstone to unlocking collaborative possibilities (LEA, SEA, Cities, Counties, etc.)
• People are becoming more aware of ID standard needs
• SIF legitimately has the capacity and capability to work on this problem area for the educational enterprise
IDENTITY MANAGEMENT PRACTICES Real World Usage Scenarios
The User Experience
• Important capabilities
  – Provisioning of accounts from source systems
  – Zero-day start is optimal (and becoming essential)
  – Providing access appropriately and securely to the right users at the right time
  – Capability to do single sign on across systems
  – Understanding between systems of shared attributes
  – De-provisioning users when they no longer should have access (is sometimes overlooked)
What is an identity?
• A unique record, identifying a user within an enterprise
  – Represented by one or more attributes that are unique to the user
    • A set of unique ID attributes (DN, UUID, etc.)
    • A set of logon credentials (username/password)
      • Expiry, timeouts, retries
  – The record can contain additional attributes (name, address, contact information)
Where is an identity created?
• In its simplest form, an identity may be created in a network directory system (Active Directory, Novell eDirectory, Sun ONE, etc.)
• Other systems can connect to the directory
  – read directory information (address book)
  – verify a user's credentials
Identity Lifecycle - Provisioning
1. Data Sourced (HR, SIS)
2. Attributes Applied (First Name, Last Name, Department / Grade / Course)
3. Identity Established (ID created, account established)
4. Credentials Issued (username, password)
Identity Lifecycle – In Use
1. Roles Applied (Admin, Staff, Teacher)
2. Login (one or more systems)
3. Roles Change (more access, less access)
4. Deprovision (remove access, inactivate)
Sustainable Management of Identities
• Ongoing identity management is crucial
  – Identity attributes should be entered only once
  – Provisioning should be automated
  – Information updates (typically from source systems)
  – Changing of roles over time
  – Credential resets / online self-help portals
  – Self-serve capability for managers/leaders to approve and direct role changes over time
  – Inactivation and de-provisioning
• Monitoring and auditing access to systems is being increasingly required (e.g. SOX compliance)
• If identities and roles are not centrally managed and processes automated, the ongoing maintenance is difficult
Identity Lifecycle Levels of Automation
3. Real Time
2. Batch (Nightly)
1. Export / Import
0. Manual
Moving up the levels: more automation, higher accuracy, better user experience
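As an added example (not from the presentation and not the district's or Pearson's code), the following Python implements level 2 of the ladder above, a nightly batch reconciliation of the directory against the HR source system, and walks Robert's lifecycle from the "Managing users across systems over time" slide: hire (create), promotion (attribute update), leave (disable), and the case the slides flag as often overlooked, an account whose source record has disappeared. The HR feed, the directory snapshot and the field names are constructed for the example; the username convention (first initial plus last name) is an assumption.

```python
# Constructed sample of the authoritative HR feed (the "source system").
# active=False models leave or retirement; a missing record models termination.
HR_FEED = [
    {"employee_id": "100042", "first": "Robert", "last": "Brown",
     "title": "Teacher", "school": "School A", "active": True},
    {"employee_id": "100043", "first": "Hattie", "last": "Leary",
     "title": "Admin", "school": "District Office", "active": True},
    {"employee_id": "100044", "first": "Susan", "last": "Jones",
     "title": "Teacher", "school": "School B", "active": False},
]

# Constructed snapshot of the directory, keyed by the HR employee_id so that a
# renamed or remarried user is still the same identity.
DIRECTORY = {
    "100042": {"uid": "rjbrown", "title": "Staff", "school": "School A", "enabled": True},
    "100044": {"uid": "sjones", "title": "Teacher", "school": "School B", "enabled": True},
    "100099": {"uid": "tsmith", "title": "Teacher", "school": "School A", "enabled": True},
}


def make_uid(first, last, taken):
    """Assumed naming convention: first initial + last name, lower case; counter on collision."""
    base = (first[0] + last).lower()
    uid, n = base, 1
    while uid in taken:
        n += 1
        uid = f"{base}{n}"
    return uid


def reconcile(feed, directory):
    """Batch reconciliation. Returns (actions, new_directory) and leaves the input untouched.

    create  - identity exists in HR but not in the directory (hire)
    update  - a sourced attribute changed (promotion, transfer)
    disable - HR marks the person inactive, or the HR record is gone (leave, retire, terminate)
    enable  - person returned from leave
    """
    actions = []
    new_dir = {eid: dict(entry) for eid, entry in directory.items()}
    taken = {entry["uid"] for entry in new_dir.values()}
    seen = set()
    for rec in feed:
        eid = rec["employee_id"]
        seen.add(eid)
        if eid not in new_dir:
            uid = make_uid(rec["first"], rec["last"], taken)
            taken.add(uid)
            new_dir[eid] = {"uid": uid, "title": rec["title"],
                            "school": rec["school"], "enabled": rec["active"]}
            actions.append(("create", uid))
            continue
        entry = new_dir[eid]
        for attr in ("title", "school"):          # attributes owned by the source system
            if entry[attr] != rec[attr]:
                actions.append(("update", entry["uid"], attr, rec[attr]))
                entry[attr] = rec[attr]
        if entry["enabled"] != rec["active"]:
            actions.append(("enable" if rec["active"] else "disable", entry["uid"]))
            entry["enabled"] = rec["active"]
    # De-provisioning: any enabled account with no source record is disabled,
    # never silently kept. Disable rather than delete so the audit trail survives.
    for eid, entry in new_dir.items():
        if eid not in seen and entry["enabled"]:
            actions.append(("disable", entry["uid"]))
            entry["enabled"] = False
    return actions, new_dir


if __name__ == "__main__":
    actions, updated = reconcile(HR_FEED, DIRECTORY)
    for action in actions:
        print(action)
    # A second run against the reconciled directory is a no-op.
    print("second run:", reconcile(HR_FEED, updated)[0])
```

Two properties matter for a job like this: it must be idempotent, so a re-run after a partial failure does no harm, and the de-provisioning pass must be driven by absence from the source rather than by an explicit "terminated" event that may never arrive.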
Single Sign On Interoperability
• Centralizing authentication and authorization requires interoperability
  – Use of authentication protocols supported by the Identity Management System
    • LDAP
    • Kerberos, CAS, JAAS, OpenSSO, SAML, Shibboleth, OpenID
  – A shared schema (understanding of the attribute names used in the directory)
    • X.500
    • inetOrgPerson (RFC 2798)
Single Sign On Levels
3. Federated Single Sign On (crosses organizational boundaries)
2. Single Sign On
1. Consistent Sign On (single username and password)
0. Separate Sign On (long password lists)
Better user experience as you move up the levels
What about roles?
• An identity can have multiple roles
  – Teacher, Staff, Parent, Student, Administrator
• A simplistic practice is to create a separate identity for each role a user holds
• Best practice is to create a single identity and assign the various roles to that user
• Roles may need to be very granular
  – Staff in School A, Admin in School B
  – Teacher of Johnny, Parent/Guardian of Susie
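As an added example (not from the presentation), the following Python models the "single identity, many granular roles" practice above: each role grant carries a scope (district, school, class section, or one student), and an authorization decision succeeds only if some grant both allows the action and covers the student in question. The grants, rosters and permission matrix are constructed; Robert holds exactly the roles the slide lists (staff in School A, admin in School B, teacher of Johnny, guardian of Susie).

```python
# Constructed: one identity, many scoped role grants as (role, scope_kind, scope_id).
GRANTS = {
    "rjbrown": [
        ("staff", "school", "A"),
        ("admin", "school", "B"),
        ("teacher", "section", "SEC-7"),
        ("guardian", "student", "susie"),
    ],
    "hleary": [("admin", "district", "*")],
}

# Constructed roster data needed to resolve scopes.
STUDENT_SCHOOL = {"johnny": "A", "tom": "A", "susie": "C"}
SECTION_ROSTER = {"SEC-7": {"johnny", "tom"}}

# Permission matrix: which (role, action) pairs are allowed at all.
ALLOW = {
    ("teacher", "view_grades"), ("teacher", "enter_grades"),
    ("guardian", "view_grades"),
    ("admin", "view_grades"), ("admin", "enter_grades"), ("admin", "manage_accounts"),
}


def in_scope(scope_kind, scope_id, student):
    """Does a grant with this scope cover the given student?"""
    if scope_kind == "district":
        return True
    if scope_kind == "school":
        return STUDENT_SCHOOL.get(student) == scope_id
    if scope_kind == "section":
        return student in SECTION_ROSTER.get(scope_id, set())
    if scope_kind == "student":
        return student == scope_id
    return False  # unknown scope kinds deny, never allow


def roles_for(identity, student):
    """The identity's roles that apply to this student (handy for audit and explanation)."""
    return sorted(role for role, kind, sid in GRANTS.get(identity, [])
                  if in_scope(kind, sid, student))


def permitted(identity, action, student):
    """True if some grant both allows the action and covers the student."""
    return any((role, action) in ALLOW and in_scope(kind, sid, student)
               for role, kind, sid in GRANTS.get(identity, []))


if __name__ == "__main__":
    for who, action, student in [("rjbrown", "view_grades", "johnny"),
                                 ("rjbrown", "view_grades", "susie"),
                                 ("rjbrown", "enter_grades", "susie"),
                                 ("rjbrown", "manage_accounts", "johnny")]:
        print(who, action, student, "->", permitted(who, action, student), roles_for(who, student))
```

The cases worth noticing: Robert can view Susie's grades only through the guardian grant, so he cannot enter them; and his admin role in School B gives him nothing over Johnny in School A, which is what the slide's "Staff in School A, Admin in School B" granularity is meant to guarantee.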
Identity and Access Integration Levels
2. Roles/Access Shared (allows central access control)
1. Identity Sharing / Provisioning, ahead of time or just in time (allows for SSO)
0. No Sharing (silo systems)
Identity and Access Integration
• Now that the identity is created, how do all of the other systems understand and use it?
• If changes are made, do other systems get updated?
• Are user roles and system access centralized or siloed in each system?
STANDARDIZING IDENTITY MANAGEMENT
What the SIFA IDM Project Team is up to
Why Standardization?
• We are not using the same system
• Standards open new opportunities for collaboration
• Too many standards for SSO, not enough standards for management
• Bespoke, ad-hoc in practice
Management of State Student IDs
• SIF supports real-time, web services based integration between LEAs and SEAs to support automated student ID management
• No credentials are issued, so this is not identity management in the broader sense
• Student IDs are managed by SIF in 9 states: AK, IA, OH, SC, UT, VA, WY, MA, OK
Mission
Create plug and play interoperability profiles, supporting identity management and single sign on for the educational space
SIFA IDM Project Team Assumptions
• Provisioning the IDM
• Sharing identity data
• Maps between SIF and IDM
• Leverage existing IDM specs
• Global scope
Near Term Deliverables
• Identity Provisioning Profile
• Single Sign On Profile
• Access Provisioning Profile
• Identity Aggregation Profile
Identity Provisioning with SIF
[Diagram: the applications (Student Information System, Human Resources and Financial Management, Special Programs, Instructional Improvement System, Data Warehouse, Learning Management System, Formative Assessment) connect through SIF Agents to the ZIS, and SIF Data Objects flow from the ZIS to the Identity Management System.]
Identity Provisioning Profile
• Describes how an Identity Management System can be provisioned by SIF
• Describes a basic set of assumptions for determining user roles from SIF data
• Profiles the identity data that an Identity Management System should publish back to SIF
• Profiles the data flow for standard use cases
Publishing Identity Attributes
[Diagram: the Identity Management System publishes identity attributes as SIF Data Objects through its SIF Agent to the ZIS, from which the other applications (Student Information System, Human Resources and Financial Management, Special Programs, Instructional Improvement System, Data Warehouse, Learning Management System, Formative Assessment) receive them through their own SIF Agents.]
Identity Provisioning Example
<Identity RefId="4286194F43ED43C18EE2F0A27C4BEF86">
  <SIF_RefId SIF_RefObject="StudentPersonal">23B08571E4D645C3B82A...</SIF_RefId>
  <AuthenticationSource>MSActiveDirectory</AuthenticationSource>
  <IdentityAssertions>
    <IdentityAssertion SchemaName="sAmAccountName">user01</IdentityAssertion>
    <IdentityAssertion SchemaName="userPrincipalName">[email protected]</IdentityAssertion>
    <IdentityAssertion SchemaName="distinguishedName">cn=User1,cn=Users,dc=org</IdentityAssertion>
  </IdentityAssertions>
  <AuthenticationSourceGlobalUID>23A08571E4D645C3B82A…</AuthenticationSourceGlobalUID>
</Identity>
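As an added example (not from the presentation and not SIF Association code), the following Python parses an Identity object of the shape shown above and validates it before a consuming system links the SIF person record to a directory account. That link is the security-relevant step: a malformed or mis-published Identity object can bind someone's SIS record to the wrong account. The sample XML is constructed with complete identifiers rather than the slide's truncated ones; the accepted authentication sources, the accepted SIF_RefObject types, and the check that the userPrincipalName prefix equals sAMAccountName are assumptions about this consumer's policy, not rules from the SIF specification. Attribute names are compared case-insensitively because LDAP attribute names are.

```python
import re
import xml.etree.ElementTree as ET

# Constructed Identity object in the shape shown on the slide (not real data).
SAMPLE = """<Identity RefId="4286194F43ED43C18EE2F0A27C4BEF86">
  <SIF_RefId SIF_RefObject="StudentPersonal">23B08571E4D645C3B82A111122223333</SIF_RefId>
  <AuthenticationSource>MSActiveDirectory</AuthenticationSource>
  <IdentityAssertions>
    <IdentityAssertion SchemaName="sAmAccountName">user01</IdentityAssertion>
    <IdentityAssertion SchemaName="userPrincipalName">user01@example.org</IdentityAssertion>
    <IdentityAssertion SchemaName="distinguishedName">cn=User1,cn=Users,dc=example,dc=org</IdentityAssertion>
  </IdentityAssertions>
  <AuthenticationSourceGlobalUID>23A08571E4D645C3B82A555566667777</AuthenticationSourceGlobalUID>
</Identity>"""

# Assumed consumer policy: which sources and person object types we will link to.
KNOWN_SOURCES = {"MSActiveDirectory", "LDAP"}
REF_OBJECTS = {"StudentPersonal", "StaffPersonal"}
REQUIRED = ("samaccountname", "userprincipalname", "distinguishedname")


def parse_identity(xml_text):
    """Flatten an Identity object into a dict; assertions keyed by lower-cased SchemaName."""
    root = ET.fromstring(xml_text)
    if root.tag != "Identity":
        raise ValueError("not an Identity object")
    ref = root.find("SIF_RefId")
    ident = {
        "ref_id": root.get("RefId"),
        "person_ref": (ref.text or "").strip() if ref is not None else "",
        "person_type": ref.get("SIF_RefObject") if ref is not None else None,
        "source": (root.findtext("AuthenticationSource") or "").strip(),
        "global_uid": (root.findtext("AuthenticationSourceGlobalUID") or "").strip(),
        "assertions": {},
    }
    for a in root.iterfind("IdentityAssertions/IdentityAssertion"):
        name = a.get("SchemaName")
        value = (a.text or "").strip()
        if name and value:
            ident["assertions"][name.lower()] = value
    return ident


def validate(ident):
    """Checks a consumer should make before linking the person record to the account."""
    problems = []
    # RefIds in the slide's example are 32 upper-case hex digits; require that form.
    if not re.fullmatch(r"[0-9A-F]{32}", ident["ref_id"] or ""):
        problems.append("RefId is not a 32-hex-digit GUID")
    if ident["person_type"] not in REF_OBJECTS or not ident["person_ref"]:
        problems.append("SIF_RefId must point at a known person object")
    if ident["source"] not in KNOWN_SOURCES:
        problems.append("unknown AuthenticationSource")
    if not ident["global_uid"]:
        problems.append("missing AuthenticationSourceGlobalUID")
    a = ident["assertions"]
    for name in REQUIRED:
        if name not in a:
            problems.append(f"missing {name} assertion")
    sam, upn = a.get("samaccountname"), a.get("userprincipalname")
    # Assumed local policy: the UPN prefix must agree with the account name.
    if sam and upn and upn.split("@", 1)[0].lower() != sam.lower():
        problems.append("userPrincipalName prefix does not match sAMAccountName")
    return problems


if __name__ == "__main__":
    ident = parse_identity(SAMPLE)
    print(ident["assertions"])
    print("problems:", validate(ident) or "none")
```

A consumer that accepts any AuthenticationSource, or links on the SIF_RefId alone without the assertions agreeing with each other, has no defense against a bad publisher in the zone; the validation step is where that trust boundary is enforced.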
Authentication Profile
• Focus on three authentication protocols in wide use today and profile them for the education space
  – LDAP
  – OpenID
  – Shibboleth
• For each protocol, create a standard profile for discovery, topology, and attribute exchange
Access Provisioning Profile
• Create a standardized set of mechanisms for central control of roles and user access
• Allow for a standard set of roles to be propagated via SSO protocols (real-time)
• Allow for roles and access permissions to be propagated via SIF web services
Identity Aggregation Profile
• Identities for a user may be sourced from multiple systems via SIF
• One example is a central Identity Management System that services multiple schools
• Clearly define how identity aggregation is conveyed to subscribing systems within a SIF zone
What have we covered?
• Effective identity management improves ease of use
• Identity management practices are diverse and many times implemented in a bespoke manner
• The SIFA IDM project team is attempting to build common IDM practices and profiles for educational organizations and vendors
Suggested next steps
• Inventory where your organization is at in identity management practices
• Contribute to the effort to standardize identity management for the education space
Contact Information
• Patrick Plant, Chief Technology and Information Officer, www.anoka.k12.mn.us, [email protected], 763.506.1020
• Andrew Elmhorst, Chief Architect, www.pearsondatasolutions.com, [email protected], 801.858.0094