NMI-EDIT Identity Management Tutorial
TRANSCRIPT
NMI Tutorial, June 2004
Michael Berman, VP, CSU-Pomona
Keith Hazelton, Dir. Arch., Wisconsin
Jack Suess, CIO, UMBC
Ann West, NMI-EDIT Coordinator
and
Michael Gettes, Duke University
Copyright 2004
SERC, June 9, 2004
CSU Identity Management Definition
– CSU definition - An identity management infrastructure is a collection of technology and policy that enables networked computer systems to determine who has access to them and what resources each person is authorized to access, while protecting individual privacy and access to confidential information.
“Identity Management System”
Suite of campus-wide security, access, and information services
– Integrates data sources and manages information about people and their contact locations
– Establishes electronic identity of users
– Issues identity credentials
– Uses administrative data and management tools to assign affiliation attributes
– …and gives permission to use services based on those attributes
Key terms: Enterprise Directory Services
Where electronic identifiers are reconciled and institutional identity is established and maintained for all entities of interest
– Very quick lookup function
– Machine address, voice mail box, email box location, address, campus identifiers
More key terms
Authentication (AuthN)
– Process of proving your identity by “presenting” an identity credential
– In IT systems, often done by a login process
Authorization (AuthZ)
– Process of determining if policy permits a requested action to proceed using attribute & group information
– Often associated with an authenticated identity, but not always and not necessarily
Infrastructure for Identity Management
Common elements
– Core Business System - system for identifying university membership (e.g. SIS, HR, Alumni)
– Registry - aggregation point, usually a DBMS, where key data elements from the systems of record (SOR) are integrated
– Metadirectory - LDAP service that organizes registry information and responds to service requests
– Authenticator - service that authenticates (e.g. Kerberos, LDAP, or other)
– Groups - university roles built into directory
– Services - application services that utilize IdM
– Policy - definitions and structure, usually defines criteria for group membership and service restrictions
Simplified UMBC Architecture
[Diagram. Components shown: SIS (HP MPE) and HR system; SIS mirror in an Oracle DB; metadirectory processes (perl); directory management applications (user input); LDAP directory (iPlanet 4.1x) with replicas; public LDAP whitepages (SunOne DS5); authentication service (MIT K5); outgoing connectors (perl) to consumers: Radius, WebAuth, PeopleSoft, etc.; UNIX systems, Win2K labs, AFS; email clients; email routing.]
Policy Issues
Policy issues should be defined or considered
– Rules for membership in your community. Who is an active student, who is a faculty member, who is an alumnus?
– Who is eligible for an account? Under what circumstances?
– What groups do you need to track?
– What services is each group allowed to access?
– Who can sponsor affiliate members?
– How long do you remain a member of the community?
– What about guests or the public?
How do you define who is eligible for different services?
Obvious
– staff, faculty, students
Less obvious:
– Alumni, supporters?
– Parents
– Sponsored or affiliate IDs
– Transient, e.g. meetings and conferences
– Former employees
– Research partners
– Affiliates: auxiliaries, credit union, teachers
Eligibility -- Thorny Issues
Intermittent roles – persistent IDs?
– Lecturers, seasonal employees
– Students
Multiple roles – change roles, keep IDs?
– Student workers
– Staff students
Multi-campus issues - common ID across the system?
Does everyone need to be in your IdM? How long does someone remain in your IdM?
Eligibility -- Create Policy First
Indiana
– Policy defines who can have and sponsor accounts.
– Accounts Management System will implement policy in software.
UMBC
– Software was written without formalizing the policy on paper. This is something we have to finalize.
Authentication and Authorization
Authentication - Who am I?
– Shared secret -- password?
– Secret key - PKI
– Biometrics/other?
Authorization - What am I allowed to do or access?
– Affinity groups are defined and populated. Roles may be based on a combination of affinities.
Identity Management system must answer both questions.
Creating a single namespace
Once you define who is eligible to be in your IdM you must create a person registry from multiple SORs.
For each person in the registry you must define an account name. Dealing with conflicts is a political challenge.
Get agreement on ground rules prior to starting the project.
Provide flexibility. People care more about their email address than they do their username!
When creating a new authentication service, require strong passwords!
Indiana University Name Space
Had to work across 8 campuses plus 4 major data centers
Ground work in 1988 with "username format summit"
Namespace consolidation project began "in earnest" in 1997
Required high-level leverage (University CIO)
Consisted of iterative generation and review of name lists of various naming organizations
Person who had name first got to keep it
Took 3 years to complete
How do you handle authorization to services?
Problem: our legacy services assumed that authentication implies authorization.
Remedy: Use IdM to define affiliations and control access by group membership
Strategy: Create 15-20 automatically maintained major affiliation types (example: faculty, staff, student, affiliate and several gradations of each) to define roles
Challenge: It isn’t easy to keep this maintained and not all services can use groups
Shibboleth transports attributes for authZ decisions.
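The registry, groups and policy elements described earlier, and this slide's move from "authentication implies authorization" to access controlled by group membership, as an added Python example (not code from the tutorial or from any of the campuses it mentions): constructed SIS and HR feeds are merged into a person registry keyed on a campus ID, affiliations are derived by a constructed rule set, and each service admits only the groups its policy names.

```python
"""Added example, not from the tutorial: a toy person registry that merges
system-of-record (SOR) feeds, derives affiliation groups, and authorizes
services by group membership. All records, rules and service names are
constructed for illustration."""

# Constructed SOR feeds. The registry reconciles on campus_id; each SOR also
# keeps its own identifier (sis_id, emplid), as a real metadirectory would.
SIS = [  # student information system
    {"sis_id": "S1001", "campus_id": "jdoe", "status": "enrolled"},
    {"sis_id": "S1002", "campus_id": "asmith", "status": "withdrawn"},
]
HR = [  # human resources system
    {"emplid": "E77", "campus_id": "asmith", "job": "staff", "active": True},
    {"emplid": "E78", "campus_id": "jdoe", "job": "student-worker", "active": True},
    {"emplid": "E79", "campus_id": "bwu", "job": "faculty", "active": False},
]

def derive_affiliations(sis_rec, hr_rec):
    """Map raw SOR facts to affiliation groups (constructed group policy)."""
    groups = set()
    if sis_rec and sis_rec["status"] == "enrolled":
        groups.add("student")
    if hr_rec and hr_rec["active"]:
        groups.add("employee")
        if hr_rec["job"] in ("faculty", "staff"):
            groups.add(hr_rec["job"])
    if groups:
        groups.add("member")  # any live affiliation makes a community member
    return groups

def build_registry(sis, hr):
    """One registry entry per person, even when several SORs know them."""
    by_sis = {r["campus_id"]: r for r in sis}
    by_hr = {r["campus_id"]: r for r in hr}
    return {cid: derive_affiliations(by_sis.get(cid), by_hr.get(cid))
            for cid in sorted(set(by_sis) | set(by_hr))}

# Constructed service policy: which groups each service admits.
SERVICE_POLICY = {
    "library-proxy": {"student", "employee"},
    "payroll-portal": {"employee"},
    "grade-entry": {"faculty"},
}

def authorize(registry, campus_id, service):
    """AuthZ decision made on group membership, not on the fact that the
    person could authenticate: a known but inactive person gets nothing."""
    groups = registry.get(campus_id, set())
    return bool(groups & SERVICE_POLICY.get(service, set()))
```

Note that bwu is known to HR and so could hold a credential, yet receives no groups and therefore no service; that is the gap the legacy "authenticated means authorized" model leaves open.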
Protecting Privacy and Confidentiality
Rapidly evolving area -- GLB, HIPAA, CA SB-1386, etc.
Directory services allow services to be delegated more broadly -- make sure staff that get access are trained in privacy regulations
Review logging procedures and log retention
Limit who has direct access to the directory and who can update the directory
IdM can serve the role of translator and reduce use of private data such as SSN
One consequence of directories is that they can facilitate spamming; limit trolling and be careful what data you show
Revocation of Credentials and Change Management of Identity
Develop a state diagram. Accounts transition through these states. Time in each state is determined by local business rules.
Requires ability to delegate authority on accounts to a sponsoring entity. They can sponsor anyone but take responsibility for those they sponsor.
Runs nightly based on last effective date
Highly political - everyone wants free access. Audit requirements to promptly remove access are the driver
Be sure to bring the right people to the table. Political as well as functional and technical types.
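The state-diagram approach on this slide, as an added Python example (not the tutorial's or any campus's code): the states, the days allowed in each, and the sample accounts are constructed; a nightly run moves each account at most one state based on its last effective date, and a sponsor can push out an affiliate's end date while being recorded as the responsible party.

```python
"""Added example, not from the tutorial: an account-lifecycle state machine
with constructed states and durations. The nightly run is driven by each
account's last effective date; sponsors may extend affiliates they vouch for."""
from datetime import date, timedelta

# Constructed local rules. "active" has no timer and ends when the SOR-fed
# last effective date passes; timed states expire after DAYS_IN_STATE days.
NEXT_STATE = {"active": "grace", "grace": "disabled", "disabled": "archived"}
DAYS_IN_STATE = {"grace": 30, "disabled": 365}

def account(uid, state, entered, last_effective):
    # `entered`: date the account entered its current state
    return {"uid": uid, "state": state, "entered": entered,
            "last_effective": last_effective, "sponsor": None}

def sample_accounts():
    """Constructed accounts as they stand before the June 9, 2004 run."""
    return [account("alice", "active", date(2003, 9, 1), date(2004, 5, 31)),
            account("bob", "grace", date(2004, 5, 1), date(2004, 4, 30)),
            account("carol", "disabled", date(2003, 5, 1), date(2003, 3, 31)),
            account("dave", "active", date(2004, 1, 5), date(2004, 12, 31))]

def next_state(acct, today):
    """State the account should hold after tonight's run (one hop at most)."""
    if acct["state"] == "active":
        return "grace" if today > acct["last_effective"] else "active"
    limit = DAYS_IN_STATE.get(acct["state"])  # None for the terminal state
    if limit and today >= acct["entered"] + timedelta(days=limit):
        return NEXT_STATE[acct["state"]]
    return acct["state"]

def nightly_run(accounts, today):
    """Apply transitions in place; return the uids whose state changed."""
    changed = []
    for acct in accounts:
        new = next_state(acct, today)
        if new != acct["state"]:
            acct["state"], acct["entered"] = new, today
            changed.append(acct["uid"])
    return changed

def sponsor_extend(acct, sponsor, new_end, today):
    """Delegated authority: the sponsor sets a later end date and is recorded as
    responsible; a non-archived account returns to active the same day."""
    if acct["state"] == "archived" or new_end <= max(acct["last_effective"], today):
        raise ValueError("extension refused")
    acct["last_effective"], acct["sponsor"] = new_end, sponsor
    if acct["state"] != "active":
        acct["state"], acct["entered"] = "active", today
    return acct
```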
Provisioning
Accounts -- timely creating, management and removal of identities and credentials
Services -- timely allocation, management, removal of service controlling attributes.
Authorizations -- timely allocation, management and removal of attributes contributing to authorization decisions by applications and functional processes.
More info
www.nmi-edit.org/roadmap
middleware.internet2.edu
Vendor Strategies
IBM, Sun, Microsoft, and Novell all have Identity Management systems in place. The following is a brief summary of what they have or are planning in the IdM space.
These were all taken from different web sites and are listed simply to give an idea of how each vendor looks at the issue.
The challenge is making this work in a heterogeneous system environment.
Microsoft
NOVELL
Sun One Identity Management
Leading up to Campus Security
Proper identity/account management and provisioning of services leads to:
– Timely allocation of new services to new staff
– Timely provisioning of services and authorities for status or role changes
– Timely removal of services and authorities upon termination
If only those who require service or authority have it, then you are more secure!
[Diagram: Indiana University identity management architecture. Labels shown: Applications and Services (OnCourse, Active Directory, Steel, web pages, PeopleSoft Insite, Shakes/Jewels, modems, VPN, library, MY IU, UIS applications, Eclipse, ERAFIS, University Addressbook, IU.EDU e-mail name space); Authentication API (PIN, token, password; Kerberos, Safeword, AS server) and Authorization API (Authorization & Roles DB; roles such as Grades Clerk, Acct Manager, HR Rep, Advisor); Core Services with Enterprise Directory/Information Store (GDS), Information Extract (LDAP) and Extract/Load Processes from University People Information (Demographic Data, HR Data, Alumni, Foundation, Continuing Studies, Other University Affiliations, Others); identifiers and attributes such as SID, EMPID, ISN, MATH Major, C201, UITS, IUK; Personal Account Creation & Administration (Self Service); Account/Information Mgt & Maint by Accounts Staff and Local/Campus Support Providers; Other Directories (ADS, Departmental).]
Leading up to National Security
As each Campus becomes more secure at the network layer
Each Campus properly manages identity for the 3 major enterprises within (Administrative, Academic and Research)
then … We collectively become more secure and stronger. WE will then dramatically impact National Security and Global Security. It’s just plain smart!