© 2011 The University of Chicago InCommon Silver Implementation at UChicago Tom Barton 1

Page 1:

© 2011 The University of Chicago

InCommon Silver Implementation at UChicago

Tom Barton

Page 2:

Which people will need Silver?

[Figure: applications and services plotted by time frame (sooner to later) and user group size (smaller to larger). Labels: NIH, TeraGrid, Open Science Grid, CILogon, NSC Nat’l Labs, CIC shared storage, CIC CourseShare, Payroll, caBIG, Benefits, Student Loans, Financial aid, TIAA-CREF, research.gov]

Page 3:

UChicago Silver Objectives

Support research & scientific collaborations

Ability to deliver SaaS solutions with higher LoA

Enhance local confidence in our ability to manage access

• E.g., allay Registrar’s concerns with students using UChicago netIds for transcript delivery

All faculty, staff, and students needing Silver should be able to get it, easily

But most won’t need it right away, so don’t make them do anything special until they do

Page 4:

Circumstances – Initial State

Central IdM is one of several activities supported by a staff pool – inability to sustain focus on IdM

Inadequate operating practices and documentation

Unknown if HR on-boarding process is good enough to leverage as-is

• Student admissions process most likely not

ID Card office co-operative with ITS & Library

UC Medical Center IdM user account management integrated with central IdM

• but separate password store

Page 5:

Implementation Approach

Re-org IdM

Use existing username/password credentials

• Stored in LDAP and in Active Directory

Leverage ID card issuing process to meet Silver identity vetting & credential issuance requirements

• Strengthen management of ID Card office

Assimilate ID Card back-end operations into central IdM

Page 6:

Implementation Approach

Move IdM servers to central sysadmin group

Document operating practices of both groups

Provide IT Security an opportunity to define good operating practices

Plan IdM audit with Risk Management

Extend IdMS to track who has met which Silver pre-requisites (ID vetting, good password, no security hold)

Page 7:

Managing password exposure

[Diagram; labels: browser, IdP/login, authN service 1, app (×3), authN service 2, app (×2), IdMS, password sync]

VaTech-style policy to apply to all apps

Page 8:

Unknowns

Medical Center

• Unlikely to be needed soon (Drs are BSD faculty and have centrally-issued credentials)

Identity vetting options

• independent ID Card office eventually to be assimilated

• leverage HR on-boarding process

ID vetting for remote people needing Silver

Predicated on anticipated specifications in InCommon Silver IAP v1.1

Page 9:

Are you organized to enable a Silver implementation (if you wanted to do it)?

And are the necessary stakeholder relationships in good shape?

Page 10:

What would motivate you to start a Silver implementation?

What obstacles hinder that?

Page 11:

Do you already have the right set of tools, operating practices, and technologies to fold into a Silver implementation?

Page 12:

The CIC has found it extremely helpful to go together, as a cohort.

Do you have any friends to share the experience with?

Do you want some?