NMI-EDIT Identity Management Tutorial

NMI Tutorial, June 2004

Michael Berman, VP, CSU-Pomona

Keith Hazelton, Dir. Arch., Wisconsin

Jack Suess, CIO, UMBC

Ann West, NMI-EDIT Coordinator

And

Michael Gettes, Duke University

Copyright 2004


SERC, June 9, 2004

CSU Identity Management Definition

– CSU definition: An identity management infrastructure is a collection of technology and policy that enables networked computer systems to determine who has access to them and what resources the person is authorized to access, while protecting individual privacy and access to confidential information.


“Identity Management System”

Suite of campus-wide security, access, and information services
– Integrates data sources and manages information about people and their contact locations
– Establishes electronic identity of users
– Issues identity credentials
– Uses administrative data and management tools to assign affiliation attributes
– …and gives permission to use services based on those attributes


Key terms: Enterprise Directory Services

Where electronic identifiers are reconciled and institutional identity is established and maintained for all entities of interest
– Very quick lookup function
– Machine address, voice mail box, email box location, address, campus identifiers


More key terms

Authentication (AuthN)
– Process of proving your identity by “presenting” an identity credential
– In IT systems, often done by a login process

Authorization (AuthZ)
– Process of determining if policy permits a requested action to proceed, using attribute & group information
– Often associated with an authenticated identity, but not always and not necessarily


Infrastructure for Identity Management

Common elements
– Core Business System - system for identifying university membership (e.g. SIS, HR, Alumni)
– Registry - aggregation point, usually a DBMS, where key data elements from SOR are integrated
– Metadirectory - LDAP service that organizes registry information and responds to service requests
– Authenticator - service that authenticates (e.g. Kerberos, LDAP, or other)
– Groups - university roles built into directory
– Services - application services that utilize IdM
– Policy - definitions and structure, usually defines criteria for group membership and service restrictions


Simplified UMBC Architecture

[Architecture diagram. Components labelled: SIS (HP MPE); HR System; SIS Mirror; Oracle DB; Metadirectory Processes (perl); LDAP Directory (iPlanet 4.1x) with two replicas; Public LDAP / Whitepages (SunOne DS5); Authentication Service (MIT K5); Directory Management Applications (user input); Outgoing Connectors (perl) to consumers: Radius, WebAuth, PeopleSoft, etc.; UNIX Systems, Win2K Labs, AFS; Email Clients; Email Routing.]


Policy Issues

Policy issues should be defined or considered
– Rules for membership in your community. Who is an active student, who is a faculty member, who is an alumnus?
– Who is eligible for an account? Under what circumstances?
– What groups do you need to track?
– What services is each group allowed to access?
– Who can sponsor affiliate members?
– How long do you remain a member of the community?
– What about guests or the public?


How do you define who is eligible for different services?

Obvious
– staff, faculty, students

Less obvious:
– Alumni, supporters?
– Parents
– Sponsored or affiliate IDs
– Transient, e.g. meetings and conferences
– Former employees
– Research partners
– Affiliates: auxiliaries, credit union, teachers


Eligibility -- Thorny Issues

Intermittent roles – persistent IDs?
– Lecturers, seasonal employees
– Students

Multiple roles – change roles, keep IDs?
– Student workers
– Staff students

Multi-campus issues - common ID across the system?

Does everyone need to be in your IdM? How long does someone remain in your IdM?


Eligibility -- Create Policy First

Indiana
– Policy defines who can have and sponsor accounts.
– Accounts Management System will implement policy in software.

UMBC
– Software was written without formalizing the policy on paper. This is something we have to finalize.


Authentication and Authorization

Authentication - Who am I?
– Shared secret -- password?
– Secret key - PKI
– Biometrics/other?

Authorization - What am I allowed to do or access?
– Affinity groups are defined and populated. Roles may be based on a combination of affinities.

Identity Management system must answer both questions.


Creating a single namespace

Once you define who is eligible to be in your IdM you must create a person registry from multiple SORs.

For each person in the registry you must define an account name. Dealing with conflicts is a political challenge.

Get agreement on ground rules prior to starting the project.

Provide flexibility. People care more about their email address than they do their username!

When creating a new authentication service, require strong passwords!


Indiana University Name Space

Had to work across 8 campuses plus 4 major data centers

Ground work in 1988 with "username format summit"

Namespace consolidation project began "in earnest" in 1997

Required high-level leverage (University CIO)

Consisted of iterative generation and review of name lists of various naming organizations

Person who had name first got to keep it

Took 3 years to complete
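The registry-building and namespace-consolidation procedure described on the two slides above (and the Registry element of the infrastructure slide), as an added example that is not part of the tutorial: name lists from several naming organizations are aggregated into one registry entry per person, and username conflicts are resolved with the "person who had the name first keeps it" rule. The SOR names, person IDs, usernames and dates are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import date

# Constructed name lists: (sor, person_id, requested username, date first issued, affiliation)
NAME_LISTS = [
    ("sis", "p100", "jsmith", date(1995, 9, 1), "student"),
    ("hr", "p200", "jsmith", date(1992, 3, 15), "staff"),
    ("hr", "p100", "jsmith", date(1999, 6, 1), "staff"),      # p100 again, second SOR
    ("alumni", "p300", "jsmith", date(2001, 5, 20), "alumni"),
    ("sis", "p400", "akhan", date(1998, 1, 10), "student"),
]

@dataclass
class Person:
    person_id: str
    username: str = ""
    affiliations: set = field(default_factory=set)
    sources: set = field(default_factory=set)

def build_registry(records):
    """Aggregate SOR records into one registry entry per person and remember
    the earliest date each person held a name (needed for the tie-break rule)."""
    registry, earliest = {}, {}
    for sor, pid, name, issued, affil in records:
        person = registry.setdefault(pid, Person(pid))
        person.affiliations.add(affil)
        person.sources.add(sor)
        if pid not in earliest or issued < earliest[pid][1]:
            earliest[pid] = (name, issued)
    return registry, earliest

def assign_usernames(registry, earliest):
    """Whoever had the name first keeps it; later claimants get a numeric suffix.
    The returned conflict list is what the naming organizations review together."""
    taken, conflicts = set(), []
    for pid, (name, issued) in sorted(earliest.items(), key=lambda kv: (kv[1][1], kv[0])):
        candidate, n = name, 1
        while candidate in taken:
            n += 1
            candidate = f"{name}{n}"
        if candidate != name:
            conflicts.append((pid, name, candidate))
        taken.add(candidate)
        registry[pid].username = candidate
    return conflicts

def consolidate(records=NAME_LISTS):
    """Run both steps over the constructed name lists."""
    registry, earliest = build_registry(records)
    return registry, assign_usernames(registry, earliest)
```

The conflict list is the review artifact: in practice it goes back to the naming organizations before anything is written to the directory.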


How do you handle authorization to services?

Problem: our legacy services assumed that authentication implies authorization.

Remedy: Use IdM to define affiliations and control access by group membership.

Strategy: Create 15-20 automatically maintained major affiliation types (example: faculty, staff, student, affiliate and several gradations of each) to define roles.

Challenge: It isn’t easy to keep this maintained and not all services can use groups.

Shibboleth transports attributes for authZ decisions.
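The remedy and strategy above, as an added example that is not part of the tutorial: affiliation groups (a major type plus a gradation) are derived automatically from registry data, and services grant access by group membership rather than by the mere fact of authentication. The registry rows, group names and service names are constructed assumptions.

```python
# Constructed registry rows as integrated from the SORs (SIS, HR, sponsor data)
REGISTRY = {
    "p100": {"student_status": "active", "employee_type": None, "sponsor": None},
    "p200": {"student_status": None, "employee_type": "faculty", "sponsor": None},
    "p300": {"student_status": "withdrawn", "employee_type": None, "sponsor": None},
    "p400": {"student_status": None, "employee_type": None, "sponsor": "p200"},
    "p500": {"student_status": None, "employee_type": "staff", "sponsor": None},
}

# Which affiliation groups each service accepts (any match grants access).
# Service names and group names are assumptions for this example.
SERVICE_POLICY = {
    "library-proxy": {"student:active", "employee", "affiliate"},
    "grade-entry": {"faculty"},
    "payroll-selfservice": {"employee"},
}

def derive_affiliations(person_id, registry=REGISTRY):
    """Automatically maintained affiliation groups for one person: a major
    type (student, employee, affiliate) plus a gradation of it."""
    rec = registry.get(person_id)
    if rec is None:
        return set()
    groups = set()
    if rec["student_status"] == "active":
        groups |= {"student", "student:active"}
    elif rec["student_status"] is not None:
        groups.add("student:former")
    if rec["employee_type"] in ("faculty", "staff"):
        groups |= {"employee", rec["employee_type"]}
    # An affiliate's membership rides on a sponsor who is a current employee,
    # so when the sponsor's HR record ends, the affiliate loses the group too.
    sponsor = rec["sponsor"]
    if sponsor and "employee" in derive_affiliations(sponsor, registry):
        groups.add("affiliate")
    return groups

def authorize(person_id, service, registry=REGISTRY):
    """Group-based authorization: being authenticated (present in the
    registry) is not enough; the person must hold a group the service accepts."""
    required = SERVICE_POLICY.get(service, set())
    return bool(derive_affiliations(person_id, registry) & required)

def attributes_for(person_id, registry=REGISTRY):
    """Attribute set a Shibboleth-style exchange could transport to a
    service so it can make its own authZ decision."""
    return {"groups": sorted(derive_affiliations(person_id, registry))}
```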


Protecting Privacy and Confidentiality

Rapidly evolving area -- GLB, HIPAA, CA SB-1386, etc.

Directory services allow services to be delegated more broadly -- make sure staff that get access are trained in privacy regulations

Review logging procedures and log retention

Limit who has direct access to the directory and who can update the directory

IdM can serve a role as translator and reduce use of private data such as SSN

One consequence of directories is that they can facilitate spamming: limit trolling and be careful what data you show


Revocation of Credentials and Change Management of Identity

Develop a state diagram. Accounts transition through these states. Time in each state is determined by local business rules.

Requires ability to delegate authority on accounts to a sponsoring entity. They can sponsor anyone but take responsibility for those they sponsor.

Runs nightly based on last effective date.

Highly political - everyone wants free access. Audit requirements to promptly remove access are the driver.

Be sure to bring the right people to the table: political as well as functional and technical types.
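The state diagram and nightly run described above, as an added example that is not part of the tutorial: accounts advance one state per run once their last effective date (plus the locally defined time in each state) has passed, and a sponsored account's effective date is capped by its sponsor's. The state names, day counts, account records and the sponsor rule are constructed assumptions.

```python
from datetime import date, timedelta

# Local business rules (constructed): how long an account may sit past its
# last effective date before the nightly job moves it to the next state.
GRACE_DAYS = 30        # grace: user warned, login still works
DISABLED_DAYS = 180    # disabled: credentials revoked, data retained

# The state diagram: (from_state, to_state, days after last effective date)
TRANSITIONS = [
    ("active", "grace", 0),
    ("grace", "disabled", GRACE_DAYS),
    ("disabled", "purged", GRACE_DAYS + DISABLED_DAYS),
]

# Constructed accounts: current state, last effective date from the SOR, sponsor
ACCOUNTS = {
    "jsmith": {"state": "active", "last_effective": date(2004, 5, 31), "sponsor": None},
    "akhan": {"state": "active", "last_effective": date(2004, 8, 15), "sponsor": None},
    "guest1": {"state": "grace", "last_effective": date(2004, 4, 1), "sponsor": "jsmith"},
    "old1": {"state": "disabled", "last_effective": date(2003, 6, 1), "sponsor": None},
}

def effective_date(name, accounts):
    """Assumed delegation rule: a sponsored account is good only as long as
    its sponsor's own record, so take the earlier of the two dates."""
    acct = accounts[name]
    eff = acct["last_effective"]
    if acct["sponsor"] in accounts:
        eff = min(eff, accounts[acct["sponsor"]]["last_effective"])
    return eff

def next_state(state, last_effective, today):
    """Advance one step along the diagram when today is past the trigger date."""
    for src, dst, days in TRANSITIONS:
        if src == state and today > last_effective + timedelta(days=days):
            return dst
    return state

def nightly_run(accounts, today):
    """Move each account at most one state per run and return audit events
    (name, old_state, new_state) for the log that auditors want to see."""
    events = []
    for name, acct in accounts.items():
        new = next_state(acct["state"], effective_date(name, accounts), today)
        if new != acct["state"]:
            events.append((name, acct["state"], new))
            acct["state"] = new
    return events
```

Running it for 9 June 2004 moves jsmith to grace, guest1 (whose own date has passed) to disabled, and the long-expired old1 to purged, while akhan is untouched; a second run the next night produces no events.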


Provisioning

Accounts -- timely creating, management and removal of identities and credentials

Services -- timely allocation, management, removal of service controlling attributes.

Authorizations -- timely allocation, management and removal of attributes contributing to authorization decisions by applications and functional processes.


More info

www.nmi-edit.org/roadmap

middleware.internet2.edu


Vendor Strategies

IBM, Sun, Microsoft, and Novell all have Identity Management systems in place. The following is a brief summary of what they have or are planning in the IdM space.

These were all taken from different web sites and are listed simply to give an idea of how each vendor looks at the issue.

The challenge is making this work in a heterogeneous system environment.


Microsoft


NOVELL


Sun One Identity Management


Leading up to Campus Security

Proper identity/account management and provisioning of services leads to:
– Timely allocation of new services to new staff
– Timely provisioning of services and authorities for status or role changes
– Timely removal of services and authorities upon termination

If only those who require service or authority have it, then you are more secure!


[Architecture diagram (Indiana University). Labels shown: Applications and Services (Authentication API, University Addressbook, OnCourse, Active Directory, Steel, Web Pgs, PplSft, Insite, Shakes/Jewels, Modems, Virtual Private Network (VPN), ERAFIS, Eclipse, MY IU, UIS Appl, Library, Others); University People Information (Foundation, Other University Affiliations, Continuing Studies, Alumni, Demographic Data, HR Data, Others); Extract/Load Process; GDS Enterprise Directory / Information Store; Information Extract (LDAP); Authorization API; Authorization & Roles DB; Core Services; Authentication (PIN, Token, Password, Kerberos, Safeword, AS Server); Personal Account Creation & Administration (Self Service); Account/Information Mgt & Maint; Other Directories (ADS, Departmental); Accounts Staff; Local/Campus Support Providers; example identifiers and roles (SID, EMPID, ISN, MATH Major, C201, UITS, IUK, IU.EDU E-mail Name Space, Grades Clerk, Acct Manager, HR Rep, Advisor).]


Leading up to National Security

As each Campus becomes more secure at the network layer

Each Campus properly manages identity for the 3 major enterprises within (Administrative, Academic and Research)

then … We collectively become more secure and stronger.

WE will then dramatically impact National Security and Global Security. It’s just plain smart!