Prepared by Dept. of Information Technology & Telecommunication, June 18, 2022 DoITT Identity Management Security, Provisioning, Authentication


Page 1

Prepared by Dept. of Information Technology & Telecommunication, April 18, 2023

DoITT Identity Management

Security, Provisioning, Authentication

Page 2

What is Identity Management

• Identity management deals with identifying individuals in a system and controlling their access to resources within that system throughout their employment by associating user rights and restrictions with the established identity. It is the core of what is termed “Employee Lifecycle Management.”

• In an enterprise setting, identity management is used to increase security and productivity, while decreasing cost and redundant effort.

• Includes:

– Password synchronization (reduced sign-on)

– Automated password resets

– Provisioning and authorization to systems

– De-provisioning users when they are no longer in the agency

Page 3

What is Identity Management?

Standard components of Identity Management:

[Component diagram; labels as shown on the slide]

– Authentication

– Access Management

– User Registration, Maintenance, Termination

– SSO/Federation Framework

– Provisioning

– Identity & Policy Administration

– Directory Services: Virtual Directory; Directory Repositories (LDAP, AD, eDirectory); Meta Directory

Page 4

Today’s Enterprise LDAP

The City Meta-Directory

Page 5

Project Overview

• The citywide Lightweight Directory Access Protocol (LDAP) project officially launched in January 2004 with a Citywide Employee Contact Directory as the end product. Email lookups through agency mail clients have been available since July 2004.

• Novell’s eDirectory is the base of this LDAP-enabled meta-directory. It resides on a Unix platform with active-active redundancy.

• Agencies are connected to the LDAP directory via either a dynamic or manual batch connector that pulls identities from their agency’s directory.

• Windows servers are used for LDAP connector services as well as proxy appliances for the iChain web access control product.

• DoITT worked with over 45 agencies to create a meta-directory of employee contact information—totaling over 160,000 employees and growing.

Page 6

Current Architecture

• Load balanced, fault tolerant, and scalable

• Foundation for future identity vault

[Architecture diagram; labels as shown on the slide]

– Service names: citydirectory.nycnet, ldap.nycnet (vvrp)

– Production servers: ldap-city1, ldap-wp1 and autheguide1 behind CSSVIP1; ldap-city2, ldap-wp2 and autheguide2 behind CSSVIP2; each running eDirectory 8.7.3.2, eGuide 2.1 and iManager, with replication between them

– Backup servers: LDAP-BACKUP1 and LDAP-BACKUP2 (eDirectory 8.7.3.2, eGuide, iManager), fed by batch replication

– Connector hosts: DirXML 1.1.1a FP2 with Dynamic drivers, Loopback drivers and Text File drivers; BatchSync (eGuide 2.1, iManager); IDC Windows 2003 Server running DirXML, plus an alternate DirXML host

– Agency links: Dynamic and Batch connectors, including dynamic connections from Windows 2003

– Transport: SLDAP and SSL; CityNet (WEB) Users connect over SSL

Page 7

Security and Uniqueness

• Agencies define what information is visible through the Citywide Employee Contact Directory.

• Agencies have a variety of means of hiding or removing data from the system.

• The biggest challenge and most important element of the project was to determine a preexisting unique identifier for each employee.

• Name and agency, email address, and even combinations of these aren’t sufficient since none of these are truly unique in NYC.

• Current unique identifier: Surname + Given name, Organizational Unit(s), Organization (nycnet)

• Future unique identifier: PMS Employee I.D.
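To make the uniqueness problem on this slide concrete, the following added example (not City code; the records are constructed, and using employeeNumber as the naming attribute for the PMS ID is an assumption) builds DNs both ways, with RFC 4514 escaping so punctuation in a surname cannot alter the DN's structure, and reports which records collide:

```python
from collections import Counter

# Constructed sample records (not real City data); attribute names follow
# inetOrgPerson, and pmsId stands in for the PMS Employee I.D. on the slide.
EMPLOYEES = [
    {"sn": "Rivera", "givenName": "Ana", "ou": ["DoITT"], "pmsId": "1000001"},
    {"sn": "Rivera", "givenName": "Ana", "ou": ["DoITT"], "pmsId": "1000002"},  # namesake, same agency
    {"sn": "O'Neil", "givenName": "Sam", "ou": ["DEP"], "pmsId": "1000003"},
    {"sn": "Smith, Jr.", "givenName": "Lee", "ou": ["HR", "DOT"], "pmsId": "1000004"},
]


def escape_rdn_value(value: str) -> str:
    """Escape an attribute value for use inside a DN (RFC 4514), so a comma,
    '=' or '+' in a surname cannot add or split RDNs."""
    out = value.replace("\\", "\\\\")
    for ch in ',+"<>;=':
        out = out.replace(ch, "\\" + ch)
    if out.endswith(" "):           # trailing space must be escaped
        out = out[:-1] + "\\ "
    if out.startswith((" ", "#")):  # so must a leading space or '#'
        out = "\\" + out
    return out


def name_based_dn(rec: dict, org: str = "nycnet") -> str:
    """Current identifier: Surname + Given name, OU(s), Organization (nycnet)."""
    cn = escape_rdn_value(f"{rec['sn']} {rec['givenName']}")
    ous = ",".join(f"ou={escape_rdn_value(u)}" for u in rec["ou"])
    return f"cn={cn},{ous},o={org}"


def pms_based_dn(rec: dict, org: str = "nycnet") -> str:
    """Future identifier: the PMS Employee I.D. as the naming attribute
    (employeeNumber is an assumed choice; the slide does not specify one)."""
    return f"employeeNumber={escape_rdn_value(rec['pmsId'])},o={org}"


def collisions(records, dn_fn) -> list:
    """Return the DNs that more than one record would map to."""
    counts = Counter(dn_fn(r) for r in records)
    return sorted(dn for dn, n in counts.items() if n > 1)


if __name__ == "__main__":
    print("name-based collisions:", collisions(EMPLOYEES, name_based_dn))
    print("PMS-based collisions: ", collisions(EMPLOYEES, pms_based_dn))
```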

Page 8

Employee White Pages

• The web front-end for LDAP is the Citywide Employee Contact Directory. It is available through the City’s intranet, http://cityshare.nycnet.

• The directory has advanced filtering options.

• Data appearing in the directory or through email client lookups is based on what the agency feeds LDAP and what is defined as being visible to the public. Therefore, LDAP participating agencies need to keep data clean and sensitive accounts hidden.

• As part of the long-term identity management strategy, we encourage every agency to put every employee’s PMS ID and active code into the agency directory. DoITT is piloting a script to help agency LDAP liaisons provide this data along with the help from their HR Departments.

Page 9

Simple Employee Lookup

A simpler Employee Search that ties into LDAP and displays the same data is globally available within CityShare.

Page 10

Next Steps

Moving from White Pages to Identity Vault

Page 11

High-level Plan

• LDAP meta-directory building block is in place for the next step in establishing a citywide identity management plan.

• Critical milestones will have to take place for successful implementation:

– DoITT, FISA and NYCAPS are working together to use the PMS ID as the unique identifier, which will populate every City employee in a large citywide identity vault. NYCAPS will be established as the sole identity source of employee data in the future.

– Establishment of an identity management policy board to guide the LDAP project team on key identity management issues found throughout the Employee Management Lifecycle.

– Determining the best products and approaches for authentication and authorization will enable enterprise applications and agency directories to utilize one citywide meta-directory for authorization.

• The long-term goal is to eventually have reduced sign-on, provisioning capabilities, and digital signature capability for enterprise applications and participating agencies.

Page 12

Key Considerations

• Work with agencies to identify their requirements and IM needs as well as bring currently non-participating ones into LDAP.

• Convert all batch connected agencies to dynamic connections. This will be instrumental with future user provisioning and de-provisioning in the Employee Management Lifecycle.

• Create a policy board consisting of multiple agencies to make decisions on:

– Technologies

– Timeframes

– Functionality

– Policies

– Standards

• Determine the structure of the identity vault and all dependencies.

• Receive buy-in from agencies.
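An added example (not DoITT's connector; the records are constructed) of what a batch connector has to do at each run to support the provisioning and de-provisioning described above: diff the agency feed against the directory keyed on the PMS ID, disable rather than delete employees who have left, and refuse a feed that would de-provision an implausible share of the agency, which is what a truncated or empty feed looks like:

```python
from dataclasses import dataclass

# Constructed sample data (not real City records): the directory's current view
# of one agency and that agency's next batch feed, both keyed on the PMS ID.
DIRECTORY = [
    {"pmsId": "1000001", "cn": "Rivera Ana", "title": "Analyst"},
    {"pmsId": "1000002", "cn": "Chen Wei", "title": "Engineer"},
    {"pmsId": "1000003", "cn": "O'Neil Sam", "title": "Clerk"},
    {"pmsId": "1000004", "cn": "Park Min", "title": "Manager"},
    {"pmsId": "1000005", "cn": "Diaz Luis", "title": "Clerk"},
]
FEED = [DIRECTORY[0], dict(DIRECTORY[1], title="Senior Engineer"),  # title changed
        DIRECTORY[2], DIRECTORY[3],                                  # 1000005 has left
        {"pmsId": "1000006", "cn": "Khan Ali", "title": "Analyst"}]  # new hire


@dataclass(frozen=True)
class Plan:
    add: tuple
    update: tuple
    deprovision: tuple


def reconcile(feed, directory, max_deprovision_ratio=0.2):
    """Diff a batch feed against the directory. Returns (Plan, None), or
    (None, reason) when the feed would de-provision more than the allowed
    share of the agency, the signature of a truncated or empty feed."""
    feed_by = {r["pmsId"]: r for r in feed}
    dir_by = {r["pmsId"]: r for r in directory}
    add = tuple(sorted(k for k in feed_by if k not in dir_by))
    update = tuple(sorted(k for k in feed_by if k in dir_by and feed_by[k] != dir_by[k]))
    deprov = tuple(sorted(k for k in dir_by if k not in feed_by))
    if dir_by and len(deprov) / len(dir_by) > max_deprovision_ratio:
        return None, f"refusing: feed drops {len(deprov)} of {len(dir_by)} identities"
    return Plan(add, update, deprov), None


def apply_plan(plan, feed, directory):
    """Apply a plan to a copy of the directory. Departed employees are
    disabled, not deleted, so the record and its PMS ID survive for audit."""
    feed_by = {r["pmsId"]: r for r in feed}
    result = {r["pmsId"]: dict(r, status="active") for r in directory}
    for k in plan.add + plan.update:
        result[k] = dict(feed_by[k], status="active")
    for k in plan.deprovision:
        result[k]["status"] = "disabled"
    return result
```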

Page 13

Interested in Learning More?

Contact:

Dominic Pisciotta

Sr. Project Manager, ETD

[email protected]

212-232-1066

OR

Teri Moore

Director of Enterprise Technology Development

[email protected]

212-232-0938