
APS 7 Identity Management: How and Why
Kirk M. Anne
Assistant Director, Systems & Networking
State University of New York College at Geneseo
[email protected]
HighEdWeb 2008 – October 7, 2008


A little about Geneseo
• Small public liberal arts college in Western NY
• Around 5,300 undergrad, 200 grad students
• Around 300 faculty
• Around 700 support staff employees
• Around 42,000 active alumni
• An original campus of SUNY


A little about SUNY
• State University of New York formed in 1948
  – 64 campuses serve over 425,000 students
  – Over 7500 courses of study
  – Over 3400 D/L courses for over 100,000 students
  – Over 83,000 employees
  – Over 2.4 million alumni
  – Around a $10 billion budget


What is an Identity?
• noun (pl. identities)
  – 1 the fact of being who or what a person or thing is.
  – 2 the characteristics determining this.
  – 3 a close similarity or affinity.
• How do we deal with the fact component?
• How does affinity affect those characteristics?
• How do we deal with “multiple identities”?
• How do we prove an electronic identity?


Problems we faced/are facing
• “Source of Record” for somebody’s identity?
• Student versus Faculty/Staff?
• How do you identify somebody electronically?
• Where is the paperwork for HR/Records?
• Why can’t people have just one SSN?
• Keep and delete adjuncts at the same time?
• What about “generic” accounts?
  – “Service accounts”, student groups, “affiliates”


What is Identity Management?
Definitions of identity management from the Web:
• Strictly speaking identity management is the identification of authorized users and their enrollment in a system that is used to manage their identity information. However, the management of identity information is not an end in itself; it is used to facilitate business activities such as physical access control, information systems access control, and workflow automation in accordance with business policies. This identity management is an integrated system of business processes, policies and technologies.
  http://www.corestreet.com/glossary/
• The creation of flexible definitions for individuals and groups which authenticates users and allows different levels of authorisation depending on the service used.
  http://www.ict.ox.ac.uk/strategy/plan.xml.ID=app.F
• An integrated system of business processes, policies and technologies that enables organizations to facilitate and control user access to critical online applications and resources, while protecting confidential personal and business information from unauthorized users.
  http://www.comcare.org/Patient_Tracking/IPTI-Glossary.html
• In information systems, identity management, sometimes referred to as identity management systems, involves the management of the identity life cycle of entities (subjects or objects) during which the system:
  1. Establishes the identity
     1. Links a name (or number) with the subject or object;
     2. Re-establishes the identity (i.e. links a new or additional name, or number, with the subject or object);
  2. Describes the identity
     1. Optionally assigns one or more attributes applicable to the particular subject or object to the identity;
     2. Re-describes the identity (i.e. changes one or more attributes applicable to the particular subject or object);
  3. Destroys the identity
  http://en.wikipedia.org/wiki/Identity_management


What is Identity Management?
• Not an end in itself
• Business processes, policies and programs
• Flexible definitions of people and groups
• Must protect confidential information
• Handling the “identity life cycle” of an entity
  – Establish the identity
  – Describe the identity
• #5 on EDUCAUSE 2008 “Top 10 Issues”


The “Big Picture”


Let’s enter the “Wayback Machine”
• Identity (aka Account) Management (1998)
  – The “Über Database” Theory
    • Contains all information for all accounts ever created
    • Tracks UNIX uid and username usage
    • Matches SSN to uid and username
    • Keep basic personal information for each identity
  – Account Management tools
    • Easily create accounts for UNIX and NT
    • Easily delete accounts for UNIX and NT
    • Synchronize passwords between UNIX and NT (ssod)


“Now we stepped in it…”
• my.geneseo.edu portal project (2006)
  – We decided to concentrate on the “my” part
    • Need personal information now
    • Need a way to synchronize account information
    • Need groups for permissions
• “Unfunded mandates”
  – iTunes University support needed
  – SUNY System Administration requires us to provide local info
  – “Mailing lists” for everyone and everything
  – Maintaining identities forever for Banner access


How are we going to get there?
• Directory Services
  – Contain the “characteristics” (attributes)
  – Provide a method for authentication
• Harvesters/Identity Mgmt Tools
  – Harvest “Sources of Truth” for attribute updates
  – Convert business processes to id mgmt action
• CAS/Shibboleth
  – Provide attributes to services (SOA)
  – Simplify passing information from identity store to apps


What we have now
[Diagram of the current systems; labels: “Sources of Truth” (SUNY HR System, HRMS, Banner, SUNY Applications System), Perl, SSOD, AD, iPlanet, OID, Web Apps, SUNY Portal, Email System, Library Apps, Angel, my.geneseo.edu, Service Accts, Dept Accts, Org Accts, “Affiliates”]


Where we want to go
[Diagram of the target architecture; labels: “Sources of Truth” (SUNY HR System, HRMS, Banner, SUNY Applications System), Perl, PL/SQL, AD, OID, DIP, OIF, Web Apps, Library Apps, Angel, SUNY Portal, Email System, Service Accts, Dept Accts, Org Accts, “Affiliates”]


Directory Services
• LDAP the protocol, LDIF the file format
  – PL/SQL to use Banner and HRMS for updating
  – Perl/VB to provision UNIX and Windows accounts
• Directory Integration Protocol (DIP)
  – Allow mapping into other directory servers (Active Dir)
• Delegated Administration Service (DAS)
  – Self service password reset
  – Self editable attributes
• Access Control Lists (ACL)
  – Protect information from prying eyes


LDAP/LDIF Information
• Data is stored in a hierarchy
• Keyed by the “distinguished name” (DN)
• objectclasses and attributes
  – Objectclass is a defined group of attributes
  – Attributes hold the values (single/multiple)
• OID (Object IDentifier)
• Base search paths
• Tall versus flat tree design
• Thick (a lot of data in tree) or thin (no data)


Tall versus Flat

Tall tree (o=geneseo.edu): ou=Alumni, ou=Chemistry, ou=Provost, ou=Art, ou=Photo, ou=business, ou=Education
Flat tree (dc=geneseo,dc=edu): cn=users, cn=groups

            Tall                                                Flat
Base DN     o=geneseo.edu                                       dc=geneseo,dc=edu
DN format   uid=kma,ou=Photo,ou=Art,ou=Provost,o=geneseo.edu    cn=kma,cn=users,dc=geneseo,dc=edu


organizationalPerson
  cn                           common name
  objectClass                  object class
  sn                           Surname
  description                  Description
  destinationIndicator
  facsimileTelephoneNumber     Fax number
  internationaliSDNNumber
  l                            Locality (City)
  ou                           Organizational Unit DN
  physicalDeliveryOfficeName
  postalAddress
  postalCode
  postOfficeBox
  preferredDeliveryMethod
  registeredAddress
  seeAlso
  st                           State
  street                       Street (Building/Office)
  telephoneNumber              Telephone Number
  teletexTerminalIdentifier
  telexNumber
  title                        Title
  userPassword
  x121Address


inetOrgPerson
  audio
  businessCategory         kind of business performed
  carLicense               License
  departmentNumber         dept code
  displayName              Name to be displayed
  employeeNumber           employee number
  employeeType             type of employee
  givenName                First name
  homePhone                Home Phone
  homePostalAddress        Home address
  initials                 Initials
  jpegPhoto                JPEG photo
  labeledURI               web page
  mail                     "Official" mail address
  manager                  DN of manager
  mobile                   Cell Phone Number
  o                        organization name
  pager                    Pager Number
  photo
  preferredLanguage        Preferred Language
  roomNumber               Office Number
  secretary                DN of secretary
  uid                      Username
  userCertificate
  userPKCS12
  userSMIMECertificate
  x500uniqueIdentifier


person/eduPerson/sunyPerson

person
  sn                            Surname
  cn                            Common (container) Name
  userPassword                  Password
  telephoneNumber               Phone Number
  seeAlso
  description                   Description

eduPerson
  eduPersonAffiliation          relationship to institution
  eduPersonNickname             informal name
  eduPersonOrgDN                DN of org tree
  eduPersonOrgUnitDN            DN of org unit
  eduPersonPrimaryAffiliation   Primary relationship
  eduPersonPrincipalName        The "NetID"
  eduPersonEntitlement          set of rights
  eduPersonPrimaryOrgUnitDN     Primary org unit
  eduPersonScopedAffiliation    "Security domain"
  eduPersonTargetedID

sunyPerson
  sunyPersonId
  sunyStudentId


orclUserV2
  orclHireDate
  orclDateOfBirth
  orclMaidenName
  orclIsVisible
  orclDisplayPersonalInfo
  middleName
  orclDefaultProfileGroup
  c
  orclTimeZone
  orclIsEnabled
  orclPasswordHintAnswer
  orclPasswordHint
  orclWorkFlowNotificationPref
  orclActiveStartDate
  orclActiveEndDate
  orclGender
  userPKCS12
  orclPKCS12Hint
  orclPassword
  authPassword
  orclPasswordVerifier
  orclSecondaryUID
  krbPrincipalName
  orclWirelessAccountNumber
  orclUIAccessibilityMode
  assistant
  orclSAMAccountName
  orclUserProvMode


Unix classes

posixAccount
  cn                  Username
  uidNumber           Unix user id number
  gidNumber           Unix group id number
  homeDirectory       Home Directory
  loginShell          Login Shell
  gecos               Unix Display Name
  description         Description

shadowAccount
  uid
  shadowLastChange    Last change day
  shadowMin           min days before change
  shadowMax           max days before change
  shadowWarning       days for warning
  shadowInactive      number of days after expire to disable
  shadowExpire        days since 1/1/70 to expiration
  shadowFlag          reserved field
  description         Description


Defining a new SUNY object class

attributetype ( 1.3.6.1.4.1.27652.1.1.1
    NAME 'sunyPersonId'
    DESC 'Identifier for SUNY employee'
    EQUALITY numericStringMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.36 )

attributetype ( 1.3.6.1.4.1.27652.1.1.1.2
    NAME 'sunyStudentId'
    DESC 'Identifier for SUNY student'
    EQUALITY numericStringMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.36 )

# sunyPerson objectclass definition
# can only be done after attributes established
objectclass ( 1.3.6.1.4.1.27652.1.1.2
    NAME 'sunyPerson'
    AUXILIARY
    MAY ( sunyPersonId $ sunyStudentId ) )


Example LDIF file

dn: uid=kma,ou=People,o=geneseo.edu
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: mailrecipient
objectClass: eduPerson
cn: Kirk M Anne
givenName: Kirk
sn: Anne
ou: Computing & Information Technology
title: Assistant Director of Systems & Networking
employeeType: Staff
telephoneNumber: 585-245-5577
street: South 124b2
l: Geneseo
st: NY
postalCode: 14454
mail: [email protected]
mailAlternateAddress: kirk.m.[email protected]
labeledUri: http://www.geneseo.edu/~kma
uid: kma
userPassword: {crypt}GLsdfa.S3wx1ug
uidNumber: 1605
gidNumber: 1000
gecos: Kirk M Anne
homeDirectory: /home/kma
loginShell: /bin/bash
eduPersonAffiliation: staff
eduPersonPrimaryAffiliation: staff
eduPersonPrincipalName: [email protected]
eduPersonEntitlement: [email protected]:mace:itunesu.com:sites:geneseo.edu
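As an added example, not from the slides, a small Python checker that reads an LDIF entry like the one above and validates the SUNY attributes against the schema from the previous slide: the auxiliary class must be listed in objectClass, and sunyPersonId/sunyStudentId must be Numeric Strings (syntax 1.3.6.1.4.1.1466.115.121.1.36, digits and spaces). The entry, its sunyPersonId value and the folded title line are constructed.

```python
import base64
import re

# Constructed entry in the style of the slide's LDIF (values are made up); the
# folded "title" line and the sunyPersonId value exercise the parser and the check.
LDIF_ENTRY = """\
dn: uid=kma,ou=People,o=geneseo.edu
objectClass: top
objectClass: person
objectClass: inetOrgPerson
objectClass: eduPerson
objectClass: sunyPerson
cn: Kirk M Anne
sn: Anne
uid: kma
title: Assistant Director of Sys
 tems & Networking
sunyPersonId: 0001 2345
"""

# From the schema slide: sunyPerson MAY sunyPersonId / sunyStudentId, both with
# Numeric String syntax 1.3.6.1.4.1.1466.115.121.1.36 (digits and spaces only).
NUMERIC_STRING = re.compile(r"^[0-9 ]+$")
SUNY_PERSON_MAY = ("sunyPersonId", "sunyStudentId")

def parse_ldif(text):
    """Parse one LDIF entry into {attr: [values]} (RFC 2849 folding and :: base64)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # a leading space continues the previous line
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    entry = {}
    for line in lines:
        name, _, value = line.partition(":")
        if value.startswith(":"):         # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode()
        entry.setdefault(name.strip(), []).append(value.strip())
    return entry

def check_suny_person(entry):
    """Return schema problems for the SUNY attributes; an empty list means the entry is fine."""
    problems = []
    has_class = "sunyPerson" in entry.get("objectClass", [])
    for attr in SUNY_PERSON_MAY:
        for value in entry.get(attr, []):
            if not has_class:
                problems.append(f"{attr} present but objectClass sunyPerson missing")
            if not NUMERIC_STRING.match(value):
                problems.append(f"{attr} value {value!r} is not a Numeric String")
    return problems
```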


Identity Management Tools
• Harvester
  – Simplest version
  – Reads from a “source of truth”
  – Updates attributes
• Identity Management systems
  – More complex
  – Provision access automatically
  – Defined by business processes and policy


Example Harvesting Maps

Attribute                    HR Feedback                                                    BANNER
givenName                    pers.fst_init+pers.fst_nam_rmt                                 spriden_first_name
sn                           pers.lst_nam                                                   spriden_last_name
cn                           pers.fst_init+pers.fst_nam_rmt+pers.lst_nam                    spriden_first_name+sprident_mi+spriden_last_name
description                  directory.dir_dpt+pers.prim_aff_cat_cd                         Student
telephoneNumber              directory.dir_area_cd+directory.dir_tel_nbr_shr                sprtele_area_code+sprtele_phone_number
mail                         email_addr                                                     goremal_email_address
street                       directory.dir_bld                                              spraddr_street_line_1
title                        directory.dir_fre_ln                                           Student
postOfficeBox                                                                               spraddr_line_1
ou                           directory.dir_dpt                                              Student
eduPersonOrgDn               dc=geneseo,dc=edu                                              dc=geneseo,dc=edu
eduPersonPrimaryOrgUnitDn    cn=Users,dc=geneseo,dc=edu                                     cn=Users,dc=geneseo,dc=edu
eduPersonAffiliation         pers.prim_aff_cat_cd+position.nu_cd+position.pos_sal_grd_suf   student
eduPersonPrimaryAffiliation
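As an added example, not from the presentation, a harvester in the sense of the two slides above, written in Python rather than the Perl/PL/SQL used at Geneseo: it applies a subset of the map to a source-of-truth record, compares the result with the current directory entry, and emits an LDIF modify for only the attributes that changed. Field names are those in the map; the sample values, the example.edu address, the phone formatting and the space-joined cn are constructed assumptions about what “+” means.

```python
def phone(area, number):
    # Assumed formatting of area code + 7-digit number: 585 + 2455577 -> 585-245-5577
    return f"{area}-{number[:3]}-{number[3:]}"

# Harvesting maps keyed by target LDAP attribute (subset of the slide's rows).
# Each rule turns one source row into the value the directory should hold.
HR_MAP = {
    "sn": lambda r: r["pers.lst_nam"],
    "telephoneNumber": lambda r: phone(r["directory.dir_area_cd"], r["directory.dir_tel_nbr_shr"]),
    "mail": lambda r: r["email_addr"],
    "ou": lambda r: r["directory.dir_dpt"],
    "description": lambda r: r["directory.dir_dpt"] + " " + r["pers.prim_aff_cat_cd"],
}
BANNER_MAP = {
    "givenName": lambda r: r["spriden_first_name"],
    "sn": lambda r: r["spriden_last_name"],
    "cn": lambda r: " ".join(r[k] for k in ("spriden_first_name", "sprident_mi", "spriden_last_name") if r[k]),
    "telephoneNumber": lambda r: phone(r["sprtele_area_code"], r["sprtele_phone_number"]),
    "mail": lambda r: r["goremal_email_address"],
    "ou": lambda r: "Student",
    "eduPersonAffiliation": lambda r: "student",
}

def harvest(current, row, mapping):
    """Return {attr: value} for every mapped attribute whose directory value differs."""
    changes = {}
    for attr, rule in mapping.items():
        value = rule(row)
        if current.get(attr) != value:
            changes[attr] = value
    return changes

def ldif_modify(dn, changes):
    """Serialize the changes as one LDIF 'changetype: modify' record (replace per attribute)."""
    lines = [f"dn: {dn}", "changetype: modify"]
    for attr, value in changes.items():
        lines += [f"replace: {attr}", f"{attr}: {value}", "-"]
    return "\n".join(lines) + "\n"

# Constructed sample: a Banner student row and the stale entry currently in the directory.
BANNER_ROW = {"spriden_first_name": "Jane", "sprident_mi": "Q", "spriden_last_name": "Doe",
              "sprtele_area_code": "585", "sprtele_phone_number": "2450000",
              "goremal_email_address": "jqd1@example.edu"}
CURRENT_ENTRY = {"givenName": "Jane", "sn": "Doe", "cn": "Jane Q Doe",
                 "telephoneNumber": "585-245-9999", "ou": "Student"}

if __name__ == "__main__":
    print(ldif_modify("uid=jqd1,ou=People,o=geneseo.edu", harvest(CURRENT_ENTRY, BANNER_ROW, BANNER_MAP)))
```

Only telephoneNumber, mail and eduPersonAffiliation appear in the modify record for the sample, because the other mapped values already match the directory.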


CAS/Shibboleth
• Central Authentication System (from Yale)
• Shibboleth (from Internet2 middleware)
• Provide protected access to attributes
• Provide the ability for single sign-on
• Key concepts
  – Identity Provider (IdP)
  – Service Provider (SP)
  – Security Assertion Markup Language (SAML)


Sample SAML 2.0 transaction


So why would we do this?
• Simplify
  – Reduce the number of usernames/passwords
  – Reduce the number of places for “personal info”
• Secure
  – One username, one password -> strong passwords
  – Enforce policies (force pw changes, remove access)
• Self-service
  – Password resets
  – Provide/update attribute information


Why should we do this?
• One word… “Facebook” (one BIG directory)
• Students today expect personalized service
• Attributes allow us to select affinity groups
• Public versus private social networks


Other reasons
• Online phone books/directories
• Central authentication/Single Sign On
• Service Oriented Applications (SOA)
  – “Portal” applications
  – iTunesU
  – SUNY Administration Applications (HR)
  – Google Gadgets?
  – iPod Touch/iPhones?
  – InCommon?


What will it look like?


Technology is not the whole answer
• We still need to develop policies.
  – Do we use last names for usernames?
  – What do we do about adjuncts?
  – When is a student?
  – What about leaves of absence?
  – Do we create staff accounts before signed letters?
  – Do we keep student accounts forever?
  – Who gets to see what attributes?
• Processes should be based on policies.


For more information…
• Shibboleth – http://shibboleth.internet2.edu/
• Grouper – http://grouper.internet2.edu/
• COmanage – http://middleware.internet2.edu/co/
• Central Authentication System – http://www.ja-sig.org/products/cas/index.html
• InCommon – http://www.incommonfederation.org/
• Internet2 middleware – http://middleware.internet2.edu/dir/