Identity and Access Management Services
Tom Jordan <tom.jordan@wisc.edu>
Presented to Infrastructure Technical Advisory Group (ITAG), November 20, 2017

Agenda
• Overview of Campus IAM services
• Who’s using IAM services?
• IAM Populations
• Gaps / Campus Needs
• Current Initiatives
• Future Initiatives
• Forums for campus feedback
• How ITAG can help

IAM on Campus
• The IAM Problem Space: Identity Registration, Directory Services, Account Management, Grouping / Provisioning, Person Data Delivery, Access Management
• IAM on Campus (from IT Services Survey):
  • 17 campus services for Identity Management
  • 38 campus services for Access Management
  • 7 campus services for Directory Services
• Major campus providers: DoIT, Business, AIMS, Computer Science, SMPH, Engineering, Athletics

Overview of DoIT IAM Services and Infrastructure (architecture diagram; component labels recovered from the slide)
• Diagram stages, left to right: Identity Sources, Identity Reconciliation, Identity Data Management, Identity Data Integration, Identity Consumers
• Identity Sources: UW System Data Sources and Madison Data Sources (SIS, Hosp, HRS, IDM/PASE, SpecAuth, UWM, UWW, UWGB, etc)
• Identity Reconciliation: Identity Registry; UW System Provisioning (OIM); UW Madison Provisioning (Regsync)
• Identity Data Management: Authentication Services (WI Fed, WebSSO, Credential Management, MFA); Directory Services (LDAP, Active Directory, Cloud Directories); Enterprise Group Management (Manifest / Grouper); Person APIs (SOAP / REST, Messaging)
• Identity Data Integration: PHEXPORT (Customer Data Views); ad-hoc and data-driven grouping for authorization; person data APIs for developers
• Identity Consumers: On-Premise Apps; Cloud Apps for UW Madison; Common Systems Apps (onprem and in the cloud); UW Madison Directory-based apps and Infrastructure; Office 365; NetID Login; Google Apps; Cisco Spark

Who uses IAM services?
• Principal Customers
  • UW Madison application owners / providers
  • UW Madison business process owners
• By IAM Service
  • Person Data Views – about 300 data views*
  • Person Web Services – about 25 customers*
  • Directory Services – about 200 departments / subunits
  • Manifest – about 300 departments / subunits
  • SAML / NetID Login – about 1,500 applications

UW Madison IAM Populations
• Students (including SOAR, applicants and former students)
• Faculty / Staff
• Affiliates
• Special Authorizations
  • UW Foundation
  • Visiting Staff / Researchers
  • Partner Agencies on campus (Forest Products Lab, USGS, etc)
  • UW Health / UW Medical Foundation
  • Pre-College Program
  • Summer Research Opportunities Program (SROP)
  • Lifelong Learners
• Manifest-Invited Populations
• UW System populations (students, facstaff, affiliates)

Gaps / Issues / Campus Needs
• Gaps in current infrastructure offerings
  • Scalable provisioning and deprovisioning for compliance and audit
  • Scalable support for Unix integration with directory services
  • Scalable automation by departments
  • Support for modern development tools and processes (REST APIs, ORM-friendly data models)
  • Support for stronger authentication types (MFA)
  • Technical debt in some IAM components
• Gaps in populations / account types
  • Additional ‘affiliate’ populations
  • Social / External Identity integration
  • Non-person and Privileged Accounts

Current Initiatives

Initiative                                                Gap Addressed
Duo Deployment                                            Strong Authentication (MFA)
SpecAuth retirement                                       Technical Debt
REST-based Person API                                     Support for modern development toolsets
Message queueing for person data change notification      Support for modern development toolsets

Future Initiatives

Initiative                                                Gap Addressed
Self-Service attribute release                            Scalable automation for departments
API-based access to group information                     Scalable automation for departments
Unix integration with NetID authentication                Services for Unix environments
Person Hub refactor / replacement                         Technical Debt
Service / privileged account management                   Compliance and Audit
Improved provisioning / deprovisioning capability         Compliance and Audit

Service Feedback
• Individual Services
  • NetID Login – help@login.wisc.edu
  • Campus Active Directory – activedirectory@doit.wisc.edu
  • Manifest – manifest@doit.wisc.edu
• Measuring Service Effectiveness / Customer Satisfaction
  • Meetings with campus departments in 2016
  • Customer Survey of IAM Needs – Early 2018
• General IAM Feedback – iam-feedback@office365.wisc.edu

How ITAG could help
• Are we offering the right IAM services to campus?
• How do we reach those units that are not engaged?
• What other feedback venues should we be using to get feedback from our customers?
• What are you hearing?