  • Number of slides: 29

GatorAid: Identity Management at the University of Florida
Mike Conlon, Director of Data Infrastructure, mconlon@ufl.edu

Copyright Notice
Copyright Mike Conlon 2005. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

NMI-EDIT Consortium
  • NSF Middleware Initiative (NMI) – Enterprise and Desktop Integration Technologies Consortium (EDIT)
    ◦ Comprises Internet2, EDUCAUSE, and SURA
  • Funded by the NSF Middleware Initiative
    ◦ E-science and research
  • Researches and develops inter-institutional Identity and Access Management tools
    ◦ Shibboleth, for example
  • Guided by MACE – Middleware Architecture Committee for Education
    ◦ Group of R&E IT architects from the US and Europe

One Slide About UF
  • 49,000 students in Gainesville, FL
  • 15,000 distance, continuing and executive students
  • $2.0 billion annual budget; $475 million in research, growing at 9% per year; Health Sciences is 58% of research
  • 140 academic departments in 23 colleges
  • Land grant – extension in all 67 counties
  • The Gators, Lady Gators, Gatorade

One Slide About UF Technology
  • 500 IT professionals across campus
  • Very decentralized
  • Estimated $90 million in annual IT spending
  • Over 300 email servers
  • 30,000 devices on the open network
  • AD, NDS, iPlanet, OpenLDAP, Kerberos
  • Directory Project 2002-2003
  • PeopleSoft implementation (Finance, HR, Warehouse, Portal) 2003-2005

Identity Management
Identity management is the authoritative association of people with identifiers, such as ID numbers and ID cards, and with access credentials, such as usernames/passwords. Identity management is fundamental for providing secure authentication and authorization services.

Old Process / New Process
  • Old process: a system administrator gives out accounts on a local system. Varying degrees of local identity management; no referencing across systems.
  • New process: identity is established by trained coordinators and maintained centrally. Systems use authoritative sources for identity, credentials and authorization.

You Need a Directory
  • Authentication, authorization and directory identified as key problems to solve at UF in August 2000
  • Community effort to solve the directory problem at UF: 17 sources for contact information, limited sharing
  • Information Systems, Academic Technology, Health Science Center, Registrar and Data Center involved from the beginning
  • UF read and studied NMI documents – roadmap, early harvest, metadirectory practices, identifier mappings

What We Had to Work With
  • GatorLink – Kerberos-based authentication mechanism since 1997
  • Unsponsored campus LDAP and NDS
  • DB2-based registry of people information used by some administrative systems
  • Many feeds to the registry, few from the registry
  • Ad hoc integration

UF Directory Project
  • Started an ad hoc planning group August 2000
  • Ken Klingenstein visit April 2001
  • Parallel effort to replace the SSN merged August 2001
  • Finished report September 2001
  • Began implementation October 2001
  • Deployed new directory January 23, 2003
  • http://www.it.ufl.edu/projects/directory

Directory Project Deliverables
  • New registry – 140 tables
  • New LDAP schema (eduPerson, eduOrg)
  • New IDs – UFID and UUID
  • GatorLink tied to UFID
  • 50,000 new Gator One cards
  • 1,500 applications modified
  • New self-service apps: http://phonebook.ufl.edu
  • New directory coordinator apps
  • New APIs for directory-enabling business processes
  • 800 directory coordinators identified and trained

UF Directory – Architecture
  • Three major interfaces
  • One data store
  • One set of APIs
  • About 50 message queues
  • Each app receives consistent data

Directory Coordinators Establish Identity
  • Each new faculty or staff member is entered into the directory by their local directory coordinator. This creates a new directory entry with a new UFID.
  • Student UFIDs are created by directory processes initiated by the Registrar
  • HR and the Registrar update authoritative values for registry attributes

Goals for Authentication Services
  • Tie authentication to identity – all system access should be attributable to a UFID
  • Provide a single-credential (GatorLink) environment, regardless of access technology
  • Support enterprise system sign-on, LAN sign-on and web sign-on with the same credential and the same support for identity attribution

Five Projects
  • Web Initial Sign On – 2002/2003
  • Portal – 2002/2003
  • Password Management – 2003/2004
  • UF Active Directory – 2004/2005
  • Account Management – 2005

Web Initial Sign On (WebISO) at UF
  • UF developed a local WebISO solution in 1998 – GLAuth provides a secure cookie-based, Kerberos-authenticated system
  • GLAuth is simple to install on Apache web servers (Linux and Windows)
  • Legacy SIS and admin applications use GLAuth, providing single-credential access to these systems
  • In 2002, augmented GLAuth to support Windows; integrated the portal, WebCT and Legacy Admin to use GLAuth
  • Subsequently: grad school applications, athletic applications, career resource center, colleges and departments

Portal Implementation
  • Implemented PeopleSoft/Oracle Enterprise Portal in 2002/2003
  • Identity changes in the directory are synched into the portal and into HR and Finance for SSO
  • Portal provides the GLAuth cookie for links to university services
  • Portal provides the authorization platform for enterprise systems

Authorization Concept
  • Directory has "affiliations" for each person. Affiliations roll up to eduPerson affiliations and to a primary affiliation.
  • Affiliations imply authorizations
  • Authorization is based on roles
  • Some roles can be algorithmically determined from affiliations
  • Additional roles are assigned by traditional access request processes

Entity, Role and Service

Role Management
  • Roles are assigned algorithmically by processes that read the directory message queues
  • Roles are also assigned on request, following university policy
  • Department Security Coordinators use the portal Access Request System (ARS)
  • Individuals can view their roles from the portal

My Roles
  • Every portal user can access their role information using My Roles
  • All roles are listed with descriptions

My Access History
  • Every portal user can access their access history
  • Suspicious access is referred to the university security team and potentially to law enforcement

Password Management
  • Password management policies are determined by user roles – each role has a related password policy
  • Five password policies govern reset, use of hints and password age
  • Each user's GatorLink password management policy is the strongest policy required by any of the user's roles
  • All GatorLink accounts have strong passwords
  • Password changing is done using portal screens
  • Kerberos, AD and NDS are updated in real time
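The "strongest policy required by the user's roles" rule, as an added example; this is not UF's code. The slides say only that five policies exist and that they govern reset, hints and password age, so the policy names, their parameters and the role-to-policy mapping below are constructed for illustration. The point worth seeing is that "strongest" is only well defined if the five policies are totally ordered, so the table is checked for that at load time, and a role with no mapped policy imposes nothing rather than failing.

```python
"""Added example (not UF's code): resolve a GatorLink password policy from a user's roles.

Constructed for illustration: the five policy names and parameters, and the
role -> policy mapping. Only the rule itself comes from the slides.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Iterable, Optional


@dataclass(frozen=True)
class PasswordPolicy:
    name: str
    max_age_days: Optional[int]  # None = password never expires
    hints_allowed: bool          # may a hint be stored for self-service reset
    self_service_reset: bool     # False = reset only through a coordinator / help desk


# Ordered weakest to strongest (constructed values).
POLICIES = [
    PasswordPolicy("P1-basic",     max_age_days=None, hints_allowed=True,  self_service_reset=True),
    PasswordPolicy("P2-standard",  max_age_days=365,  hints_allowed=True,  self_service_reset=True),
    PasswordPolicy("P3-employee",  max_age_days=180,  hints_allowed=False, self_service_reset=True),
    PasswordPolicy("P4-sensitive", max_age_days=90,   hints_allowed=False, self_service_reset=True),
    PasswordPolicy("P5-admin",     max_age_days=60,   hints_allowed=False, self_service_reset=False),
]
STRENGTH = {p.name: i for i, p in enumerate(POLICIES)}

# Role -> policy name (assumed role names). Roles not listed impose no policy.
ROLE_POLICY = {
    "UF_STUDENT": "P2-standard",
    "UF_EMPLOYEE": "P3-employee",
    "HR_VIEW_SSN": "P4-sensitive",
    "UFAD_DOMAIN_ADMIN": "P5-admin",
}


def _check_total_order(policies):
    """'Strongest policy' only makes sense if each entry is at least as strict
    as the previous one in every parameter; refuse to load a table that is not."""
    for weaker, stronger in zip(policies, policies[1:]):
        w_age = float("inf") if weaker.max_age_days is None else weaker.max_age_days
        s_age = float("inf") if stronger.max_age_days is None else stronger.max_age_days
        ok = (s_age <= w_age
              and stronger.hints_allowed <= weaker.hints_allowed        # True <= False fails
              and stronger.self_service_reset <= weaker.self_service_reset)
        if not ok:
            raise ValueError(f"{stronger.name} is not stricter than {weaker.name}")


_check_total_order(POLICIES)


def effective_policy(roles: Iterable[str]) -> PasswordPolicy:
    """Strongest policy required by any of the user's roles; the baseline if none applies."""
    best = POLICIES[0]
    for role in roles:
        name = ROLE_POLICY.get(role)
        if name is not None and STRENGTH[name] > STRENGTH[best.name]:
            best = POLICIES[STRENGTH[name]]
    return best


def password_expired(policy: PasswordPolicy, last_changed_iso: str, today_iso: str) -> bool:
    """Apply the policy's age limit to a password last changed on last_changed_iso (YYYY-MM-DD)."""
    if policy.max_age_days is None:
        return False
    age = date.fromisoformat(today_iso) - date.fromisoformat(last_changed_iso)
    return age > timedelta(days=policy.max_age_days)


if __name__ == "__main__":
    # Constructed user: a student employee who also holds an HR role.
    roles = {"UF_STUDENT", "UF_EMPLOYEE", "HR_VIEW_SSN", "SOME_UNMAPPED_ROLE"}
    policy = effective_policy(roles)
    print(policy.name, "expired:", password_expired(policy, "2005-01-01", "2005-04-15"))
```

Because a role gained through the Access Request System can only raise the effective policy, a change to a user's roles is also a trigger to re-evaluate their password, which is the kind of event the directory message queues on the preceding slides carry.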

UF Active Directory
  • UFAD accounts are built from directory message queues
  • Contact information in UFAD is populated from the directory
  • UFAD accounts use GatorLink usernames and passwords
  • OUs are populated based on the value of a "Network Managed By" attribute in the directory – directory coordinators assign the value
  • Accounts are provisioned centrally; rights are managed locally
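One consumer of the directory message queues, as an added example that is not UF's code: it takes a directory message for one person and derives what the Authorization Concept, Role Management and UF Active Directory slides describe (affiliations rolled up to eduPerson affiliations and a primary affiliation, algorithmic roles merged with ARS-requested roles, and the UFAD OU chosen from the "Network Managed By" value). The message shape, the local affiliation names, the role names, the affiliation precedence and the OU naming are all assumptions; only the eduPersonAffiliation vocabulary (faculty, staff, student, employee, member, affiliate, alum) is the standard one.

```python
"""Added example (not UF's code): one consumer of a directory provisioning message.

Assumed/constructed: the message shape, local affiliation names (UF's real
codes are not on the slides), role names, the precedence used to pick the
primary affiliation, and the OU layout. eduPersonAffiliation values are the
standard ones.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Local affiliation -> eduPersonAffiliation values it rolls up to (assumed mapping).
ROLLUP = {
    "tenured-faculty":    {"faculty", "employee", "member"},
    "adjunct-faculty":    {"faculty", "employee", "member"},
    "staff":              {"staff", "employee", "member"},
    "registered-student": {"student", "member"},
    "alumnus":            {"alum"},
    "vendor":             {"affiliate"},
}

# Precedence for eduPersonPrimaryAffiliation (assumed ordering).
PRIMARY_ORDER = ["faculty", "staff", "student", "employee", "alum", "affiliate", "member"]

# Roles that follow from affiliations alone (assumed role names); others come via ARS.
ALGORITHMIC_ROLES = {
    "employee": {"UF_EMPLOYEE"},
    "faculty":  {"UF_FACULTY", "GRADE_ENTRY"},
    "student":  {"UF_STUDENT"},
}


@dataclass
class DirectoryMessage:
    ufid: str
    affiliations: List[str]
    network_managed_by: Optional[str]         # the slide's "Network Managed By" attribute
    requested_roles: Set[str] = field(default_factory=set)  # granted through ARS, not computed


@dataclass
class Provisioning:
    ufid: str
    edu_person_affiliation: List[str]
    primary_affiliation: Optional[str]
    roles: Set[str]
    ou_dn: Optional[str]


def rollup(affiliations):
    out = set()
    for a in affiliations:
        out |= ROLLUP.get(a, set())   # an unknown local affiliation confers nothing
    return out


def primary_affiliation(edu_affs):
    for a in PRIMARY_ORDER:
        if a in edu_affs:
            return a
    return None


def derive_roles(edu_affs, requested):
    roles = set()
    for a in edu_affs:
        roles |= ALGORITHMIC_ROLES.get(a, set())
    return roles | set(requested)


def ou_dn(network_managed_by, base="DC=ad,DC=ufl,DC=edu"):
    """OU placement from the coordinator-assigned value; None leaves the account unplaced."""
    if not network_managed_by:
        return None
    # Escape RDN-special characters (RFC 4514); backslash first so it is not re-escaped.
    safe = network_managed_by
    for ch in "\\,+\"<>;=":
        safe = safe.replace(ch, "\\" + ch)
    return f"OU={safe},OU=Units,{base}"


def process(msg: DirectoryMessage) -> Provisioning:
    edu = rollup(msg.affiliations)
    return Provisioning(
        ufid=msg.ufid,
        edu_person_affiliation=sorted(edu),
        primary_affiliation=primary_affiliation(edu),
        roles=derive_roles(edu, msg.requested_roles),
        ou_dn=ou_dn(msg.network_managed_by),
    )


if __name__ == "__main__":
    # Constructed message: a faculty member who is also a registered student.
    msg = DirectoryMessage("12345678", ["tenured-faculty", "registered-student"],
                           "CLAS, Physics", {"PCARD_HOLDER"})
    print(process(msg))
```

Every subscribing system (portal, HR, UFAD) would run the same derivation on the same message, which is what "each app receives consistent data" on the architecture slide buys: roles and OU placement are computed from authoritative attributes, not entered by hand in each system.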

Authentication Architecture
  • Authentication begins with identity
  • Automated processes populate the portal, HR and FI
  • Portal login produces the cookie for WebISO
  • Middleware updates additional authentication services
  • Kerberos, AD and NDS supported

Current Status
  • All major enterprise systems (WebCT, WebMail, SIS, PeopleSoft, Legacy) use GatorLink authentication attributable to a UFID
  • All major college/unit web sites use attributable authentication
  • 25% of all desktops use attributable authentication (NDS and UFAD)
  • By summer 2006, over 50% of desktops will use attributable authentication (full Health Science Center implementation)

Current Project – Account Management
  • Create a formal lifecycle and state chart for GatorLink computer accounts
  • Increase the name space from 8 to 16 characters
  • Consolidate/replace legacy apps for account management into the portal
  • Introduce web services – account state changes will be available to subscribing service providers
  • Go live mid-September 2005

Future Work
  • Directory/identity integration with VoIP services
  • Directory/identity integration with building access services
  • PeopleSoft/Oracle Campus Community will be implemented, with go-live Summer 2006
  • Legacy systems maintaining authorization information will be reimplemented using roles
  • Direct access to the directory via APIs will be replaced with the messaging infrastructure

For More Information
  • http://ufid.ufl.edu
  • http://www.bridges.ufl.edu/directory
  • http://gatorlink.ufl.edu
  • http://www.ad.ufl.edu
  • Email mconlon@ufl.edu