- Number of slides: 21
Portal Services & Credentials at UT Austin CAMP Identity and Access Management Integration Workshop June 27, 2005

Discussion Items
• Setting the stage
• UT’s portal service – UT Direct
• UT’s authentication service – UT EID
• Credentialing & Support
• Challenges & Responses
• Future Directions
27 June 2005 – CAMP Identity & Access Management

Setting the Stage
• UT Austin has a large number of core constituents:
  – ~50,000 students
  – ~18,000 faculty & staff
• And even larger groups of “extended” populations (e.g., prospective students, former students, parents, job applicants)

UT’s Portal – UT Direct
• Created in 2000, upgraded in 2003
• “Home-grown” using local custom development tools
• Serves as both a portal and a web application framework (look & feel, menus, bookmarks, etc.)
• Personalization is based on user’s affiliations

UT Direct Usage
• UT Direct has achieved strong penetration:
  – 80% of students use it at least weekly
  – 70% of faculty & staff use it weekly
  – 100,000 distinct users log in weekly
• UT Direct user interface is used for most business/administrative web services at UT Austin

UT’s Authentication Service – UT EID
• UT EID system created in 1995, upgraded in 1999, major overhaul coming this fall
• All members of UT community have EIDs
• Unified namespace for all EIDs
• Sponsoring departments control the affiliations attached to EIDs

EID Classes
• EIDs are grouped into 3 major classes based on affiliation and status of identity verification
  – Low assurance – Self-registered EIDs
  – Medium assurance – Sponsored by an approved UT department
  – High assurance – ID verified in-person & electronic signature agreement signed
• Required password strength depends on EID class

EID Populations
• The EID system currently contains 1.7 M identity accounts, including:
  – Current students (~50 K)
  – Former students (since ’74) (~600 K)
  – Current employees (~35 K*)
  – Former employees (since ’72) (~300 K*)
  – Prospective students (~650 K)
  – Guests (~400 K)
* Includes employees from certain other UT System universities that use shared administrative services.

Relationship between UT Direct & the EID System
[Diagram labels: UT Direct, Blackboard, UT EID Authentication, Webmail, Webspace]
• UT Direct and UT EID authentication are distinct systems
• Most but not all UT Direct services are EID-authenticated
• UT EID authentication also used by many other services at UT Austin

EID Credentialing
• EID Creation
  – Guest EID suite (self-registration)
  – EID-on-demand (inline registration)
  – Automated EID creation
• Physical ID verification is required for most core affiliates, but not for extended populations
• EID eProxy allows one person to act on behalf of another for certain services (e.g., a parent who is paying a student’s housing bill)

EID Support
• EID web help suite lists contacts and provides password help options based on user’s current affiliations
• Passwords can be reset online via challenge/response questions or via email ticketing (w/other credentials)
• EID phone support is delegated to affiliation sponsors; Central ITS help desk is the last resort

Challenges Part 1
• Risks posed by a unified identifier (for example, FERPA compliance)
  – One set of credentials shared by multiple systems can expose data in unexpected ways
  – User support systems/options are complicated by need to prevent inappropriate access to confidential data

Challenges Part 2
• Duplicate EIDs and merging of EIDs
  – Extended populations tend to be future or former core constituents, so duplicate EIDs can cause problems
• Privacy & identity theft concerns
  – Data elements used for identity reconciliation raise privacy concerns for the university community

Challenges Part 3
• Relentless increase in identity registry size: +20% per year
  – New extended populations regularly being identified
  – Campus departments replacing local SSN-based identifiers with EIDs
  – Ongoing migration of campus systems to EID authentication (simplified sign-on initiative)

Responses Part 1
• Risks posed by a unified identifier (for example, FERPA compliance)
  – Proactively coordinate EID support and password reset policies across sponsoring departments, especially when new affiliations are added
  – Move toward more granular authentication status and control

Responses Part 2
• Duplicate EIDs and merging of EIDs
  – Increase intelligence of self-registration process with adaptive questionnaire
  – Push EID usage to start of business processes to limit backend EID merges
• Privacy & identity theft concerns
  – Remove SSN from EID System
  – Institute stricter controls on access to identity registry data

Responses Part 3
• Relentless increase in identity registry size: +20% per year
  – Improve flexibility & agility of identity registry to better cope with growth
  – Limit identity reconciliation efforts to close affiliates
  – Implement new classes of EIDs (e.g., identifier-only) with characteristics targeted to campus needs

Future Directions – UT Direct
• Bolster support for non-authenticated sessions
• Unify central UT web site architecture with UT Direct portal
• Support Shibboleth-style local-campus authentication for other UT System universities
• Explore commercial & open-source tools/products for next generation of UT Direct

Future Directions – UT EID
• Complete overhaul of EID system will occur in Fall 2005
• Improve online support tools for users, especially former students
• Allow affiliation sponsors to define populations within an affiliation to provide customized support options
• Support strong second-factor authentication options

My Contact Info
CW Belcher
c.belcher@its.utexas.edu
(512) 232-6519