Unc cause 2010 Identity and Access Mgmt Panel


Published on

Published in: Education, Technology
  • Be the first to comment

  • Be the first to like this

No Downloads
Total Views
On Slideshare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Unc cause 2010 Identity and Access Mgmt Panel

  1. 1. Identity and Access Management Updates on IAM in the System Mark Scheible, NC State University Lynn Franz, Western Carolina University Jan Tax, UNC-Chapel Hill Steven Hopper, UNC-GA
  2. 2. Introductions Mark Scheible Manager, Identity and Access Management NC State University Lynn Franz Application Development & Data Management Western Carolina University Jan Tax Identity and Access Management UNC Chapel Hill Steven Hopper Director of Online Services & CTO for UNC Online UNC General Administration
  3. 3. Identity and Access Management “Identity Management has evolved to include policies, procedures and the broad spectrum of technologies required to establish institutional identity management (IdM) systems” – (EDUCAUSE IAM Working Group)
  4. 4. Identity and Access Management • Identity Vetting & Proofing - making sure the information provided about an individual (e.g. name, DOB, address, phone number, degree(s) earned, etc.) is accurate and verified, and insuring a credential is issued to the appropriate person • Credentialing - the issuing of a “username and password” for authentication purposes • Directories – database(s) containing information associated with individuals and resources (in this context, identity data or “attributes”) • Authentication Services – used to authenticate someone (the login process) • Authorization Services – used to determine what access an individual has to applications, resources, etc., based on who they are, or their membership in a group Major areas of interest
  5. 5. Internet2 Middleware Diagram
  6. 6. Panel Discussion • Identity Population Utilization (Lynn Franz) • Group Management (Jan Tax) • Federated Identity Management (Steven Hopper) Each of our panelists will touch on a different aspect of IAM …
  7. 7. Identity and Access Management at Western Carolina University
  8. 8. Where we started… First decision: Banner is the data source of record. It drives access to IT resources and services.
  9. 9. One of the first tasks was to look at the various populations… A solid understanding of organizational roles is key for creating and maintaining identity and access management.
  10. 10. At the highest level, our data consisted of three populations.
  11. 11. Each population consisted of further sub-categories. STUDENT Intending Student? Cullowhee Commuter? Currently Enrolled? Continuing? Former Student? Future Student?
  12. 12. This foundation is the core of our Identity Management processing. Group Group Members Further Sub-Group Memberships We defined and created a scalable mechanism for identifying, creating, and managing those groups.
  13. 13. Role Security Groups and Distribution Lists Reports Database Database Interfaces between data sources, on or off campus Luminis Roles Each group, or Role, is defined in one location. The Role may be consumed in many places.
  14. 14. If the Role definition changes, it’s changed in ONE place. Consumption of the Role is not interrupted. Role definitions are consistent across consumers. Security Groups and Distribution Lists Reports Database Database Role Luminis RolesInterfaces between data sources, on or off campus
  15. 15. Roles can be defined, re-defined, and sub-grouped. Meanwhile, the organization keeps rolling along… Staff or (Full/Part-Time) Faculty Graduate Assistant (Teaching and Lab) Graduate Assistant (Non- Teaching, Non- Lab) Student Worker Hourly or Temporary Worker Cullowhee Commuter Guest or Consultant
  16. 16. We had to make another key decision… Banner allows for one external username association with one individual. One individual may exist in multiple roles! Should these have the same external username? Sally Sue Student accounts (email hosted off campus) and Non-Student accounts (email hosted on site) would have unique external usernames. Both are provisioned in Active Directory. A Banner mod was necessary for this association.
  17. 17. This simple SQL statement returns the Active Student member information. ( Banner PIDM, Role, Active Directory External Username ) The Blackboard integration components can be easily associated using a single point of reference for group membership…
  18. 18. How do all these roles fit with the larger picture? Identity Management Banner Other Systems With the foundation in place…
  19. 19. Active Directory Outlook Properties Sync Online Directory uses a Banner database view. People review their information and send corrections to HR using an Online Correction Form. Banner data feeds to Active Directory and Outlook Properties are updated.
  20. 20. Oracle packages using DBMS_LDAP functionality are used for the updates behind the scenes...
  21. 21. Outlook Properties provide the campus with reliable contact data, which can be consumed by other applications (such as the help desk ticketing system, Paw-Print, and Shibboleth). Supervisor Name
  22. 22. Method for managing roles that are not data driven from Banner. Automation and management of these roles requires additional data to be stored in Oracle tables. The tables also provide audit information and access control. Roles are managed by individual “owners”, who can assign “managers”. The owners and managers add/remove members, as defined by privilege assignments. Manually Managed Roles Committees Organizations Digital Millennium Copyright Act Offenders Registered Exchange Active Sync User
  23. 23. Automated AD Security Groups Automated Distribution Groups (in progress) With automated and manual roles in place…
  24. 24. Additional building blocks and project components on the way…
  25. 25. HR Intake/Outtake Interface As individuals enter and exit HR positions, automated processes will provide accurate and timely account information (for create, terminate, and modify actions). •No Affiliation with University •Not a Student, Guest, or Employee Not Affiliated •University Identity/Email •Access to University Information Resources Affiliated •No longer Affiliated with University •No Access to University Information Systems Not Affiliated Position Change (Personnel Action) Health Services Gym Usage Parking PermitsLibrary Cat Card Personnel action events will be consumed by other organization entities.
  26. 26. Establishment of a practice for managing non-person accounts. These accounts must receive approval and have a WCU sponsor. Examples of these accounts are email accounts for various groups such as Athletics (baseball@wcu.edu) and departments (admission@wcu.edu). Non-Person Account Management
  27. 27. Campus Security Request Process Provide users on campus one method/location for requesting additional security and authorization to university systems and resources. Provost Office Finance Facilities
  28. 28. Along the way there have been some internal automations that have streamlined IT processes. This WayManagementIdentity o Managing INB Users o Managing Banner Security o Banner Self-Service Password Changer (AD authentication for INB accounts) o Help Desk unlock of Banner Accounts o Reports
  29. 29. help us move toward our future goal of Role Based Access. Identity role definitions, automated processes, and better internal and external procedures …
  30. 30. Taking a moment for lessons learned…
  31. 31. Challenges…. Culture change is necessary… and sometimes very difficult to achieve. Ownership and governance must belong to the stakeholders. (Not an IT problem!) It is time consuming to review and define the various organizational business entities. There are some tough issues to tackle (for example, account management of non- person accounts). Processes have to be set up for managing identities. Boundaries, for how groups can and can’t be used, need to be defined and enforced.
  32. 32. Removing bad data and standardizing data definitions provides better access for data consumption. As data consumption increases, it is easier to identify and resolve problems. Paves the way to help identify business processes that need to be reviewed and refined. Readily highlights auditing concerns. Systems that are not automated immediately can still utilize role information by seeing a person’s role information and adjusting local security to fit the roles. Provides framework for retiring old systems and implementing new systems. Rewards….
  33. 33. Proactive: • looking at campus-wide scope for 1 – 10 years down the road • reviewing institutional business level processes Process: • creating well-defined procedures • implementing data driven events Prevention: • decreasing resource issues through greater efficiencies • removing frustrations due to old, outdated business processes • warding off security threats and problems with solid role-based identity Following the 3 P’s to success….
  34. 34. … climbing on…
  35. 35. Identity and Access Management Group Management Jan Tax UNC Chapel Hill
  36. 36. Background o UNC-CH has a heterogenous IAM environment o Centrally managed directories and authentication: • OpenLDAP, Kerberos, Shibboleth SSO • Active Directory • Oracle OID and OSSO o Distributed/school/departmental directories and authentication systems o Lots of changes going on • new ERP • Email shift from in-house IMAP to Exchange and Live@Edu o Want to have consistency across environments (and to reduce the number of environments over time!)
  37. 37. Central IdM system Person data is managed by a homegrown system that aggregates data from multiple sources o Inbound connectors  Bio/demo data – PeopleSoft is single source  Affiliation data – multiple sources (for now) • Pre-Student/Student – 20+ categories • Faculty/Staff – 5 subcategories • Affiliates – 10 subcategories o Outbound connectors • OpenLDAP – white pages, applications • Active Directory – Exchange, applications • Oracle Internet Directory – Calendar, AppServer
  38. 38. Authorization Access decisions can be based on a person’s attributes …  Classification (faculty/staff/student)  Department  Entitlements … or on memberships in groups  Automatic (members defined by a filter or expression)  Manual (members managed by a person)  Composite Groups are a very versatile mechanism
  39. 39. Groups Management o Want to manage groups centrally, not have locally managed groups in each environment  Reduces security risk (timely removal)  Increases productivity (timely access) o Ideally, a single point of management for the enterprise o Allow delegation for managing groups as much as possible o Provide consistent replication of groups data across different directories/environments/applications
  40. 40. Grouper o Internet2 Middleware project – a toolkit for managing groups (http://grouper.internet2.edu) o Integrates with an existing Identity Management system o Handles the set logic used to combine groups o Flexible configuration for sources – JDBC, JNDI o Create/maintain groups with SQL queries o LDAP connector to provision directories o Access to group data with Web Services, .NET, PHP o Command line interface to Java API & tools o Lite UI delivered with product can be reskinned
  41. 41. Grouper @ UNC-CH Grouper is used to provision groups to the two main directory systems:  ldap.unc.edu: • ou=groups,dc=unc,dc=edu  ad.unc.edu: • ou=groups,ou=identity,dc=ad,dc=unc,dc=edu o MDG_ distribution groups o MSG_ security groups Existing uses of LDAP groups managed by Grouper  Carolina Content Management • Roles and content-specific rights  Web Services Manager • Web services mapped to group of authorized clients  Misc. Application Access Control • Determines what app. capabilities they have  LDAP Access Control • Membership makes categories of directory data visible
  42. 42. Case Study: Migrate ITS AppServer from Oracle to GlassFish o Oracle AppServer had its own IAM environment  Oracle SSO (OSSO) and Internet Directory (OID)  Used OID groups for access control o Move to GlassFish AppServer  Supports groups for access control via LDAP realm concept, but requires LDAP authentication  Desire to use Shibboleth SSO for authentication o Process  Move OID groups into Grouper and sync to LDAP  Configure Shibboleth to pass specific group memberships to application o Results  GlassFish uses campus standards for access management  Oracle SSO and OID are decommissioned
  43. 43. Identity and Access Management UNC Identity Federation Update Steven Hopper UNC-GA
  44. 44. UNC Identity Federation Background o August 2008  Production federation (Shibboleth)  17 UNC institutions (Identity Providers)  Inter-institutional Registration (Service Provider)  WAYF  Development federation for testing, etc.
  45. 45. Existing Services o Foundation for all system-wide application development. o Examples include:  GA Services (inter-institutional registration, exam proctoring, www.northcarolina.edu, ActiveCollab)  RAMSeS (sponsored programs and research management tool from UNC-CH.  SciQuest (eProcurement)  VCL (Virtual Computing Lab at NCSU)  MCNC/NCREN (Videoconference scheduling, network status tools, etc)
  46. 46. Vendor Integration o Encouraging vendors to Shibboleth-enable applications o InCommon - vendors are hesitant to join  Cost (upfront and recurring)  Arduous joining process (legal)  Want to pass joining costs back to UNC  Often not feasible given tight implementation timelines
  47. 47. Solution: Affiliates Federation o Create a 3rd “Affiliates Federation”  Production  Development  Affiliates o Create a streamlined (and free) process for vendors to join o Allows campus Identity Providers to have a separate “handle” when making attribute release decision.
  48. 48. Affiliations Federation Membership o Current Members  PeopleAdmin: HR Applicant Tracking  SciQuest: eProcurement o Prospective Members  ZimRide: Car Pooling  Qualtrics: Survey & Feedback Software
  49. 49. Identity and Access Management Questions?
  50. 50. Contact Information: Mark Scheible mascheib@ncsu.edu Lynn Franz lfranz@email.wcu.edu Jan Tax tax@unc.edu Steven Hopper hoppers@northcarolina.edu Thank you! Lightening Round?
  51. 51. Identity and Access Management (Extra Slides if Needed)
  52. 52. LDAP Updates people data in: ou=People LDAP ties together Person and Groups data Directory Master (Idm) write ou=people ou=groups Reads people data so they can be added to groups Grouper (Idm) Updates group data in: ou=Groups read write
  53. 53. LDAP Updates people data in: ou=People Populating LDAP with Person Data Peoplesoft HRIS AffiliateWeb EpaWeb Directory Master (Idm) ou=people ou=groups Directory Master aggregates person data updates from various sources and synchronizes this data to the directory DB
  54. 54. LDAP Reads people data so they can be added to groups Populating LDAP with Groups Data Grouper (Idm) ou=people ou=groups Updates group data in: ou=Groups Grouper stores group information natively in a relational database, but also writes groups data to the directory… DB Admin/user Admin/user Admin/user Delegated Grouper users
  55. 55. Shib IdP (IdM) IdP queries LDAP for membership information Browser/ App IdP synthesizes attrib isMemberOf from group membership and app config (eg. limits to relevant groups) LDAP Person Attributes Delivered with Shib IdP LDAP ou=people ou=groups IdP queries LDAP for person attributes Idp asserts combined person attributes, including isMemberOf IdP uses person attributes directly, but releases only those configured for each application
  1. A particular slide catching your eye?

    Clipping is a handy way to collect important slides you want to go back to later.