Identity management - real world usage v8
A presentation on identity management at a medium-size school district as well as workings of the SIFA Identity Management Task Force to support standardization of Identity Management for the education space.

Published in: Technology
Transcript

  • 1. STATS DC 2011 (Balancing Timeliness and Quality). Identity Management (IDM): Real World Usage at the Local Level. Patrick Plant, CTO/CIO, Anoka-Hennepin School District; Andrew Elmhorst, Chief Architect, Pearson Data Solutions
  • 2. WHAT IS THE USER EXPERIENCE? The Problem
  • 3. The End User Experience
    • Users are dealing with multiple usernames and passwords across systems
      – Different username and password policies across systems discourage or prevent use of the same username and password
      – From both an ease-of-use and an organizational-liability standpoint, this encourages weak passwords and bad practices.
  • 4. Communication & Training are Key
  • 5. Communication & Training are Key (staff notice shown on the slide)
    Heads up! New network password policies are being adopted for staff and students across the District.
    When: Starting 2/2/2010
    Who it affects: All staff with Active Directory accounts
    Why must you change your password? Poorly chosen user passwords are the most common threat to computer network security. As an employee, you share responsibility for the security of the district network.
    How: You'll receive an email from Hattie Leary indicating the date your building will change. The first time you log into your computer after that date, you will be prompted to change your password. It's easy; enter your new password twice and click OK.
    Choosing your new password:
      • Must be a minimum of 8 characters
      • Must mix letters, numbers, and at least one special character (* % ^ % # - anything not a letter or number). It's helpful to think of a phrase/goal/saying like "Retirement? I have 10 years left." Use the first letter of each word; your password will be R?Ih10yl.
      • Must start with a letter and contain upper and lower case letters
      • Remember 4-4-4: cannot contain more than 4 repeating characters or match more than 4 characters to the 4 previously used passwords
    Simplify your life: If you log into several applications, you may use the same password for all of them. You'll receive an email with links to instructions for changing your password in other applications such as SASI and MyLearningPlan.
    How often will you need to change your password? Passwords will expire every 120 days.
    Remember: do not share your password with anyone!
  • 6. Managing users across systems over time
    HR System: Robert J Brown, Teacher
    Network System: rjbrown, Staff
    Email System: rjbrown@1-school.edu
    Data Reporting System: Bob Brown, can see students in classes
    Parent Portal: Bobby Brown, can see Susie's grades
    • What happens when Robert
      • Is hired?
      • Gets promoted?
      • Goes on leave?
      • Loses custody of Susie?
      • Gets divorced?
      • Retires?
  • 7. The Identity Management Experience
    • District staff are dealing with managing identity and access management for staff, students and parents
      – Access to systems must be secure
      – Timely provisioning across systems
      – Timely de-provisioning across systems
      – Automation is essential for accuracy and containing cost
  • 8. Standards?
    • LDAP
    • inetOrgPerson
    • eduPerson
    • SAML
    • Shibboleth
    • CAS
    • JAAS
    • OpenSSO
    • OpenID
    • Biometrics
    • Smart cards
    Side notes: one-off, custom integrations; not repeatable across organizations; bespoke requirements for suppliers; dizzying array of standards for organizations to choose from
  • 9. Information Management Strategy
    • Three legs of an information management strategy:
      – Identity and Access Management
      – Information sharing and data management
      – Operational & Analytic System Use, Reporting, Data Utilization
    • Unless everyone in the world has one system, we need the capability to integrate identities
    • Better integration is a key cornerstone to unlocking collaborative possibilities (LEA, SEA, Cities, Counties, etc.)
    • People are becoming more aware of ID Standard Needs
    • SIF legitimately has the capacity and capability to work on this problem area for the educational enterprise
  • 10. IDENTITY MANAGEMENT PRACTICES: Real World Usage Scenarios
  • 11. The User Experience
    • Important capabilities
      – Provisioning of accounts from source systems
      – Zero-day start is optimal (and becoming essential)
      – Providing access appropriately and securely to the right users at the right time
      – Capability to do single sign on across systems
      – Understanding between systems of shared attributes
      – De-provisioning users when they no longer should have access (is sometimes overlooked)
  • 12. What is an identity?
    • A unique record, identifying a user within an enterprise
      – Represented by one or more attributes that are unique to the user
        • A set of unique ID attributes (DN, UUID, etc.)
        • A set of logon credentials (username/password)
        • Expiry, timeouts, retries
      – The record can contain additional attributes (name, address, contact information)
  • 13. Where is an identity created?
    • In its simplest form, an identity may be created in a network directory system (Active Directory, Novell eDirectory, SunOne, etc.)
    • Other systems can connect to the directory
      – read directory information (address book)
      – verify a user's credentials
  • 14. Identity Lifecycle - Provisioning
    Data Sourced (HR, SIS) → Attributes Applied (First Name, Last Name, Department / Grade / Course) → Identity Established (ID Created, Account Established) → Credentials Issued (Username, Password)
  • 15. Identity Lifecycle – In Use
    Roles Applied (Admin, Staff, Teacher) → Login (One or more systems) → Roles Change (More Access, Less Access) → Deprovision (Remove Access, Inactivate)
  • 16. Sustainable Management of Identities
    • Ongoing identity management is crucial
      – Identity attributes should be entered only once
      – Provisioning should be automated
      – Information updates (typically from source systems)
      – Changing of roles over time
      – Credential resets / online self-help portals
      – Self-serve capability for managers/leaders to approve and direct role changes over time
      – Inactivation and de-provisioning
    • Monitoring and auditing access to systems is being increasingly required (e.g. SOX compliance)
    • If identities and roles are not centrally managed and processes automated, the ongoing maintenance is difficult
  • 17. Identity Lifecycle Levels of Automation (higher accuracy, more automation and a better user experience as the level rises)
    0. Manual
    1. Export / Import
    2. Batch (Nightly)
    3. Real Time
  • 18. Single Sign On Interoperability
    • Centralizing authentication and authorization requires interoperability
      – Use of authentication protocols supported by the Identity Management System
        • LDAP
        • Kerberos, CAS, JAAS, OpenSSO, SAML, Shibboleth, OpenID
      – A shared schema (understanding of the attribute names used in the directory)
        • X.500
        • inetOrgPerson (RFC 2798)
  • 19. Single Sign On Levels
    0. Separate Sign On: long password lists
    1. Consistent Sign On: single username and password
    2. Single Sign On: better user experience
    3. Federated Single Sign On: crosses organizational boundaries
  • 20. What about roles?
    • An identity can have multiple roles
      – Teacher, Staff, Parent, Student, Administrator
    • A simplistic practice is to create separate identities for users
    • Best practice is to create a single identity and assign various roles to a user
    • Roles may need to be very granular
      – Staff in School A, Admin in School B
      – Teacher of Johnny, Parent/Guardian of Susie
  • 21. Identity and Access Integration Levels
    0. No Sharing: silo systems
    1. Identity Sharing / Provisioning (ahead of time or just in time): allows for SSO
    2. Roles/Access Shared: allows central access control
  • 22. Identity and Access Integration
    • Now that the identity is created, how do all of the other systems understand and use it?
    • If changes are made, do other systems get updated?
    • Are user roles and system access centralized or siloed in each system?
  • 23. STANDARDIZING IDENTITY MANAGEMENT: What the SIFA IDM Project Team is up to
  • 24. Why Standardization?
    • We are not using the same system
    • Standards open new opportunities for collaboration
    • Too many standards for SSO, not enough standards for management
    • Bespoke, ad-hoc in practice
  • 25. Management of State Student IDs
    • SIF supports real-time web services based integration between LEAs and SEAs to support automated student ID management
    • No credentials are issued, so not identity management in the broader sense
    • Student IDs are managed by SIF in 9 states
      – AK, IA, OH, SC, UT, VA, WY, MA, OK
  • 26. Mission: Create plug and play interoperability profiles, supporting identity management and single sign on for the educational space
  • 27. SIFA IDM Project Team Assumptions
    • Provisioning the IDM
    • Sharing identity data
    • Maps between SIF and IDM
    • Leverage existing IDM specs
    • Global scope
  • 28. Near Term Deliverables
    • Identity Provisioning Profile
    • Single Sign On Profile
    • Access Provisioning Profile
    • Identity Aggregation Profile
  • 29. Identity Provisioning with SIF (diagram): Applications (Human Resources and Financial Management, Special Programs, Instructional Improvement System, Data Warehouse, Learning Management System, Formative Assessment, Student Information System) → SIF Agents → ZIS → SIF Data Objects → Identity Management System
  • 30. Identity Provisioning Profile
    • Describes how an Identity Management System can be provisioned by SIF
    • Describes a basic set of assumptions for determining user roles from SIF data
    • Profiles the identity data that an Identity Management System should publish back to SIF
    • Profiles the data flow for standard use cases
  • 31. Publishing Identity Attributes (diagram): Identity Management System → SIF Agents → ZIS → SIF Data Objects → Applications (Special Programs, Instructional Improvement System, Data Warehouse, Student Information System, Formative Assessment, Human Resources and Financial Management, Learning Management System)
  • 32. Identity Provisioning Example
    <Identity RefId="4286194F43ED43C18EE2F0A27C4BEF86">
      <SIF_RefId SIF_RefObject="StudentPersonal">23B08571E4D645C3B82A...</SIF_RefId>
      <AuthenticationSource>MSActiveDirectory</AuthenticationSource>
      <IdentityAssertions>
        <IdentityAssertion SchemaName="sAmAccountName">user01</IdentityAssertion>
        <IdentityAssertion SchemaName="userPrincipalName">user01@asdf.edu.au</IdentityAssertion>
        <IdentityAssertion SchemaName="distinguishedName">cn=User1,cn=Users,dc=org</IdentityAssertion>
      </IdentityAssertions>
      <AuthenticationSourceGlobalUID>23A08571E4D645C3B82A…</AuthenticationSourceGlobalUID>
    </Identity>
  • 33. Authentication Profile
    • Focus on three authentication protocols in wide use today and profile for the education space
      – LDAP
      – OpenID
      – Shibboleth
    • For each protocol, create a standard profile for discovery, topology, and attribute exchange
  • 34. Access Provisioning Profile
    • Create a standardized set of mechanisms for central control of roles and user access
    • Allow for a standard set of roles to be propagated via SSO protocols (real-time)
    • Allow for roles and access permissions to be propagated via SIF web services
  • 35. Identity Aggregation Profile
    • Identities for a user may be sourced from multiple systems via SIF
    • One example is a central Identity Management System that services multiple schools
    • Clearly define how identity aggregation is conveyed to subscribing systems within a SIF zone
  • 36. What have we covered?
    • Effective identity management improves ease of use
    • Identity management practices are diverse and many times implemented in a bespoke manner
    • The SIFA IDM project team is attempting to build common IDM practices and profiles for educational organizations and vendors
  • 37. Suggested next steps
    • Inventory where your organization is at in identity management practices
    • Contribute to the effort to standardize identity management for the education space
  • 38. Contact Information
    • Patrick Plant, Chief Technology and Information Officer, www.anoka.k12.mn.us, Patrick.Plant@anoka.k12.mn.us, 763.506.1020
    • Andrew Elmhorst, Chief Architect, www.pearsondatasolutions.com, Andrew.Elmhorst@Pearson.com, 801.858.0094
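The password rules from the slide 5 staff notice, written as the check a district help desk or self-service reset portal would run before accepting a new password. This is an added example, not code from the presentation or the district; the four previous passwords are constructed, and the second half of the 4-4-4 rule is read here as "no run of more than 4 consecutive characters in common with any of the last 4 passwords", which is an assumption about the notice's wording.

```python
import re

# Constructed history: the four passwords this user set most recently (made up for the example).
PREVIOUS_PASSWORDS = ["Summer2009!", "Autumn2009!", "Winter2009!", "Spring2010!"]

def longest_common_run(a: str, b: str) -> int:
    """Length of the longest run of consecutive characters that a and b share (case-sensitive)."""
    best = 0
    for i in range(len(a)):
        for j in range(len(b)):
            k = 0
            while i + k < len(a) and j + k < len(b) and a[i + k] == b[j + k]:
                k += 1
            best = max(best, k)
    return best

def check_password(pw: str, previous=PREVIOUS_PASSWORDS) -> list:
    """Return the slide 5 rules the candidate violates; an empty list means it is acceptable."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if not (re.search(r"[A-Za-z]", pw) and re.search(r"[0-9]", pw)):
        problems.append("must mix letters and numbers")
    if not re.search(r"[^A-Za-z0-9]", pw):
        problems.append("needs at least one special character")
    if not pw[:1].isalpha():
        problems.append("must start with a letter")
    if not (re.search(r"[a-z]", pw) and re.search(r"[A-Z]", pw)):
        problems.append("needs both upper and lower case letters")
    # 4-4-4, first part: no character may repeat more than 4 times in a row
    if re.search(r"(.)\1{4}", pw):
        problems.append("a character repeats more than 4 times in a row")
    # 4-4-4, second part (assumed reading): no run of more than 4 characters in common
    # with any of the 4 previously used passwords
    if any(longest_common_run(pw, old) > 4 for old in previous[-4:]):
        problems.append("shares more than 4 consecutive characters with a recent password")
    return problems
```

The notice's own sample, R?Ih10yl, passes every rule; a password that only bumps the year of the previous one is caught by the history check.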

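Parsing and sanity-checking the SIF Identity object shown on slide 32, as a subscribing system's agent might do before it trusts the assertions. This is an added example, not SIF specification text or project code; the SIF_RefId and GlobalUID values in the sample are constructed (the slide's are truncated), and the consistency checks (32-hex-digit RefIds, the userPrincipalName prefix equal to the sAmAccountName, a distinguishedName made of attr=value RDNs) are local conventions assumed here, not rules taken from the SIF profile.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in the shape of the slide 32 object; SIF_RefId and GlobalUID values are made up.
SAMPLE = """<Identity RefId="4286194F43ED43C18EE2F0A27C4BEF86">
  <SIF_RefId SIF_RefObject="StudentPersonal">ABCDEF0123456789ABCDEF0123456789</SIF_RefId>
  <AuthenticationSource>MSActiveDirectory</AuthenticationSource>
  <IdentityAssertions>
    <IdentityAssertion SchemaName="sAmAccountName">user01</IdentityAssertion>
    <IdentityAssertion SchemaName="userPrincipalName">user01@asdf.edu.au</IdentityAssertion>
    <IdentityAssertion SchemaName="distinguishedName">cn=User1,cn=Users,dc=org</IdentityAssertion>
  </IdentityAssertions>
  <AuthenticationSourceGlobalUID>0123456789ABCDEF0123456789ABCDEF</AuthenticationSourceGlobalUID>
</Identity>"""

def parse_identity(xml_text: str) -> dict:
    """Flatten a SIF Identity object into a dict keyed the way a consuming agent would use it."""
    root = ET.fromstring(xml_text)
    if root.tag != "Identity":
        raise ValueError(f"expected an Identity object, got <{root.tag}>")
    ref = root.find("SIF_RefId")
    return {
        "ref_id": root.get("RefId"),
        # which SIF person object (StudentPersonal on the slide) this identity belongs to
        "subject": (ref.get("SIF_RefObject"), (ref.text or "").strip()) if ref is not None else None,
        "source": root.findtext("AuthenticationSource"),
        "assertions": {a.get("SchemaName"): (a.text or "").strip()
                       for a in root.iterfind("IdentityAssertions/IdentityAssertion")},
        "global_uid": root.findtext("AuthenticationSourceGlobalUID"),
    }

def validate_identity(ident: dict) -> list:
    """Consistency checks applied before trusting the assertions (assumed local conventions)."""
    problems = []
    for key in ("ref_id", "global_uid"):
        if not re.fullmatch(r"[0-9A-F]{32}", ident.get(key) or ""):
            problems.append(f"{key} is not a 32-hex-digit RefId")
    if ident["subject"] is None or not ident["subject"][1]:
        problems.append("no SIF_RefId linking the identity to a person object")
    a = ident["assertions"]
    sam, upn, dn = a.get("sAmAccountName"), a.get("userPrincipalName"), a.get("distinguishedName")
    if not sam:
        problems.append("missing sAmAccountName assertion")
    if upn and sam and upn.split("@", 1)[0] != sam:
        problems.append("userPrincipalName prefix does not match sAmAccountName")
    if dn and not all(re.fullmatch(r"\w+=[^,=]+", rdn) for rdn in dn.split(",")):
        problems.append("distinguishedName is not a list of attr=value RDNs")
    return problems
```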
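One nightly batch run (level 2 on slide 17) that carries the deck's Robert J Brown through the lifecycle of slides 14 and 15, hired, promoted, on leave and retired, and also de-provisions an account that no longer has any source record, the overlooked case called out on slide 11. This is an added example, not the district's or Pearson's code; the username convention (Robert J Brown to rjbrown), the status values, and the choice to suspend logon but keep roles while someone is on leave are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class SourceRecord:   # a person as HR/SIS supplies it (slide 14, 'Data Sourced')
    person_id: str
    first: str
    middle: str
    last: str
    role: str         # Admin, Staff, Teacher ... (slide 15, 'Roles Applied')
    status: str       # 'active', 'leave' or 'retired' (constructed status values)

@dataclass
class Account:        # the identity as the network directory holds it
    username: str
    person_id: str
    roles: set = field(default_factory=set)
    enabled: bool = True

def make_username(rec: SourceRecord) -> str:
    # Assumed convention matching the deck's example: Robert J Brown -> rjbrown
    return (rec.first[:1] + rec.middle[:1] + rec.last).lower()

def deprovision(acct: Account, actions: list) -> None:
    acct.enabled = False                  # slide 15 'Deprovision': inactivate ...
    acct.roles.clear()                    # ... and remove access
    actions.append(("deprovision", acct.username))

def reconcile(source: list, directory: dict) -> list:
    """One batch run: apply the source records to the directory, return the actions taken."""
    actions, seen = [], set()
    for rec in source:
        seen.add(rec.person_id)
        acct = next((a for a in directory.values() if a.person_id == rec.person_id), None)
        if rec.status == "retired":
            if acct is not None and (acct.enabled or acct.roles):
                deprovision(acct, actions)
        elif acct is None:                # hired: identity established, credentials issued
            acct = Account(make_username(rec), rec.person_id, {rec.role})
            directory[acct.username] = acct
            actions.append(("create", acct.username, rec.role))
        else:
            wanted = rec.status == "active"   # assumption: leave suspends logon, keeps roles
            if acct.enabled != wanted:
                acct.enabled = wanted
                actions.append(("enable" if wanted else "suspend", acct.username))
            if acct.roles != {rec.role}:      # promoted/demoted: more or less access
                actions.append(("roles", acct.username, sorted(acct.roles), [rec.role]))
                acct.roles = {rec.role}
    for acct in directory.values():       # no source record at all: the overlooked case
        if acct.person_id not in seen and (acct.enabled or acct.roles):
            deprovision(acct, actions)
    return actions
```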