A presentation on identity management at a medium-size school district, as well as the work of the SIFA Identity Management Task Force to support standardization of identity management in the education space.

1. STATS DC 2011: Balancing Timeliness and Quality. Identity Management (IDM): Real World Usage at the Local Level. Patrick Plant, CTO/CIO, Anoka-Hennepin School District; Andrew Elmhorst, Chief Architect, Pearson Data Solutions.
2. WHAT IS THE USER EXPERIENCE? The Problem
3. The End User Experience
• Users are dealing with multiple usernames and passwords across systems
  – Different username and password policies across systems discourage or prevent use of the same username and password
  – From both an ease-of-use and an organizational-liability standpoint, this encourages "weak" passwords and bad practices.
4. Communication & Training are Key
5. Communication & Training are Key (sample staff memo)
Heads up! New network password policies are being adopted for staff and students across the District.
When: Starting 2/2/2010
Who it affects: All staff with Active Directory accounts
Why must you change your password? Poorly chosen user passwords are the most common threat to computer network security. As an employee, you share responsibility for the security of the district network.
How: You'll receive an email from Hattie Leary indicating the date your building will change. The first time you log into your computer after that date, you will be prompted to change your password. It's easy; enter your new password twice and click OK.
Choosing your new password:
• Must be a minimum of 8 characters
• Must mix letters, numbers, and at least one special character (* % ^ # - anything not a letter or number). It's helpful to think of a phrase/goal/saying like "Retirement? I have 10 years left." Use the first letter of each word; your password will be R?Ih10yl.
• Must start with a letter and contain upper and lower case letters
• Remember 4-4-4: Cannot contain more than 4 repeating characters or match more than 4 characters to the 4 previously used passwords
Simplify your life: If you log into several applications, you may use the same password for all of them. You'll receive an email with links to instructions for changing your password in other applications such as SASI and MyLearningPlan.
How often will you need to change your password? Passwords will expire every 120 days.
Remember: do not share your password with anyone!
Questions?
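The memo's password rules, as an added example that is not part of the original presentation: a checker that applies each rule from the memo and reports which ones a candidate breaks. The reading of the 4-4-4 "match" rule as a common-substring limit is an assumption, as are the function names.

```python
import re

def _longest_common_run(a, b):
    """Length of the longest substring that a and b share (simple DP)."""
    best, prev = 0, [0] * (len(b) + 1)
    for ca in a:
        cur = [0] * (len(b) + 1)
        for j, cb in enumerate(b, 1):
            if ca == cb:
                cur[j] = prev[j - 1] + 1
                best = max(best, cur[j])
        prev = cur
    return best

def check_password(candidate, history=()):
    """Return the district rules the candidate breaks (an empty list means accepted).

    history holds the user's previous passwords, most recent first; only the last
    four count. The 4-4-4 "match" rule is read here as "no common substring longer
    than four characters with any of those four" (an assumption; the memo does not
    define it). Old passwords are only available as plaintext during the change
    dialog itself, so this check belongs in that flow, not in a batch job.
    """
    problems = []
    if len(candidate) < 8:
        problems.append("shorter than 8 characters")
    if not candidate[:1].isalpha():
        problems.append("does not start with a letter")
    if not (re.search(r"[A-Z]", candidate) and re.search(r"[a-z]", candidate)):
        problems.append("needs both upper and lower case letters")
    if not re.search(r"[0-9]", candidate):
        problems.append("needs a number")
    if not re.search(r"[^A-Za-z0-9]", candidate):
        problems.append("needs a special character")
    if re.search(r"(.)\1{4,}", candidate):   # five or more of one character in a row
        problems.append("more than 4 repeating characters")
    for old in list(history)[:4]:
        if _longest_common_run(candidate, old) > 4:
            problems.append("matches more than 4 characters of a recent password")
            break
    return problems
```

The memo's own sample, R?Ih10yl, passes every rule; a candidate that shares more than four consecutive characters with one of the last four passwords is rejected.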
6. Managing users across systems over time
• HR System: Robert J Brown, Teacher
• Network System: rjbrown, Staff
• Email System: rjbrown@1-
• Data Reporting System: Bob Brown; can see students in classes
• Parent Portal: Bobby Brown; can see Susie's grades
What happens when Robert
• Is hired?
• Gets promoted?
• Goes on leave?
• Loses custody of Susie?
• Gets divorced?
• Retires?
7. The Identity Management Experience
• District staff are dealing with managing identity and access management for staff, students and parents
  – Access to systems must be secure
  – Timely provisioning across systems
  – Timely de-provisioning across systems
  – Automation is essential for accuracy and containing cost
8. Standards?
• LDAP • inetOrgPerson • eduPerson • SAML • Shibboleth • CAS • JAAS • OpenSSO • OpenID • Biometrics • Smart cards
Observations: one-off, custom integrations; not repeatable across organizations; bespoke requirements for suppliers; a dizzying array of standards for organizations to choose from.
9. Information Management Strategy
• Three legs of an information management strategy:
  – Identity and Access Management
  – Information sharing and data management
  – Operational & Analytic System Use, Reporting, Data Utilization
• Unless everyone in the world has one system, we need the capability to integrate identities
• Better integration is a key cornerstone to unlocking collaborative possibilities (LEA, SEA, Cities, Counties, etc.)
• People are becoming more aware of ID standard needs
• SIF legitimately has the capacity and capability to work on this problem area for the educational enterprise
10. IDENTITY MANAGEMENT PRACTICES: Real World Usage Scenarios
11. The User Experience
• Important capabilities
  – Provisioning of accounts from source systems
  – Zero-day start is optimal (and becoming essential)
  – Providing access appropriately and securely to the right users at the right time
  – Capability to do single sign on across systems
  – Understanding between systems of shared attributes
  – De-provisioning users when they no longer should have access (sometimes overlooked)
12. What is an identity?
• A unique record, identifying a user within an enterprise
  – Represented by one or more attributes that are unique to the user
    • A set of unique ID attributes (DN, UUID, etc.)
    • A set of logon credentials (username/password)
    • Expiry, timeouts, retries
  – The record can contain additional attributes (name, address, contact information)
13. Where is an identity created?
• In its simplest form, an identity may be created in a network directory system (Active Directory, Novell eDirectory, SunOne, etc.)
• Other systems can connect to the directory
  – read directory information (address book)
  – verify a user's credentials
14. Identity Lifecycle - Provisioning
Data Sourced (HR, SIS) → Attributes Applied (First Name, Last Name, Department / Grade / Course) → Identity Established (ID Created, Account Established) → Credentials Issued (Username, Password)
15. Identity Lifecycle – In Use
Roles Applied (Admin, Staff, Teacher) → Login (one or more systems) → Roles Change (more access, less access) → Deprovision (remove access, inactivate)
16. Sustainable Management of
• Ongoing identity management is crucial
  – Identity attributes should be entered only once
  – Provisioning should be automated
  – Information updates (typically from source systems)
  – Changing of roles over time
  – Credential resets / online self-help portals
  – Self-serve capability for managers/leaders to approve and direct role changes over time
  – Inactivation and de-provisioning
• Monitoring and auditing access to systems is increasingly required (e.g. SOX compliance)
• If identities and roles are not centrally managed and processes automated, ongoing maintenance is difficult
17. Identity Lifecycle Levels of Automation
0. Manual → 1. Export/Import → 2. Batch (Nightly) → 3. Real Time
Each step up brings higher accuracy, more automation and a better user experience.
18. Single Sign On Interoperability
• Centralizing authentication and authorization requires interoperability
  – Use of authentication protocols supported by the Identity Management System
    • LDAP
    • Kerberos, CAS, JAAS, OpenSSO, SAML, Shibboleth, OpenID
  – A shared schema (understanding of the attribute names used in the directory)
    • X.500
    • inetOrgPerson (RFC 2798)
19. Single Sign On Levels
0. Separate Sign On (long password lists) → 1. Consistent Sign On (single username and password) → 2. Single Sign On (better user experience) → 3. Federated Single Sign On (crosses organizational boundaries)
20. What about roles?
• An identity can have multiple roles
  – Teacher, Staff, Parent, Student, Administrator
• A simplistic practice is to create separate identities for users
• Best practice is to create a single identity and assign various roles to a user
• Roles may need to be very granular
  – Staff in School A, Admin in School B
  – Teacher of Johnny, Parent/Guardian of Susie
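Slide 20's single identity with granular, scoped roles, combined with the lifecycle events of slide 6 (losing custody of Susie, retiring), as an added example that is not from the presentation. The role-to-permission table, the scope strings and the function names are assumptions.

```python
from dataclasses import dataclass, field

# Hypothetical role-to-permission table for the demo (not from the slides).
PERMISSIONS = {"Staff": {"view_directory"}, "Parent": {"view_grades"},
               "Teacher": {"view_grades", "enter_grades"},
               "Admin": {"view_directory", "view_grades", "manage_staff"}}

@dataclass(frozen=True)
class Role:
    """A granular role: a role name bound to the scope it applies to."""
    name: str
    scope: str          # e.g. "school:A" or "student:Susie"

@dataclass
class Identity:
    """One identity per person; roles are granted and revoked over time."""
    uid: str
    roles: set = field(default_factory=set)
    active: bool = True

    def grant(self, name, scope):
        self.roles.add(Role(name, scope))
    def revoke(self, name, scope):
        self.roles.discard(Role(name, scope))

    def deprovision(self):
        # Inactivate rather than delete, so audit records still resolve to this identity.
        self.active = False

    def can(self, action, scope):
        if not self.active:
            return False
        return any(r.scope == scope and action in PERMISSIONS.get(r.name, set())
                   for r in self.roles)

def robert_lifecycle():
    """Walk Robert through the slide's events and record the access decision at each step."""
    bob = Identity("rjbrown")
    bob.grant("Staff", "school:A")
    bob.grant("Admin", "school:B")
    bob.grant("Teacher", "student:Johnny")
    bob.grant("Parent", "student:Susie")
    steps = {"parent_sees_susie": bob.can("view_grades", "student:Susie"),
             "not_admin_in_a": bob.can("manage_staff", "school:A")}
    bob.revoke("Parent", "student:Susie")          # loses custody of Susie
    steps["after_custody"] = bob.can("view_grades", "student:Susie")
    steps["still_teacher"] = bob.can("enter_grades", "student:Johnny")
    bob.deprovision()                               # retires
    steps["after_retire"] = bob.can("manage_staff", "school:B")
    return steps
```

Revoking one scoped role leaves the others intact, while deprovisioning the single identity removes every access at once, which is the point of not keeping separate identities per role.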
21. Identity And Access Integration Levels
0. No Sharing (silo systems) → 1. Identity Sharing / Provisioning, ahead of time or just in time (allows for SSO) → 2. Roles/Access Shared (allows central access control)
22. Identity and Access Integration
• Now that the identity is created, how do all of the other systems understand and use it?
• If changes are made, do other systems get updated?
• Are user roles and system access centralized or siloed in each system?
23. STANDARDIZING IDENTITY MANAGEMENT: What the SIFA IDM Project Team is up to
24. Why Standardization?
• We are not using the same system
• Standards open new opportunities for collaboration
• Too many standards for SSO, not enough standards for management
• Bespoke, ad-hoc in practice
25. Management of State Student IDs
• SIF supports real-time web services based integration between LEAs and SEAs to support automated student ID management
• No credentials are issued, so this is not identity management in the broader sense
• Student IDs are managed by SIF in 9 states
  – AK, IA, OH, SC, UT, VA, WY, MA, OK
26. Mission: Create plug and play interoperability profiles, supporting identity management and single sign on for the educational space
27. SIFA IDM Project Team Assumptions
• Provisioning the IDM
• Sharing identity data
• Maps between SIF and IDM
• Leverage existing IDM specs
• Global scope
28. Near Term Deliverables
• Identity Provisioning Profile
• Single Sign On Profile
• Access Provisioning Profile
• Identity Aggregation Profile
29. Identity Provisioning with SIF (diagram)
Applications: Human Resources and Financial Management, Special Programs, Instructional Improvement System, Data Warehouse, Learning Management System, Formative Assessment, Student Information System. Each application connects through a SIF Agent to the ZIS, and SIF Data Objects flow through the ZIS to the Identity Management System.
30. Identity Provisioning Profile
• Describes how an Identity Management System can be provisioned by SIF
• Describes a basic set of assumptions for determining user roles from SIF data
• Profiles the identity data that an Identity Management System should publish back to SIF
• Profiles the data flow for standard use cases
31. Publishing Identity Attributes (diagram)
The Identity Management System publishes identity attributes as SIF Data Objects through its SIF Agent and the ZIS to the subscribing applications: Special Programs, Instructional Improvement System, Data Warehouse, Student Information System, Formative Assessment, Human Resources and Financial Management, Learning Management System.
32. Identity Provisioning Example
<Identity RefId="4286194F43ED43C18EE2F0A27C4BEF86">
  <SIF_RefId SIF_RefObject="StudentPersonal">23B08571E4D645C3B82A...</SIF_RefId>
  <AuthenticationSource>MSActiveDirectory</AuthenticationSource>
  <IdentityAssertions>
    <IdentityAssertion SchemaName="sAmAccountName">user01</IdentityAssertion>
    <IdentityAssertion SchemaName="userPrincipalName"></IdentityAssertion>
    <IdentityAssertion SchemaName="distinguishedName">cn=User1,cn=Users,dc=org</IdentityAssertion>
  </IdentityAssertions>
  <AuthenticationSourceGlobalUID>23A08571E4D645C3B82A…</AuthenticationSourceGlobalUID>
</Identity>
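A parser for the Identity object above, added here as an example and not part of the presentation or the SIF specification: it pulls the assertions out of the object and reports the provisioning problems the slide's sample would raise (the empty userPrincipalName). The padded ids in the sample, the required-assertion list and the function name are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in the slide's shape: the RefId is from the slide, the truncated ids are padded.
SAMPLE_IDENTITY = """<Identity RefId="4286194F43ED43C18EE2F0A27C4BEF86">
  <SIF_RefId SIF_RefObject="StudentPersonal">23B08571E4D645C3B82A000000000001</SIF_RefId>
  <AuthenticationSource>MSActiveDirectory</AuthenticationSource>
  <IdentityAssertions>
    <IdentityAssertion SchemaName="sAmAccountName">user01</IdentityAssertion>
    <IdentityAssertion SchemaName="userPrincipalName"></IdentityAssertion>
    <IdentityAssertion SchemaName="distinguishedName">cn=User1,cn=Users,dc=org</IdentityAssertion>
  </IdentityAssertions>
  <AuthenticationSourceGlobalUID>23A08571E4D645C3B82A000000000002</AuthenticationSourceGlobalUID>
</Identity>"""

REFID_RE = re.compile(r"^[0-9A-F]{32}$")            # SIF RefIds are 32 upper-case hex digits
REQUIRED = ("samaccountname", "distinguishedname")  # assumed minimum for an AD-backed login

def parse_identity(xml_text):
    """Parse one SIF Identity object into a dict; provisioning problems go under 'problems'."""
    root = ET.fromstring(xml_text)
    if root.tag != "Identity":
        raise ValueError("not a SIF Identity object")
    sif_ref = root.find("SIF_RefId")
    assertions, problems = {}, []
    for a in root.iterfind("IdentityAssertions/IdentityAssertion"):
        name = a.get("SchemaName", "")
        value = (a.text or "").strip()
        # LDAP attribute names are case-insensitive (slide: sAmAccountName, AD: sAMAccountName).
        assertions[name.lower()] = value
        if not value:
            problems.append(f"empty assertion {name}")
    for req in REQUIRED:
        if not assertions.get(req):
            problems.append(f"missing required assertion {req}")
    identity = {
        "ref_id": root.get("RefId", ""),
        "sif_ref_object": sif_ref.get("SIF_RefObject", "") if sif_ref is not None else "",
        "sif_ref_id": (sif_ref.text or "").strip() if sif_ref is not None else "",
        "auth_source": (root.findtext("AuthenticationSource") or "").strip(),
        "global_uid": (root.findtext("AuthenticationSourceGlobalUID") or "").strip(),
        "assertions": assertions,
    }
    for key in ("ref_id", "sif_ref_id"):
        if not REFID_RE.match(identity[key]):
            problems.append(f"{key} is not a 32-hex-digit SIF RefId")
    identity["problems"] = problems
    return identity
```

An empty or missing assertion is worth flagging before the account is created, since a subscribing system that keys on userPrincipalName would otherwise silently provision nothing.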
33. Single Sign On Profile
• Focus on three authentication protocols in wide use today and profile them for the education space
  – LDAP
  – OpenID
  – Shibboleth
• For each protocol, create a standard profile for discovery, topology, and attribute exchange
34. Access Provisioning Profile
• Create a standardized set of mechanisms for central control of roles and user access
• Allow for a standard set of roles to be propagated via SSO protocols (real-time)
• Allow for roles and access permissions to be propagated via SIF web services
35. Identity Aggregation Profile
• Identities for a user may be sourced from multiple systems via SIF
• One example is a central Identity Management System that services multiple schools
• Clearly define how identity aggregation is conveyed to subscribing systems within a SIF zone
36. What have we covered?
• Effective identity management improves ease of use
• Identity management practices are diverse and many times implemented in a bespoke manner
• The SIFA IDM project team is attempting to build common IDM practices and profiles for educational organizations and vendors
37. Suggested next steps
• Inventory where your organization is at in identity management practices
• Contribute to the effort to standardize identity management for the education space
38. Contact Information
• Patrick Plant, Chief Technology and Information Officer, 763.506.1020
• Andrew Elmhorst, Chief Architect, 801.858.0094