UCLA Enterprise Directory Identity Management Infrastructure - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
UCLA Enterprise Directory Identity Management Infrastructure
  • UC Enrollment Service Technical Conference
  • October 16, 2007
  • Ying Ma
  • yingma@ucla.edu

2
Identity Management Overview
  • Automate processes for:
    • Identifying and grouping individuals
    • Granting permissions and access transparently
    • Revoking access efficiently
    • Streamlining administration and management
    • Tracking and reporting access patterns
  • ENTERPRISE-WIDE!

3
Benefits
  • Single enterprise-wide solution
  • Simplifies and standardizes
  • Reduces errors
  • Automatic provisioning workflow
  • Instantaneous ability to revoke at-risk access across campus
  • Reduction of the hidden costs of independent solutions
  • Full auditability: who has access to what, and when
  • Better user experience and tighter security

4
Planning and Budgeting
  • Consultant from the Burton Group
  • Project funded for 1.5 million
  • Evaluated JES and other commercial IdM products
  • Purchased Sun Java Directory only
  • Hired 2 new staff; a team of 5, but not dedicated to IdM

5
Current Features
  • Enterprise-wide identity repository: Enterprise Directory
  • Single logon ID: UCLA Logon ID
  • Integrated account creation with URSA (student portal)
  • Web single sign-on: ISIS
  • Federation support: Shibboleth / UCTrust

6
Enterprise Directory
  • Every person at UCLA has one electronic identity in ED
  • Consolidate data between different sources
  • Map multiple IDs together
  • Analyze on an attribute-by-attribute basis:
    • common definition of the attribute
    • data collection / transformation logic
    • access control rules
  • Standard way of resolving conflicts
  • Superset of the legacy University ID system
    • Traditional UID is a 9-digit number for students and employees
    • UCLA Logon ID is a string of 2-15 alphanumeric characters for everyone

7
UCLA Logon ID
  • Anyone who needs access is eligible for a UCLA Logon ID
    • Students and employees
    • Donors, parents, visiting scholars, hospital staff, conference attendees, library patrons, etc.
  • Separating authentication from authorization: having an account does not imply access
  • For students, created at the time they file their intent to register (SIR)
  • For employees and other affiliates, created on demand

8
Integrated Account Creation
  • Students are prompted to create their UCLA Logon ID at the time they file their SIR using URSA
  • Either a new identity is created in ED, or the UCLA Logon ID is matched to an existing identity
  • Bruin Online services (web email, free software, wireless access, web hosting, computer labs) are automatically provisioned upon creation of the UCLA Logon ID
  • The account is immediately available for use in hundreds of web applications across campus via ISIS logon
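Slides 6 through 8 describe three mechanisms without showing them: consolidating records from several source systems into one ED identity per person (matched on the 9-digit University ID, with a per-attribute rule for resolving conflicts), either attaching a newly chosen UCLA Logon ID to the matched identity or creating a new identity for it, and keeping authorization separate from authentication so that an account alone grants nothing. The following Python is an added illustration of those three mechanisms, not UCLA's code: the source names (`registrar`, `hr`, `self-service`), the sample records, the precedence table and the group name are all constructed for the example; the identifier formats are the ones stated on slide 6.

```python
"""Added illustration of identity consolidation and logon matching (slides 6-8).
Sources, records, precedence rules and group names are constructed; not UCLA's code."""
import re
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Identifier formats stated on slide 6.
UID_RE = re.compile(r"^[0-9]{9}$")
LOGON_RE = re.compile(r"^[A-Za-z0-9]{2,15}$")

# Constructed conflict-resolution rule: for each attribute, the first listed
# source that supplies a value is authoritative.
PRECEDENCE = {
    "name": ("hr", "registrar"),
    "email": ("registrar", "hr"),
    "department": ("hr",),
}


def is_valid_uid(uid: str) -> bool:
    return UID_RE.match(uid) is not None


def is_valid_logon(logon_id: str) -> bool:
    return LOGON_RE.match(logon_id) is not None


@dataclass
class Identity:
    ed_id: int                          # internal ED key, never shown to users
    uid: str                            # legacy 9-digit University ID
    logon_id: Optional[str] = None      # absent until the person creates one
    values: Dict[str, Dict[str, str]] = field(default_factory=dict)  # attr -> {source: value}

    def attribute(self, name: str) -> Optional[str]:
        """Resolve one attribute across sources using the precedence table."""
        by_source = self.values.get(name, {})
        for source in PRECEDENCE.get(name, ()):
            if source in by_source:
                return by_source[source]
        return None


class EnterpriseDirectory:
    def __init__(self) -> None:
        self._by_uid: Dict[str, Identity] = {}
        self._by_logon: Dict[str, Identity] = {}
        self._groups: Dict[str, Set[int]] = {}   # authorization lives here, not in the account

    def ingest(self, source: str, record: Dict[str, str]) -> Identity:
        """Consolidate one source record into ED, matching on the University ID."""
        uid = record["uid"]
        if not is_valid_uid(uid):
            raise ValueError(f"malformed University ID from {source}: {uid!r}")
        ident = self._by_uid.get(uid)
        if ident is None:
            ident = Identity(ed_id=len(self._by_uid) + 1, uid=uid)
            self._by_uid[uid] = ident
        for name, value in record.items():
            if name != "uid":
                ident.values.setdefault(name, {})[source] = value
        return ident

    def create_logon(self, uid: str, logon_id: str) -> Identity:
        """Attach a new Logon ID to the matching identity, or create the identity (slide 8)."""
        if not is_valid_logon(logon_id):
            raise ValueError(f"Logon ID must be 2-15 alphanumeric characters: {logon_id!r}")
        if logon_id in self._by_logon:
            raise ValueError(f"Logon ID already taken: {logon_id!r}")
        ident = self._by_uid.get(uid) or self.ingest("self-service", {"uid": uid})
        if ident.logon_id is not None:
            raise ValueError(f"University ID {uid} already has Logon ID {ident.logon_id!r}")
        ident.logon_id = logon_id
        self._by_logon[logon_id] = ident
        return ident

    def authenticate(self, logon_id: str) -> Optional[Identity]:
        """Authentication only answers: does this account exist, and who is it?"""
        return self._by_logon.get(logon_id)

    def grant(self, logon_id: str, group: str) -> None:
        self._groups.setdefault(group, set()).add(self._by_logon[logon_id].ed_id)

    def authorize(self, logon_id: str, group: str) -> bool:
        """Access requires both a known account and membership in the group."""
        ident = self.authenticate(logon_id)
        return ident is not None and ident.ed_id in self._groups.get(group, set())

    def identity_count(self) -> int:
        return len(self._by_uid)


def demo() -> EnterpriseDirectory:
    """Constructed scenario: one student-employee known to two sources, one new affiliate."""
    ed = EnterpriseDirectory()
    ed.ingest("registrar", {"uid": "123456789", "name": "A. Bruin", "email": "abruin@example.edu"})
    ed.ingest("hr", {"uid": "123456789", "name": "Alex Bruin",
                     "email": "alex.bruin@example.edu", "department": "Library"})
    ed.create_logon("123456789", "abruin")      # matched to the existing identity
    ed.create_logon("987654321", "visitor1")    # no source record yet: new identity created
    ed.grant("abruin", "student-services")       # authorization granted separately
    return ed
```

In the constructed scenario the HR record wins for the name and the registrar record wins for the email, because that is what the precedence table says; `visitor1` can authenticate as soon as the Logon ID exists but is authorized for nothing until a group grants it, which is the slide 7 point that an account does not imply access.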

9
Web Single Sign-On
  • ISIS
    • First implemented in 1996
    • Highly secure web authentication engine
    • Standard SOAP web service interface
    • Features session management
    • Allows multiple logon types
    • Integrated with Enterprise Directory
    • 200 participating web applications, including most student service applications

10
UCLA EDIMI Technical Architecture
11
Third Party View
  • New feature in URSA that enables parents to create a UCLA Logon ID and pay bills online
  • Relatively easy implementation because:
    • Availability of UCLA Logon ID space
    • URSA is already integrated in the UCLA EDIMI framework

12
Moving Forward
  • Migrate ISIS toward standards-based Shibboleth
  • Develop across-campus common groups: Grouper
  • Implement integrated permission management: Signet
  • Push more granular authorization data through ED/Shibboleth

13
Challenges
  • The current decentralized help desk structure does not work for IdM; it sometimes causes more user shuffling
  • Convincing applications to integrate with IdM is hard without all components in place
  • Getting all the players to agree on common definitions for data is complicated
  • Addressing data release and privacy issues consistently with IdM consumers requires a joint effort from departments at the management level