Managing Identity on Campus: Lessons Learned So Far

1
Managing Identity on Campus Lessons Learned So
Far
Presented by Chris Phillips chris.phillips_at_quee
nsu.ca, 2006
2
Agenda

• Looking back to help move forward
• Tools and techniques
• Design and implementation decisions

3
What is IDM?

• Identity Management (IdM) is an integrated
  system of business processes, policies and
  technologies that enable organizations to
  facilitate and control their users' access to
  critical online applications and resources --
  while protecting confidential personal and
  business information from unauthorized users.
• http//en.wikipedia.org/wiki/Identity_management

4
What Really Goes On Today
5
Why Change?
No self serve interface for end users!
Cant distribute admin tools easily
Cant do delegated administration
Data accuracy issues.(People sometimes have
duplicates).
Cant do externally created sponsored accounts
Sync is nightly, need realtime or near realtime
Accounts are deleted and removals not always
replicated out. Audit trail is incomplete
Enabling new data is custom work which is
tedious and time consuming. Many opportunities
to break in many places
Bussiness logic and workflow are sprinkled
over many places and need to be refactored to
simplify and to centralize tasks/objects.
No challenge questions for passwd reset
Certain changes dont take effect automatically
(uid changes)
6
Project Objective

• Replace current system with customized
  off-the-shelf solution to reduce dependence on
  locally developed software and provide additional
  functionality in a flexible and scalable
  environment.

7
Guiding Principles

• Give people the right tools at the right time for
  the task at hand
• Operate in real time or near real time
• Leverage off the shelf functionality
• Plan and design the system for change.
• Automate wherever possible to reap maximum benefit

8
Highlights

• Better self service via the web
• Enable on demand creation of sponsored IDs
• More continuity for NetIDs (applicant, student,
  alum, employee, retiree)
• Enable NetIDs for non Queens people
• Better automation for (de)provisioning
  processes.
• Comprehensive audit trail

9
The approach

• Picking a project management strategy
• Establishing communication paths
• Explaining the model for the implementation
• Highlighting what we dont know

10
Agile Iterative Project Management
11
Communication

• Project plan
• Wiki
• Working group
• Project meetings

12
Queens (proposed)IDM Model
13
Development Strategy

• Typical environment, self contained developers,
  test server, production server
• Use cvs extensively for all components, and
  proposed to use it for xml objects too
• Exploring using VMware for totally self contained
  stack of Sun AS8.1, idm, mysql
• Building out build tools not just for IDM, but
  JES in its entirety. (primarily to leverage reuse
  automation and error prevention)
• Willing to share this environment via cvs
  checkout
• (http//wiki.its.queensu.ca/display/IDM/Configurat
  ionManagementStrategy)

14
What we do know

• We need to be on a directory schema compatible
  with the Sun JES suite
• We need to restrict services to require
  authorization as well as authentication
• We need to integrate our test systems somehow to
  help insure accurate testing environments
• People want groups in one product to be present
  in another
• A flat account space does not mean it is shown
  that way in the IDM tools.

15
Some things we dont know yet

• Autogeneration of NetIDs or self selection? Which
  will be best?
• Merging of multiple accounts down to a single
  account for a single person (do we care?)
• How much customization can we get away with NOT
  doing?

16
There is an opportunity here

• Why do the work twice?
• If our respective institutions are gravitating to
  a common platform then it is plausible that we
  can share/trade co-develop components for certain
  workflows or provisioning processes.
• Examples
• Provision/deprovision a WebCT user.
• Provision/deprovision a JES user.
• Provision/deprovision a TSM (backup system) user.
• Provision/deprovision a library Voyager user.
• Custom workflow for granting and revoking roles
  automatically based on attributes
• What else?

17
Thank you for your time!

• chris.phillips_at_queensu.ca
• Questions, comments, and inquiries welcome!
• Project website http//wiki.its.queensu.ca/displ
  ay/IDM/Home

18
Things that we know in detail
19
Directory Tree Changes

• Were Sun Schema v1.0, now migrating to v2.0
• Ramifications
• DIT REALLY wants an org in there, we didnt have
  one. Created omain (yet to happen)
• Roles moved from ouroles to be under omain
  within DIT
• Existing tree needs to be transmogrified.
• DefinitionTo change into a different shape or
  form, especially one that is fantastic or
  bizarre. http//www.answers.com/topic/transmogrify
  
• to change or alter greatly and often with
  grotesque or humorous effect (Websters.com)

20
NetIDs and Receiving Service

• Prerequisite to Sponsored ID creation
• Possessing a NetID should not provide access to
  any services
• Authorization to services will require presence
  of an attribute or other determining factor for
  access

21
NetIDs and Receiving Service

• Approach
• Use an existing attribute of either
  'eduPersonEntitlement' or our own.
• If queensucaServiceEntitlement format would be
  ltrolegtltobjectgtltscopegt
• Endpoints generally fall into 3 broad classes
• Dumb and need help via ACI in ldap (e.g 3rd pty)
• Access Manager controlled via policy
• Smart, but ability to deal with change hard and
  costly to support

22
Computing Roles and Groups

• Explicit assignment now
• Want directory to dynamically compute them on
  the fly for portal usage
• Easier to provision (change attribute)
• Will need to do it anyways for other data
  consumers (shib)
• Key roles should be constructed in IDM to be used
  to link people to resources.

23
Group Ubiquity

• This will be the killer feature
• Interested in sharing custom groups (or auto
  built) among
• Apps (calendar/portal/mail/access manager)
• External apps (listserv/AD)
• Ability to delegate group add/del to others via
  IDM and therefore grant control to data without
  granting control to the resource itself.
• Connectors exist within IDM to manage group
  details in resources. Do not know to what extent
  we can deal with it however.

24
Test Systems

• Problem Want to manage a single set of data, but
  mirror only that which we need to test
• Proposed approach
• Link test systems into production environment
• Restrict data being replicated
• Benefits
• Test data will always be up to dateno manual
  copies!
• Ability to leverage all tools of prod env. in
  test.
• Single holistic environment to manage and
  delegate control (or revoke!)

25
Account NavigationManagement

• Problem all records live in a flat namespace,
  however, we need to delegate access to certain
  areas.
• How do we define them?
• How do we deal with exceptions?
• How do we enable delegation and other controls?

26
Account NavigationManagement