Title: Identity Management at the University of Florida
Identity Management at the University of Florida
Mike Conlon, Director of Data Infrastructure
University of Florida, Gainesville, Florida

Background

Identity Management Entities

Who is in Our Environment: the UF Directory and UFID

Project. In 2000, the University began an investigation to determine how to approach the fundamental questions of identity management. In the fall of 2001 work began on a new enterprise person registry with a new person identifier, the UFID: an 8-digit, non-revocable, opaque identifier assigned to every person affiliated with UF, past or present. UFID has replaced SSN as the primary identifier in all UF systems. The UF Directory was launched in January of 2003 and to date over 1.4 million UFIDs have been issued.

Procedure. Identity is established by directory coordinators, authorized University employees who enter information into the directory and are issued the UFID. The UFID is present on UF's photo ID, the Gator1 card. Identity is also established by application processes for students: student applicants are issued a UFID on completion of their application. Guest identity (low assurance) can be established by persons authorized to create guest accounts.

Systems. The UF Directory is currently a mainframe application with data residing in a collection of 145 locally developed DB2 tables. Service queues are used to slave Directory, Authentication and Authorization systems to the UF Directory. Over 50 queues support replication to Active Directory, NDS, LDAP, Student systems, PeopleSoft, Housing, Hospital Systems, the UF Foundation and many others.

What Are People Authorized To Do: User Security Roles

Figure 1. My Roles shows each user their security roles.

Asserting Identity: GatorLink

Policy. Credential policy is recommended by the Information Technical Advisory Council Data Infrastructure committee and consists of yes/no values for each directory affiliation. A portion of the approved policy is shown below.

  Affiliation        Credential    Affiliation       Credential
  Alumni             No            Emeritus          Yes
  Board of Trustee   Yes           Faculty           Yes
  Campus Resident    Yes           Former Student    Yes
  Courtesy Faculty   Yes           Vendor            Yes

Password policy consists of a matrix of 5 policies and 15 attributes per policy, defining five password policies that are then assigned to each security role. A user's password policy is the maximum password policy assigned to any of the user's assigned roles. A portion of the password policy matrix is shown below.

  Attribute                          P1    P2    P3    P4    P5
  Minimum Length of Password         8     8     8     9     9
  Password is character checked      Yes   Yes   Yes   Yes   Yes
  Max Age of Password in Days        365   365   180   90    90
  May Reset via Self Service Hint    Yes   Yes   Yes   No    No
  Requires Two Factor Auth           No    No    No    No    Yes

Service Oriented Architecture for Credential Management

Figure 3. Users interact with PeopleSoft for credential management. PeopleSoft uses two methods for replicating credential information: SOA-based methods (blue) and database-based methods (orange).

Next Steps

More information