Identity management - real world usage v8


description

A presentation on identity management at a medium-size school district as well as workings of the SIFA Identity Management Task Force to support standardization of Identity Management for the education space.

Transcript of Identity management - real world usage v8

Page 1: Identity management - real world usage v8

STATS DC 2011 - Balancing Timeliness and Quality

Identity Management (IDM): Real World Usage at the Local Level

Patrick Plant, CTO/CIO, Anoka-Hennepin School District

Andrew Elmhorst, Chief Architect, Pearson Data Solutions

Release for web use of this image on file

Page 2: Identity management - real world usage v8

WHAT IS THE USER EXPERIENCE? The Problem

Page 3: Identity management - real world usage v8
Page 4: Identity management - real world usage v8

The End User Experience

• Users are dealing with multiple usernames and passwords across systems
  – Different username and password policies across systems discourage/prevent usage of the same username and password
  – From both an ease of use and an organizational liability standpoint this encourages “weak” passwords and bad practices.

Page 5: Identity management - real world usage v8

Communication & Training are Key

Page 6: Identity management - real world usage v8

Communication & Training are Key

(The slide reproduces the district's password-policy memo to staff; its text follows.)

Heads Up! New network password policies are being adopted for staff and students across the District.

When: Starting 2/2/2010

Who it affects: All staff with Active Directory Accounts

Why must you change your password? Poorly chosen user passwords are the most common threat to computer network security. As an employee, you share responsibility for the security of the district network.

How: You’ll receive an email from Hattie Leary indicating the date your building will change. The first time you log into your computer after that date, you will be prompted to change your password. It’s easy; enter your new password twice and click OK.

Choosing your new password:
• Must be a minimum of 8 characters
• Must mix letters, numbers, and at least one special character (* % ^ % # - anything not a letter or number). It’s helpful to think of a phrase/goal/saying like “Retirement? I have 10 years left.” Use the first letter of each word; your password will be R?Ih10yl.
• Must start with a letter and contain upper and lower case letters
• Remember 4-4-4: Cannot contain more than 4 repeating characters or match more than 4 characters to the 4 previously used passwords

Simplify your life: If you log into several applications, you may use the same password for all of them. You’ll receive an email with links to instructions for changing your password in other applications such as SASI and MyLearningPlan.

How often will you need to change your password? Passwords will expire every 120 days.

Remember: do not share your password with anyone!

Questions: (contact line not legible in the scanned memo)
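As an added example (not from the memo or the district), a Python check that applies the memo's rules as written, with the memo's own R?Ih10yl passphrase as a passing case. Where the memo leaves a rule open, the code's reading is marked as an assumption: "repeating characters" is taken as a consecutive run, and "match more than 4 characters" as position-by-position agreement with one of the four previous passwords.

```python
import re

MIN_LENGTH = 8
MAX_RUN = 4            # "more than 4 repeating characters": ASSUMPTION, read as a consecutive run
MAX_HISTORY_MATCH = 4  # "match more than 4 characters to the 4 previously used passwords"
HISTORY_DEPTH = 4

def positional_matches(a, b):
    """Characters equal at the same position (ASSUMPTION for how a 'match' is counted)."""
    return sum(1 for x, y in zip(a, b) if x == y)

def check_password(candidate, history):
    """Return the memo rules the candidate breaks; an empty list means it is accepted.

    history holds the previous passwords, oldest first. Comparing character overlap
    needs the old plaintexts at change time; a directory that keeps only password
    hashes (as Active Directory does) can reject exact reuse but not partial overlap.
    """
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("minimum of 8 characters")
    if not candidate[:1].isalpha():
        problems.append("must start with a letter")
    if not (re.search(r"[a-z]", candidate) and re.search(r"[A-Z]", candidate)):
        problems.append("must contain upper and lower case letters")
    if not re.search(r"[0-9]", candidate):
        problems.append("must mix in a number")
    if not re.search(r"[^A-Za-z0-9]", candidate):
        problems.append("must contain at least one special character")
    if re.search(r"(.)\1{%d,}" % MAX_RUN, candidate):
        problems.append("more than 4 repeating characters")
    for old in history[-HISTORY_DEPTH:]:
        if positional_matches(candidate, old) > MAX_HISTORY_MATCH:
            problems.append("matches more than 4 characters of a previous password")
            break
    return problems
```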

Page 7: Identity management - real world usage v8

Managing users across systems over time

HR System

• Robert J Brown
• Teacher

Network System

• rjbrown
• Staff

Email System

• rjbrown@1-school.edu

Data Reporting System

• Bob Brown
• Can see students in classes

Parent Portal

• Bobby Brown
• Can see Susie’s grades

• What happens when Robert
  • Is Hired?
  • Gets Promoted?
  • Goes on Leave?
  • Loses custody of Susie?
  • Gets Divorced?
  • Retires?

Page 8: Identity management - real world usage v8

The Identity Management Experience

• District staff are dealing with managing identity and access management for staff, students and parents
  – Access to systems must be secure
  – Timely provisioning across systems
  – Timely de-provisioning across systems
  – Automation is essential for accuracy and containing cost

Page 9: Identity management - real world usage v8

Standards?

• LDAP
• inetOrgPerson
• eduPerson
• SAML
• Shibboleth
• CAS
• JAAS
• OpenSSO
• OpenID
• Biometrics
• Smart cards

one-off, custom integrations

not repeatable across organizations

bespoke requirements for suppliers

dizzying array of standards for organizations to choose from

Page 10: Identity management - real world usage v8

Information Management Strategy

• Three legs of an information management strategy:
  – Identity and Access Management
  – Information sharing and data management
  – Operational & Analytic System Use, Reporting, Data Utilization

• Unless everyone in the world has one system, we need the capability to integrate identities

• Better integration is a key cornerstone to unlocking collaborative possibilities (LEA, SEA, Cities, Counties, etc.)

• People are becoming more aware of ID standard needs

• SIF legitimately has the capacity and capability to work on this problem area for the educational enterprise

Page 11: Identity management - real world usage v8

IDENTITY MANAGEMENT PRACTICES: Real World Usage Scenarios

Page 12: Identity management - real world usage v8

The User Experience

• Important capabilities
  – Provisioning of accounts from source systems
  – Zero-day start is optimal (and becoming essential)
  – Providing access appropriately and securely to the right users at the right time
  – Capability to do single sign on across systems
  – Understanding between systems of shared attributes
  – De-provisioning users when they no longer should have access (is sometimes overlooked)

Page 13: Identity management - real world usage v8

What is an identity?

• A unique record, identifying a user within an enterprise
  – Represented by one or more attributes that are unique to the user
    • A set of unique ID attributes (DN, UUID, etc.)
    • A set of logon credentials (username/password)
      • Expiry, timeouts, retries
  – The record can contain additional attributes (name, address, contact information)

Page 14: Identity management - real world usage v8

Where is an identity created?

• In its simplest form, an identity may be created in a network directory system (Active Directory, Novell eDirectory, SunOne, etc.)

• Other systems can connect to the directory
  – read directory information (address book)
  – verify a user’s credentials

Page 15: Identity management - real world usage v8

Identity Lifecycle - Provisioning

Data Sourced
• HR
• SIS

Attributes Applied
• First Name
• Last Name
• Department / Grade / Course

Identity Established
• ID Created
• Account Established

Credentials Issued
• Username
• Password

Page 16: Identity management - real world usage v8

Identity Lifecycle - In Use

Roles Applied
• Admin
• Staff
• Teacher

Login
• One or more systems

Roles Change
• More Access
• Less Access

Deprovision
• Remove Access
• Inactivate

Page 17: Identity management - real world usage v8

Sustainable Management of Identities

• Ongoing identity management is crucial
  – Identity attributes should be entered only once
  – Provisioning should be automated
  – Information updates (typically from source systems)
  – Changing of roles over time
  – Credential resets / online self-help portals
  – Self-serve capability for managers/leaders to approve and direct role changes over time
  – Inactivation and de-provisioning

• Monitoring and auditing access to systems is being increasingly required (e.g. SOX compliance)

• If identities and roles are not centrally managed and processes automated, the ongoing maintenance is difficult

Page 18: Identity management - real world usage v8

Identity Lifecycle Levels of Automation

3. Real Time
2. Batch (Nightly)
1. Export Import
0. Manual

Moving up the levels brings: Higher Accuracy, More Automation, Better User Experience.

Page 19: Identity management - real world usage v8

Single Sign On Interoperability

• Centralizing authentication and authorization requires interoperability
  – Use of authentication protocols supported by the Identity Management System
    • LDAP
    • Kerberos, CAS, JAAS, OpenSSO, SAML, Shibboleth, OpenID
  – A shared schema (understanding of the attribute names used in the directory)
    • X.500
    • inetOrgPerson (RFC 2798)

Page 20: Identity management - real world usage v8

Single Sign On Levels

3. Federated Single Sign On
2. Single Sign On
1. Consistent Sign On
0. Separate Sign On

Labels on the ladder, from level 0 upward: Long Password Lists; Single Username and Password; Better User Experience; Crosses Organizational Boundaries.

Page 21: Identity management - real world usage v8

What about roles?

• An identity can have multiple roles
  – Teacher, Staff, Parent, Student, Administrator

• A simplistic practice is to create separate identities for users

• Best practice is to create a single identity and assign various roles to a user

• Roles may need to be very granular
  – Staff in School A, Admin in School B
  – Teacher of Johnny, Parent/Guardian of Susie
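As an added example (not from the deck), a small Python model of the slide's recommendation: one identity for Robert J Brown carries scoped roles, and the lifecycle events from the "What happens when Robert..." slide change roles or the active flag rather than creating or deleting identities. The event-to-role mapping is an assumption for illustration.

```python
from dataclasses import dataclass, field
@dataclass(frozen=True)
class Role:
    name: str   # Teacher, Staff, Admin, Guardian, ...
    scope: str  # the school, class or student the role is bound to

@dataclass
class Identity:
    uid: str
    active: bool = True
    roles: set = field(default_factory=set)

    def grant(self, name, scope):
        self.roles.add(Role(name, scope))

    def revoke(self, name, scope):
        self.roles.discard(Role(name, scope))

    def has(self, name, scope):
        return self.active and Role(name, scope) in self.roles

def apply_event(ident, event, **detail):
    """Map the deck's lifecycle events onto role changes (the mapping is an ASSUMPTION)."""
    if event == "hired":
        ident.grant("Staff", detail["school"])
    elif event == "promoted":
        ident.grant("Admin", detail["school"])
    elif event == "leave":
        ident.active = False  # suspend access but keep the roles for the return
    elif event == "lost_custody":
        ident.revoke("Guardian", detail["student"])  # only the Susie-scoped role goes
    elif event == "retired":
        ident.active = False  # full de-provisioning: nothing is left to reactivate
        for role in list(ident.roles):
            ident.revoke(role.name, role.scope)
    else:
        raise ValueError(f"unknown lifecycle event: {event}")

def can_see_grades(ident, student):
    """Parent Portal rule: a guardian or a teacher of the student may view grades."""
    return ident.has("Guardian", student) or ident.has("Teacher", student)

def robert():
    """Constructed sample: the Robert J Brown scenario from the deck."""
    r = Identity("rjbrown")
    apply_event(r, "hired", school="School A")
    r.grant("Teacher", "Johnny")
    r.grant("Guardian", "Susie")
    return r
```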

Page 22: Identity management - real world usage v8

Identity and Access Integration Levels

2. Roles/Access Shared (Allows Central Access Control)
1. Identity Sharing / Provisioning (Allows for SSO)
   • Ahead of Time
   • Just in Time
0. No Sharing (Silo Systems)

Page 23: Identity management - real world usage v8

Identity and Access Integration

•  Now  that  the  iden5ty  is  created,  how  do  all  of  the  other  systems  understand  and  use  it?  

•  If  changes  are  made,  do  other  systems  get  updated?  

•  Are  user  roles  and  system  access  centralized  or  siloed  in  each  system?  

Page 24: Identity management - real world usage v8

STANDARDIZING IDENTITY MANAGEMENT

What the SIFA IDM Project Team is up to

Page 25: Identity management - real world usage v8

Why Standardization?

• We are not using the same system
• Standards open new opportunities for collaboration

• Too many standards for SSO, not enough standards for management

• Bespoke, ad-hoc in practice

Page 26: Identity management - real world usage v8

Management of State Student IDs

• SIF supports real-time, web-services-based integration between LEAs and SEAs to support automated student ID management

• No credentials are issued, so this is not identity management in the broader sense

• Student IDs are managed by SIF in 9 states
  – AK, IA, OH, SC, UT, VA, WY, MA, OK

Page 27: Identity management - real world usage v8

Mission

Create plug and play interoperability profiles, supporting identity management and single sign on for the educational space

Page 28: Identity management - real world usage v8

SIFA IDM Project Team Assumptions

• Provisioning the IDM
• Sharing identity data
• Maps between SIF and IDM

• Leverage existing IDM specs

• Global Scope

Page 29: Identity management - real world usage v8

Near Term Deliverables

• Identity Provisioning Profile
• Single Sign On Profile
• Access Provisioning Profile
• Identity Aggregation Profile

Page 30: Identity management - real world usage v8

Identity Provisioning with SIF

(Diagram: Applications, each with its SIF Agent, connect to the ZIS and exchange SIF Data Objects with the Identity Management System. Applications shown: Student Information System, Human Resources and Financial Management, Special Programs, Instructional Improvement System, Data Warehouse, Learning Management System, Formative Assessment.)

Page 31: Identity management - real world usage v8

Identity Provisioning Profile

•  Describes  how  an  Iden5ty  Management  System  can  be  provisioned  by  SIF  

•  Describes  a  basic  set  of  assump5ons  for  determining  user  roles  from  SIF  data  

•  Profiles  the  iden5ty  data  that  an  Iden5ty  Management  System  should  publish  back  to  SIF  

•  Profiles  the  data  flow  for  standard  use  cases  

Page 32: Identity management - real world usage v8

Publishing Identity Attributes

(Diagram: the same components as the previous slide, with the Identity Management System publishing identity attributes as SIF Data Objects through the ZIS to the applications: Student Information System, Human Resources and Financial Management, Special Programs, Instructional Improvement System, Data Warehouse, Learning Management System, Formative Assessment.)

Page 33: Identity management - real world usage v8

Identity Provisioning Example

<Identity RefId="4286194F43ED43C18EE2F0A27C4BEF86">
  <SIF_RefId SIF_RefObject="StudentPersonal">23B08571E4D645C3B82A...</SIF_RefId>
  <AuthenticationSource>MSActiveDirectory</AuthenticationSource>
  <IdentityAssertions>
    <IdentityAssertion SchemaName="sAmAccountName">user01</IdentityAssertion>
    <IdentityAssertion SchemaName="userPrincipalName">[email protected]</IdentityAssertion>
    <IdentityAssertion SchemaName="distinguishedName">cn=User1,cn=Users,dc=org</IdentityAssertion>
  </IdentityAssertions>
  <AuthenticationSourceGlobalUID>23A08571E4D645C3B82A…</AuthenticationSourceGlobalUID>
</Identity>
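As an added example (not from the deck or the SIF specification), a Python parser that turns the Identity object above into a provisioning record and rejects objects a directory agent could not act on. The sample XML is a constructed copy of the slide's object with its truncated RefIds and illegible e-mail replaced by placeholders; the per-source list of required assertions is an assumption.

```python
import re
import xml.etree.ElementTree as ET

# Constructed copy of the slide's Identity object. The slide truncates both RefIds with
# "..." and its e-mail is not legible; both are filled with obvious placeholders here.
SAMPLE = """<Identity RefId="4286194F43ED43C18EE2F0A27C4BEF86">
  <SIF_RefId SIF_RefObject="StudentPersonal">23B08571E4D645C3B82A000000000000</SIF_RefId>
  <AuthenticationSource>MSActiveDirectory</AuthenticationSource>
  <IdentityAssertions>
    <IdentityAssertion SchemaName="sAmAccountName">user01</IdentityAssertion>
    <IdentityAssertion SchemaName="userPrincipalName">user01@example.org</IdentityAssertion>
    <IdentityAssertion SchemaName="distinguishedName">cn=User1,cn=Users,dc=org</IdentityAssertion>
  </IdentityAssertions>
  <AuthenticationSourceGlobalUID>23A08571E4D645C3B82A000000000000</AuthenticationSourceGlobalUID>
</Identity>"""

REFID = re.compile(r"^[0-9A-F]{32}$")  # SIF RefId: a GUID as 32 upper-case hex digits, no dashes
# Assertions a directory agent needs before it can act on the record (ASSUMPTION, per source)
REQUIRED = {"MSActiveDirectory": {"sAmAccountName", "userPrincipalName", "distinguishedName"}}

def parse_identity(xml_text):
    """Turn one SIF Identity object into a provisioning record, rejecting malformed input."""
    root = ET.fromstring(xml_text)
    if root.tag != "Identity":
        raise ValueError(f"expected an Identity object, got <{root.tag}>")
    ref_id = root.get("RefId", "")
    if not REFID.match(ref_id):
        raise ValueError(f"malformed RefId: {ref_id!r}")
    source = root.findtext("AuthenticationSource", "").strip()
    assertions = {a.get("SchemaName"): (a.text or "").strip()
                  for a in root.iter("IdentityAssertion")}
    missing = REQUIRED.get(source, set()) - set(assertions)
    if missing:
        raise ValueError(f"{source} identity lacks assertions: {sorted(missing)}")
    person = root.find("SIF_RefId")  # link back to the SIF person object (StudentPersonal here)
    return {
        "ref_id": ref_id,
        "person_object": person.get("SIF_RefObject") if person is not None else None,
        "person_ref_id": (person.text or "").strip() if person is not None else None,
        "source": source,
        "source_uid": root.findtext("AuthenticationSourceGlobalUID", "").strip(),
        "assertions": assertions,
    }
```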

Page 34: Identity management - real world usage v8

Authentication Profile

• Focus on three authentication protocols in wide use today and profile them for the education space
  – LDAP
  – OpenID
  – Shibboleth

• For each protocol, create a standard profile for discovery, topology, and attribute exchange

Page 35: Identity management - real world usage v8

Access Provisioning Profile

• Create a standardized set of mechanisms for central control of roles and user access

• Allow for a standard set of roles to be propagated via SSO protocols (real-time)

• Allow for roles and access permissions to be propagated via SIF web services

Page 36: Identity management - real world usage v8

Identity Aggregation Profile

• Identities for a user may be sourced from multiple systems via SIF

• One example is a central Identity Management System that services multiple schools

• Clearly define how identity aggregation is conveyed to subscribing systems within a SIF zone

Page 37: Identity management - real world usage v8

What have we covered?

• Effective identity management improves ease of use

• Identity management practices are diverse and many times implemented in a bespoke manner

• The SIFA IDM project team is attempting to build common IDM practices and profiles for educational organizations and vendors

Page 38: Identity management - real world usage v8

Suggested next steps

• Inventory where your organization stands in its identity management practices

• Contribute to the effort to standardize identity management for the education space

Page 39: Identity management - real world usage v8


Contact Information

• Patrick Plant, Chief Technology and Information Officer, www.anoka.k12.mn.us, [email protected], 763.506.1020

• Andrew Elmhorst, Chief Architect, www.pearsondatasolutions.com, [email protected], 801.858.0094