Managing Information Technology @ UT, November 13-14, 2008
Campus Identity and Access Management Services
Objectives
• Learn how the university assigns and manages electronic identities
• Learn how this information is used for authentication and authorization
IAM Overview
• Terms & Concepts
• IAM Goals & Principles
• IAM Services Overview
  • Identity Management
  • Directory Services
  • Authentication Services
  • Authorization Services
IAM Terms
• Identity – the set of attributes and credentials associated with an entity
• Directory Services – store, organize, and provide information about identities to consuming systems
• Authentication – verifying the identity of a user (most commonly with a username and password) and providing assurances of that identity to a service
• Authorization – verifying whether an identity is permitted to take an action
Attributes & Credentials
• Attributes – identity and affiliation characteristics of an entity which are of interest to the university
• Credentials – used to establish a person's identity and help the university maintain a high degree of confidence in it; they help define the levels of service, access, or privileges available to a particular identity
  • Physical credentials – UT ID Cards
  • Electronic credentials – UT EIDs
IAM Goals & Principles
• Entities have a single identity
• Identity is a ubiquitous public user name
• Identities have lifelong community membership
• Consistent sign-on (authentication)
• Self-service
• Distributed management
Identity Management Services
[Diagram: IAM service components – Source Systems, Identity Management System, Enterprise Directory, Other Directory Services, Authentication Services, Authorization Services]
UT EID
• An electronic identifier that contains two key attributes – UT EID and UIN
• Several EID types: Person, Business, Department, Service, Group, Resource, ID-Only
• A Person UT EID is an individual's public username and the electronic credential that allows them to use online secure services
Person EID Affiliations & Classes
• Guest Class – EID without Affiliation, Prospective Student, Prospective Faculty, Job Applicant
• Affiliate Class – Library Patron, Donor/Friend of the University/VIP, University Extension Participant, Retiree, Graduate, Future Student, Future Staff, Former Staff, Future Faculty, Former Faculty, Future Employee, Former Employee
• Member Class – Current Student, Current Faculty, Current Staff, Official Visitor, Current Employee
Additional Person EID Concepts
• Entitlements – specific endorsements, credentials, or permissions, e.g. IDP, SIG, LLV, DPU, etc.
• EID Upgrade – IDP: UT has seen the person's photo ID; SIG: the EID may be used as a legal signature
• Restrictions – limit who may view information (FERPA); attributes or the entire identity may be restricted
Did You Know?
• Approximately how many EIDs have been issued by UT Austin? 4.5 million EIDs (3.8 million Person EIDs)
• On an average day during the regular semester, how many EID logons occur? ~130,000 EID logons
Enterprise Directory Services
[Diagram: the same IAM service components as on the Identity Management Services slide]
Enterprise Directories
• uTexas Enterprise Directory (TED)
• TED on the Mainframe (TOM)
• White Pages Directory
• Austin Active Directory
Sample Person Attributes in TED
(Columns: Attribute Name; Contents; Multi- or Single-Valued / Required Indicator; May Be Populated For; Access Group; Permitted Searches; Source & Format)

Identifiers

Attribute: uid, utexasEduPersonEid
  Contents: Current UT EID (uid is the naming attribute for people)
  Valued / Required: Single, Required
  May be populated for: All people
  Access group: Basic, AffOnly (see notes)
  Permitted searches: equality
  Source & format: EID System; max 8 characters

Attribute: utexasEduPersonPriorEid
  Contents: Prior UT EIDs
  Valued / Required: Multi
  May be populated for: All people
  Access group: Basic
  Permitted searches: equality
  Source & format: EID System; max 15 characters

Attribute: utexasEduPersonUin
  Contents: Current UIN
  Valued / Required: Single, Required
  May be populated for: All people
  Access group: Basic, AffOnly
  Permitted searches: equality
  Source & format: EID System; 16-digit hex
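The TED attribute table above says these identifier attributes may only be searched by equality and gives their formats. The following is an added example (not code from the UT presentation or from TED itself) of how a consuming application should build such a lookup: it enforces the per-attribute format, escapes the value per RFC 4515 so user input cannot inject extra filter terms, and uses the multi-valued prior-EID attribute to resolve an EID that has since been changed. The attribute names and length/hex rules come from the slide; the letters-and-digits character set for EIDs, the `ldap_escape`, `build_equality_filter` and `eid_lookup_filter` helpers are this example's assumptions.

```python
"""Safe equality lookups against the TED person attributes.

Added example, not code from the UT presentation. Attribute names
(uid, utexasEduPersonEid, utexasEduPersonPriorEid, utexasEduPersonUin),
the "equality only" search rule and the formats (EID max 8 characters,
prior EID max 15, UIN 16 hex digits) come from the slide; the character-set
rules, the escaping function and the combined current/prior lookup are
assumptions made here for illustration.
"""
import re

# Assumed character sets: the slide gives only the maximum lengths and
# "16-digit hex"; letters-and-digits for EIDs is this example's assumption.
FORMATS = {
    "uid": re.compile(r"^[A-Za-z0-9]{1,8}$"),
    "utexasEduPersonEid": re.compile(r"^[A-Za-z0-9]{1,8}$"),
    "utexasEduPersonPriorEid": re.compile(r"^[A-Za-z0-9]{1,15}$"),
    "utexasEduPersonUin": re.compile(r"^[0-9A-Fa-f]{16}$"),
}

# Searches the directory permits on these attributes (from the slide).
PERMITTED_SEARCHES = {name: {"equality"} for name in FORMATS}

# RFC 4515 section 3: characters that must be hex-escaped in a filter value,
# so that user input cannot close the assertion and inject a new one.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def ldap_escape(value: str) -> str:
    """Escape a user-supplied assertion value for use inside an LDAP filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_equality_filter(attribute: str, value: str) -> str:
    """Return '(attribute=value)' for a permitted, well-formed lookup.

    Two independent defenses: the value must match the attribute's format
    (so '*)(objectClass=*)' is rejected outright), and it is escaped anyway
    in case the format rule is later relaxed.
    """
    if "equality" not in PERMITTED_SEARCHES.get(attribute, set()):
        raise ValueError(f"equality search not permitted on {attribute}")
    if not FORMATS[attribute].match(value):
        raise ValueError(f"value does not match the format of {attribute}")
    return f"({attribute}={ldap_escape(value)})"


def eid_lookup_filter(eid: str) -> str:
    """Find a person by an EID that may since have been changed: match the
    current EID or any prior EID (utexasEduPersonPriorEid is multi-valued).
    Only the branches whose format the value satisfies are included."""
    parts = [build_equality_filter(attr, eid)
             for attr in ("utexasEduPersonEid", "utexasEduPersonPriorEid")
             if FORMATS[attr].match(eid)]
    if not parts:
        raise ValueError("not a well-formed EID")
    return parts[0] if len(parts) == 1 else "(|" + "".join(parts) + ")"


if __name__ == "__main__":
    print(eid_lookup_filter("jdoe"))
    print(build_equality_filter("utexasEduPersonUin", "0123456789ABCDEF"))
    print(ldap_escape("jdoe*)(objectClass=*"))   # shows the escaping alone
    try:
        build_equality_filter("utexasEduPersonEid", "*)(objectClass=*")
    except ValueError as err:
        print("rejected:", err)
```

The format check is the primary control here because the directory only permits equality searches on these attributes: a value that cannot be a legal EID or UIN has no business reaching the directory at all. Escaping is kept as a second layer so that a future substring-search attribute does not silently reopen filter injection.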
Authentication Services
[Diagram: the same IAM service components as on the Identity Management Services slide]
Web Authentication
[Diagram: Web Browser; Web Server with AuthN. Agent; Authentication Service; Data Store]
Authentication Methods
• Web Authentication – UT Direct/Fat Cookie, Shibboleth, TAM (next generation)
• Mainframe Authentication – RACF, EID
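The Web Authentication diagram separates the Authentication Service, which checks the credential against its data store, from the AuthN. Agent on the web server, which must verify the resulting assertion before the application trusts it. The example below is added here to show that agent-side check; it is not code from UT Direct, Shibboleth or TAM, and the slide does not describe their token formats. The HMAC-signed cookie layout (`eid|uin|expiry|signature`), the shared key, and the `issue_cookie` / `verify_cookie` functions are assumptions for illustration only.

```python
"""Agent-side verification in the Web Authentication diagram.

Added example, not code from UT Direct, Shibboleth or TAM; the slide names
those methods but does not describe their token formats. The HMAC-signed
cookie layout used here (eid|uin|expiry|signature) and the shared key are
assumptions for illustration. The point it shows is the division of roles:
the Authentication Service issues an assertion after checking the
credential, and the AuthN. Agent on the web server must verify that
assertion (signature and expiry) before the application trusts the identity.
"""
import base64
import hashlib
import hmac

# Constructed for the example; a real deployment would provision this key
# to the Authentication Service and each agent out of band.
SHARED_KEY = b"example-shared-key-do-not-use"


def _mac(key: bytes, payload: bytes) -> str:
    digest = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).decode().rstrip("=")


def issue_cookie(eid: str, uin: str, now: int, ttl: int = 3600,
                 key: bytes = SHARED_KEY) -> str:
    """Authentication Service side: called only after the user's password
    has been checked against the data store. Binds EID and UIN to an expiry."""
    if "|" in eid or "|" in uin:
        raise ValueError("field separator not allowed in identity fields")
    payload = f"{eid}|{uin}|{now + ttl}"
    return payload + "|" + _mac(key, payload.encode())


def verify_cookie(cookie: str, now: int, key: bytes = SHARED_KEY):
    """AuthN. Agent side: return (eid, uin) only if the cookie is intact and
    unexpired, else None. The application never parses the cookie itself."""
    parts = cookie.split("|")
    if len(parts) != 4:
        return None
    eid, uin, expiry, mac = parts
    payload = f"{eid}|{uin}|{expiry}".encode()
    # Constant-time comparison so a forger learns nothing from timing.
    if not hmac.compare_digest(_mac(key, payload).encode(), mac.encode()):
        return None            # forged or tampered (e.g. EID swapped)
    if not expiry.isdigit() or int(expiry) <= now:
        return None            # expired: a stolen cookie has a bounded life
    return eid, uin


if __name__ == "__main__":
    cookie = issue_cookie("jdoe", "0123456789ABCDEF", now=1000, ttl=600)
    print("valid   :", verify_cookie(cookie, now=1500))
    print("expired :", verify_cookie(cookie, now=1600))
    print("tampered:", verify_cookie(cookie.replace("jdoe", "admin", 1), now=1500))
```

The check that matters is the one the agent performs: a web server that merely reads the EID out of the cookie, without verifying the signature and expiry, lets anyone who can set a cookie pick their identity.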
Authorization Services
[Diagram: the same IAM service components as on the Identity Management Services slide]
Authorizations
[Diagram of authorization sources and mediation paths]
• Systems: BACS, NRRECS, Task Manager
• Groups: BACS Group – App-empl.; Apollo Group – EID Stewards
• Mediation paths: System Internal – Group; Group Mediated; System Internal – Individual
• Example authorizations: View unrestricted student records; Access Main 25th Floor; Update DP; Submit DP
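The Authorizations diagram shows an authorization reaching a person either directly (System Internal – Individual) or through a group such as EID Stewards (Group Mediated). The following is an added example, not code from Apollo, *DPUSER, BACS or NRRECS, of a resolver that honours both paths, denies by default, and ties the earlier Restrictions concept in: "View unrestricted student records" does not reach a FERPA-restricted identity. The authorization and group names are taken from the slide; the people, the assignments, the rule that Submit DP needs the SIG entitlement, and the `Identity`, `granted_auths`, `is_authorized` and `can_view_student_record` names are constructed assumptions.

```python
"""Resolving authorizations along the two paths on the Authorizations slide:
individually assigned (System Internal – Individual) and group-mediated
(a group such as "EID Stewards" or "App-empl." carries the authorization).

Added example, not code from Apollo, *DPUSER, BACS or NRRECS. The
authorization and group names are taken from the slide; the people, the
assignments, the rule that "Submit DP" needs the SIG entitlement, and the
rule that a FERPA-restricted identity is outside "View unrestricted
student records" are constructed assumptions for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class Identity:
    eid: str
    groups: set = field(default_factory=set)         # group memberships
    entitlements: set = field(default_factory=set)   # EID upgrades, e.g. IDP, SIG
    restricted: bool = False                         # FERPA restriction in effect


# Constructed sample authorization store (group-mediated grants).
GROUP_AUTHS = {
    "App-empl.": {"Access Main 25th Floor"},
    "EID Stewards": {"Update DP", "Submit DP"},
}
# Constructed sample store of individually assigned grants.
INDIVIDUAL_AUTHS = {
    "jdoe": {"View unrestricted student records"},
}
# Assumed: some authorizations also require an EID upgrade entitlement.
REQUIRED_ENTITLEMENT = {
    "Submit DP": "SIG",
}


def granted_auths(identity: Identity) -> set:
    """Union of the identity's individual grants and its groups' grants."""
    auths = set(INDIVIDUAL_AUTHS.get(identity.eid, set()))
    for group in identity.groups:
        auths |= GROUP_AUTHS.get(group, set())
    return auths


def is_authorized(identity: Identity, auth: str) -> bool:
    """Deny by default; grant only if the authorization is held (by either
    path) and any entitlement it depends on is present."""
    if auth not in granted_auths(identity):
        return False
    needed = REQUIRED_ENTITLEMENT.get(auth)
    return needed is None or needed in identity.entitlements


def can_view_student_record(viewer: Identity, student: Identity) -> bool:
    """'View unrestricted student records' does not reach a record whose
    identity carries a FERPA restriction; such requests are denied here."""
    if student.restricted:
        return False
    return is_authorized(viewer, "View unrestricted student records")


if __name__ == "__main__":
    jdoe = Identity("jdoe", groups={"App-empl."}, entitlements={"IDP"})
    steward = Identity("asmith", groups={"EID Stewards"}, entitlements={"IDP", "SIG"})
    print(sorted(granted_auths(jdoe)))
    print(is_authorized(steward, "Submit DP"), is_authorized(jdoe, "Submit DP"))
    print(can_view_student_record(jdoe, Identity("cstudent", restricted=True)))
```

Keeping group-mediated and individual grants in separate stores, as the diagram does, is what makes distributed management auditable: removing a person from EID Stewards withdraws every authorization that group carried, without touching grants that were assigned to the person directly.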
Authorization Products
• Apollo – a mainframe authorization repository with customizable application profiles and group management functionality
• *DPUSER – authorization system for mainframe services, including the management of Natural and Adabas resources
In Closing
• An entity has only one identity, and it is represented by the UT EID
• The UT EID is the ubiquitous public user name
• Identities have lifelong membership in our community
• Identity & Access Management services include: Identity Management, Directory Services, Authentication Services, & Authorization Services