The UW-Madison IAM Experience
Building our Dream Home
Presented by Steve Devoti, Senior IT Architect
© 2007 Board of Regents of the University of Wisconsin System
The UW-Madison needs to remodel and expand its IAM services
You probably look a lot like us
We are clearly not meeting the needs of campus; we lack a blueprint
Analysis and an organized approach can get this thing built
Form a project, assign resources and recommend a direction
We had been working on a small space for over 4 years
We decided to build it ourselves
There were no vendors that could meet our needs
We love to build things
Who knows? All the original decision-makers are gone!
Overly complex design
Never really structured as a project
Customers are getting grumpy
For 4 years, customers have been told that PASE will solve everything
The executive sponsor decided it was time for some changes
A new enterprise architect was assigned
A “real” project manager was assigned
The team reexamined the requirements and the decision to build
We formalized our requirements and did a high level evaluation of the options

| Functional/Non Functional | IAM Category | Scope | Requirement | Compliance | Module or Feature | Effort |
|---|---|---|---|---|---|---|
| F | Authorize | System | Shall provide the ability to define combinations of create, retrieve (read), update (modify) and delete permissions to create appropriate system roles (e.g. "Affiliation Manager") | None | Authorization Manager | Difficult |
| F | Authorize | System | The system shall support integration with the institutional and/or standards-based authentication mechanisms (e.g. pubcookie, Shibboleth, SAML). | None | Authentication Manager | Moderate |
| F | Authorize | System | The system shall support an "auditor" role which allows a subject to read and create reports from system logs, but allows no other system access. | None | Authorization Manager/UI | Moderate |
| F | Log | System | Shall support logging of, and reporting on, governance activities. | Partial | Log/Audit facility | Easy |

See: WIBuyVSBuild.xls
Build vs. Open Source vs. Buy
We also completed a high-level pros and cons analysis
• Acquire Total Solution (Commercial Vendor) Pros:
– Consulting resources. Consulting resources are readily available to assist in commercial vendor implementations.
– Provisioning. Commercial vendor identity management suites include advanced provisioning functionality.
– Workflow. Commercial vendor identity management suites include workflow.
– Functionality. In addition to provisioning, many vendor suites include other advanced identity management functionality that might be useful to the organization (web access control, federation services, virtual directory or meta-directory, etc.).
• Acquire Total Solution (Commercial Vendor) Cons:
– Cost. Is more expensive than some other solutions.
– Lack of higher education community. Though there is high adoption of commercial identity management software in private industry, there is much less adoption in higher education, particularly at large institutions.
See: WIProsAndCons.xls
We decided that the Grouper/Signet solution best met our needs
We went to some camps, and installed a POC system
The natives were getting even more restless
Priorities have changed
Our customers wanted us to address provisioning first
That was going to take a lot of building or maybe purchase of another product
The only reasonable thing to do was look at vendor solutions
We did proof-of-concepts with Oracle and Sun
Our sponsor was exploring ways to pay for the solution
Through hard work and masterful persuasion funding was secured
We began an RFP, dividing the work into 3 high-level capabilities
• Directory Services
• Identity Management
• Integration
• Access Management
• History
• Support
• Cost
Each capability section was built with standard bricks
See: WIRFPSpecs.doc
Capabilities, functions and “other considerations” were weighted
We ended up with something like this:

| Section | Question / Definition | Rating Guidance | Points |
|---|---|---|---|
| 3 Web Access Management Capability (Total Points = 3,400) | We define Web Access Management Capability as a central policy and enforcement infrastructure capable of protecting heterogeneous web resources for the purpose of providing users with single sign-on. Note, in the context of this RFP, Web Access Management includes federation functionality and the protection of SOAP-based web services. | | |
| 3.1. Architecture | Describe at a high level the elements and technologies that make up this capability and their relation to each other. Provide diagrams. What are the advantages of this architecture? Specify any disadvantages or limitations of this architecture. If your solution supports multiple high-level configurations, describe the advantages and disadvantages of each. Describe the logical architecture of the servers that make up your solution. | SHOULD follow good application architecture practices with an architecture that is compatible with the University of Wisconsin's Common Systems technology infrastructure. | 544 |
| 3.1.1. Policy Administration Points (PAPs) | Describe how the PAP(s) are deployed. Do you provide a single PAP or must policies be individually managed on each Policy Decision Point (PDP)? | SHOULD provide a single point of policy management. | 72 |

See: WIRFPSpecs.xls
We developed an evaluation methodology

| Evaluation | Definition | Score |
|---|---|---|
| No Support | No support according to the ratings guidance. No documentation. Extension to meet requirement is difficult, extremely expensive, or not possible to extend. | 0 |
| Partial Support | Partially supported, with some aspects missing according to the ratings guidance, or the answer doesn't follow the expected format. Lacking clear or specific documentation. Unreasonable, or somewhat expensive, to extend. | 1 |
| Strong Support | Mostly supported, with a couple of aspects missing according to the ratings guidance. Somewhat well documented in the vendor response with reference to technical documentation. Provides functionality out-of-the-box or easy to extend to provide functionality. | 3 |
| Full Support | Completely supported according to the rating guidance. Fully or somewhat documented in the vendor response with reference to technical documentation. Requirement requires standard expertise to implement, perform, or meet. | 9 |
We sent it out, received the responses and scored them
And the winner is…
Where do we go from here?
Questions?