UNC CAUSE 2010 Identity and Access Mgmt Panel

Identity and Access Management: Updates on IAM in the System. Mark Scheible, NC State University; Lynn Franz, Western Carolina University; Jan Tax, UNC-Chapel Hill; Steven Hopper, UNC-GA


Transcript of UNC CAUSE 2010 Identity and Access Mgmt Panel

Page 1: UNC CAUSE 2010 Identity and Access Mgmt Panel

Identity and Access Management

Updates on IAM in the System

Mark Scheible, NC State University

Lynn Franz, Western Carolina University

Jan Tax, UNC-Chapel Hill

Steven Hopper, UNC-GA

Page 2: Introductions

Mark Scheible, Manager, Identity and Access Management, NC State University

Lynn Franz, Application Development & Data Management, Western Carolina University

Jan Tax, Identity and Access Management, UNC Chapel Hill

Steven Hopper, Director of Online Services & CTO for UNC Online, UNC General Administration

Page 3: Identity and Access Management

“Identity Management has evolved to include policies, procedures and the broad spectrum of technologies required to establish institutional identity management (IdM) systems” – EDUCAUSE IAM Working Group

Page 4: Identity and Access Management – Major areas of interest

• Identity Vetting & Proofing - making sure the information provided about an individual (e.g. name, DOB, address, phone number, degree(s) earned, etc.) is accurate and verified, and ensuring a credential is issued to the appropriate person

• Credentialing - the issuing of a “username and password” for authentication purposes

• Directories – database(s) containing information associated with individuals and resources (in this context, identity data or “attributes”)

• Authentication Services – used to authenticate someone (the login process)

• Authorization Services – used to determine what access an individual has to applications, resources, etc., based on who they are, or their membership in a group

Page 5: Internet2 Middleware Diagram

Page 6: Panel Discussion

• Identity Population Utilization (Lynn Franz)

• Group Management (Jan Tax)

• Federated Identity Management (Steven Hopper)

Each of our panelists will touch on a different aspect of IAM …

Page 7: Identity and Access Management at Western Carolina University

Page 8: Where we started…

First decision: Banner is the data source of record. It drives access to IT resources and services.

Page 9: One of the first tasks was to look at the various populations…

A solid understanding of organizational roles is key for creating and maintaining identity and access management.

Page 10

At the highest level, our data consisted of three populations.

Page 11

Each population consisted of further sub-categories. For example, STUDENT:

• Intending Student?

• Cullowhee Commuter?

• Currently Enrolled?

• Continuing?

• Former Student?

• Future Student?

“Student”? Which “Student”???

Page 12

This foundation is the core of our Identity Management processing.

(Diagram: Group → Group Members → Further Sub-Group Memberships)

We defined and created a scalable mechanism for identifying, creating, and managing those groups.

Page 13

(Diagram: a Role at the centre, consumed by Security Groups and Distribution Lists, Reports, Databases, Interfaces between data sources on or off campus, and Luminis Roles)

Each group, or Role, is defined in one location. The Role may be consumed in many places.

Page 14

If the Role definition changes, it’s changed in ONE place. Consumption of the Role is not interrupted.

Role definitions are consistent across consumers.

(Diagram: the same Role and its consumers: Security Groups and Distribution Lists, Reports, Databases, Luminis Roles, Interfaces between data sources on or off campus)

Page 15

Roles can be defined, re-defined, and sub-grouped. Meanwhile, the organization keeps rolling along…

• Staff (Full or Part-Time)

• Faculty

• Graduate Assistant (Teaching and Lab)

• Graduate Assistant (Non-Teaching, Non-Lab)

• Student Worker

• Hourly or Temporary Worker

• Cullowhee Commuter

• Guest or Consultant

Page 16: We had to make another key decision…

Banner allows for one external username association with one individual. One individual may exist in multiple roles!

Should these have the same external username?

(Diagram: Sally Sue is both a Graduate Student (@catamount) and an Employee (@wcu))

Student accounts (email hosted off campus) and Non-Student accounts (email hosted on site) would have unique external usernames. Both are provisioned in Active Directory. A Banner mod was necessary for this association.

Page 17

This simple SQL statement returns the Active Student member information (Banner PIDM, Role, Active Directory External Username).

The Blackboard integration components can be easily associated using a single point of reference for group membership.
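The two slides above describe a Role defined once in the system of record and consumed by many systems, with a person who is both a student and an employee carrying two distinct external usernames. The following is an added example (not the presenters' code or Banner's schema) that models that design in SQLite: the table names, columns, the `@catamount` / `@wcu` username forms and all sample rows are constructed assumptions, and the `role_membership` view stands in for the "simple SQL statement" on the slide.

```python
"""Role membership derived from the system of record (constructed example).

Banner-like tables are the source of record; each Role is defined exactly
once as a SQL view; consumers (Blackboard, AD groups, reports) query the
view instead of re-implementing the rule.  Names and data are assumptions.
"""
import sqlite3

SCHEMA = """
CREATE TABLE person (pidm INTEGER PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE enrollment (pidm INTEGER, term TEXT, status TEXT);   -- 'ENROLLED', 'FORMER', ...
CREATE TABLE employment (pidm INTEGER, position_type TEXT, active INTEGER);
-- One external username per (person, account family).  Allowing more than
-- one row per PIDM is the 'Banner mod' mentioned on the slide.
CREATE TABLE external_username (pidm INTEGER, family TEXT, username TEXT,
                                UNIQUE (pidm, family));
-- Each Role is defined in ONE place: a view over the source-of-record data.
CREATE VIEW role_membership AS
    SELECT e.pidm, 'ACTIVE_STUDENT' AS role, x.username AS external_username
      FROM enrollment e JOIN external_username x
        ON x.pidm = e.pidm AND x.family = 'STUDENT'
     WHERE e.status = 'ENROLLED'
  UNION ALL
    SELECT m.pidm, 'EMPLOYEE', x.username
      FROM employment m JOIN external_username x
        ON x.pidm = m.pidm AND x.family = 'NONSTUDENT'
     WHERE m.active = 1;
"""

# Constructed sample data: Sally Sue is a graduate student AND an employee.
SAMPLE = [
    ("INSERT INTO person VALUES (?,?)",
     [(1001, "Sally Sue"), (1002, "Bob Banner"), (1003, "Fay Former")]),
    ("INSERT INTO enrollment VALUES (?,?,?)",
     [(1001, "201080", "ENROLLED"), (1003, "200980", "FORMER")]),
    ("INSERT INTO employment VALUES (?,?,?)",
     [(1001, "GRAD_ASSISTANT", 1), (1002, "STAFF", 1)]),
    ("INSERT INTO external_username VALUES (?,?,?)",
     [(1001, "STUDENT", "ssue@catamount"), (1001, "NONSTUDENT", "ssue@wcu"),
      (1002, "NONSTUDENT", "bbanner@wcu"), (1003, "STUDENT", "fformer@catamount")]),
]


def build_db():
    """In-memory database loaded with the constructed schema and rows."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    for sql, rows in SAMPLE:
        con.executemany(sql, rows)
    return con


def members(con, role):
    """The slide's query: (PIDM, Role, AD external username) for one Role."""
    return con.execute(
        "SELECT pidm, role, external_username FROM role_membership "
        "WHERE role = ? ORDER BY pidm", (role,)).fetchall()


def usernames_for(con, pidm):
    """Every external username one person carries, one per role family."""
    return sorted(row[2] for row in con.execute(
        "SELECT * FROM role_membership WHERE pidm = ?", (pidm,)))


def set_enrollment(con, pidm, status):
    """Change the source of record; every consumer of the Role sees it at once."""
    con.execute("UPDATE enrollment SET status = ? WHERE pidm = ?", (status, pidm))
    con.commit()


if __name__ == "__main__":
    db = build_db()
    print(members(db, "ACTIVE_STUDENT"))
    print(usernames_for(db, 1001))
```

Because the Role lives in the view, withdrawing a student (`set_enrollment`) removes them from Blackboard, AD security groups and reports in one step, which is the "changed in ONE place" property the earlier slides emphasise.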

Page 18: How do all these roles fit with the larger picture?

(Diagram: Identity Management linking Banner and Other Systems)

With the foundation in place…

Page 19: Active Directory Outlook Properties Sync

Online Directory uses a Banner database view.

People review their information and send corrections to HR using an Online Correction Form.

Banner data feeds to Active Directory and Outlook Properties are updated.

Page 20

Oracle packages using DBMS_LDAP functionality are used for the updates behind the scenes...

Page 21

Outlook Properties provide the campus with reliable contact data, which can be consumed by other applications (such as the help desk ticketing system, Paw-Print, and Shibboleth).

(Example property shown: Supervisor Name)

Page 22: Manually Managed Roles

Method for managing roles that are not data driven from Banner.

Automation and management of these roles requires additional data to be stored in Oracle tables. The tables also provide audit information and access control.

Roles are managed by individual “owners”, who can assign “managers”. The owners and managers add/remove members, as defined by privilege assignments.

Examples:

• Committees

• Organizations

• Digital Millennium Copyright Act Offenders

• Registered Exchange Active Sync User
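The owner/manager model with privilege assignments and an audit trail, as an added Python illustration (not the presenters' Oracle table design): the class, privilege names and the rule that only an owner may appoint managers are assumptions chosen to match the slide's description.

```python
"""Manually managed roles with owners, managers and an audit trail.

Added example: one owner per role, owner appoints managers, owner and
managers add/remove members, and every attempt (granted or denied) is
recorded so the audit question "who changed this role, and when?" can be
answered.  Privilege names are assumptions for this example.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone


class NotAuthorized(Exception):
    pass


@dataclass
class ManagedRole:
    name: str
    owner: str
    managers: set = field(default_factory=set)
    members: set = field(default_factory=set)
    audit: list = field(default_factory=list)   # (timestamp, actor, action, subject)

    # --- privilege assignments -------------------------------------------
    def privileges(self, actor):
        """Privileges the actor holds on this role (constructed policy)."""
        if actor == self.owner:
            return {"ASSIGN_MANAGER", "ADD_MEMBER", "REMOVE_MEMBER", "VIEW"}
        if actor in self.managers:
            return {"ADD_MEMBER", "REMOVE_MEMBER", "VIEW"}
        if actor in self.members:
            return {"VIEW"}
        return set()

    def _log(self, actor, action, subject):
        self.audit.append((datetime.now(timezone.utc).isoformat(), actor, action, subject))

    def _require(self, actor, priv):
        # Denied attempts are logged too; they are the interesting audit events.
        if priv not in self.privileges(actor):
            self._log(actor, "DENIED:" + priv, None)
            raise NotAuthorized(f"{actor} lacks {priv} on role {self.name}")

    # --- operations ---------------------------------------------------------
    def assign_manager(self, actor, who):
        self._require(actor, "ASSIGN_MANAGER")
        self.managers.add(who)
        self._log(actor, "ASSIGN_MANAGER", who)

    def add_member(self, actor, who):
        self._require(actor, "ADD_MEMBER")
        self.members.add(who)
        self._log(actor, "ADD_MEMBER", who)

    def remove_member(self, actor, who):
        self._require(actor, "REMOVE_MEMBER")
        self.members.discard(who)
        self._log(actor, "REMOVE_MEMBER", who)

    def actions_by(self, actor):
        """Audit view: what one actor did (or tried to do) on this role."""
        return [action for (_, who, action, _) in self.audit if who == actor]


if __name__ == "__main__":
    role = ManagedRole("committee-curriculum", owner="owner1")
    role.assign_manager("owner1", "mgr1")
    role.add_member("mgr1", "user1")
    print(role.members, role.actions_by("mgr1"))
```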

Page 23

Automated AD Security Groups; Automated Distribution Groups (in progress)

With automated and manual roles in place…

Page 24

Additional building blocks and project components on the way…

Page 25: HR Intake/Outtake Interface

As individuals enter and exit HR positions, automated processes will provide accurate and timely account information (for create, terminate, and modify actions).

(Diagram: affiliation lifecycle)

Not Affiliated:

• No Affiliation with University

• Not a Student, Guest, or Employee

Affiliated:

• University Identity/Email

• Access to University Information Resources

Not Affiliated:

• No longer Affiliated with University

• No Access to University Information Systems

Position Change (Personnel Action) → Health Services, Gym Usage, Parking Permits, Library, Cat Card

Personnel action events will be consumed by other organization entities.
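An added example (not WCU's interface) of the lifecycle on this slide: a personnel action moves a person between Not Affiliated and Affiliated, the identity system derives the create / modify / terminate account action from that transition, and the event is published to the consumers the slide names. The action names, the consumer behaviour and the sample people are constructed; in particular, the example shows why termination of an employee who is also a student must yield a modify rather than a terminate.

```python
"""Affiliation lifecycle driven by personnel actions (added example).

create/terminate happen only on the Not Affiliated <-> Affiliated edges;
anything else is a modify.  Downstream consumers never decide affiliation
themselves; they only consume the event.  Names and data are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

CONSUMERS = ("Health Services", "Gym Usage", "Parking Permits", "Library", "Cat Card")


@dataclass
class Identity:
    pidm: int
    affiliations: Set[str] = field(default_factory=set)   # e.g. {"STUDENT", "EMPLOYEE"}
    position: Optional[str] = None

    @property
    def affiliated(self) -> bool:
        return bool(self.affiliations)


def account_action(was_affiliated: bool, is_affiliated: bool) -> str:
    if not was_affiliated and is_affiliated:
        return "create"
    if was_affiliated and not is_affiliated:
        return "terminate"
    return "modify"


def apply_personnel_action(ident: Identity, action: str, position: Optional[str] = None) -> dict:
    """Apply one HR event to the identity and return the event consumers receive."""
    was = ident.affiliated
    if action == "HIRE":
        ident.affiliations.add("EMPLOYEE")
        ident.position = position
    elif action == "POSITION_CHANGE":
        if "EMPLOYEE" not in ident.affiliations:
            raise ValueError(f"pidm {ident.pidm} is not an employee")
        ident.position = position
    elif action == "TERMINATE":
        # Only the employee affiliation ends; a student affiliation survives.
        ident.affiliations.discard("EMPLOYEE")
        ident.position = None
    else:
        raise ValueError(f"unknown personnel action {action!r}")
    return {
        "pidm": ident.pidm,
        "personnel_action": action,
        "account_action": account_action(was, ident.affiliated),
        "affiliated": ident.affiliated,
        "position": ident.position,
    }


ConsumerState = Dict[str, Dict[int, bool]]   # consumer -> pidm -> has access


def publish(event: dict, state: ConsumerState) -> ConsumerState:
    """Fan the event out; each consumer keeps only a local access flag."""
    for consumer in CONSUMERS:
        state.setdefault(consumer, {})[event["pidm"]] = event["affiliated"]
    return state


def run(identities: Dict[int, Identity], events: List[tuple]) -> Tuple[list, ConsumerState]:
    """Replay events in order; returns (account actions taken, consumer state)."""
    state: ConsumerState = {}
    actions = []
    for pidm, action, position in events:
        ev = apply_personnel_action(identities[pidm], action, position)
        actions.append((pidm, ev["account_action"]))
        publish(ev, state)
    return actions, state


def sample_identities() -> Dict[int, Identity]:
    # Constructed: 1001 has no affiliation yet; 1002 is already a student.
    return {1001: Identity(1001), 1002: Identity(1002, {"STUDENT"})}


SAMPLE_EVENTS = [
    (1001, "HIRE", "Analyst"),
    (1001, "POSITION_CHANGE", "Senior Analyst"),
    (1002, "HIRE", "Student Worker"),
    (1002, "TERMINATE", None),
    (1001, "TERMINATE", None),
]

if __name__ == "__main__":
    print(run(sample_identities(), SAMPLE_EVENTS))
```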

Page 26: Non-Person Account Management

Establishment of a practice for managing non-person accounts. These accounts must receive approval and have a WCU sponsor.

Examples of these accounts are email accounts for various groups such as Athletics ([email protected]) and departments ([email protected]).

Page 27: Campus Security Request Process

Provide users on campus one method/location for requesting additional security and authorization to university systems and resources.

(Diagram: requesting units such as Provost Office, Finance, Facilities)

Page 28

Along the way there have been some internal automations that have streamlined IT processes.

o Managing INB Users

o Managing Banner Security

o Banner Self-Service Password Changer (AD authentication for INB accounts)

o Help Desk unlock of Banner Accounts

o Reports

Page 29

Identity role definitions, automated processes, and better internal and external procedures … help us move toward our future goal of Role Based Access.

Page 30: Taking a moment for lessons learned…

Page 31: Challenges….

Culture change is necessary… and sometimes very difficult to achieve.

Ownership and governance must belong to the stakeholders. (Not an IT problem!)

It is time consuming to review and define the various organizational business entities.

There are some tough issues to tackle (for example, account management of non-person accounts).

Processes have to be set up for managing identities.

Boundaries, for how groups can and can’t be used, need to be defined and enforced.

Page 32: Rewards….

Removing bad data and standardizing data definitions provides better access for data consumption.

As data consumption increases, it is easier to identify and resolve problems.

Paves the way to help identify business processes that need to be reviewed and refined.

Readily highlights auditing concerns.

Systems that are not automated immediately can still utilize role information by seeing a person’s role information and adjusting local security to fit the roles.

Provides framework for retiring old systems and implementing new systems.

Page 33: Following the 3 P’s to success….

Proactive:

• looking at campus-wide scope for 1 – 10 years down the road

• reviewing institutional business level processes

Process:

• creating well-defined procedures

• implementing data driven events

Prevention:

• decreasing resource issues through greater efficiencies

• removing frustrations due to old, outdated business processes

• warding off security threats and problems with solid role-based identity

Page 34: … climbing on…

Page 35: Identity and Access Management – Group Management

Jan Tax, UNC Chapel Hill

Page 36: Background

o UNC-CH has a heterogeneous IAM environment

o Centrally managed directories and authentication:

• OpenLDAP, Kerberos, Shibboleth SSO

• Active Directory

• Oracle OID and OSSO

o Distributed/school/departmental directories and authentication systems

o Lots of changes going on

• new ERP

• Email shift from in-house IMAP to Exchange and Live@Edu

o Want to have consistency across environments (and to reduce the number of environments over time!)

Page 37: Central IdM system

Person data is managed by a homegrown system that aggregates data from multiple sources

o Inbound connectors

• Bio/demo data – PeopleSoft is single source

• Affiliation data – multiple sources (for now): Pre-Student/Student – 20+ categories; Faculty/Staff – 5 subcategories; Affiliates – 10 subcategories

o Outbound connectors

• OpenLDAP – white pages, applications

• Active Directory – Exchange, applications

• Oracle Internet Directory – Calendar, AppServer

Page 38: Authorization

Access decisions can be based on a person’s attributes …

• Classification (faculty/staff/student)

• Department

• Entitlements

… or on memberships in groups

• Automatic (members defined by a filter or expression)

• Manual (members managed by a person)

• Composite

Groups are a very versatile mechanism
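The three group kinds on this slide, worked through in Python as an added example (not UNC-CH's data and not Grouper's API): automatic groups are evaluated from a filter over person attributes, manual groups hold an explicitly maintained member list, and composite groups combine two groups by union, intersection or complement, which is the set logic a toolkit like Grouper performs. The person records, filters and group names are constructed; the base DN `ou=groups,dc=unc,dc=edu` is the one shown later in the deck, and the `groupOfNames`-style entry layout is an assumption.

```python
"""Automatic, manual and composite groups with LDAP provisioning (added example)."""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Union

# Constructed person records keyed by uid; attribute names follow the slide.
PEOPLE: Dict[str, dict] = {
    "afac": {"classification": "faculty", "department": "CS",   "entitlements": {"vpn"}},
    "bfac": {"classification": "faculty", "department": "MATH", "entitlements": set()},
    "cstf": {"classification": "staff",   "department": "CS",   "entitlements": {"vpn"}},
    "dstu": {"classification": "student", "department": "CS",   "entitlements": set()},
}

BASE_DN = "ou=groups,dc=unc,dc=edu"


@dataclass(frozen=True)
class AutomaticGroup:
    """Members are whoever currently satisfies the filter expression."""
    name: str
    filter: Callable[[dict], bool]


@dataclass(frozen=True)
class ManualGroup:
    """Members are maintained by a person (owner/manager)."""
    name: str
    members: FrozenSet[str]


@dataclass(frozen=True)
class CompositeGroup:
    """Set combination of two groups: 'union', 'intersection' or 'complement'."""
    name: str
    op: str
    left: "Group"
    right: "Group"


Group = Union[AutomaticGroup, ManualGroup, CompositeGroup]


def members(group: Group, people: Dict[str, dict]) -> FrozenSet[str]:
    """Evaluate a group against the current person data."""
    if isinstance(group, AutomaticGroup):
        return frozenset(uid for uid, attrs in people.items() if group.filter(attrs))
    if isinstance(group, ManualGroup):
        # A manually listed uid that no longer exists in the directory is dropped,
        # so a departed person cannot linger in a hand-maintained group.
        return group.members & frozenset(people)
    left, right = members(group.left, people), members(group.right, people)
    if group.op == "union":
        return left | right
    if group.op == "intersection":
        return left & right
    if group.op == "complement":
        return left - right
    raise ValueError(f"unknown composite op {group.op!r}")


def ldap_entry(group: Group, people: Dict[str, dict]) -> dict:
    """What an LDAP connector would write for the group (assumed entry layout)."""
    return {
        "dn": f"cn={group.name},{BASE_DN}",
        "member": sorted(f"uid={uid},ou=people,dc=unc,dc=edu" for uid in members(group, people)),
    }


# Constructed group definitions in the three styles from the slide.
FACULTY = AutomaticGroup("faculty", lambda a: a["classification"] == "faculty")
STAFF = AutomaticGroup("staff", lambda a: a["classification"] == "staff")
CS_DEPT = AutomaticGroup("dept-cs", lambda a: a["department"] == "CS")
ON_LEAVE = ManualGroup("on-leave", frozenset({"afac", "gone"}))   # 'gone' has left the directory
EMPLOYEES = CompositeGroup("employees", "union", FACULTY, STAFF)
CS_EMPLOYEES = CompositeGroup("cs-employees", "intersection", EMPLOYEES, CS_DEPT)
CS_ACTIVE = CompositeGroup("cs-employees-active", "complement", CS_EMPLOYEES, ON_LEAVE)

if __name__ == "__main__":
    for g in (EMPLOYEES, CS_EMPLOYEES, CS_ACTIVE):
        print(ldap_entry(g, PEOPLE))
```

Because every composite is re-evaluated from the source data, removing a person from `PEOPLE` removes them from every derived group at once, which is the "timely removal" benefit the next slide lists for central group management.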

Page 39: Groups Management

o Want to manage groups centrally, not have locally managed groups in each environment

• Reduces security risk (timely removal)

• Increases productivity (timely access)

o Ideally, a single point of management for the enterprise

o Allow delegation for managing groups as much as possible

o Provide consistent replication of groups data across different directories/environments/applications

Page 40: Grouper

o Internet2 Middleware project – a toolkit for managing groups (http://grouper.internet2.edu)

o Integrates with an existing Identity Management system

o Handles the set logic used to combine groups

o Flexible configuration for sources – JDBC, JNDI

o Create/maintain groups with SQL queries

o LDAP connector to provision directories

o Access to group data with Web Services, .NET, PHP

o Command line interface to Java API & tools

o Lite UI delivered with product can be reskinned

Page 41: Grouper @ UNC-CH

Grouper is used to provision groups to the two main directory systems:

• ldap.unc.edu: ou=groups,dc=unc,dc=edu

• ad.unc.edu: ou=groups,ou=identity,dc=ad,dc=unc,dc=edu

o MDG_ distribution groups

o MSG_ security groups

Existing uses of LDAP groups managed by Grouper:

• Carolina Content Management – Roles and content-specific rights

• Web Services Manager – Web services mapped to group of authorized clients

• Misc. Application Access Control – Determines what app. capabilities they have

• LDAP Access Control – Membership makes categories of directory data visible

Page 42: Case Study: Migrate ITS AppServer from Oracle to GlassFish

o Oracle AppServer had its own IAM environment

• Oracle SSO (OSSO) and Internet Directory (OID)

• Used OID groups for access control

o Move to GlassFish AppServer

• Supports groups for access control via LDAP realm concept, but requires LDAP authentication

• Desire to use Shibboleth SSO for authentication

o Process

• Move OID groups into Grouper and sync to LDAP

• Configure Shibboleth to pass specific group memberships to application

o Results

• GlassFish uses campus standards for access management

• Oracle SSO and OID are decommissioned

Page 43: Identity and Access Management – UNC Identity Federation Update

Steven Hopper, UNC-GA

Page 44: UNC Identity Federation Background

o August 2008

• Production federation (Shibboleth)

• 17 UNC institutions (Identity Providers)

• Inter-institutional Registration (Service Provider)

• WAYF

o Development federation for testing, etc.

Page 45: Existing Services

o Foundation for all system-wide application development.

o Examples include:

• GA Services (inter-institutional registration, exam proctoring, www.northcarolina.edu, ActiveCollab)

• RAMSeS (sponsored programs and research management tool from UNC-CH)

• SciQuest (eProcurement)

• VCL (Virtual Computing Lab at NCSU)

• MCNC/NCREN (Videoconference scheduling, network status tools, etc)

Page 46: Vendor Integration

o Encouraging vendors to Shibboleth-enable applications

o InCommon – vendors are hesitant to join

• Cost (upfront and recurring)

• Arduous joining process (legal)

• Want to pass joining costs back to UNC

• Often not feasible given tight implementation timelines

Page 47: Solution: Affiliates Federation

o Create a 3rd “Affiliates Federation” (Production, Development, Affiliates)

o Create a streamlined (and free) process for vendors to join

o Allows campus Identity Providers to have a separate “handle” when making attribute release decisions.

Page 48: Affiliates Federation Membership

o Current Members

• PeopleAdmin: HR Applicant Tracking

• SciQuest: eProcurement

o Prospective Members

• ZimRide: Car Pooling

• Qualtrics: Survey & Feedback Software

Page 49: Identity and Access Management – Questions?

Page 51: Identity and Access Management (Extra Slides if Needed)

Page 52: LDAP ties together Person and Groups data

(Diagram: DirectoryMaster (IdM) writes people data into ou=People; Grouper (IdM) reads people data from ou=People so they can be added to groups, and writes group data into ou=Groups)

Page 53: Populating LDAP with Person Data

(Diagram: Peoplesoft, HRIS, AffiliateWeb and EpaWeb feed DirectoryMaster (IdM) and its DB, which updates people data in ou=People)

Directory Master aggregates person data updates from various sources and synchronizes this data to the directory

Page 54: Populating LDAP with Groups Data

(Diagram: delegated Grouper users (admin/user) manage groups in Grouper (IdM), which reads people data from ou=People so they can be added to groups and updates group data in ou=Groups)

Grouper stores group information natively in a relational database, but also writes groups data to the directory…

Page 55: LDAP Person Attributes Delivered with Shib IdP

(Diagram: Browser/App ↔ Shib IdP (IdM) ↔ LDAP (ou=people, ou=groups))

IdP queries LDAP for person attributes

IdP queries LDAP for membership information

IdP synthesizes attribute isMemberOf from group membership and app config (e.g. limits to relevant groups)

IdP asserts combined person attributes, including isMemberOf

IdP uses person attributes directly, but releases only those configured for each application
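The flow on this slide, as an added Python example (not UNC-CH's IdP resolver or attribute-filter configuration): the IdP reads person attributes and group memberships from an LDAP-like store, synthesizes `isMemberOf`, and then asserts only the attributes configured for the requesting application, with `isMemberOf` limited to that application's relevant groups and nothing released to an application that has no policy. The directory contents, the SP entity IDs and the release rules are constructed.

```python
"""IdP-side attribute resolution and per-application release (added example)."""
from typing import Dict, List

# Constructed directory: ou=people attributes and ou=groups membership (uids).
PEOPLE: Dict[str, Dict[str, object]] = {
    "jdoe": {"uid": "jdoe", "mail": "jdoe@example.edu", "displayName": "J. Doe",
             "eduPersonAffiliation": ["staff", "member"], "department": "ITS"},
    "astu": {"uid": "astu", "mail": "astu@example.edu", "displayName": "A. Student",
             "eduPersonAffiliation": ["student", "member"], "department": "CS"},
}
GROUPS: Dict[str, List[str]] = {
    "cn=app-users,ou=groups,dc=unc,dc=edu":  ["jdoe", "astu"],
    "cn=app-admins,ou=groups,dc=unc,dc=edu": ["jdoe"],
    "cn=its-staff,ou=groups,dc=unc,dc=edu":  ["jdoe"],
}

# Constructed release policy keyed by SP entityID.  No entry means nothing
# is released (default deny).  'groups' limits isMemberOf to relevant groups.
RELEASE_POLICY = {
    "https://app.example.edu/shibboleth": {
        "attributes": {"uid", "isMemberOf"},
        "groups": {"cn=app-users,ou=groups,dc=unc,dc=edu",
                   "cn=app-admins,ou=groups,dc=unc,dc=edu"},
    },
    "https://survey.example.edu/shibboleth": {
        "attributes": {"mail", "eduPersonAffiliation"},
        "groups": set(),
    },
}


def resolve(uid: str) -> Dict[str, object]:
    """Person attributes plus isMemberOf synthesized from group membership."""
    if uid not in PEOPLE:
        raise KeyError(uid)
    attrs = dict(PEOPLE[uid])
    attrs["isMemberOf"] = sorted(dn for dn, uids in GROUPS.items() if uid in uids)
    return attrs


def release(uid: str, sp_entity_id: str) -> Dict[str, object]:
    """Attributes actually asserted to one application, per its policy."""
    policy = RELEASE_POLICY.get(sp_entity_id)
    if policy is None:
        return {}                              # unknown application: release nothing
    resolved = resolve(uid)
    released: Dict[str, object] = {}
    for name in policy["attributes"]:
        if name not in resolved:
            continue
        value = resolved[name]
        if name == "isMemberOf":
            # Only the groups this application is configured to see.
            value = [dn for dn in value if dn in policy["groups"]]
            if not value:
                continue                       # omit rather than assert an empty list
        released[name] = value
    return released


if __name__ == "__main__":
    print(resolve("jdoe"))
    print(release("jdoe", "https://app.example.edu/shibboleth"))
    print(release("jdoe", "https://survey.example.edu/shibboleth"))
```

The resolver sees every group the person belongs to; the filter is what keeps an unrelated membership such as `its-staff` from reaching an application that has no need for it.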