Unc cause 2010 Identity and Access Mgmt Panel
Transcript of Unc cause 2010 Identity and Access Mgmt Panel
Identity and Access Management
Updates on IAM in the System
Mark Scheible, NC State University
Lynn Franz, Western Carolina University
Jan Tax, UNC-Chapel Hill
Steven Hopper, UNC-GA
Introductions
Mark Scheible, Manager, Identity and Access Management, NC State University
Lynn Franz, Application Development & Data Management, Western Carolina University
Jan Tax, Identity and Access Management, UNC Chapel Hill
Steven Hopper, Director of Online Services & CTO for UNC Online, UNC General Administration
Identity and Access Management
“Identity Management has evolved to include policies, procedures and the broad spectrum of technologies required to establish institutional identity management (IdM) systems” – (EDUCAUSE IAM Working Group)
Identity and Access Management
• Identity Vetting & Proofing – making sure the information provided about an individual (e.g. name, DOB, address, phone number, degree(s) earned, etc.) is accurate and verified, and ensuring a credential is issued to the appropriate person
• Credentialing - the issuing of a “username and password” for authentication purposes
• Directories – database(s) containing information associated with individuals and resources (in this context, identity data or “attributes”)
• Authentication Services – used to authenticate someone (the login process)
• Authorization Services – used to determine what access an individual has to applications, resources, etc., based on who they are, or their membership in a group
Major areas of interest: Internet2 Middleware Diagram (figure)
Panel Discussion
• Identity Population Utilization (Lynn Franz)
• Group Management (Jan Tax)
• Federated Identity Management (Steven Hopper)
Each of our panelists will touch on a different aspect of IAM …
Identity and Access Management at
Western Carolina University
Where we started…
First decision: Banner is the data source of record. It drives access to IT resources and services.
One of the first tasks was to look at the various populations…
A solid understanding of organizational roles is key for creating and maintaining identity and
access management.
At the highest level, our data consisted of three populations. Each population consisted of further sub-categories.
STUDENT: Intending Student? Cullowhee Commuter? Currently Enrolled? Continuing? Former Student? Future Student? Which “Student”???
This foundation is the core of our Identity Management processing.
Group → Group Members → Further Sub-Group Memberships
We defined and created a scalable mechanism for identifying, creating, and managing those groups.
Role diagram: a Role is consumed by Security Groups and Distribution Lists, Reports, Databases, Luminis Roles, and Interfaces between data sources (on or off campus).
Each group, or Role, is defined in one location. The Role may be consumed in many places.
If the Role definition changes, it’s changed in ONE place. Consumption of the Role is not interrupted.
Role definitions are consistent across consumers.
Roles can be defined, re-defined, and sub-grouped. Meanwhile, the organization keeps rolling along…
Staff (Full/Part-Time)
Faculty
Graduate Assistant (Teaching and Lab)
Graduate Assistant (Non-Teaching, Non-Lab)
Student Worker
Hourly or Temporary Worker
Cullowhee Commuter
Guest or Consultant
We had to make another key decision…
Banner allows for one external username association with one individual. One individual may exist in multiple roles!
Should these have the same external username?
Example: Sally Sue is both a Graduate Student (@catamount) and an Employee (@wcu).
Student accounts (email hosted off campus) and Non-Student accounts (email hosted on site) would have unique external usernames. Both are provisioned in Active Directory. A Banner mod was necessary for this association.
This simple SQL statement returns the Active Student member information (Banner PIDM, Role, Active Directory External Username).
The Blackboard integration components can be easily associated using a single point of reference for group membership…
How do all these roles fit with the larger picture? (diagram: Identity Management linking Banner and Other Systems)
With the foundation in place…
Active Directory Outlook Properties Sync
Online Directory uses a Banner database view.
People review their information and send corrections to HR using an Online Correction Form.
Banner data feeds to Active Directory and Outlook Properties are updated.
Oracle packages using DBMS_LDAP functionality are used for the updates behind the scenes...
Outlook Properties provide the campus with reliable contact data, which can be consumed by other applications (such as the help desk ticketing system, Paw-Print, and Shibboleth).
Supervisor Name
Manually Managed Roles: a method for managing roles that are not data driven from Banner.
Automation and management of these roles requires additional data to be stored in Oracle tables. The tables also provide audit information and access control.
Roles are managed by individual “owners”, who can assign “managers”. The owners and managers add/remove members, as defined by privilege assignments.
Examples of manually managed roles: Committees; Organizations; Digital Millennium Copyright Act Offenders; Registered Exchange Active Sync User
Automated AD Security Groups; Automated Distribution Groups (in progress)
With automated and manual roles in place…
Additional building blocks and project components on the way…
HR Intake/Outtake Interface
As individuals enter and exit HR positions, automated processes will provide accurate and timely account information (for create, terminate, and modify actions).
Not Affiliated: • No Affiliation with University • Not a Student, Guest, or Employee
Affiliated: • University Identity/Email • Access to University Information Resources
Not Affiliated: • No longer Affiliated with University • No Access to University Information Systems
Position Change (Personnel Action) → Health Services, Gym Usage, Parking Permits, Library, Cat Card
Personnel action events will be consumed by other organization entities.
Non-Person Account Management
Establishment of a practice for managing non-person accounts. These accounts must receive approval and have a WCU sponsor.
Examples of these accounts are email accounts for various groups such as Athletics ([email protected]) and departments (
Campus Security Request Process
Provide users on campus one method/location for requesting additional security and authorization to university systems and resources.
Provost Office, Finance, Facilities
Along the way there have been some internal automations that have streamlined IT processes.
o Managing INB Users
o Managing Banner Security
o Banner Self-Service Password Changer (AD authentication for INB accounts)
o Help Desk unlock of Banner Accounts
o Reports
Identity role definitions, automated processes, and better internal and external procedures … help us move toward our future goal of Role Based Access.
Taking a moment for lessons learned…
Challenges….
Culture change is necessary… and sometimes very difficult to achieve.
Ownership and governance must belong to the stakeholders. (Not an IT problem!)
It is time consuming to review and define the various organizational business entities.
There are some tough issues to tackle (for example, account management of non-person accounts).
Processes have to be set up for managing identities.
Boundaries, for how groups can and can’t be used, need to be defined and enforced.
Rewards….
Removing bad data and standardizing data definitions provides better access for data consumption.
As data consumption increases, it is easier to identify and resolve problems.
Paves the way to help identify business processes that need to be reviewed and refined.
Readily highlights auditing concerns.
Systems that are not automated immediately can still utilize role information by seeing a person’s role information and adjusting local security to fit the roles.
Provides framework for retiring old systems and implementing new systems.
Following the 3 P’s to success….
Proactive:
• looking at campus-wide scope for 1 – 10 years down the road
• reviewing institutional business level processes
Process:
• creating well-defined procedures
• implementing data driven events
Prevention:
• decreasing resource issues through greater efficiencies
• removing frustrations due to old, outdated business processes
• warding off security threats and problems with solid role-based identity
… climbing on…
Identity and Access Management
Group Management
Jan Tax, UNC Chapel Hill
Background
o UNC-CH has a heterogeneous IAM environment
o Centrally managed directories and authentication:
  • OpenLDAP, Kerberos, Shibboleth SSO
  • Active Directory
  • Oracle OID and OSSO
o Distributed/school/departmental directories and authentication systems
o Lots of changes going on
  • new ERP
  • Email shift from in-house IMAP to Exchange and Live@Edu
o Want to have consistency across environments (and to reduce the number of environments over time!)
Central IdM system
Person data is managed by a homegrown system that aggregates data from multiple sources
o Inbound connectors
  • Bio/demo data – PeopleSoft is single source
  • Affiliation data – multiple sources (for now)
    • Pre-Student/Student – 20+ categories
    • Faculty/Staff – 5 subcategories
    • Affiliates – 10 subcategories
o Outbound connectors
  • OpenLDAP – white pages, applications
  • Active Directory – Exchange, applications
  • Oracle Internet Directory – Calendar, AppServer
Authorization
Access decisions can be based on a person’s attributes …
  • Classification (faculty/staff/student)
  • Department
  • Entitlements
… or on memberships in groups
  • Automatic (members defined by a filter or expression)
  • Manual (members managed by a person)
  • Composite
Groups are a very versatile mechanism
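The three group kinds above (automatic, manual, composite), and WCU's point that a role is defined once and consumed everywhere, can be worked through on a small constructed data set. This is an added illustration, not code from the panel, from Grouper or from Banner; the people, departments, group names and the set-logic operations are assumptions.

```python
from dataclasses import dataclass

# Constructed identity records, the kind of attributes a central IdM
# aggregates (hypothetical people and departments).
PEOPLE = {
    "sally": {"classification": "student", "dept": "CHEM", "status": "active"},
    "bob":   {"classification": "faculty", "dept": "CHEM", "status": "active"},
    "dana":  {"classification": "staff",   "dept": "ITS",  "status": "active"},
    "alum":  {"classification": "student", "dept": "CHEM", "status": "former"},
}

@dataclass
class Group:
    name: str
    kind: str            # "automatic", "manual" or "composite"
    rule: object         # filter function / member list / (op, left, right)

def members(g: Group, groups: dict) -> set:
    """Resolve one group's membership against the current PEOPLE data."""
    if g.kind == "automatic":   # members defined by a filter expression
        return {uid for uid, p in PEOPLE.items() if g.rule(p)}
    if g.kind == "manual":      # members maintained by a person (owner/manager)
        return set(g.rule) & set(PEOPLE)
    op, left, right = g.rule    # composite: set logic over two other groups
    a, b = members(groups[left], groups), members(groups[right], groups)
    return {"union": a | b, "intersection": a & b, "complement": a - b}[op]

GROUPS = {g.name: g for g in [
    Group("chem:members", "automatic",
          lambda p: p["dept"] == "CHEM" and p["status"] == "active"),
    Group("active:students", "automatic",
          lambda p: p["classification"] == "student" and p["status"] == "active"),
    # Manual list: a lab manager maintains who completed safety training.
    Group("chem:lab-safety-trained", "manual", ["sally", "bob", "alum"]),
    # Defined once, consumed everywhere: trained AND currently in CHEM, so a
    # former member drops out automatically when affiliation data changes.
    Group("chem:lab-access", "composite",
          ("intersection", "chem:lab-safety-trained", "chem:members")),
    Group("chem:students", "composite",
          ("intersection", "chem:members", "active:students")),
]}

def resolve(name: str) -> set:
    """Membership of a named group as a consumer (AD, LDAP, an app) sees it."""
    return members(GROUPS[name], GROUPS)

if __name__ == "__main__":
    for name in GROUPS:
        print(f"{name:26} {sorted(resolve(name))}")
```

Because the composite is re-evaluated from source data, the manually maintained training list never has to be cleaned up for the departed member to lose lab access, which is the "timely removal" benefit the next slide claims for central group management.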
Groups Management
o Want to manage groups centrally, not have locally managed groups in each environment
  • Reduces security risk (timely removal)
  • Increases productivity (timely access)
o Ideally, a single point of management for the enterprise
o Allow delegation for managing groups as much as possible
o Provide consistent replication of groups data across different directories/environments/applications
Grouper
o Internet2 Middleware project – a toolkit for managing groups (http://grouper.internet2.edu)
o Integrates with an existing Identity Management system
o Handles the set logic used to combine groups
o Flexible configuration for sources – JDBC, JNDI
o Create/maintain groups with SQL queries
o LDAP connector to provision directories
o Access to group data with Web Services, .NET, PHP
o Command line interface to Java API & tools
o Lite UI delivered with product can be reskinned
Grouper @ UNC-CH
Grouper is used to provision groups to the two main directory systems:
  • ldap.unc.edu: ou=groups,dc=unc,dc=edu
  • ad.unc.edu: ou=groups,ou=identity,dc=ad,dc=unc,dc=edu
    o MDG_ distribution groups
    o MSG_ security groups
Existing uses of LDAP groups managed by Grouper
  • Carolina Content Management – Roles and content-specific rights
  • Web Services Manager – Web services mapped to group of authorized clients
  • Misc. Application Access Control – Determines what app. capabilities they have
  • LDAP Access Control – Membership makes categories of directory data visible
Case Study: Migrate ITS AppServer from Oracle to GlassFish
o Oracle AppServer had its own IAM environment
  • Oracle SSO (OSSO) and Internet Directory (OID)
  • Used OID groups for access control
o Move to GlassFish AppServer
  • Supports groups for access control via LDAP realm concept, but requires LDAP authentication
  • Desire to use Shibboleth SSO for authentication
o Process
  • Move OID groups into Grouper and sync to LDAP
  • Configure Shibboleth to pass specific group memberships to application
o Results
  • GlassFish uses campus standards for access management
  • Oracle SSO and OID are decommissioned
Identity and Access Management
UNC Identity Federation Update
Steven Hopper, UNC-GA
UNC Identity Federation Background
o August 2008
  • Production federation (Shibboleth)
  • 17 UNC institutions (Identity Providers)
  • Inter-institutional Registration (Service Provider)
  • WAYF
o Development federation for testing, etc.
Existing Services
o Foundation for all system-wide application development.
o Examples include:
  • GA Services (inter-institutional registration, exam proctoring, www.northcarolina.edu, ActiveCollab)
  • RAMSeS (sponsored programs and research management tool from UNC-CH)
  • SciQuest (eProcurement)
  • VCL (Virtual Computing Lab at NCSU)
  • MCNC/NCREN (videoconference scheduling, network status tools, etc.)
Vendor Integration
o Encouraging vendors to Shibboleth-enable applications
o InCommon – vendors are hesitant to join
  • Cost (upfront and recurring)
  • Arduous joining process (legal)
  • Want to pass joining costs back to UNC
  • Often not feasible given tight implementation timelines
Solution: Affiliates Federation
o Create a 3rd “Affiliates Federation” (alongside Production and Development)
o Create a streamlined (and free) process for vendors to join
o Allows campus Identity Providers to have a separate “handle” when making attribute release decisions.
Affiliates Federation Membership
o Current Members
  • PeopleAdmin: HR Applicant Tracking
  • SciQuest: eProcurement
o Prospective Members
  • ZimRide: Car Pooling
  • Qualtrics: Survey & Feedback Software
Identity and Access Management
Questions?
Contact Information:
Mark [email protected]
Lynn [email protected]
Steven [email protected]
Thank you!
Lightning Round?
Identity and Access Management
(Extra Slides if Needed)
LDAP ties together Person and Groups data (diagram)
• DirectoryMaster (IdM) writes to ou=people: updates people data in ou=People
• Grouper (IdM) reads ou=people (reads people data so they can be added to groups) and writes to ou=groups: updates group data in ou=Groups
Populating LDAP with Person Data (diagram)
• Sources: PeopleSoft, HRIS, AffiliateWeb, EpaWeb → DirectoryMaster (IdM) DB → LDAP (ou=people, ou=groups)
• Directory Master aggregates person data updates from various sources and synchronizes this data to the directory
Populating LDAP with Groups Data (diagram)
• Delegated Grouper users (Admin/user) → Grouper (IdM) DB → LDAP ou=groups: updates group data in ou=Groups; Grouper reads people data so they can be added to groups
• Grouper stores group information natively in a relational database, but also writes groups data to the directory…
LDAP Person Attributes Delivered with Shib IdP (diagram)
• Browser/App → Shib IdP (IdM) → LDAP (ou=people, ou=groups)
• IdP queries LDAP for person attributes and for membership information
• IdP synthesizes attribute isMemberOf from group membership and app config (e.g. limits to relevant groups)
• IdP asserts combined person attributes, including isMemberOf
• IdP uses person attributes directly, but releases only those configured for each application
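The last diagram, and the GlassFish case study's step of configuring Shibboleth to pass only specific group memberships, describe one flow: look the person up in ou=people, derive isMemberOf from ou=groups, then release only what each application is configured for. The following added example models that flow over constructed directory entries; it is not Shibboleth's code or UNC-CH's configuration, and the DNs, the group namespaces, the two service-provider names and the policy structure are all assumptions.

```python
# Constructed directory content in the shape the slides describe:
# ou=people holds person attributes, ou=groups holds group entries.
PERSON_DN = "uid=jdoe,ou=people,dc=unc,dc=edu"      # hypothetical user
PEOPLE = {
    PERSON_DN: {"uid": "jdoe", "mail": "jdoe@example.edu",
                "eduPersonAffiliation": "staff", "department": "ITS",
                "telephoneNumber": "555-0100"},
}
GROUPS = {
    "cn=its:appserver:admins,ou=groups,dc=unc,dc=edu": {"member": [PERSON_DN]},
    "cn=cms:editors,ou=groups,dc=unc,dc=edu":
        {"member": [PERSON_DN, "uid=other,ou=people,dc=unc,dc=edu"]},
    "cn=hr:benefits-eligible,ou=groups,dc=unc,dc=edu": {"member": [PERSON_DN]},
}
# Per-application release policy (hypothetical SPs): which person attributes
# may leave the IdP, and which group namespace is relevant to that app.
SP_POLICY = {
    "glassfish-appserver": {"attributes": ["uid", "mail"], "group_prefix": "its:appserver:"},
    "carolina-cms": {"attributes": ["uid"], "group_prefix": "cms:"},
}

def is_member_of(person_dn: str) -> list:
    """Query ou=groups for every group that names this DN as a member."""
    names = []
    for dn, entry in GROUPS.items():
        if person_dn in entry.get("member", []):
            names.append(dn.split(",")[0].split("=", 1)[1])   # cn value only
    return sorted(names)

def build_assertion(person_dn: str, sp: str) -> dict:
    """Combine person attributes with a synthesized isMemberOf, then apply the
    SP's release policy so each application only sees what it is configured for."""
    policy = SP_POLICY[sp]
    person = PEOPLE[person_dn]
    released = {a: person[a] for a in policy["attributes"] if a in person}
    # Limit isMemberOf to the groups relevant to this app; hr:* never leaves.
    groups = [g for g in is_member_of(person_dn) if g.startswith(policy["group_prefix"])]
    if groups:
        released["isMemberOf"] = groups
    return released

if __name__ == "__main__":
    for sp in SP_POLICY:
        print(sp, build_assertion(PERSON_DN, sp))
```

The point to check in a real deployment is the same as in the toy: an application that only needs an admin-group flag should never receive the user's full group list or unrelated attributes such as telephoneNumber.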