MIT Case Study Notes Paul B. Hill


Technical and Policy Requirements for Authentication Arising in Interboundary Work
MIT Case Study Notes
Paul B. Hill

Setting context
- MIT is a private institution
- We don’t have a medical school…
- We are a Sakai partner…
- We have one Kerberos realm that is accepted by the financial system…
- Virtually all users have X.509 certificates…
- We have researchers at many medical schools and hospitals
- But the business school created its own LMS
- X.509 certificates are used for web authentication. Not for S/MIME, not for long-term encryption, not for VPN authentication, not for PKINIT, no use of tokens for multifactor authentication
9/11/2019 2

Kerberos is primary authentication for…
- Initial login on many machines
- Email
- IM (Jabber and Zephyr)
- SAP financial system
- File systems
- Remote shells
- All Library Journals
- MIT theses (non-MIT personnel are charged for access)
- WebSIS – Online Student Information System
- Lotteries – Campus ‘lotteries’, e.g., Housing, Phys. Ed.
- Obtaining an MIT user certificate
- Educational discounts for computer purchases
- Access to MIT-only web pages
- Ability to download MIT licensed software
- Sloan’s web portal

Identifiers at MIT
- MIT ID card
- MIT ID number
- Athena Kerberos principal name
- X.509 certificates for users
- UUID
- WIN SID
- WIN Kerberos principal name
- IDs created by Departments, Labs, and Centers (DLCs)

Who can get an MIT ID card?
- Incoming Students
- Special and Cross-Registered Students
- Employees
- Spouses and Partners
- Alumni
- Visiting Scholars and Post-Doctoral Associates
- Unofficial Members of the MIT community, e.g. contractor
http://web.mit.edu/mitcard/getcard.html

Who can get an MIT ID number?
- Issuers
  - Human Resources
  - Registrar
  - IS&T Accounts office
- Students, Faculty, Staff, Contractors, Visiting Scholars, Post-Doctoral Associates, Affiliates, Contractors, Guests

What is an MIT ID number?
The MIT ID number is a unique identifier for people in MIT Information Technology (I/T) systems. Having an MIT ID number does not in itself provide any status, relationship, access, responsibility, or privileges. These are conferred and defined by the Institute business processes for which I/T systems exist. Thus who has an MIT ID number is defined by the MIT businesses. The system of record of all MIT ID numbers is the MIT ID server operated by IS&T.

Who can get an Athena Kerberos ID?
- All MIT community members (faculty, students, and staff) are entitled to have a Kerberos ID.
- If you know your MIT ID number, you can obtain a Kerberos ID via the web
- “A sponsored guest account is required for voucher or temp staff, former students or staff who are no longer eligible but need continuing access to their account, as well as visitors who need an MIT electronic identity”
- Account can be sponsored by any current member of the MIT faculty or staff, but not students
- Guest accounts are valid for up to 2 years and easily renewed

Sponsoring a guest account

Deactivation
- MIT ID cards expire
- MIT ID numbers are immutable and do not expire
- Athena Kerberos principal names do get deactivated

How Kerberos IDs are deactivated
- Automatically in January after the graduation of a student in the prior year.
- Manually when notice is received from HR that an employee has been terminated.
- Manually when a guest’s sponsor does not respond to a renewal request.
- Almost never for faculty.

Existing Kerberos demographics on campus (2005)

| Category | Current (MIT Fact Book ’05) | Number with Kerberos IDs |
|---|---|---|
| Faculty | 983 | 2473 |
| Staff | 9780 | 11156 |
| Undergrad | 4136 | 4697 |
| Grad | 6184 | 6777 |
| Guest | -- | 2415 |
| Other* | | 988 |

Total of 28,506 IDs as of 2/13/2005

*Other includes vouchers/temp (308), system accounts (245), pre-frosh (142), random project staff (214), etc.

Re-use or re-assignment
- MIT ID numbers do not get reassigned
- MIT ID numbers should get re-used by the same person (transitions or returns)
- Kerberos names used to get re-used and re-assigned; they no longer do

Identity at MIT
[Diagram of overlapping ovals; ovals not to scale. Labels:]
- People who have MIT Kerberos IDs – 28,500
- People who are MIT employees, students, or “official” visitors – approx. 21,000
- Small number of people who probably exist but we don’t know about (maybe null set)
- Approx. 3400 people who are “sponsored” but with unknown affiliation
- Hundreds of graduate students, plus a few staff who never got Kerberos IDs
- Former students, staff, etc. who still have Kerberos IDs – approx. 2500
- People who have MIT ID numbers (includes former students, spouses, alums, etc.) – 113,800

Getting started at MIT… post-docs and employees
- MIT ID number
  - Your ID number is automatically generated when Human Resources processes the paperwork for your appointment.
  - Your appointment papers are handled by the department/lab/center where you will be working.
- Account registration page will ask these users for their MIT ID number and their name

Getting started at MIT… students
- Student receives “MIT Kerberos / Athena Account Coupon” upon acceptance.
  - An assigned MIT ID number
  - Six unique keywords that the student will use to initially authenticate to the registration server
  - Instructions on how to use this information with the registration service to obtain a Kerberos principal name and choose a password

Getting started at MIT… guests
- Sponsor submits name, reason, and birth date to accounts office.
- Guest is provided with MIT ID number and directed to account registration page
- User is prompted for name and MIT ID number

Practices
- Password expiration – we don’t on most accounts
- Password reset
  - Photo ID in person at the account office
  - Self service via web form
  - Exceptional cases have been done over the phone
- Password analysis and policy
  - KDC evaluates the password (dictionary, history)
  - https://wserv.mit.edu/fcgi-bin/cpw