Campus Authentication: Identification Process and Related Policy
Tom Barton, University of Chicago & Internet2

4 June 2003, CAMP

Copyright Thomas J. Barton. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

Outline
- Identity management framework
- Roundup of ID management policy & process issues
- Sidebar on I&A
- Remote account initialization
- Jump in with questions & comments!

It's identity management, stupid!
Because an authentication process binds a person with an identity, and because the level of assurance of the authentication process, together with the attributes of that identity, forms the basis on which access is granted to the person, it follows that access control effectiveness is limited by identity management practice.
Three components of the whole system:
1. authentication process (Keith's talk)
2. identity management (main focus)
3. credential distribution (minor focus)

What identity management is
- Integration of information about constituents (and other actors) from multiple sources.
- Processes that transform source data, maintain information about assigned information resources, derive affiliation information, and place the resultant data where it can be of use.
- Locus for implementation of policies concerning the visibility and privacy of identity information, and of entitlement policies.
NB: One can still speak of identity management regardless of how extensively these are done.

What effective identity management does
- Simplifies what users must know to access online services.
- Enables the IT organization to efficiently provide a multitude of online services.
- Increases security.
- Enables online service for constituents earlier in their affiliation with us, wherever they are, and forever.
- Enables participation in new, inter-organizational, collaborative architectures.

Core middleware for an integrated architecture (diagram)

Source system identifiers
- Personal & fundamental identifiers
  - Feed the join process.
- Affiliations
  - Which source systems define which affiliations? How?
  - How do constituents become engaged in their various affiliations with the University? How disengaged?
- Associated attributes
  - Other attributes of value to online services.
  - How are they maintained, for what purposes? Are they reliable?
- Metadata
  - (De-)assignment process; persistence; visibility; versions; ...
  - What encumbrances, obligations, policies pertain?
  - Updatable (in the source system)?
Forever iterate over these considerations.

Registry identifiers
- Fundamental identifiers
  - Permanent guid.
  - Permanent pvid?
  - Versions?
  - All source & consumer identifiers, to enable the source join & consumer crosswalk.
- Derived identifiers
  - Username(s).
  - Attributes for provisioning processes.
  - Consumer specific?
- Affiliations
  - Course, program, org related identifiers & objects.
  - Group memberships.
  - Derived.
- Namespace issues
  - Multiple namespaces? For registry objects? For consumer systems?
  - Overloading.
  - Downstream format requirements.
All is hidden from view.

Consumer identifiers
- Fundamental identifiers
  - Persistence, visibility, opacity, ... Potential interaction with privacy policy.
  - Store/use pvid?
  - Choice of naming components (LDAP only).
- Representation of attributes
  - Application use cases.
  - Overloading & namespace collision. E.g., cn: name of person, name of group, name of ...; uid: orthogonal sets of usernames?
  - Consumer specific selection & transformation.
All is potentially exposed.

Service identifiers
Ability to use, or be provisioned with, a user identifier derived in the metadirectory is a requirement for integration into this architecture.
- Attribute schema
  - Conventions for syntax & semantics.
- Username & related namespace issues. Stresses on a common username space:
  - Least common denominator format requirements.
  - Number of persons assigned one (alums? parents? sibs? patrons? donors?).
  - Duration of assignment: forever?
  - Potential for shared administration of portions of the username space might drive creation of orthogonal namespaces. E.g., OS usernames, uids, gids with nss-ldap; University "guest" registration.

Identifier Discovery
Identify the identifiers, starting with key source systems and prevalent or important services.
- ID Mapping Table
  - Columns: ID name, primary use, who assigns, who gets one, where stored, format.
  - Characteristics: opaque/transparent, lucent?, reassignable?, revokable?, unique within.
More important than the technical details is the establishment of ongoing relationships between the architect and the people who assign and use fundamental identifiers.

Abbreviated ID Mapping Table

Fundamental ID     Who Assigns?         Who Gets One?
id                 Central IT           People
universal_userID   Central IT           People
uid                guest registrars     guests
                   Central IT           People
clusterID          Central IT           Shell account opt-ins
sisID              Registrar            Students & instructors
hrsID              HR                   Staff
frsID              Controller           Holders of budget roles
adsID              Marketing & Adv      Graduates, other donors
aprID              Provost              Faculty
operatorID         Controller           ERP security principals
patronID           Library              Library patrons

PS: Personal Identifiers
Who maintains name, birthday, SSN?
1. Registrar
2. Human Resources
3. Bursar
4. ID Office
5. Law School
6. University College
7. Library
8. Regents Online Degree Program
9. Central IT
10. Controller
11. Marketing & Advancement
12. Academic Personnel Records
13. Telecom/Network Services
14. Intensive English for Internationals
This is an irrational business practice!

Additional policy & process issues
How will the University operate its identity management infrastructure?
- What balance between centralized and distributed operation?
  - Registry: singular, centralized function.
  - Consumers: high degree of distribution possible.
  - Registration Authorities: small number??
- Who may have which role, with what authority & obligations?
- Leverages & extends existing data administration policies & processes, or begs for them if those are insufficient.
- Highly cross-functional activity demanding organizational flexibility.

Additional policy & process issues
What entitlements should attend each type of affiliation?
- "Major" affiliations: student, faculty, alum, ... Possibly former or recent student, faculty, ...?
- "Minor" affiliations: in course 123, in department X, in degree program Y, occupant of building Z, ...
- What processes should determine entitlements for each affiliation? How should affiliations be structured?

Additional policy & process issues
Who should be issued a credential? What assurance level should authentication for each constituency achieve? What constraints may pertain to each?
- Applicants (student, faculty, staff)
- Admitted students, accepted faculty or staff
- Alums
- Parents
- Library patrons
- Guests: visiting academics, conference attendees, hotel guests, arbitrary "friends", ...

Identification & Authentication (I&A)
- Often thought of as the process used by a Registration Authority to validate a person's identity, issue an appropriate credential, and distribute it to the person, as in "initial I&A procedure".
- Every PDP's (policy decision point's) access control decision depends on a chain of trust whose first link is I&A. Net assurance is no better than the trustworthiness of the weakest link.
- Work in progress at OMB & NIST to develop standards for "level of assurance" for various I&A methodologies. Watch.

Identification & Authentication (I&A)
- Not all users are likely to need the same level of assurance.
- Assurance requirements for some users may change over time.
- Not all relying parties will trust credentials issued by just any University, regardless of its self-asserted level of assurance.
→ Take the "initial" out of "initial I&A". The lifecycle of a binding between a person and an identity may touch I&A procedures more than once.
→ N.B. an identity may well contain more than one credential. Extreme e.g.: the "rational identity management" scenario ...

(Remote) account initialization
The problem: how to reasonably do initial I&A without requiring the physical presence of the person.
- Past experience at U Memphis made it undesirable to rely solely on information the remote person already knows (birthdate, SSN).
- Secondary requirement: autonomously handle a lost username or password for a remote user.
- Interim solution: the procedure about to be described.
- Long term solution: a less than fully resolved aspect of "rational identity management".

Account initialization: interim method
Crux: send by US Mail a rather opaque one-time secret, early in the process of engagement with the University.
- Use a guid generator to produce an "account initialization code". Example: 1951 K21V 674I V106 0L03. Resembles a license code. Difficult to memorize or guess, easy to transcribe.
- The code and birthday are used to identify the person on an identity management web site and enable them to claim a username, select a password, and set up security questions & …
- Currently in use for new faculty, soon for admitted students.
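The interim method above is, in effect, a mailed one-time bearer secret plus a low-entropy second factor (the birthday). The Python below is an added example, not code from the slides or from U Memphis; it shows the pieces a practitioner would want around that design: a code drawn from the OS CSPRNG rather than a general GUID generator (a GUID is unique, but not necessarily unpredictable), printed like the slide's example as five groups of four symbols, stored only as a hash, expiring, single-use, and checked together with the birthday under a per-code failure limit so that whoever intercepts the letter cannot guess the birthday at leisure. The names (Registry, Invitation, issue, claim), the 60-day lifetime, the failure limit, the in-memory store standing in for the person registry, and the transcription-friendly alphabet that drops 0/O and 1/I/L (the slide's own example code contains I and 0) are all assumptions for illustration.

```python
"""Mailed account-initialization code: issue, then claim with code + birthday.

Added example, not the slides' or U Memphis's code. The in-memory dict stands in
for the person registry; names, lifetimes and limits are assumptions.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import date, datetime, timedelta, timezone
from typing import Dict, Optional, Tuple

# Transcription-friendly alphabet: no 0/O and no 1/I/L (assumption; the slide's
# own example contains I and 0). 31 symbols x 20 positions ~ 99 bits of entropy.
ALPHABET = "23456789ABCDEFGHJKMNPQRSTUVWXYZ"
GROUPS, GROUP_LEN = 5, 4      # printed as "XXXX XXXX XXXX XXXX XXXX"
MAX_FAILURES = 5              # wrong-birthday attempts before a code is locked


def generate_code() -> str:
    """Draw the code from the OS CSPRNG (secrets), not from a GUID generator:
    a GUID is unique, but UUIDv1 is time+MAC and UUIDv4 need not be unguessable."""
    symbols = "".join(secrets.choice(ALPHABET) for _ in range(GROUPS * GROUP_LEN))
    return " ".join(symbols[i:i + GROUP_LEN] for i in range(0, len(symbols), GROUP_LEN))


def normalize(code: str) -> str:
    """Accept what a person types back: any case, spaces or dashes as separators."""
    return "".join(code.split()).replace("-", "").upper()


def code_hash(code: str) -> str:
    """Only a hash of the code is kept in the registry; the plaintext exists on
    the printed letter alone, so a registry dump does not yield usable codes."""
    return hashlib.sha256(normalize(code).encode("utf-8")).hexdigest()


@dataclass
class Invitation:
    guid: str            # registry person identifier the code is bound to
    birthday: str        # ISO date from the source system (HR / SIS)
    code_hash: str
    expires: datetime
    used: bool = False
    failures: int = 0


class Registry:
    def __init__(self) -> None:
        self._by_hash: Dict[str, Invitation] = {}

    def issue(self, guid: str, birthday: str, ttl_days: int = 60) -> str:
        """Create an invitation and return the plaintext code for the mailing."""
        birthday = date.fromisoformat(birthday).isoformat()  # validate source value
        code = generate_code()
        h = code_hash(code)
        expires = datetime.now(timezone.utc) + timedelta(days=ttl_days)
        self._by_hash[h] = Invitation(guid, birthday, h, expires)
        return code

    def claim(self, code: str, birthday: str) -> Tuple[str, Optional[str]]:
        """Web-site step: returns (status, guid); status is one of
        ok / invalid / expired / used / locked. On ok the caller may let the
        person pick a username and password for that guid."""
        inv = self._by_hash.get(code_hash(code))
        if inv is None:
            return "invalid", None        # unknown code; do not say which part failed
        if inv.used:
            return "used", None
        if datetime.now(timezone.utc) > inv.expires:
            return "expired", None
        if inv.failures >= MAX_FAILURES:
            return "locked", None         # holder of the letter keeps missing the birthday
        try:
            submitted = date.fromisoformat(birthday.strip()).isoformat()
        except ValueError:
            inv.failures += 1
            return "invalid", None
        if not hmac.compare_digest(submitted.encode(), inv.birthday.encode()):
            inv.failures += 1
            return "invalid", None
        inv.used = True                   # one-time: burn the code on success
        return "ok", inv.guid


if __name__ == "__main__":
    reg = Registry()
    letter_code = reg.issue("guid-0001", "1985-03-14")   # constructed sample person
    print("mailed code:", letter_code)
    print(reg.claim(letter_code.lower().replace(" ", "-"), "1985-03-14"))  # ('ok', 'guid-0001')
    print(reg.claim(letter_code, "1985-03-14"))                            # ('used', None)
```

The lookup is keyed by the hash of whatever the person typed, so the web site never needs a username before the claim; the birthday comparison and the failure counter are what stand between a stolen or misdelivered letter and a usable account, which is the weakness the slide's "less than fully resolved" remark points at.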

BoF Bait??