GatorAid: Identity Management at the University of Florida
Mike Conlon, Director of Data Infrastructure

Copyright Notice
Copyright Mike Conlon. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.
NMI-EDIT Consortium
- Comprises Internet2, EDUCAUSE, and SURA
- NSF Middleware Initiative (NMI), Enterprise and Desktop Integration Technologies (EDIT) Consortium
- Funded by the NSF Middleware Initiative (e-science and research)
- Researches and develops inter-institutional Identity and Access Management tools (Shibboleth, for example)
- Guided by MACE, the Middleware Architecture Committee for Education: a group of R&E IT architects from the US and Europe

One Slide About UF
- 49,000 students in Gainesville, FL
- 15,000 distance, continuing and executive students
- $2.0 billion annual budget; $475 million in research, growing at 9% per year; Health Sciences account for 58% of research
- 140 academic departments in 23 colleges
- Land grant: extension in all 67 counties
- The Gators, Lady Gators, Gatorade

One Slide About UF Technology
- 500 IT professionals across campus; very decentralized
- Estimated $90 million in annual IT spending
- Over 300 servers
- 30,000 devices on the open network
- AD, NDS, iPlanet, OpenLDAP, Kerberos
- Directory Project
- PeopleSoft implementation (Finance, HR, Warehouse, Portal)
Identity Management
Identity management is the authoritative association of people with identifiers (such as ID numbers and ID cards) and access credentials (such as usernames and passwords). It is fundamental to providing secure authentication and authorization services.

Old Process / New Process
- Old process: a system administrator gives out accounts on a local system. Varying degrees of local identity management, with no referencing across systems.
- New process: identity is established by trained coordinators and maintained centrally. Systems use authoritative sources for identity, credentials and authorization.

You Need a Directory
- Authentication, authorization and directory identified as key problems to solve at UF in August 2000
- Community effort to solve the directory problem at UF
- Sources for contact information; limited sharing
- Information Systems, Academic Technology, Health Science Center, Registrar and Data Center involved from the beginning
- UF read and studied the NMI documents: roadmap, early harvest, metadirectory practices, identifier mappings

What We Had to Work With
- GatorLink: Kerberos-based authentication mechanism since
- Unsponsored campus LDAP and NDS
- DB2-based registry of people information used by some administrative systems
- Many feeds to the registry, few from the registry
- Ad hoc integration
UF Directory Project
- Started an ad hoc planning group, August 2000
- Ken Klingenstein visit, April 2001
- Parallel effort to replace SSN merged, August 2001
- Finished report, September 2001
- Began implementation, October 2001
- Deployed new directory, January 23,

Directory Project Deliverables
- New registry: 140 tables
- New LDAP schema (eduPerson, eduOrg)
- New IDs: UFID and UUID
- GatorLink tied to UFID
- 50,000 new Gator One cards
- 1,500 applications modified
- New self-service apps
- New directory coordinator apps
- New APIs for directory-enabling business processes
- 800 directory coordinators identified and trained

UF Directory Architecture
- Three major interfaces
- One data store
- One set of APIs
- About 50 message queues
- Each app receives consistent data

Directory Coordinators Establish Identity
- Each new faculty or staff member is entered into the directory by their local directory coordinator. This creates a new directory entry with a new UFID.
- Student UFIDs are created by directory processes initiated by the Registrar.
- HR and the Registrar update the authoritative values for registry attributes.
Goals for Authentication Services
- Tie authentication to identity: all system access should be attributable to a UFID
- Provide a single-credential (GatorLink) environment, regardless of access technology
- Support enterprise system sign-on, LAN sign-on and web sign-on with the same credential and the same support for identity attribution

Five Projects
- Web Initial Sign On, 2002/2003
- Portal, 2002/2003
- Password Management, 2003/2004
- UF Active Directory, 2004/2005
- Account Management

Web Initial Sign On (WebISO) at UF
- UF developed a local WebISO solution in 1998: GLAuth
- GLAuth provides a secure, cookie-based, Kerberos-authenticated system
- GLAuth is simple to install on Apache web servers (Linux and Windows)
- Legacy SIS and admin applications use GLAuth, providing single-credential access to these systems
- In 2002, GLAuth was augmented to support Windows; the portal, WebCT and Legacy Admin were integrated to use GLAuth
- Subsequently: grad school applications, athletic applications, career resource center, colleges and departments

Portal Implementation
- Implemented PeopleSoft/Oracle Enterprise Portal in 2002/2003
- Identity changes in the directory are synced into the portal and into HR and Finance for SSO
- The portal provides the GLAuth cookie for links to university services
- The portal provides the authorization platform for enterprise systems
Authorization Concept
- The directory has "affiliations" for each person
- Affiliations roll up to eduPerson affiliations and to a primary affiliation
- Affiliations imply authorizations
- Authorization is based on roles
- Some roles can be algorithmically determined from affiliations
- Additional roles are assigned by traditional access request processes
Entity, Role and Service
Role Management
- Roles are assigned algorithmically by processes that read the directory message queues
- Roles are also assigned on request, following university policy
- Department Security Coordinators use the portal Access Request System (ARS)
- Individuals can view their roles from the portal

My Roles
- Every portal user can access their role information using My Roles
- All roles are listed with descriptions

My Access History
- Every portal user can access their access history
- Suspicious access is referred to the university security team and potentially to law enforcement

Password Management
- Password management policies are determined by user roles: each role has a related password policy
- Five password policies govern reset, use of hints and password age
- Each user's GatorLink password management policy is the strongest policy required by the user's roles
- All GatorLink accounts have strong passwords
- Password changes are made using portal screens
- Kerberos, AD and NDS are updated in real time

UF Active Directory
- UFAD accounts are built from directory message queues
- Contact information in UFAD is populated from the directory
- UFAD accounts use GatorLink usernames and passwords
- OUs are populated based on the value of a "Network Managed By" attribute in the directory; directory coordinators assign the value
- Accounts are provisioned centrally; rights are managed locally
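The Authorization Concept and Password Management slides describe one chain: local affiliations roll up to eduPerson affiliations and a primary affiliation, affiliations imply roles, each role carries a password policy, and a user receives the strongest policy among their roles. The following is an added illustration of that chain, not code from UF or the GatorAid project; every table in it (affiliation rollup, role rules, policy names) is constructed, since the deck names none of UF's actual values.

```python
# Added example, not UF's code. Models the deck's rules: affiliation rollup to
# eduPerson values, roles implied by affiliations, and "strongest policy wins"
# across a user's roles. All tables are constructed for illustration.

# Constructed rollup of local directory affiliations to eduPersonAffiliation values.
EDUPERSON_ROLLUP = {
    "undergraduate": "student", "graduate": "student",
    "adjunct": "faculty", "professor": "faculty",
    "ops_staff": "staff", "payroll_clerk": "staff",
}
# Constructed precedence used to pick eduPersonPrimaryAffiliation.
PRIMARY_PRECEDENCE = ["faculty", "staff", "student"]

# Constructed rules: eduPerson affiliation -> roles derived algorithmically.
AFFILIATION_ROLES = {
    "student": {"webct_user"},
    "staff": {"portal_employee"},
    "faculty": {"portal_employee", "grade_entry"},
}
# Constructed role -> password policy ladder. The deck says five policies cover
# reset, hints and password age but does not name them, so these names are invented.
POLICY_RANK = {"basic": 0, "standard": 1, "elevated": 2, "privileged": 3, "critical": 4}
ROLE_POLICY = {
    "webct_user": "basic", "portal_employee": "standard", "grade_entry": "elevated",
    "hr_payroll_admin": "privileged",      # granted through ARS, not derived
    "directory_coordinator": "critical",   # granted through ARS, not derived
}

def edu_affiliations(local_affiliations):
    """Roll local affiliations up to the set of eduPerson affiliations."""
    return {EDUPERSON_ROLLUP[a] for a in local_affiliations if a in EDUPERSON_ROLLUP}

def primary_affiliation(local_affiliations):
    """Highest-precedence eduPerson affiliation, or None if the person has none."""
    edu = edu_affiliations(local_affiliations)
    return next((p for p in PRIMARY_PRECEDENCE if p in edu), None)

def derive_roles(local_affiliations, requested_roles=()):
    """Algorithmic roles from affiliations plus roles granted by access request."""
    roles = set(requested_roles)
    for aff in edu_affiliations(local_affiliations):
        roles |= AFFILIATION_ROLES[aff]
    return roles

def password_policy(roles):
    """Strongest policy required by any role; a role with no policy is a config error."""
    policies = [ROLE_POLICY[r] for r in roles]
    return max(policies, key=POLICY_RANK.__getitem__, default="basic")
```

A person who is both a graduate student and an adjunct ends up with the faculty primary affiliation and the "elevated" policy, because the grade_entry role outranks everything the student affiliation implies.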
Authentication Architecture
- Authentication begins with identity
- Automated processes populate the portal, HR and FI
- Portal login produces the cookie for WebISO
- Middleware updates the additional authentication services
- Kerberos, AD and NDS supported

Current Status
- All major enterprise systems (WebCT, WebMail, SIS, PeopleSoft, Legacy) use GatorLink authentication attributable to a UFID
- All major college/unit web sites use attributable authentication
- 25% of all desktops use attributable authentication (NDS and UFAD)
- By summer 2006, over 50% of desktops will use attributable authentication (full Health Science Center implementation)

Current Project: Account Management
- Create a formal lifecycle and state chart for GatorLink computer accounts
- Increase the name space from 8 to 16 characters
- Consolidate/replace legacy account management apps into the portal
- Introduce web services: account state changes will be available to subscribing service providers
- Go live mid-September 2005

Future Work
- Directory/identity integration with VoIP services
- Directory/identity integration with building access services
- PeopleSoft/Oracle Campus Community will be implemented, with go-live Summer 2006
- Legacy systems maintaining authorization information will be reimplemented using roles
- Direct access to the directory via APIs will be replaced with the messaging infrastructure
For More Information