CAMP Integration: Reflect & Join. A Case Study: The University of Texas Health Science Center at Houston. William A. Weems, Assistant Vice President, Academic Technology

Middleware makes the global sharing of resources invisible to users.

Increasingly, people must be able to exchange information in cyberspace easily and securely with "known" individuals, and to access restricted resources they "know" can be trusted, without struggling through numerous and onerous security processes.

"How do you prove you are who you say you are? How do you know that someone is legitimate in his or her dealings with you, and how do you get redress if things go wrong? If your identity is stolen and used fraudulently, or personal records are altered without your knowledge or permission, how do you prove that it was not you? It is difficult enough to verify someone's identity in the tangible world, where forgery, impersonation and credit card fraud are everyday problems related to authentication. Such problems take on a new dimension with the movement from face-to-face interaction to the faceless interaction of cyberspace."
Identity and Authentication, by Simon Rogerson

Ideally, each individual would have a single digital credential that can be used securely to authenticate his or her identity whenever authentication is required to secure a transaction.

UTHSC-H: An Identity Provider (IdP)
It is critical to recognize that the university functions as an identity provider (IdP): UTHSC-H issues individuals digital credentials, each consisting of an identifier and an authenticator. As an IdP, the university assumes specific responsibilities and liabilities.

Two Categories of Identity
- Physical identity (assigned identifier; the basis for authentication): facial picture, fingerprints, DNA sample.
- Identity attributes (the basis for authorization): common name, address, institutional affiliations (e.g. faculty, student, staff, contractor), specific group memberships, roles, etc.

Issuing a Digital Credential
The individual appears before an Identity Provider (IdP), which accepts the responsibility to:
- positively determine and catalog the person's uniquely identifying physical characteristics (e.g. picture, two fingerprints, DNA sample);
- assign a unique, everlasting digital identifier to each person identified;
- issue each identified person a digital credential that can be used only by that person to authenticate his or her identity;
- maintain a defined affiliation with each individual, whereby the validity of the digital credential is renewed at specified intervals.

Figure: Identity vetting and credentialing by the Identity Provider (IdP) uth.tmc.edu. The IdP obtains the person's physical characteristics, assigns an everlasting identifier that is permanently bound to the person and recorded in a permanent identity database, and issues a digital credential that only that person can activate.

The University of Texas System Strategic Leadership Council, Statement of Direction: Identity Management (April 27, 2004)
"The University of Texas System Information Technology Strategic Leadership Council agrees that deployment of a robust, secure, interoperable infrastructure for identity management in support of inter-institutional collaboration is a strategic goal. This infrastructure will be based upon the available standards and best practices:
- LDAP (Lightweight Directory Access Protocol) compliant directory services,
- the eduPerson schema as promulgated by EDUCAUSE and Internet2,
- a utperson schema (to be developed),
- inter-institutional access control utilizing Internet2 Shibboleth, and
- consistent institutional definitions and identity management trust policies for students, faculty, and staff as well as sponsored affiliates."

Figure: UTHSC-H Identity Management System. Sources of record (HRMS, SIS, GMEIS, Guest Management System, UTP) feed the Identity Reconciliation & Provisioning Processes, which maintain the Person Registry. The Person Registry populates the Authoritative Enterprise Directories, which are synced to Secondary Directories (labelled INDIS, OAC7 and OAC47 on the slide) and back the Authentication Service, the Authorization Service, and the User Administration Tools (Change Password, Attribute Management).

Person Registry: Identity Reconciliation
Matching uses the following data from each source of record:
- Unique identifiers generated by the source of record: SSN, if available (HRMS, GMEIS, UTP, Guest, SIS); Student ID; Employee Number (HRMS).
- Full name: first, middle, last.
- Birth information: date of birth, city of birth, country of birth.
- Gender.
Each reconciled person is assigned a UUID, an everlasting unique identifier.

Figure: Reconciliation decision flow for an incoming person record.
- Is the person new? Yes, if there are no identifier matches and no possible matches: add the person.
- Is it a single match? Yes, if the identifiers match one and only one person and there are no possible matches: update that person.
- Is it a possible or multiple match? Yes, if the identifiers match more than one person, and/or the name or birth information matches one or more persons: route to manual processing.

Database Schema
- Person table: UUID, date of birth, place of birth, country of birth, gender (male / female).
- Identifier table: ID name, ID value (one row per source-of-record identifier).
- Name table: first, middle, last.
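The reconciliation rules and schema above, worked through in code. This is an added example, not code from the UTHSC-H presentation: it models the Person, Identifier and Name tables as in-memory structures and applies the three-way decision (add / update / manual processing) exactly as the flowchart describes it. The class and function names, the source-system labels and the sample records are assumptions made for illustration.

```python
"""Identity reconciliation against a person registry (illustrative, not UTHSC-H code)."""
from __future__ import annotations

import uuid
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    ADD = "add"                   # no identifier, name or birth-information matches
    UPDATE = "update"             # identifiers match exactly one person, nothing else
    MANUAL = "manual processing"  # conflicting or merely possible matches


@dataclass(frozen=True)
class Name:
    first: str
    middle: str
    last: str


@dataclass
class Person:
    """One Person row plus its Name rows and Identifier rows (ID name, ID value)."""
    uuid: str                     # everlasting identifier, assigned once, never reused
    date_of_birth: str
    place_of_birth: str
    country_of_birth: str
    gender: str
    names: set[Name] = field(default_factory=set)
    identifiers: set[tuple[str, str]] = field(default_factory=set)


@dataclass(frozen=True)
class Record:
    """Incoming record from a source of record (HRMS, SIS, GMEIS, UTP, Guest)."""
    source: str
    identifiers: frozenset[tuple[str, str]]   # SSN present only if the source has it
    name: Name
    date_of_birth: str
    place_of_birth: str
    country_of_birth: str
    gender: str


def _norm(text: str) -> str:
    return " ".join(text.split()).casefold()


class Registry:
    def __init__(self) -> None:
        self.persons: dict[str, Person] = {}
        self.by_identifier: dict[tuple[str, str], str] = {}   # (ID name, ID value) -> UUID

    def _identifier_matches(self, rec: Record) -> set[str]:
        return {self.by_identifier[i] for i in rec.identifiers if i in self.by_identifier}

    def _possible_matches(self, rec: Record) -> set[str]:
        """Weaker evidence: same first/last name, or identical birth information."""
        hits = set()
        for p in self.persons.values():
            same_name = any(_norm(n.first) == _norm(rec.name.first)
                            and _norm(n.last) == _norm(rec.name.last) for n in p.names)
            same_birth = (p.date_of_birth == rec.date_of_birth
                          and _norm(p.place_of_birth) == _norm(rec.place_of_birth)
                          and _norm(p.country_of_birth) == _norm(rec.country_of_birth))
            if same_name or same_birth:
                hits.add(p.uuid)
        return hits

    def reconcile(self, rec: Record) -> tuple[Decision, str | None]:
        id_hits = self._identifier_matches(rec)
        # Name/birth hits on the person the identifiers already point to corroborate
        # the match; hits on anyone else make it uncertain and force manual review.
        possible = self._possible_matches(rec) - id_hits
        if not id_hits and not possible:
            return Decision.ADD, self._add(rec)
        if len(id_hits) == 1 and not possible:
            (u,) = id_hits
            self._update(self.persons[u], rec)
            return Decision.UPDATE, u
        return Decision.MANUAL, None          # never auto-merge or auto-create here

    def _add(self, rec: Record) -> str:
        p = Person(str(uuid.uuid4()), rec.date_of_birth, rec.place_of_birth,
                   rec.country_of_birth, rec.gender)
        self.persons[p.uuid] = p
        self._update(p, rec)
        return p.uuid

    def _update(self, p: Person, rec: Record) -> None:
        p.names.add(rec.name)                 # keep name variants seen across sources
        for ident in rec.identifiers:
            p.identifiers.add(ident)
            self.by_identifier[ident] = p.uuid


# Constructed sample records; every person and number here is fictitious.
REC_HRMS = Record("HRMS", frozenset({("SSN", "123-45-6789"), ("Employee Number", "E1001")}),
                  Name("Jane", "Q", "Doe"), "1970-01-02", "Houston", "US", "F")
REC_SIS = Record("SIS", frozenset({("SSN", "123-45-6789"), ("Student ID", "S5550")}),
                 Name("Jane", "Quinn", "Doe"), "1970-01-02", "Houston", "US", "F")
REC_GUEST = Record("Guest", frozenset({("Guest ID", "G42")}),      # no SSN available
                   Name("John", "", "Smith"), "1985-06-30", "Austin", "US", "M")
REC_GMEIS = Record("GMEIS", frozenset({("SSN", "999-99-9999")}),   # new SSN, known name
                   Name("Jane", "", "Doe"), "1972-03-03", "Dallas", "US", "F")
REC_MIXED = Record("UTP", frozenset({("SSN", "123-45-6789"), ("Guest ID", "G42")}),
                   Name("J", "", "Doe"), "1970-01-02", "Houston", "US", "F")


def demo() -> list[Decision]:
    reg = Registry()
    return [reg.reconcile(r)[0] for r in (REC_HRMS, REC_SIS, REC_GUEST, REC_GMEIS, REC_MIXED)]


if __name__ == "__main__":
    for rec, decision in zip((REC_HRMS, REC_SIS, REC_GUEST, REC_GMEIS, REC_MIXED), demo()):
        print(f"{rec.source:6} {rec.name.first} {rec.name.last}: {decision.value}")
```

The two cases that land in manual processing show why the rules are conservative: REC_GMEIS carries a new SSN but the name of an existing person, and REC_MIXED carries identifiers that point at two different people. Auto-creating in the first case would split one person across two UUIDs; auto-merging in the second would collapse two people into one credential. Because SSN is used as a match key where available, the identifier table holds highly sensitive data and must be protected accordingly.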

Figure: Guest credentialing flow.
1. A sponsor submits a guest request.
2. The applicant appears before the LRAA, who verifies and certifies the applicant's data.
3. Identity reconciliation is run against the Person Registry:
   - Not in the Person Registry: assign a UUID and add the person to the registry; add the guest to the guest database; the LRAA credentials the guest.
   - Possible identity match: the LRAA resolves the identity uncertainty; the guest is then added to the guest database and credentialed.
   - Applicant already in the Person Registry: if the applicant is currently affiliated, the guest request is voided; if not, the guest is added to the guest database and the LRAA credentials the guest.

Figure: Guest Management System, with the Person Registry and Identity Management System.
- The sponsor's request forms capture the unverified applicant's data.
- The LRAA's review/update forms turn it into verified applicant's data, which is submitted to reconciliation.
- New person? If yes, the LRAA's approval form is processed and the guest is added to the Guest DB and an LDAP entry is created. If no, present affiliations are checked against current affiliations in the Enterprise LDAP Directory; a currently affiliated applicant causes the sponsor's request to be voided, otherwise the approval process proceeds as above.

Figure: UTHSC-H Two-Factor Authentication, on the same IdP (uth.tmc.edu) vetting-and-credentialing diagram as before (IdP obtains physical characteristics; assigns an everlasting identifier permanently bound to the person and recorded in the permanent identity database; issues a digital credential that only the person can activate). Two links in the chain are marked with a question mark.

Figure: UTHSC-H Username/Password Authentication, on the same diagram, with activation done using a network username and password. Many more links are marked with question marks than in the two-factor case, indicating how much weaker the binding between the person and the credential becomes.

UTHSC-H Strategic Authentication Goals
Two authentication mechanisms:
- a single university ID (UID) and password;
- a public key digital ID on a token (two-factor authentication), which also provides digital signatures, highly secure access control, and the potential for inherent global trust.