Deployment Panel: Planning and Implementing for the Big Day
Daniel Arrasjid, University at Buffalo
Copyright Daniel Arrasjid 2004.


Copyright Daniel Arrasjid. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

CAMP Directory Workshop Feb 3-6, 2004

University at Buffalo
• Doctoral/research extensive university
• NY's largest and most comprehensive public university
• 27,000+ students
• 13,000+ employees
• Two main campuses
• Part of the SUNY system

Prevalent UB Drivers
• Technology and Business Drivers
  – Critical technology-specific directory (DCE) set to retire
  – Business Continuity and Disaster Recovery
  – Server consolidation
  – Virtualization of services, dynamic provisioning
  – Staff resource issues
  – SUNY-wide Federation
  – Applications seeking more robust attributes
  – Library resource access management

UB Brief History – Some Highlights
• 1986 SSN eliminated as primary key – replaced by “Person Number”
• 1990 White Pages
• 1993 developed primitive provisioning system for unix accounts, with University-wide unix namespace
• Mid 1990s major projects/initiatives
  – Access ’99 – transition mainframe to distributed computing, culture change
  – 1995 Data Warehouse – data access policies, stewards, trustees, process
  – 1995 Multi-purpose Identification Card System – final linkage of single public identifier HR/Student
  – 1996 Web-based Workflow & Paperless Processing – major initiative in culture change, and re-tooling staff, for distributed computing
• 1997 initial Identity Management System (it wasn’t called that), and DCE
  – Person registry, biz rules, data transformation, provisioning of services and directories, self-service, special “affiliations”, data access, security, acceptable use policy
• 2001 MyUB Portal
• 2002 Business Continuity & DR, geographically distributed data center, SAN
• 2003 Kerberos 5, Active Directory, eduPerson-based Sun ONE DS

Example Services Leveraging the 1997-based Infrastructure
• Central (IMAP/POP3/Webmail/filters)
• MyUB Portal
• UB Business apps
• Wings web service protected files
• Whitepages LDAP service
• Library public access workstations
• UBUNIX time-sharing
• Blackboard
• Telephony applications
• UB Business Portal
• Open ports, Wireless, VPN, Firewall, ResNet
• Usenet News
• Web password change
• Web registration
• Web grading
• Web address & declared major change
• Web parking hang-tags
• e-payment
• Public Sites workstations
• Software distribution
• Distributed File System
• Dept. public workstations and other applications
• Exchange, SQL Server, MS apps

idM Drivers
• NIS+ out of steam
• Web-based Workflow & Paperless Processing requirements
• Enterprise File Service

idM Communication
• Infrastructure change intended to be transparent
• Proposals, executive briefs, technical documents
• Campus news outlets
  – Web
  – Newspaper
• Campus IT stakeholders
• Campus forums
  – IT Fair
  – Distributed Computing Consultants
• Data custodians

idM Training
• No published roadmap or best practices
• Leveraged experience from prior related activities
  – Earlier provisioning system
  – Data Warehouse
  – Operational Datastore
  – Campus ID Card
• Intensive training program
  – 6 support staff, approx. 18 person-weeks
• Transparent change to applications
• AuthN/AuthZ modules/libraries for campus use

idM Technology Considerations
• High Availability 24x7 requirement
• Meta-Directory
  – Oracle for repository and queues, w/ stand-by system
  – Perl scripts & “C” programs for processing
  – Delegation of account management, based on roles
  – Automated monitoring tools, log analysis
  – DR
• Physical Directory
  – DCE replicas distributed across several subnets
  – Private network for replication
  – Automated monitoring tools
  – DR
• AuthN/AuthZ modules/libraries for campus use

idM Costs & System Configurations
• Physical Directory
  – 8 physical directory replicas, Sun Enterprise Systems, Solaris, DCE
• Meta-Directory
  – 1 primary system, 1 stand-by system, Sun Enterprise Systems, Solaris, Oracle
• Total cost
  – Approx. $250,000
  – Approx. 3.0 FTE x 9 months

What problems were we trying to solve with “I2” DS and Shibboleth?
• Transition from DCE
• Make more information available to support authorization decisions
• Biz continuity and service resiliency
• Ease integration of applications into campus idM/middleware infrastructure
• Be mainstream
• Reduce vendor dependency
• Authenticated anonymous access, privacy issues
• Include non-institutional attribute data
• Data co-location in a single directory
• Ability to do groups as well as individual attributes
• Single/initial log-on
• Inter-institutional log-on

Existent Prior to Deployment of “I2” DS
• Project management culture
• Campus governance, prioritization, resource process
• “Identity Management” awareness
• “Service”-based culture w/ SLAs/SLSs
• Data access, security, and appropriate use policies w/ roles and responsibilities
• Opaque and persistent identifiers (see )
• Identity Management System
  – Oracle-based registry
  – Perl and C programs to process intelligence and business rules
  – Automatic provisioning of services and directories
  – Large set of existing user attributes/profiles (groups)

Roadmap
• Completed
  – ASAB (Governance) support for activity
  – Discussions with ASAB infrastructure committee, members of the campus community, and peer institutions
  – Proposal to the campus, and demonstration
  – Seek feedback
• Outstanding
  – Determine schema governance model
  – Develop policies – biz rules, privacy, security, management, attribute ownership
  – Integrate applications
  – Continuous process

“I2” DS Communication
• Help from campus
  – Other UB IT folks following I2 middleware and NMI
• Governance/prioritization
  – Initiation proposal to ASAB
  – Proposal to ASAB Infrastructure
• Key campus IT stakeholders
  – 1-on-1s to discuss the proposal and issues
  – Discussed proposal with IT Coordinating Committee
• Campus forum
  – Proposal, demo, and Ken.
  – Sought feedback and held follow-up discussions

“I2” DS Training
• Existing expertise with Sun ONE DS
• Leveraged existing infrastructure
• Books, roadmaps, recipes
• New modules, libraries, APIs
• Just another physical DS
• Either cost “a lot” or “fairly little”
  – When do you start tallying the cost, 1995?
  – Or just for this quiet deployment of yet another physical directory

“I2” DS Technology Considerations
• Meta-Directory
  – Leveraged infrastructure, added new feed
• Production, but no anticipated production use for 8 months
• Service Level Agreements
• Physical Directory
  – High Availability
  – Load testing (collaborate with App Group, web-load, JMeter, SAR)
  – Replicas across geographically distributed data center
  – Health monitoring (Big Brother, Spectrum, RRD/mrtg, auto-paging)
  – Security (firewalls, VPN, etc.)
  – Layer 4 switches (Cisco LocalDirectors)
• Infrastructure costs – $54,000
• Some director-switch issues
  – Combining LDAP farm and Shibboleth farm behind the same switch; currently have a work-around.

Costs & System Configurations
• LDAP
  – 394 hours
  – 4x Sun Enterprise 280 systems, 2 GB RAM, 2x 900 MHz CPUs, Sun crypto accelerator cards, Solaris 9, Sun ONE DS, $54,000
• Kerberos
  – 365 hours
  – 4x Sun V120 systems with 512 MB RAM and 650 MHz CPUs, Solaris 9, Kerberos 5, $14,000
• Shibboleth Origin/AA/Cosign
  – 407 hours
  – Test w/ 2x Dell 6650 systems, 4x 1.9 GHz CPUs, 2 GB RAM, Redhat Advanced Server 2.1a
  – Production: scalable app farm with probably at least 4 systems

[Diagram slides: Architecting for Business Continuity (three slides; diagrams not reproduced in the transcript)]

[Diagram slides: Meta-Directory Dataflow, “A Nice Diagram” (diagrams not reproduced in the transcript)]

UB LDAP Schema (columns: Object Name / Attribute Name / Permissions / Example)

Top
  Attributes: objectClass (required), aci
  Permissions: Anon, Admin
  Example: top, posixAccount, person, organizationalPerson, InetOrgPerson, eduPerson, UBEduPerson

PosixAccount
  Attributes: uidNumber, gidNumber, homeDirectory, loginShell, gecos
  Permissions: posixdat, posixdat (*)
  Example: /home/staff/tks/mruser, /bin/tcsh, Mike R User

Person
  Attributes: cn (commonName) (required), sn (surname) (required), telephoneNumber
  Permissions: Anon (*), Anon
  Example: Mike R User, User

OrganizationalPerson
  Attributes: ou (organizationUnitName), physicalDeliveryOfficeName, title
  Permissions: Anon (*), Anon
  Example: Technical Services, 123 Computing Center, Unix Systems Analyst I

UB LDAP Schema (continued)

InetOrgPerson
  Attributes: departmentNumber, displayName, employeeNumber, employeeType, givenName, labeledURI, mail, roomNumber, uid (userID), userCertificate, userSMIMECertificate
  Permissions: Anon (*), Admin, Anon, Anon (*), Admin, Anon, Admin
  Example: 0790, Mike R User, staff, Mike, 123, Mruser

eduPerson
  Attributes: eduPersonAffiliation, eduPersonOrgDN, eduPersonOrgUnitDN, eduPersonPrimaryAffiliation, eduPersonPrincipalName, eduPersonEntitlement, eduPersonPrimaryOrgUnitDN
  Permissions: Anon (*), Anon, Admin, Anon (*)
  Example: staff student, dc=buffalo,dc=edu, ou=People,dc=buffalo,dc=edu, staff, urn:mace:incommon:entitlement:common:1, ou=People,dc=buffalo,dc=edu

UBEduPerson
  Attributes: UBEduPersonKswitch, UBEduPersonSunycard, UBEduPersonPersonNumber, UBEduPersonEntityAbbr, UBEduPersonPrimaryEntityAbbr, UBEduPersonInfoRelease, UBEduPersonDegree, UBEduPersonLibraryBarcode, UBEduPersonSENSHomedir
  Permissions: Admin, Anon (*), Admin
  Example: tks, cse, tks, Y, BS, /home/sens/foo/mruser
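As an added illustration of the two schema slides (not code from the presentation or from UB), the script below models the Anon / posixdat / Admin visibility tiers as a filter over a constructed entry for the slides' example user. Which attribute sits in which tier, the ordering of the tiers, and the uidNumber, gidNumber, eduPersonPrincipalName and person-number values are assumptions, since the slides list permissions per object class rather than per attribute.

```python
"""Model of the UB LDAP attribute-visibility tiers from the schema slides.

Constructed example: the tier assignments below are assumptions for
illustration; the slide lists permissions per object class as
Anon, posixdat or Admin but does not map them attribute by attribute.
"""
from typing import Dict, List

# Bind roles, least to most privileged (assumed ordering).
ROLE_RANK = {"anon": 0, "posixdat": 1, "admin": 2}

# Minimum role required to read each attribute (assumed assignment).
ATTRIBUTE_TIER: Dict[str, str] = {
    "objectClass": "anon", "cn": "anon", "sn": "anon",
    "telephoneNumber": "anon", "ou": "anon", "title": "anon",
    "physicalDeliveryOfficeName": "anon", "displayName": "anon",
    "givenName": "anon", "mail": "anon", "uid": "anon",
    "eduPersonAffiliation": "anon", "eduPersonPrincipalName": "anon",
    "eduPersonEntitlement": "anon",
    "uidNumber": "posixdat", "gidNumber": "posixdat", "gecos": "posixdat",
    "homeDirectory": "posixdat", "loginShell": "posixdat",
    "employeeNumber": "admin", "userCertificate": "admin", "aci": "admin",
    "UBEduPersonPersonNumber": "admin", "UBEduPersonLibraryBarcode": "admin",
}

# Constructed entry using example values from the slides; uidNumber,
# gidNumber, eduPersonPrincipalName and the person number are made up.
EXAMPLE_ENTRY: Dict[str, List[str]] = {
    "objectClass": ["top", "posixAccount", "person", "organizationalPerson",
                    "inetOrgPerson", "eduPerson", "UBEduPerson"],
    "cn": ["Mike R User"], "sn": ["User"], "uid": ["mruser"],
    "displayName": ["Mike R User"], "givenName": ["Mike"],
    "ou": ["Technical Services"], "title": ["Unix Systems Analyst I"],
    "uidNumber": ["12345"], "gidNumber": ["100"],
    "homeDirectory": ["/home/staff/tks/mruser"], "loginShell": ["/bin/tcsh"],
    "gecos": ["Mike R User"], "employeeNumber": ["0790"],
    "eduPersonAffiliation": ["staff", "student"],
    "eduPersonPrincipalName": ["mruser@buffalo.edu"],
    "eduPersonEntitlement": ["urn:mace:incommon:entitlement:common:1"],
    "UBEduPersonPersonNumber": ["00000000"],
}

def visible_attributes(entry, role):
    """Return the subset of entry a bind with the given role may read.

    Attributes missing from ATTRIBUTE_TIER are treated as admin-only
    (fail closed), the safe default when schema and ACI drift apart.
    """
    rank = ROLE_RANK[role]
    return {a: v for a, v in entry.items()
            if ROLE_RANK[ATTRIBUTE_TIER.get(a, "admin")] <= rank}

def to_ldif(dn, entry):
    """Render an entry as LDIF text, one attribute value per line."""
    lines = [f"dn: {dn}"]
    for attr, values in entry.items():
        lines.extend(f"{attr}: {v}" for v in values)
    return "\n".join(lines) + "\n"
```

Running `to_ldif("uid=mruser,ou=People,dc=buffalo,dc=edu", visible_attributes(EXAMPLE_ENTRY, "anon"))` shows what an anonymous white-pages lookup would return under these assumptions; the admin-only and posixdat attributes are absent.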

SUNY Federation
• The four University Centers are considering Shibboleth on their campuses as part of the AuthN/AuthZ infrastructure
• Smaller schools may need various levels of help
• SUNY Central Administration or ITEC – potential outsourcer or consulting services
• NMI “compliant”, eduPerson schema the foundation, SUNYPerson?

SUNY System-Wide Strategy (diagram slide; content not reproduced in the transcript)