Wikipedia says: “Single Sign On (SSO) is a property of access control of multiple, related, but independent software systems. With this property a user logs in once and gains access to all systems without being prompted to log in again at each of them.”

- Reduce password fatigue
- Reduce time spent re-entering passwords
- Abstract authentication from systems
- Lower calls to Help Desk about passwords
- Centralized reporting for compliance
- Can rationalize multiple authentication methods
- Improved interaction with 3rd party

- True Single Sign On is often hard to accomplish
- “keys to the castle”
- High Availability becomes the new IdM buzzword (well, one of them)

- Jasig CAS
- CoSign
- Kerberos
- OpenSSO
- JOSSO
- Shibboleth

- What protocol do they use?
- What kind of “clients” do they have?
- Features:
  - Opt Out of Single Sign On
  - Management
  - Monitoring
  - High Availability / Scalability
  - Flexibility
  - “ClearPass”
  - Deployment/Maintainability

- It’s easy! (relatively)
- Assumes you’ve already solved your ID problem
- It’s a “big” win
- Highly visible
- Oh, and all that stuff listed under Benefits

- Documentation!
- Present, Present, Present! (Education)
- A Compelling Reason
  - Features
  - Ease-Of-Use
  - Auditing
  - Superior User Experience
- Support It!
- Strong Arm (not a pleasant experience)

- Goes well with…
  - Self-Password Reset/Change
  - Lookup Id
  - Profile
  - User Education
  - Help Desk Support
  - Trusted SSL Certificates

- Single Sign Out
- OpenID – decentralized authentication system
- Federation
- Facebook Connect – API to let user log in via Facebook
- InfoCards –

- Rolling out an SSO will raise some of the following questions/concerns:
  - We can’t use SSO because it doesn’t support all types of guests easily*
  - What’s your SLA?
  - Why does it take so long to get an ID?*
  - What about access control?*
  - What is the password policy?
  - What’s the identifier usage policy?

(but it sucks!)

- Store identity data about your people
- Reconciles different versions
- Makes (usually) intelligent choices
- Helps feed other systems
  - Directory builder
  - Provisioning
  - Reporting

- Not too many!
- Very few higher education options
- Most non-Higher Education ones don’t get “higher ed”
  - Multiple sources for a person
  - Multiple possible hierarchies
  - Every university is (slightly) different

- What is OpenRegistry?
  - OpenRegistry is an OpenSource Identity Management System (IDMS). It's a place for data about people affiliated with your organization.
- Core Functionality
  - Interfaces for web, batch, and real-time data transfer
  - Identity data store
  - Identity reconciliation from multiple systems of record
  - Identifier assignment for new, unique individuals
- Additional Functionality
  - Data beyond Persons: Groups, Courses, Credentials, Accounts
  - Business Rule based data transformations
- More than just a Registry, some periphery too
  - Directory Builder
  - Provisioning and Deprovisioning
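The two slides above describe what a registry does (store identity data, reconcile versions of a person arriving from several systems of record, assign an identifier to each new unique individual, and feed downstream systems) without showing the mechanics. The following Python sketch is an added illustration of those mechanics; it is not OpenRegistry's code and not part of the presentation. The source-system names (HR, SIS, LIB), the field names, the sample records and the matching rules (same source key, then a strong identifier, then name plus date of birth as a weak match that is flagged for review rather than trusted) are all assumptions made for the example.

```python
"""
Minimal identity registry: reconcile person records from several systems of
record (SoRs) into one registry entry per real person, assign each new person
a stable opaque identifier, and emit a provisioning feed.

Illustrative example only; not OpenRegistry's implementation.
"""
from dataclasses import dataclass, field
from typing import Optional, Tuple
import re


@dataclass
class SorRecord:
    system: str            # name of the system of record, e.g. "HR" (assumed)
    local_id: str          # that system's own key for the record
    given: str
    family: str
    dob: str               # ISO date or "" when the source does not supply it
    email: str = ""
    national_id: str = ""  # strong identifier; values below are constructed


@dataclass
class Person:
    registry_id: str
    sources: dict = field(default_factory=dict)    # system -> local_id
    attrs: dict = field(default_factory=dict)      # merged attributes (first value wins)
    conflicts: list = field(default_factory=list)  # (field, kept, incoming, system)
    needs_review: bool = False                     # set when only a weak match linked records


class Registry:
    def __init__(self) -> None:
        self.people: dict = {}
        self._by_key: dict = {}      # (kind, value...) -> registry_id
        self._by_source: dict = {}   # (system, local_id) -> registry_id
        self._counter = 0

    def _new_id(self) -> str:
        # Opaque identifier: never derived from PII, never reused.
        self._counter += 1
        return f"ru{self._counter:06d}"

    @staticmethod
    def _norm(s: str) -> str:
        return re.sub(r"[^a-z]", "", s.lower())

    def _weak_key(self, rec: SorRecord) -> Tuple:
        return ("name_dob", self._norm(rec.given), self._norm(rec.family), rec.dob)

    def _match(self, rec: SorRecord) -> Tuple[Optional[str], str]:
        """Return (registry_id or None, match strength)."""
        rid = self._by_source.get((rec.system, rec.local_id))
        if rid:                      # same SoR key seen before: an update, not a new identity
            return rid, "source"
        if rec.national_id and ("national_id", rec.national_id) in self._by_key:
            return self._by_key[("national_id", rec.national_id)], "strong"
        if rec.email and ("email", rec.email.lower()) in self._by_key:
            return self._by_key[("email", rec.email.lower())], "strong"
        if rec.dob and self._weak_key(rec) in self._by_key:
            return self._by_key[self._weak_key(rec)], "weak"
        return None, "none"

    def ingest(self, rec: SorRecord) -> str:
        rid, strength = self._match(rec)
        if rid is None:
            rid = self._new_id()
            self.people[rid] = Person(registry_id=rid)
        p = self.people[rid]
        if strength == "weak":
            p.needs_review = True    # a human, not the matcher, decides on name+DOB links
        p.sources[rec.system] = rec.local_id
        self._by_source[(rec.system, rec.local_id)] = rid
        # Merge attributes: keep the first value, log disagreements instead of overwriting.
        for k in ("given", "family", "dob", "email", "national_id"):
            v = getattr(rec, k)
            if not v:
                continue
            old = p.attrs.get(k)
            if old and old != v:
                p.conflicts.append((k, old, v, rec.system))
            p.attrs.setdefault(k, v)
        # Index identifiers so later records from other SoRs can be reconciled.
        if rec.national_id:
            self._by_key[("national_id", rec.national_id)] = rid
        if rec.email:
            self._by_key[("email", rec.email.lower())] = rid
        if rec.dob:
            self._by_key[self._weak_key(rec)] = rid
        return rid

    def provisioning_feed(self) -> list:
        """What a directory builder or provisioning job would consume."""
        return [{"id": rid, "sources": sorted(p.sources), "attrs": dict(p.attrs),
                 "needs_review": p.needs_review}
                for rid, p in sorted(self.people.items())]


# Constructed sample input: two real people seen across three source systems.
SAMPLE = [
    SorRecord("HR",  "e1001", "Maria", "Garcia", "1980-03-04", "maria.garcia@example.edu", "123-45-6789"),
    SorRecord("SIS", "s5550", "Maria", "García", "1980-03-04", "", "123-45-6789"),        # strong match
    SorRecord("SIS", "s7777", "Jon", "Smith", "1999-12-01", "jon.smith@example.edu", ""),
    SorRecord("HR",  "e1001", "Maria", "Garcia-Lopez", "1980-03-04", "maria.garcia@example.edu", "123-45-6789"),  # update
    SorRecord("LIB", "l42", "Jon", "Smith", "1999-12-01", "", ""),                        # weak match only
]


def run_sample():
    reg = Registry()
    ids = [reg.ingest(r) for r in SAMPLE]
    return reg, ids


if __name__ == "__main__":
    registry, assigned = run_sample()
    for entry in registry.provisioning_feed():
        print(entry)
```

The design choice worth noting is that a weak match (name plus date of birth) links the records but marks the person for review, and attribute disagreements are logged rather than silently overwritten; both are the “(usually) intelligent choices” a registry has to make explicit so that downstream provisioning does not act on a guess.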

- Two Options:
  - “The Big Bang”
  - Transitional

- Benefits
  - Not maintaining two versions for extended period of time
  - Direct Developer Resources towards new project
- Cons
  - This stuff better work! (or expect some pissed off people)
  - Significant investment in testing phase
  - What’s the back up plan?
  - Restrictions on flexibility

- Benefits
  - Significant time to test system “in production” with real data
  - Built-in Back Up Plan
  - More flexible scheduling
- Cons
  - Maintaining multiple systems for extended period
  - Ambiguity about where to go for data
  - In some instances, double the work!

- We totally confuse the issue
- We’ve “big banged” ourselves for Dec 2010 (PeopleSoft deployment)
- We’ve committed to maintaining the legacy system feeds
- We are gradually rolling it out!
- Why?
  - It seemed like a good idea at the time!
  - “Big Bang” attachment to PeopleSoft gets IdM on the radar and stresses importance
  - Pilot Groups much earlier!
  - Unfortunately, it puts IdM on the radar
  - With schedule, no time to update all legacy feeds

- Building a registry is tough!
- Deploying a registry is tougher!
- Touches everything!
  - Data is owned by others
  - Policies around accessing data, identifiers, etc.
  - Downstream concerns with new populations
  - Poorly written tools that won’t work with the new system
  - Help Desk Nightmare!
  - Start Looking at EVERYTHING
- What does it all mean?

Governance is the activity of governing. It relates to decisions that define expectations, grant power, or verify performance. It consists either of a separate process or of a specific part of management or leadership processes. Sometimes people set up a government to administer these processes and systems.

In the case of a business or of a non-profit organization, governance relates to consistent management, cohesive policies, processes and decision-rights for a given area of responsibility. For example, managing at a corporate level might involve evolving policies on privacy, on internal investment, and on the use of data. (according to Wikipedia)

- Policies
- Responsibility
- Coordination and Prioritization
- Compliance
- Some of them like the details (i.e. text on the page!)
  - really really annoying
- Making the Case
- Communication

- Not too early
- But not too late
- Becomes important when you start depending on others

- Some level of actual authority
- A method for measuring accountability
- Transparent
- Leave us better off!

- Fiefdoms continue to exist
- Duplicate data everywhere!
- Duplicate application development
- Misuse of information

- None – just like it sounds
- Explicitly Decentralized
  - High level group sets policy
  - Specialized groups implement policy
- Centralized
  - Makes just about all the decisions
- Hybrid

1. Initial – no process.
2. Repeatable – starting to understand processes.
3. Defined – process documented, standardized and integrated.
4. Managed
5. Optimized

(according to Burton)

- Two key points:
  - You need a champion of sufficient authority
  - Feedback mechanism needs to be in place