Enterprise Directories: Design, Implementation, and Operational Strategies Dr. Tom Barton.

19 February 2003 EDUCAUSE SW Regional 1 Enterprise Directories: Design, Implementation, and Operational Strategies
Dr. Tom Barton

19 February 2003 EDUCAUSE SW Regional 2 Copyright Statement
Copyright Thomas J. Barton. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

19 February 2003 EDUCAUSE SW Regional 3 What we're trying to accomplish
Simplify what users must know to access online services.
Enable the IT organization to efficiently provide a multitude of online services.
Increase security.
Enable online service for our constituents earlier in their affiliation with us, wherever they are, and forever.
Participate in new, inter-organizational, collaborative architectures.

19 February 2003 EDUCAUSE SW Regional 4 Terminology
Identity: set of attributes about a person. Operationalized as a "person object".
Authentication: process used to associate a user with an identity. Often a login process.
Authorization: process of determining if policy permits an intended action to proceed.
Customization: presentation of a user interface tailored to the user's identity. Subsumes personalization.

19 February 2003 EDUCAUSE SW Regional 5 Comparative service architectures
Stovepipe (or silo): Service performs its own authentication and consults its own database for authorization and customization attributes.
[Diagram: service, authN, attributes]

19 February 2003 EDUCAUSE SW Regional 6 Comparative service architectures
Stovepipes are run by separate offices.
–The environment is more challenging to users, who may need to contact each office to arrange for service and remember several sets of credentials.
–Any life cycle management of service-specific resources must be undertaken by the service-specific office.
–Per-service identifiers and security practices make it more difficult to achieve a given level of security across the enterprise.

19 February 2003 EDUCAUSE SW Regional 7 Comparative service architectures
Integrated: Suite of services refer authentication to, and obtain attributes for authorization and customization from, enterprise infrastructure services.
[Diagram: Service 1 through Service N, authentication service, attribute service]

19 February 2003 EDUCAUSE SW Regional 8 Comparative service architectures
Enterprise authentication & attribute services are provisioned by a central office.
–All attributes known by the organization about a person can be integrated and made appropriately available to services.
–Automated life cycle resource management across the enterprise is facilitated.
–Common identifiers across integrated services enable an easier and more secure user environment.
–Lower marginal cost to implement a new service.

19 February 2003 EDUCAUSE SW Regional 9 Core middleware for an integrated architecture

19 February 2003 EDUCAUSE SW Regional 10 Examples
Common "basket" of services: (reading & sending), calendar, shell & cluster accounts, network access services, myriad web apps, LMS, library databases, home directories, ….
Remote account initialization & admitted students
Academic Personnel Records
–Leverages common security & data architecture

19 February 2003 EDUCAUSE SW Regional 11 Identifiers
Preceding slides sketched the overall technical architecture. Now we'll dig into the identifiers that are fundamental to providing integration…

19 February 2003 EDUCAUSE SW Regional 12 Source system identifiers
Affiliations:
–Which source systems define which major affiliations? How?
–How do constituents become engaged in their various affiliations with the University? How disengaged?
Associated attributes:
–What other attributes of value to online services are maintained in which source systems?
–How are they maintained, for what purposes? Are they reliable?
Metadata:
–(De-)Assignment process; persistence; visibility; versions; …
–What encumbrances/obligations/policies pertain?
–Updatable (in source system)?
Forever iterate over these considerations.

19 February 2003 EDUCAUSE SW Regional 13 Registry identifiers
Fundamental IDs
–Permanent, unreleased guid.
–Permanent pvid?
–Versions?
–Source join & consumer crosswalk.
Derived identifiers
–username(s).
–Attributes for provisioning processes.
–Consumer specific?
Affiliations
–Derived.
–Course, program, org related identifiers & objects.
–Group memberships.
Namespace issues
–Multiple namespaces? For registry objects? For consumer systems?
–Overloading.
–Format.
All is hidden from view.

19 February 2003 EDUCAUSE SW Regional 14 Consumer identifiers
Fundamental IDs
–Persistence, visibility, opacity, … Potential interaction with privacy policy.
–Store/use pvid?
–Choice of naming components (LDAP only).
Representation of attributes
–Application use cases.
–Overloading & namespace collision. E.g.: cn: name of person, name of group, name of …; uid: orthogonal sets of usernames?
–Consumer specific selection & transformation.
All is potentially exposed.

19 February 2003 EDUCAUSE SW Regional 15 Service identifiers
Ability to use or be provisioned with a user identifier derived in the metadirectory is a requirement for integration into this architecture.
Attribute schema
–Conventions for syntax & semantics.
Username & related namespace issues
Stresses on a common username space:
–Least common denominator format requirements.
–Number of persons assigned one (alums? parents? sibs? patrons? donors?).
–Duration of assignment: forever?
–Potential for shared administration of portions of username space might drive creation of orthogonal namespaces. E.g., OS usernames, uids, gids w/ nss-ldap. University "guest" registration.
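The three identifier slides above (registry, consumer, service) describe one flow: source-system records are joined into a registry person with a permanent, unreleased guid; consumer systems see only derived identifiers; and the derived username has to fit a least-common-denominator format and avoid collisions with other namespaces (group cn values, OS accounts). The following is an added worked example of that flow, not code from the slides or from any university's registry; the registry class, the POSIX-style username rule, the reserved-account list, and the sample HR/SIS records are all constructed assumptions.

```python
"""Added example: a minimal person registry that assigns an opaque,
never-released registry guid, keeps a crosswalk from source-system
identifiers to that guid, and derives a consumer-facing username that
must satisfy a least-common-denominator format and must not collide
with other namespaces. Names, rules and sample records are assumptions."""
import re
import uuid

# Assumed least-common-denominator username format: a lowercase letter,
# then lowercase letters/digits, 3..8 characters in total, so one username
# can be provisioned unchanged to nss-ldap hosts, mail, and web apps.
USERNAME_RE = re.compile(r"^[a-z][a-z0-9]{2,7}$")

# Constructed sample of an orthogonal namespace a new username must avoid.
RESERVED_OS_ACCOUNTS = {"root", "daemon", "bin", "nobody", "www"}


class Registry:
    def __init__(self):
        self.persons = {}      # guid -> person object (attributes)
        self.crosswalk = {}    # (source, source_id) -> guid
        self.usernames = {}    # username -> guid  (consumer namespace)
        self.groups = set()    # group cn values sharing the LDAP cn space

    def join(self, source, source_id, attrs):
        """Source join: attach a source record to the registry person the
        crosswalk already knows, or create a new person with a fresh guid.
        The guid is random, so it encodes nothing about the person."""
        key = (source, source_id)
        guid = self.crosswalk.get(key)
        if guid is None:
            guid = str(uuid.uuid4())
            self.persons[guid] = {"affiliations": set(), "sources": set()}
            self.crosswalk[key] = guid
        person = self.persons[guid]
        person["sources"].add(source)
        person["affiliations"].update(attrs.get("affiliations", ()))
        person.update({k: v for k, v in attrs.items() if k != "affiliations"})
        return guid

    def link(self, source, source_id, guid):
        """Record a second source identifier for an already-known person
        (e.g. an SIS id for someone first seen from HR)."""
        self.crosswalk[(source, source_id)] = guid

    def username_ok(self, candidate):
        """Validate against the LCD format and every colliding namespace."""
        if not USERNAME_RE.match(candidate):
            return False
        if candidate in RESERVED_OS_ACCOUNTS:
            return False
        if candidate in self.groups:          # cn overloading: person vs group
            return False
        return candidate not in self.usernames

    def derive_username(self, guid):
        """Derived identifier for consumers: built from the name and
        disambiguated with a numeric suffix, never from the guid or a pvid."""
        p = self.persons[guid]
        base = re.sub(r"[^a-z0-9]", "", (p["given"][0] + p["sn"]).lower())[:7]
        base = base if base and base[0].isalpha() else "u" + base
        candidate, n = base, 1
        while not self.username_ok(candidate):
            n += 1
            candidate = f"{base[:8 - len(str(n))]}{n}"
        self.usernames[candidate] = guid
        p["uid"] = candidate
        return candidate

    def consumer_view(self, guid):
        """What a directory consumer sees: derived identifiers and
        attributes only; the guid and the crosswalk stay hidden."""
        p = self.persons[guid]
        return {"uid": p["uid"], "cn": f"{p['given']} {p['sn']}",
                "affiliations": sorted(p["affiliations"])}


def demo():
    """Constructed scenario: one person seen from HR and SIS, a second
    person with the same name, and a group that already owns cn=jsmith."""
    reg = Registry()
    reg.groups.add("jsmith")
    g1 = reg.join("HR", "E1001", {"given": "Jane", "sn": "Smith",
                                  "affiliations": {"staff"}})
    reg.link("SIS", "S55", g1)
    g2 = reg.join("SIS", "S55", {"affiliations": {"enrolled student"}})
    g3 = reg.join("SIS", "S77", {"given": "John", "sn": "Smith",
                                 "affiliations": {"accepted student"}})
    return reg, g1, g2, g3
```

Running `demo()` and then `derive_username` on the two people yields `jsmith2` and `jsmith3`: the bare `jsmith` is refused because a group already uses that cn, which is exactly the overloading problem the consumer-identifier slide raises. The crosswalk lets the SIS record for the same person join the existing registry entry instead of creating a second guid, so the person ends up with both affiliations under one identifier.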

19 February 2003 EDUCAUSE SW Regional 16 Stateful Provisioning

19 February 2003 EDUCAUSE SW Regional 17 The Problem
Unclear process for lifecycle management of accounts & other IT resources
–Seat-of-the-pants policy determination.
Inconsistent operational practices
–Done differently by different people at different times.
Common business logic forced to reside in applications to determine eligibility
–E.g., is this user "currently a member of the community"?
–Inconsistent service levels for users result.

19 February 2003 EDUCAUSE SW Regional 18 Automated stateful provisioning
Basic account provisioning is guided by a finite state machine. Managed resources include
–shell accounts
–IMAP/POP/HTTP mailbox service
–campus-wide computing cluster access
–a variety of directory-enabled application and web services that use an LDAP directory for access control, or that use the LDAP directory to determine eligibility for service.

19 February 2003 EDUCAUSE SW Regional 19 States embody levels of service
Provisioning profiles
–Full access to basic services: faculty, staff, enrolled student.
–& identity management, including PIN maintenance for access to administrative web applications: accepted student, registered student.
–Identifiers maintained for continued support for outsourced services: alum, id retained.
Steps between these and oblivion
–Notification of impending doom
–Access denied
–Resources deleted

19 February 2003 EDUCAUSE SW Regional 20 Independent variables for state transitions
–state
–substate
–date the present state was reached
–date by which the present state might end (expiration date)
–major affiliation (faculty, staff, enrolled student, accepted student, registered student, alum, id retained)
–multivalued attribute holding the identifiers of resources being managed for this account.

19 February 2003 EDUCAUSE SW Regional 21 Not shown: transitions to prospective state from grace, limbo, slide, IDonly.
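Slides 18 through 21 describe provisioning as a finite state machine over a handful of independent variables (state, substate, date the state was reached, expiration date, major affiliation, managed resource identifiers), with grace and limbo states between a provisioned account and deletion. The following is an added example of such a machine, not code from the slides or from any campus system: the state names, the 30-day grace and 180-day limbo durations, the affiliation-to-profile mapping, and the sample timelines are assumptions, and the "slide" and "IDonly" states of the real diagram are not modelled.

```python
"""Added example: a small finite state machine for account provisioning
driven by the variables the slides list. State names, durations and the
affiliation-to-profile mapping are assumptions made for illustration."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Assumed reading of the provisioning profiles on slide 19.
PROFILE_FOR = {
    "faculty": "full", "staff": "full", "enrolled student": "full",
    "accepted student": "idm", "registered student": "idm",
    "alum": "idonly", "id retained": "idonly",
}
GRACE_DAYS = 30    # assumed: tolerate a feed gap this long before limbo
LIMBO_DAYS = 180   # assumed: keep resources this long after access is denied


@dataclass
class Account:
    state: str = "prospective"
    substate: str = ""                    # profile, or reason for the state
    reached: date = date.min              # date the present state was reached
    expires: Optional[date] = None        # date by which the state might end
    affiliation: Optional[str] = None     # major affiliation from the feeds
    resources: set = field(default_factory=set)   # managed resource ids
    log: list = field(default_factory=list)       # (date, state, substate)

    def enter(self, state, today, substate="", ttl=None):
        self.state, self.substate, self.reached = state, substate, today
        self.expires = today + timedelta(days=ttl) if ttl else None
        self.log.append((today, state, substate))


def step(acct: Account, affiliation: Optional[str], today: date) -> Account:
    """One evaluation of the machine against the current feed value.
    An unknown affiliation string is treated like an absent one."""
    profile = PROFILE_FOR.get(affiliation) if affiliation else None
    acct.affiliation = affiliation
    if profile:
        # Known affiliation: (re)enter the matching provisioned state from
        # prospective, grace or limbo; resources survive a limbo round trip.
        if acct.state != "provisioned" or acct.substate != profile:
            acct.enter("provisioned", today, profile)
            if profile == "full":
                acct.resources |= {"shell", "mailbox", "cluster"}
        return acct
    # Affiliation missing from every feed.
    if acct.state == "provisioned":
        # Absence from a source system need not mean departure: grace,
        # with the person notified that service is about to end.
        acct.enter("grace", today, "notified", GRACE_DAYS)
    elif acct.state == "grace" and today >= acct.expires:
        # Grace ran out: deny access but keep resources (limbo).
        acct.enter("limbo", today, "access denied", LIMBO_DAYS)
    elif acct.state == "limbo" and today >= acct.expires:
        acct.resources.clear()
        acct.enter("deleted", today, "resources deleted")
    return acct


def access_allowed(acct: Account) -> bool:
    """Authorization decision an application can take from the state alone,
    without re-deriving 'standing' from source-system data."""
    return acct.state == "provisioned" and acct.substate == "full"


def scenario():
    """Constructed timeline: a staff member drops out of the HR feed,
    reappears during limbo, and is restored without losing resources."""
    a = Account()
    d0 = date(2003, 2, 19)
    step(a, "staff", d0)
    step(a, None, d0 + timedelta(days=1))                 # feed gap -> grace
    step(a, None, d0 + timedelta(days=10))                # still in grace
    in_grace = (a.state, access_allowed(a))
    step(a, None, d0 + timedelta(days=1 + GRACE_DAYS))    # grace expired -> limbo
    in_limbo = (a.state, access_allowed(a), sorted(a.resources))
    step(a, "staff", d0 + timedelta(days=60))             # reappears -> restored
    return a, in_grace, in_limbo


def deletion_scenario():
    """Constructed timeline: an alum never reappears and is finally deleted."""
    b = Account()
    d0 = date(2003, 1, 1)
    step(b, "alum", d0)
    after_alum = (b.state, b.substate, access_allowed(b))
    step(b, None, d0 + timedelta(days=1))
    step(b, None, d0 + timedelta(days=1 + GRACE_DAYS))
    step(b, None, d0 + timedelta(days=1 + GRACE_DAYS + LIMBO_DAYS))
    return b, after_alum
```

The two timelines show the benefit the next slides claim: the person who vanishes from a feed for a month and comes back is restored with shell, mailbox and cluster intact, because limbo only denies access rather than deleting, while the account nobody reclaims is deleted only after grace and limbo have both expired. Every decision is a function of the recorded state and dates, so an application calling `access_allowed` never has to re-implement the eligibility logic.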

19 February 2003 EDUCAUSE SW Regional 22 Benefits
Smooth over issues with feeds from source systems (grace state).
Provide continuity of service to persons who temporarily drop out of source systems.
–Absence from a source system need not imply absence from the University community.
Avoid deletion of resources for persons not in fact departed (limbo state).
Organizing principle for business logic that determines provisioning.

19 February 2003 EDUCAUSE SW Regional 23 Benefits
Authorization policy in applications can leverage knowledge of the user's "state".
–Details of how to determine the "standing" of a person from data in source systems are only instantiated once.
–Administrative exceptions need only be represented once, in the metadirectory.
Source of IT resource management policy.
Increases value of integrated architecture (cf. "Middleware Business Case", the middleware value proposition).