HAKA project, 30.1.2003. HAKA: User administration inside Finnish Higher Education Institutes. Results from the KATO project. Barbro Sjöblom, EDS 2003, Uppsala.

Presentation transcript:

HAKA project HAKA User administration inside Finnish Higher Education Institutes results from the KATO project Barbro Sjöblom EDS 2003 Uppsala

FEIDHE (Electronic Identification in Finnish Higher Education)
Goal: investigate possibilities for implementing a smart card based electronic identification system
Started in June 2000 and completed in March 2002
Cooperation between the computer centers at Finnish Higher Education Institutes (HEI), the national student unions and the Center for high-performance computing and networking (CSC)
Documentation:
New projects: HAKA and KATO

HAKA – Directories in User Administration (”Hakemistot käyttäjähallinnossa”)
Goal I: to give recommendations for a common interface for the user administration that supports electronic identification and information exchange, both between HEIs and between an HEI and a common service.

HAKA – Directories in User Administration
Actions:
–document the existing needs (HEI, service providers)
–document existing schemas
–define a common schema
–security and data protection issues
–testing different architectures (LDAP, Shibboleth, PAPI)
–minimum requirements for the user administration at an individual HEI
–provide information about middleware and user administration to the HEI

HAKA – Directories in User Administration
Goal II: support further development of the user administration in the HEI
Actions:
–document best practices of user administration
–encourage HEI to use strong authentication
–will use the results from the KATO project

KATO project, April 2002 – October 2002
Goal: to document best practices of user administration in HEI
Scope: inside the HEIs
–not across HEI boundaries
Computing center staff interviewed in 7 HEIs
Document available since 10/2002
–in Finnish
Some outcomes described here

The operational environment: the users
students
–undergraduate, postgraduate, supplementary, visiting students…
employees
–universities: a lot of employees and new contracts
–polytechnics: not so many employees
some users both student and employee
–very common in universities
some legitimate users neither student nor employee
–e.g. researchers of the Academy of Finland

The operational environment: number of users

The operational environment: how the IT systems are maintained
centralized: all the workstations, servers and services are maintained by the computer center
–typical in polytechnics and smaller universities
distributed: maintenance is done by the institutes
–typical in some larger universities
–workstations used by faculty: maintained by the institutes
–workstations used by students at TUT and University of Tampere: 50% maintained centrally, 50% by institutes

A fundamental issue: the scope of user identity
(Diagram: HEI X and HEI Y, each running W2k, WWW, students’ Unix, WebCT, dialup, Unix, … The scope of one user id ranges from system specific identity (mostly) to organization wide identity; the HEIs placed along that scale are University of Jyväskylä & Tampere, TUT; Univ of Helsinki, polytechnics.)

The fundamental architecture
(Diagram, bottom layer to top layer:)
Basic registries (personal data): employee registry, student registry
User administration database (e.g. LDAP, RDB, eDirectory): usernames, passwords, roles
Individual systems (operating systems, services): W2000, Unix, WWW, etc.

Different ways to implement (1/2)
(Diagram: LDAP directory; relational database. Institutions shown: University of Helsinki, Tampere; Tampere polytechnic, Åbo Akademi.)

Different ways to implement (2/2)
(Diagram: relational database; LDAP, Novell eDirectory. Institutions shown: TUT, University of Jyväskylä; Polytechnic of Helsinki, Jyväskylä.)

A fundamental issue: roles
If a user is both a student and an employee, does he have two usernames?
–new services on the web with role-based access control
If a user is neither a student nor an employee, how is his account administered?
–there is no basic registry for them
–in TUT they are called UFOs: nobody knows who they really are and where they are coming from…

A fundamental issue: unique identifiers
identifiers represent the identity of a user
–username, e-mail address
–student/employee number
–social security number (what about foreigners?)
–other identifiers
related questions
–Can identifiers be revoked?
–Can identifiers be reassigned?
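As an added illustration (not from the KATO project or its report), a small Python model of the user administration database layer in the architecture above, covering the role and identifier questions raised on these slides: both basic registries feed one organization-wide identity per person, a person present in both registries gets one username with two roles, and a revoked username is retired rather than reassigned. The registries, names and the shared person identifier field are constructed for the example.

```python
# Constructed sample basic registries (not real data). Both registries key
# people by the same person identifier, as the architecture slide assumes.
EMPLOYEE_REGISTRY = [{"person_id": "P001", "name": "Anna Example"},
                     {"person_id": "P002", "name": "Bo Both"}]
STUDENT_REGISTRY = [{"person_id": "P002", "name": "Bo Both"},
                    {"person_id": "P003", "name": "Cia Student"}]

class UserAdminDB:
    """Organization-wide identities, fed from the basic registries."""
    def __init__(self):
        self.by_person = {}     # person_id -> identity (one per person)
        self.by_username = {}   # username  -> identity
        self.revoked = set()    # usernames that must never be reassigned

    def _new_username(self, name):
        # Derive a username from the name; if it collides with a live or a
        # revoked username, append a counter rather than reuse it.
        base = "".join(c for c in name.lower() if c.isalpha())[:8]
        candidate, n = base, 1
        while candidate in self.by_username or candidate in self.revoked:
            n += 1
            candidate = f"{base}{n}"
        return candidate

    def provision(self, record, role):
        """One person, one username, however many roles the registries give."""
        ident = self.by_person.get(record["person_id"])
        if ident is None:
            ident = {"person_id": record["person_id"],
                     "username": self._new_username(record["name"]),
                     "roles": set()}
            self.by_person[ident["person_id"]] = ident
            self.by_username[ident["username"]] = ident
        ident["roles"].add(role)
        return ident

    def revoke(self, person_id):
        """Disable the account; the username is retired, never freed for reuse."""
        ident = self.by_person.pop(person_id)
        del self.by_username[ident["username"]]
        self.revoked.add(ident["username"])

def build_db():
    """Load both basic registries into one user administration database."""
    db = UserAdminDB()
    for role, registry in (("employee", EMPLOYEE_REGISTRY),
                           ("student", STUDENT_REGISTRY)):
        for rec in registry:
            db.provision(rec, role)
    return db
```

Users in neither registry (the "UFOs" of the roles slide) have no record to feed `provision` and therefore still need a manual registration path outside this model.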

A fundamental issue: authentication
Passwords
How many passwords per user?
–One per user identity
–Several per user identity (one low-security etc…)
Single sign-on
–On the web? Usability, trust relationships
–On the workstation
PKI and personal certificates
–smart cards

Further information:
The FEIDHE project:
HAKA:
KATO:
Mikael Lindén, leader of the HAKA and KATO projects
Barbro Sjöblom, user administration at Åbo