Portal Services & Credentials at UT Austin
CAMP Identity and Access Management Integration Workshop
June 27, 2005

27 June 2005 – CAMP Identity & Access Management

Discussion Items
Setting the stage
UT’s portal service – UT Direct
UT’s authentication service – UT EID
Credentialing & Support
Challenges & Responses
Future Directions

Setting the Stage
UT Austin has a large number of core constituents:
  – ~50,000 students
  – ~18,000 faculty & staff
And even larger groups of “extended” populations (e.g., prospective students, former students, parents, job applicants)

UT’s Portal – UT Direct
Created in 2000, upgraded in 2003
“Home-grown” using local custom development tools
Serves as both a portal and a web application framework (look & feel, menus, bookmarks, etc.)
Personalization is based on user’s affiliations

UT Direct Usage
UT Direct has achieved strong penetration:
  – 80% of students use it at least weekly
  – 70% of faculty & staff use it weekly
  – 100,000 distinct users log in weekly
UT Direct user interface is used for most business/administrative web services at UT Austin

UT’s Authentication Service – UT EID
UT EID system created in 1995, upgraded in 1999, major overhaul coming this fall
All members of UT community have EIDs
Unified namespace for all EIDs
Sponsoring departments control the affiliations attached to EIDs

EID Classes
EIDs are grouped into 3 major classes based on affiliation and status of identity verification
  – Low assurance – Self-registered EIDs
  – Medium assurance – Sponsored by an approved UT department
  – High assurance – ID verified in-person & electronic signature agreement signed
Required password strength depends on EID class

EID Populations
The EID system currently contains 1.7M identity accounts, including:
  – Current students (~50K)
  – Former students (since ’74) (~600K)
  – Current employees (~35K*)
  – Former employees (since ’72) (~300K*)
  – Prospective students (~650K)
  – Guests (~400K)
* Includes employees from certain other UT System universities that use shared administrative services.

Relationship between UT Direct & the EID System
[Diagram labels: UT EID Authentication; UT Direct; Blackboard; Webspace; Webmail]
UT Direct and UT EID authentication are distinct systems
Most but not all UT Direct Services are EID-authenticated
UT EID authentication also used by many other services at UT Austin

EID Credentialing
EID Creation
  – Guest EID suite (self-registration)
  – EID-on-demand (inline registration)
  – Automated EID creation
Physical ID verification is required for most core affiliates, but not for extended populations
EID eProxy allows one person to act on behalf of another for certain services (e.g., a parent who is paying a student’s housing bill)

EID Support
EID web help suite lists contacts and provides password help options based on user’s current affiliations
Passwords can be reset online via challenge/response questions or via ticketing (w/ other credentials)
EID phone support is delegated to affiliation sponsors; Central ITS help desk is the last resort

Challenges Part 1
Risks posed by a unified identifier (for example, FERPA compliance)
  – One set of credentials shared by multiple systems can expose data in unexpected ways
  – User support systems/options are complicated by need to prevent inappropriate access to confidential data

Challenges Part 2
Duplicate EIDs and merging of EIDs
  – Extended populations tend to be future or former core constituents, so duplicate EIDs can cause problems
Privacy & identity theft concerns
  – Data elements used for identity reconciliation raise privacy concerns for the university community

Challenges Part 3
Relentless increase in identity registry size: +20% per year
  – New extended populations regularly being identified
  – Campus departments replacing local SSN-based identifiers with EIDs
  – Ongoing migration of campus systems to EID authentication (simplified sign-on initiative)

Responses Part 1
Risks posed by a unified identifier (for example, FERPA compliance)
  – Proactively coordinate EID support and password reset policies across sponsoring departments, especially when new affiliations are added
  – Move toward more granular authentication status and control

Responses Part 2
Duplicate EIDs and merging of EIDs
  – Increase intelligence of self-registration process with adaptive questionnaire
  – Push EID usage to start of business processes to limit backend EID merges
Privacy & identity theft concerns
  – Remove SSN from EID System
  – Institute stricter controls on access to identity registry data

Responses Part 3
Relentless increase in identity registry size: +20% per year
  – Improve flexibility & agility of identity registry to better cope with growth
  – Limit identity reconciliation efforts to close affiliates
  – Implement new classes of EIDs (e.g., identifier-only) with characteristics targeted to campus needs

Future Directions – UT Direct
Bolster support for non-authenticated sessions
Unify central UT web site architecture with UT Direct portal
Support Shibboleth-style local-campus authentication for other UT System universities
Explore commercial & open-source tools/products for next generation of UT Direct

Future Directions – UT EID
Complete overhaul of EID system will occur in Fall 2005
Improve online support tools for users, especially for former students
Allow affiliation sponsors to define populations within an affiliation to provide customized support options
Support strong second-factor authentication options

My Contact Info
CW Belcher (512)