1
Technical and Policy Requirements for Authentication Arising in Interboundary Work
MIT Case Study Notes
Paul B. Hill
2
Setting context
MIT is a private institution
We don’t have a medical school…
We are a Sakai partner…
We have one Kerberos realm that is accepted by the financial system…
Virtually all users have X.509 certificates…
We have researchers at many medical schools and hospitals
But the business school created its own LMS
X.509 certificates are used for web authentication. Not for SMIME, not for long term encryption, not for VPN authentication, not for PKINIT, no use of tokens for multifactor authentication
9/11/2019 2
3
Kerberos is Primary authentication for…
Initial login on many machines
IM (Jabber and Zephyr)
SAP financial system
File systems
Remote shells
All Library Journals
MIT theses (non-MIT personnel are charged for access)
WebSIS – Online Student Information System
Lotteries – Campus ‘lotteries’ e.g., Housing, Phys.Ed.
Obtaining an MIT user certificate
Educational discounts for computer purchases
Access to MIT-only web pages
Ability to download MIT licensed software
Sloan’s web portal
4
Identifiers at MIT
MIT ID card
MIT ID number
Athena Kerberos principal name
X.509 certificates for users
UUID
WIN SID
WIN Kerberos principal name
IDs created by Departments, Labs, and Centers (DLCs)
5
Who can get an MIT ID card?
Incoming Students
Special and Cross-Registered Students
Employees
Spouses and Partners
Alumni
Visiting Scholars and Post-Doctoral Associates
Unofficial Members of the MIT community
  E.g. contractor
6
Who can get an MIT ID number?
Issuers
  Human Resources
  Registrar
  IS&T Accounts office
Students, Faculty, Staff, Contractors, Visiting Scholars, Post-Doctoral Associates, Affiliates, Contractors, Guests
7
What is an MIT ID number
The MIT ID number is a unique identifier for people in MIT Information Technology (I/T) systems.
Having an MIT ID number does not in itself provide any status, relationship, access, responsibility, or privileges. These are conferred and defined by the Institute business processes for which I/T systems exist. Thus who has an MIT ID number is defined by the MIT businesses.
The system of record of all MIT ID numbers is the MIT ID server operated by IS&T.
8
Who can get an Athena Kerberos ID?
All MIT community members (faculty, students, and staff) are entitled to have a Kerberos ID.
If you know your MIT ID number, you can obtain a Kerberos ID via the web
“A sponsored guest account is required for voucher or temp staff, former students or staff who are no longer eligible but need continuing access to their account, as well as visitors who need an MIT electronic identity”
Account can be sponsored by any current member of the MIT faculty or staff, but not students
Guest accounts are valid for up to 2 years and easily renewed
9
Sponsoring a guest account
10
Deactivation
MIT ID cards expire
MIT ID numbers are immutable and do not expire
Athena Kerberos principal names do get deactivated
11
How Kerberos IDs are deactivated
Automatically in January after the graduation of a student in the prior year.
Manually when notice is received from HR that an employee has been terminated.
Manually when a guest’s sponsor does not respond to a renewal request.
Almost never for faculty.
12
Existing Kerberos demographics on campus (2005)
Category     Current (MIT Fact Book ‘05)    Number with Kerberos IDs
Faculty      983                            2473
Staff        9780                           11156
Undergrad    4136                           4697
Grad         6184                           6777
Guest        --                             2415
Other*                                      988
Total of 28,506 IDs as of 2/13/2005
13
*other
Other includes vouchers/temp (308), system accounts (245), pre-frosh (142), random project staff (214), etc.
14
Re-use or re-assignment
MIT ID numbers do not get reassigned
MIT ID numbers should get re-used by the same person (transitions or returns)
Kerberos names used to get re-used and re-assigned; they no longer do
15
Identity at MIT
[Ovals not to scale]
People who have MIT Kerberos IDs – 28,500
People who are MIT employees, students, or “official” visitors – approx. 21,000
Small number of people who probably exist but we don’t know about (maybe null set)
Approx people who are “sponsored” but with unknown affiliation
Hundreds of graduate students, plus a few staff who never got Kerberos IDs
Former students, staff, etc. who still have Kerberos IDs – approx 2500
People who have MIT ID numbers (includes former students, spouses, alums, etc.) – 113,800
16
Getting started at MIT…post-docs and employees
MIT ID number
  Your ID number is automatically generated when Human Resources processes the paperwork for your appointment.
  Your appointment papers are handled by the department/lab/center where you will be working.
Account registration page will ask these users for their MIT ID number and their name
17
Getting started at MIT …students
Student receives “MIT Kerberos / Athena Account Coupon” upon acceptance.
  An assigned MIT ID number
  Six unique keywords that the student will use to initially authenticate to the registration server
  Instructions on how to use this information with the registration service to obtain a Kerberos principal name and choose a password
18
Getting started at MIT…guests
Sponsor submits name, reason, and birth date to accounts office.
Guest is provided with MIT ID number and directed to account registration page
User is prompted for name and MIT ID number
19
Practices
Password expiration – we don’t on most accounts
Password reset
  Photo ID in person at the account office
  Self service via web form
  Exceptional cases have been done over the phone
Password analysis and policy
  KDC evaluates the password (dictionary, history)