Presentation on theme: "Wikipedia Says… “Single Sign On (SSO) is a property of access control of multiple, related, but independent software systems. With this property a user." — Presentation transcript:

1 Wikipedia Says…
• “Single Sign On (SSO) is a property of access control of multiple, related, but independent software systems. With this property a user logs in once and gains access to all systems without being prompted to log in again at each of them.”

2
• Reduce password fatigue
• Reduce time spent re-entering passwords
• Abstract authentication from systems
• Lower calls to Help Desk about passwords
• Centralized reporting for compliance
• Can rationalize multiple authentication methods
• Improved interaction with 3rd Party

3
• True Single Sign On is often hard to accomplish
• “keys to the castle”
• High Availability becomes the new IdM buzzword (well, one of them)

4
• Jasig CAS
• CoSign
• Kerberos
• OpenSSO
• JOSSO
• Shibboleth

5
• What protocol do they use?
• What kind of “clients” do they have?
• Features:
  ▪ Opt Out of Single Sign On
  ▪ Management
  ▪ Monitoring
  ▪ High Availability / Scalability
  ▪ Flexibility
  ▪ “ClearPass”
  ▪ Deployment/Maintainability

6
• It’s easy! (relatively)
• Assumes you’ve already solved your ID problem
• It’s a “big” win
• Highly visible
• Oh, and all that stuff listed under Benefits

7
• Documentation!
• Present, Present, Present! (Education)
• A Compelling Reason
  ▪ Features
  ▪ Ease-Of-Use
  ▪ Auditing
  ▪ Superior User Experience
• Support It!
• Strong Arm (not a pleasant experience)

8
• Goes well with…
  ▪ Self-Password Reset/Change
  ▪ Lookup Id
  ▪ Profile
  ▪ User Education
  ▪ Help Desk Support
  ▪ Trusted SSL Certificates

9
• Single Sign Out
• OpenID – decentralized authentication system
• Federation
• Facebook Connect - API to let user log in via Facebook
• InfoCards -
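Slide 1 defines SSO as "log in once, access everything without being prompted again" and slide 9 adds single sign-out. The following is an added example, not code from the deck or from Jasig CAS or any other product it lists; it is loosely modelled on the CAS ticket flow (one login session at the SSO server, a short-lived single-use service ticket per application, back-channel validation, and a sign-out callback to every application the session reached). The user name, password, service URLs and the 10-second ticket lifetime are constructed, and the "back channel" is a direct method call so the whole thing runs offline.

```python
"""Minimal CAS-style single sign-on and single sign-out (constructed illustration)."""
import hashlib
import hmac
import secrets


def _pw_hash(password):
    # Constructed stand-in for a real credential store; a real one would use a slow KDF.
    return hashlib.sha256(password.encode()).hexdigest()


class SSOServer:
    TICKET_TTL = 10  # seconds a service ticket stays valid; they are also single-use

    def __init__(self, users):
        self._users = users      # username -> password hash (constructed sample data)
        self._sessions = {}      # sso_cookie -> {"user": str, "services": set of urls}
        self._tickets = {}       # service_ticket -> (sso_cookie, service_url, issued_at)
        self._services = {}      # registered service_url -> sign-out callback

    def register_service(self, url, on_sign_out):
        self._services[url] = on_sign_out

    def login(self, username, password):
        """The one interactive login. Returns the SSO session cookie, or None."""
        stored = self._users.get(username)
        if stored is None or not hmac.compare_digest(stored, _pw_hash(password)):
            return None
        cookie = secrets.token_urlsafe(32)
        self._sessions[cookie] = {"user": username, "services": set()}
        return cookie

    def issue_ticket(self, cookie, service_url, now):
        """Browser arrives with the SSO cookie: no prompt, just a ticket bound to one service."""
        if cookie not in self._sessions or service_url not in self._services:
            return None
        ticket = "ST-" + secrets.token_urlsafe(24)
        self._tickets[ticket] = (cookie, service_url, now)
        return ticket

    def validate(self, ticket, service_url, now):
        """Back-channel check by the service. The ticket is consumed whatever the outcome."""
        entry = self._tickets.pop(ticket, None)      # single use: a replay finds nothing
        if entry is None:
            return None
        cookie, bound_url, issued_at = entry
        if bound_url != service_url or now - issued_at > self.TICKET_TTL:
            return None                              # wrong audience, or stale
        session = self._sessions.get(cookie)
        if session is None:
            return None                              # SSO session ended in the meantime
        session["services"].add(service_url)        # remember who to tell at sign-out
        return session["user"]

    def sign_out(self, cookie):
        """Single sign-out: end the SSO session and notify every service it reached."""
        session = self._sessions.pop(cookie, None)
        if session is None:
            return 0
        for url in session["services"]:
            self._services[url](session["user"])
        return len(session["services"])


class Service:
    """An application that trusts the SSO server and never handles a password."""

    def __init__(self, url, sso):
        self.url, self.sso, self.logged_in = url, sso, set()
        sso.register_service(url, self._on_sign_out)

    def access(self, cookie, now):
        ticket = self.sso.issue_ticket(cookie, self.url, now)
        user = self.sso.validate(ticket, self.url, now) if ticket else None
        if user:
            self.logged_in.add(user)
        return user

    def _on_sign_out(self, user):
        self.logged_in.discard(user)


def demo(now=1000.0):
    """Walk the flow once and return what each step observed."""
    sso = SSOServer({"alice": _pw_hash("correct horse")})      # constructed user
    wiki = Service("https://wiki.example.edu", sso)            # constructed service URLs
    mail = Service("https://mail.example.edu", sso)
    out = {"bad_password": sso.login("alice", "wrong")}
    cookie = sso.login("alice", "correct horse")               # the only prompt
    out["wiki"] = wiki.access(cookie, now)
    out["mail"] = mail.access(cookie, now)                     # no second prompt
    t = sso.issue_ticket(cookie, wiki.url, now)
    out["first_use"] = sso.validate(t, wiki.url, now)
    out["replay"] = sso.validate(t, wiki.url, now)             # same ticket again
    t = sso.issue_ticket(cookie, wiki.url, now)
    out["wrong_service"] = sso.validate(t, mail.url, now)      # ticket for wiki shown to mail
    t = sso.issue_ticket(cookie, wiki.url, now)
    out["expired"] = sso.validate(t, wiki.url, now + 60)
    out["signed_out_services"] = sso.sign_out(cookie)
    out["sessions_after"] = (len(wiki.logged_in), len(mail.logged_in))
    out["after_sign_out"] = wiki.access(cookie, now)
    return out
```

The "keys to the castle" point from slide 3 is visible in the structure: every application's session hangs off one SSO session, which is why the ticket is bound to a single service, consumed on first validation and dropped after a few seconds, and why sign-out has to fan out to every service the session touched.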

10
• Rolling out an SSO will raise some of the following questions/concerns:
  ▪ We can’t use SSO because it doesn’t support all types of guests easily*
  ▪ What’s your SLA?
  ▪ Why does it take so long to get an ID?*
  ▪ What about access control?*
  ▪ What is the password policy?
  ▪ What’s the identifier usage policy?

11

12

13 (but it sucks!)

14
• Store identity data about your people
• Reconciles different versions
• Makes (usually) intelligent choices
• Helps feed other systems
  ▪ Directory builder
  ▪ Provisioning
  ▪ Reporting

15
• Not too many!
• Very few higher education options
• Most non-Higher Education ones don’t get “higher ed”
  ▪ Multiple sources for a person
  ▪ Multiple possible hierarchies
  ▪ Every university is (slightly) different

16
• What is OpenRegistry?
  ▪ OpenRegistry is an OpenSource Identity Management System (IDMS). It's a place for data about people affiliated with your organization.
• Core Functionality
  ▪ Interfaces for web, batch, and real-time data transfer
  ▪ Identity data store
  ▪ Identity reconciliation from multiple systems of record
  ▪ Identifier assignment for new, unique individuals
• Additional Functionality
  ▪ Data beyond Persons: Groups, Courses, Credentials, Accounts
  ▪ Business Rule based data transformations
• More than just a Registry, some periphery too
  ▪ Directory Builder
  ▪ Provisioning and Deprovisioning
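Slides 14 and 16 describe the core of a registry: reconciling the same person arriving from several systems of record and assigning a new identifier only when the individual is genuinely new. The following is an added example, not OpenRegistry's code or its matching rules; it shows the shape of that decision. A strong identifier (here a national id, indexed by digest) wins outright; otherwise a normalized name plus date of birth gives candidates, a single uncontradicted candidate is accepted, and anything ambiguous goes to a review queue rather than being guessed. The record layout, the `R0000000` identifier format and all sample people are constructed.

```python
"""Toy identity reconciliation across systems of record (constructed example)."""
import hashlib
import re
import unicodedata
from dataclasses import dataclass, field


@dataclass
class SorRecord:
    """One row from a system of record (HR, student system, library...). Constructed shape."""
    source: str
    source_id: str
    given: str
    family: str
    dob: str                # ISO date, YYYY-MM-DD
    email: str = ""
    national_id: str = ""   # strong identifier; often absent for guests and affiliates


@dataclass
class Person:
    registry_id: str
    records: list = field(default_factory=list)
    emails: set = field(default_factory=set)
    strong: set = field(default_factory=set)   # digests of strong identifiers seen so far


def norm_name(s):
    """Fold accents, case, spacing and punctuation so 'Müller' and ' MULLER' compare equal."""
    s = unicodedata.normalize("NFKD", s)
    s = "".join(c for c in s if not unicodedata.combining(c))
    return re.sub(r"[^a-z0-9]", "", s.lower())


def strong_key(rec):
    """Index the strong identifier by digest so the raw value is never a dictionary key."""
    digits = re.sub(r"\D", "", rec.national_id)
    return hashlib.sha256(digits.encode()).hexdigest() if digits else None


def weak_key(rec):
    return (norm_name(rec.given), norm_name(rec.family), rec.dob)


class Registry:
    def __init__(self):
        self.people = {}        # registry_id -> Person
        self.by_strong = {}     # strong digest -> registry_id
        self.by_weak = {}       # (given, family, dob) -> set of registry_id
        self.by_source = {}     # (source, source_id) -> registry_id
        self.review_queue = []  # (record, candidate ids) for a human to resolve
        self._next = 1000       # constructed: sequential and never reused

    def _new_person(self):
        rid = f"R{self._next:07d}"   # constructed opaque identifier format
        self._next += 1
        self.people[rid] = Person(rid)
        return rid

    def _attach(self, rid, rec):
        person = self.people[rid]
        person.records.append(rec)
        if rec.email:
            person.emails.add(rec.email.lower())
        sk = strong_key(rec)
        if sk:
            person.strong.add(sk)
            self.by_strong[sk] = rid
        self.by_weak.setdefault(weak_key(rec), set()).add(rid)
        self.by_source[(rec.source, rec.source_id)] = rid
        return rid

    def ingest(self, rec):
        """Returns (registry_id or None, how the decision was reached)."""
        rid = self.by_source.get((rec.source, rec.source_id))
        if rid:                                        # same SoR row seen again: update in place
            if rec.email:
                self.people[rid].emails.add(rec.email.lower())
            return rid, "updated"
        sk = strong_key(rec)
        if sk and sk in self.by_strong:
            return self._attach(self.by_strong[sk], rec), "matched-strong"
        # Weak match on name + dob. A candidate already carrying a strong id cannot be this
        # record's owner when this record has a strong id that matched nobody.
        cands = sorted(r for r in self.by_weak.get(weak_key(rec), set())
                       if not (sk and self.people[r].strong))
        if not cands:
            return self._attach(self._new_person(), rec), "new"
        if len(cands) == 1:
            person = self.people[cands[0]]
            if not rec.email or not person.emails or rec.email.lower() in person.emails:
                return self._attach(cands[0], rec), "matched-weak"
        self.review_queue.append((rec, cands))         # ambiguous: queue it, never guess
        return None, "review"


def demo():
    """Feed constructed records from three sources and return each decision in order."""
    reg = Registry()
    feed = [
        SorRecord("HR", "E100", "Alice", "Müller", "1985-03-04", "alice@example.edu", "123-45-6789"),
        SorRecord("SIS", "S77", "alice", " MULLER", "1985-03-04", "", "123456789"),   # same id, different formatting
        SorRecord("SIS", "S77", "alice", " MULLER", "1985-03-04", "", "123456789"),   # re-sent row
        SorRecord("SIS", "S78", "Robert", "Smith", "1990-01-01"),
        SorRecord("HR", "E101", "ROBERT", "Smith ", "1990-01-01", "rsmith@example.edu"),
        SorRecord("HR", "E102", "Jane", "Doe", "1992-06-06", "", "111-11-1111"),
        SorRecord("SIS", "S80", "Jane", "Doe", "1992-06-06", "", "222-22-2222"),      # different person, same name+dob
        SorRecord("LIB", "L5", "Jane", "Doe", "1992-06-06"),                          # which Jane? nobody knows
    ]
    return [reg.ingest(r) for r in feed], reg.review_queue
```

The two Jane Does with different strong identifiers stay separate people, and the library's Jane with no strong identifier is the case slide 14 calls "(usually) intelligent choices": the registry declines to choose, which is where the help-desk and data-owner workload mentioned on later slides comes from.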

17
• Two Options:
  ▪ “The Big Bang”
  ▪ Transitional

18
• Benefits
  ▪ Not maintaining two versions for an extended period of time
  ▪ Direct Developer Resources towards new project
• Cons
  ▪ This stuff better work! (or expect some pissed off people)
  ▪ Significant investment in testing phase
  ▪ What’s the back up plan?
  ▪ Restrictions on flexibility

19
• Benefits
  ▪ Significant time to test system “in production” with real data
  ▪ Built-in Back Up Plan
  ▪ More flexible scheduling
• Cons
  ▪ Maintaining multiple systems for extended period
  ▪ Ambiguity about where to go for data
  ▪ In some instances, double the work!

20
• We totally confuse the issue
  ▪ We’ve “big banged” ourselves for Dec 2010 (PeopleSoft deployment)
  ▪ We’ve committed to maintaining the legacy system feeds
  ▪ We are gradually rolling it out!
• Why?
  ▪ It seemed like a good idea at the time!
  ▪ “Big Bang” attachment to PeopleSoft gets IdM on the radar and stresses importance
  ▪ Pilot Groups much earlier!
  ▪ Unfortunately, it puts IdM on the radar
  ▪ With schedule, no time to update all legacy feeds

21
• Building a registry is tough!
• Deploying a registry is tougher!
• Touches everything!
  ▪ Data is owned by others
  ▪ Policies around accessing data, identifiers, etc.
  ▪ Downstream concerns with new populations
  ▪ Poorly written tools that won’t work with the new system
  ▪ Help Desk Nightmare!
  ▪ Start Looking at EVERYTHING
• What does it all mean?

22

23

24

25

26

27

28

29

30

31
• Governance is the activity of governing. It relates to decisions that define expectations, grant power, or verify performance. It consists either of a separate process or of a specific part of management or leadership processes. Sometimes people set up a government to administer these processes and systems.
• In the case of a business or of a non-profit organization, governance relates to consistent management, cohesive policies, processes and decision-rights for a given area of responsibility. For example, managing at a corporate level might involve evolving policies on privacy, on internal investment, and on the use of data. (according to Wikipedia)

32
• Policies
• Responsibility
• Coordination and Prioritization
• Compliance
• Some of them like the details (i.e. text on the page!)
• really really annoying
• Making the Case
• Communication

33
• Not too early
• But not too late
• Becomes important when you start depending on others

34
• Some level of actual authority
• A method for measuring accountability
• Transparent
• Leave us better off!

35
• Fiefdoms continue to exist
• Duplicate data everywhere!
• Duplicate application development
• Misuse of information

36
• None – just like it sounds
• Explicitly Decentralized
  ▪ High level group sets policy
  ▪ Specialized groups implement policy
• Centralized
  ▪ Makes just about all the decisions
• Hybrid

37
1. initial – no process.
2. repeatable – starting to understand processes
3. defined – process documented, standardized and integrated.
4. Managed
5. optimized
(according to Burton)

38
• Two key points:
  ▪ You need a champion of sufficient authority
  ▪ Feedback mechanism needs to be in place

