
Page 1: Identity Management for the Rest of Us: How to Grow a New Infrastructure Mark Berman Williams College Joel Cooper Carleton College

Identity Management for the Rest of Us:
How to Grow a New Infrastructure

Mark Berman, Williams College
Joel Cooper, Carleton College

Page 2:

A Word from the Sponsors

• National Science Foundation Middleware Initiative (NMI)
• Enterprise and Desktop Integration Technologies Consortium (NMI-EDIT)
• Internet2 and EDUCAUSE

• Project Goals
– Create a common, persistent and robust core middleware infrastructure for the R&E community
– Provide tools and services in support of inter-institutional and inter-realm collaborations

Page 3:

Seminar Agenda

• Definitions, Role, and Functions
• Discovery and Implementation Steps
• Leveraging for the Future
• Vendor Overview
• More Information

Page 4:

What is an Identity and Access Management Infrastructure?

A collection of technology, business processes, and underlying policy that enables networked systems to determine who has access, when they gain and lose that access, and what they are authorized to do, while protecting individual privacy and confidential information.

Page 5:

The Key Functions:

• Who am I - Identification
• Am I really who I say I am - Authentication
• What am I allowed to do - Authorization
• When do I get an account, when do I get authorization, and when is my authorization changed - Provisioning
• When is my account, and the resources associated with it, removed - Deprovisioning
• How does everything work together to provide an effective, accurate, secure set of services - Technology and Business Processes
• The Why - The underlying Policy

Page 6:

A “typical” college campus - does this sound familiar?

• Users have multiple accounts to access different systems
• User identity is not consistent across systems
• The policies and procedures for creating/removing accounts vary from system to system
• Policies are implicit, dated, inconsistent, or nonexistent
• Users and staff are frustrated by the amount of time “wasted” dealing with accounts, passwords, etc.
• Some accounts never go away, and there are legacy accounts that nobody can identify but that can’t be closed because no one knows what side effects that might cause!
• Identity and access management practices are not compliant or auditable and put the campus at risk

Page 7:

An Intro to IAM Architecture

[Diagram: Data sources -> Person Registry -> Directories -> Apps & Platforms]

Page 8:

Potential Simplification: Using a core system as the registry

[Diagram: Data sources -> Person Registry (a core system, e.g. the ERP, acting as the registry) -> Directories -> Apps & Platforms]

Page 9:

Potential Simplification: Use Directory as Person Registry

[Diagram: Data sources -> Directory acting as the Person Registry -> Apps & Platforms]

Page 10:

What's the Scope?

• WHO?
– Faculty
– Staff
– Students
– Alumni
– Applicants
– Prospects
– Parents
– Guests
– Visitors
– Employee Spouse/Partner
– Employee Children
– Library Patrons
– Museum Patrons

• WHAT?
– E-Mail
– Web Pages
– File & Print Services
– Course Management Systems
– Registration
– Directory
– Financials
– Benefits
– Departmental Systems
– Research Systems
– VPN
– Wireless
– Dining Services
– Door Access
– Library Circulation

Page 11:

Discovery: Document Business Processes

• For each system and/or application:
– Map existing policies and business processes
  • How are users identified
  • When and how is access granted, modified, and revoked
  • How do policies differ for users in differing roles, and what happens when their roles change
  • How are, or should, changes be communicated to interested parties
  • How do changes propagate through the organization
  • Who is the authority for each system
  • How are exceptions handled

Page 12:

Sample Business Process Table

Role     Access      Add               Change                        Delete
-------  ----------  ----------------  ----------------------------  ----------------------
Student  Email       On Admission      Username on Class-Yr Change   2 mo. Post Grad
Student  Fileserver  On Matriculation  Quota: on Approval            On Graduation
Faculty  Email       On Hire           Username on HR Change         6 mo. Post Termination
Faculty  Fileserver  On Arrival        Quota on Request              6 mo. Post Termination
Staff    Email       First Day         On HR Change                  Last Day
Staff    Fileserver  First Day         On Request                    Last Day
Guest    Email       On Request        On Role Change                Varies
Guest    Fileserver  On Approval       On Role Change                Varies
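A table like this is itself a provisioning policy, and the value of writing it down is that it can be applied mechanically to events coming out of HR and the registrar. The following is an added example, not code from the presentation: it encodes the table as data and turns each source-system event into add, change or delete actions, computing the deprovisioning date from the retention column. The event names, the Event/Action records and the sample events are constructed for illustration; "2 mo." and "6 mo." are taken as 60 and 180 days; a "Varies" cell or an event the table does not cover is routed to manual review rather than silently dropped.

```python
"""Lifecycle rules from the sample business process table, applied to
identity events to produce provisioning and deprovisioning actions.

Added example, not part of the original presentation. Event names, the
record layouts and the sample events are constructed; the add/change/delete
triggers per role and access follow the table. "2 mo." and "6 mo." are
taken as 60 and 180 days (assumption)."""
from dataclasses import dataclass
from datetime import date, timedelta

# (role, access) -> which event adds the access, which events change it,
# which event ends it, and how long after the ending event it is removed.
# end=None means the table says "Varies": nothing is deleted automatically.
RULES = {
    ("student", "email"):      dict(add="admission",     change={"classyr_change"}, end="graduation",  retain_days=60),
    ("student", "fileserver"): dict(add="matriculation", change={"quota_approval"}, end="graduation",  retain_days=0),
    ("faculty", "email"):      dict(add="hire",          change={"hr_change"},      end="termination", retain_days=180),
    ("faculty", "fileserver"): dict(add="arrival",       change={"quota_request"},  end="termination", retain_days=180),
    ("staff",   "email"):      dict(add="first_day",     change={"hr_change"},      end="last_day",    retain_days=0),
    ("staff",   "fileserver"): dict(add="first_day",     change={"request"},        end="last_day",    retain_days=0),
    ("guest",   "email"):      dict(add="request",       change={"role_change"},    end=None,          retain_days=None),
    ("guest",   "fileserver"): dict(add="approval",      change={"role_change"},    end=None,          retain_days=None),
}


@dataclass(frozen=True)
class Event:
    person_id: str
    role: str
    kind: str      # e.g. "hire", "graduation", "hr_change"
    when: date


@dataclass(frozen=True)
class Action:
    person_id: str
    access: str    # "email", "fileserver", or "*" for a whole-person review
    op: str        # "add", "change", "delete" or "review"
    effective: date


def plan_actions(event):
    """Map one source-system event to the account actions the table implies.
    An event no rule covers becomes a 'review' action, so the exception is
    surfaced instead of being lost (the "LOTS of exceptions" problem)."""
    actions = []
    for (role, access), rule in RULES.items():
        if role != event.role:
            continue
        if event.kind == rule["add"]:
            actions.append(Action(event.person_id, access, "add", event.when))
        elif event.kind in rule["change"]:
            actions.append(Action(event.person_id, access, "change", event.when))
        elif rule["end"] is not None and event.kind == rule["end"]:
            due = event.when + timedelta(days=rule["retain_days"])
            actions.append(Action(event.person_id, access, "delete", due))
    if not actions:
        actions.append(Action(event.person_id, "*", "review", event.when))
    return actions


def plan(person_id, role, kind, when_iso):
    """String-friendly wrapper: returns (access, op, effective-date) tuples."""
    acts = plan_actions(Event(person_id, role, kind, date.fromisoformat(when_iso)))
    return [(a.access, a.op, a.effective.isoformat()) for a in acts]


def due_deletions(planned, today_iso):
    """The deprovisioning queue: deletions whose retention period has elapsed.
    ISO dates compare correctly as strings."""
    return [p for p in planned if p[1] == "delete" and p[2] <= today_iso]


if __name__ == "__main__":
    # Constructed sample events from HR and the registrar.
    planned = (plan("p1", "faculty", "hire", "2005-09-01")
               + plan("p1", "faculty", "termination", "2006-01-15")
               + plan("p2", "student", "graduation", "2006-06-04")
               + plan("p3", "guest", "sponsor_left", "2006-02-01"))   # not in table
    for access, op, when in planned:
        print(f"{access:10} {op:6} {when}")
    print("due on 2006-07-14:", due_deletions(planned, "2006-07-14"))
```

Running the module prints the planned actions and the deletions that have come due; the deprovisioning date is computed once, at the time of the ending event, which is what lets a registry close accounts on schedule instead of leaving them open indefinitely.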

Page 13:

Discovery #5: Assess Candidate Technologies

• Choose a platform for the registry
– What fits best with the existing environment: ERP? DB? LDAP? AD? E-dir?
– How do candidate technologies mesh with current staff skill sets?
– What are the drawbacks and pitfalls associated with each candidate technology?
– What are the costs associated with each candidate technology?

Page 14:

Implementation Phase 1: Environmental Readiness

• Clean the data!
– Comb for spurious or obsolete identity records
– Ensure there is an appropriate unique identifier for each identity record
– Check for compatibility with the global unique identifier that will be used in the registry
– Perform any necessary data synchronization
– Perform any possible business process synchronization
– Develop a bulk loading and migration strategy
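The data-cleaning step is where the registry architecture from the earlier slides becomes concrete: records from several source systems have to be matched to one person, given a registry identifier, and checked before bulk load. The following is an added example, not code from the presentation. It merges an HR extract and a student-system extract, flags records that cannot be matched (spurious), records terminated beyond a retention period (obsolete), and two records from one source that collapse to a single person (duplicates), and produces rows for a bulk loader. The source names, field names, the match rule (normalized last name, first name and date of birth) and the sample extracts are all constructed for illustration.

```python
"""Environmental-readiness pass for a person registry: merge identity
records from several source systems, verify each has usable identifying
data, and flag spurious, obsolete and duplicate records before bulk load.

Added example, not part of the original presentation. Source names, field
names, the match rule and the sample extracts are constructed (assumption)."""
import re
from datetime import date, timedelta

REQUIRED = ("first", "last", "dob")   # fields the match rule needs

# Constructed extracts: an HR feed and a student information system feed.
SAMPLE_RECORDS = [
    {"source": "hr",  "source_id": "E1001", "first": "Ada",   "last": "Lovelace",  "dob": "1990-12-10", "status": "active"},
    {"source": "hr",  "source_id": "E1002", "first": "Alan",  "last": "Turing",    "dob": "1991-06-23", "status": "terminated", "term_date": "2004-01-31"},
    {"source": "hr",  "source_id": "E1003", "first": "",      "last": "Test",      "dob": "",           "status": "active"},
    {"source": "sis", "source_id": "S5001", "first": "ADA",   "last": "Lovelace ", "dob": "1990-12-10", "status": "enrolled"},
    {"source": "sis", "source_id": "S5002", "first": "Grace", "last": "Hopper",    "dob": "1992-12-09", "status": "enrolled"},
    {"source": "sis", "source_id": "S5003", "first": "Grace", "last": "Hopper",    "dob": "1992-12-09", "status": "enrolled"},
]


def normalize(value):
    """Collapse whitespace and case so 'Lovelace ' and 'LOVELACE' compare equal."""
    return re.sub(r"\s+", " ", value.strip()).casefold()


def match_key(rec):
    """Key used to decide two records describe the same person, or None
    when a required field is missing (the record cannot be matched)."""
    if any(not rec.get(f, "").strip() for f in REQUIRED):
        return None
    return (normalize(rec["last"]), normalize(rec["first"]), rec["dob"].strip())


def is_obsolete(rec, as_of, retention_days):
    """Terminated longer ago than the retention period: do not load."""
    if rec.get("status") != "terminated" or not rec.get("term_date"):
        return False
    return as_of - date.fromisoformat(rec["term_date"]) > timedelta(days=retention_days)


def clean_and_merge(records, as_of_iso, retention_days=180):
    as_of = date.fromisoformat(as_of_iso)
    report = {"registry": [], "spurious": [], "obsolete": [], "duplicates": []}
    by_key = {}
    for rec in records:
        key = match_key(rec)
        if key is None:
            report["spurious"].append(rec["source_id"])
            continue
        if is_obsolete(rec, as_of, retention_days):
            report["obsolete"].append(rec["source_id"])
            continue
        entry = by_key.get(key)
        if entry is None:
            # The registry identifier is opaque and assigned once; a real registry
            # persists this mapping so the identifier never changes for a person.
            entry = {"guid": f"R{len(by_key) + 1:04d}", "sources": {}}
            by_key[key] = entry
        if rec["source"] in entry["sources"]:
            # Two records from the same source collapse to one person:
            # a human has to decide which is the real one before loading.
            report["duplicates"].append((entry["guid"], rec["source"],
                                         entry["sources"][rec["source"]], rec["source_id"]))
            continue
        entry["sources"][rec["source"]] = rec["source_id"]
    report["registry"] = list(by_key.values())
    return report


def bulk_load_rows(report):
    """Rows for the registry bulk loader: one per person, one column per source."""
    return [{"guid": e["guid"], **e["sources"]} for e in report["registry"]]


if __name__ == "__main__":
    report = clean_and_merge(SAMPLE_RECORDS, "2006-03-01")
    for k in ("spurious", "obsolete", "duplicates"):
        print(f"{k:10}", report[k])
    for row in bulk_load_rows(report):
        print(row)
```

The point of the report is that nothing ambiguous goes into the registry silently: a record with no matchable identity, a duplicate inside one source, or an account that should already have been closed each ends up in a list someone has to act on, which is the manual-override path the Williams slides later describe.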

Page 15:

Phase 5: Deployment

• Communicate with the community
– Make sure everyone’s on board
– Make sure everyone knows what will happen
• Final data cleanup and synchronization
• Pilot IAM system implementation
– Install registry in the production environment
– Populate registry with pilot user community
– Disable legacy synchronization procedures for the pilot community
– Enable input and output conduits for the pilot
– Conduct user acceptance testing of the pilot

Page 16:

Leveraging for the Future

Page 17:

Federated Identity Management

• Federated Identity Management
– A system that allows individuals to use the same user name, password, or other personal identification to authenticate and be authorized to use services hosted by another organization.
• Single Sign-on for the Web
– Institutional applications
– External partner applications
– Can protect privacy: the user authenticates at the home institution, which does not have to give the partner the user’s credentials or full record
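The privacy point deserves a concrete shape, since it is what distinguishes federation from handing a partner a copy of your directory. The following is an added example, not code from the presentation: an identity provider's attribute-release step that gives each service provider only the attributes its policy allows, and replaces the campus username with a per-service pseudonym so two services cannot correlate the same person. The entity IDs, the release policy and the secret are constructed; the pairwise pseudonym is an HMAC over (username, service entity ID) under a secret held only by the identity provider, which is a common way to compute a targeted identifier. The attribute names are from the eduPerson schema.

```python
"""Attribute release at a federated identity provider: release to each
service provider only the attributes it is entitled to, and replace the
campus username with a per-service pseudonym.

Added example, not part of the original presentation. Entity IDs, policy
and secret are constructed (assumption)."""
import base64
import hashlib
import hmac

IDP_SCOPE = "example.edu"                                       # assumption
IDP_SECRET = b"constructed-demo-secret; keep in the IdP only"   # assumption

# Constructed release policy: per service provider, what may be released.
# Anything not listed here (e.g. the raw username) is never released.
RELEASE_POLICY = {
    "https://lms.partner.example/sp":    {"eduPersonScopedAffiliation", "eduPersonTargetedID"},
    "https://library.vendor.example/sp": {"eduPersonScopedAffiliation"},
}


def targeted_id(username, sp_entity_id, secret=IDP_SECRET):
    """Stable per-(user, service) pseudonym. The same user gets a different
    value at each service, and no service can recover the username from it."""
    msg = f"{username}\x00{sp_entity_id}".encode()
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac[:20]).decode().rstrip("=")


def build_assertion(username, affiliations, sp_entity_id):
    """Attribute statement for one service provider, or None when there is
    no release policy for it (deny by default)."""
    allowed = RELEASE_POLICY.get(sp_entity_id)
    if allowed is None:
        return None
    attrs = {}
    if "eduPersonScopedAffiliation" in allowed:
        # Scoped so the partner knows which institution asserted the role.
        attrs["eduPersonScopedAffiliation"] = sorted(f"{a}@{IDP_SCOPE}" for a in affiliations)
    if "eduPersonTargetedID" in allowed:
        attrs["eduPersonTargetedID"] = targeted_id(username, sp_entity_id)
    return {"audience": sp_entity_id, "attributes": attrs}


if __name__ == "__main__":
    for sp in RELEASE_POLICY:
        print(sp, build_assertion("jdoe", ["student", "member"], sp))
    print("unknown SP ->", build_assertion("jdoe", ["student"], "https://unknown.example/sp"))
```

The library vendor learns only that the requester is a member or student of example.edu; the course-management partner also gets a stable identifier it can key its own records on, but one that is useless for matching against the vendor's records or for looking the user up on campus. Rotating the secret would re-pseudonymize everyone at once, so in practice it is protected and retained like any other long-lived signing key.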

Page 18:

Interinstitutional Collaboration Drives Federations

• One institution hosting course-content for another
• Students at one college taking an on-line course from another college
• Libraries purchasing licenses for multiple vendors with specific access policies
• Researchers making resources available to project members at other schools
• Schools in state systems or articulation relationships that require mutual access to services

Page 19:

What is a Federation?

• An association of organizations that come together to exchange information as appropriate about their users and resources in order to enable collaborations and transactions.
• Uses common policy, technology, and business practices to establish trust
• Access services from (or provide services to) other institutions, corporate partners, government organizations
• A contractual arrangement

Page 20:

US Federal E-Authentication

• Hundreds of Federal services are available to Americans electronically
– Many require some form of identity verification
• The E-Authentication Initiative will provide a trusted and secure standards-based authentication architecture for ALL services
– A Federated SAML-based architecture
• Significant benefits for
– Gov’t agencies (lower costs, better IAM)
– Citizens and businesses (only one set of credentials to remember)

Page 21:

How Federal e-auth Will Affect Us:

• Students, faculty, and staff will want to use their campus credentials to authenticate to the Federal applications
• For this to be possible, the campus will have to be “certified”
• Campus technology, process, and policy must meet certain criteria
– Review compliance with the Password Credential Profile
– http://www.cio.gov/eauthentication/CredSuite.htm
• An important reason to keep Federation standards in mind when implementing IAM….

Page 22:

Some Identity and Access Management Vendors

• Computer Associates eTrust® Identity and Access Management (formerly Netegrity)
• Courion Enterprise Integration Suite
• Microsoft Identity Integration Server
• RSA ClearTrust® and RSA® Federated Identity Manager
• Novell Identity Manager
• IBM Tivoli
• Thor XcellerateIM
• Sun Java System Identity Manager

Page 23:

Most were reviewed in the Oct. 2005 InfoWorld:

http://www.infoworld.com/article/05/10/07/41FEidm_1.html?s=feature

Page 24:

Open Source Tools

• Open Metadirectory
– http://dweller.catalogix.se:8200/
• Cerebrum Project
– http://cerebrum.sourceforge.net/
• Nexus Provisioning System
– check www.nmi-edit.org in May

Page 25:

Thanks!

• Presenters:
– Mark Berman, Williams College, [email protected]
– Joel Cooper, Carleton College, [email protected]
• Contributors:
– Michael Berman, Art Center College of Design
– Steven Carmody, Brown University
– Andrea Gregg, Instructional Designer
– Ann West, EDUCAUSE/Internet2

Page 26:

The Williams Process

• Performed Business Process Analysis
• Began the process of Policy Review
• Determined initial project scope
• Wrote and distributed RFP to selected vendors
• Selected and contracted with chosen vendor
• Continued Policy Review
• Data cleanup (does it ever end?)
• Developed test system
• Deployment at end of this month!
• (Sounds easy huh?)

Page 27:

Issues:

• Existing IAM systems and procedures
• Other departments (Registrar, HR) needed to take on additional responsibility for data entry and maintenance
• LOTS of exceptions needed to be taken into consideration
• Ability to manually override any policy or procedure needed to be designed in

Page 28:

Anticipated Benefits

• Reduced workload for Sysadmin staff and Desktop Support staff

• Timely provisioning and deprovisioning of user accounts

• Ability to tie in other systems as needed

• Self Service password maintenance