Identity Management: The Legacy and Real Solutions
Project Overview
Copyright © 2007 Washington State University
This work is the intellectual property of WSU. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the copyright owner. To disseminate otherwise or to republish requires written permission.
The Legacy
• WSU Network ID
• Integrated Business Systems
• Multiple Authentication Stores
• Disparate Authorization Methods
• No Single Sign-On
• No Metadirectory
• Ad Hoc Provisioning
Business Drivers
• Strategic Goal: “Seamless, Intuitive, Integrated”
• Aging technology (DCE, custom programs)
• Performance and reliability
• Management of NIDs
• Management of WSU affiliates (not eligible for NIDs)
• Increasing reliance on Active Directory
Project History
• Core team construction (2004)
  - Representatives from ITS, College of Business, Libraries, Center for Teaching, Learning and Technology
• Six months information gathering
• Microsoft Technology Center invitation
• Clarification of project goals
Project History
• Project divided into sub-projects
  - Single sign-on
  - Metadirectory services
  - Group services
  - WSU Friend IDs
Key Components
• Microsoft Active Directory (AD)
  - Authoritative source for NIDs
  - Authorization group structure
• Microsoft Identity Integration Server (MIIS)
  - Metadirectory services for NIDs
  - Provisions AD groups
Key Components
• Microsoft Active Directory Federation Services (ADFS)
  - Single sign-on, internal federation
• Microsoft Authorization Manager (AzMan)
  - Used in conjunction with claims (AD group structure) for authorization
[Diagram: WSU Identity Management Architecture 2004. Labels shown: Source Systems (Person Registry/ADABAS, Active Directory, Online Phonebook, Portal Database, Portal OID, UPS LDAP, DCE, Apps & Services); feeds into WSU Enterprise Directory Services (Intelligence & Business Rules, Metadirectory Services, Authentication, Authorization, Attribute and Group Services) via Portal Feed, Online Phonebook Feed, NID Create and Asynchronous Sources; Consumer Systems; WSU Core Business Systems. Design concept courtesy of Thomas J. Barton, University of Chicago.]
[Diagram: WSU Network ID Authentication and SSO Environment 2004. Labels shown: User; Network Services; NID (used at each authentication point); AD Security Server (Kerberos or LDAP authentication), Active Directory Services, AD Domain SSO; DCE Security Server (DCE authentication, DCE rpc); Secure UNIX Web Server, Secure zOS/CICS Web Server, Distributed Secure IIS Web Servers (Local Domain SSO / Local SSO); myWSU Oracle Portal, Oracle External Apps SSO; Online Learning Environments; Active Directory Enabled Apps; zOS Data & Backend Apps or Other Data Sources (Direct Natural, Attunity); Distributed Data & Backend Apps.]
[Diagram: WSU Identity Management Architecture 2007. Labels shown: Source Systems (Person Registry/ADABAS, Portal Apps DB, Portal OID, UPS SunOne, Active Directory, Apps & Services); feeds into WSU Enterprise Directory Services (MIIS, Intelligence & Business Rules, Metadirectory Services, Authentication, Authorization, Attribute and Group Services) via Portal Feed, NID Create and Asynchronous Sources; Active Directory, ADFS and AzMan serving Consumer Systems; Core Business Systems. Design concept courtesy of Thomas J. Barton, University of Chicago.]
Active Directory Group Structure: WSU Authorization Groups
• Application Groups
• Enterprise Groups
• Provisioned Groups
• Role Groups
  - Employees, Employees.Appointed, Employees.Active
  - Students, Students.Admitted, Students.Enrolled
• Term Groups
  - 2007_sum, 2007_fall, 2008_spr
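The MIIS component above "provisions AD groups" from the metadirectory, and this slide names the role and term groups it feeds. The following is an added example, not WSU's MIIS configuration or code from the presentation: it models attribute-driven provisioning of exactly those groups, including the removals that turn a status change into revoked access. The registry attribute names, the membership rules and the sample records are assumptions; only the group names come from the slide.

```python
import re
from dataclasses import dataclass, field

# Role and term groups as named on the "Active Directory Group Structure" slide.
ROLE_GROUPS = {"Employees", "Employees.Appointed", "Employees.Active",
               "Students", "Students.Admitted", "Students.Enrolled"}
TERM_GROUP = re.compile(r"^\d{4}_(sum|fall|spr)$")   # e.g. 2007_fall, 2008_spr


@dataclass(frozen=True)
class Person:
    """Hypothetical person-registry record; these attribute names are assumptions."""
    nid: str
    appointed: bool = False
    active_employee: bool = False
    admitted: bool = False
    enrolled_terms: frozenset = field(default_factory=frozenset)


def is_provisioned(group: str) -> bool:
    """Groups the metadirectory owns; application groups are left to their owners."""
    return group in ROLE_GROUPS or bool(TERM_GROUP.match(group))


def desired_groups(p: Person) -> set:
    """Derive role and term membership from registry attributes (assumed rules)."""
    groups = set()
    if p.appointed or p.active_employee:
        groups.add("Employees")
    if p.appointed:
        groups.add("Employees.Appointed")
    if p.active_employee:
        groups.add("Employees.Active")
    if p.admitted or p.enrolled_terms:        # enrolment implies admission here
        groups |= {"Students", "Students.Admitted"}
    if p.enrolled_terms:
        groups.add("Students.Enrolled")
        groups |= set(p.enrolled_terms)      # one term group per enrolled term
    return groups


def reconcile(p: Person, current_ad_groups: set) -> tuple:
    """Return (to_add, to_remove) so AD matches the desired state.
    Removals are what revokes access when a status changes; groups the
    metadirectory does not provision (e.g. application groups) are never touched."""
    want = desired_groups(p)
    managed = {g for g in current_ad_groups if is_provisioned(g)}
    return want - current_ad_groups, managed - want
```

Running `reconcile` on every registry change (rather than on request, as with the legacy ad hoc provisioning) keeps AD group membership a function of the authoritative record.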
[Diagram: WSU Network ID Authentication and SSO Environment, Internal Federation 2007. Labels shown: User; Network Services; NID (used at each authentication point); WSU ADFS Federation Server, ADFS Authentication, ADFS Federation SSO; AD Security Server (LDAP authentication); ITS Secure IIS .NET ADFS Web Servers; Distributed Secure IIS .NET ADFS Web Servers; myWSU Oracle Portal; Online Learning Environments; ADFS Enabled Apps (Potential); Distributed Data & Backend Apps; zOS Data & Backend Apps or Other Data Sources (EntireX, Connx).]