TRANSCRIPT
Presenters (East to West):
Suresh Balakrishnan, University System of Maryland
Dennis Cromwell, Indiana University - Bloomington
Melinda Jones, University of Colorado at Boulder
Mark Crase, California State University
David Bantz, University of Alaska
Strategies for Directory Deployment - Centralized, Distributed, Federated, Decentralized
University System of Maryland Identity Management Infrastructure: Vision, Architecture, and Strategies
Suresh Balakrishnan, University System of Maryland
Vision
• Create a unifying layer across autonomous institutions: identification, affiliation
• Provide transparent access to shared services: authentication, authorization
• Provide a foundation for more advanced services, e.g. PKI
• Provide a vehicle for coordination with K-12 education in the State
• Integrate education in Maryland into a broader fabric
Library Applications
• Currently in use/development: Rock-n-Roll Reserves; Digital Library Access
• Future possibilities: shared and unique resources for institutions; multiple institutional affiliations; auto-populating the patron database
Architecture & Collaborative Efforts
• Highly decentralized implementation context
• System-wide work group developing guidance materials: tool kit; demonstrations of local and collaborative apps
• Testing Shibboleth
Indiana University Global Directory Services
• Centralized directory structure
• Flat name space: 150,000 actual users (100,000 students; 20,000 faculty and appointed staff; 30,000 others)
• Seven campuses
• Provides updates for the two authentication services: Kerberos and ADS
• Implements the eduPerson schema with extensions
Indiana University Directory Entries
• Directory automatically loaded from SIS and HR systems
• IU faculty, staff and students
• Sponsored accounts: affiliates of IU; data is entered into the PeopleSoft system and picked up as part of the load
• An account cannot be created until there is an entry in the Directory
Indiana University – Architecture
• OpenLDAP
• Batch feeds from SIS and HRMS
• API for LDAP abstracts access
• ADS used in conjunction for non-enterprise type groups
• Account Management System and Address Book read the Directory
Indiana University Future Directions
• Real-time updates from SIS/HRMS
• “Guest” stored in directory
• Cleaning up old technology components and integrating technical components
• Disaster recovery replication and automatic failover
• Better purge procedures
• Decision support functions
University of Colorado System
• 4 unique campuses – traditional, non-traditional, and health sciences + System Services Campus
• 49,000 students total (28,000 at Boulder campus)
• 22,000 employees
Melinda Jones, University of Colorado at Boulder
Directory Services Project: Goals
• Develop common infrastructure
• Develop UCB Enterprise Directory
• Create trusted, authoritative data source
• Usable by variety of applications & services
• Identity, data & relationship management
• Authentication/Authorization
Object class hierarchy and attributes (slide diagram; the class-to-attribute grouping is reconstructed from the diagram labels):

person: cn, description, seeAlso, sn, telephoneNumber, userPassword
organizationalPerson (superior: person): facsimileTelephoneNumber, ou, postalAddress, street, st, postalCode, postOfficeBox, preferredDeliveryMethod, title
inetOrgPerson (superior: organizationalPerson): departmentNumber, displayName, employeeNumber, employeeType, homePhone, homePostalAddress, jpegPhoto, labeledURI, mail, uid
eduPerson: affiliation, jobClassification, nickName, orgDN, orgUnitDN, primaryAffiliation, principalName, schoolCollegeName
cuEduPerson: Uuid, au activities & research, alternateContact, campus, degreeInstitution & Yr, employmentStartDate, Expertise, feesIndicator, highestDegree, homeDepartment, ISO, major, minor, class, Privacy, SID, SSN
coloradoPerson: Macgridnumber, Machomelocpath, Machomedir
cusysPerson
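The Indiana and Colorado slides both describe a directory that stacks the standard person classes, eduPerson and a campus extension class, with entries arriving from SIS/HR batch feeds. The check a loader should run before accepting such an entry is shown below as an added example; it is not code from the presentation or from either university. The MUST/MAY lists are a simplified assumption modelled on the slide (eduPerson attributes carry their published prefix, which the slide omits; cuEduPerson and its cu-prefixed attributes are hypothetical stand-ins for the campus extension), and the RESTRICTED list is an assumed policy, not one stated on the page.

```python
"""Schema check for a directory entry that stacks the standard person classes,
eduPerson and a local extension class.

Added example, not code from the presentation. The MUST/MAY lists are a
simplified assumption modelled on the slide; cuEduPerson and the cu* names
are hypothetical. A real loader reads these lists from the server's subschema.
"""

# objectClass -> (superior class, MUST attributes, MAY attributes)
SCHEMA = {
    "top": (None, set(), set()),
    "person": ("top", {"cn", "sn"},
               {"description", "seeAlso", "telephoneNumber", "userPassword"}),
    "organizationalPerson": ("person", set(),
               {"facsimileTelephoneNumber", "ou", "postalAddress", "street", "st",
                "postalCode", "postOfficeBox", "preferredDeliveryMethod", "title"}),
    "inetOrgPerson": ("organizationalPerson", set(),
               {"departmentNumber", "displayName", "employeeNumber", "employeeType",
                "homePhone", "homePostalAddress", "jpegPhoto", "labeledURI", "mail", "uid"}),
    # eduPerson is auxiliary: it hangs off top and is added alongside inetOrgPerson
    "eduPerson": ("top", set(),
               {"eduPersonAffiliation", "eduPersonNickname", "eduPersonOrgDN",
                "eduPersonOrgUnitDN", "eduPersonPrimaryAffiliation", "eduPersonPrincipalName"}),
    # hypothetical campus extension (names assumed, modelled on the slide)
    "cuEduPerson": ("top", {"cuUuid"},
               {"cuCampus", "cuHomeDepartment", "cuMajor", "cuPrivacy", "cuSID", "cuSSN"}),
}

# Assumed policy list: attributes a loader should not accept into the general
# directory without an explicit decision (the slide lists Privacy, SID, SSN).
RESTRICTED = {"cuSID", "cuSSN"}


def expand_classes(classes):
    """Return the given classes plus every superior class, up to top."""
    seen, stack = set(), list(classes)
    while stack:
        cls = stack.pop()
        if cls in seen:
            continue
        if cls not in SCHEMA:
            raise ValueError(f"unknown objectClass: {cls}")
        seen.add(cls)
        superior = SCHEMA[cls][0]
        if superior is not None:
            stack.append(superior)
    return seen


def validate_entry(entry):
    """Return a list of problems; an empty list means the entry is schema-valid.
    entry: dict of attribute name -> list of values, including 'objectClass'."""
    classes = set(entry.get("objectClass", []))
    if not classes:
        return ["entry has no objectClass"]
    try:
        full = expand_classes(classes)
    except ValueError as exc:
        return [str(exc)]
    # servers require every superior class to be listed explicitly
    problems = [f"missing superior objectClass: {c}" for c in sorted(full - classes)]
    must, may = set(), set()
    for cls in full:
        must |= SCHEMA[cls][1]
        may |= SCHEMA[cls][2]
    present = {a for a in entry if a != "objectClass"}
    problems += [f"missing required attribute: {a}" for a in sorted(must - present)]
    problems += [f"attribute not allowed by any objectClass: {a}"
                 for a in sorted(present - must - may)]
    return problems


def restricted_attributes(entry):
    """Attributes in the entry that the assumed policy marks restricted."""
    return sorted(set(entry) & RESTRICTED)


def sample_entries():
    """Constructed sample: one clean HR-feed entry and one defective entry."""
    good = {
        "objectClass": ["top", "person", "organizationalPerson", "inetOrgPerson",
                        "eduPerson", "cuEduPerson"],
        "cn": ["Jane Doe"], "sn": ["Doe"], "uid": ["jdoe"],
        "mail": ["jdoe@example.edu"], "eduPersonAffiliation": ["student"],
        "cuUuid": ["00000000-0000-4000-8000-000000000001"], "cuCampus": ["Boulder"],
    }
    bad = {
        "objectClass": ["inetOrgPerson", "cuEduPerson"],   # superiors not listed
        "cn": ["John Roe"], "uid": ["jroe"],                 # sn and cuUuid missing
        "favouriteColour": ["blue"],                         # not in any class
        "cuSSN": ["000-00-0000"],                            # restricted by policy
    }
    return good, bad


if __name__ == "__main__":
    for label, e in zip(("good", "bad"), sample_entries()):
        print(label, validate_entry(e) or "OK", "restricted:", restricted_attributes(e))
```

Running the block reports the good entry as OK and lists, for the bad one, the three unlisted superiors, the two missing required attributes, the stray attribute and the restricted cuSSN value; a batch loader would reject the entry on the first list and route the last to a privacy review rather than silently publishing it.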
[Diagram: Directory Services Project organization and systems (layout lost in extraction). Labels recoverable from the slide: Identifiers…; Core Team; Steering Team; Campus Experts; Business Rules; SIS; HR; Boulder; 4-Campus Registry; Boulder/Central Enterprise Directory; Campus-specific; University-wide; Common Infrastructure; WebCT AuthN; MacOS AuthN; UCB calendar; Spons. Entry; Card Office AuthN; ITS svcs; Bldr Email; UCB Directory; Identity Recon.; Directory Build; cu.edu (concept); SIS/HR Registry; White Pages; CS Directory; CUSYS Directory; UCD Directory; Faculty “Portal”; Student Portal; Library – Digital AuthN; Identity/Access; Campus File System.]
The California State University
• 23 campuses: 1 research institution (R2), 21 4-year comprehensive institutions, California Maritime Academy
• 400,000 students; 60,000 faculty and staff
Mark Crase, California State University
Planning Activities
• Identified internal and external drivers for multi-campus approach
• Defined development principles:
  1. Foster collaborative efforts among CSU campuses
  2. Foster collaboration with others (I2, UC, CCC, etc.)
  3. Use directories as the starting point for more comprehensive middleware effort
  4. Standards-based w/o mandatory apps/tools
  5. Initially, campus participation is voluntary, but adoption of eduPerson was mandatory
• Communicated at all levels of institution
Initial Deployment Objectives
• Maintain appearance of unified directory architecture
• Adopt a common view (eduPerson, etc.)
• Define common CSU objects and unique campus objects
• Adopt a system-wide unique identifier
• Security of Directory had to be no less than the most secure application being supported
• Standards compliant, but no mandatory tools (LDAP now, others later)
Initial Architecture Proposal
• Distributed directory model (campus directories, LDAP v3 referrals to all others)
• Domain component naming
• Adoption of eduPerson 1.0 (now 2.0)
• Extension to calstateEduPerson (affiliation, major, SecurityFlag, VOIP address)
• Provision for campusEduPerson attributes
• Global unique ID based on “uniqueness” algorithm
• Secure directory servers (SSL)
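The distributed model above relies on two mechanisms working together: domain component naming, so that the dc suffix of a DN identifies the campus that masters it, and LDAP v3 referrals, so that a query to the wrong campus server is redirected rather than answered with "no such object". The added example below is not CSU code; it simulates both with in-memory stand-ins. The campus names, naming contexts, server URLs and entries are constructed. The security point it carries is the client side: a referral is data supplied by a server, so the client chases it only to servers it already trusts and only for a bounded number of hops, because rebinding with a user's credentials to whatever host a referral names would hand those credentials to that host.

```python
"""Locate the campus directory responsible for a DN under domain-component
naming and follow LDAP v3-style referrals with a trust list and hop limit.

Added example, not CSU code. Campus names, server URLs, naming contexts and
entries are constructed; the servers are in-memory stand-ins for LDAP servers.
"""
from urllib.parse import urlsplit

# Constructed referral table: naming context (dc suffix) -> server that masters it.
NAMING_CONTEXTS = {
    "dc=calstate,dc=edu": "ldaps://directory.calstate.example",
    "dc=campus-a,dc=calstate,dc=edu": "ldaps://ldap.campus-a.example",
    "dc=campus-b,dc=calstate,dc=edu": "ldaps://ldap.campus-b.example",
}
# A client only chases referrals to servers it already trusts; a referral is
# server-supplied data, not something to bind to blindly with user credentials.
TRUSTED_SERVERS = set(NAMING_CONTEXTS.values())


def parse_dn(dn):
    """Split a DN into (type, value) pairs, most specific RDN first.
    Simplified: no escaped commas and no multi-valued RDNs."""
    return [tuple(part.strip().split("=", 1)) for part in dn.split(",")]


def naming_context_for(dn):
    """Longest registered naming context that is a suffix of dn, or None."""
    rdns = parse_dn(dn)
    for i in range(len(rdns)):
        suffix = ",".join(f"{t}={v}".lower() for t, v in rdns[i:])
        if suffix in NAMING_CONTEXTS:
            return suffix
    return None


def server_base(url):
    """'ldaps://host/dn' -> 'ldaps://host', the part the client must trust."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}"


class CampusServer:
    """Stand-in for one directory server: answers for its own naming context
    and returns an LDAP-style referral URL for any other registered context."""

    def __init__(self, url, entries):
        self.url = url
        self.entries = {dn.lower(): attrs for dn, attrs in entries.items()}

    def search(self, dn):
        context = naming_context_for(dn)
        if context is None:
            return "noSuchObject", None
        owner = NAMING_CONTEXTS[context]
        if owner == self.url:
            return "entry", self.entries.get(dn.lower())
        return "referral", f"{owner}/{dn}"


def lookup(start_url, dn, servers, max_hops=3):
    """Search dn starting at start_url, chasing referrals only to trusted servers.
    Returns (result kind, entry or None, hops taken)."""
    url = start_url
    for hop in range(max_hops + 1):
        if url not in TRUSTED_SERVERS:
            raise PermissionError(f"refusing to contact untrusted server {url}")
        kind, payload = servers[url].search(dn)
        if kind != "referral":
            return kind, payload, hop
        url = server_base(payload)
    raise RuntimeError(f"referral limit of {max_hops} exceeded for {dn}")


def sample_servers():
    """Constructed deployment: a central server plus two campus servers."""
    return {
        "ldaps://directory.calstate.example": CampusServer(
            "ldaps://directory.calstate.example",
            {"ou=people,dc=calstate,dc=edu": {"ou": "people"}}),
        "ldaps://ldap.campus-a.example": CampusServer(
            "ldaps://ldap.campus-a.example",
            {"uid=alice,ou=people,dc=campus-a,dc=calstate,dc=edu":
             {"uid": "alice", "eduPersonAffiliation": "faculty"}}),
        "ldaps://ldap.campus-b.example": CampusServer(
            "ldaps://ldap.campus-b.example",
            {"uid=bob,ou=people,dc=campus-b,dc=calstate,dc=edu":
             {"uid": "bob", "eduPersonAffiliation": "student"}}),
    }


if __name__ == "__main__":
    servers = sample_servers()
    print(lookup("ldaps://ldap.campus-a.example",
                 "uid=bob,ou=people,dc=campus-b,dc=calstate,dc=edu", servers))
```

A query for bob sent to campus A's server comes back as one referral and is resolved at campus B; a DN under a dc that no campus has registered falls through to the central server, which simply has no such entry; a start server or referral target outside the trust list is refused before any connection is attempted. The same trust list is what a production client would consult in its referral-chasing callback.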
Final Recommendations
• Central directory servers (redundant and diverse)
• Submit campus data to system-wide directory registry service (like DoDHE CDS)
• Common view with extensions, unique ID, security
• Minimum central attributes option
• Expanded central attributes option
2003.10.14
UA Enterprise Directory
David Bantz, University of Alaska
• Centralized core data
• Campus applications
• Contacts: self-service
UA Directory Status
• 67,000 students; 10,000 employees; 760 departments
• Departments linked to employees
• Web gateway interface supports searching, listing, self-service data
• Scheduled & ad hoc batch updates from multiple sources
UA Enterprise Directory Strategy: Environmental Challenges
• Distributed implementation team
• Complex interface constraints – based on attributes or roles
• Sub-set vs. super-set philosophies
• Two-phase commit for self-service edits (Registry/EDir)
• Registry (Oracle db) enforces UA rules (syntax, constraints, validation values)
• Distributed admin facilitated by attribute-based roles (role-based ACIs)
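The last three points describe one edit path: a self-service or departmental change is authorized by a role derived from attributes on the acting user's entry, checked against the Registry's syntax and value rules, and then written to the Registry and the directory (EDir) under a two-phase commit so the two never disagree. The added example below puts those three steps in order; it is not UA code. The rules, the roles, the attribute uaAdminOf that grants departmental admin, and both stores (in-memory dicts with prepare/commit/rollback) are constructed stand-ins for the Oracle registry and the LDAP directory the slide names.

```python
"""Self-service edit path for an enterprise directory: attribute-based role
check, registry rule validation, then a two-phase commit across the Registry
and the directory (EDir) so the two stores never diverge.

Added example, not UA code. Rules, roles, the hypothetical uaAdminOf attribute
and both stores are constructed stand-ins; the real Registry is an Oracle
database and EDir an LDAP server.
"""
import copy
import re

# Constructed registry rules: attribute -> (syntax regex or None, allowed values or None)
RULES = {
    "telephoneNumber": (re.compile(r"^\+?[0-9][0-9 .-]{6,20}$"), None),
    "mail": (re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$"), None),
    "preferredDeliveryMethod": (None, {"email", "phone", "campus-mail"}),
    "title": (re.compile(r"^[A-Za-z ,.-]{1,64}$"), None),
}
# Constructed role -> writable attributes (the ACI side of "attribute-based roles")
ROLE_ATTRS = {
    "self": {"telephoneNumber", "mail", "preferredDeliveryMethod"},
    "deptAdmin": {"telephoneNumber", "mail", "preferredDeliveryMethod", "title"},
}


def roles_for(actor, target):
    """Roles come from attributes, not a static admin list: 'self' for one's own
    entry, 'deptAdmin' when the actor's (hypothetical) uaAdminOf attribute names
    the target's departmentNumber."""
    roles = set()
    if actor["uid"] == target["uid"]:
        roles.add("self")
    if target.get("departmentNumber") in actor.get("uaAdminOf", []):
        roles.add("deptAdmin")
    return roles


def validate(changes):
    """Registry rule check; attributes without a rule are refused outright."""
    errors = []
    for attr, value in changes.items():
        if attr not in RULES:
            errors.append(f"{attr}: no registry rule")
            continue
        regex, allowed = RULES[attr]
        if regex is not None and not regex.match(value):
            errors.append(f"{attr}: bad syntax")
        if allowed is not None and value not in allowed:
            errors.append(f"{attr}: value not allowed")
    return errors


class Store:
    """One participant in the commit: Registry or EDir."""

    def __init__(self, name, entries, fail_on_commit=False):
        self.name, self.entries, self.pending = name, entries, {}
        self.fail_on_commit = fail_on_commit   # simulates a phase-2 failure

    def prepare(self, uid, changes):
        if uid not in self.entries:
            return False
        self.pending[uid] = dict(changes)
        return True

    def commit(self, uid):
        if self.fail_on_commit:
            raise IOError(f"{self.name}: commit failed")
        self.entries[uid].update(self.pending.pop(uid))

    def rollback(self, uid):
        self.pending.pop(uid, None)


def self_service_edit(actor, uid, changes, registry, edir):
    """Authorize, validate, then two-phase commit. Returns (ok, messages)."""
    target = registry.entries.get(uid)
    if target is None or not changes:
        return False, ["no such entry or nothing to change"]
    allowed = set().union(*(ROLE_ATTRS[r] for r in roles_for(actor, target)))
    denied = sorted(set(changes) - allowed)
    if denied:
        return False, [f"access denied for: {', '.join(denied)}"]
    errors = validate(changes)
    if errors:
        return False, errors
    participants = [registry, edir]
    # Phase 1: both must accept the change before anything is written.
    if not all(p.prepare(uid, changes) for p in participants):
        for p in participants:
            p.rollback(uid)
        return False, ["prepare failed; nothing changed"]
    # Phase 2: commit. Simplified recovery: a real coordinator logs the decision
    # and retries; here a failure is undone from a snapshot so both stores agree.
    snapshots = {p.name: copy.deepcopy(p.entries[uid]) for p in participants}
    done = []
    try:
        for p in participants:
            p.commit(uid)
            done.append(p)
    except IOError as exc:
        for p in done:
            p.entries[uid] = snapshots[p.name]
        for p in participants:
            p.rollback(uid)
        return False, [f"{exc}; change undone in {[p.name for p in done]}"]
    return True, [f"{uid} updated in Registry and EDir"]


def sample_stores(fail_edir=False):
    """Constructed data, duplicated in both stores as after a batch load."""
    people = {
        "jdoe": {"uid": "jdoe", "departmentNumber": "D100", "title": "Analyst",
                 "telephoneNumber": "907-555-0100", "mail": "jdoe@example.edu"},
        "admin1": {"uid": "admin1", "departmentNumber": "D100", "uaAdminOf": ["D100"]},
        "xyz": {"uid": "xyz", "departmentNumber": "D200"},
    }
    return (Store("Registry", copy.deepcopy(people)),
            Store("EDir", copy.deepcopy(people), fail_on_commit=fail_edir))
```

The ordering matters: the access check runs against the Registry's copy of the target entry (the authoritative one), validation rejects anything the Registry has no rule for rather than passing it through, and the directory is never written unless the Registry has also accepted the change. The deptAdmin role is granted by an attribute on the administrator's own entry, which is what lets administration be distributed without a central ACL edit for every department.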
UA Enterprise Directory Responses to Challenges