CAMP Integration

Reflect & Join: A Case Study
The University of Texas Health Science Center at Houston
William A. Weems, Assistant Vice President, Academic Technology
Middleware Makes the Global Sharing of Resources Invisible to Users.
Increasingly, people must be able to easily and securely exchange information in cyberspace among "known" individuals, and to securely access restricted resources they "know" can be trusted, without having to struggle with numerous and onerous security processes.
• How do you prove you are who you say you are?
• How do you know that someone is legitimate in his or her dealings with you, and how do you get redress if things go wrong?
• If your identity is stolen and used fraudulently, or personal records are altered without your knowledge or permission, how do you prove that it was not you?
• It is difficult enough to verify someone's identity in the tangible world, where forgery, impersonation and credit card fraud are everyday problems related to authentication.
• Such problems take on a new dimension with the movement from face-to-face interaction to the faceless interaction of cyberspace.

Identity and Authentication by Simon Rogerson
Ideally, each individual would like a single digital credential that can be used securely to authenticate his or her identity whenever authentication of identity is required to secure a transaction.
UTHSC-H: An Identity Provider (IdP)

It is critical to recognize that the university functions as an identity provider (IdP) in that UTHSC-H provides individuals with digital credentials that consist of an identifier and an authenticator. As an IdP, the university assumes specific responsibilities and liabilities.
Two Categories of Identity

• Physical Identity – Assigned Identifier – Authentication
  – Facial picture
  – Fingerprints
  – DNA sample
• Identity Attributes – Authorization Attributes
  – Common name
  – Address
  – Institutional affiliations (e.g. faculty, student, staff, contractor)
  – Specific group memberships
  – Roles
  – Etc.
Issuing a Digital Credential

• The individual appears before an Identity Provider (IdP), which accepts the responsibility to
  – positively determine and catalog the person's uniquely identifying physical characteristics (e.g. picture, two fingerprints, DNA sample),
  – assign a unique, everlasting digital identifier to each person identified,
  – issue each identified person a digital credential that can only be used by that person to authenticate his or her identity, and
  – maintain a defined affiliation with each individual whereby the validity of the digital credential is renewed at specified intervals.
[Diagram: Identity Vetting & Credentialing. The Identity Provider (IdP, uth.tmc.edu) obtains the person's physical characteristics, assigns an everlasting identifier that is permanently bound to the person and recorded in a permanent identity database, and issues a digital credential that only that person can activate.]
The University of Texas System
STRATEGIC LEADERSHIP COUNCIL
Statement of Direction: Identity Management
April 27, 2004

• The University of Texas System Information Technology Strategic Leadership Council agrees that deployment of a robust, secure, interoperable infrastructure for identity management in support of inter-institutional collaboration is a strategic goal. This infrastructure will be based upon the available standards and best practices:
  – LDAP (Lightweight Directory Access Protocol) compliant directory services,
  – eduPerson schema as promulgated by EDUCAUSE and Internet2,
  – utperson schema (to be developed),
  – inter-institutional access control utilizing Internet2 Shibboleth, and
  – consistent institutional definitions and identity management trust policies for students, faculty, and staff as well as sponsored affiliates.
UTHSC-H Identity Management System

[Diagram: Source systems HRMS, SIS, GMEIS, Guest and MSUTP feed the Person Registry through identity reconciliation and provisioning processes. The Person Registry feeds the authoritative enterprise directories, which are synced to secondary directories (the labels INDIS, OAC7 and OAC47 also appear). The directories back an authentication service, an authorization service, and user administration tools for password change and attribute management.]
Person Registry – Identity Reconciliation

• Unique identifiers generated by the source of record
  – SSN, if available (HRMS, GMEIS, UTP, Guest, SIS)
  – Student ID
  – Employee Number (HRMS)
• Full name: first, middle, last
• Birth information: date of birth, city of birth, country of birth
• Gender
• UUID – an everlasting unique identifier
[Flowchart: Identity reconciliation of an incoming person record.
• Is New? (no matches or possible matches) – yes: Add.
• Is Single Match? (identifiers match one and only one person, and no possible matches) – yes: Update.
• Is Possible or Multiple Match? (identifiers match more than one person, and/or name or birth information match one or more persons) – yes: Manual Processing.]
Database Schema

• Person Table: UUID, Date of Birth, Place of Birth, Country of Birth
• Identifier Table: ID Name, ID Value
• Name Table: First, Middle, Last
• Gender: Male / Female
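The reconciliation rules from the flowchart, run against the three registry tables of the schema slide, as an added example in Python. This is not UTHSC-H's code: the table and column names, the case-insensitive first/last name comparison used to find "possible matches", and the sample records are all assumptions made for the example.

```python
import sqlite3
import uuid

# Added example, not the university's code. The three tables mirror the
# schema slide (Person, Identifier, Name); column names are assumptions.
SCHEMA = """
CREATE TABLE person (
    uuid TEXT PRIMARY KEY,                 -- the everlasting identifier
    date_of_birth TEXT, place_of_birth TEXT, country_of_birth TEXT, gender TEXT);
CREATE TABLE identifier (
    uuid TEXT NOT NULL REFERENCES person(uuid),
    id_name TEXT NOT NULL,                 -- e.g. SSN, Student ID, Employee Number
    id_value TEXT NOT NULL,
    PRIMARY KEY (id_name, id_value));      -- a source-of-record id belongs to one person
CREATE TABLE name (
    uuid TEXT NOT NULL REFERENCES person(uuid),
    first TEXT, middle TEXT, last TEXT);
"""


def open_registry():
    """Create an empty in-memory Person Registry."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def identifier_matches(conn, record):
    """UUIDs of persons holding any of the record's source-of-record identifiers."""
    found = set()
    for id_name, id_value in record["identifiers"].items():
        rows = conn.execute(
            "SELECT uuid FROM identifier WHERE id_name = ? AND id_value = ?",
            (id_name, id_value))
        found.update(row[0] for row in rows)
    return found


def possible_matches(conn, record):
    """UUIDs whose name or birth information matches the record.

    The slide only says "Name or Birth information match one or more persons";
    comparing first + last case-insensitively, or date of birth, is an assumption.
    """
    rows = conn.execute(
        """SELECT p.uuid FROM person p JOIN name n ON n.uuid = p.uuid
           WHERE (lower(n.first) = lower(?) AND lower(n.last) = lower(?))
              OR p.date_of_birth = ?""",
        (record["first"], record["last"], record["date_of_birth"]))
    return {row[0] for row in rows}


def reconcile(conn, record):
    """Return ('add' | 'update' | 'manual', matched UUIDs) following the flowchart."""
    ids = identifier_matches(conn, record)
    # A person already found by identifier does not also count as a possible match.
    possible = possible_matches(conn, record) - ids
    if not ids and not possible:
        return "add", set()                   # Is New?           -> Add
    if len(ids) == 1 and not possible:
        return "update", ids                  # Is Single Match?  -> Update
    return "manual", ids | possible           # Possible/multiple -> Manual Processing


def apply_record(conn, record):
    """Carry out the decision; 'manual' writes nothing and returns no UUID."""
    decision, matches = reconcile(conn, record)
    if decision == "add":
        new_uuid = str(uuid.uuid4())          # assign the everlasting identifier
        conn.execute("INSERT INTO person VALUES (?, ?, ?, ?, ?)",
                     (new_uuid, record["date_of_birth"], record.get("place_of_birth"),
                      record.get("country_of_birth"), record.get("gender")))
        conn.execute("INSERT INTO name VALUES (?, ?, ?, ?)",
                     (new_uuid, record["first"], record.get("middle"), record["last"]))
        for id_name, id_value in record["identifiers"].items():
            conn.execute("INSERT INTO identifier VALUES (?, ?, ?)",
                         (new_uuid, id_name, id_value))
        return decision, new_uuid
    if decision == "update":
        (existing,) = matches
        for id_name, id_value in record["identifiers"].items():   # bind any new ids
            conn.execute("INSERT OR IGNORE INTO identifier VALUES (?, ?, ?)",
                         (existing, id_name, id_value))
        return decision, existing
    return decision, None


# Constructed sample records (not real data): the same person as seen by HR
# and by the student system, with different identifiers and name casing.
SAMPLE_HR = {"first": "Alice", "middle": "M", "last": "Nguyen",
             "date_of_birth": "1980-05-04", "place_of_birth": "Houston",
             "country_of_birth": "US", "gender": "Female",
             "identifiers": {"SSN": "000-00-0001", "Employee Number": "E100"}}
SAMPLE_SIS = {"first": "alice", "last": "NGUYEN", "date_of_birth": "1980-05-04",
              "identifiers": {"SSN": "000-00-0001", "Student ID": "S7"}}

if __name__ == "__main__":
    registry = open_registry()
    print(apply_record(registry, SAMPLE_HR))    # ('add', <new uuid>)
    print(apply_record(registry, SAMPLE_SIS))   # ('update', <same uuid>)
```

The composite primary key on the identifier table enforces the "unique identifiers generated by source of record" rule, so a multiple match can only arise when different identifiers in one record point at different persons, which is exactly the case the flowchart routes to manual processing rather than letting the code guess.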
[Flowchart: Guest Management System. A sponsor submits a guest request (sponsor's request forms); the applicant appears before the LRAA, who verifies and certifies the applicant's data (the LRAA's review/update forms move the data from unverified to verified). The verified data is submitted to identity reconciliation against the Person Registry, with three outcomes:
• Not in Person Registry (new person): assign a UUID and add the person to the Person Registry, then add the guest to the guest database and create the LDAP entry.
• Applicant in Person Registry: check present affiliations against the enterprise LDAP directory; if the applicant is currently affiliated, the sponsor's guest request is voided, otherwise the guest is added to the guest database.
• Possible identity match: the LRAA resolves the ID uncertainty before the guest is added to the guest database.
Approval processes run on the LRAA's approval form, after which the LRAA credentials the guest.]
Identity Vetting & Credentialing: UTHSC-H Two Factor Authentication

[Diagram: the IdP flow shown earlier (uth.tmc.edu obtains physical characteristics, assigns an everlasting identifier permanently bound to the person in the permanent identity database, and issues a digital credential with person-only activation); the slide marks two of its steps with question marks.]
Identity Vetting & Credentialing: UTHSC-H Username/Password Authentication

[Diagram: the same IdP flow, with person-only activation performed using the network username and password; the slide marks the vetting and binding steps with far more question marks than the two-factor version.]
UTHSC-H Strategic Authentication Goals

• Two authentication mechanisms:
  – Single university ID (UID) and password
  – Public key digital ID on token (two-factor authentication)
• Digital signatures
• Highly secure access control
• Potential for inherent global trust