APS 7 Identity Management: How and Why. Kirk M. Anne, Assistant Director, Systems & Networking, State University of New York College at Geneseo, kma@geneseo.edu. HighEdWeb 2008 – October 7, 2008
Dec 20, 2015

Transcript
Page 1:

APS 7 Identity Management: How and Why
Kirk M. Anne
Assistant Director, Systems & Networking
State University of New York College at Geneseo
kma@geneseo.edu
HighEdWeb 2008 – October 7, 2008

Page 2:

A little about Geneseo

• Small public liberal arts college in Western NY
• Around 5,300 undergrad, 200 grad students
• Around 300 faculty
• Around 700 support staff employees
• Around 42,000 active alumni
• An original campus of SUNY

Page 3:

A little about SUNY

• State University of New York formed in 1948
  – 64 campuses serve over 425,000 students
  – Over 7500 courses of study
  – Over 3400 D/L courses for over 100,000 students
  – Over 83,000 employees
  – Over 2.4 million alumni
  – Around a $10 billion budget

Page 4:

What is an Identity?

• noun (pl. identities)
  – 1 the fact of being who or what a person or thing is.
  – 2 the characteristics determining this.
  – 3 a close similarity or affinity.

• How do we deal with the fact component?
• How does affinity affect those characteristics?
• How do we deal with “multiple identities”?
• How do we prove an electronic identity?

Page 5:

Problems we faced/are facing

• “Source of Record” for somebody’s identity?
• Student versus Faculty/Staff?
• How do you identify somebody electronically?
• Where is the paperwork for HR/Records?
• Why can’t people have just one SSN?
• Keep and delete adjuncts at the same time?
• What about “generic” accounts?
  – “Service accounts”, student groups, “affiliates”

Page 6:

What is Identity Management?

Definitions of identity management from the Web:

• Strictly speaking identity management is the identification of authorized users and their enrollment in a system that is used to manage their identity information. However, the management of identity information is not an end in itself; it is used to facilitate business activities such as physical access control, information systems access control, and workflow automation in accordance with business policies. This identity management is an integrated system of business processes, policies and technologies.
  http://www.corestreet.com/glossary/

• The creation of flexible definitions for individuals and groups which authenticates users and allows different levels of authorisation depending on the service used.
  http://www.ict.ox.ac.uk/strategy/plan/plan.xml.ID=appF

• An integrated system of business processes, policies and technologies that enables organizations to facilitate and control user access to critical online applications and resources, while protecting confidential personal and business information from unauthorized users.
  http://www.comcare.org/Patient_Tracking/IPTI-Glossary.html

• In information systems, identity management, sometimes referred to as identity management systems, involves the management of the identity life cycle of entities (subjects or objects) during which the system:
  1. Establishes the identity
     1. Links a name (or number) with the subject or object;
     2. Re-establishes the identity (i.e. links a new or additional name, or number, with the subject or object);
  2. Describes the identity
     1. Optionally assigns one or more attributes applicable to the particular subject or object to the identity;
     2. Re-describes the identity (i.e. changes one or more attributes applicable to the particular subject or object);
  3. Destroys the identity
  http://en.wikipedia.org/wiki/Identity_management

Page 7:

What is Identity Management?

• Not an end in itself
• Business processes, policies and programs
• Flexible definitions of people and groups
• Must protect confidential information
• Handling the “identity life cycle” of an entity
  – Establish the identity
  – Describe the identity
• #5 on EDUCAUSE 2008 “Top 10 Issues”

Page 8:

The “Big Picture”

[Diagram slide; no text recovered]

Page 9:

Let’s enter the “Wayback Machine”

• Identity (aka Account) Management (1998)
  – The “Über Database” Theory
    • Contains all information for all accounts ever created
    • Tracks UNIX uid and username usage
    • Matches SSN to uid and username
    • Keeps basic personal information for each identity
  – Account Management tools
    • Easily create accounts for UNIX and NT
    • Easily delete accounts for UNIX and NT
    • Synchronize passwords between UNIX and NT (ssod)

Page 10:

“Now we stepped in it…”

• my.geneseo.edu portal project (2006)
  – We decided to concentrate on the “my” part
    • Need personal information now
    • Need a way to synchronize account information
    • Need groups for permissions
• “Unfunded mandates”
  – iTunes University support needed
  – SUNY System Administration requires us to provide local info
  – “Mailing lists” for everyone and everything
  – Maintaining identities forever for Banner access

Page 11:

How are we going to get there?

• Directory Services
  – Contain the “characteristics” (attributes)
  – Provide a method for authentication
• Harvesters/Identity Mgmt Tools
  – Harvest “Sources of Truth” for attribute updates
  – Convert business processes to id mgmt action
• CAS/Shibboleth
  – Provide attributes to services (SOA)
  – Simplify passing information from identity store to apps

Page 12:

What we have now

[Architecture diagram; only the node labels survive extraction: “Sources of Truth”: Banner, HRMS, SUNY HR System, SUNY Applications System; directories: iPlanet, AD, OID; glue: Perl, SSOD; account types: Service Accts, Dept Accts, Org Accts, “Affiliates”; consumers: Web Apps, Library Apps, Angel, SUNY Portal, Email System, mygeneseo.edu]

Page 13:

Where we want to go

[Architecture diagram; only the node labels survive extraction: “Sources of Truth”: Banner, HRMS, SUNY HR System, SUNY Applications System; directory/identity components: OID, AD, OIF; glue: Perl, PL/SQL, DIP; account types: Service Accts, Dept Accts, Org Accts, “Affiliates”; consumers: Web Apps, Library Apps, Angel, SUNY Portal, Email System]

Page 14:

Directory Services

• LDAP the protocol, LDIF the file format
  – PL/SQL to use Banner and HRMS for updating
  – Perl/VB to provision UNIX and Windows accounts
• Directory Integration Protocol (DIP)
  – Allows mapping into other directory servers (Active Dir)
• Delegated Administration Service (DAS)
  – Self-service password reset
  – Self-editable attributes
• Access Control Lists (ACL)
  – Protect information from prying eyes

Page 15:

LDAP/LDIF Information

• Data is stored in a hierarchy
• Keyed by the “distinguished name” (DN)
• objectclasses and attributes
  – Objectclass is a defined group of attributes
  – Attributes hold the values (single/multiple)
• OID (Object IDentifier)
• Base search paths
• Tall versus flat tree design
• Thick (a lot of data in tree) or thin (no data)

Page 16:

Tall versus Flat

Flat tree:

    dc=edu
      dc=geneseo
        cn=users
        cn=groups

    DN format: cn=kma,cn=users,dc=geneseo,dc=edu
    Base DN:   dc=geneseo,dc=edu

Tall tree:

    o=geneseo.edu
      ou=Provost
        ou=Art
          ou=Photo
        ou=Chemistry
        ou=Education
      ou=Alumni
      ou=business

    DN format: uid=kma,ou=Photo,ou=Art,ou=Provost,o=geneseo.edu
    Base DN:   o=geneseo.edu

Page 17:

organizationalPerson

    cn                          common name
    objectClass                 object class
    sn                          Surname
    description                 Description
    destinationIndicator
    facsimileTelephoneNumber    Fax number
    internationaliSDNNumber
    l                           Locality (City)
    ou                          Organizational Unit
    physicalDeliveryOfficeName
    postalAddress
    postalCode
    postOfficeBox
    preferredDeliveryMethod
    registeredAddress
    seeAlso                     DN
    st                          State
    street                      Street (Building/Office)
    telephoneNumber             Telephone Number
    teletexTerminalIdentifier
    telexNumber
    title                       Title
    userPassword
    x121Address

Page 18:

inetOrgPerson

    audio
    businessCategory            kind of business performed
    carLicense                  License
    departmentNumber            dept code
    displayName                 Name to be displayed
    employeeNumber              employee number
    employeeType                type of employee
    givenName                   First name
    homePhone                   Home Phone
    homePostalAddress           Home address
    initials                    Initials
    jpegPhoto                   JPEG photo
    labeledURI                  web page
    mail                        "Official" mail address
    manager                     DN of manager
    mobile                      Cell Phone Number
    o                           organization name
    pager                       Pager Number
    photo
    preferredLanguage           Preferred Language
    roomNumber                  Office Number
    secretary                   DN of secretary
    uid                         Username
    userCertificate
    userPKCS12
    userSMIMECertificate
    x500uniqueIdentifier

Page 19:

person/eduPerson/sunyPerson

eduPerson

    eduPersonAffiliation          relationship to institution
    eduPersonNickname             informal name
    eduPersonOrgDN                DN of org tree
    eduPersonOrgUnitDN            DN of org unit
    eduPersonPrimaryAffiliation   Primary relationship
    eduPersonPrincipalName        The "NetID"
    eduPersonEntitlement          set of rights
    eduPersonPrimaryOrgUnitDN     Primary org unit
    eduPersonScopedAffiliation    "Security domain"
    eduPersonTargetedID

sunyPerson

    sunyPersonId
    sunyStudentId

person

    sn                 Surname
    cn                 Common (container) Name
    userPassword       Password
    telephoneNumber    Phone Number
    seeAlso
    description        Description

Page 20:

orclUserV2

    orclHireDate
    orclDateOfBirth
    orclMaidenName
    orclIsVisible
    orclDisplayPersonalInfo
    middleName
    orclDefaultProfileGroup
    orclTimeZone
    orclIsEnabled
    orclPasswordHintAnswer
    orclPasswordHint
    orclWorkFlowNotificationPref
    orclActiveStartDate
    orclActiveEndDate
    orclGender
    userPKCS12
    orclPKCS12Hint
    orclPassword
    authPassword
    orclPasswordVerifier
    orclSecondaryUID
    krbPrincipalName
    orclWirelessAccountNumber
    orclUIAccessibilityMode
    assistant
    orclSAMAccountName
    orclUserProvMode

Page 21:

Unix classes

posixAccount

    cn
    uid              Username
    uidNumber        Unix user id number
    gidNumber        Unix group id number
    homeDirectory    Home Directory
    loginShell       Login Shell
    gecos            Unix Display Name
    description      Description

shadowAccount

    uid
    shadowLastChange   Last change day
    shadowMin          min days before change
    shadowMax          max days before change
    shadowWarning      days for warning
    shadowInactive     number of days after expire to disable
    shadowExpire       days since 1/1/70 to expiration
    shadowFlag         reserved field
    description        Description

Page 22:

Defining a new SUNY object class

    # 1.3.6.1.4.1.1466.115.121.1.36 is the Numeric String syntax (RFC 4517);
    # the syntax OID is written unquoted, as RFC 4512 specifies
    attributetype ( 1.3.6.1.4.1.27652.1.1.1.1.1.1
        NAME 'sunyPersonId'
        DESC 'Identifier for SUNY employee'
        EQUALITY numericStringMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.36 )

    attributetype ( 1.3.6.1.4.1.27652.1.1.1.1.1.2
        NAME 'sunyStudentId'
        DESC 'Identifier for SUNY student'
        EQUALITY numericStringMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.36 )

    # sunyPerson objectclass definition
    # can only be done after attributes established
    objectclass ( 1.3.6.1.4.1.27652.1.1.1.1.2
        NAME 'sunyPerson'
        AUXILIARY
        MAY ( sunyPersonId $ sunyStudentId ) )
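The definitions above are only useful if the values loaded into the directory actually satisfy the syntax they declare. The following parser, added here and not part of the presentation, reads RFC 4512 style attributetype/objectclass descriptions (the slide's own three definitions are the input), checks that every attribute an objectclass lists in MAY/MUST has a definition, and validates values against the Numeric String syntax from RFC 4517. The sample entry at the bottom is constructed; the identifier values in it are not real.

```python
"""Parse attributetype / objectclass descriptions and validate values against
the declared syntax.  Added example, not code from the presentation; the three
definitions are the slide's, the Numeric String rule is RFC 4517 section 3.3.23,
and ENTRY is a constructed sample."""
import re

# Tokens: parentheses, '$' separators, single-quoted strings, bare words
TOKEN = re.compile(r"\(|\)|\$|'[^']*'|[^\s()'$]+")
FLAGS = {"ABSTRACT", "STRUCTURAL", "AUXILIARY", "OBSOLETE", "SINGLE-VALUE",
         "COLLECTIVE", "NO-USER-MODIFICATION"}

SCHEMA_TEXT = [
    "attributetype ( 1.3.6.1.4.1.27652.1.1.1.1.1.1 NAME 'sunyPersonId' "
    "DESC 'Identifier for SUNY employee' EQUALITY numericStringMatch "
    "SYNTAX 1.3.6.1.4.1.1466.115.121.1.36 )",
    "attributetype ( 1.3.6.1.4.1.27652.1.1.1.1.1.2 NAME 'sunyStudentId' "
    "DESC 'Identifier for SUNY student' EQUALITY numericStringMatch "
    "SYNTAX 1.3.6.1.4.1.1466.115.121.1.36 )",
    "objectclass ( 1.3.6.1.4.1.27652.1.1.1.1.2 NAME 'sunyPerson' AUXILIARY "
    "MAY ( sunyPersonId $ sunyStudentId ) )",
]

NUMERIC_STRING = "1.3.6.1.4.1.1466.115.121.1.36"
# Numeric String: one or more digits or spaces, nothing else
SYNTAX_CHECKS = {NUMERIC_STRING: lambda v: re.fullmatch(r"[0-9 ]+", v) is not None}


def parse_description(text):
    """Return {'kind', 'oid', 'flags', KEYWORD: value-or-list}."""
    toks = TOKEN.findall(text)
    if toks[1] != "(" or toks[-1] != ")":
        raise ValueError("description must be parenthesised")
    desc = {"kind": toks[0].lower(), "oid": toks[2], "flags": set()}
    i = 3
    while i < len(toks) - 1:
        key = toks[i].upper()
        i += 1
        if key in FLAGS:
            desc["flags"].add(key)
        elif toks[i] == "(":                      # keyword followed by ( a $ b )
            close = toks.index(")", i)
            desc[key] = [t.strip("'") for t in toks[i + 1:close] if t != "$"]
            i = close + 1
        else:                                     # keyword followed by one value
            desc[key] = toks[i].strip("'")
            i += 1
    return desc


class Schema:
    def __init__(self, texts):
        self.attrs, self.classes = {}, {}
        for t in texts:
            d = parse_description(t)
            name = d["NAME"][0] if isinstance(d["NAME"], list) else d["NAME"]
            (self.attrs if d["kind"] == "attributetype" else self.classes)[name.lower()] = d

    def dangling_references(self):
        """Attribute names an objectclass lists in MUST/MAY that no attributetype defines."""
        missing = []
        for oc in self.classes.values():
            for key in ("MUST", "MAY"):
                names = oc.get(key, [])
                names = [names] if isinstance(names, str) else names
                missing += [n for n in names if n.lower() not in self.attrs]
        return missing

    def value_ok(self, attr, value):
        syntax = self.attrs[attr.lower()]["SYNTAX"]
        if syntax not in SYNTAX_CHECKS:
            raise KeyError(f"no validator for syntax {syntax}")
        return SYNTAX_CHECKS[syntax](value)

    def check_entry(self, entry):
        """Return [(attr, value)] for values that violate their attribute's syntax."""
        return [(a, v) for a, vals in entry.items() for v in vals
                if a.lower() in self.attrs and not self.value_ok(a, v)]


# Constructed sample entry: the second value carries a letter, which Numeric String forbids
ENTRY = {"sunyPersonId": ["123456"], "sunyStudentId": ["N0012345"]}

if __name__ == "__main__":
    schema = Schema(SCHEMA_TEXT)
    print("dangling:", schema.dangling_references())
    print("violations:", schema.check_entry(ENTRY))
```

Running the check before a harvester writes to the directory catches feed data that a server with schema checking enabled would reject anyway, but does so at the point where the bad row can still be traced back to its source of truth.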

Page 23:

Example LDIF file

    dn: uid=kma,ou=People,o=geneseo.edu
    objectClass: top
    objectClass: person
    objectClass: organizationalPerson
    objectClass: inetOrgPerson
    objectClass: posixAccount
    objectClass: mailrecipient
    objectClass: eduPerson
    cn: Kirk M Anne
    givenName: Kirk
    sn: Anne
    ou: Computing & Information Technology
    title: Assistant Director of Systems & Networking
    employeeType: Staff
    telephoneNumber: 585-245-5577
    street: South 124b2
    l: Geneseo
    st: NY
    postalCode: 14454
    mail: [email protected]
    [attribute name lost in extraction]: [email protected]
    [attribute name lost in extraction]: http://www.geneseo.edu/~kma
    uid: kma
    userPassword: {crypt}GLsdfaS3wx1ug
    uidNumber: 1605
    gidNumber: 1000
    gecos: Kirk M Anne
    homeDirectory: /home/kma
    loginShell: /bin/bash
    eduPersonAffiliation: staff
    eduPersonPrimaryAffiliation: staff
    eduPersonPrincipalName: [email protected]
    [attribute name lost in extraction]: Administrator@urn:mace:itunesu.com:sites:geneseo.edu
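An entry like the one above combines several object classes, each of which brings its own mandatory attributes, and the RDN value must also be present in the entry. The following LDIF reader, added here and not part of the presentation, parses entries (folded lines and base64 values included) and reports which MUST attributes are missing per object class; the MUST sets are those of RFC 4519/RFC 2798/RFC 2307 and the eduPerson schema, and the sample LDIF is constructed from the slide's entry with a placeholder mail domain and a second, deliberately incomplete entry.

```python
"""Minimal LDIF parser plus a per-objectClass MUST check.  Added example, not
code from the presentation.  SAMPLE_LDIF is constructed: the first entry mirrors
the slide with a placeholder mail domain, the second is deliberately incomplete."""
import base64

SAMPLE_LDIF = """\
dn: uid=kma,ou=People,o=geneseo.edu
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: eduPerson
cn: Kirk M Anne
givenName: Kirk
sn: Anne
uid: kma
userPassword: {crypt}GLsdfaS3wx1ug
uidNumber: 1605
gidNumber: 1000
gecos: Kirk M Anne
homeDirectory: /home/kma
loginShell: /bin/bash
eduPersonAffiliation: staff
eduPersonPrincipalName: kma@example.edu
description:: S2lyayBNIEFubmU=

dn: uid=broken,ou=People,o=geneseo.edu
objectClass: person
objectClass: posixAccount
cn: Broken Entry
uid: broken
"""

# Mandatory attributes per object class (lower-cased; LDAP names are case-insensitive)
MUST = {
    "top": {"objectclass"},
    "person": {"sn", "cn"},
    "organizationalperson": set(),
    "inetorgperson": set(),
    "posixaccount": {"cn", "uid", "uidnumber", "gidnumber", "homedirectory"},
    "shadowaccount": {"uid"},
    "eduperson": set(),
}


def unfold(text):
    """Join continuation lines (a leading space) onto the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Return a list of entries, each {attr_lower: [values]} including 'dn'."""
    entries, current = [], {}
    for line in unfold(text):
        if line.startswith("#"):
            continue
        if line == "":                       # blank line ends an entry
            if current:
                entries.append(current)
            current = {}
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"not an LDIF line: {line!r}")
        if value.startswith(":"):            # 'attr:: base64'
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(name.strip().lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def check_entry(entry):
    """List schema problems: missing MUST attributes, RDN not in entry, non-numeric ids."""
    problems = []
    dn = entry["dn"][0]
    classes = [c.lower() for c in entry.get("objectclass", [])]
    if not classes:
        problems.append("no objectClass")
    for oc in classes:
        for attr in sorted(MUST.get(oc, ())):
            if attr not in entry:
                problems.append(f"{oc} requires {attr}")
    rdn_attr, _, rdn_val = dn.split(",", 1)[0].partition("=")
    if rdn_val not in entry.get(rdn_attr.lower(), []):
        problems.append(f"RDN value {rdn_val!r} not present in {rdn_attr}")
    for attr in ("uidnumber", "gidnumber"):
        problems += [f"{attr} not numeric: {v}" for v in entry.get(attr, []) if not v.isdigit()]
    return problems


def report(text):
    """Map each DN to its list of problems."""
    return {e["dn"][0]: check_entry(e) for e in parse_ldif(text)}


if __name__ == "__main__":
    for dn, problems in report(SAMPLE_LDIF).items():
        print(dn, "->", problems or "ok")
```

Feeding the provisioning output through this kind of check before ldapadd/ldapmodify turns a server-side rejection into a readable report that names the entry and the class whose contract it breaks.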

Page 24:

Identity Management Tools

• Harvester
  – Simplest version
  – Reads from a “source of truth”
  – Updates attributes
• Identity Management systems
  – More complex
  – Provision access automatically
  – Defined by business processes and policy

Page 25:

Example Harvesting Maps

    Attribute                    HR Feedback                                                     BANNER
    givenName                    pers.fst_init+pers.fst_nam_rmt                                  spriden_first_name
    sn                           pers.lst_nam                                                    spriden_last_name
    cn                           pers.fst_init+pers.fst_nam_rmt+pers.lst_nam                     spriden_first_name+sprident_mi+spriden_last_name
    description                  directory.dir_dpt+pers.prim_aff_cat_cd                          Student
    telephoneNumber              directory.dir_area_cd+directory.dir_tel_nbr_shr                 sprtele_area_code+sprtele_phone_number
    mail                         email.email_addr                                                goremal_email_address
    street                       directory.dir_bld                                               spraddr_street_line_1
    title                        directory.dir_fre_ln                                            Student
    postOfficeBox                                                                                spraddr_line_1
    ou                           directory.dir_dpt                                               Student
    eduPersonOrgDn               dc=geneseo,dc=edu                                               dc=geneseo,dc=edu
    eduPersonPrimaryOrgUnitDn    cn=Users,dc=geneseo,dc=edu                                      cn=Users,dc=geneseo,dc=edu
    eduPersonAffiliation         pers.prim_aff_cat_cd+position.nu_cd+position.pos_sal_grd_suf    student
    eduPersonPrimaryAffiliation  pers.prim_aff_cat_cd+position.nu_cd+position.pos_sal_grd_suf    student
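The harvester described on the previous slide (read a source of truth, update attributes) is, at its core, a mapping like the table above, a diff against what the directory currently holds, and a modify operation for the difference. The example below, added here and not the presentation's own Perl/PL/SQL, implements that loop for the HR side of the table and emits a `changetype: modify` LDIF record. The HR row, the current directory entry, the affiliation lookup table and the separators inserted when columns are concatenated are all constructed assumptions; the point it adds to the slide is that the harvester owns a fixed list of attributes and never touches anything outside it, userPassword included.

```python
"""Attribute harvester: source-of-truth row -> mapped attributes -> diff against
the current entry -> LDIF modify record.  Added example, not the presentation's
code.  HR_ROW, CURRENT_ENTRY, AFFILIATION and the concatenation separators are
constructed assumptions; column names follow the slide's table."""

# Constructed HR feed row, keyed by the column names on the slide
HR_ROW = {
    "pers.fst_init": "K", "pers.fst_nam_rmt": "irk", "pers.lst_nam": "Anne",
    "pers.prim_aff_cat_cd": "E", "position.nu_cd": "13", "position.pos_sal_grd_suf": "",
    "directory.dir_dpt": "Computing & Information Technology",
    "directory.dir_fre_ln": "Assistant Director of Systems & Networking",
    "directory.dir_area_cd": "585", "directory.dir_tel_nbr_shr": "245-5577",
    "directory.dir_bld": "South 124", "email.email_addr": "kma@example.edu",
}

# Constructed lookup: (affiliation category, negotiating unit, grade suffix) -> affiliation
AFFILIATION = {("E", "13", ""): "staff", ("E", "08", ""): "faculty"}


def affiliation(r):
    key = (r["pers.prim_aff_cat_cd"], r["position.nu_cd"], r["position.pos_sal_grd_suf"])
    return AFFILIATION.get(key, "affiliate")


# Mapping: directory attribute -> function of the HR row, one per slide row.
# Separators (" " in cn, "-" in telephoneNumber) are an assumption of this example.
HR_MAP = {
    "givenName": lambda r: r["pers.fst_init"] + r["pers.fst_nam_rmt"],
    "sn": lambda r: r["pers.lst_nam"],
    "cn": lambda r: r["pers.fst_init"] + r["pers.fst_nam_rmt"] + " " + r["pers.lst_nam"],
    "description": lambda r: r["directory.dir_dpt"] + " " + r["pers.prim_aff_cat_cd"],
    "telephoneNumber": lambda r: r["directory.dir_area_cd"] + "-" + r["directory.dir_tel_nbr_shr"],
    "mail": lambda r: r["email.email_addr"],
    "street": lambda r: r["directory.dir_bld"],
    "title": lambda r: r["directory.dir_fre_ln"],
    "ou": lambda r: r["directory.dir_dpt"],
    "eduPersonOrgDN": lambda r: "dc=geneseo,dc=edu",
    "eduPersonPrimaryOrgUnitDN": lambda r: "cn=Users,dc=geneseo,dc=edu",
    "eduPersonAffiliation": affiliation,
    "eduPersonPrimaryAffiliation": affiliation,
}

# Constructed snapshot of what the directory holds now (stale phone, missing title/street)
CURRENT_ENTRY = {
    "cn": ["Kirk M Anne"], "sn": ["Anne"], "givenName": ["Kirk"],
    "description": ["Computing & Information Technology E"],
    "telephoneNumber": ["585-245-1234"], "mail": ["kma@example.edu"],
    "ou": ["Computing & Information Technology"],
    "eduPersonOrgDN": ["dc=geneseo,dc=edu"],
    "eduPersonPrimaryOrgUnitDN": ["cn=Users,dc=geneseo,dc=edu"],
    "eduPersonAffiliation": ["staff"], "eduPersonPrimaryAffiliation": ["staff"],
    "userPassword": ["{crypt}placeholder"],   # not harvested, must never be touched
}


def harvest(row, mapping=HR_MAP):
    """Apply the mapping; an empty result means the attribute should be absent."""
    return {attr: fn(row) for attr, fn in mapping.items() if fn(row)}


def diff(current, desired, managed):
    """Changes for the attributes the harvester owns; everything else is left alone."""
    changes = []
    for attr in managed:
        have, want = current.get(attr, []), desired.get(attr)
        if want is None and have:
            changes.append(("delete", attr, []))
        elif want is not None and not have:
            changes.append(("add", attr, [want]))
        elif want is not None and have != [want]:
            changes.append(("replace", attr, [want]))
    return changes


def to_ldif(dn, changes):
    """Render changes as one LDIF 'changetype: modify' record."""
    if not changes:
        return ""
    out = [f"dn: {dn}", "changetype: modify"]
    for op, attr, values in changes:
        out.append(f"{op}: {attr}")
        out += [f"{attr}: {v}" for v in values]
        out.append("-")
    return "\n".join(out) + "\n"


def run(dn="uid=kma,ou=People,o=geneseo.edu", row=HR_ROW, current=CURRENT_ENTRY):
    changes = diff(current, harvest(row), list(HR_MAP))
    return changes, to_ldif(dn, changes)


if __name__ == "__main__":
    print(run()[1])
```

Keeping the managed list explicit is what makes the harvester safe to run unattended: a column that disappears from the feed can only ever clear an attribute the harvester itself populated, and self-service attributes (DAS-edited fields, password) are outside its reach by construction.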

Page 26:

CAS/Shibboleth

• Central Authentication System (from Yale)
• Shibboleth (from Internet2 middleware)
• Provide protected access to attributes
• Provide the ability for single sign-on
• Key concepts
  – Identity Provider (IdP)
  – Service Provider (SP)
  – Security Assertion Markup Language (SAML)

Page 27:

Sample SAML 2.0 transaction

[Diagram slide; no text recovered]

Page 28:

So why would we do this?

• Simplify
  – Reduce the number of usernames/passwords
  – Reduce the number of places for “personal info”
• Secure
  – One username, one password -> strong passwords
  – Enforce policies (force pw changes, remove access)
• Self-service
  – Password resets
  – Provide/update attribute information

Page 29:

Why should we do this?

• One word… “Facebook” (one BIG directory)
• Students today expect personalized service
• Attributes allow us to select affinity groups
• Public versus private social networks

Page 30:

[No text recovered]

Page 31:

Other reasons

• Online phone books/directories
• Central authentication/Single Sign On
• Service Oriented Applications (SOA)
  – “Portal” applications
  – iTunesU
  – SUNY Administration Applications (HR)
  – Google Gadgets?
  – iPod Touch/iPhones?
  – InCommon?

Page 32:

What will it look like?

[Diagram slide; no text recovered]

Page 33:

Technology is not the whole answer

• We still need to develop policies.
  – Do we use last names for usernames?
  – What do we do about adjuncts?
  – When is a student a student?
  – What about leaves of absence?
  – Do we create staff accounts before signed letters?
  – Do we keep student accounts forever?
  – Who gets to see what attributes?
• Processes should be based on policies.

Page 34:

For more information…

• Shibboleth
  – http://shibboleth.internet2.edu/
• Grouper
  – http://grouper.internet2.edu/
• COmanage
  – http://middleware.internet2.edu/co/
• Central Authentication System
  – http://www.ja-sig.org/products/cas/index.html
• InCommon
  – http://www.incommonfederation.org/
• Internet2 middleware
  – http://middleware.internet2.edu/dir/