Campus Identity and Access Management Services
Transcript of Campus Identity and Access Management Services
Managing Information Technology @ UT, November 13-14, 2008
Objectives
• Learn how the university assigns and manages electronic identities
• Learn how this information is used for authentication and authorization
IAM Overview
• Terms & Concepts
• IAM Goals & Principles
• IAM Services Overview
  • Identity Management
  • Directory Services
  • Authentication Services
  • Authorization Services
IAM Terms
• Identity: set of attributes and credentials associated with an entity
• Directory Services: stores, organizes, and provides information about identities to consuming systems
• Authentication: verifying the identity of a user (most commonly with a username and password) and providing assurances of their identity to a service
• Authorization: verifying whether an identity is permitted to take an action
Attributes & Credentials
Attributes
• Identity and affiliation characteristics of an entity which are of interest to the university
Credentials
• Used to establish a person’s identity and help the university maintain a high degree of confidence in it
• Helps to define the levels of service, access, or privileges available to a particular identity
• Physical Credentials – UT ID Cards
• Electronic Credentials – UT EIDs
IAM Goals & Principles
• Entities have a single identity
• Identity is a ubiquitous public user name
• Identities have lifelong community membership
• Consistent sign-on (authentication)
• Self-service
• Distributed management
Identity Management Services
(Architecture diagram with the components: Source Systems, Identity Management System, Enterprise Directory, Other Directory Services, Authentication Services, Authorization Services)
UT EID
• An electronic identifier that contains two key attributes – UT EID and UIN
• Several EID types: Person, Business, Department, Service, Group, Resource, ID-Only
• Person UT EID is an individual’s public username and their electronic credential that allows them to use online secure services
Person EID Affiliations & Classes
Guest Class
• EID w/out Affiliation
• Prospective Student
• Prospective Faculty
• Job Applicant
Affiliate Class
• Library Patron
• Donor/Friend of the University/VIP
• University Extension Participant
• Retiree
• Graduate
• Future Student
• Future Staff
• Former Staff
• Future Faculty
• Former Faculty
• Future Employee
• Former Employee
Member Class
• Current Student
• Current Faculty
• Current Staff
• Official Visitor
• Current Employee
Additional Person EID Concepts
Entitlements
• Specific endorsements, credentials, or permissions
• E.g. IDP, SIG, LLV, DPU, etc.
EID Upgrade
• IDP – UT has seen photo ID
• SIG – Use your EID as legal signature
Restrictions
• Limits who may view information (FERPA)
• Attributes or entire identity may be restricted
Did You Know?
• Approximately how many EIDs have been issued by UT Austin? 4.5 Million EIDs (3.8M Person)
• On an average day during the regular semester how many EID logons occur? ~130,000 EID logons
Enterprise Directory Services
(IAM architecture diagram repeated from the Identity Management Services slide)
Enterprise Directories
• uTexas Enterprise Directory (TED)
• TED on the Mainframe (TOM)
• White Pages Directory
• Austin Active Directory

Sample Person Attributes in TED
Columns: Attribute Name | Contents | Multi- or Single-Valued / Required Indicator | May Be Populated For | Access Group | Permitted Searches | Source & Format

Identifiers
uid, utexasEduPersonEid | Current UT EID (uid is the naming attribute for people) | Single, Required | All people | Basic, AffOnly (see notes) | equality | Source: EID System; Format: Max 8 characters
utexasEduPersonPriorEid | Prior UT EIDs | Multi | All people | Basic | equality | Source: EID System; Format: Max 15 characters
utexasEduPersonUin | Current UIN | Single, Required | All people | Basic, AffOnly | equality | Source: EID System; Format: 16-digit hex
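As an added example, not code from the presentation or from the TED project, the identifier rules in the attribute table above modelled in Python: format checks for uid, utexasEduPersonPriorEid and utexasEduPersonUin, a builder for equality searches (the only permitted search type) that escapes the value per RFC 4515 so caller-supplied input cannot change the filter, and a resolver that maps a prior EID to the current one. The EID character set, the sample entries and the function names are assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import Iterable, Optional

# Length/format rules from the TED attribute table: current EID max 8 characters,
# prior EID max 15, UIN a 16-digit hex string. The EID character set is an assumption.
EID_RE = re.compile(r"^[A-Za-z0-9_.-]{1,8}$")
PRIOR_EID_RE = re.compile(r"^[A-Za-z0-9_.-]{1,15}$")
UIN_RE = re.compile(r"^[0-9A-Fa-f]{16}$")

# RFC 4515 escapes for values embedded in an LDAP search filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

@dataclass
class TedPerson:
    """Minimal model of a TED person entry (constructed sample, not real directory data)."""
    uid: str                                   # naming attribute; equals the current EID
    utexasEduPersonUin: str                    # single-valued, required
    utexasEduPersonPriorEid: list = field(default_factory=list)  # multi-valued

def is_well_formed(p: TedPerson) -> bool:
    """Check every identifier against the documented format rules before storing it."""
    return bool(EID_RE.match(p.uid)
                and UIN_RE.match(p.utexasEduPersonUin)
                and all(PRIOR_EID_RE.match(e) for e in p.utexasEduPersonPriorEid))

def equality_filter(attr: str, value: str) -> str:
    """Build the one permitted search type (equality), escaping the value so that
    caller-supplied input cannot change the filter's structure."""
    escaped = "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)
    return f"({attr}={escaped})"

def resolve_current_eid(directory: Iterable[TedPerson], eid: str) -> Optional[str]:
    """Map a current or prior EID to the person's current EID (uid), or None.
    Input that violates the prior-EID format is rejected before any lookup."""
    if not PRIOR_EID_RE.match(eid):
        return None
    for p in directory:
        if p.uid == eid or eid in p.utexasEduPersonPriorEid:
            return p.uid
    return None

# Constructed sample entries used by the lookups and tests.
SAMPLE_TED = [
    TedPerson("jd1234", "0123456789ABCDEF", ["jdoe99"]),
    TedPerson("ms5678", "FEDCBA9876543210"),
]
```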
Authentication Services
(IAM architecture diagram repeated from the Identity Management Services slide)
Web Authentication
(Diagram with the components: Web Browser, Web Server with AuthN. Agent, Authentication Service, Data Store)
Authentication Methods
Web Authentication
• UT Direct/Fat Cookie
• Shibboleth
• TAM (next generation)
Mainframe Authentication
• RACF
• EID
Authorization Services
(IAM architecture diagram repeated from the Identity Management Services slide)
Authorizations
(Diagram labels: BACS, NRRECS, Task Manager; BACS Group – App-empl.; Apollo Group - EID Stewards; System Internal - Group; Group Mediated; System Internal - Individual; Auth: View unrestricted student records; Auth: Access Main 25th Floor; Auth: Update DP; Auth: Submit DP)
Authorization Products
Apollo
• a mainframe authorization repository with customizable application profiles and group management functionality
*DPUSER
• authorization system for mainframe services including the management of Natural and Adabas resources
In Closing
• An entity has only one identity and this is represented by the UT EID
• UT EID is the ubiquitous public user name
• Identities have lifelong membership in our community
• Identity & Access Management services include: Identity Management, Directory Services, Authentication Services, & Authorization Services