Identity Services Technical Briefing
Tuesday, November 5, 2013
Nicholas Roy – Technical Manager


Central Person Registry

• Current state
  – Primed with 1.2 million person records as of September
  – Daily batch consumption of records from:
    • ISIS
    • IBIS
    • CIDR
    • CACTUS
    • Hershey Medical Center Lawson (Hospital Staff HR)
  – Affiliations using the current set of eduPerson values and rules, some gaps identified


Central Person Registry

• Future State
  – New data from Hershey Medical Center Faculty List (HY faculty, emeritus) to complete current affiliations
  – Integration with CIDR and CACTUS to make CPR authoritative for person identity excluding SSN
  – Allows real-time operations against web services
  – Implement rules engine and fine-grained affiliations for better access control


Access Management

• Grouper
  – Foundation for richer access control
    • Nesting, group math, enterprise groups, permissions, privileges, roles
  – LDAP Groups
  – Group Views
  – Group API


Federated Identity

• InCommon
  – Multilateral Federation
  – Assurance
• Shibboleth
  – Core Technology
• SAML
  – Core Protocol
  – Other Protocols (the future?)
• Interfederation
  – Other Federations
• Social Identity
  – Other Sources of Authentication (maybe not attributes)


Two Factor Authentication

• The problem with passwords
• The current state of 2FA at Penn State
• Enterprise solution – Duo Security
• Pilots feedback and service refinement
• Planning for self-enrollment and identity verification
• Service roll-out/planning transition paths to Duo
