Oracle Direct Seminar · pl/1 appc 3270 ispf idms ... vsam ims/db db2 idms 4gl ...
Introduction to IdMs-Ppt
-
Upload
drago-cmuk -
Category
Documents
-
view
254 -
download
6
Transcript of Introduction to IdMs-Ppt
-
7/29/2019 Introduction to IdMs-Ppt
1/22
Supporting education and research
Introduction to IdentityManagement Systems
Alan Robiette, JISC (UK)
-
7/29/2019 Introduction to IdMs-Ppt
2/22
2 March 2005 EuroCAMP, Torino 2
Overview
What is meant by identitymanagement?
What are identifiers (IDs) for?
How are they assigned and managed?
To which categories of people?
What properties of identifiers areimportant?
Comments on practical systems
ID management at national level And finally a little about personal net IDs
-
7/29/2019 Introduction to IdMs-Ppt
3/22
2 March 2005 EuroCAMP, Torino 3
History
For a long time every system hadits own IDs and login credentials
Poor user image users have to maintainmultiple identities and passwords
Leads to confusion and inconsistency not all parts of the organisation workingfrom the same data
Much duplication and waste of effort
Identity management aims tobring some order into all this
-
7/29/2019 Introduction to IdMs-Ppt
4/22
2 March 2005 EuroCAMP, Torino 4
What are IDs for?
All entities in IT systems needmachine-readable names
A name which machines can process is aprerequisite for building systems toprovide people with services etc.
Assigning IDs is a process ofmapping real-world identities to
machine-readable ones Ideally done once at institution level
Promotes consistency and data quality
-
7/29/2019 Introduction to IdMs-Ppt
5/22
2 March 2005 EuroCAMP, Torino 5
Registering people
Who qualifies for services? Students
Are there special categories: part-time,distance-learning, or others?
Do data from different sources need to bereconciled?
Staff
Full-time, part-time, visiting?
Alumni? Others
These can be problematic: e.g. visitingacademics/researchers, library affiliates etc.
-
7/29/2019 Introduction to IdMs-Ppt
6/22
2 March 2005 EuroCAMP, Torino 6
Registering people (2)
Business processes often vary Normally well established and robust for
full-time students and staff on payroll
Real-world identities checked against national
ID number (if this exists), bank details, taxreference etc.
But may differ for other categories, e.g.part-time students, library walk-ins
Typically leads to multiple sources of datawhich may need cleaning andreconciliation
Roland Hedberg will expand on this
-
7/29/2019 Introduction to IdMs-Ppt
7/22
2 March 2005 EuroCAMP, Torino 7
A simple example
-
7/29/2019 Introduction to IdMs-Ppt
8/22
2 March 2005 EuroCAMP, Torino 8
Assigning IDs
At institution level IDs must beunique to the individual
E.g. need to resolve cases where twoindividuals have the same or overlapping
names; the John Smith problem
Some other important properties Persistence: can an identifier ever be
reassigned? If so, when?
Human-understandable or opaque?
May need both for different purposes
Associated attributes (metadata)
-
7/29/2019 Introduction to IdMs-Ppt
9/22
2 March 2005 EuroCAMP, Torino 9
The central IDM system
Result of processes just described Alternative names include IDM system;person registry; metadirectory
Often implemented as a relationaldatabase Commercial products exist, but many
institutions build their own
RDBMS tools well adapted to buildingmanagement interfaces, updateprocedures etc.
-
7/29/2019 Introduction to IdMs-Ppt
10/22
2 March 2005 EuroCAMP, Torino 10
Provisioning systems
Central ID database can then feedother systems
IT sub-systems e.g. desktop network,email directory, library managementsystem, RADIUS server
Physical card systems, security
Etc.
Legacy systems may require theirown ID formats
Mapping between identifiers is important
-
7/29/2019 Introduction to IdMs-Ppt
11/22
2 March 2005 EuroCAMP, Torino 11
Dependent directories
Registries for IT sub-systems moreoften implemented as directories
For performance reasons, to support highvolume of look-ups
Directory systems exist as bothproprietary products ...
E.g. SunONE directory server, Microsoft ActiveDirectory, Novell e-Directory
John Paschoud's talk will explore AD
... and open source alternatives
E.g. OpenLDAP
-
7/29/2019 Introduction to IdMs-Ppt
12/22
2 March 2005 EuroCAMP, Torino 12
Basic IDM approach
Manual &
Automated
Processes
IT Staff
Calendar
VPN
Course
Mgmt
Document
Mgmt
E-Mail
LDAP
RADIUS
DirectoryServices
Data feeds
Look-ups
Active
Directory
Portal
Desktops
-
7/29/2019 Introduction to IdMs-Ppt
13/22
2 March 2005 EuroCAMP, Torino 13
More complex IDM system
Outreach
DB
Student
System
Payroll
Personnel
System
Alumni
System
Affiliates
DB
Identity
Management
Data feeds
Look-ups
SIS Self-
Service
Calendar
Remote
Access
VPN
Course
Mgmt
DocumentMgmt
E-Mail
RADIUS
Directory
Services
Portal
Print
ServersDesktops
Campus
Card Library
System
LDAP
Active
Directory
-
7/29/2019 Introduction to IdMs-Ppt
14/22
2 March 2005 EuroCAMP, Torino 14
IDM at national level
Several countries now committedto doing IDM at national level
Example: the UK Athens service
Built to manage access uniformly to licensedresources (e.g. e-journals)
Currently serves around 3 million users
Several hundred participating institutions
Virtually total coverage of academic
publishers Works by devolving ID management
back to individual institutions
-
7/29/2019 Introduction to IdMs-Ppt
15/22
2 March 2005 EuroCAMP, Torino 15
National level issues
Scale goes up by 1-2 orders ofmagnitude
So resolving name clashes etc. becomesmuch harder: the devolved model leaves
this to be done locally So the unique ID is the combination of locally
assigned ID + institution name
Cf. also eduPersonPrincipalName (uses syntaxuserID@domainname
) as in Shibboleth And eduRoam works essentially the same way
The alternative is a true national levelregistry, as in FEIDE project in Norway
-
7/29/2019 Introduction to IdMs-Ppt
16/22
2 March 2005 EuroCAMP, Torino 16
National level problems
Some people genuinely havemultiple identities!
For instance someone who takes up astaff post in University A, while still a
registered student at University B
In the devolved institutionally-managedmodel, the IDs will be quite separate
Because of this, not all resources are
visible at the same time
Problems are intensified with life-longlearning, student mobility etc.
-
7/29/2019 Introduction to IdMs-Ppt
17/22
2 March 2005 EuroCAMP, Torino 17
Person-centric IDMs?
Think more about life-long learning People study at different points in their
lives
At different institutions, and for different
qualifications
Sometimes doing more than one type ofstudy at once
A person-centric IDM system would
handle this much more naturally
And with appropriate safeguards mightcope with other personal needs also
-
7/29/2019 Introduction to IdMs-Ppt
18/22
2 March 2005 EuroCAMP, Torino 18
But who might provide one?
The two requirements are scaleand long-term stability
Really only governments havesuccessfully done this up till now
So for education, a national-level scheme(such as FEIDE) is a possible answer
Otherwise some options include
Banks? Telcos and/or larger ISPs?
Maybe in future, not-for-profit trusts???
-
7/29/2019 Introduction to IdMs-Ppt
19/22
2 March 2005 EuroCAMP, Torino 19
Conclusions
Institutional-level identitymanagement is the starting pointfor all core middleware
Relatively straightforward technically:most of the problems are to do withcultural issues, ownership, territory
National-level IDM schemes are on
the increase Most follow the devolved model, though
this has some negative consequences
-
7/29/2019 Introduction to IdMs-Ppt
20/22
2 March 2005 EuroCAMP, Torino 20
Finally
Robust, long-lived personalelectronic identities are aninteresting prospect
With many advantages, provided securityand user control could be guaranteed
But equally with corresponding dangers ifcompromised
If or when we get these, we'll haveto worry about linking them backinto our institutional systems
-
7/29/2019 Introduction to IdMs-Ppt
21/22
2 March 2005 EuroCAMP, Torino 21
More information
Identifiers, authentication, anddirectories: best practices forhigher education
Internet2 middleware pages,http://middleware.internet2.edu/internet2-mi-best-practices-00.html
-
7/29/2019 Introduction to IdMs-Ppt
22/22
Supporting education and research
Discussion ...