Page 1: Campus Identity and Access Management Services

Managing Information Technology @ UT, November 13-14, 2008

Page 2: Objectives

• Learn how the university assigns and manages electronic identities
• Learn how this information is used for authentication and authorization

Page 3: IAM Overview

• Terms & Concepts
• IAM Goals & Principles
• IAM Services Overview
  • Identity Management
  • Directory Services
  • Authentication Services
  • Authorization Services

Page 4: IAM Terms

• Identity: set of attributes and credentials associated with an entity
• Directory Services: stores, organizes, and provides information about identities to consuming systems
• Authentication: verifying the identity of a user (most commonly with a username and password) and providing assurances of their identity to a service
• Authorization: verifying whether an identity is permitted to take an action

Page 5: Attributes & Credentials

Attributes
• Identity and affiliation characteristics of an entity which are of interest to the university

Credentials
• Used to establish a person’s identity and help the university maintain a high degree of confidence in it
• Help to define the levels of service, access, or privileges available to a particular identity
• Physical Credentials – UT ID Cards
• Electronic Credentials – UT EIDs

Page 6: IAM Goals & Principles

• Entities have a single identity
• Identity is a ubiquitous public user name
• Identities have lifelong community membership
• Consistent sign-on (authentication)
• Self-service
• Distributed management

Page 7: Identity Management Services

[Diagram of the IAM services: Source Systems, Identity Management System, Enterprise Directory, Other Directory Services, Authentication Services, Authorization Services]

Page 8: UT EID

• An electronic identifier that contains two key attributes – UT EID and UIN
• Several EID types: Person, Business, Department, Service, Group, Resource, ID-Only
• A Person UT EID is an individual’s public username and their electronic credential that allows them to use online secure services

Page 9: Person EID Affiliations & Classes

Guest Class
• EID w/out Affiliation
• Prospective Student
• Prospective Faculty
• Job Applicant

Affiliate Class
• Library Patron
• Donor/Friend of the University/VIP
• University Extension Participant
• Retiree
• Graduate
• Future Student
• Future Staff
• Former Staff
• Future Faculty
• Former Faculty
• Future Employee
• Former Employee

Member Class
• Current Student
• Current Faculty
• Current Staff
• Official Visitor
• Current Employee

Page 10: Additional Person EID Concepts

Entitlements
• Specific endorsements, credentials, or permissions
• E.g. IDP, SIG, LLV, DPU, etc.

EID Upgrade
• IDP – UT has seen photo ID
• SIG – Use your EID as legal signature

Restrictions
• Limits who may view information (FERPA)
• Attributes or entire identity may be restricted

Page 11: Did You Know?

• Approximately how many EIDs have been issued by UT Austin? 4.5 Million EIDs (3.8M Person)
• On an average day during the regular semester, how many EID logons occur? ~130,000 EID logons

Page 12: Enterprise Directory Services

[The IAM services diagram from page 7, repeated for this section: Source Systems, Identity Management System, Enterprise Directory, Other Directory Services, Authentication Services, Authorization Services]

Page 13: Enterprise Directories

• uTexas Enterprise Directory (TED)
• TED on the Mainframe (TOM)
• White Pages Directory
• Austin Active Directory

Sample Person Attributes in TED (Identifiers)

Attribute Name | Contents | Multi- or Single-Valued / Required Indicator | May Be Populated For | Access Group | Permitted Searches | Source & Format
uid, utexasEduPersonEid | Current UT EID (uid is the naming attribute for people) | Single, Required | All people | Basic, AffOnly (see notes) | equality | Source: EID System; Format: Max 8 characters
utexasEduPersonPriorEid | Prior UT EIDs | Multi | All people | Basic | equality | Source: EID System; Format: Max 15 characters
utexasEduPersonUin | Current UIN | Single, Required | All people | Basic, AffOnly | equality | Source: EID System; Format: 16-digit hex
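As an added example (not TED's or UT's own code), the three identifier rows of the table modelled in Python: a validator that enforces the single/multi-valued, required and format rules, and a search-filter builder that allows only the equality searches the table permits and escapes values per RFC 4515. The table does not state the EID character set, so only length is checked; "16-digit hex" is taken to mean exactly 16 hexadecimal characters.

```python
import re

# Added example, not TED's own code. TED_SCHEMA models the table's identifier rows:
# cardinality, required flag, permitted search and format are the table's; the dict
# layout and the length-only EID check are this example's assumptions.
TED_SCHEMA = {
    "uid":                     dict(multi=False, required=True,  search={"equality"}, max_len=8),
    "utexasEduPersonEid":      dict(multi=False, required=True,  search={"equality"}, max_len=8),
    "utexasEduPersonPriorEid": dict(multi=True,  required=False, search={"equality"}, max_len=15),
    "utexasEduPersonUin":      dict(multi=False, required=True,  search={"equality"},
                                    pattern=r"[0-9A-Fa-f]{16}"),
}

def value_error(attr, value):
    """Problem string if VALUE breaks the table's format for ATTR, else None."""
    rule = TED_SCHEMA[attr]
    if "max_len" in rule and len(value) > rule["max_len"]:
        return f"{attr}: {value!r} exceeds {rule['max_len']} characters"
    if "pattern" in rule and not re.fullmatch(rule["pattern"], value):
        return f"{attr}: {value!r} is not 16-digit hex"
    return None

def validate_entry(entry):
    """Check an LDAP-style entry {attr: [values, ...]}; return a list of problems."""
    problems = []
    for attr, rule in TED_SCHEMA.items():
        values = entry.get(attr, [])
        if rule["required"] and not values:
            problems.append(f"{attr}: required attribute missing")
        if not rule["multi"] and len(values) > 1:
            problems.append(f"{attr}: single-valued but has {len(values)} values")
        problems += [p for p in (value_error(attr, v) for v in values) if p]
    problems += [f"{a}: not a modelled TED attribute" for a in entry if a not in TED_SCHEMA]
    return problems

def escape_filter_value(value):
    """RFC 4515 escaping so a caller-supplied value cannot alter the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def equality_filter(attr, value):
    """Build '(attr=value)'; refuse attributes without equality search and values
    outside the attribute's format, so malformed input never reaches the directory."""
    rule = TED_SCHEMA.get(attr)
    if rule is None or "equality" not in rule["search"]:
        raise ValueError(f"equality search not permitted on {attr}")
    problem = value_error(attr, value)
    if problem:
        raise ValueError(problem)
    return f"({attr}={escape_filter_value(value)})"
```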

Page 14: Authentication Services

[The IAM services diagram from page 7, repeated for this section: Source Systems, Identity Management System, Enterprise Directory, Other Directory Services, Authentication Services, Authorization Services]

Page 15: Web Authentication

[Diagram of the web authentication components: Web Browser, Web Server, AuthN. Agent, Authentication Service, Data Store]

Page 16: Authentication Methods

Web Authentication
• UT Direct/Fat Cookie
• Shibboleth
• TAM (next generation)

Mainframe Authentication
• RACF
• EID

Page 17: Authorization Services

[The IAM services diagram from page 7, repeated for this section: Source Systems, Identity Management System, Enterprise Directory, Other Directory Services, Authentication Services, Authorization Services]

Page 18: Authorizations

[Diagram of authorization examples. Systems: BACS, NRRECS, Task Manager. Groups: BACS Group – App-empl.; Apollo Group – EID Stewards. Authorization types: System Internal – Group; Group Mediated; System Internal – Individual. Authorizations: View unrestricted student records; Access Main 25th Floor; Update DP; Submit DP]

Page 19: Authorization Products

Apollo
• A mainframe authorization repository with customizable application profiles and group management functionality

*DPUSER
• Authorization system for mainframe services, including the management of Natural and Adabas resources

Page 20: In Closing

• An entity has only one identity, and this is represented by the UT EID
• UT EID is the ubiquitous public user name
• Identities have lifelong membership in our community
• Identity & Access Management services include: Identity Management, Directory Services, Authentication Services, & Authorization Services