identity and access management infrastructure for oxford...
TRANSCRIPT
![Page 1: Identity and Access Management Infrastructure for Oxford …old.ictf.ox.ac.uk/conference/2011/presentations/wks02... · 2011. 7. 28. · Identity and Access Management Digital Identity](https://reader033.vdocuments.site/reader033/viewer/2022060909/60a3f060c16a446ace1614df/html5/thumbnails/1.jpg)
Identity and Access ManagementInfrastructure
for Oxford University
John IrelandSystems Development and Support Section ManagerOxford University Computing Services
![Page 2: Identity and Access Management Infrastructure for Oxford …old.ictf.ox.ac.uk/conference/2011/presentations/wks02... · 2011. 7. 28. · Identity and Access Management Digital Identity](https://reader033.vdocuments.site/reader033/viewer/2022060909/60a3f060c16a446ace1614df/html5/thumbnails/2.jpg)
Identity and Access Management
Digital Identity
The electronic representation of a
real-world entity:a “user”
Authentication
The process by which a user proves their claim to a specific
digital identity
Authorisation
The process of defining who can
access what (& enforcing that policy)
![Page 3: Identity and Access Management Infrastructure for Oxford …old.ictf.ox.ac.uk/conference/2011/presentations/wks02... · 2011. 7. 28. · Identity and Access Management Digital Identity](https://reader033.vdocuments.site/reader033/viewer/2022060909/60a3f060c16a446ace1614df/html5/thumbnails/3.jpg)
Oxford's IAM Context
Organisation
44 colleges/PPH168 departments
28 libraries27 others
IT Staff
300-400 ITSS
Platforms
MicrosoftIBM/Oracle
LinuxNovell
Apple OS XSun
![Page 4: Identity and Access Management Infrastructure for Oxford …old.ictf.ox.ac.uk/conference/2011/presentations/wks02... · 2011. 7. 28. · Identity and Access Management Digital Identity](https://reader033.vdocuments.site/reader033/viewer/2022060909/60a3f060c16a446ace1614df/html5/thumbnails/4.jpg)
Current Services
![Page 5: Identity and Access Management Infrastructure for Oxford …old.ictf.ox.ac.uk/conference/2011/presentations/wks02... · 2011. 7. 28. · Identity and Access Management Digital Identity](https://reader033.vdocuments.site/reader033/viewer/2022060909/60a3f060c16a446ace1614df/html5/thumbnails/5.jpg)
Kerberos
Key Points
Passwords / hashes are not transmitted
during authentication
Different keys for each application
server
Single sign-on capability and good
resilience model
1
2
3
4
5
6
Key Distribution Centre
Application Server
Client / User
![Page 6: Identity and Access Management Infrastructure for Oxford …old.ictf.ox.ac.uk/conference/2011/presentations/wks02... · 2011. 7. 28. · Identity and Access Management Digital Identity](https://reader033.vdocuments.site/reader033/viewer/2022060909/60a3f060c16a446ace1614df/html5/thumbnails/6.jpg)
Kerberos
● Preferred authentication protocol in Active Directory● Suitable for any Kerberised service, implementations for
SMB/CIFS, SSH, IMAP, SMTP, Active Directory● Resilience through clustering of KDC and client-side failover
Available Since:
2002
Active Users:
33,000
Registered
Servers:
1,200
Logins/Day:
27,000
1
2
3
4
56
KDC
Application Server
Client
![Page 7: Identity and Access Management Infrastructure for Oxford …old.ictf.ox.ac.uk/conference/2011/presentations/wks02... · 2011. 7. 28. · Identity and Access Management Digital Identity](https://reader033.vdocuments.site/reader033/viewer/2022060909/60a3f060c16a446ace1614df/html5/thumbnails/7.jpg)
Webauth
● Wraps Kerberos tickets in web cookies
● Available as Apache module, included in popular Linux distros
● Support for HTTP-Negotiate, WAS-initiated re-auth, ...
● Supplementary module to lookup user attributes in LDAP
Available Since:
2002
Active Users:
33,000
Registered
Servers:
385
Logins/Day:
6970
1
2
3
4
56
WebKDC
Webauth Application Server
User Agent
![Page 8: Identity and Access Management Infrastructure for Oxford …old.ictf.ox.ac.uk/conference/2011/presentations/wks02... · 2011. 7. 28. · Identity and Access Management Digital Identity](https://reader033.vdocuments.site/reader033/viewer/2022060909/60a3f060c16a446ace1614df/html5/thumbnails/8.jpg)
Oak LDAP
Available Since:
2008
Active Users:
n/a
Registered
Servers:
189
Queries/Day:
180,000
dc=oak,dc=ox,dc=ac,dc=uk
ou=people ou=units
Student Records
University Card
OUCS Registration
![Page 9: Identity and Access Management Infrastructure for Oxford …old.ictf.ox.ac.uk/conference/2011/presentations/wks02... · 2011. 7. 28. · Identity and Access Management Digital Identity](https://reader033.vdocuments.site/reader033/viewer/2022060909/60a3f060c16a446ace1614df/html5/thumbnails/9.jpg)
Oak LDAP
dn: oakPrimaryPersonID=8455,ou=people,...cn: Nate Pobridgeo: University of Oxfordou: Department of Computer SciencedisplayName: Nate Pobridgesn: PobridgegivenName: Natemail: [email protected]: dc=ox,dc=ac,dc=ukeduPersonAffiliation: membereduPersonOrgUnitDN: oakUnitCode=cs,ou=units,dc=oak,...eduPersonPrimaryOrgUnitDN: oakUnitCode=cs,ou=units,dc=oak,...oakAlternativeMail: [email protected]: 8455oakUniversityBarcode: 2201423oakUniversityCardID: 10037759oakCardExpiry: 201201010000ZoakOSSID: 52683314oakStatus: senmemoakOxfordSSOUsername: alic3000oakITSSFor: oakGN=ITSS,oakUnitCode=cs,ou=units,...memberOf: oakGN=ITSS,oakUnitCode=cs,ou=units,...memberOf: oakUnitCode=cs,ou=units,dc=oak,dc=ox,...objectClass: oakPersonobjectClass: eduPerson
Available Since:
2008
Active Users:
n/a
Registered
Servers:
189
Queries/Day:
180,000
![Page 10: Identity and Access Management Infrastructure for Oxford …old.ictf.ox.ac.uk/conference/2011/presentations/wks02... · 2011. 7. 28. · Identity and Access Management Digital Identity](https://reader033.vdocuments.site/reader033/viewer/2022060909/60a3f060c16a446ace1614df/html5/thumbnails/10.jpg)
Shibboleth
● Software implementation of SAML Web Browser Profile
● Available as Apache module, included in popular Linux distros
● Available as ISAPI filter for IIS (5,6,7) on Windows 2003
● User attributes requested / returned in initial sign-on
Available Since:
2007
Active Users:
22,500
Registered
Servers:
31
Logins/Day:
6742
1
2
3
4
56
Identity Provider (IdP)
Service Provider (SP)
User Agent
Windows
![Page 11: Identity and Access Management Infrastructure for Oxford …old.ictf.ox.ac.uk/conference/2011/presentations/wks02... · 2011. 7. 28. · Identity and Access Management Digital Identity](https://reader033.vdocuments.site/reader033/viewer/2022060909/60a3f060c16a446ace1614df/html5/thumbnails/11.jpg)
Shibboleth
● Supports federated access management
● Enables 3rd parties to rely on our authentication of our users
● Enables us to rely on 3rd parties
● Enables us to federate internally
Available Since:
2007
Active Users:
22,500
Registered
Servers:
31
Logins/Day:
6742
IdP
SP IdP
IdP
![Page 12: Identity and Access Management Infrastructure for Oxford …old.ictf.ox.ac.uk/conference/2011/presentations/wks02... · 2011. 7. 28. · Identity and Access Management Digital Identity](https://reader033.vdocuments.site/reader033/viewer/2022060909/60a3f060c16a446ace1614df/html5/thumbnails/12.jpg)
IAM Suite
Kerberos
Webauth
Oak LDAP
Shibboleth
Apache
Core HR
Interfase
Wordpress
Local AD
Krb Native
OSS +
Registr/n
IIS
TS/RDP
![Page 13: Identity and Access Management Infrastructure for Oxford …old.ictf.ox.ac.uk/conference/2011/presentations/wks02... · 2011. 7. 28. · Identity and Access Management Digital Identity](https://reader033.vdocuments.site/reader033/viewer/2022060909/60a3f060c16a446ace1614df/html5/thumbnails/13.jpg)
Current Projects
![Page 14: Identity and Access Management Infrastructure for Oxford …old.ictf.ox.ac.uk/conference/2011/presentations/wks02... · 2011. 7. 28. · Identity and Access Management Digital Identity](https://reader033.vdocuments.site/reader033/viewer/2022060909/60a3f060c16a446ace1614df/html5/thumbnails/14.jpg)
Core User Directory
● Provide a comprehensive central directory of people
● Consolidate and match person records from many sources
● Include foreign keys to assist drilling into primary data sources
Start Date:
2011-01
Finish Date:
2012-06
Sponsor:
UAS IS Board
Staff:
2
OSS
HRIS
OUCS
Coll'g
Libry
DARS
Card IMSU
?
Desktop
OxCORT
Intranet e-Journals
Door
Access
Network
WebLearn
Active
Directory
Other
eg. HP-UX
Novell e-
Directory
Open
Directory
OSS HRISSelf-reg
![Page 15: Identity and Access Management Infrastructure for Oxford …old.ictf.ox.ac.uk/conference/2011/presentations/wks02... · 2011. 7. 28. · Identity and Access Management Digital Identity](https://reader033.vdocuments.site/reader033/viewer/2022060909/60a3f060c16a446ace1614df/html5/thumbnails/15.jpg)
Group Store
● Provide a central store for “managed” and “ad hoc” groups of people
● Currently running a development system based on Internet2 Grouper
● Project will be tied in against CUD as the services complement each other
Start Date:
2011-01
Finish Date:
Delayed
Sponsor:
OUCS
Staff:
1
![Page 16: Identity and Access Management Infrastructure for Oxford …old.ictf.ox.ac.uk/conference/2011/presentations/wks02... · 2011. 7. 28. · Identity and Access Management Digital Identity](https://reader033.vdocuments.site/reader033/viewer/2022060909/60a3f060c16a446ace1614df/html5/thumbnails/16.jpg)
Oxford Active Directory
● SSO for AD using a cross-realm trust with Kerberos is available and works well for workstations in a domain, but...
● ...there are doubts about support for this model from Microsoft and application vendors
● Our plan is to carry out rigorous testing of a typical Microsoft AD deployment for an organisation like Oxford...
● ...and deploy an Oxford Active Directory domain if this looks beneficial
Start Date:
2011-07
Finish Date:
2011-10
Sponsor:
OUCS
Staff:
2
![Page 17: Identity and Access Management Infrastructure for Oxford …old.ictf.ox.ac.uk/conference/2011/presentations/wks02... · 2011. 7. 28. · Identity and Access Management Digital Identity](https://reader033.vdocuments.site/reader033/viewer/2022060909/60a3f060c16a446ace1614df/html5/thumbnails/17.jpg)
Multi-factor Authentication
● Joint OUCS & Student Administration project
● Provide “enhanced authentication” for access to draft examination papers in VLE (WebLearn)
● Pilot solution based on SAML2 with one-time password delivered via SMS
● Infrastructure modifications suitable for general use
Start Date:
2011-01
Finish Date:
2011-09
Sponsor:
UAS IS Board
Staff:
3
![Page 18: Identity and Access Management Infrastructure for Oxford …old.ictf.ox.ac.uk/conference/2011/presentations/wks02... · 2011. 7. 28. · Identity and Access Management Digital Identity](https://reader033.vdocuments.site/reader033/viewer/2022060909/60a3f060c16a446ace1614df/html5/thumbnails/18.jpg)
Enhanced IAM Suite
Kerberos
Webauth
Oak LDAP
Shibboleth
CUD
Group Store
AD
Multi-factor
Apache
Core HR
Interfase
Wordpress
Local AD
Krb Native
OSS +
Registr/n
IIS
TS/RDP
DARS
Financials
![Page 19: Identity and Access Management Infrastructure for Oxford …old.ictf.ox.ac.uk/conference/2011/presentations/wks02... · 2011. 7. 28. · Identity and Access Management Digital Identity](https://reader033.vdocuments.site/reader033/viewer/2022060909/60a3f060c16a446ace1614df/html5/thumbnails/19.jpg)
Future Projects?
![Page 20: Identity and Access Management Infrastructure for Oxford …old.ictf.ox.ac.uk/conference/2011/presentations/wks02... · 2011. 7. 28. · Identity and Access Management Digital Identity](https://reader033.vdocuments.site/reader033/viewer/2022060909/60a3f060c16a446ace1614df/html5/thumbnails/20.jpg)
Further Work
● There are still use cases that are not well supported● Commercial products which only support
proprietary authentication
● Products which “authenticate against LDAP”
● There is something awkward about Alumni needing to get a new login to access DARS
● Issuing credentials to new users is inefficient and not particularly secure
● There is a growing demand to be able to support non-members● Potential applicants (student & staff)
● 40,000 library readers
Some Ideas
Middleware solutions to handle IAM suite
integration for difficult applications
SSO “for life” - we don't reuse
usernames anyway
SSO “for all” with online self-registration
![Page 21: Identity and Access Management Infrastructure for Oxford …old.ictf.ox.ac.uk/conference/2011/presentations/wks02... · 2011. 7. 28. · Identity and Access Management Digital Identity](https://reader033.vdocuments.site/reader033/viewer/2022060909/60a3f060c16a446ace1614df/html5/thumbnails/21.jpg)
Questions
Please do use the feedback forms to requestworkshops covering any aspects in more detail