Strategies for Directory Deployment - Centralized, Distributed, Federated, Decentralized

Presenters (East to West):

• Suresh Balakrishnan, University System of Maryland
• Dennis Cromwell, Indiana University - Bloomington
• Melinda Jones, University of Colorado at Boulder
• Mark Crase, California State University
• David Bantz, University of Alaska


University System of Maryland Identity Management Infrastructure: Vision, Architecture, and Strategies

Suresh Balakrishnan, University System of Maryland

Vision

• Create a unifying layer across autonomous institutions: identification, affiliation
• Provide transparent access to shared services: authentication, authorization
• Provide a foundation for more advanced services (e.g., PKI)
• Provide a vehicle for coordination with K-12 education in the State
• Integrate education in Maryland into a broader fabric

Library Applications

• Currently in use/development: Rock-n-Roll Reserves; Digital Library Access
• Future possibilities: shared and unique resources for institutions; multiple institutional affiliations; auto-populating the patron database

Architecture & Collaborative Efforts

• Highly decentralized implementation context
• System-wide work group developing guidance materials: tool kit; demonstrations of local and collaborative apps
• Testing Shibboleth

Indiana University Global Directory Services

• Centralized directory structure
• Flat name space – 150,000 actual users: 100,000 students; 20,000 faculty and appointed staff; 30,000 others
• Seven campuses
• Provides updates for the two authentication services – Kerberos and ADS
• Implements the eduPerson schema with extensions

Indiana University Directory Entries

• Directory automatically loaded from SIS and HR systems
• IU faculty, staff and students
• Sponsored accounts (affiliates of IU): data is entered into the PeopleSoft system and picked up as part of the load
• An account cannot be created until an entry exists in the Directory

Indiana University – Architecture

• OpenLDAP
• Batch feeds from SIS and HRMS
• API for LDAP abstracts access
• ADS used in conjunction for non-enterprise type groups
• Account Management System and Address Book read the Directory

Indiana University Future Directions

• Real-time updates from SIS/HRMS
• "Guest" stored in directory
• Cleaning up old technology components and integrating technical components
• Disaster recovery replication and automatic failover
• Better purge procedures
• Decision support functions

University of Colorado System

• 4 unique campuses – traditional, non-traditional, and health sciences + System Services Campus
• 49,000 students total (28,000 at Boulder campus)
• 22,000 employees

Melinda Jones, University of Colorado at Boulder

Directory Services Project: Goals

• Develop common infrastructure
• Develop UCB Enterprise Directory
• Create trusted, authoritative data source
• Usable by variety of applications & services
• Identity, data & relationship management
• Authentication/Authorization

Object class layering (from the schema diagram, with the attributes shown for each class):

• person: cn, description, seeAlso, sn, telephoneNumber, userPassword
• organizationalPerson: facsimileTelephoneNumber, ou, postalAddress, street, st, postalCode, postOfficeBox, preferredDeliveryMethod, title
• inetOrgPerson: departmentNumber, displayName, employeeNumber, employeeType, homePhone, homePostalAddress, jpegPhoto, labeledURI, mail, uid
• eduPerson: affiliation, jobClassification, nickName, orgDN, orgUnitDN, primaryAffiliation, principalName, schoolCollegeName
• cuEduPerson: Uuid, au activities & research, alternateContact, campus, degreeInstitution & Yr, employmentStartDate, Expertise, feesIndicator, highestDegree, homeDepartment, ISO, major, minor, class, Privacy, SID, SSN
• coloradoPerson: MacgridNumber, Machomelocpath, Machomedir
• cusysPerson: Identifiers…

Directory Services Project: organization and architecture (diagram). Project teams: Core Team, Steering Team, Campus Experts, Business Rules. Sources and registries: SIS, HR and Boulder Email feed a 4-Campus Registry and a Boulder/Central Enterprise Directory, arranged in campus-specific, university-wide and common-infrastructure layers. UCB consumers: WebCT AuthN, MacOS AuthN, UCB calendar, sponsored entries, Card Office, AuthN for ITS services, Boulder Email, UCB Directory, identity reconciliation, directory build. cu.edu (concept): SIS/HR feeding a Registry, White Pages, CS Directory, CUSYS Directory, UCD Directory, Faculty "Portal", Student Portal, Library – Digital AuthN, Identity/Access, Campus File System.

The California State University

• 23 campuses: 1 research institution (R2); 21 4-year comprehensive institutions; California Maritime Academy
• 400,000 students; 60,000 faculty and staff

Mark Crase, California State University

Planning Activities

• Identified internal and external drivers for a multi-campus approach
• Defined development principles:
  1. Foster collaborative efforts among CSU campuses
  2. Foster collaboration with others (I2, UC, CCC, etc.)
  3. Use directories as the starting point for a more comprehensive middleware effort
  4. Standards-based w/o mandatory apps/tools
  5. Initially, campus participation is voluntary, but adoption of eduPerson was mandatory
• Communicated at all levels of the institution

Initial Deployment Objectives

• Maintain appearance of a unified directory architecture
• Adopt a common view (eduPerson, etc.)
• Define common CSU objects and unique campus objects
• Adopt a system-wide unique identifier
• Security of the Directory had to be no less than the most secure application being supported
• Standards compliant, but no mandatory tools (LDAP now, others later)

Initial Architecture Proposal

• Distributed directory model (campus directories, LDAP v3 referrals to all others)
• Domain component naming
• Adoption of eduPerson 1.0 (now 2.0)
• Extension to calstateEduPerson (affiliation, major, SecurityFlag, VOIP address)
• Provision for campusEduPerson attributes
• Global unique ID based on a "uniqueness" algorithm
• Secure directory servers (SSL)

Final Recommendations

• Central directory servers (redundant and diverse)
• Submit campus data to a system-wide directory registry service (like DoDHE CDS)
• Common view with extensions, unique ID, security
• Minimum central attributes option
• Expanded central attributes option

2003.10.14

UA Enterprise Directory

• Centralized core data
• Campus applications
• Contacts: self-service

David Bantz, University of Alaska

UA Directory Status

• 67,000 students; 10,000 employees; 760 departments
• Departments fork linked to employees
• Web gateway interface supports searching, listing, self-service data
• Scheduled & ad hoc batch updates from multiple sources

UA Enterprise Directory Strategy: Environmental Challenges

• Distributed implementation team
• Complex interface constraints – based on attributes or roles
• Sub-set vs. super-set philosophies

UA Enterprise Directory: Responses to Challenges

• Two-phase commit for self-service edits (Registry/EDir)
• Registry (Oracle db) enforces UA rules (syntax, constraints, validation values)
• Distributed admin facilitated by attribute-based roles (role-based ACIs)
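The two-phase commit and registry-rule bullets above describe a pattern rather than code. The following is an added example, not UA's implementation: a self-service edit is first checked against registry rules (syntax, allowed attributes, enumerated values), then staged in both the registry and the enterprise directory, and committed to both only if both staging steps succeed; a failure anywhere rolls both back so the two stores never diverge. The rule set, the attribute names chosen as self-editable and the in-memory stores standing in for Oracle and LDAP are all constructed for illustration.

```python
"""Two-phase commit for a self-service directory edit (added example, not UA code).

The registry validates the edit, then registry and directory (EDir) both
prepare, then both commit; any failure rolls both back.  Stores are
in-memory stand-ins and the rules below are constructed, not UA's real rules.
"""
import re


class RuleViolation(ValueError):
    """Raised when an edit fails a registry rule."""


# Constructed registry rules: syntax checks and an enumerated value set.
RULES = {
    "telephoneNumber": lambda v: re.fullmatch(r"\+?\d[\d\- ]{6,19}\d", v) is not None,
    "mail": lambda v: re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", v) is not None,
    "preferredDeliveryMethod": lambda v: v in {"email", "campus mail", "none"},
}
# Only these attributes are self-service editable; identifiers and
# affiliations come from authoritative feeds and are never user-editable.
SELF_SERVICE_EDITABLE = set(RULES)


class Store:
    """Minimal prepare/commit/rollback store; stands in for the Oracle
    registry and for the LDAP directory alike."""

    def __init__(self, name, records):
        self.name = name
        self.records = records
        self._pending = {}

    def prepare(self, uid, changes):
        # Phase 1: stage the change; nothing is visible to readers yet.
        if uid not in self.records:
            raise KeyError(f"{self.name}: no entry for {uid}")
        self._pending[uid] = dict(changes)

    def commit(self, uid):
        # Phase 2: make the staged change visible.
        self.records[uid].update(self._pending.pop(uid))

    def rollback(self, uid):
        self._pending.pop(uid, None)


def validate(changes):
    """Registry rules: only self-service attributes, each passing its rule."""
    for attr, value in changes.items():
        if attr not in SELF_SERVICE_EDITABLE:
            raise RuleViolation(f"{attr} is not self-service editable")
        if not RULES[attr](value):
            raise RuleViolation(f"{attr}: value {value!r} fails registry rule")


def self_service_edit(registry, edir, uid, changes):
    """Apply one edit to both stores or to neither. Returns True on commit."""
    try:
        validate(changes)
        registry.prepare(uid, changes)   # phase 1: every participant prepares
        edir.prepare(uid, changes)
    except (RuleViolation, KeyError):
        registry.rollback(uid)           # undo any staged half of the edit
        edir.rollback(uid)
        return False
    registry.commit(uid)                 # phase 2: every participant commits
    edir.commit(uid)
    return True


def demo():
    """Constructed scenario: one good edit, two rejected edits, one EDir failure."""
    base = {"mail": "jdoe@example.edu", "telephoneNumber": "907-555-0100"}
    registry = Store("registry", {"jdoe": dict(base), "asmith": {"mail": "asmith@example.edu"}})
    edir = Store("edir", {"jdoe": dict(base)})   # asmith not yet built in EDir
    results = {
        "ok": self_service_edit(registry, edir, "jdoe", {"telephoneNumber": "907-555-0199"}),
        "bad_syntax": self_service_edit(registry, edir, "jdoe", {"telephoneNumber": "call me"}),
        "not_editable": self_service_edit(registry, edir, "jdoe", {"eduPersonAffiliation": "faculty"}),
        "edir_missing": self_service_edit(registry, edir, "asmith", {"mail": "a.smith@example.edu"}),
    }
    results["consistent"] = registry.records["jdoe"] == edir.records["jdoe"]
    results["phone"] = registry.records["jdoe"]["telephoneNumber"]
    results["registry_pending"] = dict(registry._pending)   # rollback left nothing staged
    results["asmith_mail"] = registry.records["asmith"]["mail"]
    return results


if __name__ == "__main__":
    print(demo())
```

The `edir_missing` case is the one worth watching: the registry had already staged the change when the directory refused it, and the rollback is what keeps the registry from committing an edit the directory never saw.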

UA Directory Architecture (diagram): SQL registry; web gateway operations – Directory Search (Anon.), Directory Search (Auth.), Detailed Results (Anon.), Self-service edits (Auth.)

Protecting Information

• Employee ids, student ids, social security identifiers are not stored in the Directory
• Web gateway intermediary communicates only via SSL
• Data changed only by "known" processes (web gateway or MAU IT)
• Gateway limits bulk harvesting
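The gateway controls on this slide and the anonymous/authenticated split in the architecture diagram can be shown as a small model. This is an added example, not UA's gateway: the loader refuses any entry carrying an identifier attribute that should have stayed in the registry, anonymous searches see fewer attributes than authenticated ones, and anonymous harvesting is limited by a minimum filter length, a result cap and a per-client query budget. The attribute split, the numeric limits, the attribute names in `FORBIDDEN_IN_DIRECTORY` and the sample entries are all constructed assumptions; the slide states the controls, not their parameters.

```python
"""Directory web-gateway model (added example, not UA's code).

Three controls from the slide: identifiers never enter the directory,
result detail depends on authentication, and anonymous bulk harvesting is
bounded.  All entries, limits and attribute names are constructed.
"""
from collections import defaultdict

# Constructed directory content.  Note what is absent: no employee number,
# student id or SSN; those live in the registry, not in the directory.
DIRECTORY = [
    {"uid": "abaker", "cn": "Alice Baker", "mail": "abaker@example.edu",
     "telephoneNumber": "907-555-0101", "ou": "Library", "homePhone": "907-555-0901"},
    {"uid": "cchen", "cn": "Chris Chen", "mail": "cchen@example.edu",
     "telephoneNumber": "907-555-0102", "ou": "Library", "homePhone": "907-555-0902"},
    {"uid": "ddiaz", "cn": "Dana Diaz", "mail": "ddiaz@example.edu",
     "telephoneNumber": "907-555-0103", "ou": "Physics", "homePhone": "907-555-0903"},
    {"uid": "ekim", "cn": "Evan Kim", "mail": "ekim@example.edu",
     "telephoneNumber": "907-555-0104", "ou": "Library", "homePhone": "907-555-0904"},
]

# Constructed attribute names for identifiers that must never be loaded.
FORBIDDEN_IN_DIRECTORY = {"employeeNumber", "studentId", "ssn"}
# Assumed visibility split: anonymous callers get contact basics only.
ANON_ATTRS = {"cn", "mail", "ou"}
AUTH_ATTRS = ANON_ATTRS | {"uid", "telephoneNumber", "homePhone"}

ANON_MAX_RESULTS = 2      # anonymous listings are capped (constructed value)
ANON_QUERY_BUDGET = 3     # anonymous queries per client (window handling omitted)
MIN_ANON_FILTER_LEN = 3   # no one- or two-character sweeps of the whole directory


class Gateway:
    def __init__(self, entries):
        # Load-time check: an entry carrying a registry-only identifier is a
        # pipeline bug and is rejected rather than silently published.
        for e in entries:
            leaked = FORBIDDEN_IN_DIRECTORY & e.keys()
            if leaked:
                raise ValueError(f"identifier attributes must not be loaded: {sorted(leaked)}")
        self.entries = entries
        self.anon_queries = defaultdict(int)

    def search(self, client_id, text, authenticated):
        """Substring search over cn and ou, with anonymous limits applied."""
        if not authenticated:
            if len(text) < MIN_ANON_FILTER_LEN:
                return {"error": "filter too broad"}
            self.anon_queries[client_id] += 1
            if self.anon_queries[client_id] > ANON_QUERY_BUDGET:
                return {"error": "query budget exceeded"}
        needle = text.lower()
        hits = [e for e in self.entries if needle in (e["cn"] + " " + e["ou"]).lower()]
        attrs = AUTH_ATTRS if authenticated else ANON_ATTRS
        truncated = False
        if not authenticated and len(hits) > ANON_MAX_RESULTS:
            hits, truncated = hits[:ANON_MAX_RESULTS], True
        return {
            "results": [{k: v for k, v in e.items() if k in attrs} for e in hits],
            "truncated": truncated,
        }


if __name__ == "__main__":
    gw = Gateway(DIRECTORY)
    print(gw.search("client-1", "Library", authenticated=False))
    print(gw.search("client-2", "Library", authenticated=True))
```

The result cap and the query budget work together: the cap bounds what one query can pull, the budget bounds how many capped queries a single client can issue, and the minimum filter length stops a single wildcard query from matching everyone. Real deployments would key the budget on an authenticated session or source address and reset it per time window.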