(Rev 1/11) UW System Identity and Access Management (IAM) Current Status and Roadmap Tom Jordan, IAM-TAG Chair Ty Letto, IAM Support Team Manager January, 2015


Page 1:

(Rev 1/11)

UW System Identity and Access Management (IAM)

Current Status and Roadmap

Tom Jordan, IAM-TAG Chair

Ty Letto, IAM Support Team Manager

January, 2015

Page 2:

Where IAM Fits Strategically

Identity is fundamental to flexible sourcing, both for customers and for services.

“Gone is the black-and-white, all-or-nothing fantasy of the early days of IT outsourcing: in those days, either you continued to perform a function internally or you threw it over the transom, pocketed the savings, and washed your hands of it. Sourcing today is a discipline—a set of practices, competencies, tools, and nuanced choices made over a range of possible configurations for a variety of reasons.”

Michael R. McPherson, Associate Vice President and Deputy CIO, University of Virginia

Page 3:

Today’s Agenda

1. Background and Governance

2. Current Infrastructure

3. Campus Visits and Findings

4. Open Discussion

Page 4:

UW System IAM Background

Timeline, 2001 to 2015 (milestones in the order shown on the slide):

– IAA MoU established with campuses
– IAA Registry created
– IAA Working Group formed
– Auth Hub developed: federated authentication for UW System-wide apps
– Cross-system identity reconciliation
– Wisconsin Identity Federation created
– Transition from Auth Hub to Shibboleth
– OIM deployed for HRS automated provisioning, access request management
– IAA MoU updated
– IAM Steering Committee formed
– IAM-TAG formed
– UWS reverse proxy deployed
– OIM 10g upgrade
– OIM 11g upgrade
– Multi-factor AuthN deployed for HRS & SFS

IAM Steering Committee

Representation:
– CIO
– Campus
– ERPs
– Library
– Legal
– Security

Charter:
– Data Governance
– Budget / Resource Governance
– Strategic Oversight of Infrastructure

IAM-TAG

Representation:
– Campus IAM Technologists
– ERP Technologists
– IAM Support Team Members
– SMEs as needed

Charter:
– Technical analysis and recommendation
– Advise on UWS IAM Policy
– Outreach and Awareness

IAM Support Team

Composition:
– Infrastructure Engineers
– Support Technicians
– PM / BA as needed

Responsibilities:
– Operate and maintain UWSA IAM Infrastructure
– Coordinate with Campus and Common Systems customers

Page 5:

UW System IAM Current Infrastructure

(Architecture diagram with three columns and labelled flows between them.)

Campus Infrastructure:
– Campus Student Information Systems
– Campus Authentication Services
– Campus Identity Providers (4)
– Campus Credentialing / Provisioning Processes

UWS IAM Infrastructure:
– HRS
– UW System Person Hub
– Wi-Fed Discovery Service
– Hosted Identity Providers (9)

Common Systems:
– D2L
– SFS
– Libraries
– etc.

Flow labels on the diagram: Student Data, Employee Data, WAYF?, Login Process, Validate Credentials, Attribute Delivery.
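The hop labelled "WAYF?" on this slide is the SAML IdP discovery exchange between a Common Systems service provider (SP) and the Wi-Fed Discovery Service (DS). The following is an added example, not code from the deck or from the Wi-Fed service: it builds the SP's request to the DS, has the DS validate that request against federation metadata before redirecting back with the chosen IdP, and has the SP read the answer. The entity IDs, the wayf.example.edu DS URL and the metadata aggregate are constructed for illustration.

```python
"""IdP discovery (WAYF) hop between a Common Systems SP and a discovery service.

Added example, not code from the UW System IAM deck. It models the "WAYF?"
step on the infrastructure slide: the SP sends the browser to the discovery
service (DS), the DS validates the request against federation metadata, and
redirects back to the SP with the selected IdP's entityID. All entity IDs,
URLs and the metadata aggregate below are constructed for illustration.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlencode, urlparse, parse_qs

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
IDPDISC = "urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"

# Constructed federation metadata aggregate (one SP, one IdP). Real federation
# metadata is signed and far larger, but the element lookups are the same.
METADATA = f"""<md:EntitiesDescriptor xmlns:md="{MD}" xmlns:idpdisc="{IDPDISC}">
  <md:EntityDescriptor entityID="https://lms.example.edu/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:Extensions>
        <idpdisc:DiscoveryResponse Binding="{IDPDISC}"
            Location="https://lms.example.edu/Shibboleth.sso/Login" index="1"/>
      </md:Extensions>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.campus.example.edu/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://idp.campus.example.edu/idp/profile/SAML2/Redirect/SSO"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""

DS_URL = "https://wayf.example.edu/DS"  # hypothetical discovery service endpoint


def _entities(metadata_xml):
    """Map entityID -> EntityDescriptor element for every entity in the aggregate."""
    root = ET.fromstring(metadata_xml)
    return {e.get("entityID"): e for e in root.iter(f"{{{MD}}}EntityDescriptor")}


def discovery_response_locations(metadata_xml, sp_entity_id):
    """URLs the SP has registered with the federation as DiscoveryResponse endpoints."""
    ent = _entities(metadata_xml).get(sp_entity_id)
    if ent is None:
        return []
    return [dr.get("Location") for dr in ent.iter(f"{{{IDPDISC}}}DiscoveryResponse")]


def is_idp(metadata_xml, entity_id):
    """True if the entity carries an IDPSSODescriptor, i.e. can actually authenticate."""
    ent = _entities(metadata_xml).get(entity_id)
    return ent is not None and ent.find("md:IDPSSODescriptor", {"md": MD}) is not None


def build_discovery_request(sp_entity_id, return_url, return_id_param="entityID"):
    """SP side: redirect the browser to the DS with the protocol's query parameters."""
    return DS_URL + "?" + urlencode({
        "entityID": sp_entity_id,
        "return": return_url,
        "returnIDParam": return_id_param,
    })


def _return_matches(return_url, registered):
    """Compare scheme, host:port and path; the query string may legitimately differ."""
    r = urlparse(return_url)
    return any((r.scheme, r.netloc, r.path) == (u.scheme, u.netloc, u.path)
               for u in map(urlparse, registered))


def handle_discovery_request(request_url, metadata_xml, chosen_idp):
    """DS side: validate the request against metadata, then redirect back with the IdP."""
    params = {k: v[0] for k, v in parse_qs(urlparse(request_url).query).items()}
    sp, ret = params.get("entityID"), params.get("return")
    if not sp or not ret:
        raise ValueError("entityID and return are required")
    registered = discovery_response_locations(metadata_xml, sp)
    if not registered:
        raise ValueError(f"unknown SP or no DiscoveryResponse endpoint: {sp}")
    # This check is what keeps the DS from being an open redirector: the return
    # URL must match an endpoint the SP registered in federation metadata.
    if not _return_matches(ret, registered):
        raise ValueError(f"return URL not registered for {sp}: {ret}")
    if not is_idp(metadata_xml, chosen_idp):
        raise ValueError(f"chosen entity is not an IdP in this federation: {chosen_idp}")
    sep = "&" if urlparse(ret).query else "?"
    return ret + sep + urlencode({params.get("returnIDParam", "entityID"): chosen_idp})


def read_discovery_response(redirect_url, return_id_param="entityID"):
    """SP side: pull the selected IdP's entityID out of the DS redirect."""
    return parse_qs(urlparse(redirect_url).query).get(return_id_param, [None])[0]


if __name__ == "__main__":
    sp, idp = "https://lms.example.edu/shibboleth", "https://idp.campus.example.edu/idp/shibboleth"
    req = build_discovery_request(sp, "https://lms.example.edu/Shibboleth.sso/Login?target=https://lms.example.edu/course/101")
    print(handle_discovery_request(req, METADATA, idp))
    try:
        handle_discovery_request(build_discovery_request(sp, "https://evil.example.net/Login"), METADATA, idp)
    except ValueError as e:
        print("rejected:", e)
```

The return-URL comparison against the SP's registered DiscoveryResponse endpoints is required by the SAML IdP Discovery Service Protocol profile; a DS that skips it will send a user wherever the `return` parameter says, which makes the federation's own discovery page a phishing redirector.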

Page 6:

IAM Campus Visits

• Discussions with:

– UW Oshkosh

– UW Green Bay

– UW Platteville

– UW La Crosse

– UW Stout

– UW Eau Claire

• IAM-TAG Member participation included:

– UW Madison

– UW Milwaukee

– UW Whitewater

– UW Parkside

– IAM Support Team

– Common Systems Applications – D2L, Libraries

• More to do, but some trends are emerging.

Page 7:

IAM Campus Visits

• Main points covered with each campus:

– User account provisioning / deprovisioning

– Local directory environment

– Email infrastructure

– Local authentication infrastructure

– Federation / Cloud Services

– Multi-Factor Authentication

– Mobile Authentication

– Support Model

– Future Projects / Initiatives

– Current and future needs for UW System IAM Infrastructure

Page 8:

IAM Campus Trends

• Use of UW System IAM Infrastructure

– Most campuses use centrally hosted Identity Providers (IdPs) for common systems applications (70%), but each campus we’ve talked to so far is running or experimenting with a local IdP.

– Most have cited inability to integrate centrally hosted IdP with 3rd party providers as a reason to run their own.

– Campuses are requesting that the IAM Support Team customize hosted IdPs:

• Look & feel

• Contextual information

• Integration with cloud services

Page 9:

IAM Campus Trends

• Active Directory and Office 365

– Most campuses migrating or exploring migration to Office 365

– MS Student Advantage is a driver for all campuses

– Drivers for Active Directory / Office 365 interoperability between campuses:

• Active Directory integration for Common Systems applications that support / require it

• Interoperability for hosting agreements between campuses (ImageNow, Lync, etc.)

• Possible federation of Office 365 instances to enable cross-campus calendaring, resource sharing

– Campus Active Directory installations vary

Page 10:

Wisconsin Federation Trends

• Managing Federated Applications

– Most campuses engaged in some form of identity federation

– Increased need to federate campus applications

• Federated Application Support

– At least three parties are involved in any login problem:

• Common Systems Application Provider

• IAM Support Team

• Local Campus IAM Team / Helpdesk

– Need improved coordination between groups, including improved tools and service agreements

• Wisconsin Federation Administration

– Increased engagement by federation operators

– Onboarding process for federating campus apps

– Service provider commitment

Wisconsin Federation (WI-Fed)

Page 11:

Recommended Activities - 2015

• Explore a new support model for currently hosted IdPs that allows for customization / 3rd party integration

– Encourage campuses to explore options for managing their IdPs

– Expand IAM Support Team offering for hosted IdPs

– Explore contracted service / 3rd party options

• Explore directory integration through virtual directories or other means

• Create a federated application support tool

• Engage with Flex and others to explore future cross-campus AuthN and AuthZ needs
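The "federated application support tool" recommended above, and the three-party login-problem triage described on the previous slide, come down to a handful of checks against federation metadata and the IdP's attribute release configuration. The following is an added example of those checks, not a tool from the deck, the IAM Support Team or the Wisconsin Federation. The metadata aggregate, the library.example.edu SP, its validUntil date and the release policy are constructed; the release policy is a plain set standing in for the IdP's attribute-filter configuration.

```python
"""Triage helper for a federated login failure.

Added example, not a tool from the UW System IAM deck or the Wisconsin
Federation. It performs the checks that the application provider, the IAM
Support Team and the campus helpdesk otherwise reconstruct by hand: has the
SP's metadata entry lapsed, where will the assertion be posted, and which
attributes the SP requires that the IdP is not releasing to it. The metadata,
entity IDs, dates and release policy below are constructed for illustration.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD}

METADATA = f"""<md:EntitiesDescriptor xmlns:md="{MD}">
  <md:EntityDescriptor entityID="https://library.example.edu/sp"
      validUntil="2015-02-01T00:00:00Z">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://library.example.edu/Shibboleth.sso/SAML2/POST" index="1" isDefault="true"/>
      <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="http://library.example.edu/Shibboleth.sso/SAML2/POST" index="2"/>
      <md:AttributeConsumingService index="1">
        <md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
            FriendlyName="eduPersonPrincipalName" isRequired="true"/>
        <md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1"
            FriendlyName="eduPersonAffiliation" isRequired="true"/>
        <md:RequestedAttribute Name="urn:oid:0.9.2342.19200300.100.1.3"
            FriendlyName="mail"/>
      </md:AttributeConsumingService>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""

# Hypothetical: attributes the hosted IdP releases to each SP, keyed by SP entityID.
# In a Shibboleth IdP this lives in the attribute-filter policy, not in metadata.
RELEASE_POLICY = {
    "https://library.example.edu/sp": {"eduPersonPrincipalName", "mail"},
}


def _parse_ts(value):
    """SAML metadata timestamps are UTC, e.g. 2015-02-01T00:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def sp_report(metadata_xml, sp_entity_id, released, now):
    """Findings for one SP as the IdP would see it at time `now` (UTC timestamp string)."""
    root = ET.fromstring(metadata_xml)
    ent = next((e for e in root.iter(f"{{{MD}}}EntityDescriptor")
                if e.get("entityID") == sp_entity_id), None)
    if ent is None:
        return {"found": False, "findings": [f"no metadata for {sp_entity_id}"]}
    sp = ent.find("md:SPSSODescriptor", NS)
    findings = []

    # 1. validUntil: once it passes, the IdP drops the entry from its metadata
    #    cache and every login fails as an unknown relying party.
    valid_until = ent.get("validUntil") or root.get("validUntil")
    expired = bool(valid_until) and _parse_ts(valid_until) <= _parse_ts(now)
    if expired:
        findings.append(f"metadata entry expired at {valid_until}")

    # 2. Assertion consumer endpoints: the assertion goes to the default one, and
    #    a non-https ACS would carry the assertion (and its attributes) in clear text.
    acs = sp.findall("md:AssertionConsumerService", NS)
    default = next((a for a in acs if a.get("isDefault") == "true"), acs[0] if acs else None)
    for a in acs:
        if not a.get("Location", "").startswith("https://"):
            findings.append(f"ACS index {a.get('index')} is not https: {a.get('Location')}")

    # 3. Requested vs released attributes: a required attribute the IdP withholds
    #    is the classic case of a successful IdP login that still fails at the SP.
    requested = {ra.get("FriendlyName"): ra.get("isRequired") == "true"
                 for ra in sp.iter(f"{{{MD}}}RequestedAttribute")}
    missing_required = sorted(n for n, req in requested.items() if req and n not in released)
    missing_optional = sorted(n for n, req in requested.items() if not req and n not in released)
    for n in missing_required:
        findings.append(f"required attribute not released: {n}")

    return {
        "found": True,
        "expired": expired,
        "default_acs": default.get("Location") if default is not None else None,
        "missing_required": missing_required,
        "missing_optional": missing_optional,
        "findings": findings,
    }


if __name__ == "__main__":
    sp_id = "https://library.example.edu/sp"
    report = sp_report(METADATA, sp_id, RELEASE_POLICY[sp_id], "2015-01-15T00:00:00Z")
    for line in report["findings"]:
        print(line)
```

Run against the constructed input this reports two findings: the second, plain-http ACS endpoint and the required eduPersonAffiliation attribute the IdP does not release. Each finding maps to one of the three parties on the previous slide (SP metadata is the application provider's, release policy is the IdP operator's, expired metadata is the federation's to republish), which is the coordination gap the tool is meant to close.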

Page 12:

Open Discussion