TRANSCRIPT
(Rev 1/11)
UW System Identity and Access Management (IAM)
Current Status and Roadmap
Tom Jordan, IAM-TAG Chair
Ty Letto, IAM Support Team Manager
January, 2015
Where IAM Fits Strategically
Identity is fundamental to flexible sourcing, both for customers and for services.
“Gone is the black-and-white, all-or-nothing fantasy of the early days of IT outsourcing: in those days, either you continued to perform a function internally or you threw it over the transom, pocketed the savings, and washed your hands of it. Sourcing today is a discipline—a set of practices, competencies, tools, and nuanced choices made over a range of possible configurations for a variety of reasons.”
Michael R. McPherson, Associate Vice President and Deputy CIO, University of Virginia
Today’s Agenda
1. Background and Governance
2. Current Infrastructure
3. Campus Visits and Findings
4. Open Discussion
UW System IAM Background
Timeline of milestones, 2001 to 2015 (order as listed on the slide):
• IAA MoU established with campuses
• IAA Registry created
• IAA Working Group formed
• Auth Hub developed: federated authentication for UW System-wide apps
• Cross-System Identity Reconciliation
• Wisconsin Identity Federation created
• Transition from Auth Hub to Shibboleth
• OIM deployed for HRS automated provisioning and access request management
• IAA MoU updated
• IAM Steering Committee formed
• IAM-TAG formed
• UWS Reverse Proxy deployed
• OIM 10g upgrade
• OIM 11g upgrade
• Multi-Factor AuthN deployed for HRS & SFS
IAM Steering Committee
Representation:
– CIO
– Campus
– ERPs
– Library
– Legal
– Security
Charter:
– Data Governance
– Budget / Resource Governance
– Strategic Oversight of Infrastructure

IAM-TAG
Representation:
– Campus IAM Technologists
– ERP Technologists
– IAM Support Team Members
– SMEs as needed
Charter:
– Technical analysis and recommendation
– Advise on UWS IAM Policy
– Outreach and Awareness

IAM Support Team
Composition:
– Infrastructure Engineers
– Support Technicians
– PM / BA as needed
Responsibilities:
– Operate and maintain UWSA IAM Infrastructure
– Coordinate with Campus and Common Systems customers
UW System IAM Current Infrastructure
Diagram with three columns: Campus Infrastructure, UWS IAM Infrastructure, Common Systems.
• Campus Infrastructure: Campus Student Information Systems; Campus Authentication Services; Campus Identity Providers (4); Campus Credentialing / Provisioning Processes
• UWS IAM Infrastructure: HRS; UW System Person Hub; Wi-Fed Discovery Service (WAYF); Hosted Identity Providers (9)
• Common Systems: D2L; SFS; Libraries; etc.
Flows labeled on the diagram: Student Data and Employee Data (into the UW System Person Hub); Login Process (through the Discovery Service, which acts as the WAYF, to a hosted or campus IdP); Validate Credentials (IdP against campus authentication services); Attribute Delivery (IdP to the Common Systems application).
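The three flows named on the diagram (login via discovery, credential validation at the campus, attribute delivery to the application) are easier to reason about as a small runnable model. The following is an added illustrative example, not UW System code and not the Shibboleth implementation the deck refers to: a toy federation in which a discovery service routes a user to the IdP for their campus, the IdP validates credentials against a campus store and issues a signed attribute assertion, and the service provider (SP) accepts attributes only from an IdP listed in federation metadata, only under a valid signature, and only for the attribute scope that IdP is registered to assert. All entity IDs, keys, users and passwords are constructed for the example; an HMAC stands in for the XML signature a real SAML IdP would produce.

```python
"""Toy federated login: discovery -> IdP login -> SP attribute consumption.

Illustrative model only (not UW System or Shibboleth code). Entity IDs,
keys and users below are constructed; HMAC replaces the SAML XML signature.
"""
import hashlib
import hmac
import json

# Constructed federation metadata: the IdPs the SP trusts and the attribute
# scope each one is registered to assert (the federation's scope policy).
FEDERATION_METADATA = {
    "https://idp.campus-a.example/idp": {
        "key": b"campus-a-signing-secret",
        "scopes": {"campus-a.example"},
    },
    "https://idp.campus-b.example/idp": {
        "key": b"campus-b-signing-secret",
        "scopes": {"campus-b.example"},
    },
}

# Constructed campus credential stores, one per IdP. "mallory" is a deliberately
# misconfigured entry whose ePPN claims the other campus's scope.
CAMPUS_USERS = {
    "https://idp.campus-a.example/idp": {
        "alice": ("alice-pw", {"eduPersonPrincipalName": "alice@campus-a.example",
                               "eduPersonAffiliation": "student"}),
        "mallory": ("mallory-pw", {"eduPersonPrincipalName": "admin@campus-b.example",
                                   "eduPersonAffiliation": "staff"}),
    },
    "https://idp.campus-b.example/idp": {
        "bob": ("bob-pw", {"eduPersonPrincipalName": "bob@campus-b.example",
                           "eduPersonAffiliation": "faculty"}),
    },
}


def discover_idp(campus_domain):
    """Discovery service (WAYF): map the user's chosen campus to its IdP entity ID."""
    for entity_id, meta in FEDERATION_METADATA.items():
        if campus_domain in meta["scopes"]:
            return entity_id
    raise LookupError(f"no IdP registered for {campus_domain}")


def idp_login(entity_id, username, password):
    """Login at the campus IdP: validate credentials against the campus store,
    then issue an attribute assertion signed with the IdP's key."""
    record = CAMPUS_USERS.get(entity_id, {}).get(username)
    if record is None or not hmac.compare_digest(record[0], password):
        raise PermissionError("invalid credentials")
    body = json.dumps({"issuer": entity_id, "attributes": record[1]}, sort_keys=True)
    key = FEDERATION_METADATA[entity_id]["key"]
    sig = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}


def sp_consume(assertion):
    """Attribute delivery at the SP: accept attributes only from a registered
    issuer, under a valid signature, and within that issuer's scope."""
    body = json.loads(assertion["body"])
    meta = FEDERATION_METADATA.get(body.get("issuer"))
    if meta is None:
        raise PermissionError("issuer not in federation metadata")
    expected = hmac.new(meta["key"], assertion["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion["sig"]):
        raise PermissionError("bad assertion signature")
    attrs = body["attributes"]
    scope = attrs["eduPersonPrincipalName"].rpartition("@")[2]
    if scope not in meta["scopes"]:
        raise PermissionError(f"issuer may not assert scope {scope}")
    return attrs


def federated_login(campus_domain, username, password):
    """End-to-end flow: discovery -> IdP login -> SP attribute consumption."""
    return sp_consume(idp_login(discover_idp(campus_domain), username, password))


def run_demo():
    """Exercise the accept path and each reject path; returns a result map."""
    results = {"alice": federated_login("campus-a.example", "alice", "alice-pw")}
    cases = {
        "wrong_password": ("campus-a.example", "alice", "nope"),
        "unknown_campus": ("campus-c.example", "carol", "carol-pw"),
        "scope_violation": ("campus-a.example", "mallory", "mallory-pw"),
    }
    for name, args in cases.items():
        try:
            federated_login(*args)
            results[name] = "accepted"
        except (PermissionError, LookupError) as exc:
            results[name] = type(exc).__name__
    # Tampering after signing: attributes edited in transit must fail the SP's check.
    assertion = idp_login("https://idp.campus-b.example/idp", "bob", "bob-pw")
    assertion["body"] = assertion["body"].replace("faculty", "staff")
    try:
        sp_consume(assertion)
        results["tampered"] = "accepted"
    except PermissionError as exc:
        results["tampered"] = type(exc).__name__
    return results


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The scope check is the part worth noticing: the "mallory" case is a correctly authenticated user at campus A whose IdP asserts an identifier in campus B's scope, and the SP rejects it on federation metadata alone, without needing to know anything about either campus's user store. In a production federation the equivalent checks are the metadata-driven signature validation and the shibmd:Scope policy on the SP, rather than the HMAC used here.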
IAM Campus Visits
• Discussions with:
– UW Oshkosh
– UW Green Bay
– UW Platteville
– UW La Crosse
– UW Stout
– UW Eau Claire
• IAM-TAG Member participation included:
– UW Madison
– UW Milwaukee
– UW Whitewater
– UW Parkside
– IAM Support Team
– Common Systems Applications – D2L, Libraries
• More to do, but some trends are emerging.
IAM Campus Visits
• Main points covered with each campus:
– User account provisioning / deprovisioning
– Local directory environment
– Email infrastructure
– Local authentication infrastructure
– Federation / Cloud Services
– Multi-Factor Authentication
– Mobile Authentication
– Support Model
– Future Projects / Initiatives
– Current and future needs for UW System IAM Infrastructure
IAM Campus Trends
• Use of UW System IAM Infrastructure
– Most campuses use centrally hosted Identity Providers (IdPs) for common systems applications (70%), but each campus we’ve talked to so far is running or experimenting with a local IdP.
– Most have cited inability to integrate centrally hosted IdP with 3rd party providers as a reason to run their own.
– Campuses are requesting that the IAM Support Team customize hosted IdPs:
• Look & feel
• Contextual information
• Integration with cloud services
IAM Campus Trends
• Active Directory and Office 365
– Most campuses migrating or exploring migration to Office 365
– MS Student Advantage is a driver for all campuses
– Drivers for Active Directory / Office 365 interoperability between campuses:
• Active Directory integration for Common Systems applications that support / require it
• Interoperability for hosting agreements between campuses (ImageNow, Lync, etc)
• Possible federation of Office 365 instances to enable cross-campus calendaring, resource sharing
– Campus Active Directory installations vary
Wisconsin Federation Trends
• Managing Federated Applications
– Most campuses engaged in some form of identity federation
– Increased need to federate campus applications
• Federated Application Support
– At least three parties involved in login problems:
• Common Systems Application Provider
• IAM Support Team
• Local Campus IAM Team / Helpdesk
– Need improved coordination between groups, including improved tools and service agreements
• Wisconsin Federation Administration
– Increased engagement by federation operators
– Onboarding process for federating campus apps
– Service provider commitment
Wisconsin Federation (WI-Fed)
Recommended Activities - 2015
• Explore a new support model for currently hosted IdPs that allows for customization / 3rd party integration
– Encourage campuses to explore options for managing their IdPs
– Expand IAM Support Team offering for hosted IdPs
– Explore contracted service / 3rd party options
• Explore directory integration through virtual directories or other means
• Create a federated application support tool
• Engage with Flex and others to explore future cross-campus AuthN and AuthZ needs
Open Discussion