
UCLA Enterprise Directory Identity Management Infrastructure, UC Enrollment Service Technical Conference, October 16, 2007, Ying Ma, yingma@ucla.edu


Page 1

UCLA Enterprise Directory Identity Management Infrastructure

UC Enrollment Service Technical Conference

October 16, 2007

Ying Ma, yingma@ucla.edu

Page 2

Identity Management Overview

Automate processes for:
• Identifying and grouping individuals
• Granting permissions and access transparently
• Revoking access efficiently
• Streamlining administration and management
• Tracking and reporting access patterns

** ENTERPRISE-WIDE! **

Page 3

Benefits

• Single enterprise-wide solution
 – Simplifies and standardizes
 – Reduces errors
• Automatic provisioning workflow
• Instantaneous ability to revoke at-risk access across campus
• Reduction of hidden costs of independent solutions
• Full auditability – who has access to what & when

** Better User Experience and Tighter Security **

Page 4

Planning & Budgeting

• Consultant from the Burton Group
• Project funded for $1.5 Million
• Evaluated JES and other commercial IdM products
• Purchased Sun Java Directory only
• Hired 2 new staff members – a team of 5, but not dedicated to IdM

Page 5

Current Features

• Enterprise-wide identity repository – Enterprise Directory
• Single Logon ID – UCLA Logon ID
• Integrated account creation with URSA (student portal)
• Web Single Sign-on – ISIS
• Federation support – Shibboleth / UCTrust

Page 6

Enterprise Directory

• Every person at UCLA has one electronic identity in ED
 – Consolidate data between different sources
 – Map multiple IDs together
 – Analyze on an attribute-by-attribute basis:
  • common definition of attribute
  • data collection / transformation logic
  • access control rules
  • standard way for conflict resolution
• Superset of the legacy University ID system
 – Traditional UID is a 9-digit number for students and employees
 – UCLA Logon ID is a string of 2-15 alphanumeric characters for everyone
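The consolidation step above, as an added illustration that is not code from UCLA's Enterprise Directory: records from several source systems are grouped by the 9-digit UID, both ID formats from the slide are validated, and each attribute is resolved by a per-attribute source priority table. The source names, the priority table and the sample feeds are all constructed; the slide only says a standard conflict-resolution rule exists, so the table stands in for it, and disagreements are flagged rather than silently overwritten so they can be reviewed.

```python
import re

# Identifier formats from the slide: a legacy University ID is 9 digits,
# a UCLA Logon ID is 2-15 alphanumeric characters.
UID_RE = re.compile(r"[0-9]{9}")
LOGON_ID_RE = re.compile(r"[A-Za-z0-9]{2,15}")

def is_valid_uid(value):
    return bool(UID_RE.fullmatch(value))

def is_valid_logon_id(value):
    return bool(LOGON_ID_RE.fullmatch(value))

# Assumed conflict-resolution rule (constructed stand-in for the slide's
# "standard way"): per attribute, the first listed source with a value wins.
SOURCE_PRIORITY = {
    "name": ["payroll", "student", "affiliate"],
    "email": ["student", "payroll", "affiliate"],
    "department": ["payroll", "affiliate", "student"],
}

def consolidate(records):
    """Build one ED entry per UID from records of several source systems.
    Returns {uid: entry} with mapped Logon IDs, contributing sources, the
    resolved attributes, and the attributes the sources disagreed on."""
    by_uid = {}
    for rec in records:
        if not is_valid_uid(rec["uid"]):
            raise ValueError(f"{rec['source']}: malformed UID {rec['uid']!r}")
        if rec.get("logon_id") and not is_valid_logon_id(rec["logon_id"]):
            raise ValueError(f"{rec['source']}: malformed Logon ID {rec['logon_id']!r}")
        by_uid.setdefault(rec["uid"], {})[rec["source"]] = rec
    identities = {}
    for uid, by_source in by_uid.items():
        entry = {"logon_ids": sorted({r["logon_id"] for r in by_source.values() if r.get("logon_id")}),
                 "sources": sorted(by_source), "conflicts": []}
        for attr, order in SOURCE_PRIORITY.items():
            values = [by_source[s][attr] for s in order if s in by_source and by_source[s].get(attr)]
            entry[attr] = values[0] if values else None
            if len(set(values)) > 1:  # sources disagree: priority decides, but flag it for review
                entry["conflicts"].append(attr)
        identities[uid] = entry
    return identities

# Constructed sample feeds: two people, three source systems.
SAMPLE_RECORDS = [
    {"source": "student", "uid": "123456789", "logon_id": "jbruin", "name": "Joe Bruin", "email": "jbruin@example.edu"},
    {"source": "payroll", "uid": "123456789", "logon_id": "jbruin", "name": "Joseph Bruin", "department": "Library"},
    {"source": "affiliate", "uid": "987654321", "logon_id": "vscholar1", "name": "V. Scholar", "email": "vs@example.org"},
]
```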

Page 7

UCLA Logon ID

• Anyone who needs access is eligible for a UCLA Logon ID
 – Students and employees
 – Donors, parents, visiting scholars, hospital staff, conference attendees, library patrons, etc.
• Separating authentication from authorization – having an account does not imply access
• For students, created at the time they file their intent to register (SIR)
• For employees and other affiliates, created on demand
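The point that an account is not an entitlement, as an added illustration (not code from ISIS or any of the UCLA services named on these slides): an authorization decision takes a Logon ID that the authentication service has already verified, checks the person's affiliations in the directory against the application's admission rule, hands the application only the attributes its release policy allows, and records the decision for audit. The directory entries, affiliation names and application policies are constructed.

```python
# Constructed directory entries keyed by UCLA Logon ID (hypothetical people).
DIRECTORY = {
    "jbruin":    {"uid": "123456789", "affiliations": {"student"},
                  "email": "jbruin@example.edu", "birthdate": "1989-01-01"},
    "vscholar1": {"uid": "987654321", "affiliations": {"visiting-scholar"},
                  "email": "vs@example.org", "birthdate": "1975-05-05"},
    "parent42":  {"affiliations": {"parent"}, "email": "parent@example.com"},
}

# Assumed per-application policy: which affiliations the application admits,
# and which attributes its attribute release policy lets it receive.
APP_POLICY = {
    "ursa":    {"allow": {"student"}, "release": {"uid", "email"}},
    "billpay": {"allow": {"student", "parent"}, "release": {"email"}},
    "library": {"allow": {"student", "staff", "visiting-scholar"}, "release": {"uid"}},
}

AUDIT_LOG = []  # (logon_id, app, decision) records: who was granted what, and when it was decided

def authorize(logon_id, app):
    """Decide whether an already-authenticated Logon ID may use `app`.
    Returns (decision, released_attributes). An account that exists but
    carries no admitted affiliation is denied: holding a UCLA Logon ID
    proves who you are, not what you may do."""
    policy = APP_POLICY.get(app)
    person = DIRECTORY.get(logon_id)
    if policy is None or person is None or not (person["affiliations"] & policy["allow"]):
        decision, released = "deny", {}
    else:
        # Release only attributes the policy names and the entry actually holds;
        # anything else (here, birthdate) never leaves the directory.
        released = {k: person[k] for k in policy["release"] if k in person}
        decision = "permit"
    AUDIT_LOG.append((logon_id, app, decision))
    return decision, released
```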

Page 8

Integrated Account Creation

• Students are prompted to create their UCLA Logon at the time they SIR using URSA

• Either a new identity is created in ED, or the UCLA Logon ID is matched to an existing identity

• Bruin Online Services (web email, free software, wireless access, web hosting, computer labs) are automatically provisioned upon creation of UCLA Logon

• Account is immediately available for use in hundreds of web applications via ISIS logon across campus

Page 9

Web Single Sign-On

• ISIS
 – First implemented in 1996
 – Highly secured web authentication engine
 – Standard SOAP web service interface
 – Features session management
 – Allows multiple logon types
 – Integrated with Enterprise Directory
 – 200 participating web applications, including most student service applications

Page 10

UCLA EDIMI Technical Architecture

[Architecture diagram, flattened by extraction; the boxes it contained, grouped by layer:]

Consumer Layer
• Users: Student, Faculty, Staff, Alumni, Library Patrons, Research Partners
• Web Applications: URSA Online, MyUCLA, DACSS Web, Campus Web Applications, Legacy Applications, External Service Providers
• Administration Tools: Administrative Portal, Administrator Console, Directory Update Application
• Edge Systems: Active Directories, NOS Directories, VPN and Network Access, Campus Whitepage Directories

Services Layer
• Web Single Sign-On (Authentication and Authorization) Services: Authentication Service, Attribute Service, Authorization Decision Service, Session Management Service, Federation Support
• Management Services: UCLA Logon Account Management System, Directory Data Update Service, Privilege Management Service, Attribute Release Policy Management Service
• Provisioning Service

Data Repository Layer
• Enterprise Directory
• Data Transformation / Collection Engine
• Meta Data Repository
• UCLA Logon ID Engine

Physical Infrastructure Layer
• Load Balanced Servers, SAN Storage, Back Up Devices
• Redundant Network Infrastructure, Firewall / Intrusion Detection System

Page 11

Third Party View

• New feature in URSA that enables parents to create a UCLA Logon ID and pay bills online
• Relatively easy implementation because
 a. Availability of UCLA Logon ID space
 b. URSA is already integrated in the UCLA EDIMI framework

[Diagram: the EDIMI technical architecture from Page 10, with Parents added as a user group in the Consumer Layer.]

Page 12

Moving Forward

• Migrate ISIS toward standards-based Shibboleth
• Develop common groups across campus – Grouper
• Implement integrated permission management – Signet
• Push more granular authorization data through ED/Shibboleth

Page 13

Challenges

• Current decentralized help desk structure does not work for IdM – users sometimes get shuffled between help desks

• Convincing applications to integrate with IdM is hard without all components in place

• Getting all the players to agree on common definitions for data is complicated

• Addressing data release and privacy issues consistently with IdM consumers requires a joint effort from departments at the management level.