Extending Authenticated Online Services with "Friend Accounts" at Washington State University

Brian Foley
Technology Architect/Application Developer
Washington State University

Copyright © 2007 Washington State University

This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.


Summary
  About Washington State University
  Identity Management at WSU
  Need for Friend Accounts
  Friend Accounts Project
  Friend Accounts Demo
  Future Use
  Recap
  Questions


About Washington State University
  Land-grant university founded in 1890
  23,428 students statewide
  Research I status
  Four regional campuses
  Multiple learning centers
  Distance education program
  10 Colleges and a Graduate School
  245 Fields of Study with over 150 majors


[Map of WSU locations: Pullman, Tri-Cities, Vancouver, Spokane, DDP]


Identity Management at WSU
  WSU’s technology environment as relevant to Friend Accounts…


Identity Management at WSU
Active Directory
  Primary identity store
  User accounts, user attributes, group memberships, and computer accounts
  Authenticates users to web and computer resources
  Group memberships for authorizations
  Single Sign On with Active Directory Federation Services (ADFS)
  Provisioning of identity information with Microsoft Identity Integration Server (MIIS)


Identity Management at WSU
  WSU Network IDs
    – Must have a WSU ID Number to be eligible for a Network ID
  WSU ID Number
    – Nine-digit unique identifier
    – Only WSU Student, Faculty, or Staff are eligible for a WSU ID Number
    – Assigned at the point that an associate is entered into core legacy system and is the primary key


Need for Friend Accounts
  Non-WSU students attending WSU courses and guest teachers/lecturers
    – Learning Management Systems
      • WebCT, Blackboard, SharePoint
    – Lab access
    – “myWSU” portal access
    – VPN wireless network access


Need for Friend Accounts
  Parents/Guardians/Relatives/Spouse
    – Online electronic payments of tuition, housing, child care, etc.
      • NACHA Requirements
    – Precursor to “Proxy Access”


Need for Friend Accounts
  Prospective Employers & Outside Advisors
    – View online portfolios (“mySite”)
  Conference Attendees
    – VPN wireless network access
  Search Committees/Advisory Groups with non-WSU members
    – SharePoint collaboration sites


Friend Accounts Project
Project Team
  Collaborative project between two ITS groups
    – University Information System Services
      • Director, Student Systems Coordinator, Data Architect, Technology Architect, 2-3 Application Developer/Analysts
      • Analysis, Design, Development, and Implementation of application
    – Operations & System Support (Infrastructure)
      • Director, Coordinator, Systems Developer/Analyst
      • Analysis, Design, Development, and Implementation of identity provisioning interfaces.


Friend Accounts Project
Design Decisions
  Friend Accounts to reside in Active Directory
    – Parallel to Network IDs
  Authentication identical to Network IDs
    – Resources that authenticate against Active Directory should not have to change to be able to authenticate Friend Accounts (although some business rules may change after authentication)
  Friend Account user ID is equal to the “friend’s” email address
    – [email protected]


Friend Accounts Project
Design Decisions
  Friend Account ID must be changeable
    – As email address changes we must allow user to change Friend Account ID
  Different types of authorizations
    – Role-based sponsorship to specific resources
      • VPN Wireless Network, Class resources, myWSU Portal, etc.
    – External authorizations
      • Online portfolio, SharePoint collaboration sites, etc.
    – Automatic authorizations
      • Authorized if authenticated (no authorization, just authentication)


Friend Accounts Project
Design Decisions
  Friend Account does NOT have a WSU ID Number
    – Friend Account holders do not have a student/faculty/staff official relationship with the university
    – Not entered into WSU’s core legacy administrative systems
    – Alternate unique identifier generated when created
      • CN = [email protected]
      • sAMAccountName = “fred!F4679”


Friend Accounts Project
Design Decisions
  Friend Account can be created by a sponsor or by self-service
    – User with WSU Network ID or a Friend Account can sponsor the creation of a Friend Account
      • Sponsor can grant authorizations to resources at the same time (depending on sponsor’s role)
    – “Friend” can create a Friend Account on their own
      • “Friend” cannot grant their own authorizations to resources


Friend Accounts Project
Design Decisions
  Friend Account Activation/Verification
    – Friend Accounts are created in “expired” status, and are non-functional
    – Activation Email is sent to the Friend Account holder at the email address that his/her Friend Account ID is named after
    – Friend Account holder receives the Activation Email containing a one-time randomly generated password


Friend Accounts Project
Design Decisions
  Friend Account Activation/Verification
    – Friend Account holder must go to Friend Accounts web page to activate their account and reset password
    – Friend Account holder verifies his/her Name and Address information and indicates if that information should be restricted from the campus directory
    – Friend Account is then set to active and resource authorizations (if any) are provisioned into Active Directory, myWSU portal, etc.
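
The sponsorship and activation rules from the preceding Design Decisions slides, modeled as an added Python example (not WSU's implementation). The role table, resource names and the SHA-256 token hash are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed role table (assumption): resources each sponsor role may grant.
SPONSOR_GRANTS = {
    "wsu_employee": {"class_resources", "mywsu_portal", "vpn_wireless"},
    "friend": set(),
}


@dataclass
class FriendAccount:
    friend_id: str                 # email address used as the login ID
    otp_hash: bytes                # only a hash of the one-time password is stored
    status: str = "expired"        # created non-functional until activated
    pending: set = field(default_factory=set)
    provisioned: set = field(default_factory=set)


def _digest(password: str) -> bytes:
    return hashlib.sha256(password.encode()).digest()


def create_account(email, sponsor_role=None, requested=()):
    """Create an expired account; return it plus the OTP for the activation email."""
    requested = set(requested)
    allowed = SPONSOR_GRANTS.get(sponsor_role, set())
    if not requested <= allowed:
        # Self-service (no sponsor) and under-privileged sponsors cannot grant these.
        raise PermissionError(f"{sponsor_role!r} may not grant {sorted(requested - allowed)}")
    otp = secrets.token_urlsafe(12)          # random value from the OS CSPRNG
    return FriendAccount(email.lower(), _digest(otp), pending=requested), otp


def activate(account, otp, new_password):
    """Verify the one-time password, force a reset, then provision authorizations."""
    if account.status != "expired" or not account.otp_hash:
        return False
    if not hmac.compare_digest(account.otp_hash, _digest(otp)):
        return False
    if not new_password or new_password == otp:
        return False                         # the password reset is mandatory
    account.otp_hash = b""                   # one-time: a replayed email is useless
    account.status = "active"
    account.provisioned, account.pending = account.pending, set()
    return True
```

Authorizations stay in `pending` until activation succeeds, so a sponsored account whose email is never verified holds no access.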


Friend Accounts Project
Design Decisions
  Class Resource Authorizations
    – Needed for a non-WSU student taking a WSU course or a guest teacher/lecturer
    – Authorization to class resources is sponsored by authorizing to course section(s)
      • Only WSU employees can sponsor class resource authorizations
    – Class “membership” provisioned to Active Directory groups, myWSU portal groups, and Learning Management Systems


Identity Management at WSU
  WSU’s new technology environment as relevant to Friend Accounts…


Friend Accounts Demo
  Scenario:
    – I am a WSU teacher with a non-WSU student attending my course. I have a Blackboard site for my class that I need her to be able to participate in. The student also needs access to the myWSU Portal.
      • Sponsored creation and authorizations…
  WSU Employee role
  Non-WSU Student role


Future Use
  Proxy Access
    – Granted Authorizations
      • Students would give parents/relatives/spouse/etc. access to view their myWSU services/data
    – Increased Security
      • Students would no longer feel the need to give their parents their Network ID and Password


Future Use
  Proxy Access
    – Example: Student gives access to her mom to be able to see her account balances and class schedule. She also gives her dad access to see her grades and her DARS degree audit. Both mom and dad would have a Friend Account that she could give specific proxy authorizations to.
      • Note: She could also give proxy access to her spouse, who is also a WSU student and has a WSU Network ID (proxy access not restricted to Friend Accounts).


Recap
  Success!
    – Non-WSU students/teachers
    – Conference attendees
    – Parents/Guardians/Family
    – Outside advisors
    – Consultants
  Excellent Feedback
    – Highlighted on front page of WSU newspaper
    – Departments are excited


Questions?

Brian Foley

Technology Architect / Applications Developer Analyst

University Information Systems Services

Washington State University

[email protected]

509-335-5516