
CAMP Integration

Reflect & Join: A Case Study

The University of Texas Health Science Center at Houston

William A. Weems
Assistant Vice President, Academic Technology

Middleware Makes the Global Sharing of Resources Invisible to Users.

Increasingly, people must easily and securely exchange information in cyberspace among "known" individuals and securely access restricted resources they "know" can be trusted, without having to struggle with numerous and onerous security processes.


• How do you prove you are who you say you are?

• How do you know that someone is legitimate in his or her dealings with you, and how do you get redress if things go wrong?

• If your identity is stolen and used fraudulently, or personal records are altered without your knowledge or permission, how do you prove that it was not you?

• It is difficult enough to verify someone's identity in the tangible world where forgery, impersonation and credit card fraud are everyday problems related to authentication.

• Such problems take on a new dimension with the movement from face-to-face interaction, to the faceless interaction of cyberspace.

Source: Identity and Authentication, by Simon Rogerson

Ideally, each individual would have a single digital credential that can be used securely to authenticate his or her identity whenever authentication of identity is required to secure a transaction.

UTHSC-H: An Identity Provider (IdP)

It is critical to recognize that the university functions as an identity provider (IdP) in that UTHSC-H provides individuals with digital credentials that consist of an identifier and an authenticator. As an IdP, the university assumes specific responsibilities and liabilities.

Two Categories of Identity

• Physical Identity (assigned identifier; used for authentication):
  – Facial picture
  – Fingerprints
  – DNA sample

• Identity Attributes (authorization attributes):
  – Common name
  – Address
  – Institutional affiliations, e.g. faculty, student, staff, contractor
  – Specific group memberships
  – Roles
  – Etc.

Issuing a Digital Credential

• The individual appears before an Identity Provider (IdP), which accepts the responsibility to:
  – positively determine and catalog the person's uniquely identifying physical characteristics (e.g. picture, two fingerprints, DNA sample),
  – assign a unique, everlasting digital identifier to each person identified,
  – issue each identified person a digital credential that can only be used by that person to authenticate his or her identity,
  – maintain a defined affiliation with each individual whereby the validity of the digital credential is renewed at specified intervals.

Figure: Identity Vetting & Credentialing at the Identity Provider (IdP), uth.tmc.edu. The person appears before the IdP; the IdP obtains the person's physical characteristics, assigns an everlasting identifier that is permanently bound to the person and recorded in the Permanent Identity Database, and issues a digital credential that only that person can activate ("Person Only Activation").

The University of Texas System Strategic Leadership Council
Statement of Direction: Identity Management
April 27, 2004

• The University of Texas System Information Technology Strategic Leadership Council agrees that deployment of a robust, secure, interoperable infrastructure for identity management in support of inter-institutional collaboration is a strategic goal. This infrastructure will be based upon the available standards and best practices:

• LDAP (Lightweight Directory Access Protocol) compliant directory services,
• eduPerson schema as promulgated by EDUCAUSE and Internet2,
• utperson schema (to be developed),
• inter-institutional access control utilizing Internet2 Shibboleth, and
• consistent institutional definitions and identity management trust policies for students, faculty, and staff as well as sponsored affiliates.
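What the eduPerson and Shibboleth items on that list amount to in practice, as an added example (not UTHSC-H or UT System code): a directory entry whose local affiliations are mapped onto the eduPerson controlled vocabulary, scoped to the IdP, written out as LDIF, and filtered per relying party the way a Shibboleth attribute filter does. The scope uth.tmc.edu is taken from the slides; the base DN, the local attribute name utAffiliation (standing in for the utperson schema the statement says is still to be developed), the contractor-to-affiliate mapping and the release policies are assumptions made for the example.

```python
from typing import Dict, Iterable, List

# Assumption: the IdP's scope, taken from the uth.tmc.edu name on the slides.
IDP_SCOPE = "uth.tmc.edu"

# eduPerson controlled vocabulary for eduPersonAffiliation.
EDUPERSON_AFFILIATIONS = {
    "faculty", "student", "staff", "alum", "member",
    "affiliate", "employee", "library-walk-in",
}

# Local affiliations named on the slides mapped onto that vocabulary.
# "contractor" is not an eduPerson value: it is released as "affiliate" and
# kept verbatim in an assumed local attribute (utAffiliation).
LOCAL_TO_EDUPERSON = {
    "faculty": "faculty", "student": "student", "staff": "staff",
    "contractor": "affiliate",
}
# eduPerson guidance: faculty, staff and student are also "member".
IMPLIES_MEMBER = {"faculty", "staff", "student"}


def make_entry(uid: str, given: str, sn: str,
               local_affiliations: Iterable[str]) -> Dict[str, List[str]]:
    """Build the multi-valued attribute set for one person.

    A local affiliation with no eduPerson mapping raises ValueError, so an
    unmapped value can never reach an attribute release silently.
    """
    edu, local = set(), []
    for a in local_affiliations:
        if a not in LOCAL_TO_EDUPERSON:
            raise ValueError(f"no eduPerson mapping for local affiliation {a!r}")
        local.append(a)
        edu.add(LOCAL_TO_EDUPERSON[a])
    if edu & IMPLIES_MEMBER:
        edu.add("member")
    assert edu <= EDUPERSON_AFFILIATIONS
    affiliations = sorted(edu)
    return {
        "uid": [uid],
        "givenName": [given],
        "sn": [sn],
        "cn": [f"{given} {sn}"],
        "eduPersonPrincipalName": [f"{uid}@{IDP_SCOPE}"],
        "eduPersonAffiliation": affiliations,
        "eduPersonScopedAffiliation": [f"{a}@{IDP_SCOPE}" for a in affiliations],
        "utAffiliation": local,
    }


def to_ldif(entry: Dict[str, List[str]],
            base_dn: str = "ou=people,dc=uth,dc=tmc,dc=edu") -> str:
    """Serialise the entry as LDIF (base DN is an assumption)."""
    lines = [f"dn: uid={entry['uid'][0]},{base_dn}",
             "objectClass: inetOrgPerson", "objectClass: eduPerson"]
    for attr, values in entry.items():
        lines.extend(f"{attr}: {v}" for v in values)
    return "\n".join(lines) + "\n"


# Assumed per-relying-party release policies: the job of Shibboleth's
# attribute filter. A service not listed here receives nothing.
RELEASE_POLICY = {
    "https://library.example.edu/shibboleth": {"eduPersonScopedAffiliation"},
    "https://grants.example.edu/shibboleth": {
        "eduPersonPrincipalName", "givenName", "sn", "eduPersonScopedAffiliation"},
}


def release(entry: Dict[str, List[str]], relying_party: str) -> Dict[str, List[str]]:
    """Reduce an entry to the attributes the relying party is allowed to see."""
    allowed = RELEASE_POLICY.get(relying_party, set())
    return {k: v for k, v in entry.items() if k in allowed}
```

The two checks that matter operationally are the ones that fail closed: an affiliation outside the mapping is rejected before it can be released, and a relying party with no policy entry gets an empty attribute set rather than everything.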

UTHSC-H Identity Management System

Figure: architecture diagram. Components shown: source systems HRMS, SIS, GMEIS, Guest and MSUTP; INDIS; OAC7 and OAC47; Secondary Directories (kept in sync); Person Registry; Authoritative Enterprise Directories; Authorization Service; Authentication Service; User Administration Tools (Change Password, Attribute Management); Identity Reconciliation & Provisioning Processes.

Person Registry: Identity Reconciliation

• Unique identifiers generated by the source of record:
  – SSN, if available (HRMS, GMEIS, UTP, Guest, SIS)
  – Student ID
  – Employee Number (HRMS)
• Full Name: First, Middle, Last
• Birth Information: Date of Birth, City of Birth, Country of Birth
• Gender
• UUID: an everlasting unique identifier

Figure: identity reconciliation flowchart. An incoming person record is tested in order:

• Is New? Yes when there are no matches and no possible matches: Add the person.
• Is Single Match? Yes when the identifiers match one and only one person and there are no possible matches: Update that person's record.
• Is Possible or Multiple Match? Yes when the identifiers match more than one person, and/or the name or birth information matches one or more persons: route the record to Manual Processing.

Database Schema

• Person Table: UUID, Date of Birth, Place of Birth, Country of Birth, Gender (Male / Female)
• Identifier Table: ID Name, ID Value
• Name Table: First, Middle, Last
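The reconciliation decision of the flowchart, run against these three tables, as an added example that is not UTHSC-H code. It uses SQLite so it runs stand-alone; table and column names are assumptions, and storing SSNs only as a keyed hash (so the registry itself is not an SSN store) is this example's choice, which the slides do not specify. It makes one thing concrete that the flowchart leaves open: a "possible match" is taken to mean the same first and last name and date of birth.

```python
import hashlib
import hmac
import sqlite3
import uuid
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional

# Assumption: a registry-held secret so the Identifier table never stores a
# raw SSN. A deployment would keep it in an HSM/KMS, never in source.
SSN_HMAC_KEY = b"demo-registry-key-not-for-production"

# Assumed table and column names for the Person / Identifier / Name tables.
SCHEMA = """
CREATE TABLE person (
    uuid             TEXT PRIMARY KEY,   -- the everlasting identifier
    date_of_birth    TEXT NOT NULL,
    place_of_birth   TEXT,
    country_of_birth TEXT,
    gender           TEXT
);
CREATE TABLE identifier (
    uuid     TEXT NOT NULL REFERENCES person(uuid),
    id_name  TEXT NOT NULL,             -- SSN, STUDENT_ID, EMPLOYEE_NUMBER, ...
    id_value TEXT NOT NULL,
    PRIMARY KEY (id_name, id_value)     -- one identifier value, one person
);
CREATE TABLE name (
    uuid   TEXT NOT NULL REFERENCES person(uuid),
    first  TEXT NOT NULL,
    middle TEXT,
    last   TEXT NOT NULL
);
"""


@dataclass
class SourceRecord:
    """One person as delivered by a source of record (HRMS, SIS, GMEIS, ...)."""
    identifiers: Dict[str, str]     # e.g. {"SSN": "123-45-6789", "EMPLOYEE_NUMBER": "E100"}
    first: str
    middle: Optional[str]
    last: str
    date_of_birth: str              # ISO 8601 date
    place_of_birth: str
    country_of_birth: str
    gender: str


@dataclass(frozen=True)
class Outcome:
    action: str                     # "add", "update" or "manual"
    uuid: Optional[str]             # person acted on; None for manual
    candidates: FrozenSet[str]      # every existing person the record touched


def protect(id_name: str, id_value: str) -> str:
    """Normalise an identifier value; SSNs are stored only as an HMAC tag."""
    value = id_value.strip()
    if id_name == "SSN":
        digits = value.replace("-", "")
        return hmac.new(SSN_HMAC_KEY, digits.encode(), hashlib.sha256).hexdigest()
    return value


class PersonRegistry:
    def __init__(self, conn: sqlite3.Connection):
        self.conn = conn
        conn.executescript(SCHEMA)

    def identifier_matches(self, rec: SourceRecord) -> set:
        """Persons already holding any of the record's source identifiers."""
        hits = set()
        for id_name, id_value in rec.identifiers.items():
            rows = self.conn.execute(
                "SELECT uuid FROM identifier WHERE id_name = ? AND id_value = ?",
                (id_name, protect(id_name, id_value)))
            hits.update(u for (u,) in rows)
        return hits

    def possible_matches(self, rec: SourceRecord) -> set:
        """Persons whose first/last name and date of birth match the record."""
        rows = self.conn.execute(
            "SELECT p.uuid FROM person p JOIN name n ON n.uuid = p.uuid "
            "WHERE lower(n.first) = lower(?) AND lower(n.last) = lower(?) "
            "AND p.date_of_birth = ?",
            (rec.first, rec.last, rec.date_of_birth))
        return {u for (u,) in rows}

    def reconcile(self, rec: SourceRecord) -> Outcome:
        """Is New? -> Add; Is Single Match? -> Update; otherwise Manual Processing."""
        ident = self.identifier_matches(rec)
        possible = self.possible_matches(rec)
        if not ident and not possible:                # no matches or possible matches
            return self.add(rec)
        if len(ident) == 1 and possible <= ident:     # one person, nobody else looks alike
            (person,) = ident
            return self.update(person, rec)
        return Outcome("manual", None, frozenset(ident | possible))

    def add(self, rec: SourceRecord) -> Outcome:
        person = str(uuid.uuid4())
        self.conn.execute("INSERT INTO person VALUES (?,?,?,?,?)",
                          (person, rec.date_of_birth, rec.place_of_birth,
                           rec.country_of_birth, rec.gender))
        self.conn.execute("INSERT INTO name VALUES (?,?,?,?)",
                          (person, rec.first, rec.middle, rec.last))
        self._store_identifiers(person, rec)
        return Outcome("add", person, frozenset({person}))

    def update(self, person: str, rec: SourceRecord) -> Outcome:
        """Attach identifiers the person lacked; biographic data is not overwritten."""
        self._store_identifiers(person, rec)
        return Outcome("update", person, frozenset({person}))

    def _store_identifiers(self, person: str, rec: SourceRecord) -> None:
        self.conn.executemany("INSERT OR IGNORE INTO identifier VALUES (?,?,?)",
                              [(person, k, protect(k, v)) for k, v in rec.identifiers.items()])
        self.conn.commit()

    def person_count(self) -> int:
        return self.conn.execute("SELECT COUNT(*) FROM person").fetchone()[0]


def new_registry() -> PersonRegistry:
    """An empty in-memory registry."""
    return PersonRegistry(sqlite3.connect(":memory:"))
```

The primary key on (ID Name, ID Value) is what makes the "multiple match" branch meaningful: an SSN that already belongs to one person and an employee number that belongs to another can never be silently merged, because the record hits two UUIDs and goes to manual processing.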


Guest Management System

Figure: guest request workflow, from the sponsor's request to an LDAP entry in the Identity Management System.

1. A sponsor submits a guest request (Sponsor's Request Forms). The applicant's data is unverified at this point.
2. The applicant appears before the LRAA, who verifies and then certifies the applicant's data (LRAA's Review/Update Forms). The data is now verified.
3. The submission goes to identity reconciliation against the Person Registry (New Person?):
   – Not in Person Registry: a UUID is assigned and the person is added to the Person Registry; the guest is added to the Guest Database and the LRAA credentials the guest.
   – Possible identity match: the LRAA resolves the ID uncertainty before the guest is added to the Guest Database.
   – Applicant already in Person Registry: present affiliations are checked against the Enterprise LDAP Directory. If the applicant is currently affiliated, the guest request is voided (Void Sponsor's Request); if not, the guest is added to the Guest Database and the LRAA credentials the guest.
4. The approval processes (LRAA's Approval Form) complete, and the Guest DB creates the LDAP entry.


Figure: Identity Vetting & Credentialing, UTHSC-H Two Factor Authentication. The slide repeats the IdP (uth.tmc.edu) flow: the person appears, the IdP obtains physical characteristics, assigns an everlasting identifier permanently bound to the person in the Permanent Identity Database, and issues the digital credential with Person Only Activation. Two steps of the diagram are marked with a "?".

Figure: Identity Vetting & Credentialing, UTHSC-H Username/Password Authentication, using the network username and password as the credential. Same IdP flow as the previous slide, but the binding between the vetted person and the credential (Person Only Activation) is marked with a long row of question marks, far more than on the two-factor slide.

UTHSC-H Strategic Authentication Goals

• Two authentication mechanisms:
  – Single university ID (UID) and password
  – Public Key Digital ID on Token (two-factor authentication)
• Digital Signatures
• Highly Secure Access Control
• Potential for inherent global trust
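The two mechanisms side by side, as an added example (not UTHSC-H code). A password is a secret that has to reach the IdP to be checked; a public-key digital ID on a token never leaves it. The IdP keeps only a public key with a renewal deadline (the "renewed at specified intervals" from the credential-issuing slide), issues a fresh challenge, and verifies a signature the token produces only after a local PIN unlock, which is the second factor. The RSA key is textbook RSA on two small fixed primes so the numbers are readable; it is not secure, and real tokens keep the key in hardware behind PKCS#11 or a smart-card stack. Usernames, the PIN lockout policy and the validity period are assumptions.

```python
import hashlib
import hmac
import secrets


# Mechanism 1: single UID and password. The secret itself reaches the IdP and
# is compared there, so the IdP must protect it at rest (PBKDF2 here).
class PasswordStore:
    def __init__(self):
        self._records = {}                       # uid -> (salt, pbkdf2 tag)

    def set_password(self, uid: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._records[uid] = (salt, self._tag(password, salt))

    def check(self, uid: str, password: str) -> bool:
        if uid not in self._records:
            return False
        salt, tag = self._records[uid]
        return hmac.compare_digest(self._tag(password, salt), tag)

    @staticmethod
    def _tag(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


# Mechanism 2: public-key digital ID on a token. Textbook RSA on two small
# fixed primes so the arithmetic is readable; a ~40-bit modulus is NOT secure.
P, Q = 1000003, 999983
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))                # private exponent, token-resident


def digest_mod_n(message: bytes) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


class Token:
    """Holds the private key and signs only after a PIN unlock (second factor)."""
    MAX_PIN_FAILURES = 3                         # assumed lockout policy

    def __init__(self, private_exponent: int, pin: str):
        self._d = private_exponent
        self._pin_tag = hashlib.sha256(pin.encode()).digest()
        self._unlocked = False
        self.failures = 0

    def unlock(self, pin: str) -> bool:
        if self.failures >= self.MAX_PIN_FAILURES:
            return False                         # token blocked
        if hmac.compare_digest(hashlib.sha256(pin.encode()).digest(), self._pin_tag):
            self._unlocked, self.failures = True, 0
            return True
        self.failures += 1
        return False

    def sign(self, message: bytes) -> int:
        if not self._unlocked:
            raise PermissionError("token locked: PIN required")
        return pow(digest_mod_n(message), self._d, N)


class IdP:
    """Knows only public keys; issues single-use challenges and checks signatures."""
    def __init__(self):
        self.credentials = {}                    # uid -> (e, n, expires_day)
        self._pending = {}                       # outstanding nonce -> uid

    def enroll(self, uid: str, e: int, n: int, expires_day: int) -> None:
        """Bind a credential to a uid with a renewal deadline (a day number)."""
        self.credentials[uid] = (e, n, expires_day)

    def challenge(self, uid: str) -> bytes:
        nonce = secrets.token_bytes(16)
        self._pending[nonce] = uid
        return nonce

    def verify(self, uid: str, nonce: bytes, signature: int, today: int) -> bool:
        # The nonce must be outstanding for this uid and is consumed here, so a
        # captured signature cannot be replayed.
        if self._pending.pop(nonce, None) != uid or uid not in self.credentials:
            return False
        e, n, expires_day = self.credentials[uid]
        if today > expires_day:
            return False                         # credential not renewed in time
        return pow(signature, e, n) == digest_mod_n(nonce + uid.encode())


def token_login(idp: IdP, token: Token, uid: str, pin: str, today: int) -> bool:
    """Full exchange: challenge, local PIN unlock, sign nonce||uid, verify."""
    nonce = idp.challenge(uid)
    if not token.unlock(pin):
        return False
    return idp.verify(uid, nonce, token.sign(nonce + uid.encode()), today)
```

The properties to check against this are the ones the slides' question marks are about: a captured signature fails on a second verify because the nonce is consumed, a modified signature fails, an expired credential fails even with a valid signature, and a token that has not been unlocked with the PIN refuses to sign at all. The password path offers none of these; it can only confirm that whoever is on the wire knew the secret.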