Directory Middleware and Services: Authentication, Authorization and Business Process Support


Page 1

Mike Conlon, Director of Data Infrastructure

Page 2: One Slide About UF

49,000 students in Gainesville, FL

50,000 distance, continuing and executive students

$1.8 billion annual budget; $450 million in research, growing at 12% per year; Health Sciences is 60% of research

140 academic departments in 23 colleges

Land grant: extension in all 67 counties

The Gators, Lady Gators, Gatorade

Page 3: One Slide About UF Technology

500 IT professionals across campus

Very decentralized

Over 300 email servers

30,000 devices on the open network

AD, NDS, iPlanet, OpenLDAP, Kerberos

Directory Project 2002-2003

PeopleSoft implementation 2003-2007

Page 4: UF Directory Background

Community effort to solve the directory problem at UF: 17 sources for contact information, limited sharing.

Information Systems, Academic Technology, Health Center, Registrar, Data Center involved from the beginning

UF read and studied the NMI documents: roadmap, early harvest, metadirectory practices, identifier mappings

Page 5: UF Directory Background

GatorLink: Kerberos-based authentication mechanism since 1997.

Unsponsored campus LDAP and NDS.

DB2-based registry of people information.

Many feeds to the registry, few from the registry.

Ad hoc integration.

Page 6: UF Directory Project

Start planning August 2000

Ken Klingenstein visit April 2001

Parallel effort to replace SSN merged August 2001

Finish report September 2001

Begin implementation October 2001

Deploy new directory January 23, 2003

http://www.it.ufl.edu/projects/directory

Page 7: Directory Project Deliverables

New Registry: 140 tables

New LDAP schema (eduPerson, eduOrg)

New IDs: UFID and UUID

GatorLink tied to UFID

50,000 new Gator One cards

1,500 applications modified

New self-service apps: http://phonebook.ufl.edu

New directory coordinator apps

800 directory coordinators trained

New APIs for directory-enabling business processes

Page 8: UF Directory Architecture

Three major interfaces

One data store

One set of APIs

About 50 message queues

Each app receives consistent data

Page 9: Authentication Services

Provide a single credential (GatorLink) environment, regardless of access technology

Support enterprise system sign on, LAN sign on, WebISO with same credential

Tie authentication to identity

Page 10: Authentication Architecture

Authentication begins with identity

Automated processes populate the portal

Portal login produces cookie for WebISO

Middleware updates additional authentication services

Kerberos, AD, NDS supported

Page 11: WebISO at UF

UF developed a local WebISO solution in 1998 – GLAuth

GLAuth provides a secure, cookie-based, Kerberos-authenticated system

GLAuth is simple to install on Apache web servers

Legacy SIS and admin applications use GLAuth, providing single-credential access to these systems

Page 12: Authorization Concept

The directory has “affiliations” for each person. Affiliations roll up to eduPerson affiliations and to a primary affiliation.

Affiliations imply authorizations

Authorization is based on roles

Roles can often be algorithmically determined by affiliations

Additional roles are assigned by traditional access request processes

Page 13: Entity, Role and Service

Page 14: Role Management

Roles are assigned algorithmically by processes that consume the directory message queues

Department Security Coordinators use the Access Request System (ARS)

Roles are assigned following a request, based on university policy

Individuals can view their roles from the portal

Page 15: My Roles

Every portal user can access their role information using My Roles

Additional options provide users with access to maintain their account

Page 16: Business Process Support

The directory provides support for a wide variety of services, which in turn support additional applications:

Distance, Continuing, Executive education support

Password Management

UF Active Directory

PeopleSoft

LDAP

Page 17: Distance, Continuing, Executive education support

DCE programs are administered at the unit level

Unit-level directory coordinators can add students to the directory, creating a UFID

Students can then use self-service screens to create a GatorLink account

Directory message queues provide information to create roles in the portal

Page 18: Password Management

All GatorLink accounts have strong passwords

Five password policies govern reset, use of hints, and password age

Policies are determined by user roles: each role has a related password policy

Each user's GatorLink password management policy is the strongest policy required by the user's roles

Password changing is done using portal screens

Kerberos, AD, NDS are updated in real time
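The two rules from pages 12 and 18, affiliations rolling up to eduPerson affiliations that imply roles, and a user's password policy being the strongest one any role requires, worked as an added example (not UF code; the affiliation codes, role names and policy names are constructed assumptions):

```python
# Constructed illustration of pages 12 and 18: the affiliation codes, role names and
# policy names are assumptions, not UF's actual values.
# Local affiliation -> eduPersonAffiliation values it rolls up to
# (faculty/staff/student are also "member"; faculty/staff are also "employee").
AFFILIATION_ROLLUP = {
    "T-FACULTY": {"faculty", "employee", "member"},
    "T-STAFF": {"staff", "employee", "member"},
    "T-STUDENT": {"student", "member"},
    "T-DCE-STUDENT": {"student", "member"},   # distance/continuing/executive student
    "T-VENDOR": {"affiliate"},
}
# Precedence for choosing eduPersonPrimaryAffiliation when several values apply.
PRIMARY_PRECEDENCE = ["faculty", "staff", "student", "affiliate", "member"]
# Roles implied by an eduPerson affiliation (assumed mapping).
ROLES_FROM_AFFILIATION = {
    "employee": {"UF_HR_SELF_SERVICE"},
    "faculty": {"UF_GRADE_ENTRY"},
    "student": {"UF_STUDENT_SELF_SERVICE"},
    "member": {"UF_PORTAL_USER"},
    "affiliate": {"UF_PORTAL_USER"},
}
# Password policy attached to each role, ranked weakest to strongest.
POLICY_RANK = {"basic": 1, "standard": 2, "sensitive": 3, "privileged": 4}
ROLE_POLICY = {
    "UF_PORTAL_USER": "basic",
    "UF_STUDENT_SELF_SERVICE": "standard",
    "UF_HR_SELF_SERVICE": "standard",
    "UF_GRADE_ENTRY": "sensitive",
    "UF_FIN_APPROVER": "privileged",   # granted through ARS, never derived
}

def edu_person(local_affiliations):
    """Roll local affiliations up to the eduPersonAffiliation set and the primary value."""
    affs = set()
    for code in local_affiliations:
        affs |= AFFILIATION_ROLLUP.get(code, set())   # unknown codes imply nothing
    primary = next((p for p in PRIMARY_PRECEDENCE if p in affs), None)
    return affs, primary

def derive_roles(local_affiliations, ars_roles=()):
    """Roles computed from affiliations, plus roles granted through ARS requests."""
    affs, _ = edu_person(local_affiliations)
    roles = set(ars_roles)
    for aff in affs:
        roles |= ROLES_FROM_AFFILIATION.get(aff, set())
    return roles

def password_policy(roles):
    """Effective policy is the strongest policy required by any of the user's roles."""
    names = [ROLE_POLICY[r] for r in roles if r in ROLE_POLICY]
    return max(names, key=POLICY_RANK.__getitem__, default="basic")
```

A person with no recognised affiliation and no ARS roles gets no roles and falls back to the weakest policy, which is the safe direction for an unknown account.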

Page 19: UF Active Directory

UFAD accounts are built from directory message queues

UFAD accounts use GatorLink usernames and passwords

OUs are populated based on the value of a “Network Managed By” attribute in the directory – directory coordinators assign the value

Contact information in UFAD is populated from the directory
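How a provisioning process might turn one directory queue message into a UFAD account placed in the OU named by the “Network Managed By” attribute, as an added example (not UF code; the message format, the domain root and the "Unmanaged" OU are assumptions, and the UFID in the sample is a placeholder):

```python
import json

# Constructed directory change message as a UFAD provisioning process might
# receive it from a directory message queue (the field names are assumptions).
SAMPLE_MESSAGE = json.dumps({
    "ufid": "00000000",          # placeholder, not a real UFID
    "gatorlink": "jdoe",
    "networkManagedBy": "Health Science Center, IT",
    "displayName": "Jane Doe",
    "telephoneNumber": "352-000-0000",
})

AD_ROOT = "DC=ufad,DC=example"                # assumed domain root
UNMANAGED_OU = "OU=Unmanaged,%s" % AD_ROOT    # no coordinator-assigned unit

def escape_rdn_value(value):
    """Escape the characters RFC 4514 treats as special inside an RDN value."""
    out = value.replace("\\", "\\\\")
    for ch in ',+"<>;=':
        out = out.replace(ch, "\\" + ch)
    if out.startswith(" ") or out.startswith("#"):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out

def target_ou(message):
    """Pick the container for an account from the 'Network Managed By' value."""
    unit = (message.get("networkManagedBy") or "").strip()
    if not unit:
        return UNMANAGED_OU   # unassigned accounts stay out of every unit's OU
    return "OU=%s,%s" % (escape_rdn_value(unit), AD_ROOT)

def plan_ufad_account(raw_message):
    """Turn one queue message into the attributes and DN to provision in UFAD."""
    msg = json.loads(raw_message)
    for required in ("ufid", "gatorlink"):
        if not msg.get(required):
            raise ValueError("message missing %s" % required)
    return {
        "sAMAccountName": msg["gatorlink"],   # UFAD uses the GatorLink username
        "dn": "CN=%s,%s" % (escape_rdn_value(msg["gatorlink"]), target_ou(msg)),
        "displayName": msg.get("displayName", ""),
        "telephoneNumber": msg.get("telephoneNumber", ""),
        "employeeID": msg["ufid"],
    }
```

The password is not part of the message: the page describes it being pushed to AD in real time by the password management service, so the provisioning step only creates the account and its contact attributes.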

Page 20: PeopleSoft

Directory coordinators enter people into the university directory and thereby create UFIDs for them. PeopleSoft Application Engine (AE) programs process message queues to automatically provision access to the HR and Finance systems, as appropriate, based on the person's affiliations.

When a person is an employee, the HR system provides additional information to the directory and assigns employee affiliations.

Non-employees often participate in university business processes, and the directory can record appropriate affiliations, which lead to provisioning of access. The ARS can then be used to provide the specific roles needed to handle special cases.

Page 21: UF LDAP

The UF LDAP service is populated from a UF directory message queue.

UF LDAP provides access to public contact information and is used by the university white pages as a data source.

UF LDAP is used by university applications requiring current contact information for university members.

UF LDAP supports the eduPerson schema standard.

Page 22: Future Work

PeopleSoft Student Administration will be implemented with go-live Summer 2006

UF Directory will be migrated to PeopleSoft Campus Community as part of the SIS implementation

Legacy systems maintaining authorization information will be reimplemented using roles

Direct access to the directory via APIs will be replaced with messaging infrastructure

Additional applications will be integrated with directory services – VOIP, Lenel, unit applications