Directory Middleware and Services: Authentication, Authorization and Business Process Support
Transcript of Directory Middleware and Services: Authentication, Authorization and Business Process Support
Mike Conlon, Director of Data, [email protected]
One Slide About UF
49,000 students in Gainesville, FL; 50,000 distance, continuing and executive students
$1.8 billion annual budget; $450 million in research, growing at 12% per year; Health Sciences account for 60% of research
140 academic departments in 23 colleges
Land grant: extension in all 67 counties
The Gators, Lady Gators, Gatorade
One Slide About UF Technology
500 IT professionals across campus; very decentralized
Over 300 email servers
30,000 devices on the open network
AD, NDS, iPlanet, OpenLDAP, Kerberos
Directory Project 2002-2003
PeopleSoft implementation 2003-2007
UF Directory Background
Community effort to solve the directory problem at UF: 17 sources for contact information, limited sharing.
Information Systems, Academic Technology, Health Center, Registrar and Data Center involved from the beginning.
UF read and studied the NMI (NSF Middleware Initiative) documents: roadmap, early harvest, metadirectory practices, identifier mappings.
UF Directory Background
GatorLink: Kerberos-based authentication mechanism since 1997.
Unsponsored campus LDAP and NDS.
DB2-based registry of people information. Many feeds to the registry, few from the registry.
Ad hoc integration.
UF Directory Project
Start planning August 2000
Ken Klingenstein visit April 2001
Parallel effort to replace SSN merged August 2001
Finish report September 2001
Begin implementation October 2001
Deploy new directory January 23, 2003
http://www.it.ufl.edu/projects/directory
Directory Project Deliverables
New registry: 140 tables
New LDAP schema (eduPerson, eduOrg)
New IDs: UFID and UUID
GatorLink tied to UFID
50,000 new Gator One cards
1,500 applications modified
New self-service apps: http://phonebook.ufl.edu
New directory coordinator apps; 800 directory coordinators trained
New APIs for directory-enabling business processes
UF Directory – Architecture
Three major interfaces
One data store
One set of APIs
About 50 message queues
Each app receives consistent data
Authentication Services
Provide a single credential (GatorLink) environment, regardless of access technology
Support enterprise system sign-on, LAN sign-on and WebISO with the same credential
Tie authentication to identity
Authentication Architecture
Authentication begins with identity
Automated processes populate the portal
Portal login produces cookie for WebISO
Middleware updates additional authentication services
Kerberos, AD, NDS supported
WebISO at UF
UF developed a local WebISO solution in 1998 – GLAuth
GLAuth provides a secure, cookie-based, Kerberos-authenticated web sign-on
GLAuth is simple to install on Apache web servers
Legacy SIS and administrative applications use GLAuth, providing single-credential access to these systems
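The slides describe GLAuth only as a secure, cookie-based, Kerberos-authenticated WebISO and do not give its cookie format. The following is an added example of my own (not GLAuth's code) showing the generic pattern such a system depends on: Kerberos (or the portal) authenticates the user once, the sign-on service issues an HMAC-signed, time-limited cookie, and each web application verifies that cookie offline instead of re-authenticating. The field layout, the HMAC-SHA256 choice and the key handling are assumptions.

```python
"""Signed, time-limited WebISO session cookie (added example, not GLAuth)."""
import hashlib
import hmac
import secrets
from typing import Optional

# Assumption: one secret shared by the sign-on service and the web servers
# that accept its cookies. Generated per process here; a real deployment
# would distribute it out of band and rotate it.
COOKIE_KEY = secrets.token_bytes(32)
_SEP = "|"


def issue_cookie(username: str, now: float, ttl_seconds: int = 3600,
                 key: bytes = COOKIE_KEY) -> str:
    """Return a cookie value for a user the Kerberos step has already authenticated."""
    if not username or _SEP in username:
        raise ValueError("username must be non-empty and must not contain the separator")
    issued = int(now)
    expires = issued + ttl_seconds
    nonce = secrets.token_hex(8)  # makes every cookie unique, even for the same user and second
    payload = _SEP.join(["1", username, str(issued), str(expires), nonce])
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return payload + _SEP + tag


def verify_cookie(cookie: str, now: float, key: bytes = COOKIE_KEY) -> Optional[str]:
    """Return the username if the cookie is well-formed, untampered and current; else None."""
    parts = cookie.split(_SEP)
    if len(parts) != 6 or parts[0] != "1":
        return None
    payload, tag = _SEP.join(parts[:5]), parts[5]
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    # Check the signature before trusting any field; constant-time compare.
    if not hmac.compare_digest(expected, tag):
        return None
    try:
        issued, expires = int(parts[2]), int(parts[3])
    except ValueError:
        return None
    if now < issued or now >= expires:  # not yet valid (clock skew) or expired
        return None
    return parts[1]


if __name__ == "__main__":
    import time
    c = issue_cookie("agator", time.time(), ttl_seconds=60)
    print("cookie:", c)
    print("verified as:", verify_cookie(c, time.time()))
    print("tampered:", verify_cookie(c.replace("agator", "admin"), time.time()))
```

The cookie is self-contained, so an application needs only the shared key to accept it; the expiry bounds how long a stolen cookie is useful, and the cookie should be sent with the Secure and HttpOnly flags. Logout or forced revocation before expiry needs server-side state, which this example does not model.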
Authorization Concept
Directory has “affiliations” for each person. Affiliations roll up to eduPerson affiliations and to a primary affiliation.
Affiliations imply authorizations.
Authorization is based on roles.
Roles can often be algorithmically determined by affiliations.
Additional roles are assigned by traditional access request processes.
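The roll-up and role derivation described above, as an added example (not UF's code). Local affiliations roll up to eduPersonAffiliation values following the eduPerson schema's implied memberships (faculty and staff are employees; employees, students and affiliates are members), a primary affiliation is picked by precedence, and roles come from two sources: rules over affiliations, and grants recorded through the Access Request System (ARS). The local affiliation names, the precedence order, the role names and the rule table are assumptions for illustration.

```python
"""Affiliation roll-up and algorithmic role assignment (added example)."""
from typing import Dict, FrozenSet, Iterable, List, Optional, Set, Tuple

# Assumed local affiliations -> eduPersonAffiliation values they imply.
ROLLUP: Dict[str, FrozenSet[str]] = {
    "faculty": frozenset({"faculty", "employee", "member"}),
    "staff": frozenset({"staff", "employee", "member"}),
    "student": frozenset({"student", "member"}),
    "dce_student": frozenset({"student", "member"}),  # distance/continuing/executive ed
    "alumni": frozenset({"alum"}),
    "contractor": frozenset({"affiliate", "member"}),
}

# Assumed precedence for eduPersonPrimaryAffiliation when several apply.
PRIMARY_ORDER = ["faculty", "staff", "student", "affiliate", "alum"]

# Assumed algorithmic rules: a role is granted when ANY listed affiliation is present.
ALGORITHMIC_ROLES: Dict[str, FrozenSet[str]] = {
    "PORTAL_USER": frozenset({"member"}),
    "EMPLOYEE_SELF_SERVICE": frozenset({"employee"}),
    "STUDENT_SELF_SERVICE": frozenset({"student"}),
    "LIBRARY_PATRON": frozenset({"member", "alum"}),
}


def rollup(local_affiliations: Iterable[str]) -> Set[str]:
    """Expand local affiliations to the full set of eduPerson affiliations."""
    out: Set[str] = set()
    for a in local_affiliations:
        if a not in ROLLUP:
            # Fail closed: an affiliation nobody has mapped must not silently grant anything.
            raise ValueError(f"unknown local affiliation: {a!r}")
        out |= ROLLUP[a]
    return out


def primary_affiliation(edu_affiliations: Set[str]) -> Optional[str]:
    """First affiliation in precedence order, or None for a person with none."""
    for candidate in PRIMARY_ORDER:
        if candidate in edu_affiliations:
            return candidate
    return "member" if "member" in edu_affiliations else None


def algorithmic_roles(edu_affiliations: Set[str]) -> Set[str]:
    return {role for role, triggers in ALGORITHMIC_ROLES.items()
            if triggers & edu_affiliations}


def effective_roles(local_affiliations: Iterable[str], ars_roles: Iterable[str]) -> List[str]:
    """Algorithmic roles plus roles granted through ARS, as a sorted list."""
    return sorted(algorithmic_roles(rollup(local_affiliations)) | set(ars_roles))


def role_changes(old_local: Iterable[str], new_local: Iterable[str],
                 ars_roles: Iterable[str]) -> Tuple[List[str], List[str]]:
    """(granted, revoked) when a person's affiliations change; ARS grants persist."""
    before = set(effective_roles(old_local, ars_roles))
    after = set(effective_roles(new_local, ars_roles))
    return sorted(after - before), sorted(before - after)


if __name__ == "__main__":
    edu = rollup(["faculty", "alumni"])
    print(sorted(edu), primary_affiliation(edu))
    print(effective_roles(["staff"], ["HR_PAYROLL_ADMIN"]))
    print(role_changes(["staff"], ["alumni"], []))
```

The last function is the practical payoff of algorithmic roles: when the HR feed drops an employee affiliation, the derived roles disappear on the next queue message without anyone filing a request, while ARS-granted roles stay until a security coordinator removes them.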
Entity, Role and Service
Role Management
Roles are assigned algorithmically using processes accessing directory message queues
Department Security Coordinators use the Access Request System (ARS)
Roles are assigned following request based on university policy
Individuals can view their roles from the portal
My Roles
Every portal user can access their role information using My Roles.
Additional options provide users with access to maintain their account.
Business Process Support
The directory provides support for a wide variety of services, which in turn support additional applications:
Distance, Continuing, Executive education support
Password Management
UF Active Directory
PeopleSoft
LDAP
Distance, Continuing, Executive education support
DCE programs are administered at the unit level.
Unit-level directory coordinators can add students to the directory, creating a UFID.
Students can then use self-service screens to create a GatorLink account.
Directory message queues provide information to create roles in the portal.
Password Management
All GatorLink accounts have strong passwords.
Five password policies govern reset, use of hints and password age.
Policies are determined by user roles: each role has a related password policy.
Each user's GatorLink password management policy is the strongest policy required by the user's roles.
Password changing is done using portal screens; Kerberos, AD and NDS are updated in real time.
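How "the strongest policy required by the user's roles" can be computed, as an added example (not UF's implementation). The slides say there are five policies covering reset, hints and password age, and that each role maps to one policy; the policy contents, the strictness ranking, the role-to-policy mapping and the expiry arithmetic below are assumptions.

```python
"""Choosing a user's GatorLink password policy from their roles (added example)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Iterable, Optional


@dataclass(frozen=True)
class PasswordPolicy:
    strictness: int              # total order used to pick the "strongest" policy
    name: str
    max_age_days: Optional[int]  # None: no forced expiry
    hints_allowed: bool          # may a forgotten password be reset with a hint?
    reset_method: str


# Five assumed policies, weakest to strongest.
POLICIES: Dict[str, PasswordPolicy] = {p.name: p for p in (
    PasswordPolicy(1, "basic", None, True, "self-service with hint"),
    PasswordPolicy(2, "standard", 365, True, "self-service with hint"),
    PasswordPolicy(3, "employee", 180, False, "self-service with mailed code"),
    PasswordPolicy(4, "privileged", 90, False, "help desk with photo ID"),
    PasswordPolicy(5, "security-admin", 60, False, "help desk with photo ID"),
)}

# Assumed mapping of roles to the policy each role requires.
ROLE_POLICY: Dict[str, str] = {
    "PORTAL_USER": "basic",
    "STUDENT_SELF_SERVICE": "standard",
    "EMPLOYEE_SELF_SERVICE": "employee",
    "HR_PAYROLL_ADMIN": "privileged",
    "DEPT_SECURITY_COORDINATOR": "security-admin",
}


def strongest_policy(roles: Iterable[str]) -> PasswordPolicy:
    """The strongest policy any of the user's roles requires; 'basic' if none."""
    required = []
    for role in roles:
        if role not in ROLE_POLICY:
            # Fail closed: a role with no mapped policy is a configuration error,
            # not a reason to quietly leave the user on a weaker policy.
            raise KeyError(f"no password policy mapped for role {role!r}")
        required.append(POLICIES[ROLE_POLICY[role]])
    return max(required, key=lambda p: p.strictness, default=POLICIES["basic"])


def days_until_expiry(policy: PasswordPolicy, last_changed: str, today: str) -> Optional[int]:
    """Days left under the policy's max age (negative if overdue); None if no expiry.
    Dates are ISO-8601 strings, e.g. '2006-01-01'."""
    if policy.max_age_days is None:
        return None
    expiry = date.fromisoformat(last_changed) + timedelta(days=policy.max_age_days)
    return (expiry - date.fromisoformat(today)).days


def password_expired(policy: PasswordPolicy, last_changed: str, today: str) -> bool:
    left = days_until_expiry(policy, last_changed, today)
    return left is not None and left <= 0


if __name__ == "__main__":
    roles = ["PORTAL_USER", "EMPLOYEE_SELF_SERVICE", "HR_PAYROLL_ADMIN"]
    p = strongest_policy(roles)
    print(p.name, p.max_age_days, p.hints_allowed, p.reset_method)
    print(days_until_expiry(p, "2006-01-01", "2006-03-01"))
```

Because the policy is recomputed from the current role set, gaining a privileged role tightens the policy immediately, and a hint-based reset that was acceptable for a student stops being offered once the same person also holds an employee role.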
UF Active Directory
UFAD accounts are built from directory message queues
UFAD accounts use GatorLink usernames and passwords
OUs are populated based on the value of a “Network Managed By” attribute in the directory – directory coordinators assign the value
Contact information in UFAD is populated from the directory
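An added example (not UF's provisioning code) of a queue consumer that turns a directory message into a UFAD account: the GatorLink username becomes the account name, the UFID is kept as the link back to the registry, contact attributes are copied from the message, and the OU is chosen from "Network Managed By", with a holding OU for people to whom a coordinator has not yet assigned a unit. The message format, the OU layout, the unit list, the username pattern and the sample messages are all assumptions; the RDN escaping follows RFC 4514 so that directory data can never change the shape of the DN being written.

```python
"""Provisioning UF Active Directory accounts from directory messages (added example)."""
import json
import re
from typing import Dict, List, Optional, Tuple

AD_BASE = "DC=ad,DC=ufl,DC=edu"                    # assumed forest root
PEOPLE_OU = "OU=People," + AD_BASE                 # assumed container for person accounts
HOLDING_OU = "OU=Unmanaged," + PEOPLE_OU           # assumed: no managing unit assigned yet
KNOWN_UNITS = {"CLAS", "HSC", "ENG", "LIBRARIES"}  # assumed values a coordinator may assign
GATORLINK_RE = re.compile(r"^[a-z][a-z0-9]{1,19}$")  # assumed username shape


def escape_rdn_value(value: str) -> str:
    """Escape an RDN value per RFC 4514 so data cannot inject extra DN components."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;' or (i == 0 and ch in " #") or (i == last and ch == " "):
            out.append("\\" + ch)
        elif ord(ch) < 0x20:
            out.append("\\%02X" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def target_ou(network_managed_by: Optional[str]) -> str:
    """Place the account under its managing unit, or in the holding OU if none is known."""
    if network_managed_by in KNOWN_UNITS:
        return f"OU={network_managed_by},{PEOPLE_OU}"
    return HOLDING_OU


def build_ad_entry(msg: Dict) -> Dict:
    """Translate one directory message into the attributes a provisioning job would write."""
    for field in ("ufid", "gatorlink", "given_name", "sn", "status"):
        if not msg.get(field):
            raise ValueError(f"missing {field}")
    if not GATORLINK_RE.match(msg["gatorlink"]):
        raise ValueError("gatorlink username fails validation")
    cn = escape_rdn_value(msg["gatorlink"])
    return {
        "dn": f"CN={cn},{target_ou(msg.get('network_managed_by'))}",
        "sAMAccountName": msg["gatorlink"],
        "employeeID": msg["ufid"],  # UFID ties the account back to the registry
        "givenName": msg["given_name"],
        "sn": msg["sn"],
        "displayName": f"{msg['given_name']} {msg['sn']}",
        "mail": msg.get("mail", ""),
        "telephoneNumber": msg.get("phone", ""),
        # 512 = NORMAL_ACCOUNT; 514 = NORMAL_ACCOUNT | ACCOUNTDISABLE
        "userAccountControl": 512 if msg["status"] == "active" else 514,
    }


def process_queue(raw_messages: List[str]) -> Tuple[List[Dict], List[Dict]]:
    """Process a batch; a bad message is reported rather than stalling the queue."""
    entries, rejected = [], []
    for raw in raw_messages:
        try:
            entries.append(build_ad_entry(json.loads(raw)))
        except (ValueError, TypeError) as exc:
            rejected.append({"message": raw, "reason": str(exc)})
    return entries, rejected


# Constructed sample messages, not real UF data.
SAMPLE_MESSAGES = [
    json.dumps({"ufid": "12345678", "gatorlink": "agator", "given_name": "Albert",
                "sn": "Gator", "status": "active", "network_managed_by": "CLAS",
                "mail": "agator@ufl.edu", "phone": "352-555-0100"}),
    json.dumps({"ufid": "23456789", "gatorlink": "agator2", "given_name": "Alberta",
                "sn": "Gator", "status": "inactive"}),
    json.dumps({"ufid": "34567890", "gatorlink": "x,OU=Admins", "given_name": "Mal",
                "sn": "Lory", "status": "active", "network_managed_by": "HSC"}),
]

if __name__ == "__main__":
    ok, bad = process_queue(SAMPLE_MESSAGES)
    for e in ok:
        print(e["dn"], e["userAccountControl"])
    for r in bad:
        print("REJECTED:", r["reason"])
```

Passwords are deliberately absent from the message: the slides have the portal push password changes to AD in real time over a separate path, so the provisioning feed only needs identity and placement data. The third sample message shows why the username is validated before it is used in a DN.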
PeopleSoft
Directory coordinators enter people into the university directory and thereby create UFIDs for them. PeopleSoft Application Engine (AE) programs process message queues to automatically provision access to HR and Finance systems as appropriate, based on the person's affiliations.
When a person is an employee, the HR system provides additional information to the directory and assigns employee affiliations.
Non-employees often participate in university business processes and the directory can record appropriate affiliations which lead to provisioning access. The ARS can then be used to provide specific roles needed to handle special cases.
UF LDAP
The UF LDAP service is populated from a message queue from the UF directory.
UF LDAP provides access to public contact information and is used by the university white pages as a data source.
UF LDAP is used by university applications requiring current contact information for university members.
UF LDAP supports the eduPerson schema standards.
Future Work
PeopleSoft Student Administration will be implemented with go-live Summer 2006
UF Directory will be migrated to PeopleSoft Campus Community as part of the SIS implementation
Legacy systems maintaining authorization information will be reimplemented using roles
Direct access to the directory via APIs will be replaced with messaging infrastructure
Additional applications will be integrated with directory services – VOIP, Lenel, unit applications