Prepared by Dept. of Information Technology & Telecommunication, May 1, 2015 DoITT Identity...
-
Upload
gabriel-hosler -
Category
Documents
-
view
216 -
download
0
Transcript of Prepared by Dept. of Information Technology & Telecommunication, May 1, 2015 DoITT Identity...
Prepared by Dept. of Information Technology & Telecommunication, April 18, 2023
DoITT Identity Management
Security, Provisioning, Authentication
Prepared by Dept. of Information Technology & Telecommunication, April 18, 2023
What is Identity Management
• Identity management deals with identifying individuals in a system and controlling their access to resources within that system throughout their employment by associating user rights and restrictions with the established identity. It is the core of what is termed “Employee Lifecycle Management.”
• In an enterprise setting, identity management is used to increase security and productivity, while decreasing cost and redundant effort.
• Includes:– Password synchronization (reduced sign-on)
– Automated password resets
– Provisioning and authorization to systems
– De-provisioning users when they are no longer in the agency
Prepared by Dept. of Information Technology & Telecommunication, April 18, 2023
What is Identity Management?
Standard components of Identity Management:
AuthenticationAuthentication Access Management Access Management
User RegistrationUser Registration MaintenanceMaintenance TerminationTermination
SSO/
Federation
Framework
Provisioni
ng
Identity &
Policy
Administratio
nDirectory Services
Virtual
Directory
Directory
Repositories: LDAP,
AD, eDirectory
Meta
Directory
Prepared by Dept. of Information Technology & Telecommunication, April 18, 2023
Today’s Enterprise LDAP
The City Meta-Directory
Prepared by Dept. of Information Technology & Telecommunication, April 18, 2023
Project Overview
• The citywide Lightweight Directory Access Protocol (LDAP) project officially launched in January 2004 with a Citywide Employee Contact Directory as the end-product. Email lookups through agency mail clients has been available since July 2004.
• Novell’s eDirectory is the base of this LDAP enabled meta-directory. It resides on a Unix platform with an active-active redundancy.
• Agencies are connected to the LDAP directory via either a dynamic or manual batch connector that pulls identities from their agency’s directory.
• Windows servers are used for LDAP connector services as well as proxy appliances for the iChain web access control product.
• DoITT worked with over 45 agencies to create a meta-directory of employee contact information—totaling over 160,000 employees and growing.
Prepared by Dept. of Information Technology & Telecommunication, April 18, 2023
Current Architecture
• Load balanced, fault tolerant, and scalable
• Foundation for future identity vault
citydirectory.nycnetldap.nycnet
(vvrp)
SLD
AP SLDAP
Rep
licat
ion R
eplication
ReplicationS
LD
AP
SL
DA
P
SSL
SS
L
Batch R
eplicatio
n Batch Replication
LDAP-BACKUP2eGuide
eDirectory 8.7.3.2iManager
LDAP-BACKUP1eGuide
eDirectory 8.7.3.2iManager
DirXML 1.1.1a FP2Loopback DriversText File Drivers
BatchSynceGuide 2.1iManager
DirXML 1.1.1a FP2Dynamic Drivers
eGuide 2.1iManager
CSSVIP2
Dyn
amic
Dyn
amic
Dyn
amic
Ba
tch
SLDAP
IDC
ldap-city2ldap-wp2
autheguide2
eDirectory 8.7.3.2eGuide 2.1iManager
SLDAP
IDC ldap-city1ldap-wp1
autheguide1
eGuide 2.1eDirectory 8.7.3.2
iManager
CSSVIP1
SSL
SS
L
IDCWindows
2003ServerDirXML
IDCWindows
2003Server
DirXML(alt)
Dyn
amic
Dyn
amic
Dynamic from Win 2003
SSL SSL
CityNet (WEB) Users CityNet (WEB) Users
Prepared by Dept. of Information Technology & Telecommunication, April 18, 2023
Security and Uniqueness
• Agencies define what information is visible through the Citywide Employee Contact Directory.
• Agencies have a variety of means of hiding or removing data from the system.
• The biggest challenge and most important element of the project was to determine a preexisting unique identifier for each employee.
• Name and agency, email address, and even combinations of these aren’t sufficient since none of these are truly unique in NYC.
• Current unique identifier: Surname + Given name, Organizational Unit (s), Organization (nycnet)
• Future unique identifier: PMS Employee I.D.
Prepared by Dept. of Information Technology & Telecommunication, April 18, 2023
Employee White Pages
• The web front-end for LDAP is the Citywide Employee Contact Directory. It is available through the City’s intranet, http://cityshare.nycnet.
• The directory has advanced filtering options.
• Data appearing in the directory or through email client lookups is based on what the agency feeds LDAP and what is defined as being visible to the public. Therefore, LDAP participating agencies need to keep data clean and sensitive accounts hidden.
• As part of the long-term identity management strategy, we encourage every agency to put every employee’s PMS ID and active code into the agency directory. DoITT is piloting a script to help agency LDAP liaisons provide this data along with the help from their HR Departments.
Prepared by Dept. of Information Technology & Telecommunication, April 18, 2023
Simple Employee Lookup
A more simple Employee Search that ties into LDAP and displays the same data is globally available within CityShare.
Prepared by Dept. of Information Technology & Telecommunication, April 18, 2023
Next Steps
Moving from White Pages to Identity Vault
Prepared by Dept. of Information Technology & Telecommunication, April 18, 2023
High-level Plan
• LDAP meta-directory building block is in place for the next step in establishing a citywide identity management plan.
• Critical milestones will have to take place for successful implementation:– DoITT, FISA and NYCAPS are working together to use the PMS ID as
the unique identifier, which will populate every City employee in a large citywide identity vault. NYCAPS will be established as the sole identity source of employee data in the future.
– Establishment of an identity management policy board to guide the LDAP project team on key identity management issues found throughout the Employee Management Lifecycle .
– Determining the best products and approaches for authentication and authorization will enable enterprise applications and agency directories to utilize one citywide meta directory for authorization.
• The long-term goal is to eventually have reduced sign-on, provisioning capabilities, and digital signature capability for enterprise applications and participating agencies.
Prepared by Dept. of Information Technology & Telecommunication, April 18, 2023
Key Considerations
• Work with agencies to identify their requirements and IM needs as well as bring currently non-participating ones into LDAP.
• Convert all batch connected agencies to dynamic connections. This will be instrumental with future user provisioning and de-provisioning in the Employee Management Lifecycle.
• Create a policy board consisting of multiple agencies to make decisions on:– Technologies– Timeframes– Functionality– Policies– Standards
• Determine the structure of the identity vault and all dependencies.
• Receive buy-in from agencies.
Prepared by Dept. of Information Technology & Telecommunication, April 18, 2023
Interested in Learning More?
Contact:
Dominic Pisciotta
Sr. Project Manager, ETD
212-232-1066
OR
Teri Moore
Director of Enterprise Technology Development
212-232-0938