Global Directory Services and Shibboleth Single Sign-on




A Technical Seminar for the USC IT Community
Presented by the Information Technology Services
November 21, 2006
  Overview of the Seminar

      The Global Directory Services (GDS) Project Overview
      GDS Data Overview
      Shibboleth @ USC
      Shibboleth, SSO and You
      Q&A




USC ITS | Global Directory Services and Shibboleth Single Sign-on   2
Global Directory Services (GDS)
Project Overview




Asbed Bedrossian
Information Technology Services
asbed@usc.edu
  What is GDS?

      Identity Management (IdM) infrastructure provides a
       standards-based central clearinghouse through which
       users of restricted resources can be authenticated
       (AuthN) and authorized (AuthZ) to do their business.
      GDS is an identity management tool which provides
       AuthN + AuthZ and personalization resources to the USC
       community.
      AuthN + AuthZ = AuthX




  The IdM Vision
      Consistency with I2 Campus AuthX concepts
      Enable inter-institutional collaboration, federation
      All systems and databases that contain information about people are part
       of IdM
      AuthX is provided through widely adopted standards: GDS, LDAP,
       Shibboleth
      Transition local AuthX as much as possible to externalize application
       authorizations, facilitate timely role change updates
      Provision all services explicitly (not implicitly) i.e., authorization must
       accompany authentication
      Enhance USC data security by deprecating SOR-supplied local data
       feeds
      Formalize and streamline approval and access process for person
       information
      Advocate a USC data warehouse to power business intelligence tools
  Key GDS Features

      Global
            Available anytime, anywhere (on-demand)
            Using the EDUCAUSE eduPerson schema standards
             to enable federation and collaboration between
             higher education institutions
            Progressively including increasingly comprehensive
             USC community populations.




  Key GDS Features

      Directory
            LDAP technology, content sourced from Systems of
             Record (SORs).
            Collection of user attributes about who they are, and
             what resources they may access
            NOT an open pool of information – very tightly
             controlled




  Key GDS Features

      Services
            AuthN for primary identity confirmation
            AuthZ to determine who has access to what
            Personalization to deliver customized information and
             services to end-user




  What GDS is and is not

      GDS is a transactional system
      What GDS is NOT:
            not designed to provide reporting or analysis
            not a data warehouse
            not an alternative to bypass Data Steward oversight
            not a source for data to populate local databases and
             networks




  GDS Value Add
      Improve user experience
            Fewer Sign-ons (FSO), more personalization, current data

      Simplify service provisioning
            Less local AuthX

      Increase security
            Reduce local DBs, AuthX, better revocation, logging and auditing

            Reduce dependency on SOR-supplied data feeds to end-user systems

      Increase flexibility
            Inserts a layer of indirection between SORs and end-user services

      Decrease cost
            Reduce overhead, limit provisioning to intended services and times

      Enable multi-institutional collaboration
            InCommon, LOA, PKI


  GDS Architecture




  GDS Functionality

      Support enterprise applications
            myUSC, Blackboard, Library apps, the new Online
             Directory, etc.
      Support community applications via the Directory
       Services Steering Committee’s (DSC) Attribute
       Access Request (AAR) process.
       http://www.usc.edu/gds/




  Community Interest & Activity
      Email clients – addressbook
      Provost: University Advisement, iTunesU, Mail lists, early online
       services for faculty
      Admissions: The new Student Information Gateway (SIG), Oasis
      Student Affairs: Student activity group app, Lyon Center waiver
      Registration & Records: Commencement Book
      uscCollege: College Wiki, Faculty/Staff app
      Library: DSpace, Digital Measures, Electronic Resources Proxy
       Server



  Community Interest & Activity (cont’d)
      University Park Student Health Center: USCIDs for emergency
       service to non-members
      Viterbi: Faculty portal, Viterbi Blackboard
      Trojan Transportation apps
      CAPS employee apps
      AIS: SCERA Research Portal, ePay
      ITS Web Services: myUSC, myWiki, employee personal webpages,
       ITS intranet, Online Directory, Blackboard, Software download
       server, etc.
      and more…


  GDS Data
      Name
      uscPvid (a GDS system persistent and unique identifier)
      Account (a.k.a. username/uid)
      Mail
      Title
      USCID
      SIS PID
      EmployeeID
      Affiliation
      Department
      Division
      Phone
      Year-in-school
      Majors
      Minors
      Major Conferring School
      Posix Data
      Employee business address
      Data-based and discretionary groups

  In Progress
      Data Cleanup
      iVIP – Guest and Affiliate (VIP) System of Record
      A Groups management interface
      myInfo
      Additional populations in the GDS (VIPs, Admits, Alumni, etc.)
      Additional Person Data in the PR/GDS (enrollment, course
       instructors, term-based data, etc)
      Private alternate email addresses
      New Online Directory
      Grouper – analysis phase
      Signet – analysis phase
  In Progress (cont’d)
      Migrating Legacy Shib 1.2 environment users to
       GDS/Shib 1.3. Retiring legacy environment.
      Shibboleth
      Test environments
      Provisioning hub
      Performance monitoring
      Policy development
            Definitions of active student, faculty, staff
            Policies for Guest & Affiliates (VIPs)
            One person One account
      Much more…
  Challenges
      Fractured data environment
      Data quality and practices
      ITS resources
      Temporary administrative home for IdM policy, iVIP
      Communication
      Data dictionary, education, promulgation
      Prioritizing the IdM initiative with other IT departments.




  Strengths

      Community participation
      Support of Data Stewards
      Technical Operational partnership
      I2/EDUCAUSE involvement, leadership, prestige
      Highly skilled team, recognized talents




  Next Steps

      Secure executive and community endorsement of the
       University’s IdM initiative
      Articulate institutional expectations
      Continue building on the IdM “Cloud” (PR/GDS)
      Expand GDS populations




  ITS Resources

      Subscribe to the Shibboleth listservs
            Email listproc@usc.edu and type the following
             instruction:
               For Shibboleth announcements:
                       “Subscribe shib-announce-l@usc.edu yourname”

               For Shibboleth discussion:
                       “Subscribe shib-discuss-l@usc.edu yourname”




                                                             Q&A

      Thank you for your time!



                                                      Asbed Bedrossian
                                                        asbed@usc.edu
                                                            213-740-2878




Global Directory Services (GDS)
Policy and Data Overview




Brendan Bellina
Information Technology Services
bbellina@usc.edu
  IdM/GDS Collaborative Committees
   -   All committees are chaired by Margaret Harrington, the Director of the Office of
       Organization Improvement Services
   -   Data Team - technical committee
       •   focuses on operational issues affecting SORs and PR/GDS
       •   attendees include representatives from SORs and the GDS team
       •   meets bi-weekly, generally 12-15 attendees
   -   GDS Executive Committee - management committee
       •   focuses on technical and staffing issues affecting direction and prioritization
       •   attendees include management representatives from SORs and the GDS team
       •   meets bi-weekly, generally 8-10 attendees
   -   Directory Steering Committee - management committee
       •   focuses on policy regarding data acquisition and release, integration, and communication
       •   attendees include senior management representatives from academic schools,
           administrative departments, IT Security Office, General Counsel
       •   meets every 3 weeks, generally 15-20 attendees
        Distributed Identity = Identity Compromised

        [Figure: personal data held in distributed local copies (SSN, name, date of birth,
        gender, ethnicity, address, phone, email) exposed through security breach, user error,
        intentional email, inadequate training, equipment theft and recycled equipment.]

          January 2006 - University of Notre Dame Development Office server hacked. Notre Dame
           refuses to comment on the number of people compromised, but the number is believed to be
           significant. http://idtheft.about.com/od/databreaches/p/Notre_Dame.htm

          March 2006 - Vermont State Colleges laptop stolen from under car seat with personal
           information for 20,000 employees and students of the Vermont College System.
           http://idtheft.about.com/od/2006/p/VSU_Breach.htm

          March 2006 - Metropolitan State College of Denver laptop stolen from the home of an
           Admissions Office employee with SSN’s of more than 93,000 students.
           http://idtheft.about.com/od/2006/p/Metro_State.htm

          March 2006 - Georgetown University researcher server hacked for SSN’s, names, and birth
           dates of 41,000 elderly. http://idtheft.about.com/od/2006/p/GeorgeTown.htm

          April 2006 - University of South Carolina department chair mistakenly emailed the SSN’s of
           1,400 students to 1,000 classmates.
           http://www.myrtlebeachonline.com/mld/myrtlebeachonline/news/local/14340642.htm

          April 2006 - Texas University School of Business database server hacked for 197,000 student
           and employee identities. http://idtheft.about.com/od/2006/p/Texas_U.htm

          May 2006 - Ohio University alumni database server hacked and releases information on
           300,000 alumni and 137,000 SSN’s. http://idtheft.about.com/od/2006/p/Ohio_data_theft.htm

          May 2006 - Ohio University medical records system hacked for 60,000 identities.
           http://idtheft.about.com/od/2006/p/Ohio_University.htm

          May 2006 - Sacred Heart University system hacked and compromises 135,000 SSN’s.
           http://idtheft.about.com/od/2006/p/Sacred_Heart.htm


Global Directory Model

[Diagram: Systems of Record supply User Info to the Global Directory, which also holds
Groups. LDAP-enabled applications reach the directory through LDAP Service accounts;
Shibbolized applications receive attributes through the Shib IdP.]

            Because the Global Directory contains all people who use all applications and all their
            attributes, population and attribute filtering must be done between the application and the
            directory.
            LDAP-enabled applications use assigned LDAP Service accounts to filter based on
            directory ACIs (access control instructions).
            Shibbolized applications use Shibboleth ARPs (attribute release policies) maintained at
            USC in the IdP.
            Shibboleth is the USC preferred technology for communicating service user attributes to a
            service.




    USC Shibboleth 1.2 vs. USC Shibboleth 1.3

      Shibboleth 1.2: SSO for intra-institutional services
      Shibboleth 1.3: SSO enhanced to support federated services

      Shibboleth 1.2: Focus on technology
      Shibboleth 1.3: Focus on policy

      Shibboleth 1.2: Technical decision makers
      Shibboleth 1.3: Administrative decision makers

      Shibboleth 1.2: Convenience for Service Providers
      Shibboleth 1.3: Privacy preserving for service users

      Shibboleth 1.2: Limited AA
      Shibboleth 1.3: Robust AA

      Shibboleth 1.2: Attribute-based authorization at applications following attribute release
      Shibboleth 1.3: Group-based authorization managed centrally, preventing inappropriate
                      attribute release

      Shibboleth 1.2: Guests with NetIDs inherit a bundle of services, including all Shibbolized
                      services
      Shibboleth 1.3: Unbundled services for “VIP”s through the new iVIP service


  Privacy Preserving

      GDS provides public access via LDAP only to released
       employee data, not to student data or to employees who
       have requested DNR (do not release). Additional access
       requires an approved LDAP service account.
      No attributes released through Shibboleth by default
      Well-defined Attribute Request Process supported by
       Data Stewards
      Shibboleth does not release attributes for non-authorized
       users (via Rule Constraint Patch)
      Shibboleth can prevent access by anonymous Service
       Providers (via USC patch, default in Shibboleth 2.0)
  Privacy Preserving
      Release entitlement rather than attributes
      Name-based identifiers replaced with persistent non-name-based
       IDs (uscPvid, eduPersonTargetedId) wherever possible
      Privacy preserving email address (under development)
      Confidentiality respected
      iVIP system will be used to register University guests
      Guests will receive only approved services




  Authorization Model
      Service Provider must explicitly define user population
            based on attributes in the GDS provided by the SORs, or
            as a discretionary (exception) group recorded in the GDS
      GDS Authorization Group is used to record the application
       user population and assign an entitlement for the service
      Shibboleth releases attributes to the Service Provider only
       for users with the entitlement value for the service
      Authorization to use a service is determined at the Identity
       Provider based on GDS attributes BEFORE any attributes
       about the user are released to the service.


  Groups, Rules, and Exceptions


[Diagram: Systems of Record supply User Info to GDS entries, from which Rule-based
Membership Groups are derived; the Application Owner uses the Groups interface to
maintain Exception Membership Groups in the GDS; both feed the Service Authorization
Groups.]
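The Authorization Model slide and the Groups, Rules, and Exceptions diagram describe one pipeline: SOR-sourced attributes drive rule-based membership, the application owner records exception members, the union is the service authorization group that carries an entitlement, and the IdP decides on that entitlement before anything about the user is released. The following is an added example written for this page, not USC's GDS or Shibboleth code; the directory entries, the membership rule, the SP identifier and the entitlement value are all constructed.

```python
"""Added example, not USC's GDS or Shibboleth code: the authorization model
on these slides, end to end.  SOR-sourced attributes drive rule-based group
membership, the application owner records exception (discretionary) members,
the union is the service authorization group that carries an entitlement,
and the IdP releases attributes to a Service Provider only for users who
hold that entitlement.  Entries, rules, SP identifiers and entitlement
values are all constructed for the example."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set

# Constructed directory entries keyed by Person uscPvid (value format assumed).
GDS: Dict[str, dict] = {
    "pvid-1001": {"uid": "tstudent", "uscStudent": True, "majorCode": "CSCI",
                  "mail": "tstudent@example.edu"},
    "pvid-1002": {"uid": "jfaculty", "uscFaculty": True,
                  "department": "Computer Science", "mail": "jfaculty@example.edu"},
    "pvid-1003": {"uid": "astaff", "uscStaff": True, "department": "Library",
                  "mail": "astaff@example.edu"},
    "pvid-1004": {"uid": "bstudent", "uscStudent": True, "majorCode": "HIST",
                  "mail": "bstudent@example.edu"},
}


@dataclass
class ServiceAuthorizationGroup:
    """One service's user population: a rule over SOR-sourced attributes
    plus discretionary exceptions recorded by the application owner."""
    service: str                      # SP identifier (constructed)
    entitlement: str                  # value asserted for members (constructed)
    rule: Callable[[dict], bool]      # rule-based membership
    exceptions: Set[str] = field(default_factory=set)  # uscPvids added by owner

    def members(self, directory: Dict[str, dict]) -> Set[str]:
        rule_based = {pvid for pvid, e in directory.items() if self.rule(e)}
        return rule_based | (self.exceptions & set(directory))


@dataclass
class AttributeReleasePolicy:
    """ARP-like rule: which attributes one SP may receive about a member."""
    service: str
    attributes: List[str]


def entitlements_for(pvid: str, groups: List[ServiceAuthorizationGroup],
                     directory: Dict[str, dict]) -> Set[str]:
    """Entitlement values a person holds, derived from group membership."""
    return {g.entitlement for g in groups if pvid in g.members(directory)}


def release(pvid: str, service: str, groups: List[ServiceAuthorizationGroup],
            arps: List[AttributeReleasePolicy],
            directory: Dict[str, dict]) -> Optional[dict]:
    """IdP-side decision: authorize BEFORE anything about the user leaves.
    Returns the released attributes, or None when the user is not in the
    service's population (no attributes, not even an identifier)."""
    group = next((g for g in groups if g.service == service), None)
    if group is None:
        return None                     # unknown SP: nothing released
    if group.entitlement not in entitlements_for(pvid, groups, directory):
        return None                     # not authorized: nothing released
    released = {"eduPersonEntitlement": group.entitlement}
    arp = next((a for a in arps if a.service == service), None)
    if arp is not None:                 # no ARP: entitlement only, by default
        entry = directory[pvid]
        released.update({a: entry[a] for a in arp.attributes if a in entry})
    return released


# Constructed service: CS students and CS faculty by rule, one librarian by exception.
GROUPS = [ServiceAuthorizationGroup(
    service="https://cs-wiki.example.edu/shibboleth",
    entitlement="urn:example:entitlement:cs-wiki",
    rule=lambda e: (e.get("majorCode") == "CSCI"
                    or e.get("department") == "Computer Science"),
    exceptions={"pvid-1003"},
)]
ARPS = [AttributeReleasePolicy("https://cs-wiki.example.edu/shibboleth",
                               ["uid", "mail"])]

if __name__ == "__main__":
    for pvid in GDS:
        print(pvid, release(pvid, GROUPS[0].service, GROUPS, ARPS, GDS))
```

The order of checks in `release` is the point of the slide: the entitlement test runs against directory data at the IdP, and a user outside the population gets `None`, so the SP never learns an identifier, an affiliation or even that the account exists.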




  Attribute Access Request Process
       Service Provider contacts DSC convener (Margaret Harrington) to
        schedule AAR meeting. SP should download form from GDS
        website prior to meeting and consider service user population,
        information needs, and department approvals.
       AAR meeting will include DSC convener, the SP representative(s),
        and ITS GDS team members. During the meeting the information
        requirements will be discussed and AAR form will be completed.
       AAR will be added to agenda for first available DSC meeting. SP
        representative should be prepared to attend the DSC meeting to
        answer questions.
       Data Steward approval may follow the DSC meeting. DSC convener
        will obtain any required signatures.
       Following all approvals the GDS team will schedule the creation of
        the service authorization group. This is generally completed within
        2-4 business days of final approval. Required time may vary with
        complexity of the request.
  GDS Attributes

      Recast SOR data to make it more usable for end-user
       applications and services
      Turn data into information
      Data accessible via LDAP and Shibboleth
      Standards based where possible
      Population into GDS is complicated - documentation at
       GDS website
      LDAP Schema documented at GDS website



  Standard Attributes: Persistent Identifiers
      Persistent Identifiers - used to recognize an individual; an
       alternate key (applications should have their own non-name-based
       primary key)
            Person uscPvid - public, affected by merges, non-name-based
            Account uscPvid - private, not affected by merges, non-name-based,
             one per unique enterprise account name per person
            Targeted ID - based on Account uscPvid; scoped to the Service
             Provider; not susceptible to profiling
            eduPersonPrincipalName - defined in the eduPerson standard;
             based on primary account; name-based and non-persistent
            Net ID - based on primary account; name-based and non-persistent
            Account name - usually name-based and non-persistent
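The Targeted ID line above is the one identifier in the list that is both persistent and "not susceptible to profiling". The added example below (written for this page; it is not Shibboleth's or USC's actual Targeted ID computation) shows why: a keyed hash over the Account uscPvid and the SP identifier gives each SP a stable value for the same person that no other SP can match, whereas a name-based value like eduPersonPrincipalName is identical at every SP. The secret, the uscPvid values, the scope and the SP identifiers are constructed.

```python
"""Added example, not Shibboleth's or USC's Targeted ID implementation:
a per-SP, non-name-based identifier derived from the Account uscPvid.
The IdP secret, uscPvid values, scope and SP entity IDs are constructed."""
import hashlib
import hmac

# Constructed IdP-side secret; a deployment keeps this as a protected salt.
IDP_SECRET = b"constructed-idp-secret-not-for-reuse"
SCOPE = "example.edu"   # constructed scope appended to scoped values


def targeted_id(account_uscpvid: str, sp_entity_id: str,
                secret: bytes = IDP_SECRET) -> str:
    """Persistent, per-SP, non-name-based identifier: HMAC-SHA256 over the
    account identifier and the requesting SP, rendered as hex@scope."""
    msg = f"{account_uscpvid}!{sp_entity_id}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest() + "@" + SCOPE


def principal_name(account_name: str) -> str:
    """eduPersonPrincipalName-style value: name-based and the same at every
    SP, so two SPs can join their user lists on it (and it changes if the
    account name changes, hence non-persistent)."""
    return f"{account_name}@{SCOPE}"


def correlatable(id_at_sp1: str, id_at_sp2: str) -> bool:
    """Can two SPs match up a user across services using this identifier?"""
    return id_at_sp1 == id_at_sp2


if __name__ == "__main__":
    sp_a = "https://sp-a.example.org/shibboleth"
    sp_b = "https://sp-b.example.org/shibboleth"
    print("SP A sees:", targeted_id("acct-pvid-42", sp_a))
    print("SP B sees:", targeted_id("acct-pvid-42", sp_b))
    print("ePPN at both:", principal_name("tstudent"))
```

Because the hash is keyed with an IdP-held secret rather than a plain digest, an SP that knows a user's uscPvid still cannot recompute the value another SP received, and the identifier stays stable across sessions as long as the account uscPvid and the secret do not change.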

  Standard Attributes: Linkage Identifiers

      Linkage Identifiers - used to link to a non-GDS
       data source, such as a datafeed from SIS or AIS
            USCID (for sponsored accounts created via SASU, this
             is the USCID of the account sponsor, not the user of
             the account)
            SIS PID
            Employee ID




  Standard Attributes: Name Attributes
       Student Reported Name - not verified, informal
       Employee Verified Name - formal
       Employee Preferred Name - informal, may be a nickname
       Common Name - all names; designed for searching via
        LDAP
       Display Name - Single name, derived based on current
        affiliation and preferences, designed for display
       Surname - List of complete surname and each part of a
        multi-part surname; designed for searching via LDAP
       Given Name - The parts of the name that are not included
        in surname

  Standard Attributes: Contact Attributes
       Email address - Single value; for employees preferred
        email address; for students assigned USC email address
        for student account
       telephoneNumber - multi-valued; for employees Office
        Telephone Number; for students local telephone number
       facsimileTelephoneNumber - multi-valued; for employees
        Office Fax; for students local fax
       postalAddress - multi-line; for employees based on
        Employee Office Address; for students local address
       Student permanent and foreign addresses (based on last
        term the person was a student)


  Standard Attributes: Student Information
       Term-based (prior, current, next)
            Major Code and Description
            Minor Code and Description
            School (based on Major)
            Student Year (based on completed credits)




  Standard Attributes: Employee Information
       Title - either preferred title or first formal title
       Department - Employee Department name
       Division - Employee Division name
       Employee Type - staff, faculty, or student worker




   Standard Attributes: Group Affiliation Information
       Affiliation - multi-valued; indicates all affiliations the
        person has based on their accounts - student, staff,
        faculty, member
       Primary Affiliation - single-valued; indicates primary
        affiliation based on accounts - student, staff, faculty
       uscFaculty, uscStaff, uscStudent - individual flags that
        indicate that a person has active accounts of these types
       Group memberships may be accessed via the LDAP
        protocol




   Standard Attributes: Other Information
       uscEntryReleasePolicy - records whether an entry is
        confidential or DNR
       uscAttributeReleasePolicy - records DNR attributes
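The two release-policy attributes above are what the earlier Privacy Preserving slide relies on when it says public LDAP access returns only released employee data while additional access needs an approved LDAP service account filtered by directory ACIs. The added example below (written for this page, not the GDS directory's real ACI configuration or schema handling) applies both attributes to constructed entries and shows the view an anonymous bind gets next to the view an approved service account gets. The entries, the service-account DN, the public attribute set and the policy value spellings ("dnr", "confidential") are assumptions.

```python
"""Added example, not the GDS directory's real ACI configuration: apply
uscEntryReleasePolicy and uscAttributeReleasePolicy to build the view an
LDAP requester receives.  Anonymous access sees released employee data only;
an approved service account sees the attributes its ACI permits.
Entries, DNs, attribute sets and policy value spellings are constructed."""
from typing import Dict, List, Optional

# Constructed: attributes an anonymous bind may ever see.
PUBLIC_ATTRS = {"cn", "mail", "telephoneNumber", "title", "department"}

# Constructed: approved service account DN -> attributes its ACI permits.
SERVICE_ACCOUNTS: Dict[str, set] = {
    "uid=svc-library,ou=services,dc=example,dc=edu":
        {"uscPvid", "cn", "mail", "uscStudent", "uscStaff", "uscFaculty"},
}

# Constructed directory entries.
ENTRIES: List[dict] = [
    {"uscPvid": "pvid-2001", "cn": "Pat Staffer", "mail": "pat@example.edu",
     "telephoneNumber": "+1 555 0100", "uscStaff": True,
     "uscAttributeReleasePolicy": ["telephoneNumber"]},      # phone is DNR
    {"uscPvid": "pvid-2002", "cn": "Lee Faculty", "mail": "lee@example.edu",
     "uscFaculty": True, "uscEntryReleasePolicy": "dnr"},    # whole entry DNR
    {"uscPvid": "pvid-2003", "cn": "Sam Student", "mail": "sam@example.edu",
     "uscStudent": True},                                     # never public
    {"uscPvid": "pvid-2004", "cn": "Kim Chair", "mail": "kim@example.edu",
     "title": "Department Chair", "department": "History", "uscFaculty": True},
]


def is_employee(entry: dict) -> bool:
    return bool(entry.get("uscStaff") or entry.get("uscFaculty"))


def view(entry: dict, requester: Optional[str] = None) -> Optional[dict]:
    """Attributes of one entry visible to the requester, or None if hidden.
    requester=None models an anonymous bind; otherwise a service-account DN."""
    if requester is None:
        # Assumption: a student worker counts as a student and stays hidden.
        if not is_employee(entry) or entry.get("uscStudent"):
            return None
        # Entry-level policy: DNR and confidential entries are not listed.
        if entry.get("uscEntryReleasePolicy") in {"dnr", "confidential"}:
            return None
        # Attribute-level policy: strip the attributes marked DNR.
        hidden = set(entry.get("uscAttributeReleasePolicy", []))
        return {k: v for k, v in entry.items()
                if k in PUBLIC_ATTRS and k not in hidden}
    allowed = SERVICE_ACCOUNTS.get(requester)
    if allowed is None:
        return None          # unapproved account: no additional access
    return {k: v for k, v in entry.items() if k in allowed}


def search(entries: List[dict], requester: Optional[str] = None) -> List[dict]:
    """Filtered result set, as the directory would return it to the requester."""
    results = (view(e, requester) for e in entries)
    return [r for r in results if r]


if __name__ == "__main__":
    print("anonymous:", search(ENTRIES))
    print("svc-library:", search(ENTRIES, next(iter(SERVICE_ACCOUNTS))))
```

The anonymous branch applies the entry-level policy before the attribute-level one, so an entry marked DNR never reaches the attribute filter, and the service-account branch returns only what the assigned ACI set names, which is the filtering-between-application-and-directory step the Global Directory Model slide describes.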




  What is the GDS Shibboleth Interface For?
      Information about the user accessing the web application
      Authentication using enterprise account without the
       application handling the enterprise password
      Authorization using pre-established populations defined
       based on SOR data and managed exceptions
      Single sign-on (SSO) experience
      Extension of services to GDS user populations - students,
       staff, faculty, affiliates (through iVIP) and future
       populations (alumni, parents, donors, etc.)
      Federated integration with other Shibbolized institutions



  What is the GDS LDAP Interface For?

      Information about users who are not the user
       logging in to the web application
      Information about groups
      For non-Shibbolizable applications, provides
       Authentication using enterprise credentials (single
       account, though not single sign-on)
      For non-Shibbolizable applications, provides
       Authorization using pre-defined populations


  What are Data Feeds from the SORs For?

      Pre-population of users (provisioning) prior to first
       user access. The GDS does not yet contain a
       provisioning engine.
      Access to attributes about users that are not in the
       GDS.
      Should see a reduction in the need for data feeds
       as the GDS expands in attributes, populations, and
       capabilities.
      Reporting needs. The GDS does not yet contain a
       data warehouse.
                                                             Q&A

      Thank you for your time!



                                                         Brendan Bellina
                                                      bbellina@usc.edu




Global Directory Services (GDS)
Shibboleth and SSO @ USC




William Norris
Information Technology Services
wnorris@usc.edu
                                                             Q&A

      Thank you for your time!



                                                               Will Norris
                                                       wnorris@usc.edu





								