UM Directory/Authentication Strategy
January 22, 2007

Goal

The goal of the UM Directory Services/Authentication Strategy is to provide both easy and secure
access to contemporary computer systems. The Directory Services/Authentication strategy will protect
against security breaches, improve the management of identities, and support appropriate access to data
for UMB research, teaching, and administrative operations.

- To implement and maintain a campus standard for Identity Management, Authentication, and
  integration of UM applications and systems.
- To maintain Authorization at the application, allowing the University to provide more accurate solutions
  for protecting data while at the same time ensuring access for those who need it.
- To provide a compatible interface to connect the USM, UMMS and UPI applications and systems.
- To develop awareness of, and to educate and communicate, the need for Authentication standards for
  current and future systems.

Current State

UM currently has a great many applications and systems with separate and distinct user identities and
passwords. Authorization and access to systems are difficult to obtain, and the access removal process
is very manual in nature. Most users have several different userids and passwords, which drastically
increases the cost of maintaining these services and hinders the integration of UM systems and services.
CITS has taken the following steps:

- Created an Identity Management System that maintains data regarding people and their attributes in
  the campus Enterprise Directory service. This system is already used by the campus Portal. An ID
  and password are used to authenticate into the Portal, which provides immediate access to human
  resources, payroll, financials, and the RAVEN reporting application without logging in again.
- Implemented an Enterprise Directory, which has been a breakthrough in establishing a common
  UM authentication database that can be used for the following purposes:
      o Creation and use of common UMB identifiers.
      o Account creation/removal processes.
      o Improved security by granting/denying access to applications and services in a timely
        manner based on a person’s affiliation.
      o Single sign-on functionality.
- The Enterprise Directory allows identities and access to UM applications to be managed more quickly
  and effectively. The use of Directory Services will lead to more automated and accurate solutions for
  protecting access to University data while at the same time ensuring access for those who need it.
- The UM One-Card, USM Library System, Coeus (pre-award), Maximus (effort reporting) and
  other web applications are currently using this enterprise directory for authentication and identity
  management purposes.

Next steps

- Standardize on the “UM number”, which is located on the back of the UM OneCard, as the unique login
  identifier for systems and applications. Consideration must be given to whether the application is
  capable of using the Lightweight Directory Access Protocol (LDAP).
      o All LDAP-enabled applications should use the Enterprise Directory for authentication.
      o For non-LDAP-enabled applications the “UM number” should be used as the login
        ID/key. This provides at least a single login identifier for end users and also
        provides a linking mechanism between applications and other systems.
      o For the Network Operating System (NOS) environment we are adding the “UM
        number” to the system in a standard variable so that a connector can be established to
        allow for an exchange of information between the Enterprise Directory and the NOS
        environment. This could allow for password syncing and for a more secure and efficient
        account management process, while still allowing system administrators the freedom to
        create and manage their own school and department users.
      o Please refer to the Directory Services Overview diagram for a visual depiction of the
        Identity Management system.
Next steps (continued)

- Standardize on using Directory Services authentication for UM applications.
- Standardize on using Directory Services for University systems requiring access to people data.
- Communicate the standard methods for authentication.
- Communicate the standard methods for accessing/integrating Directory Service data.
- Continue to enhance the enterprise Identity Management System.
- Use the Enterprise Directory for authentication into the UM wireless network.
- Integrate the Enterprise Directory with the campus Active Directory Forest (see definition).
- Systematically integrate other Network Operating System (NOS) environments.

- Continued local and enterprise controls of access and account creation.
- Continued use of UM directories and directory infrastructures.
- Leveraged use of the currently available UM Enterprise Directory Service.
- Continued use of the unique ID which already exists on the UM OneCard.
- More efficient account creation and maintenance process.
- Creation of a Single Identifier for potential authentication into all UM systems.
- The option of logging on with the common “UM number” ID, or with some other alias and more
  preferred login ID, e.g., email address.
[Diagram: UM Directory Services Overview (Directory Overview C 10-26-06, NOS Independent). End users reach the
Enterprise Directory with a SIMS id, an email address alias or a NOS userid (email address) and password; customer#
is used as the key and PW synchronization is shown between the NOS directories (GroupWise, Exchange servers, eDir,
AD) and the Enterprise Directory, with the system admin creating accounts and adding cust# to the person object.
The Identity Management Registry Process, fed by HR/Affiliate and SIMS (Fname, Lname, DOB, last 4 SSN, School,
Affiliation), creates and maintains a single identity for campus users, creates the Bar Code and customer#, and maintains
each person’s affiliations and status. Web applications using the directory: Fin, SIMS, HR, Blackboard, COEUS, Raven,
SURFS, One Card, Open Webmail, Maximus, CMS, Wireless Network, Portal. Other consumers of identity and
application data: Athletic Center, Online Directory, Paper Phone book, Pharmacy Laptop App, Software Licensing,
Aux Services Stub Record App. Data flow legend: Authentication, Updates Enterprise Dir, Updates External System
Data, Synchronize Data, Query Data. Note on the diagram: all applications requiring user login will use cust# for
login ID; PW sync will be pursued.]

Definitions

Active Directory is an implementation of LDAP directory services by Microsoft for use in Windows environments. Active
Directory allows administrators to assign enterprise-wide policies, deploy programs to many computers, and apply critical updates
to an entire organization. An Active Directory stores information and settings relating to an organization in a central, organized,
accessible database.

Authentication - the process of attempting to verify the digital identity of the sender of a communication, such as a request to log
in. The sender being authenticated may be a person using a computer, a computer itself, or a computer program.

Authorization - the part of the operating system that protects computer resources by only allowing those resources to be used by
resource consumers that have been granted authority to use them.

Authentication is the process of verifying a person's identity, while Authorization is the process of verifying that a known person
has the authority to perform a certain operation. Authentication, therefore, must precede authorization.

Database is a collection of logically related data designed to meet the information needs of one or more users. The central concept
of a database is that of a collection of records, or pieces of knowledge. Typically, for a given database, there is a structural
description of the type of facts held in that database; this description is known as a Schema. The schema describes the objects that
are represented in the database and the relationships among them.

Directory Service is a software application, or a set of applications, that stores and organizes information about a computer
network's users and network shares, and that allows network administrators to manage users' access to the shares. Additionally,
directory services act as an abstraction layer between users and shared resources.
A directory service should not be confused with the directory repository itself, which is the database that holds information about
named objects that are managed in the directory service. In the case of the X.500 distributed directory services model, one or more
namespaces (trees of objects) are used to form the directory service. The directory service provides the access interface to the data
that is contained in one or more directory namespaces. The directory service interface acts as a central/common authority that can
securely authenticate the system resources that manage the directory data. Like a database, a directory service is highly
optimized for reads and provides advanced search on the many different attributes that can be associated with objects in a
directory. The data that is stored in the directory is defined by an extensible and modifiable schema.

Forest/Tree/Domain - the framework that holds all the objects is viewed at a number of levels. At the top of the structure is the
Forest: the collection of every object, its attributes and rules (attribute syntax) in the AD. The forest holds one or more transitive,
trust-linked Trees. A tree holds one or more Domains and domain trees, again linked in a transitive trust hierarchy. Domains are
identified by their DNS name structure, the namespace. A domain has a single DNS name.

Lightweight Directory Access Protocol, or LDAP, is a networking protocol for querying and modifying directory services
running over TCP/IP. An LDAP directory usually follows the X.500 model: it is a tree of entries, each of which consists of a set of
named attributes with values.

Novell eDirectory (formerly called Novell Directory Services) is an X.500-compatible directory service software product for
centrally managing access to resources on multiple servers and computers within a given network. eDirectory is a hierarchical,
object-oriented database that represents all the assets in an organization in a logical tree. Assets can include people, positions,
servers, workstations, applications, printers, services, groups, etc.

Novell Identity Manager, previously known as DirXML, uses XML-based configuration files to determine the
product's implemented functions. With out-of-the-box synchronization capabilities covering various directories, databases, phone
systems, operating systems, and HR systems, IDM strives to ease the administrative efforts of large enterprises by preventing
duplication of administrative effort.
