UM Directory/Authentication Strategy
January 22, 2007
Goal

The goal of the UM Directory Services/Authentication Strategy is to provide both easy and secure
access to contemporary computer systems. The Directory Services/Authentication strategy will protect
against security breaches, improve the management of identities, and support appropriate access to data
for UMB research, teaching, and administrative operations.

• To implement and maintain a campus standard for identity management, authentication, and
integration of UM applications and systems.
• To keep authorization at the application level, allowing the University to protect data more
precisely while ensuring access for those who need it. (The directory answers who a person is and
what their affiliation is; each application still decides what that person may do.)
• To provide a compatible interface to connect the USM, UMMS and UPI applications and systems.
• To develop awareness of, and to educate and communicate, the need for authentication standards
for current and future systems.
Current State

UM currently has a great many applications and systems with separate and distinct user identities and
passwords. Authorization and access to systems are difficult to obtain, and the access removal process
is largely manual, so accounts tend to outlive the affiliation that justified them. Most users have several
different userids and passwords, which drastically increases the cost of maintaining these services and
hinders the integration of UM systems and services.
CITS has taken the following steps:
• Created an Identity Management System that maintains data regarding people and their attributes in
the campus Enterprise Directory service. This system is already used by the campus Portal. An ID
and password are used to authenticate into the Portal, which then provides access to human
resources, payroll, financials, and the RAVEN reporting application without logging in again.
• Implemented an Enterprise Directory, which has been a breakthrough in establishing a common
UM authentication database that can be used for the following purposes:
o Creation and use of common UMB identifiers.
o Account creation/removal processes.
o Improved security by granting/denying access to applications and services in a timely
manner based on a person's affiliation.
o Single sign-on functionality.
The Enterprise Directory allows identities and access to UM applications to be managed more
quickly and effectively. The use of Directory Services will lead to more automated and accurate
solutions for protecting access to University data, while at the same time ensuring access for those
who need it.
• The UM One-Card, USM Library System, Coeus (pre-award), Maximus (effort reporting) and
other web applications are currently using this enterprise directory for authentication and identity
Next steps

• Standardize on the "UM number", which is located on the back of the UM OneCard, as the unique login
identifier for systems and applications. Because it is printed on a card, the UM number is an
identifier, not a secret: it must never serve as a password or, by itself, as proof of identity.
Consideration must be given to whether the application is capable of using the Lightweight Directory
Access Protocol (LDAP).
o All LDAP-enabled applications should use the Enterprise Directory for authentication.
o For non-LDAP-enabled applications, the "UM number" should be used as the login
ID/key. This provides at least a single login identifier for end users, and a linking
mechanism between applications and other systems.
o For the Network Operating System (NOS) environment we are adding the "UM
number" to the system in a standard attribute so that a connector can be established to
exchange information between the Enterprise Directory and the NOS environment. This
could allow for password syncing, and for a more secure and efficient account management
process, while still allowing system administrators the freedom to create and manage their
own school and department users. (Synchronizing a password copies one secret into several
stores, each of which must then be protected as well as the Enterprise Directory itself; where
an application can authenticate against the directory directly, that is preferable to holding a
synchronized copy.)
o Please refer to the Directory Services Overview diagram for a visual depiction of the
Identity Management system.
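The search-then-bind flow that the LDAP bullets above imply, as an added example that is not code from this document or from CITS. The application looks the user up by UM number with its own service credentials, proves the user's identity with an LDAP bind as the user's DN and password, and then applies its own affiliation check, keeping authorization at the application as the Goal section asks. The attribute names umNumber, umAffiliation and umStatus, the base DN and the affiliation policy are assumptions; FakeDirectory is a constructed in-memory stand-in for the LDAP server so that the block runs offline.

```python
"""Search-then-bind authentication keyed on the UM number (added example, not code
from the UM/CITS document). Assumed for illustration: attribute names umNumber,
umAffiliation and umStatus, the base DN, and the allowed-affiliation policy.
FakeDirectory is a constructed in-memory stand-in for the LDAP server so this runs
offline; in production the two calls are an LDAP search (service account) and a
simple bind as the user's DN, both over LDAPS or StartTLS."""
from dataclasses import dataclass
from typing import Optional

BASE_DN = "ou=people,dc=umaryland,dc=edu"               # assumption
ALLOWED_AFFILIATIONS = {"faculty", "staff", "student"}  # assumed app policy
FILTER_PREFIX = "(&(objectClass=person)(umNumber="

def escape_filter_value(value: str) -> str:
    """RFC 4515 section 3 escaping. Without it a login ID such as "*" or
    "x)(umAffiliation=faculty" would rewrite the filter (LDAP injection)."""
    out = []
    for b in value.encode("utf-8"):
        if b in b"*()\\\x00" or b < 0x20 or b > 0x7E:
            out.append(f"\\{b:02x}")
        else:
            out.append(chr(b))
    return "".join(out)

def unescape_filter_value(value: str) -> str:
    """Inverse of escape_filter_value; used by the stand-in server below."""
    raw, i = bytearray(), 0
    while i < len(value):
        if value[i] == "\\":
            raw.append(int(value[i + 1:i + 3], 16))
            i += 3
        else:
            raw.extend(value[i].encode("utf-8"))
            i += 1
    return raw.decode("utf-8")

def build_filter(um_number: str) -> str:
    """Equality filter on the UM number; the value is always escaped."""
    return f"{FILTER_PREFIX}{escape_filter_value(um_number)}))"

@dataclass
class Entry:
    dn: str
    attrs: dict       # attribute name -> list of values, as LDAP returns them
    password: str     # stand-in for userPassword; a real server never discloses it

class FakeDirectory:
    """Constructed stand-in for an LDAP server. It understands only the filter shape
    build_filter() produces, so an escaped "*" matches literally, as on a real server."""
    def __init__(self, entries):
        self._entries = entries

    def search(self, base_dn: str, filt: str):
        if not (filt.startswith(FILTER_PREFIX) and filt.endswith("))")):
            raise ValueError("unsupported filter: " + filt)
        wanted = unescape_filter_value(filt[len(FILTER_PREFIX):-2])
        return [e for e in self._entries
                if e.dn.endswith(base_dn) and wanted in e.attrs.get("umNumber", [])]

    def bind(self, dn: str, password: str) -> bool:
        return any(e.dn == dn and e.password == password for e in self._entries)

def authenticate(directory, um_number: str, password: str) -> Optional[Entry]:
    """Search-then-bind; returns the entry on success, None otherwise. The UM number
    is printed on the OneCard, so it is an identifier, never a secret: only the bind
    with the user's password proves identity."""
    if not password:
        # RFC 4513 section 5.1.2: DN plus empty password is an *unauthenticated* bind
        # that many servers report as success. Refuse it before talking to the server.
        return None
    matches = directory.search(BASE_DN, build_filter(um_number))
    if len(matches) != 1:   # 0: unknown ID; >1: duplicate UM number, do not guess
        return None
    return matches[0] if directory.bind(matches[0].dn, password) else None

def authorize(entry: Entry) -> bool:
    """Authorization stays with the application: active status plus an allowed affiliation."""
    active = entry.attrs.get("umStatus", [""])[0] == "active"
    return active and bool(set(entry.attrs.get("umAffiliation", [])) & ALLOWED_AFFILIATIONS)

def login(directory, um_number: str, password: str) -> str:
    entry = authenticate(directory, um_number, password)
    if entry is None:
        return "denied: authentication failed"
    return "ok: " + entry.dn if authorize(entry) else "denied: not authorized"

# Constructed sample entries (not real UM data).
DIRECTORY = FakeDirectory([
    Entry("uid=1000123," + BASE_DN, {"umNumber": ["1000123"], "umAffiliation": ["faculty"],
                                     "umStatus": ["active"]}, password="correct horse"),
    Entry("uid=1000456," + BASE_DN, {"umNumber": ["1000456"], "umAffiliation": ["alumni"],
                                     "umStatus": ["inactive"]}, password="hunter2"),
])

if __name__ == "__main__":
    for um, pw in [("1000123", "correct horse"), ("1000123", ""), ("*", "x"), ("1000456", "hunter2")]:
        print(f"{um!r:>10} -> {login(DIRECTORY, um, pw)}")
```

Two details matter in practice. The login identifier goes through RFC 4515 escaping before it enters the filter, so an entered `*` or `)(` cannot widen the search, and an empty password is rejected before the bind, because an LDAP simple bind with a DN and no password is an unauthenticated bind that many servers answer with success. The affiliation and status check is what lets the directory deny access "in a timely manner based on a person's affiliation": the application re-reads those attributes on every login instead of keeping its own copy.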
Next steps (continued)

• Standardize on using Directory Services authentication for UM applications.
• Standardize on using Directory Services for University systems requiring access to people data.
• Communicate the standard methods for authentication.
• Communicate the standard methods for accessing/integrating Directory Service data.
• Continue to enhance the enterprise Identity Management System.
• Use the Enterprise Directory for authentication into the UM wireless network.
• Integrate the Enterprise Directory with the campus Active Directory Forest (see definition).
• Systematically integrate other Network Operating System (NOS) environments.

This approach provides:
• Continued local and enterprise control of access and account creation.
• Continued use of UM directories and directory infrastructures.
• Leveraged use of the currently available UM Enterprise Directory Service.
• Continued use of the unique ID that already exists on the UM OneCard.
• A more efficient account creation and maintenance process.
• A single identifier for potential authentication into all UM systems.
• The option of logging on with the common "UM number" ID or with another, preferred alias such as
an email address.
UM Directory Services Overview

[Diagram "Directory Overview C", dated 10-26-06, labelled NOS Independent; only its text survives extraction. What it shows:]

Identity sources feeding the Identity Management Registry Process: HR, SIMS, Financials and an affiliate system (external system data). The registry process creates and maintains a single identity for campus users (first name, last name, DOB, last four digits of the SSN, school, affiliation), maintains each person's affiliations and status, and creates the bar code and customer number. All applications requiring a user login use the customer number as the login ID.

Applications authenticating against the Enterprise Directory: Portal, RAVEN, SURFS, One Card, Open Webmail, Maximus, CMS, Wireless Network and other end-user web applications. The SIMS id and the email address are aliases for the end user; the backend UserID is not used by end users.

NOS directories (GroupWise, Exchange servers): system administrators create accounts and add the customer number to the person record so that it serves as the linking key; password synchronization with the Enterprise Directory is to be pursued.

Consumers of identity and demographic data, keyed on the customer number (query/synchronize): Athletic Center, Online Directory, paper phone book, Pharmacy laptop application, Auxiliary Services.

Data flow legend: authentication, updates, synchronize data, query data.

Definitions
Active Directory is an implementation of LDAP directory services by Microsoft for use in Windows environments. Active
Directory allows administrators to assign enterprise-wide policies, deploy programs to many computers, and apply critical updates
to an entire organization. An Active Directory stores information and settings relating to an organization in a central, organized,
Authentication - the process of attempting to verify the digital identity of the sender of a communication such as a request to log
in. The sender being authenticated may be a person using a computer, a computer itself or a computer program.
Authorization - the function of a system that protects computer resources by allowing them to be used only by
resource consumers that have been granted authority to use them.
Authentication is the process of verifying a person's identity, while Authorization is the process of verifying that a known person
has the authority to perform a certain operation. Authentication, therefore, must precede authorization.
Database is a collection of logically related data designed to meet the information needs of one or more users. The central concept
of a database is that of a collection of records, or pieces of knowledge. Typically, for a given database, there is a structural
description of the type of facts held in that database: this description is known as a Schema. The schema describes the objects that
are represented in the database, and the relationships among them.
Directory Service is a software application — or a set of applications — that stores and organizes information about a computer
network's users and network shares, and that allows network administrators to manage users' access to the shares. Additionally,
directory services act as an abstraction layer between users and shared resources.
A directory service should not be confused with the directory repository itself; which is the database that holds information about
named objects that are managed in the directory service. In the case of the X.500 distributed directory services model, one or more
namespaces (trees of objects) are used to form the directory service. The directory service provides the access interface to the data
that is contained in one or more directory namespaces. The directory service interface acts as a central/common authority that can
securely authenticate the system resources that manage the directory data. Compared to a general-purpose database,
a directory service is highly optimized for reads and provides advanced search on the many different attributes that
can be associated with objects in a directory. The data that is stored in the directory is defined by an extensible and
modifiable schema.
Forest/Tree/Domain The framework that holds all the objects is viewed at a number of levels. At the top of the structure is the
Forest - the collection of every object, its attributes and rules (attribute syntax) in the AD. The forest holds one or more transitive,
trust-linked Trees. A tree holds one or more Domains and domain trees, again linked in a transitive trust hierarchy. Domains are
identified by their DNS name structure, the namespace. A domain has a single DNS name.
Lightweight Directory Access Protocol, or LDAP, is a networking protocol for querying and modifying directory services
running over TCP/IP. An LDAP directory usually follows the X.500 model: it is a tree of entries, each of which consists of a set of
named attributes with values.
Novell eDirectory (formerly called Novell Directory Services) is an X.500 compatible directory service software product for
centrally managing access to resources on multiple servers and computers within a given network. eDirectory is a hierarchical,
object oriented database that represents all the assets in an organization in a logical tree. Assets can include people, positions,
servers, workstations, applications, printers, services, groups, etc.
Novell Identity Manager, previously known as DirXML, uses XML-based configuration files to determine the
product's implemented functions. With out-of-the-box synchronization capabilities covering various directories,
databases, phone systems, operating systems, and HR systems, IDM aims to ease the administrative effort of large
enterprises by preventing duplicated administrative work.