Organizing a Campus Change: Planning for Identity and Access Management Improvements at UF

Organizing a Campus Change: Planning for Identity and Access Management Improvements at UF
Dr. Mike Conlon, Director of Data Infrastructure
June 3, 2008

University of Florida
$2B annual revenue: $518M in grants, $750M state
$2B annual revenue health care business
Land grant; 20 research centers, 67 CEOs
#2 in total Fall 2007 student enrollment (50,576)
#4 public university for incoming merit scholars
$1.5B capital campaign
145 academic departments, 16 colleges

University of Florida IT
$100M annual spend; 900 IT professionals
Central IT ($48M) reports to multiple vice presidents
Legacy mainframe student system
PeopleSoft HR, Finance, Grants; Cognos BI; WebCT
UF Exchange, UFAD
HPC, FLR, FCLA
College/unit IT: some at college level, most at department level
Centers, institutes, research groups
Five network providers: UF, IFAS, Shands HealthCare, Housing, Health Science Center

Identity and Access Management (IAM)
Identity: associate people with electronic records. UFID; UF Directory, 1.7M people.
Authentication: provide credentials for people to access computer systems, and associate the authentication with an identity. GatorLink username and password managed in myufl, pushed into PeopleSoft, Active Directory, Kerberos, NDS. GLAuth: local cookie-based WebISO solution.
Authorization: control access to resources based on attributes of people. Affiliations (UF Directory) and roles (PeopleSoft), pushed into UFAD. Declarative authorization: is person x in group y?

IAM at UF

Challenges for IAM
Security: GLAuth has security flaws.
Platform support: cannot currently support the common platforms, Apache and IIS on Linux and Windows.
WebISO: need a solution to provide Web Initial Sign-On across participating sites.
Declarative authorization: need a simple tool for units to control access via group membership (if x is a y, then allow access).

How to Create Change?
Complex technical environment: many systems, many thought leaders.
Complex managerial environment: many independent units, many competing interests.

Eight Step Change Process
Partnering; Roles and Responsibilities; Identify the Needs; Measure; Write the Project Charter; Action Planning; Implementation; Evaluation

Partnering
Using existing governance structures, raise the issue of improvements in IAM: IT Advisory Council, ITAC Data Infrastructure, ITAC Security, ITAC UFAD, ITAC Academic.
Identify the key individuals who must plan and execute an improvement.

Roles and Responsibilities
Clarify roles and responsibilities in IAM across central IT providers, and the relationship of central IT providers to local IT.
Presentations at ITAC meetings and UFAD meetings; consistent communication.
Develop expectations regarding participation.

Identify Business Needs
Two years of discussion; four business needs emerge:
1. Symmetric WebISO across enterprise and local apps
2. More environments: support Windows and Linux, Apache and IIS
3. Improve security: replace the existing local cookie-based system
4. Use group information for declarative authorization
Town Hall presentation for the technical community, September 2, 2007
Educause CAMP, Tempe, February 3-4, 2008: Shibboleth identified as addressing all four needs
Planning team formed February 2008

Shibboleth
Internet2 project with lead site at Ohio State
InCommon Trust Federation, http://incommonfederation.org: NSF, NIH, Microsoft DreamSpark, Elsevier, Mobile Campus, many more
Federated identity (multiple identity providers) as well as declarative authorization (attribute release)
Shibboleth demo: http://shibboleth.internet2.edu/demo/shib_demo.html
See http://shibboleth.internet2.edu

Shibboleth Flow

UF Shibboleth Flow

Shibboleth Planning Team
Eli Ben Shoshan, CNS; John Bevis, CNS; Dr. Mike Conlon, chair; Alan Cook, CIO Office; Warren Curry, Bridges; Tim Fitzpatrick, CNS; Rodger Hendricks, AT; Mike Kanofsky, UFAD; Iain Moffat, CNS; Erik Schmidt, UFAD; Barb Sedesse, CNS

Attribute Release
Shibboleth is designed to provide data about users (attributes) to authorized requestors.
Attribute release is governed by an Attribute Release Policy (ARP).
An ARP is associated with an application (typically a URL).
At UF, an application is associated with a Responsible Party via UFID.

Attribute Release Control
1. Each application has exactly one responsible party. A responsible party may have many applications.
2. An Attribute Release Policy (ARP) may be assigned to many applications. An application may have more than one ARP.
3. An ARP may release multiple attributes. An attribute may be released via many different policies.
4. Many attributes may come from a particular attribute source. Each attribute comes from exactly one source.

Example of Attribute Release Policy: UF_CID
UF_CID releases the primary affiliation along with a service-provider-specific identifier, the CID.
The CID can be used by the service provider as a key to provide persistent access.
The CID is not the UFID. It is managed by Shibboleth. An application can assume that if a CID value recurs in a subsequent transaction, it belongs to the same individual.
Because the CID is specific to one service provider, two applications cannot correlate a user by comparing CIDs; the CID is therefore not sensitive or privileged and can be used outside UF.
An application such as Mobile Campus could use this policy to verify that the user is a student and then manage preferences within its service for that student based on the CID.
Note: the application does not get the user's identity.

Mike Goes to a Web Site
1. Mike enters a URL for an application using Shibboleth.
2. The application is authorized for the UF_CID policy and asks Shibboleth for attributes.
3. Shibboleth checks whether Mike is signed on; if not, it prompts for GatorLink username and password and verifies them via Kerberos.
4. Shibboleth then gets Mike's affiliation from Active Directory and computes a CID based on Mike's UFID.
5. Shibboleth presents the CID and affiliation to the application.
6. The application sees that the user is a student (Mike's primary affiliation) and can record the CID.
7. The application lets Mike in.
8. If Mike returns to the site, Shibboleth computes the same CID for Mike, and the application can use the CID to retrieve history and store preferences.
Note: the application never learns any protected identity information about Mike.
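The attribute release model (responsible party, ARPs, attributes) and the UF_CID walkthrough above, as an added example that is not code from the UF deployment or from the Shibboleth project. The keyed-hash construction for the CID, the policy and application registries, the UFIDs, entityIDs and the second policy UF_NAME are all assumptions made for illustration; Shibboleth's own identifier computation and ARP syntax are different and are not reproduced here.

```python
import hashlib
import hmac

# Assumption: an IdP-side secret salt. In a real deployment this is a
# long random value that never leaves the identity provider; a constructed
# placeholder is used here so the example runs offline.
SECRET_SALT = b"constructed-example-salt-not-a-real-secret"

# Constructed sample attribute source in the shape of the UF Directory /
# Active Directory data the slides describe. UFIDs and names are made up.
DIRECTORY = {
    "00000001": {"primaryAffiliation": "student", "gatorlink": "mike", "displayName": "Mike Example"},
    "00000002": {"primaryAffiliation": "staff", "gatorlink": "jane", "displayName": "Jane Example"},
}

# Assumed ARP model: policy name -> attributes the policy releases.
# UF_CID follows the slide: primary affiliation plus an SP-specific id.
# UF_NAME is a hypothetical second policy, present only to show that an
# application may carry more than one ARP.
POLICIES = {
    "UF_CID": {"primaryAffiliation", "cid"},
    "UF_NAME": {"displayName"},
}

# Assumed application registry: SP entityID -> its single responsible
# party (a UFID) and the ARPs assigned to it. EntityIDs are constructed.
APPLICATIONS = {
    "https://mobilecampus.example.org/shibboleth": {
        "responsible_party": "00000001", "arps": ["UF_CID"]},
    "https://portal.example.org/shibboleth": {
        "responsible_party": "00000002", "arps": ["UF_CID", "UF_NAME"]},
}


def compute_cid(ufid: str, sp_entity_id: str, salt: bytes = SECRET_SALT) -> str:
    """Derive a stable, service-provider-specific pseudonymous identifier.

    Keyed hash over (entityID, UFID): the same user at the same SP always
    gets the same CID, a different SP gets an unrelated CID, and without
    the salt the UFID cannot be recovered from the CID.
    """
    message = sp_entity_id.encode() + b"!" + ufid.encode()
    return hmac.new(salt, message, hashlib.sha256).hexdigest()


def release_attributes(ufid: str, sp_entity_id: str) -> dict:
    """Apply the ARPs registered for an application and return only the
    attributes they allow. An application with no registered ARP gets
    nothing (default deny)."""
    app = APPLICATIONS.get(sp_entity_id)
    if app is None:
        raise PermissionError(f"no ARP registered for {sp_entity_id}")
    allowed = set().union(*(POLICIES[name] for name in app["arps"]))
    record = DIRECTORY[ufid]
    released = {k: v for k, v in record.items() if k in allowed}
    if "cid" in allowed:
        released["cid"] = compute_cid(ufid, sp_entity_id)
    return released


def application_admits(released: dict) -> bool:
    """Declarative authorization on the SP side ("if x is a student then
    allow access"), decided from released attributes only."""
    return released.get("primaryAffiliation") == "student"


if __name__ == "__main__":
    sp = "https://mobilecampus.example.org/shibboleth"
    first_visit = release_attributes("00000001", sp)
    return_visit = release_attributes("00000001", sp)
    print(first_visit)
    print("admitted:", application_admits(first_visit))
    print("same CID on return:", first_visit["cid"] == return_visit["cid"])
```

The point to check in any real ARP engine is the one this toy makes explicit: the released set is computed from the policy, not from the record, so gatorlink and displayName never reach an application that holds only UF_CID, and an application that is not registered at all receives nothing rather than everything.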

Measurement and Assessment
170,000 active GatorLink usernames
Attributes in multiple data stores
34 UF affiliations; 7 primary affiliations
465 security roles
5,000 course sections per term
Over 1,000 web sites, many with controlled content
5 key enterprise applications: ISIS, WebCT, PeopleSoft, Cognos, Mail

Write the Charter
One-page Shibboleth charter: rationale, goals, sponsor, impact, timeline.
Written by the planning team, March 2008.
Vetted through advisory committees, April and May 2008.

Partnering through the Action Plan
June 2, 2008: Town hall with IT community
June 16, 2008: Early beta testing
July 2008: Full beta testing
August 2008: Opening day; ARP collection
September 2008: Production service
October 2008: Begin converting enterprise apps
October 2009: Remove legacy

Reality Check on Business Needs: IAM Opportunities and Shibboleth
Symmetric WebISO: Shibboleth provides symmetric WebISO across all Shibbolized applications.
More environments: Shibboleth supports IIS and Apache on Windows and Linux, and also Solaris and Mac servers.
Improve security: Shibboleth has well-defined ARPs and technical controls to support appropriate data release.
Use group information for declarative authorization: ARPs support declarative authorization.

Implementation
Proof of concept complete: multiple web servers in CNS and Bridges, WebISO, two simple ARPs.
Draft ARP management and governance process.
Production environment planning; production launch anticipated fall 2008.
Ready for early beta testing.

Evaluation
Have verified WebISO and platform support.
Will decommission two existing IAM systems, Cosign and GLAuth, reducing operating costs.
Will have a security review verifying the improvement.
Will have an MOU and a controlled ARP for all web sites.

More Information
Web sites: http://www.bridges.ufl.edu/directory and http://www.ad.ufl.edu
Questions, comments: mconlon@ufl.edu