Identity Access Management IAM 101. Mike Conlon Director of Data Infrastructure

Transcription

1 Identity Access Management IAM 101 Mike Conlon Director of Data Infrastructure 1

2 Three Processes Identity Answers the question Who is in our environment? Authentication Answers the question Should we accept a sign on? Authorization Answers the question What is this person permitted to access? 2

3 Identity Process Associates a person with a representation in a computer system The representation in the computer system may be a person object, a database record, a unique identifier or some combination of all three 3

4 Some Identity Processes Driver s License State issues a license with a photo and a birth date. The bearer of the ID claims to be the person issued the license. By checking the photo, the service provider can check the association of person and identity record. Birth Certificate State issues an official document at birth. Original is presented by the bearer to claim identity. ID Numbers Institution assigns an ID number to an individual and records it in a computer system. ID number is protected, but not secret 4

5 Level of Assurance Level of Assurance is a measure of how sure we are that a particular person has been assigned a particular identity record Federal Government has defined 4 levels of assurance. See UF uses two levels strong and weak Strong photo id and physical presence Weak web form 5

6 Directory and Identity Identity provides the association between a person and one or more identifiers A directory provides core information regarding people Institutions typically have more than one directory -- often a core directory that feeds other directories The core directory is also called a person registry, person data hub, or metadirectory 6

7 Sample Directory Architecture 7

8 Authentication Processes Provide a means for a person to sign on to a computer system, typically with a username and password, that is, a credential Tie authentication to identity. When a credential is presented, systems should be able to determine what person is presenting the credential Support enterprise system sign on, LAN sign on, web sign on with the same credential 8

9 LAN Sign On Systems such as Active Directory, Netware Directory Services and Kerberos provide LAN sign on Systems can be tied together (cross realm) or credentials can be replicated Michigan uses cross realm. UF uses replication 9

10 Web Initial Sign On (WebISO) WebISO is technique for creating a seam less sign on experience to web-based applications User access a WebISO site if already sign on the user enters the site, others is prompted for credentials Initial site prompts for credentials, other sites accept credentials already in place Several WebISO options available. pubcookie, is open source and used widely 10

11 WebISO at UF UF developed a local WebISO solution in 1998 GLAuth GLAuth provides a secure cookie-based Kerberos authenticated system GLAuth is simple to install on Apache web servers Legacy SIS and admin applications use GLAuth providing single credential access to these systems Departments use GLAuth to authenticate web applications and to protect materials 11

12 Enterprise Sign On Enterprise Systems (PeopleSoft, WebCT, Mainframe) may have unique authentication requirements PeopleSoft can use LDAP UF used this, then turned it around Web-based applications on mainframe can use WebISO Credentials can be replicated RACF can use Kerberos 12

13 Authorization Concept Directory has affiliations for each person. Affiliations roll up to eduperson affiliations and to primary affiliation Affiliations imply authorizations Authorization is based on roles Roles can often be algorithmically determined by affiliations Additional roles are assigned by traditional access request processes 13

14 Affiliation Affiliation indicates the relationship a of a person to the institution Affiliation is multi-valued Different systems are authoritative for different affiliations (SIS for student affiliations, HR for employee affiliations) EduPerson affiliations: Faculty, Staff, Student, Employee, Member, Alumni, Affiliate Affiliation may imply authorization by policy 14

15 Role The unit of authorization is a role. A role grants access to a service. Examples: UF_PORTAL_USER grants access to my.ufl.edu, the UF Portal. All Faculty, Staff and Students have this role UF_GRADER grants access to assign grades UF_GM_BUDGET_APP grants access to approve grant budgets Roles are often scoped with parameters 15

16 Entity, Role and Service 16

17 Role Management Roles are assigned algorithmically using processes accessing directory message queues Security Coordinators request roles using the Access Request System (ARS), a portal application. See Signet ( for an open source privilege management system Roles are assigned following request based on university policy Individuals can view their roles from the portal 17

18 My Roles Portal users can access their role information using My Roles Additional options provide users with access to maintain their account 18

19 UF has 427 Roles (and growing) PeopleSoft Roles 235 Legacy Roles 126 Non-PeopleSoft Roles 86 UF has PeopleSoft HR, Finance, EPM and Portal. Expect to add 100+ roles when student is implemented 19

20 Computer Account In a single credential environment, computer account becomes an abstraction The collection of identity, contact information, credential, access and authorizations belonging to a person System administrators speak of an AD account or an account on my system but end users do not End users see one enterprise identity, one enterprise credential, one enterprise account At UF, this is referred to as a GatorLink Account 20

21 One Credential To have one credential, you will need to solve two problems (at least!) Technical problems how can all (most) computer systems use the enterprise credential Operational problems if there is only one credential, how can it be strong enough for highly secure applications, and weak enough (!) for many applications UF uses replication to a variety of authentication systems to address the technical problems. UF uses a variety of password policies related to authorization to address the operational problems 21

22 The basic idea Control the strength of the user s credential by the roles assigned to the user Each role has an associated password policy roles that provide limited access are assigned low password policy. Roles that provide broad access are assigned high password policy A user s password policy is the maximum of the password policies assigned to the roles belonging to the user. As roles are granted or rescinded, the users password policy automatically goes up or down. 22

23 What s a Password Policy? A password policy is a collection of attributes that define how the password must be managed: How often must it be changed? Can it be changed on line or only in person? Can a password hint be used? How long must the password be? How complex must the password be? And so on 23

24 UF has 5 password policies Attribute P1 P2 P3 P4 P5 1. Minimum length of password Password is character checked Yes Yes Yes Yes Yes 3. Max age of password (in days) Security class before pwd is issued No No No Yes Yes 15. Must use 2-factor authentication No No No No Yes 16. Account is expired if pwd is cracked No No No Yes Yes Each policy has 16 attributes see 24

25 The Rationale for various password policies P1 used for applicants, guests, visitors limited interaction with university information systems P2 information about oneself. Students. Some staff P3 provide and access information about others. Faculty and most admin staff P4 Significant authorization to allocate university resources. Core, Dean and VP admin staff P5 Direct access at system level to university systems 25

26 Password Policy Tally Count PCT Policy Policy 2 175, Policy 3 13, Policy Policy Total 189,

27 Password Policy is not Level of Assurance Level of Assurance answers the question How sure are we that this person object represents that person? UF has two levels of assurance Strong (picture ID and physical presence) and Weak (web or mail process). LOA is an attribute of the person object in the directory. Password Policy answers the question How strong is this credential? Password policy is an attribute of a role. 27

28 IDM Entity Relationships 28

29 Some Technical Details 1.5 M Person Objects in Registry in mainframe in DB2 Roles are stored and managed in PeopleSoft Password Policies are stored and managed in PeopleSoft Passwords are managed in PeopleSoft Credentials are managed in legacy apps will be managed in PeopleSoft Affiliations are managed in the Registry LDAP has all user objects Active Directory has all user objects with credentials 29

30 Some Policy Details and Consequences Identity is established by 800 directory coordinators Identity resolution is manual, 50 cases per year Identity theft is rare, 1-2 cases per year All users are required to change passwords at least each year All passwords are strong Password hints have reduced help desk calls 30

31 More Information Eduperson Directory project and structure Password Policy Or write 31