IAM Committee Meeting Notes 11/9/2015

Transcription

1 IAM Committee Meeting Notes 11/9/2015 Attendees: Thomas Beard, CW Belcher, Michael Bos, John Chambers, Cesar de la Garza, Fred Gilmore, Ty Lehman, Andy Loomis, Darin Mattke, Michelle McKenzie, Shelley Powers, Charles Soto Absent: Cam Beasley, Tim Fackler, Alison Lee, Steve Rung, Karen Weisbrodt Guest: Francis McGrath IAM Team Members: Justin Czimskey, Rosa Harris, Josh Kinney, Marta Lang, Aaron Reiser, David Strickland 1. Directory Services Roadmap Review (Josh Kinney) The team is developing a roadmap to determine the future direction of the IAM team s directory services. The next step will be to engage with current and potential directory services customers to help them understand how directory services can help them, better understand how the customers are currently using directory services, and elicit ideas for how to enhance directory services. While the team has quantitative metrics for directory services usage (search types and volumes, for example), qualitative data needs to be gathered to understand what sorts of use cases customers are meeting (or would like to meet) using directory services. More information about the roadmap will be shared with the committee by the end of November. Once the customer engagement portion of the roadmap has been completed, the committee s assistance will be needed to help prioritize and approve changes. 2. Proposed Change to UTLogin Logoff Workflow Discuss (Rosa Harris & David Strickland) The primary goal of the next release of UTLogin is to support the implementation of Duo two-factor authentication. However, the release also includes additional enhancements, including a change to the logout workflow. UTLogin now supports SAML integrations in addition to the traditional OpenAM WPA model. The introduction of SAML customers to the UTLogin environment it has introduced an issue with logout that the team would like to address. Logout functionality with SAML works differently than it does with WPAs. If a user is logged into multiple Service Providers (SPs) using SAML, and they log out of one SP, they will not be logged out of the other SPs. This is standard SAML behavior, but is a change from how logout with the on-campus WPAs work. The team proposes changing the current UTLogin flow that redirects customers to upon logout to instead redirect customers to a page that instructs them to close their browser to complete the logout process. This is how Shibboleth already works and UTLogin would be changed to match the Shibboleth behavior.

2 Q: Would this logout page be displayed for both WPA and SAML logouts? A: Yes. If a customer has both a WPA session and a SAML session, and the customer logs out of the WPA session, the SAML sessions would still be active. Therefore, the advice on the logout page would still apply. Q: Would it make sense to add a separate button under the text to close the window? A: The team will consider that suggestion. Q: What are the ramifications of a customer not closing their browser window? A: If a session is still active in a browser and the customer steps away from the machine (e.g. on a public terminal) the next person to use that machine could use the browser history to hijack the still-active authentication session. Q: What do other peer institutions do in these situations? A: The proposed change would bring us in line with the standard practices of other institutions. Decision: The committee voted to endorse this change. 3. IAM Services Web Site Review (CW Belcher) With the modernization of applications across campus, the team has found a growing need for campus to better understand IAM concepts and functions. The team has developed a web site, to be branded IAMservices.utexas.edu, to provide a one-stop resource for learning about IAM core concepts, understanding the questions campus customers need to ask themselves and vendors as they pursue application modernization, and finding more detailed information about IAM services and how the IAM integration process works. Most questions that the IAM Team is currently fielding are related to integrating new applications with the IAM environment, so an Integration section is provided to discuss basic concepts and explain the integration process. The Solutions section provides customers that are further along in the implementation process with more information about the IAM solutions available to them. The Developers section then goes into further technical detail for customers who are doing technical integration work. This site will be part of a larger outreach effort to provide campus groups with the information that they need to ensure that their modernized applications will integrate smoothly with the University s IAM environment. When the site is ready for review, a link will be sent out to the committee. 4. Other Initiative Updates a. Identity Assurance Framework (CW Belcher) Edits have not yet been finalized due to resource constraints, but the team s senior business analyst has been tapped to help complete the final changes.

3 b. IAM Integrations (Justin Czimskey) The team has completed several new integrations since the last meeting and the influx of new requests has slowed down. There are currently 6 integrations in progress. The Technology Architecture Implementation (TAI) project has presented a number of novel and interesting technological challenges that are taking extra time to work through. Standard SAML integration requests are being processed quickly, and the team is working with customers whose integration needs are urgent to help ensure that they meet their deadlines. c. Two Factor Authentication/Duo Implementation (Justin Czimskey) The Duo implementation is underway. Planning activities, including communication planning, are nearing completion. The project has been split into a technology component and a business process component which are working in parallel. The team is working closely with the Help Desk to ensure that they are ready to support customers through the transition. In addition to the main Duo implementation, the team is also working with the owners of applications currently using Toopher to plan their transition to Duo. For Financial Information Services (FIS) the migration is expected to take place in March. For Payroll, the migration is planned for June, after tax season is complete. d. Lightweight Authentication (Rosa Harris) The team is currently working on the Request for Proposal (RFP) for a lightweight authentication solution. Meetings with Purchasing are ongoing and the team plans to release the RFP to vendors in December. Oral presentations for the finalists are planned for February with vendor selection taking place in March. The team is also continuing to interview departments regarding how they are using Guest-class EIDs. e. SailPoint Implementation (Marta Lang) The contract with the SailPoint integration vendor is currently being finalized. The contract is scheduled to be submitted to UT System Administration for review this week.

4 Directory Services Roadmap Background The utexas Enterprise Directory (TED) is used by campus applications as the consolidated source of student, faculty, staff and guest data. The Directory is fundamental to many of the services and resources used by campus on a daily basis. TED serves as the user store for the UTLogin and Shibboleth centralized authentication services and also provides LDAPbased user authentication for a variety of departmental systems on campus. The White Pages Directory is the web-based publically accessible version of this directory service. This Roadmap will provide an approach to evaluate and implement Directory architecture and service changes. These changes aim to increase performance, reliability and utility for the internal use of university departments. Project Description and Scope The Directory Services Roadmap will be divided into three broad phases. 1. Increase the performance and reliability of existing Directory Service 2. Customer Engagement Educate current and new customers on existing Directory Service offerings Elicit requirements for service improvements and enhancements Engage the Directory Services community with a survey to quantify current satisfaction and utility 3. Revise Directory Services Evaluate and prioritize initiatives to address requirements Implement proofs of concepts Engage IAM Committee for revising Directory Services mission based on customer feedback and available technology Implement revised Directory Services Engage the Directory Services community with an after state survey

5 UTLOGIN LOGOUT ENDPOINT CHANGE 11/9/2015 OVERVIEW An increasing number of UTLogin clients are using Security Assertion Markup Language (SAML), rather than Web Policy Agents (WPAs). SAML authentication provides the same single sign-on (SSO) capabilities as WPA authentication, but is limited in its single log-out (SLO) support. As a result, a user who is working in multiple applications may not be logged out of each application upon sign out. Currently, users are redirected to the University of Texas homepage upon logout. To help protect user privacy, UTLogin should instead redirect to a new page upon logout that instructs the user to close all browser windows. ACTION REQUIRED The IAM Committee s endorsement to change the UTLogin user s logout experience. IMPACT ANALYSIS If no change is made, users will likely have an incorrect set of expectations for logout, which could threaten their privacy. PROJECT GOALS Redirect users to a new logout endpoint, rather than the homepage. The logout endpoint will explain that the user has logged out of the application that was just in use, but may still have active sessions in other applications. The language will be copied from the Shibboleth logout endpoint at SCHEDULE This change will be included in the UTLogin release scheduled for March 13, FOR MORE INFORMATION Thorough explanation of the limitations of SAML SLO: Current Shibboleth Logout Endpoint: 1