Identity and Access Management (IAM) Roadmap DRAFT v2. North Carolina State University
|
|
- Nelson Jefferson
- 8 years ago
- Views:
Transcription
1 Identity and Access Management (IAM) Roadmap DRAFT v2 North Carolina State University April, 2010
2 Table of Contents Executive Summary... 3 IAM Dependencies... 4 Scope of the Roadmap... 4 Benefits... 4 Risks... 4 Current and Major Foundation Projects... 5 The Internet2 IAM Model... 9 Policy and Governance Source Data / Systems of Record Enterprise Directory Services Identity Data Consumers (Applications, Services) Groups and Privilege Management NC State University Current Account Provisioning NC State University - Planned IAM Services NC State University IAM Governance and Team Structure Next Steps Conclusions Gantt Chart of IAM Initiative Projects APPENDIX A IAM Project List Page 2 of 23
3 Identity is such a crucial affair that one shouldn't rush into it. - David Quammen, writer Executive Summary The area of Identity and Access Management (IAM) has existed for a number of years, particularly in higher education. It has recently been gaining momentum at most universities in part due to an increasing amount of online collaboration between institutions and the growth of identity federations such as InCommon. These new collaboration efforts allow and encourage colleagues and students from academic environments to access shared resources within an identity federation without the need for an account and password on each resource. Additionally, with the growth of services being made available in the cloud (e.g. Google Apps for Education) many of our students and employees will be accessing external resources using their NC State campus credential (UnityID and password). But let s go back to identity and access management Digital identities are the electronic representations of individuals. Therefore, identity management is the management of data that is contained in an individual s digital record specifically data about who they are. Some identity attributes for employees would be their name, phone number(s), campus location and address, job classification, college and/or department and address. Similar attributes are captured for students, and additionally we might have information on program of study, year, college, course enrollment, and whether they have a FERPA privacy block in place. Access Management is the process of granting, maintaining or revoking the entitlements or authorizations individuals (or their digital identities) have to online resources - whether data, applications or services. Identity and Access Management (IAM) covers the entire spectrum of users and their digital identities; the data captured about them, how it is protected and who or what is authorized to access it, how users are designated and differentiated from other members of the community (e.g. students, faculty, staff, alumni, parents, guests, etc.); how sure we are that the electronic credential we issue (username and password) goes to the right person; what services individuals are entitled to use; and the mechanisms, directories and systems that allow them to securely access those services. The IAM Roadmap addresses each of these areas and shows how they re related and dependant on each other. Priority projects are identified that are needed to support current university programs and applications, or lay the foundation for later efforts. These include the current Shibboleth and Identity Federation Project (which is supporting the student and other projects), a Password Management Project to provide self-service password resets (saving the Helpdesk many hours of support calls), Non Name-Based UnityIDs (to protect user privacy and eliminate renaming issues), the Campus Affiliation and Services Matrix to match campus affiliates with the services they require, a Guest Account system, and an Enterprise Directory Services project to develop a central location for campus identity data. The benefits of a fully implemented IAM infrastructure in addition to improving the efficiency and effectiveness of our existing systems - are specified and become more apparent as each project is briefly explained. The risks of not implementing a complete IAM environment are redundant accounts, systems and services; not meeting or adhering to audit requirements, federal regulations and state and federal privacy laws; and not being able to provide access to university services in a timely manner or remove that access when a user s relationship with the university changes. Page 3 of 23
4 IAM Dependencies As part of the overall IAM initiative, there is a dependency on the campus IT and University governance groups and the university data stewards to establish policies and procedures that define the different relationships individuals have with the university, and what services and data they are entitled to access. This extends across the student and employee lifecycles as well as to all non-traditional affiliates. Decisions made by the IAM governance committee(s) will determine what data needs to be obtained about individuals and stored in the appropriate System of Record (SoR). This data is the source for IAM identifiers and attributes that make up the core of the IAM system and is centrally located in the Enterprise Directory Service. Scope of the Roadmap This document is structured to show the relationships between the components that make up the IAM environment and how authoritative and sufficient identity data (attributes) can provide data consumers with the information they need to make appropriate authorization decisions about who should have access to what. The Roadmap is not a comprehensive project plan for addressing the IAM needs of the university. Plans will be developed as specific projects are undertaken to implement or enhance some facet of the overall IAM infrastructure for NC State University. Benefits The IAM Roadmap shows how the functions and components of Identity and Access Management are integrated into an infrastructure that enables many of the university services and online resources to operate more efficiently, effectively, economically and securely. From defining who has what relationship with the university, and as a result of that relationship to what services they are entitled; to provisioning access to those services through account and privilege management, IAM provides a foundation for developing web applications, sharing information and collaborating with others at the university, UNC System, State, National and International level. Risks As with any service that enables people to interact with systems, applications and resources, the availability of IAM services is critical to providing online access to the NC State community. This requires a very robust IAM environment from redundant, fault-tolerant servers, power, and networks, to an appropriate level of support personnel. The underlying infrastructure and backend systems need to be in place for the full benefits of Identity and Access Management to be realized. Another risk is that the growth in demand for IAM services might exceed the resources available to build and grow the infrastructure required to support it. Page 4 of 23
5 Current and Major Foundation Projects The following projects are currently in progress or will be shortly, as they lay the foundation for future IAM projects. Shibboleth and Identity Federation Project The Shibboleth System is a standards-based, open source software package for web single sign-on across or within organizational boundaries. It allows sites to make informed authorization decisions for individual access of protected online resources in a privacy-preserving manner. NC State users of external resources that are members of an identity federation can use Shibboleth to access these resources. This allows the user accessing the remote service to authenticate at NC State using his or her own campus username and password. The user then presents a digital authentication assertion to the resource along with any requested attributes and the resource makes a determination on whether to allow access. NC State established a Shibboleth Identity Provider (IdP) for the university in August, 2008 in response to a UNC-GA requirement to participate in the UNC System identity federation. This was to allow students within the system to register for courses at any of the system schools by accessing an interinstitutional registration application. Since that time, we have become a member of the InCommon identity federation and have the ability to easily set up access to federation service providers (SPs). We are currently exploring the use of Shibboleth to access some of our current vendors that are members of InCommon, rather than having to maintain a username and password on the vendor site and we have recently launched Google Apps for Education for student , which uses Shibboleth for access. Current campus web services that use or are planning to use Shibboleth to provide access are VCL, Moodle/Wolfware, My Pack Portal, the NCSU Library services and a number of web applications in engineering. There is also a strong interest in setting up this application as a potential replacement for the existing web authentication service WRAP. A primary benefit of using Shibboleth is that NC State users authenticate at our campus and don t need to maintain accounts in another location. Additionally, access can frequently be determined by the resource provider without needing to exchange personally identifiable information (PII), thus protecting the privacy of individuals. Password Self-Service Reset & Initial Password This project is well underway and is a foundation project for automating the account provisioning process for new users. It uses the Sun IDM product along with an application developed by AegisUSA that will allow users to set their initial password automatically, as well as establish challenge-response (UIA) questions for future password resets. The ability to set an initial password eliminates the use of a guessable formula for the initial password that is currently in use. By requiring the user to set their challenge-response questions when the initial password is chosen a way is provided for the user to reset their own password if they forget what it is. Currently, a user must come to the OIT Helpdesk in person to have a password reset. A primary benefit of this project is that Sun IDM will be connected to all the Page 5 of 23
6 enterprise account systems (currently Active Directory, Novell edirectory, MIT Kerberos and Google Apps for Education). The connectors that tie Sun IDM to the account systems for synchronizing passwords will also be configured to allow the accounts to be disabled. Once this project has been completed, the Sun IDM connectors will be mapped to other fields in the account systems so that when a student or new hire employee requires access to services they will be provisioned automatically with a SIS or HR action. Consequently, when a student or employee leaves the university, these same accounts can be automatically disabled and access to the appropriate campus services can be de-provisioned. Campus Affiliation vs. Services Matrix This project starts by developing a list of affiliate types that are recognized by the university as distinct populations that receive a unique service or set of services. For example: Student, Faculty, Staff, Alumni or Guest. This affiliation (or list of affiliations) can then be carried as identity attributes for each campus user. To clearly distinguish who is entitled to what services on campus, it may be necessary to provide more granularity by carrying sub-affiliations. For example an Employee who is also a Student and an Alumni, with sub-affiliations of FTE and Grad (MBA). Another example is a Guest who carries a sub-affiliation of Library Patron. These individuals all receive some service or services from the university. These will be mapped against the affiliation type and possibly grouped into service categories. These affiliation attributes or groups could then be used to make authorization decisions about which individuals get access to specific web services. An example of this would be certain licensed online library services. These might only be available to those users who carried a faculty, student or staff affiliation, or guest with a library patron sub-affiliation. Non Name-based UnityIDs There are many issues associated with name-based identifiers (usernames). The biggest challenge from an IT support perspective is the time-consuming and labor-intensive effort to rename an employee when their last name changes. Many applications embed the username in account or record information and these all need to be changed to ensure the individual continues to receive services they re entitled to. Creating usernames (UnityID) that are not name-based will allow us to stop the practice of renaming accounts. An additional benefit is that having name-based identifiers makes it difficult to release a principle name to an application if it can be easily traced back to a student (if they have a FERPA privacy block in place). Just privacy concerns in general would be eliminated if the UnityIDs were randomly generated or used an algorithm that did not include the users name. This project should be relatively simple to implement as it only requires a change to how the UnityID is created. Coming up with an approved formula for the creation of the identifier might be the most difficult aspect of the project. Communicating to campus that renames will no longer be done to Page 6 of 23
7 usernames is also part of this project. An additional enhancement might be to allow users to choose from several usernames when initially entering the university. This might eliminate those situations where whatever method is chosen to create an identifier results in something that is offensive to the individual user. An extension of this project might be to use another numeric campus identifier (ncsuid) to store in records and applications, and only use the UnityID as an alias for logins. It would still be a permanent identifier, but could be changed if there is a problem with it, and not required changes to multiple records and account systems. Enterprise Directory Services An Enterprise Directory Service (EDS) provides campus with a single location for unique user identity data that can be consumed by authorized campus resources and applications. It can be used for many purposes from online person directories to user account information, and to make access decisions around who is entitled to various services. Systems of Record (SoR) would supply authoritative data feeds to the EDS to keep it current. If applications access the EDS rather than using extracts or copies of user data, they would always be using current data and eliminate the possibility of making decisions or reporting on aged data. It also reduces the need for extracts that must be created and copied to multiple systems. The data is much more controlled and secure than a distributed model which gives the data to another owner and must depend on them to keep it secured. The Directory would also hold group and role data that could be created dynamically or by users (either directly through a GUI or by a request to a support team that would create static groups). Groups could be created for any number of purposes classes, distribution lists, department groups, application groups, etc. Groups based on course or class membership could be used to provide appropriate student access to applications such as VCL or Moodle or services such as the Library book reservation system. Roles could be assigned to individuals based on affiliation types, job functions or responsibilities, etc. Application or resource owners could petition the EDS service team to add additional attributes to support their specific services. Guest Account System The Guest account system provides a mechanism to authenticate people who are loosely-affiliated with the university and allow them to access appropriate resources without allowing access to those services restricted to more traditional members of the university community (students, faculty and staff). It also provides a way to enable certain groups of individuals (parents, vendors, alumni, retirees, job applicants, etc.) access to services, without being entered into our HR system as No Pay Employees. These individuals are often provided access to campus services they are not entitled to (or the university is not licensed for) simply because they can login to certain university accounts. Many applications cannot determine a user s affiliation with the university at this time, and therefore assume if someone can login they must be someone who should have access to the service. Having a guest account system would Page 7 of 23
8 provide another way to help make this determination as well as improve the integrity of the HR and Student user data. It also would allow us to capture some limited amount of bio-demo data (to be defined by campus leaders and data stewards) that could be used to provide statistics to different university groups such as admissions, development, athletics, etc. Seminars, summer youth camps, sports camps, continuing education and conferences would fall into this group of campus programs that might need guest access to services. If these individuals transition to a more traditional relationship with the university over time, it could be determined where they first experienced contact with NC State and provide an opportunity to evaluate the effectiveness of these programs in encouraging a renewed and richer relationship with the university. Page 8 of 23
9 The Internet2 IAM Model This diagram was developed by the Internet2 - Middleware Initiative (I2MI) and highlights a model of Identity and Access Management for Higher Education. middleware.internet2.edu Page 9 of 23
10 Policy and Governance Define user Affiliation Types for the university and what Services should be provided to each affiliate or group of affiliates Determine the risk associated with enterprise applications and what Level of Assurance (LoA) and strength of authentication (e.g. Strong Passwords, Second password, multi-factor) should be required for access to each Approve and support implementation of procedures for identity-proofing employees, students, affiliates and guests to meet each Level of Assurance (LoA) required for access Approve access to university identity data in the Enterprise Directory Services (e.g. College, Department, Application/Server, Individual) Authorize the creation of IAM working groups or project teams to address IAM areas of need Set priorities of various IAM projects based upon the university business need and available resources Page 10 of 23
11 Source Data / Systems of Record Systems of Record (SOR) should be identified and the appropriate authoritative data elements or attributes made available to the Identity Management system and/or an Enterprise Directory Service (EDS). The University Data Stewards define what identity data is authoritative (above), approve population of the data into an EDS and who can access it. Traditional campus users (faculty, staff and students) are distinguished from those who are more loosely affiliated with the university. Create a Guest System System of Record, to contain accounts and identity data for non-traditional users. Provide for movement of users between the guest and enterprise systems as their affiliation changes over time. Page 11 of 23
12 Enterprise Directory Services Design the Enterprise Directory Service to hold all the commonly used authoritative identity attributes of traditional and nontraditional users to provide the most value to authorized university identity data customers/consumers Continually evaluate technologies, methodologies and peer solutions to determine if NC State is providing the best service for our customers Evaluate and make recommendations on how to use the IAM system to provide identity information that allows campus resources, services and applications to make appropriate access decisions (e.g. Library services, LMS, college or department web resources, enterprise applications, etc.) Promote appropriate technologies if they can facilitate effective, efficient access to Systems and Services (e.g. Federated Identities, Single Sign-on, Single Authentication environment, twofactor authentication) Page 12 of 23
13 Identity Data Consumers (Applications, Services) Evaluate customer business requirements and needs for identity data and other IAM services Enhance the IAM System (e.g. additional attributes, group and role management, entitlements, etc.) to meet these data needs and to facilitate appropriate and secure access to campus resources where required Provide appropriate attributes to Federated Partners where agreed to by federation policies or agreement (contract) with the Service Provider Page 13 of 23
14 Groups and Privilege Management Look at the implementation of fine-grained group management as a means of providing access to university applications and resources Find or develop tools (scripts) to create entitlements for users based on group membership or roles, and use where appropriate to facilitate access to applications, services and resources Work with campus to transition their resources and applications to use shibboleth and group, role and attribute/entitlement-based access Review and recommend a process or application for group creation (centrally and/or user managed) Look at functional role management and privilege management as a way to provide access to applications and services Page 14 of 23
15 NC State University Current Account Provisioning Page 15 of 23
16 NC State University - Planned IAM Services Page 16 of 23
17 NC State University IAM Governance and Team Structure Page 17 of 23
18 Next Steps After the adoption of the IAM Roadmap, projects will continue in support of the IAM Initiative. The priority of the projects and the resources required to implement them will be determined by the campus business needs and at the direction of the IAM Oversight Committee. The IAM Service Team will continue to review the roadmap and make updates to it and the IAM Project list. They will also continually evaluate the progress of existing projects and make recommendations to the IAM Oversight Committee for establishing new projects or forming new teams as campus demands, business needs, changes in regulations or new technologies dictate. Conclusions The IAM Roadmap is not a static document. As progress is made on various IAM Projects the priorities of the remaining areas of IAM will change. Also, new technology or tools may influence when and how IAM projects are prioritized. What won t change are the business needs of the university for accurate, authoritative and secure identity data about campus community members and guests, and the ability to quickly and securely authenticate those users who have a right to access the university s resources. Page 18 of 23
19 Gantt Chart of IAM Initiative Projects Page 19 of 23
20 APPENDIX A IAM Project List IAM Topics / Tasks Description / Comments Relationships Affiliation vs. Services Matrix Identification of Affiliations Mapping Affiliates to Services When they receive/lose services ID-Proofing & Initial Issuing of Credentials Student Employees Affiliates (non-students) Remote - Distance Education Creation of University Identifier? (ncsuid) Enterprise Directory Services Schema Changes Group Management Determine what different affiliations exist and whether to group into categories Identify what services the university provides to "each" affilate type (e.g. student, alumni, parent, staff, contractor) Needed to implement appropriate provisioning & de-provisioning of services for each affiliate (or group/class of affiliates) Elevate LoA at time of Campus ID receipt Completed when filling out Form I-9 Numeric Identifier that exists outside of ERP systems Adding attributes and Object Classes Some affiliations are part of the Student or Employee "life cycle" and transitions between affiliations result in the addition or removal of services provided People could be provisioned into "affilation groups" that have a specific set of services (e.g. MyPack Portal Self-Service, Library Services, Alumni Services) (see above) Handoff of campus credential (or recredentialing) Potentially need to achieve LoA "2" for certain apps (included for completeness) Required for access to resources Required for access to resources Would allow people to move between guest system and HR/SIS as their affiliation with the university changes Add eduperson, eduorg, educourse Object Classes as well as Student Class data Needed for centralized access management to resources; Requires tool(s) or scripts to Page 20 of 23
21 implement Entitlements (Attributes) Adding Attributes (Process) Federated Identity Attributes Identify Systems of Record Technical Implementation Decisions Shibboleth/SAML - Federation Production IdP (Identity Provider) NC State Federation Process for new SPs WRAP replacement MyPack Portal Currently in place, but need to improve robustness of service (failover, load-balancing) Shibboleth for campus resources and web apps Documentation and Approval Process Shibbolizing Portal authentication Usually created as a result of Group Membership or having a certain "role". Would also be used in access management decisions by web apps or protected resources Requires an approval group (Data Release Management Oversight Committee); Can be used for access management Same as other attributes, but need to be made available to federation SPs Needed to ensure that attribute data is "authoritative"; alternatively to consider additional identity data attributes added to the EDS? Required for any shibbolized services (either internal or external) - needs authentication mechanism and attribute data (EDS) Same prerequisites as above; Can provide WRAP replacement for campus web apps Required to create new SPs within NC State Federation IdP needs to be at full production capability; Process needs to be published, with review committee or approval workflow in place NC State Federation needs to be in place or portal may need to operate within the UNC System Federation; applications behind the portal may need to be modified to accept additional credentials (UNC-CH users?) Page 21 of 23
22 Attribute Release Policy (ARP) uapprove Privacy Flags Account Management & Authentication Sun IDM Hardware Upgrade - Production Account Provisioning Account De-provisioning Guest Authentication System Reduced AuthN Environments Multi-factor authentication Single Sign-On (SSO) Both the policy decisions and the technical execution of the policy that determines which identity attributes are released to which Service Providers (SPs) A tool/utility to allow a user to see what attributes are requested by a SP (above and beyond those attributes that would normally be released) and authorize their release Review uapprove and FERPA regulations with Internal Audit and Legal Affairs Authentication Environment for nontraditional campus affiliates Make effort to utilize a minimum set of authentication service(s) More than just username/password Should be in place prior to releasing student attributes to external federation resources - needs approval from HR and Student data stewards Policy decisions must be made in order to implement the ARP within the IdP.XML files as well as within uapprove; release of student attributes to any external SP require uapprove to be in place (must check FERPA privacy block) Must be checked by uapprove prior to releasing attributes for students Need additional hardware to handle increased load. Requires "trigger" from HR or SIS SOR; Effort to minimize the number of accounts provisioned (same as above - trigger; minimal number of accounts) Need policy to define different affiliation types, services provided, start/stop dates for services; Need to understand whether attribute data will be kept in EDS along with traditional campus members Stable, primary authentication environment for all services; reduce synchronization of credentials Requires application(s) ability to take advantage of another factor, or to implement a second password or reprompt Ability to re-use an authentication credential previously obtained by the user Page 22 of 23
23 Password Management Obtaining initial password; self-service password resets Single authoritative source for campus password; ability to securely sync with other systems if necessary Controls (FGPP)? Need application or tool to implement Issuing Initial Password FERPA and other regulation may determine "how" we can do this; also ties in with identity proofing for on-campus and remote students Need to have "Proponderance of Evidence" to issue to a user via US Mail, Cell Phone, ? Self-Service Password Resets (UIA) Probably through Sun IDM Need adaptors or connectors in place to implement UIA questions; UIA in place to do self-service pwd resets Privileged account management Use SAR? Connectors to required system; determine workflow to approve accounts and access; implement in SAR? SAR/SunIDM should push administration policies consistently to all systems it provisions Not clear on this one - implying that there needs to be consistent password policies across platforms, applications? Page 23 of 23
INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES
INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES 1. Federation Participant Information 1.1 The InCommon Participant Operational Practices information below is for: InCommon Participant organization
More informationProvisioning and Deprovisioning 1 Provisioning/De-provisiong replacement 1
Item Count Provisioning/Deprovisioning Automated Deprovisioning 1 Automated on/off boarding from an authoritative source AUTOMATED [DE-]PROVISIONING 1 Removal of resources at the appropriate time 1 Timeliness
More informationINCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES
INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES Participation in the InCommon Federation ( Federation ) enables a federation participating organization ("Participant") to use Shibboleth identity
More informationStephen Hess. Jim Livingston. Program Name. IAM Executive Sponsors. Identity & Access Management Program Charter Dated 3 Jun 15
Program Name Identity and Access Management (IAM) Implementation IAM Executive Sponsors Jim Livingston Stephen Hess 1 P age Project Scope Project Description The goal of this project is to implement an
More informationFederated Identity Management and Shibboleth: Policy and Technology for Collaboration
Federated Identity Management and Shibboleth: Policy and Technology for Collaboration Marianne Colgrove, Deputy CTO, Reed Joel Cooper, Director of Information Technology Services, Carleton John O Keefe,
More informationINCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES
INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES Participation in the InCommon Federation ( Federation ) enables a federation participating organization ("Participant") to use Shibboleth identity
More informationIdentity Access Management IAM 101. Mike Conlon Director of Data Infrastructure mconlon@ufl.edu
Identity Access Management IAM 101 Mike Conlon Director of Data Infrastructure mconlon@ufl.edu 1 Three Processes Identity Answers the question Who is in our environment? Authentication Answers the question
More informationINCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES
INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES Participation in the InCommon Federation ( Federation ) enables a federation participating organization ("Participant") to use Shibboleth identity
More informationBusiness and Process Requirements Business Requirements mapped to downstream Process Requirements. IAM UC Davis
Business and Process Requirements Business Requirements mapped to downstream Process Requirements IAM UC Davis IAM-REQ-1 Authorization Capabilities The system shall enable authorization capabilities that
More informationINCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES
INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES Participation in InCommon Federation ( Federation ) enables the participant to use Shibboleth identity attribute sharing technologies to manage access
More informationFederated Identity Management and Shibboleth. Noreen Hogan Asst. Director Enterprise Admin. Applications
Federated Identity Management and Shibboleth Noreen Hogan Asst. Director Enterprise Admin. Applications Federated Identity Management Management of digital identity/credentials (username/password) Access
More informationProject Charter for ITPC-0375
9-16-2011 Page 1 of 12 Project Charter for ITPC-0375 Prepared by: Daryl Fritchey Project Name ITPC-0375 Identity and Access Management (IAM) Implementation IAM Executive Sponsors Chair Michael Hites, Executive
More informationIDENTITY MANAGEMENT ROLLOUT: IN A HURRY. Jason Blackader, UNIX Systems Administrator
IDENTITY MANAGEMENT ROLLOUT: IN A HURRY Jason Blackader, UNIX Systems Administrator Undergraduate, Graduate, Continuing Ed Industrial Design, Communication Design, Design Sciences, Arts & Media Two Campuses
More informationNCSU SSO. Case Study
NCSU SSO Case Study 2 2 NCSU Project Requirements and Goals NCSU Operating Environment Provide support for a number Apps and Programs Different vendors have their authentication databases End users must
More informationNovell to Microsoft Conversion: Identity Management Design & Plan
Novell to Microsoft Conversion: Identity Management Design & Plan Presented To: 3/2/2011 1215 Hamilton Lane, Suite 200 Naperville, IL 60540 www.morantechnology.com Voice & Fax: 877-212-6379 Version History
More informationCanadian Access Federation: Trust Assertion Document (TAD)
Participant Name: McGill University Canadian Access Federation: Trust Assertion Document (TAD) 1. Purpose A fundamental requirement of Participants in the Canadian Access Federation is that they assert
More informationIdentity Management. Manager, Identity Management. Academic Technology Services. Michigan State University Board of Trustees
Identity Management and Shibboleth h at MSU Jim Green Manager, Identity Management Michigan State t University it Academic Technology Services Identity Management Definition: Identity management is the
More informationIDENTITY MANAGEMENT AND WEB SECURITY. A Customer s Pragmatic Approach
IDENTITY MANAGEMENT AND WEB SECURITY A Customer s Pragmatic Approach AGENDA What is Identity Management (IDM) or Identity and Access Management (IAM)? Benefits of IDM IDM Best Practices Challenges to Implement
More informationIdentity Assurance Framework
Executive Summary Assurance of a user s identity in an electronic system is required for many University business processes to function efficiently and effectively. As the risk associated with an electronic
More informationRFP BOR-1511 Federated Identity Services - Response to Questions / Answers
Q # 1 RFP BOR-1511 Federated Identity Services - Response to Questions / Answers Under Technical Requirements the following requirement is listed: 2. The solution is cloud-based softwareas-a-service, requiring
More informationThe Unique Alternative to the Big Four. Identity and Access Management
The Unique Alternative to the Big Four Identity and Access Management Agenda Introductions Identity and Access Management (I&AM) Overview Benefits of I&AM I&AM Best Practices I&AM Market Place Closing
More informationSTATE OF NEW YORK IT Transformation. Request For Information (RFI) Enterprise Identity and Access Management Consolidated Questions and Responses
STATE OF NEW YORK IT Transformation Request For Information (RFI) Enterprise Identity and Access Management Consolidated Questions and Responses June 8, 2012 Appendix B Consolidated Vendor Questions with
More informationFederated Identity: Leveraging Shibboleth to Access On and Off Campus Resources
Federated Identity: Leveraging Shibboleth to Access On and Off Campus Resources Paul Riddle University of Maryland Baltimore County EDUCAUSE Mid-Atlantic Regional Conference January 16, 2008 Copyright
More informationFederation At Fermilab. Al Lilianstrom National Laboratories Information Technology Summit May 2015
Federation At Fermilab Al Lilianstrom National Laboratories Information Technology Summit May 2015 About Fermilab Since 1967, Fermilab has worked to answer fundamental questions and enhance our understanding
More informationFederated Identity Management Checklist
Federated Identity Management Checklist This document lists the minimum (marked with an *) and recommended policy, process, and technical steps required to implement Federated Identity Management and operate
More informationThe State of Identity Management Self-assessment Questionnaire
Identity and the Cloud: Preparing Your Campus EDUCAUSE 2010 Pre-Conference Seminar The State of Identity Management Self-assessment Questionnaire Each entry below describes an aspect of identity management
More informationIntroduction to Identity and Access Management for the engineers. Radovan Semančík April 2014
Introduction to Identity and Access Management for the engineers Radovan Semančík April 2014 How it works now? Manager Admin Login Users Login Admin Login Login Login Theory Manager Admin Forgot password
More informationBusiness-Driven, Compliant Identity Management
SAP Solution in Detail SAP NetWeaver SAP Identity Management Business-Driven, Compliant Identity Management Table of Contents 3 Quick Facts 4 Business Challenges: Managing Costs, Process Change, and Compliance
More informationUW System Identity & Access Management (IAM) Recommended Strategic Roadmap
UW System Identity & Access Management (IAM) Recommended Strategic Roadmap Fall 2015 ITMC (Rev 1/11) Our challenge CIOs charged IAM-TAG with recommending an IAM strategy that would: Establish an identity
More informationSAML SSO Configuration
SAML SSO Configuration Overview of Single Sign-, page 1 Benefits of Single Sign-, page 2 Overview of Setting Up SAML 2.0 Single Sign-, page 3 SAML 2.0 Single Sign- Differences Between Cloud-Based Meeting
More informationEncore Software Solutions (V3) Identity Lifecycle Management and Federated Security Suite (ILM/FSS) Overview and Technical Requirements
Encore Software Solutions (V3) Identity Lifecycle Management and Federated Security Suite (ILM/FSS) Overview and Technical Requirements Encore Software Solutions (V3) provides a holistic Identity Lifecycle
More informationCanadian Access Federation: Trust Assertion Document (TAD)
Canadian Access Federation: Trust Assertion Document (TAD) Purpose A fundamental requirement of Participants in the Canadian Access Federation is that they assert authoritative and accurate identity attributes
More informationBusiness-Driven, Compliant Identity Management
Solution in Detail NetWeaver NetWeaver Identity Business-Driven, Compliant Identity Using NetWeaver Identity Managing users in heterogeneous IT landscapes presents many challenges for organizations. System
More informationAchieving HIPAA Compliance with Identity and Access Management
Achieving HIPAA Compliance with Identity and Access Management A Healthcare Case Study Stephen A. Whicker Manager Security Compliance HIPAA Security Officer AHIS/St. Vincent Health DISCLAIMER: The views
More informationThe Top 5 Federated Single Sign-On Scenarios
The Top 5 Federated Single Sign-On Scenarios Table of Contents Executive Summary... 1 The Solution: Standards-Based Federation... 2 Service Provider Initiated SSO...3 Identity Provider Initiated SSO...3
More informationIdentity and Access Management Memorial s Strategic Roadmap
Identity and Access Management Memorial s Strategic Roadmap Executive Summary January 29, 2015 Identity and Access Management Identity and Access Management (IAM) is an integrated system of policies, business
More informationBrought to you by InCommon in cooperation with Internet2 and the EDUCAUSE Identity and Access Management Working Group.
IAM Online Brought to you by InCommon in cooperation with Internet2 and the EDUCAUSE Identity and Access Management Working Group. IAM Online is a new monthly series delivering interactive education on
More informationMulti-Factor Authentication, Assurance, and the Multi-Context Broker
Multi-Factor Authentication, Assurance, and the Multi-Context Broker IAM Online April 30, 2014 Keith Wessel, University of Illinois, Urbana-Champaign David Langenberg, University of Chicago David Walker,
More informationCurrent Environment Assessment Specification. Single Sign On Customer Relation Management Workstation Support
Current Environment Assessment Specification Single Sign On Customer Relation Management Workstation Support Georgia State University By: Team #2 Members: Igor Wolbers Tony Yuan Saeed Nadjariun Team2 Version
More informationEnterprise Identity Management Reference Architecture
Enterprise Identity Management Reference Architecture Umut Ceyhan Principal Sales Consultant, IDM SEE Agenda Introduction Virtualization Access Management Provisioning Demo Architecture
More informationThree Case Studies in Access Management
Three Case Studies in Access Management IAM Online June 10, 2015-2 pm EDT Andy Morgan, Oregon State University Mandeep Saini, GÉANT Albert Wu, UCLA Moderator: Tom Barton, University of Chicago Fit for
More informationA Shibboleth View of Federated Identity. Steven Carmody Brown Univ./Internet2 March 6, 2007 Giornata AA - GARR
A Shibboleth View of Federated Identity Steven Carmody Brown Univ./Internet2 March 6, 2007 Giornata AA - GARR Short Section Title Agenda Assumptions and Trends Identity Management and Shibboleth Shibboleth
More informationEnhancing Collaboration by Extending the Groups Directory Infrastructure. James Cramton Brown University
Enhancing Collaboration by Extending the s Directory Infrastructure James Cramton Brown University Why We are Here De-duplication without all the facts Software in central business system identifies individuals
More informationIAM, Enterprise Directories and Shibboleth (oh my!)
IAM, Enterprise Directories and Shibboleth (oh my!) Gary Windham Senior Enterprise Systems Architect University Information Technology Services windhamg@email.arizona.edu What is IAM? Identity and Access
More informationAuthentication Integration
Authentication Integration VoiceThread provides multiple authentication frameworks allowing your organization to choose the optimal method to implement. This document details the various available authentication
More informationRegulatory Compliance Using Identity Management
Regulatory Compliance Using Identity Management 2015 Hitachi ID Systems, Inc. All rights reserved. Regulations such as Sarbanes-Oxley, FDA 21-CFR-11 and HSPD-12 require stronger security, to protect sensitive
More information<Insert Picture Here> Oracle Identity And Access Management
Oracle Identity And Access Management Gautam Gopal, MSIST, CISSP Senior Security Sales Consultant Oracle Public Sector The following is intended to outline our general product direction.
More informationAurora Hosted Services Hosted AD, Identity Management & ADFS
22/09/2013 Aurora Hosted Services Hosted AD, Identity Management & ADFS 1 Service Overview - Hosted Identity Management Core provides a fully managed solution hosted in Azure and connected directly to
More informationIdentity and Access Management Policy
Page 1 of 5 Identity and Access Management Policy Reference number 0605-IAM Interim HEMIS Classification 0605 Purpose Date of implementation 1 December 2012 Review date Previous reviews Policy owner Policy
More informationOpen Source Identity Management
Open Source Management OpenAlt 2015 Radovan Semančík November 2015 Ing. Radovan Semančík, PhD. Software architect Co-owner of Evolveum (open source company) Architect of midpoint project Apache committer
More information1 Building an Identity Management Business Case. 2 Agenda. 3 Business Challenges
1 Building an Identity Management Business Case Managing the User Lifecycle Across On-Premises and Cloud-Hosted Applications Justifying investment in identity management automation. 2 Agenda Business challenges
More informationInCommon Basics and Participating in InCommon
InCommon Basics and Participating in InCommon A Summary of Resources Updated October 25, 2013 Copyright 2011-2013 by Internet2, InCommon and/or the respective authors Table of Contents TABLE OF CONTENTS
More informationIT Commons Enterprise Directory Services Project
Business Case and Funding Proposal IT Commons Enterprise Directory Services Project Table of Contents Executive Summary...3 Introduction...4 Statement of Opportunity...4 Current State of Directories...5
More informationInformation Technology Services. Roadmap 2014-2016
Information Technology Services Roadmap 2014-2016 Introduction This document charts the direction for Humboldt State University s Information Technology Services department over the next three years. It
More informationCanadian Access Federation: Trust Assertion Document (TAD)
Participant Name: Canadian Access Federation: Trust Assertion Document (TAD) 1. Purpose A fundamental requirement of Participants in the Canadian Access Federation is that they assert authoritative and
More informationQuest One Identity Solution. Simplifying Identity and Access Management
Quest One Identity Solution Simplifying Identity and Access Management Identity and Access Management Challenges Operational Efficiency Security Compliance Too many identities, passwords, roles, directories,
More informationIdentity Management in Liferay Overview and Best Practices. Liferay Portal 6.0 EE
Identity Management in Liferay Overview and Best Practices Liferay Portal 6.0 EE Table of Contents Introduction... 1 IDENTITY MANAGEMENT HYGIENE... 1 Where Liferay Fits In... 2 How Liferay Authentication
More informationExtending Identity and Access Management
Extending Identity and Access Management Michael Quirin Sales Engineer Citrix Systems 1 2006 Citrix Systems, Inc. All rights reserved. Company Overview Leader in Access Infrastructure NASDAQ 100 and S&P
More informationGet Cloud Ready: Secure Access to Google Apps and Other SaaS Applications
Get Cloud Ready: Secure Access to Google Apps and Other SaaS Applications Matt Weisberg Vice President & CIO, Weisberg Consulting, Inc. matt@weisberg.net Paul McKeith Technical Sales, Novell, Inc. pmckeith@novell.com
More informationAccelerate Without Fear: Extend Your Enterprise with Identity Federation. Kirk Brown CTO, Identity Management Sun Microsystems
Accelerate Without Fear: Extend Your Enterprise with Identity Federation Kirk Brown CTO, Identity Management Sun Microsystems 1 Welcome to the Participation Age Enterprise Collaborative Industry Networks,
More informationApproaches to Enterprise Identity Management: Best of Breed vs. Suites
Approaches to Enterprise Identity Management: Best of Breed vs. Suites 2015 Hitachi ID Systems, Inc. All rights reserved. Contents 1 Introduction 1 2 Executive Summary 1 3 Background 2 3.1 Enterprise Identity
More informationWIPRO IDENTITY CLOUD UNLEASHING THE NEXT GENERATION OF IDENTITY AND ACCESS MANAGEMENT (IAM) www.wipro.com
WIPRO IDENTITY CLOUD UNLEASHING THE NEXT GENERATION OF IDENTITY AND ACCESS MANAGEMENT (IAM) www.wipro.com Table of Contents 03...Introduction 04...Wipro Cloud (WIC) as a Service Type 05...Wipro Cloud Capabilities
More informationPROJECT CONTROL DOCUMENT
PROJECT CONTROL DOCUMENT PERSISTENT EMAIL (AKA EMAIL MODEL) EM-PCD-001 Draft 06/09/2004 Prepared by Don D Worth UCLA PERSISTENT EMAIL Copyright 2002-2004, The Regents of the University of California All
More informationBUSINESS-DRIVEN, COMPLIANT IDENTITY MANAGEMENT USING SAP NetWeaver IDENTITY MANAGEMENT
Solution in Detail NetWeaver BUSINESS-DRIVEN, COMPLIANT IDENTITY MANAGEMENT USING NetWeaver IDENTITY MANAGEMENT Identity management today presents organizations with a host of challenges. System landscapes
More informationPresentation to House Committee on Technology: HHS System Identity & Access Management
Presentation to House Committee on Technology: HHS System Identity & Access Management Bowden Hight Deputy Executive Commissioner Information Technology Services Health and Human Services Commission May
More informationMasdar Institute Single Sign-On: Standards-based Identity Federation. John Mikhael ICT Department jmikhael@masdar.ac.ae
Masdar Institute Single Sign-On: Standards-based Identity Federation John Mikhael ICT Department jmikhael@masdar.ac.ae Agenda The case for Single Sign-On (SSO) Types of SSO Standards-based Identity Federation
More informationVermont Enterprise Architecture Framework (VEAF) Identity & Access Management (IAM) Abridged Strategy Level 0
Vermont Enterprise Architecture Framework (VEAF) Identity & Access Management (IAM) Abridged Strategy Level 0 EA APPROVALS EA Approving Authority: Revision
More informationSingle Sign On at Colorado State. Ron Splittgerber
Single Sign On at Colorado State Ron Splittgerber Agenda Identity Management Authentication Authorization The Problem The Solution: Federation Trust Between Institutions Trust Between Institution and Federal
More informationEasy as 1-2-3: The Steps to XE. Mark Hoye Services Portfolio Consultant
Easy as 1-2-3: The Steps to XE Mark Hoye Services Portfolio Consultant September 25, 2015 Objective / Agenda Objective Provide relevant information about Banner XE Provide a framework for understanding
More informationCanadian Access Federation: Trust Assertion Document (TAD)
Participant Name: Royal Roads University_ Canadian Access Federation: Trust Assertion Document (TAD) 1. Purpose A fundamental requirement of Participants in the Canadian Access Federation is that they
More informationActive Directory User Management System (ADUMS)
Active Directory User Management System (ADUMS) Release 2.9.3 User Guide Revision History Version Author Date Comments (MM/DD/YYYY) i RMA 08/05/2009 Initial Draft Ii RMA 08/20/09 Addl functionality and
More information[Identity and Access Management Self-Service Portal]
2014 The University of Tennessee at Chattanooga Tony Parsley [Identity and Access Management Self-Service Portal] The following document is intended for all Students, Faculty, Staff, and Affiliates of
More informationThe Role of Federation in Identity Management
The Role of Federation in Identity Management August 19, 2008 Andrew Latham Solutions Architect Identity Management 1 The Role of Federation in Identity Management Agenda Federation Backgrounder Federation
More informationCanadian Access Federation: Trust Assertion Document (TAD)
Participant Name: University of Lethbridge 1. Purpose A fundamental requirement of Participants in the Canadian Access Federation is that they assert authoritative and accurate identity attributes to resources
More informationIdentity Management Issues for Multi-Campus Institutions - University of California -
Identity Management Issues for Multi-Campus Institutions - University of California - David Walker Jacqueline Craig Office of the President University of California Copyright Regents of the University
More informationEstablishing A Multi-Factor Authentication Solution. Report to the Joint Legislative Oversight Committee on Information Technology
Establishing A Multi-Factor Authentication Solution Report to the Joint Legislative Oversight Committee on Information Technology Keith Werner State Chief Information Officer Department of Information
More informationIntelligent Security Design, Development and Acquisition
PAGE 1 Intelligent Security Design, Development and Acquisition Presented by Kashif Dhatwani Security Practice Director BIAS Corporation Agenda PAGE 2 Introduction Security Challenges Securing the New
More informationAugust 14, 2007 Chapter 2. Identity Management Requirements Identity Management. Table of Contents Definitions Bona fide identity. Digital identity.
August 14, 2007 Chapter 2. Identity Management Requirements Identity Management. A comprehensive set of tools and processes for creating and managing digital identities for all entities that are affiliated
More informationSecuring Physician and Patient Portals for HIPAA Compliance
Securing Physician and Patient Portals for HIPAA Compliance HIPAA Summit VIII Session 2.04 1:00 2:00 pm March 8 1 Agenda Identity and Access Management Technology and HIPAA Requirements Bob Tahmaseb, Principal
More informationIdentity Governance Evolution
Identity Governance Evolution Paola Marino Principal Sales Consultant Agenda Oracle Identity Governance Innovation Cloud Scenarios enabled by Oracle Identity Platform Agenda Oracle
More informationDESIGN BUILD TEST TRAIN/DEPLOY MAINTENANCE
SOLUTION PLAN REQUIREMENTS ANALYSIS DESIGN BUILD TEST TRAIN/DEPLOY MAINTENANCE Executive Summary The project will document campus requirements for IAM functionality and select and procure one or more technology
More informationEnterprise Directory Services Phase 2 Governance Board Recommendations
MAIS Information Technology Central Services and Michigan Administrative Information Services Enterprise Directory Services Phase 2 Governance Board Recommendations Populations and Data Sources The goal
More informationCAMPUS EXPERIENCES USING NET+ TRUST, IDENTITY, AND SECURITY SERVICES
CAMPUS EXPERIENCES USING NET+ TRUST, IDENTITY, AND SECURITY SERVICES Nicholas Roy Penn State (Pennsylvania State University, The) Andrea Harrington Penn State (Pennsylvania State University, The) Michael
More informationA HIGH-LEVEL GUIDE TO EFFECTIVE IDENTITY MANAGEMENT IN THE CLOUD
A HIGH-LEVEL GUIDE TO EFFECTIVE IDENTITY MANAGEMENT IN THE CLOUD By Gail Coury, Vice President, Risk Management, Oracle Managed Cloud Services 2014 W W W. OU T S O U R C IN G - CEN T E R. C O M Outsourcing
More informationGoogle Apps SSO to Office 365 Integration
KETS Google Apps SSO to Office 365 Integration Kentucky Department of Education Version 1.6 4/21/2015 Google Apps for Education (GAFE) + Microsoft Active Directory Integration Introduction Welcome to the
More informationUSING ESPRESSO [ESTABLISHING SUGGESTED PRACTICES REGARDING SINGLE SIGN ON] TO STREAMLINE ACCESS
USING ESPRESSO [ESTABLISHING SUGGESTED PRACTICES REGARDING SINGLE SIGN ON] TO STREAMLINE ACCESS Andy Ingham (UNC-Chapel Hill) NASIG Annual Conference, June 4, 2011 What I hope to cover Problem statement
More information- Identity & Access Management
IBM Software Group NSHE - Identity & Access Management 2006 IBM Corporation Identity & Access Management Access Management and The Monitoring, Auditing and Reporting for Compliance So What s The Problem
More informationDirectory Integration with Okta. An Architectural Overview. Okta Inc. 301 Brannan Street San Francisco, CA 94107. info@okta.
Directory Integration with Okta An Architectural Overview Okta Inc. 301 Brannan Street San Francisco, CA 94107 info@okta.com 1-888-722-7871 Contents 1 User Directories and the Cloud: An Overview 3 Okta
More informationGoogle Apps SSO to Office 365 Integration
KETS Google Apps SSO to Office 365 Integration Kentucky Department of Education Version 1.5 12/3/2014 Google Apps for Education (GAFE) + Microsoft Active Directory Integration Introduction Welcome to the
More informationALA Technology Roadmap. All dates are subject to change at any time based on available resources. 01/16/2014 FY14: January 2014
FY14: January 2014 Solr Search Engine Our Google Mini Search Appliance in use on ala.org was no longer supported by Google, so we needed to replace it with Apache Solr Search, an open source search engine.
More informationUpdate on Identity Management Initiatives: What Are Institutions, Agencies and Federations Doing?
Update on Identity Management Initiatives: What Are Institutions, Agencies and Federations Doing? Ann West, Michigan Technology University Jackie Charonis, Stanford University Nancy Krogh, University of
More informationSAP Solution in Detail SAP NetWeaver SAP NetWeaver Identity Management. Business-Driven, Compliant Identity Management
Solution in Detail NetWeaver Business-Driven, Compliant Identity Table of Contents 3 Quick Facts 4 Business Challenges Identity for the User Lifecycle 5 The Solution Supporting a Heterogeneous IT Landscape
More informationCarleton College: Identity Management and Enterprise Directories at a Smaller Institution
NMI-EDIT Identity and Access Management Case Study Series Carleton College: Identity Management and Enterprise Directories at a Smaller Institution September 2004 NMI-EDIT Case Study Series In response
More informationnexus Hybrid Access Gateway
Product Sheet nexus Hybrid Access Gateway nexus Hybrid Access Gateway nexus Hybrid Access Gateway uses the inherent simplicity of virtual appliances to create matchless security, even beyond the boundaries
More informationIntegrating Multi-Factor Authentication into Your Campus Identity Management System
Integrating Multi-Factor Authentication into Your Campus Identity Management System Mike Grady, Unicon David Walker, Internet2 (both associated with the Internet2 Scalable Privacy Project) Agenda Multi-Context
More informationGeorgia Tech Active Directory Policy
Georgia Tech Active Directory Policy Policy No: None Rev 1.1 Last Revised: April 18, 2005 Effective Date: 02/27/2004 Last Review Date: April 2005 Next Review Date: April 2006 Status Draft Under Review
More informationSD Departmental Meeting November 28 th, 2006. Ale de Vries Product Manager ScienceDirect Elsevier
ש בולת SD Departmental Meeting November 28 th, 2006 Ale de Vries Product Manager ScienceDirect Elsevier Shi... whát? : Shibboleth ש בולת [...] "stream, torrent". It derives from a story in the Hebrew Bible,
More informationWHITEPAPER SECUREAUTH AND CAC HSPD-12 AUTHENTICATION TO WEB, NETWORK, AND CLOUD RESOURCES
WHITEPAPER SECUREAUTH AND CAC HSPD-12 AUTHENTICATION TO WEB, NETWORK, AND CLOUD RESOURCES Executive Overview U.S. Federal mandates dictates that personal with defense related initiatives must prove access
More informationUser Guide. Version R91. English
AuthAnvil User Guide Version R91 English August 25, 2015 Agreement The purchase and use of all Software and Services is subject to the Agreement as defined in Kaseya s Click-Accept EULATOS as updated from
More information