Yoshiaki Kasahara, Eisuke Ito, Naomi Fujimura, Masahiro Obana Kyushu University

Transcription

1 Migration of the student user ID scheme for intra-institutional information service in Kyushu University Yoshiaki Kasahara, Eisuke Ito, Naomi Fujimura, Masahiro Obana Kyushu University 2016/1/26 APAN 41st in Manila, Philippines 1

2 Introduction IT service is fundamental part of education and research activities in a university Maintaining user accounts independently for each service is troublesome for both users and admins Demand for unified user credentials Demand for unified authentication infrastructure Today I talk about user ID for students in Kyushu University 2

3 Fukuoka city, Kyushu Island of Japan Kyushu University Established 1911 Staffs (Academic Researcher) Students Undergraduates Post graduates 8,000 (3,000) 11,000 9,

4 "Student ID" Traditional user ID for each student since 1995 Derived from "Student Number" which is assigned by Student Affairs Department We gradually realized our Student ID had some disadvantages Security concerns Availability (especially for pre-entrance candidate) Discontinuity between undergraduate and graduate 2016/1/26 APAN 41st in Manila, Philippines 4

5 New user ID scheme In 2014, we introduced a new user ID scheme named "Student SSO-KID" independent from Student Number, to solve these problems Derived from a user ID scheme for staff members named "SSO-KID" I'll talk about the design, deployment, effects and future work about our "Student SSO-KID" 2016/1/26 APAN 41st in Manila, Philippines 5

6 Brief history of students' user ID Year Event 1994 Started issuing user accounts for all the students in Kyushu Institute of Design 1995 Started issuing user accounts for all the students in Kyushu University (based of student number) 2003 Merger of Kyushu University and Kyushu Institute of Design 2005 Started trial operation of unified authentication infrastructure (including LDAP servers) Feb Jul Decision made to issue campus-wide unified user ID for every staff member Started issuing campus-wide user ID for staff members (SSO-KID) 2011 Update of ID management system Mar Update of ID management system and introduction of Student SSO-KID 2016/1/26 APAN 41st in Manila, Philippines 6

7 Beginning of User ID for Students Replacement of "Educational Information System" in the end of 1995 Managed by Educational Center for Information Processing, Kyushu University At that time Internet and its service started to become popular Windows 95 Demand for "Information Literacy" education for all the students 7

8 New Educational Information System UNIX server and Windows PCs Server Sun Solaris 2.4 PC Fujitsu FMV running Windows 95 Decided to issue accounts for all the students Before that, accounts were issued on-demand Had to decide ID scheme ID strings created from Student Number 2016/1/26 APAN 41st in Manila, Philippines 8

9 Details of "Student Number" "Student Number" in Kyushu University Course Code [1-9] Faculty Code [A-Z][A-Z] Entrance Year [0-9][0-9] Serial Number [0-9][0-9][0-9] Check Code [A-Z] Student Number 1 A B X It should be straightforward to use this string as the ID string, but 9

10 Details of "Student ID" Limitation of Solaris2.4 (SunOS 5.4) No more than 8 characters (bytes) The first character should be an alphabetic SunOS 5.9, useradd(1) manpage Student Number 1 A B X Student ID (~2008) a b The login (login) and role (role) fields accept a string of no more than eight bytes consisting of characters from the set of alphabetic characters, numeric characters, period (.), underscore (_), and hyphen (-). The first character should be alphabetic and the field should contain at least one lower case alphabetic character. A warning message will be written if these restrictions are not met. A future Solaris release may refuse to accept login and role fields that do not meet these requirements. The conversion remained until the end of 2008 After that Student ID became identical to Student Number 10

11 After that 2007 Kyushu University introduced another ID managementsystem (IDM) and started to provide user IDs for all the staff members A unique 10-digit pseudorandom number SSO-KID Single Sign On - Kyushu University ID 2013 Two ID management systems (for students,and staff members) were merged Decided to introduce a new ID scheme for students similar to SSO-KID To solve problems with using Student ID derived from a student number 2016/1/26 APAN 41st in Manila, Philippines 11

12 End of fy 2012 Other workers data Personnel DB (Staff) Student DB User (staff members) Staff IDM Students Account activation Password change passchg server Sun LDAP (SJSDS) Student IDM (called UMS) Account activation Password change Office System AD Office Win PCs Matrix AuthN WisePoint SP (Reverse Proxy) Course Reg. School Rec. System (teachers) Library System EZ proxy My Library SPs (E-Journals) Shibboleth IdP Software DL Site Researcher DB Syllabus system Course Reg. Grading (Students) Open LDAP WebCT Net Academy Student Portal IC Staff ID Card Facility System kitenet LDAP kitenet (Wi-Fi) RADIUS edunet AD edunet (Wi-Fi) RADIUS LDAP for Mail Student Mail System Provision Module AXIOLE LDAP Staff Mail System Mac Open Directory AD Educational Info. PC room (Mac) PC room (Win PC) Open LDAP AD Campus Cloud (CloudStack) (VCL) (File server) (Win7, Linux)

13 New campus-wide authentication system (fy2014) Personnel DB (Staff) Student DB Other workers Manage all members in Kyushu Univ. Manage ID and password Provisioning to various IT system (Synchronization of various attribute data) Unified ID Management Account activation Password change Register emergency contacts users AuthZ data (CSV) Office System AD Matrix AuthN WisePoint SP (Reverse Proxy) (A) Open LDAP (B) Open LDAP Open w/ SSO-KID LDAP AD AD Open LDAP Provision System Open LDAP Provision System Open AD LDAP Provision System Open LDAP Library System Office PCs Course Reg. School Rec. System (teachers) Researcher DB Syllabus system Course Reg. Grading (Students) Others Net Academy Student Portal IC Staff ID Card Facility SMS Shibboleth IdP SPs (E-Journals) Others edunet Wi-Fi RADIUS Software DL Site Others kitenet Wi-Fi RADIUS Primary Mail Service (Staff, Students) Educational Information System WebCT Campus Cloud (CloudStack)

14 Demands for New ID Scheme Security Concerns Availability Especially in the beginning of new comers Discontinuity Between graduation/migration 2016/1/26 APAN 41st in Manila, Philippines 14

15 Security Concerns Same as Student number and considered public Commercial service providers and retail shops casually copy students ID Cards for their purposes Easy to forge valid IDs (contains a sequence number) Susceptible to reverse brute-force attacks Used for local-part (before ) of address Spammable Become a seed of other valid IDs 2016/1/26 APAN 41st in Manila, Philippines 15

16 Availability Student Number is finalized after April 1st Handed to students during an entrance orientation around April 7th Students cannot use IT services using Student ID immediately after entrance Demands to provide services for Pre-entrance candidates User ID independent from "Student number" is needed 2016/1/26 APAN 41st in Manila, Philippines 16

17 Health Checkup and BYOD PC Orientation All the newly enrolled students (~2,700) must Get a health checkup Join a BYOD orientation class before receiving their ID cards Efficient identification method without ID cards needed Provide student s SSO-KID with barcode printed on an acceptance letter 2016/1/26 APAN 41st in Manila, Philippines 17

18 Discontinuity of User Accounts A student number (= Student ID) changes when: Proceeding to a graduate school Moving to a different department because it contains course and faculty code They need to migrate their data by their own Introduce student SSO-KID as an unchanging unique ID throughout student s campus life 2016/1/26 APAN 41st in Manila, Philippines 18

19 Deployment We should consider Sudden change of ID scheme must be confusing for students Adopt all the IT systems in our university at once is impossible To compensate above 2016/1/26 APAN 41st in Manila, Philippines 19

20 Migration Strategy Internally sssign student SSO-KID to all the students, but Give SSO-KID information only to newly enrolled students Allow existing students to use their student IDs until graduation and/or proceeding to graduate school Continue to provide Student ID based authentication system for IT systems which cannot adopt student SSO- KID immediately 2016/1/26 APAN 41st in Manila, Philippines 20

21 Acceptance Letter Now we can include student SSO-KID and relevant information in an acceptance letter (including an activation code and a barcode of SSO-KID) Students can self-activate their IDs and use a part of IT services before entrance The letter is required for a health checkup and BYOD orientation class 2016/1/26 APAN 41st in Manila, Philippines 21

22 A sample of Acceptance Letter 2016/1/26 APAN 41st in Manila, Philippines 22

23 Modification of Student ID Card Student SSO-KID is printed on the backside of ID cards from 2014 Difficult to replace all the existing ID cards at once because it contains an IC chip The barcode still denotes student number, not SSO-KID for compatibility 2016/1/26 APAN 41st in Manila, Philippines 23

24 Modification of Student ID Card ~fy2013 fy2014~ Student ID Activation Code SSO-KID Barcode of Student ID Student SSO-KID 24

25 Effects Overall effects have been favorable The reception process of a BYOD class was reduced from 30 minutes to 5 minutes Staff of health checkup welcomed barcode of an acceptance letter because it simplified the identification process Pre-entrance service was partially provided in 2014, which was impossible before introducing student SSO- KID Account continuity couldn t be fully evaluated because most of students still needed to change their IDs (to student SSO-KID) 2016/1/26 APAN 41st in Manila, Philippines 25

26 Future Works Due to mismatch of account handling with IDM, service had several service interruption and need some modification in both system Need to refine and improve account management and IDM operation Each IT service needs some modification to adopt student SSO-KID, especially systems not under our direct control 2016/1/26 APAN 41st in Manila, Philippines 26

27 Also We realize that co-existing student ID and student SSO-KID caused more problems than we first expected Planning to migrate all the remaining students to use student SSO-KID in the end of fiscal year /1/26 APAN 41st in Manila, Philippines 27

28 Security Concerns? Actually it is hard to evaluate the effect There were a couple of account breaches with spam incidents during Student ID era Currently no such incident after Student SSO-KID migration But it should have little effect against phishing /1/26 APAN 41st in Manila, Philippines 28

29 2.3 全 学 共 通 認 証 基 盤 ID 管 理 データベース 構 成 員 の 身 元 情 報 ( 氏 名, 所 属, 職 種, 電 話 番 号, ) IDとパスワード アカウントデータのProvisioning 認 証 サーバ LDAP 認 証 サーバ Shibboleth IdP マトリックスパスワード 認 証 装 置 (+Reverse Proxy) 2013 年 度 末, 新 システムへ 更 新 この 機 会 に, 学 生 番 号 と 異 なる 利 用 者 ID 学 生 用 SSO- KID も 導 入 29

30 入 試 の 合 格 通 知 書 に 同 封 する 学 生 SSO-KIDの 通 知 書 学 生 SSO-KIDのバーコードも 印 字 別 紙 で 案 内 ガイダンスのWebページを 案 内 : 新 入 生 健 康 診 断,PC 必 携 化 講 習 会 学 生 SSO-KID とバーコードで 学 生 を 識 別 2014 年 3 月 24 日 以 降 にアカウント 有 効 化 Web 学 習 システムで 入 学 前 自 習 ( 情 報 リテラシー) 30