IAM Committee Meeting Notes 11/9/2015


Attendees: Thomas Beard, CW Belcher, Michael Bos, John Chambers, Cesar de la Garza, Fred Gilmore, Ty Lehman, Andy Loomis, Darin Mattke, Michelle McKenzie, Shelley Powers, Charles Soto
Absent: Cam Beasley, Tim Fackler, Alison Lee, Steve Rung, Karen Weisbrodt
Guest: Francis McGrath
IAM Team Members: Justin Czimskey, Rosa Harris, Josh Kinney, Marta Lang, Aaron Reiser, David Strickland

1. Directory Services Roadmap Review (Josh Kinney)

The team is developing a roadmap to determine the future direction of the IAM team's directory services. The next step will be to engage with current and potential directory services customers to help them understand how directory services can help them, to better understand how the customers are currently using directory services, and to elicit ideas for how to enhance directory services. While the team has quantitative metrics for directory services usage (search types and volumes, for example), qualitative data needs to be gathered to understand what sorts of use cases customers are meeting (or would like to meet) using directory services. More information about the roadmap will be shared with the committee by the end of November. Once the customer engagement portion of the roadmap has been completed, the committee's assistance will be needed to help prioritize and approve changes.

2. Proposed Change to UTLogin Logoff Workflow - Discuss (Rosa Harris & David Strickland)

The primary goal of the next release of UTLogin is to support the implementation of Duo two-factor authentication. However, the release also includes additional enhancements, including a change to the logout workflow. UTLogin now supports SAML integrations in addition to the traditional OpenAM WPA model. The introduction of SAML customers to the UTLogin environment has introduced an issue with logout that the team would like to address. Logout functionality with SAML works differently than it does with WPAs.

If a user is logged into multiple Service Providers (SPs) using SAML and logs out of one SP, they will not be logged out of the other SPs. This is standard SAML behavior, but it is a change from how logout with the on-campus WPAs works. The team proposes changing the current UTLogin flow, which redirects customers to www.utexas.edu upon logout, to instead redirect customers to a page that instructs them to close their browser to complete the logout process. This is how Shibboleth already works, and UTLogin would be changed to match the Shibboleth behavior.

Q: Would this logout page be displayed for both WPA and SAML logouts?
A: Yes. If a customer has both a WPA session and a SAML session, and the customer logs out of the WPA session, the SAML sessions would still be active. Therefore, the advice on the logout page would still apply.
Q: Would it make sense to add a separate button under the text to close the window?
A: The team will consider that suggestion.
Q: What are the ramifications of a customer not closing their browser window?
A: If a session is still active in a browser and the customer steps away from the machine (e.g. on a public terminal), the next person to use that machine could use the browser history to hijack the still-active authentication session.
Q: What do other peer institutions do in these situations?
A: The proposed change would bring us in line with the standard practices of other institutions.

Decision: The committee voted to endorse this change.

3. IAM Services Web Site Review (CW Belcher)

With the modernization of applications across campus, the team has found a growing need for campus to better understand IAM concepts and functions. The team has developed a web site, to be branded IAMservices.utexas.edu, to provide a one-stop resource for learning about IAM core concepts, understanding the questions campus customers need to ask themselves and vendors as they pursue application modernization, and finding more detailed information about IAM services and how the IAM integration process works. Most questions that the IAM Team is currently fielding are related to integrating new applications with the IAM environment, so an Integration section is provided to discuss basic concepts and explain the integration process. The Solutions section provides customers that are further along in the implementation process with more information about the IAM solutions available to them. The Developers section then goes into further technical detail for customers who are doing technical integration work.

This site will be part of a larger outreach effort to provide campus groups with the information that they need to ensure that their modernized applications will integrate smoothly with the University's IAM environment. When the site is ready for review, a link will be sent out to the committee.

4. Other Initiative Updates

a. Identity Assurance Framework (CW Belcher)

Edits have not yet been finalized due to resource constraints, but the team's senior business analyst has been tapped to help complete the final changes.

b. IAM Integrations (Justin Czimskey)

The team has completed several new integrations since the last meeting, and the influx of new requests has slowed down. There are currently 6 integrations in progress. The Technology Architecture Implementation (TAI) project has presented a number of novel and interesting technological challenges that are taking extra time to work through. Standard SAML integration requests are being processed quickly, and the team is working with customers whose integration needs are urgent to help ensure that they meet their deadlines.

c. Two Factor Authentication/Duo Implementation (Justin Czimskey)

The Duo implementation is underway. Planning activities, including communication planning, are nearing completion. The project has been split into a technology component and a business process component, which are working in parallel. The team is working closely with the Help Desk to ensure that they are ready to support customers through the transition. In addition to the main Duo implementation, the team is also working with the owners of applications currently using Toopher to plan their transition to Duo. For Financial Information Services (FIS) the migration is expected to take place in March. For Payroll, the migration is planned for June, after tax season is complete.

d. Lightweight Authentication (Rosa Harris)

The team is currently working on the Request for Proposal (RFP) for a lightweight authentication solution. Meetings with Purchasing are ongoing, and the team plans to release the RFP to vendors in December. Oral presentations for the finalists are planned for February, with vendor selection taking place in March. The team is also continuing to interview departments regarding how they are using Guest-class EIDs.

e. SailPoint Implementation (Marta Lang)

The contract with the SailPoint integration vendor is currently being finalized. The contract is scheduled to be submitted to UT System Administration for review this week.

Directory Services 2015-2016 Roadmap

Background

The utexas Enterprise Directory (TED) is used by campus applications as the consolidated source of student, faculty, staff and guest data. The Directory is fundamental to many of the services and resources used by campus on a daily basis. TED serves as the user store for the UTLogin and Shibboleth centralized authentication services and also provides LDAP-based user authentication for a variety of departmental systems on campus. The White Pages Directory is the web-based, publicly accessible version of this directory service. This Roadmap will provide an approach to evaluate and implement Directory architecture and service changes. These changes aim to increase performance, reliability and utility for the internal use of university departments.

Project Description and Scope

The Directory Services Roadmap will be divided into three broad phases.

1. Increase the performance and reliability of the existing Directory Service

2. Customer Engagement
   - Educate current and new customers on existing Directory Service offerings
   - Elicit requirements for service improvements and enhancements
   - Engage the Directory Services community with a survey to quantify current satisfaction and utility

3. Revise Directory Services
   - Evaluate and prioritize initiatives to address requirements
   - Implement proofs of concept
   - Engage the IAM Committee for revising the Directory Services mission based on customer feedback and available technology
   - Implement revised Directory Services
   - Engage the Directory Services community with an after-state survey

UTLOGIN LOGOUT ENDPOINT CHANGE 11/9/2015

OVERVIEW

An increasing number of UTLogin clients are using Security Assertion Markup Language (SAML) rather than Web Policy Agents (WPAs). SAML authentication provides the same single sign-on (SSO) capabilities as WPA authentication, but is limited in its single log-out (SLO) support. As a result, a user who is working in multiple applications may not be logged out of each application upon sign out. Currently, users are redirected to the University of Texas homepage upon logout. To help protect user privacy, UTLogin should instead redirect to a new page upon logout that instructs the user to close all browser windows.

ACTION REQUIRED

The IAM Committee's endorsement to change the UTLogin user's logout experience.

IMPACT ANALYSIS

If no change is made, users will likely have an incorrect set of expectations for logout, which could threaten their privacy.

PROJECT GOALS

Redirect users to a new logout endpoint, rather than the homepage. The logout endpoint will explain that the user has logged out of the application that was just in use, but may still have active sessions in other applications. The language will be copied from the Shibboleth logout endpoint at https://idp.its.utexas.edu/idp/profile/logout.

SCHEDULE

This change will be included in the UTLogin 2016.1.0 release scheduled for March 13, 2016.

FOR MORE INFORMATION

Thorough explanation of the limitations of SAML SLO: https://www.utexas.edu/its/help/shibboleth/2299
Current Shibboleth Logout Endpoint: https://idp.its.utexas.edu/idp/profile/logout
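The logout behavior described in item 2 of the minutes and in the overview above, modeled as an added example. This is not UTLogin, OpenAM or Shibboleth code; it is an in-memory simulation written for this page, with made-up hostnames, entity IDs and EID value. It shows the three states the committee discussed: an SP-local logout that leaves the IdP session and the other SP alive (so the next person at a public terminal who reopens the first application is silently re-authenticated), a complete front-channel Single Logout for comparison, and the effect of closing all browser windows as the new logout page will instruct.

```python
# Added example (not UTLogin or Shibboleth code): an in-memory model of SAML web
# SSO session state. It shows why logging out of one Service Provider (SP) leaves
# the IdP session and the other SPs alive, so the next person at the same browser
# is silently re-authenticated; what a front-channel Single Logout (SLO) does
# instead; and what "close all browser windows" achieves. All names are made up.
import secrets

class Browser:
    """Cookie jar of a shared public terminal: host -> session cookie."""
    def __init__(self):
        self.cookies = {}

    def close_all_windows(self):
        self.cookies.clear()  # session cookies (no Expires) die with the browser

class IdP:
    def __init__(self, host="idp.example.edu"):
        self.host, self.sessions, self.sps = host, {}, {}

    def authn(self, browser, sp, credentials=None):
        """AuthnRequest: a valid IdP cookie yields an assertion with no prompt (SSO)."""
        cookie = browser.cookies.get(self.host)
        sess = self.sessions.get(cookie)
        if sess is None:
            if credentials is None:
                raise PermissionError("login required")
            cookie = secrets.token_hex(16)
            sess = self.sessions[cookie] = {"user": credentials, "sps": set()}
            browser.cookies[self.host] = cookie
        sess["sps"].add(sp.entity_id)  # remember which SPs share this session
        return {"subject": sess["user"], "session_index": cookie}

    def single_logout(self, browser):
        """Front-channel SLO: end the IdP session, then LogoutRequest every SP in it."""
        sess = self.sessions.pop(browser.cookies.pop(self.host, None), None)
        if sess is None:
            return []
        for entity_id in sess["sps"]:
            self.sps[entity_id].local_logout(browser)  # modeled as a direct call
        return sorted(sess["sps"])

class SP:
    def __init__(self, entity_id, host, idp):
        self.entity_id, self.host, self.idp, self.sessions = entity_id, host, idp, {}
        idp.sps[entity_id] = self  # register with the IdP so SLO can reach us

    def access(self, browser, credentials=None):
        """Protected page: serve from the local session if present, else SSO via IdP."""
        cookie = browser.cookies.get(self.host)
        if cookie in self.sessions:
            return self.sessions[cookie]
        subject = self.idp.authn(browser, self, credentials)["subject"]
        cookie = browser.cookies[self.host] = secrets.token_hex(16)
        self.sessions[cookie] = subject
        return subject

    def local_logout(self, browser):
        """The SP's own Logout button: clears this SP's session and nothing else."""
        self.sessions.pop(browser.cookies.pop(self.host, None), None)

    def has_session(self, browser):
        return browser.cookies.get(self.host) in self.sessions

def setup():
    idp = IdP()
    sp_a, sp_b = SP("sp-a", "a.example.edu", idp), SP("sp-b", "b.example.edu", idp)
    browser = Browser()
    sp_a.access(browser, credentials="eid123")  # interactive login at the IdP
    sp_b.access(browser)                        # silent SSO, no credentials asked
    return idp, sp_a, sp_b, browser

def local_logout_only():
    """The case in the notes: the user presses Logout on SP A and walks away."""
    idp, sp_a, sp_b, browser = setup()
    sp_a.local_logout(browser)
    result = {
        "sp_b_session_alive": sp_b.has_session(browser),
        "idp_session_alive": browser.cookies.get(idp.host) in idp.sessions,
        # next person reopens SP A from history: re-authenticated as the first user
        "sp_a_reentry_subject": sp_a.access(browser),
    }
    browser.close_all_windows()  # the mitigation the new logout page asks for
    try:
        result["sp_b_after_closing_browser"] = sp_b.access(browser)
    except PermissionError:
        result["sp_b_after_closing_browser"] = "login required"
    return result

def full_single_logout():
    """SLO as it would behave if every SP implemented the logout endpoint."""
    idp, sp_a, sp_b, browser = setup()
    notified = idp.single_logout(browser)
    try:
        sp_a.access(browser)
        reentry = "silent"
    except PermissionError:
        reentry = "login required"
    return {"notified": notified, "sp_a_reentry": reentry,
            "sp_b_session_alive": sp_b.has_session(browser)}
```

Two caveats the model makes visible. First, the SLO path only works because every SP here implements a logout endpoint and the IdP knows which SPs took part in the session; in a real federation any SP that skips its LogoutRequest, or a browser that abandons the redirect chain, leaves that session alive, which is the limitation the linked Shibboleth article describes. Second, closing the browser only clears session cookies on the client; the IdP-side session still exists until it times out, it simply can no longer be presented, and a browser configured to restore tabs and cookies on restart would undo even that.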