
Provisioning and Combining Accounts

Provisioning and Combining Accounts. Using Identity Pointers in LDAP. September 22, 2005. Agenda. Overview of Account Provisioning at K of C Define problem encountered with multiple accounts Potential Solution---Thoughts? Opinions? Ideas?. Knights of Columbus.


Presentation Transcript


  1. Provisioning and Combining Accounts Using Identity Pointers in LDAP September 22, 2005

  2. Agenda • Overview of Account Provisioning at K of C • Define problem encountered with multiple accounts • Potential Solution---Thoughts? Opinions? Ideas?

  3. Knights of Columbus • Fraternal Benefit Society with 1.7 million members throughout the world, mostly in United States, Canada, but also in Latin America and the Philippines. • Membership driven • Insurance Organization that insures its membership and their relatives with whole life, term, fixed annuities and long term care. • Career Agency System

  4. Account Provisioning at K of C • Active Directory holds Employee Information • LOB Systems hold Agent and other membership information • Single LDAP server holds all provisioned accounts from both places.

  5. The Problem… • Some people are in both source systems • Take Mr. Statemp: • He works in Accounting (Employee) • He’s also a State Deputy (Fraternal Role) • Remember Our Model….

  6. The Problem. . . • Active Directory holds one account for Mr. Statemp • Fraternal and Agent DBs hold one account for Mr. Statemp. • Two accounts exist. • Applications exist that require roles for Mr. Statemp as an employee and others that require roles for Mr. Statemp as a Fraternal Member.

  7. The Problem. . . • LDAP is kept in sync with all sources • The provisioning tools will remove accounts and roles that are in LDAP and not in sources • There might, in the future, be a third source as well (such as self registration) • Problem: multiple logins do not provide a good user experience.

  8. Possible Solution: Identity Pointers • Create Identity pointers in LDAP • Extra attribute in LDAP to link multiple IDs together • At run time application queries LDAP to get all roles from all linked accounts • Advantages: • Algorithm allows for provisioning to come from any number of sources without disturbing the sources themselves • Allows ability to aggregate roles across accounts allowing for single sign-on • IDs can continue to be auto-provisioned. • Disadvantages: • At provisioning time, some extra work required to manage the pointers • Need an interface to LDAP to gather all the roles from all linked accounts • Approach allows for either administrative aliasing or self-service.

  9. View of LDAP Initial View Combine ACCTUSER and USER3—ACCTUSER is the primary

  10. View of LDAP Combined ACCTUSER and USER3—ACCTUSER is the primary • Cross link active and joined account using new attribute. • This allows provisioning programs to perform maintenance. • Run time interface must walk relationships to aggregate roles. • Note: disable unused account (USER3) to prevent misuse.

  11. View of LDAP Combine STATEUSER and ACCTUSER—ACCTUSER is the primary • Only one account is enabled. • Single sign on is achieved.

  12. Removing an Account • Person is no longer a State Deputy. Remove STATEUSER. • [Figure: LDAP view before and after the removal] • The STATEUSER ID is removed. • The pointer references are also removed.

  13. Feedback • Questions • Feedback? • Are there other better ways?

  14. Any more questions.. Contact: George Dobbs- George.Dobbs@kofc.org John Ricci- John.Ricci@kofc.org Knights Of Columbus One Columbus Plaza New Haven CT 06510-3326 And For the Results Oriented we’re at: N41 18’ 12.384” W72 55’ 34.576” Ele: 12 feet (plus 18 floors in the building)
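
The run-time role aggregation and pointer cleanup described on slides 8 to 12, as an added example that is not part of the original presentation. It uses a constructed in-memory stand-in for the LDAP tree; the attribute names (`roles`, `identityPointer`, `enabled`), the role values and the `OTHER` entry are assumptions, and following only reciprocated pointers is one reading of the "cross link" on slide 10.

```python
# Constructed in-memory stand-in for the LDAP tree on slides 9-12.
# Attribute names ("roles", "identityPointer", "enabled") are hypothetical.
def sample_directory():
    return {
        "ACCTUSER":  {"enabled": True,  "roles": {"accounting"},
                      "identityPointer": {"USER3", "STATEUSER"}},
        "USER3":     {"enabled": False, "roles": {"agent"},
                      "identityPointer": {"ACCTUSER"}},
        "STATEUSER": {"enabled": False, "roles": {"state-deputy"},
                      "identityPointer": {"ACCTUSER"}},
        # One-way pointer: OTHER claims ACCTUSER, ACCTUSER does not point back.
        "OTHER":     {"enabled": True,  "roles": {"guest"},
                      "identityPointer": {"ACCTUSER"}},
    }


def aggregate_roles(directory, login_id):
    """Walk cross-linked accounts from login_id and return the union of roles."""
    entry = directory.get(login_id)
    if entry is None or not entry["enabled"]:
        raise PermissionError(f"{login_id} is not an enabled account")
    roles, seen, queue = set(), set(), [login_id]
    while queue:
        uid = queue.pop()
        if uid in seen:          # cross links are cycles by design
            continue
        seen.add(uid)
        roles |= directory[uid]["roles"]
        for target in directory[uid]["identityPointer"]:
            peer = directory.get(target)
            # Follow only reciprocated links, so an entry cannot claim
            # another account's roles by writing a pointer on itself alone.
            if peer is not None and uid in peer["identityPointer"]:
                queue.append(target)
    return roles


def remove_account(directory, uid):
    """Delete uid and every pointer that references it (slide 12)."""
    directory.pop(uid, None)
    for entry in directory.values():
        entry["identityPointer"].discard(uid)
```

In a real directory the pointer attribute should be writable only by the provisioning tools or an administrative interface, since whoever can write it controls which roles an account inherits.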
