Identity Management
Authentication (Prove who you are) • Authentication techniques • Prompt for username / password • Relay network domain credentials • Digital certificates • Smart cards • Username / password is the most common in our apps right now • Every application stores user information, including passwords • Every application authenticates users only within the context of that single application • Security risk: • Passwords are stored in a variety of locations • Individual applications may not have the resources to keep up with DOI password policies • Resolution – Security Token Services (STS) • Centralize user information in the STS • Only the STS knows the passwords and/or other user information • DOI security policies are addressed in one place • The STS exchanges user credentials for an industry-standard, digitally signed token • The token is then passed around to apps and services • Applications/services only have to know how to interpret the token (and verify its signature)
Security Token Service • Validate user credentials • Domain accounts / Windows NTLM • DOI's Active Directory • For users on the DOI network • Usernames / passwords • ADAM / AD LDS, a lightweight implementation of Active Directory • For users not on the DOI network • Other credential types • Digital certificates • Authenticating partner applications / services running automated processes • Transform user credentials • Make claims about a user • Wrap the claims within a digitally signed SAML token
Security Token Process • Apps and services never see usernames and passwords, just SAML tokens • Before trusting the claims in a token, an app must check the signature, that the token was issued for that app, and that it has not expired
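The credential-for-token exchange described on the last three slides, as an added example that is not IRMA code. The real STS wraps the claims in a SAML token carrying an XML Signature made with the STS's private key; here the token is a base64url JSON payload with an HMAC-SHA256 tag so the exchange runs on the standard library alone. The user store, signing key, audience name and claim values are constructed.

```python
"""Toy security token service (STS) and relying application.

Added example, not code from the IRMA project. The token format
(base64url JSON + HMAC-SHA256 tag) stands in for a signed SAML token;
the user directory, signing key and claims below are constructed.
"""
import base64
import hashlib
import hmac
import json
import time

STS_KEY = b"constructed-sts-signing-key"    # assumption: shared with the apps
PASSWORD_SALT = b"constructed-salt"         # would be per-user in practice


def hash_password(password: str) -> bytes:
    """PBKDF2-SHA256; only the STS ever sees the clear-text password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), PASSWORD_SALT, 100_000)


# Constructed directory: username -> (password hash, claims the STS asserts).
# Each claim is (type, right, resource), the shape used on the claims slide.
USER_STORE = {
    "jdoe": (hash_password("correct horse"),
             [("role", "DataSteward", "ReferenceService"),
              ("unit", "Steward", "ROMO")]),
}


def b64encode_url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64decode_url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sts_issue_token(username, password, audience, ttl=300, now=None):
    """Validate the credential and return a signed token, or None on failure."""
    candidate = hash_password(password)     # hash first: no timing hint on unknown users
    record = USER_STORE.get(username)
    if record is None or not hmac.compare_digest(record[0], candidate):
        return None
    now = int(time.time()) if now is None else int(now)
    payload = {"sub": username, "aud": audience, "iat": now, "exp": now + ttl,
               "claims": [list(c) for c in record[1]]}
    body = b64encode_url(json.dumps(payload, sort_keys=True).encode())
    tag = hmac.new(STS_KEY, body.encode(), hashlib.sha256).digest()
    return body + "." + b64encode_url(tag)


def app_verify_token(token, expected_audience, now=None):
    """Relying app: accept only a token that is correctly signed, meant for
    this app and not expired. Returns the payload (with its claims) or None."""
    parts = token.split(".")
    if len(parts) != 2:
        return None
    body, tag = parts
    try:
        expected = hmac.new(STS_KEY, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64decode_url(tag)):
            return None                     # forged or tampered
        payload = json.loads(b64decode_url(body))
    except ValueError:                      # bad base64 or bad JSON
        return None
    now = time.time() if now is None else now
    if payload.get("aud") != expected_audience:
        return None                         # token was issued for another app
    if payload.get("exp", 0) < now:
        return None                         # expired
    return payload
```

Because the tag is an HMAC, every app holding STS_KEY could also mint tokens; the SAML design on the slides avoids that by signing with the STS's private key and giving apps only the public key, but the checks an app performs (signature, audience, expiry) are the same.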
Authorization (What are you allowed to do) • Role-based authorization • Users are placed in groups (roles) and permissions are applied to the group • Access to a resource is granted by comparing the user's roles to the roles defined for the resource • Advantages: • Permission management on a small number of groups instead of many users • Limitations: • Permissions are applied to resources at a very broad level; granular rules require more and more groups • Roles only have meaning within individual applications • Resource-based authorization (Access Control Lists) • Permissions are defined on the resource itself • Specify which operation a group or user may perform on a resource • Advantages: • Authorization rules are upheld independent of which service is requesting access • Limitations: • Every resource has to carry attributes that identify what it is • In the case of system files, often requires some form of impersonation to get through operating system process rules
Claims-based authorization • Claims are properties that describe the capabilities of an entity • Type – lets services consuming the claim know what it refers to • Right – describes the capability the entity has over a resource • Resource – the thing the claim is made about • Essentially does role-based authorization and more • Roles are based on identity; identity is just one of many claims that can be made about a user • Advantages: • Separates authorization rules from the mechanisms used for authentication • Authorization policies based on claims can be written down to a very granular level • Very good at controlling access across platforms and applications
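The three models from the two authorization slides (role-based, ACL, claims-based) side by side, as an added example rather than IRMA code. The users, roles, groups, resources, the "owning unit" attribute on a reference and the policy rules are all constructed; the point is that the claims policy can say "only the steward of the unit that owns this reference may edit it", which the role table cannot express without a role per unit.

```python
"""Role-based, ACL-based and claims-based authorization side by side.

Added example, not IRMA code. Users, roles, groups, resources and the
policy are constructed to show how the three models differ.
"""

# ---- Role-based: user -> roles; resource -> roles allowed per operation ----
USER_ROLES = {"jdoe": {"DataSteward"}, "asmith": {"Reader"}}
RESOURCE_ROLES = {
    "reference:1234": {"read": {"Reader", "DataSteward"}, "edit": {"DataSteward"}},
}


def role_allows(user, operation, resource):
    """Grant if the user holds any role listed for that operation."""
    needed = RESOURCE_ROLES.get(resource, {}).get(operation, set())
    return bool(USER_ROLES.get(user, set()) & needed)


# ---- Resource-based (ACL): permissions live on the resource itself ----
GROUP_MEMBERS = {"Readers": {"asmith", "jdoe"}}
ACLS = {
    "reference:1234": [("group:Readers", "read"), ("user:jdoe", "edit")],
}


def acl_allows(user, operation, resource):
    """Grant if an ACL entry names the user or a group the user belongs to."""
    principals = {"user:" + user}
    principals |= {"group:" + g for g, members in GROUP_MEMBERS.items() if user in members}
    return any(p in principals and op == operation for p, op in ACLS.get(resource, []))


# ---- Claims-based: the caller presents (type, right, resource) claims ----
REFERENCE_OWNER_UNIT = {"reference:1234": "ROMO"}   # constructed resource attribute


def has_claim(claims, ctype, right, resource):
    """True if a claim of this type and right covers the resource ('*' = any)."""
    return any(t == ctype and r == right and res in (resource, "*")
               for t, r, res in claims)


def claims_allow(claims, operation, resource):
    """Policy written against claims, not identities:
    - read: any Reader or DataSteward role claim for the ReferenceService
    - edit: a Steward claim for the unit that owns the reference
    Anything else is denied."""
    if operation == "read":
        return (has_claim(claims, "role", "Reader", "ReferenceService")
                or has_claim(claims, "role", "DataSteward", "ReferenceService"))
    if operation == "edit":
        owner = REFERENCE_OWNER_UNIT.get(resource)
        return owner is not None and has_claim(claims, "unit", "Steward", owner)
    return False


def roles_as_claims(user):
    """Role membership is just one claim type: convert the role table."""
    return [("role", role, "ReferenceService") for role in sorted(USER_ROLES.get(user, ()))]
```

Note that `claims_allow` never looks at who the caller is, only at what the STS asserted about them, which is what lets the same policy work for a web user, a partner service authenticated by certificate, or an Excel client presenting the same token.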
Challenges Solved and Still to Solve • Authentication from multiple sources • The STS currently supports several credential types • Transparent logins for domain users • Form-based username / password against ADAM / AD LDS • Digital certificates • Will be developing a flexible and reusable API for authorization • Determine general claim types that are needed across our services • Identify service-specific claim types that will be needed • Make it all work for client applications other than the web browser • Excel • Access • Etc.
Unit: IRMA Infrastructure Services
Problems to Solve • Multiple copies of unit, park, etc. databases being used (every app had a different one!) • Inconsistent park codes and names used • No common maintenance practices
Version 1.0.0 • Centralized data source • Initial IRMA coding standards, service structure • Very atomic methods (not user-friendly, but they work)
Example • Reference Service – Search Page http://nrinfo.nps.gov • Pick List = data + web controls
Short-term Vision • Full integration with IRMA practices • Standardized park codes • More efficient fetch methods • More sophisticated web controls
Longer-term Vision • Customizable web controls • Accessible service for networks and parks • Search and report page in NRInfo Portal • Subunits: • Management districts, ranger districts, etc. • Maintenance functions
Taxonomy: IRMA Infrastructure Services
Problems to be Solved • Multiple applications need to manage information about taxa • We need a common currency for discussing taxa • We would like to use other taxonomic datasets besides ITIS, such as USDA Plants
Version 1.0 • Four primary parts • Names • Categories • Sources • Classifications • Searching by Name and by Code • Taxon Profile pages • Integration with Species
Short-term Vision • Include authorities • Integrate USDA Plants list • Downloadable taxonomy lists • Saved searches and layouts • Transform a taxa list using Crosswalks • Links to external Classification Sources • More search options
Long-term Vision • Adding and editing Taxa • Roll-up to Ranks • Authentication • Change History Management • Commenting • Other types of taxonomies
Benefits • One-stop shopping for Taxonomy • NPS Taxon Code serves as common currency • New Classification Sources can be loaded, adding new sets of names
Reference Service Update Data Manager’s Conference April, 2009
Overview • Problem • Current Status • Short-Term Plans • Long-Term Vision • Benefits of Service
What is the Problem? • Fundamental need to manage citations/metadata • Documents • Datasets • Photos • Other • Citations/Metadata in different systems • Hard to associate/group references • Applications do not adequately serve the needs of the natural resources program
Reference Service 1.0 • Active, non-sensitive, and non-proprietary citations from NatureBib and Data Store • Limited subset of the Reference attributes • Basic searching and read-only viewing • No user-name or password required to search • Download attachments • Creating/Editing still done through NatureBib and Data Store
Search • Simple search (search logic behind the scenes) • Must be easy to use
Short-Term Plans • 1.x iterations • Functionality of NatureBib and Data Store • Begin to clarify definitions • Introduce Reference Owner and Unit Steward roles • Begin Reference Relationships • Split into related references (e.g., book chapter is part of book) • Begin to combine duplicates • Show related references as one in the Portal • Create Reference from XML record • Integrate with other services • 2.0+ • Turn off NatureBib and Data Store • Begin following the Long-Term Road Map for adding functionality
Long-Term Road Map • Stakeholder Interviews • Project Scope • Version Timeline
Stakeholder Interviews • Fall of 2008 • Gather user needs • 100+ people interviewed • 25+ meetings
Road Map - Project Scope • Out for review - March 2009 • Integrates user needs • Proposes long-term functionality • Very general and… dry • Minimize risks • Get everyone on the same page • Identify logical flaws • Survey to Get Feedback/Comments
Road Map – Version Timeline • Prioritize functionality in Project Scope • Can begin once Project Scope is completed • Very important beyond 2.0
Further Development and Refinement • Progressive elaboration • Regular user feedback
Benefits • Leverages functionality of other services • Taxonomy • Units • Authentication • File • Can be leveraged by other services • Species • Project • Data Clearinghouses
NPSpecies Update Presented by: Alison Loar
New NPSpecies is Useful Because • Shared infrastructure • Units, Taxonomy, Authentication, etc • Reusable controls • New user friendly user interface on the NRInfo Portal • Ability to access service fetch operations to “build your own”
Current Status • NPSpecies 2.0.3 on NRInfo Portal • Certified Species Lists • For data that have been certified • Ability to download lists • Live Demo…
Upcoming Release • NPSpecies 2.1.0 • Released next month • Species lists with more views • Park-Species Profile • Simple stats • List of Units (where one species is found) • Live Demo…
Roadmap Release Plan: Short Term • NPSpecies 2.2 • Integrate NPSpecies with New Match List Application • NPSpecies 2.3 • Integrate NPSpecies with New Evidence Applications (Vouchers, Observations, References) • NPSpecies 3.0 • Add/Edit/Delete • Turn off NPSpecies 1.0
Roadmap Release Plan: Long Term • NPSpecies 3.1 • Ability to have multiple species lists for one category & one unit in NPSpecies • Tools to Compare and Merge data • NPSpecies 3.2 • QA toolbox with QA Filters • Automated workflow
IRMA Summary: What this Means for You Data Manager’s Conference April, 2009
Accessing Information • Web Portal • Consistent Interface • Brings multiple services together • SOAP Messages
SOAP Messages • Simple Object Access Protocol • Get information without a web interface • Text (XML) messages • Industry standard (e.g., used by Travelocity) • Supported by other languages and applications • MS products • Python
Example SOAP Message (the body of the request; closing tags use a forward slash)
    <CreateReference>
      <Title>Birds of ROMO</Title>
      <Publisher>NPS</Publisher>
      <DateOfIssue>20080104</DateOfIssue>
    </CreateReference>
Example Messages • FetchReferenceList • CreateReference • FetchReferenceHolding • DeleteReference
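The CreateReference message above, built and then validated end to end, as an added example that is not the IRMA client or service code. It carries the STS token from the identity slides in a WS-Security SOAP header, which is how a non-browser client such as Excel would present its credential. The SOAP 1.1 envelope and WS-Security namespaces are the standard ones; the service namespace, the header layout and the YYYYMMDD rule for DateOfIssue are assumptions.

```python
"""Build and validate the CreateReference SOAP message from the slide.

Added example, not IRMA code. SVC_NS, the WS-Security header carrying
the STS token and the date-format rule are assumptions.
"""
import xml.etree.ElementTree as ET
from datetime import datetime

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE_NS = ("http://docs.oasis-open.org/wss/2004/01/"
           "oasis-200401-wss-wssecurity-secext-1.0.xsd")
SVC_NS = "urn:example:irma:reference"    # assumed; not the real service namespace
REQUIRED_FIELDS = ("Title", "Publisher", "DateOfIssue")

for prefix, uri in (("soap", SOAP_NS), ("wsse", WSSE_NS), ("ref", SVC_NS)):
    ET.register_namespace(prefix, uri)


def build_create_reference(title, publisher, date_of_issue, token):
    """Client side: the STS token travels in the SOAP header, the operation
    and its fields in the body. ElementTree escapes the values, so a title
    containing '<' cannot break out of its element."""
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP_NS}}}Header")
    security = ET.SubElement(header, f"{{{WSSE_NS}}}Security")
    ET.SubElement(security, f"{{{WSSE_NS}}}BinarySecurityToken").text = token
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    op = ET.SubElement(body, f"{{{SVC_NS}}}CreateReference")
    for tag, value in zip(REQUIRED_FIELDS, (title, publisher, date_of_issue)):
        ET.SubElement(op, f"{{{SVC_NS}}}{tag}").text = value
    return ET.tostring(env, encoding="unicode")


def parse_create_reference(xml_text):
    """Service side: reject a message with no token, no CreateReference
    operation, a missing required field, or a malformed date.
    Returns (token, fields) or None. For XML from untrusted parties use
    defusedxml rather than xml.etree, which does not limit entity expansion."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None
    token = root.findtext(
        f"{{{SOAP_NS}}}Header/{{{WSSE_NS}}}Security/{{{WSSE_NS}}}BinarySecurityToken")
    op = root.find(f"{{{SOAP_NS}}}Body/{{{SVC_NS}}}CreateReference")
    if not token or op is None:
        return None
    fields = {child.tag.rsplit("}", 1)[-1]: (child.text or "").strip() for child in op}
    if any(not fields.get(name) for name in REQUIRED_FIELDS):
        return None
    try:
        datetime.strptime(fields["DateOfIssue"], "%Y%m%d")
    except ValueError:
        return None
    return token, fields
```

The service would hand the extracted token to the verification step from the STS example before acting on the fields; the parse step deliberately does nothing with the fields until the token is present and every required value is well formed.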