
What is SSO?


akio


  1. What is SSO? • Wikipedia Says… “Single Sign On (SSO) is a property of access control of multiple, related, but independent software systems. With this property a user logs in once and gains access to all systems without being prompted to log in again at each of them.”

  2. Benefits • Reduce password fatigue • Reduce time spent re-entering passwords • Abstract authentication from systems • Lower calls to Help Desk about passwords • Centralized reporting for compliance • Can rationalize multiple authentication methods • Improved interaction with 3rd Party

  3. Potential Problems • True Single Sign On is often hard to accomplish • “keys to the castle” • High Availability becomes the new IdM buzzword (well, one of them)

  4. Some of the Choices • Jasig CAS • CoSign • Kerberos • OpenSSO • JOSSO • Shibboleth

  5. What to Look For • What protocol do they use? • What kind of “clients” do they have? • Features: • Opt Out of Single Sign On • Management • Monitoring • High Availability / Scalability • Flexibility • “ClearPass” • Deployment/Maintainability

  6. Rolling Out SSO – Why? • It’s easy! (relatively) • Assumes you’ve already solved your ID problem • It’s a “big” win • Highly visible • Oh, and all that stuff listed under Benefits

  7. Getting People to Use It • Documentation! • Present, Present, Present! (Education) • A Compelling Reason • Features • Ease-Of-Use • Auditing • Superior User Experience • Support It! • Strong Arm (not a pleasant experience)

  8. What Else Do You Need? • Goes well with… • Self-Password Reset/Change • Lookup Id • Profile • User Education • Help Desk Support • Trusted SSL Certificates

  9. Related • Single Sign Out • OpenID – decentralized authentication system • Federation • Facebook Connect - API to let user log in via Facebook • InfoCards -

  10. What Comes Next? • Rolling out an SSO will raise some of the following questions/concerns: • We can’t use SSO because it doesn’t support all types of guests easily* • What’s your SLA? • Why does it take so long to get an ID?* • What about access control?* • What is the password policy? • What’s the identifier usage policy?

  11. The Person Registry

  12. It can help with those *’d ones

  13. You Probably Already Have One! (but it sucks!)

  14. What Does It Do? • Store identity data about your people • Reconciles different versions • Makes (usually) intelligent choices • Helps feed other systems • Directory builder • Provisioning • Reporting

  15. Choices? • Not too many! • Very few higher education options • Most non-Higher Education ones don’t get “higher ed” • Multiple sources for a person • Multiple possible hierarchies • Every university is (slightly) different

  16. OpenRegistry Plug! • What is OpenRegistry? • OpenRegistry is an OpenSource Identity Management System (IDMS). It's a place for data about people affiliated with your organization. • Core Functionality • Interfaces for web, batch, and real-time data transfer • Identity data store • Identity reconciliation from multiple systems of record • Identifier assignment for new, unique individuals • Additional Functionality • Data beyond Persons: Groups, Courses, Credentials, Accounts • Business Rule based data transformations • More than just a Registry, some periphery too • Directory Builder • Provisioning and Deprovisioning

  17. Changing Your IdM System • Two Options: • “The Big Bang” • Transitional

  18. “The Big Bang” • Benefits • Not maintaining two versions for extended period of time • Direct Developer Resources towards new project • Cons • This stuff better work! (or expect some pissed off people) • Significant investment in testing phase • What’s the back up plan? • Restrictions on flexibility

  19. Transitional • Benefits • Significant time to test system “in production” with real data • Built-in Back Up Plan • More flexible scheduling • Cons • Maintaining multiple systems for extended period • Ambiguity about where to go for data • In some instances, double the work!

  20. What does Rutgers do? • We totally confuse the issue • We’ve “big banged” ourselves for Dec 2010 (PeopleSoft deployment) • We’ve committed to maintaining the legacy system feeds • We are gradually rolling it out! • Why? • It seemed like a good idea at the time! • “Big Bang” attachment to PeopleSoft gets IdM on the radar and stresses importance • Pilot Groups much earlier! • Unfortunately, it puts IdM on the radar • With schedule, no time to update all legacy feeds

  21. Bigger Than You Think • Building a registry is tough! • Deploying a registry is tougher! • Touches everything! • Data is owned by others • Policies around accessing data, identifiers, etc. • Downstream concerns with new populations • Poorly written tools that won’t work with the new system • Help Desk Nightmare! • Start Looking at EVERYTHING • What does it all mean?

  22. Rutgers Account Tools

  23. Rutgers Account Tools

  24. Rutgers NetID Activation

  25. Rutgers NetID Activation

  26. Rutgers Password Management

  27. Rutgers Password Management

  28. Rutgers NetID Management

  29. Rutgers NetID Management

  30. Governance

  31. What is Governance? (according to Wikipedia) • Governance is the activity of governing. It relates to decisions that define expectations, grant power, or verify performance. It consists either of a separate process or of a specific part of management or leadership processes. Sometimes people set up a government to administer these processes and systems. • In the case of a business or of a non-profit organization, governance relates to consistent management, cohesive policies, processes and decision-rights for a given area of responsibility. For example, managing at a corporate level might involve evolving policies on privacy, on internal investment, and on the use of data.

  32. What does IdM Governance cover? • Policies • Responsibility • Coordination and Prioritization • Compliance • Some of them like the details (i.e. text on the page!)  really really annoying • Making the Case • Communication

  33. When do you want it? • Not too early • But not too late • Becomes important when you start depending on others

  34. What Makes a Good One? • Some level of actual authority • A method for measuring accountability • Transparent • Leave us better off!

  35. What Happens When It Fails? • Fiefdoms continue to exist • Duplicate data everywhere! • Duplicate application development • Misuse of information

  36. Models • None – just like it sounds • Explicitly Decentralized • High level group sets policy • Specialized groups implement policy • Centralized • Makes just about all the decisions • Hybrid

  37. Levels of Maturity (according to Burton) • 1. Initial – no process • 2. Repeatable – starting to understand processes • 3. Defined – process documented, standardized and integrated • 4. Managed • 5. Optimized

  38. And We’re Done with Governance • Two key points: • You need a champion of sufficient authority • Feedback mechanism needs to be in place
