Directory Middleware and Services: Authentication, Authorization and Business Process Support


Presentation Transcript


  1. Directory Middleware and Services: Authentication, Authorization and Business Process Support
  Mike Conlon, Director of Data Infrastructure, mconlon@ufl.edu

  2. One Slide About UF
  • 49,000 students in Gainesville, FL
  • 50,000 distance, continuing and executive students
  • $1.8 billion annual budget, $450 million in research, growing at 12% per year; Health Sciences – 60% of research
  • 140 academic departments in 23 colleges
  • Land grant – extension in all 67 counties
  • The Gators, Lady Gators, GatorAde

  3. One Slide About UF Technology
  • 500 IT professionals across campus
  • Very decentralized
  • Over 300 email servers
  • 30,000 devices on the open network
  • AD, NDS, iPlanet, OpenLDAP, Kerberos
  • Directory Project 2002-2003
  • PeopleSoft implementation 2003-2007

  4. UF Directory Background
  • Community effort to solve the directory problem at UF: 17 sources for contact information, limited sharing
  • Information Systems, Academic Technology, Health Center, Registrar and Data Center involved from the beginning
  • UF reading and studying NMI documents – roadmap, early harvest, metadirectory practices, identifier mappings

  5. UF Directory Background
  • GatorLink – Kerberos-based authentication mechanism since 1997
  • Unsponsored campus LDAP and NDS
  • DB2-based registry of people information
  • Many feeds to the registry, few from the registry
  • Ad hoc integration

  6. UF Directory Project
  • Start planning August 2000
  • Ken Klingenstein visit April 2001
  • Parallel effort to replace SSN merged August 2001
  • Finish report September 2001
  • Begin implementation October 2001
  • Deploy new directory January 23, 2003
  • http://www.it.ufl.edu/projects/directory

  7. Directory Project Deliverables
  • New Registry – 140 tables
  • New LDAP schema (eduPerson, eduOrg)
  • New IDs – UFID and UUID
  • GatorLink tied to UFID
  • 50,000 new Gator One cards
  • 1,500 applications modified
  • New self-service apps (http://phonebook.ufl.edu)
  • New directory coordinator apps
  • 800 directory coordinators trained
  • New APIs for directory-enabling business processes

  8. UF Directory – Architecture
  • Three major interfaces
  • One data store
  • One set of APIs
  • About 50 message queues
  • Each app receives consistent data

  9. Authentication Services
  • Provide a single credential (GatorLink) environment, regardless of access technology
  • Support enterprise system sign-on, LAN sign-on and WebISO with the same credential
  • Tie authentication to identity

  10. Authentication Architecture
  • Authentication begins with identity
  • Automated processes populate the portal
  • Portal login produces a cookie for WebISO
  • Middleware updates additional authentication services
  • Kerberos, AD, NDS supported

  11. WebISO at UF
  • UF developed a local WebISO solution in 1998 – GLAuth
  • GLAuth provides a secure cookie-based, Kerberos-authenticated system
  • GLAuth is simple to install on Apache web servers
  • Legacy SIS and admin applications use GLAuth, providing single-credential access to these systems

  12. Authorization Concept
  • The directory has “affiliations” for each person. Affiliations roll up to eduPerson affiliations and to a primary affiliation
  • Affiliations imply authorizations
  • Authorization is based on roles
  • Roles can often be determined algorithmically from affiliations
  • Additional roles are assigned by traditional access request processes

  13. Entity, Role and Service

  14. Role Management
  • Roles are assigned algorithmically by processes consuming directory message queues
  • Department Security Coordinators use the Access Request System (ARS)
  • Roles are assigned following a request, based on university policy
  • Individuals can view their roles from the portal

  15. My Roles
  • Every portal user can access their role information using My Roles
  • Additional options give users access to maintain their account

  16. Business Process Support
  The directory provides support for a wide variety of services, which in turn support additional applications:
  • Distance, Continuing and Executive education support
  • Password Management
  • UF Active Directory
  • PeopleSoft
  • LDAP

  17. Distance, Continuing, Executive education support
  • DCE programs are administered at the unit level
  • Unit-level directory coordinators can add students to the directory, creating a UFID
  • Students can then use self-service screens to create a GatorLink account
  • Directory message queues provide the information needed to create roles in the portal

  18. Password Management
  • All GatorLink accounts have strong passwords
  • Five password policies govern reset, use of hints and password age
  • Policies are determined by user roles – each role has a related password policy
  • Each user’s GatorLink password management policy is the strongest policy required by any of the user’s roles
  • Password changing is done using portal screens
  • Kerberos, AD and NDS are updated in real time
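The affiliation roll-up, algorithmic role derivation and strongest-policy rule from slides 12, 14 and 18, as an added example (not UF's code; the affiliation, role and policy names are constructed placeholders, only the eduPerson attribute names come from the schema):

```python
"""Added example, not UF's own code. Affiliation, role and policy names are
constructed placeholders; the eduPerson attribute names are from the schema."""
from dataclasses import dataclass
# Local affiliations roll up to eduPersonAffiliation values.
LOCAL_TO_EDUPERSON = {
    "faculty": {"faculty", "employee", "member"},
    "staff": {"staff", "employee", "member"},
    "dce_student": {"student", "member"},   # distance/continuing education
    "vendor": {"affiliate"},
}
PRIMARY_ORDER = ["faculty", "staff", "student", "affiliate"]  # eduPersonPrimaryAffiliation
# Roles that follow algorithmically from affiliations.
AFFILIATION_ROLES = {
    "employee": {"portal_user", "hr_self_service"},
    "student": {"portal_user", "sis_student"},
    "affiliate": {"portal_user"},
}

@dataclass(frozen=True)
class PasswordPolicy:
    name: str
    rank: int            # higher rank = stronger policy
    max_age_days: int
    hints_allowed: bool

POLICIES = {p.name: p for p in (PasswordPolicy("basic", 1, 180, True),
                                PasswordPolicy("employee", 2, 90, False),
                                PasswordPolicy("privileged", 3, 60, False))}
ROLE_POLICY = {"portal_user": "basic", "sis_student": "basic",
               "hr_self_service": "employee", "finance_approver": "privileged"}

def roll_up(local_affiliations):
    """Return (eduPerson affiliation set, primary affiliation or None)."""
    edu = set()
    for a in local_affiliations:
        if a not in LOCAL_TO_EDUPERSON:
            raise ValueError(f"unknown local affiliation: {a}")
        edu |= LOCAL_TO_EDUPERSON[a]
    return edu, next((p for p in PRIMARY_ORDER if p in edu), None)

def derive_roles(edu_affiliations, ars_roles=()):
    # Algorithmic roles from affiliations plus roles granted through the ARS.
    roles = set(ars_roles)
    for a in edu_affiliations:
        roles |= AFFILIATION_ROLES.get(a, set())
    return roles

def effective_policy(roles):
    """Strongest policy any of the user's roles requires; 'basic' if none."""
    required = (POLICIES[ROLE_POLICY[r]] for r in roles if r in ROLE_POLICY)
    return max(required, key=lambda p: p.rank, default=POLICIES["basic"])
```

A person who is both staff and a DCE student, and who has been granted a finance role through the ARS, ends up on the privileged policy even though most of their roles only require the basic one.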

  19. UF Active Directory
  • UFAD accounts are built from directory message queues
  • UFAD accounts use GatorLink usernames and passwords
  • OUs are populated based on the value of a “Network Managed By” attribute in the directory – directory coordinators assign the value
  • Contact information in UFAD is populated from the directory

  20. PeopleSoft
  Directory coordinators enter people into the university directory and thereby create UFIDs for them. PeopleSoft Application Engine (AE) programs process message queues to automatically provision access to HR and Finance systems as appropriate, based on the person’s affiliations. When a person is an employee, the HR system provides additional information to the directory and assigns employee affiliations. Non-employees often participate in university business processes, and the directory can record appropriate affiliations which lead to provisioning access. The ARS can then be used to provide the specific roles needed to handle special cases.

  21. UF LDAP
  • The UF LDAP service is populated from a message queue from the UF directory
  • UF LDAP provides access to public contact information and is used by the university white pages as a data source
  • UF LDAP is used by university applications requiring current contact information for university members
  • UF LDAP supports the eduPerson schema standards

  22. Future Work
  • PeopleSoft Student Administration will be implemented with go-live Summer 2006
  • UF Directory will be migrated to PeopleSoft Campus Community as part of the SIS implementation
  • Legacy systems maintaining authorization information will be reimplemented using roles
  • Direct access to the directory via APIs will be replaced with messaging infrastructure
  • Additional applications will be integrated with directory services – VOIP, Lenel, unit applications
