
FSU Directory Project



Presentation Transcript


  1. FSU Directory Project
  The Issue of Identity Management
  Jeff Bauer, Florida State University
  http://fsuid.fsu.edu/admin

  2. The Problems (2003)
  • Individuals have to remember too many different names and passwords to access our systems; accounts were created on different web pages
  • With the new PeopleSoft ERP, we wanted to avoid yet another username & password
  • We have too many LDAP directories, with almost the same information in each (need to consolidate!)
  • Many of our systems (electronic and in-person) still rely on asking an individual for their Social Security Number as a method for authentication

  3. The SSN Problem
  • SSN is used as a method for authenticating students and employees via web and in-person challenges
  • Mandates to protect & hide SSN abound
  • SSN is still required for certain business processes (HR, external identity of students to Feds, etc.)

  4. The Proposal (2003)
  • This proposal is an attempt to combine identity terms and solve the SSN/multiple identity problem
  • Proposal: FSUID = new public “login name”/password
  • FSUSN = new “SSN-like” private number
  • A combined directory will manage this information

  5. The Identity Problem: C.A.R.S. (“ldap1”)
  • All students, faculty & staff plus visitors
  • Tied into automated systems on campus, such as FSUCard, HRMS, etc.
  • Used for authorizing “garnet/mailer” email servers, dialup service

  6. The Identity Problem: C.A.R.S. (“ldap1”)
  • Blackboard authentication

  7. The Identity Problem: O.P.S. (Secure Login; “ldap2”)
  • All students, faculty & staff plus visitors
  • Tied into automated systems on campus, such as FSUCard, HRMS, etc.
  • Used for authorizing many administrative applications (many, but not all, of which were replaced by PeopleSoft functionality)

  8. The Identity Problem: Web registration for classes (SSN)

  9. The Identity Problem: Administrative Email (“@admin.fsu.edu”)
  • Managed in the enterprise “FSU” Microsoft Active Directory (Outlook users)
  • Semi-manual account management
  • Mostly used by some ~6,000 administrative employees

  10. The Identity Problem: Netware Account
  • Provides authentication & file service
  • Manual account management
  • Mostly used by some ~6,000 administrative employees

  11. The Identity Merger (2004)

  12. https://fsuid.fsu.edu

  13. FSUID Initial Signup

  14. FSUID Helpdesk Utility

  15. Behind the Scenes
  • Novell eDirectory 8.7.3.6
  • Five production RedHat servers
  • Two development RedHat servers
  • Separate iPlanet LDAP strictly for public employee attributes and quick searches
  • Multitude of Perl scripts updating attributes
  • All LDAP over SSL (port 636)

  16. eDirectory Ring (production)
  • One master node
  • Four R/W replicants
  • R/Ws can happen anywhere
  • eDir will sync values over time (up to 30 mins)
  • Housed in different physical locations
  • All LDAP-reachable

  17. Schema & eDir Details
  • Schema is EduPerson compliant (200312)
  • ~150 FSU-specific attributes (“fsuEduXXXX”)
  • Many attributes are indexed to increase performance
  • Use proxy accounts and ACLs to limit view of attributes to specific applications
  • Used Perl for rapid app development and ease of data sources (LDAP, flat files, Oracle, AD, iPlanet, DB2, etc.)
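The proxy-account-plus-ACL idea on this slide, as an added example that is not the deck's own code or eDirectory's ACL mechanism: each application binds as its own proxy account, each proxy has a default-deny allow list of attribute names (globs such as fsuEdu* follow the deck's naming), and an audit helper reports which proxies can see a sensitive attribute. The proxy names, the sample entry, and the attribute names fsuEduSN (standing in for the private FSUSN) and fsuEduBlackboardRole are assumptions.

```python
from fnmatch import fnmatchcase

# Constructed sample entry (not real FSU data). eduPerson names and the fsuEdu*
# prefix follow the deck; fsuEduSN (standing in for the private FSUSN) and
# fsuEduBlackboardRole are assumed attribute names.
SAMPLE_LDIF = """\
dn: cn=jdoe,ou=people,o=fsu
cn: jdoe
givenName: Jane
sn: Doe
mail: jdoe@fsu.edu
eduPersonPrincipalName: jdoe@fsu.edu
eduPersonAffiliation: student
fsuEduSN: 123456789
fsuEduBlackboardRole: student
"""

# Allow list per proxy account (names assumed). Globs match attribute names;
# anything not listed is denied, and an unknown proxy gets nothing at all.
ACLS = {
    "cas-proxy": ["cn", "eduPersonPrincipalName", "eduPersonAffiliation"],
    "blackboard-proxy": ["cn", "mail", "eduPerson*", "fsuEduBlackboard*"],
    "hr-proxy": ["cn", "givenName", "sn", "fsuEduSN"],
}

def parse_ldif(text):
    """Parse one LDIF entry into {attribute: [values]} (repeats = multi-valued)."""
    entry = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, sep, value = line.partition(": ")
        if sep:
            entry.setdefault(name, []).append(value)
    return entry

def visible_attributes(proxy, entry, acls=ACLS):
    """Return the subset of entry that the given proxy account may read."""
    if proxy not in acls:
        return {}
    return {name: values for name, values in entry.items()
            if name == "dn" or any(fnmatchcase(name, p) for p in acls[proxy])}

def proxies_exposing(attribute, entry, acls=ACLS):
    """Audit helper: which proxy accounts can read the named attribute."""
    return sorted(p for p in acls if attribute in visible_attributes(p, entry, acls))
```

Running proxies_exposing("fsuEduSN", ...) against every proxy is the check that the private number leaks to no application beyond the one business process that needs it.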

  18. Example of FSU-specific attribute

  19. LDAP clients using FSUID authentication
  • Central Authentication Service (CAS) instance, connecting Blackboard & FSUID
  • PeopleSoft instances
  • Business Objects instance
  • VPN Concentrators directly or via RADIUS; BlueSocket boxes for Wireless A&A
  • Java properties for business applications
  • UNIX hosts

  20. Departmental Identity Management
  • A number of departments now use FSUID-driven data to manage their student & employee accounts
  • Mostly Active Directories with information “pushed” via LDAPS (account creation, directory attribute updating, password resets, etc.)

  21. Good, Bad & the Ugly
  • DirXML
    • Main reason we decided to purchase eDir instead of using, say, iPlanet or OpenLDAP: the PeopleSoft integration piece (real-time directory updates from HR)
    • We have not implemented this as yet, alas
  • “ndsd” (eDir daemon)
    • Multi-threaded memory problems (crashes); still not fully resolved
  • eDir’s unencrypted “database”

  22. What Next?
  • Shorten up the “hire/admit to login” time lag
  • Rewrite FSUID web pages as native Blackboard Java/JSP pages
  • Merge more FSU identities into the FSUID directory
  • Push FSUSN usage across campus
  • Manage more departmental identities
  • Set up production Shibboleth using this directory
