  1. Identity Management

  2. Authentication (prove who you are)
  • Authentication techniques
    • Prompt for username / password
    • Relay network domain credentials
    • Digital certificates
    • Smart cards
  • Usernames / passwords are the most common in our apps right now
    • Every application stores user information, including passwords
    • Every application authenticates users only within the context of that single application
  • Security risk:
    • Passwords are stored in a variety of locations
    • Individual applications may not have the resources to keep up with DOI password policies
  • Resolution – Security Token Services (STS)
    • Centralize user information in STSs
    • Only the STS knows the passwords and/or other user information
    • DOI security policies are addressed in one place
    • The STS exchanges user credentials for an industry-standard, digitally signed token
    • The token is then passed around to apps and services
    • Applications/services only have to know how to validate and interpret the token: check the signature against the STS's certificate, the issuer, the intended audience and the validity window before trusting any claim in it

  3. Security Token Service
  • Validate user credentials
    • Domain accounts / Windows NTLM
      • DOI's Active Directory
      • For users on the DOI network
    • Usernames / passwords
      • ADAM / AD LDS, a lightweight implementation of Active Directory
      • For users not on the DOI network
    • Other credential types
      • Digital certificates
      • Authenticating partner applications / services running automated processes
  • Transform user credentials
    • Make claims about the user
    • Wrap the claims within a digitally signed SAML token

  4. Security Token Process • Apps and Services will never see usernames and passwords, just SAML tokens
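The token exchange on slides 2 to 4, as an added Python example that is not part of the deck or of DOI's STS: the STS alone holds the password hashes and authenticates the user; the relying application receives only a signed token and verifies the signature, issuer, audience and validity window before trusting any claim in it. The user store, signing key, issuer and audience names are constructed for the example, and an HMAC over a JSON claim set stands in for the X.509-signed SAML assertion the deck describes.

```python
import base64
import hashlib
import hmac
import json
import time

STS_ISSUER = "urn:example:sts"            # assumed issuer name
_STS_KEY = b"assumed-sts-signing-key"     # assumed key; a real STS signs with an X.509 key, apps hold the cert
_SALT = b"constructed-salt"

# Constructed user store. Only the STS holds it; relying apps never see a password.
_USERS = {
    "jdoe": {
        "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 100_000),
        "roles": ["DataManager"],
        "unit": "ROMO",
    }
}


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sts_issue_token(username, password, audience, ttl=300, now=None):
    """STS side: validate the credential, then exchange it for a signed claim set."""
    now = int(time.time() if now is None else now)
    user = _USERS.get(username)
    if user is None:
        return None
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)
    if not hmac.compare_digest(candidate, user["pw_hash"]):
        return None
    claims = {
        "iss": STS_ISSUER, "sub": username, "aud": audience,
        "nbf": now, "exp": now + ttl,
        "roles": user["roles"], "unit": user["unit"],
    }
    body = json.dumps(claims, sort_keys=True).encode()
    sig = hmac.new(_STS_KEY, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(sig)


def app_validate_token(token, expected_audience, now=None):
    """Relying app side: returns the claims only if the token is authentic,
    issued by our STS, meant for this app, and within its validity window."""
    now = time.time() if now is None else now
    try:
        body_b64, sig_b64 = token.split(".")
        body, sig = _unb64(body_b64), _unb64(sig_b64)
    except ValueError:              # wrong shape or bad base64
        return None
    # Check the signature before reading anything out of the body.
    expected = hmac.new(_STS_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    claims = json.loads(body)
    if claims.get("iss") != STS_ISSUER:             # token from some other issuer
        return None
    if claims.get("aud") != expected_audience:      # token minted for a different app
        return None
    if not (claims["nbf"] <= now < claims["exp"]):  # not yet valid, or expired
        return None
    return claims


if __name__ == "__main__":
    token = sts_issue_token("jdoe", "correct horse", "urn:example:npspecies")
    print(app_validate_token(token, "urn:example:npspecies"))
```

The audience check is what stops a token issued for one application from being replayed against another; the signature check has to come first because every other field is attacker-controlled until it passes.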

  5. Authorization (what are you allowed to do)
  • Role-based authorization
    • Users are placed in groups (roles) and permissions are applied to the group
    • Access to a resource is decided by comparing the user's roles to the roles defined for the resource
    • Advantages:
      • Permissions are managed on a small number of groups instead of many users
    • Limitations:
      • Permissions are applied to resources at a very broad level; granular rules require more and more groups
      • Roles only have meaning within individual applications
  • Resource-based authorization (access control lists)
    • Permissions are defined on the resource itself
    • Specify which operation / group / user can access a resource
    • Advantages:
      • Authorization rules are upheld independent of which service is requesting access
    • Limitations:
      • Every resource would have to implement attributes that identify what it is
      • In the case of system files, this often requires some form of impersonation to get through operating-system process rules

  6. Claims-based authorization
  • Claims are properties that describe the capabilities of an entity
    • Type – lets the services consuming the claim know what the claim refers to
    • Right – describes the capability the entity has over a resource
    • Resource – the thing the claim is made about
  • Does everything role-based authorization does, and more
    • Roles are based on identity, and identity is only one of many claims that can be made about a user
  • Advantages:
    • Separates authorization rules from the mechanisms used for authentication
    • Authorization policies based on claims can be written down to a very granular level
    • Very good at controlling access across platforms and applications
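A side-by-side policy for slides 5 and 6, as an added Python example that is not part of the deck: the same "edit a reference" decision evaluated the role-based way (a group name is all the check can see) and the claims-based way (a default-deny predicate over type/right/resource claims, so a per-unit rule needs no per-unit group). The claim types, role names, operation names and the shape of the resource record are assumed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Claim:
    type: str            # what the claim is about: "sub", "role", "unit", "right" (assumed types)
    value: str           # the claimed value
    resource: str = "*"  # what it applies to; "*" means not scoped to one resource


# Role-based: a permission is a set of group names per operation. The check
# cannot see which unit a resource belongs to or who owns it.
ROLE_PERMISSIONS = {
    "reference/read": {"Viewer", "ReferenceOwner", "DataManager"},
    "reference/edit": {"ReferenceOwner", "DataManager"},
}


def role_based_allowed(user_roles, operation):
    return bool(ROLE_PERMISSIONS.get(operation, set()) & set(user_roles))


# Claims-based: the policy is a default-deny predicate over the whole claim set
# and the resource's own attributes. The claims come out of the STS token, so
# they are trustworthy only after that token's signature has been verified.
def claims_based_allowed(claims, operation, resource):
    """resource is a dict like {"id": "ref-1", "unit": "ROMO", "owner": "asmith"} (constructed shape)."""
    rights = {(c.value, c.resource) for c in claims if c.type == "right"}
    roles = {c.value for c in claims if c.type == "role"}
    units = {c.value for c in claims if c.type == "unit"}
    subjects = {c.value for c in claims if c.type == "sub"}

    # 1. An explicit right claim, either unscoped or scoped to exactly this resource.
    if (operation, "*") in rights or (operation, resource.get("id")) in rights:
        return True
    # 2. A data manager may act on resources stewarded by one of their own units.
    if "DataManager" in roles and resource.get("unit") in units:
        return True
    # 3. The owner of a reference may read and edit it, whatever their roles.
    if resource.get("owner") in subjects and operation in ("reference/read", "reference/edit"):
        return True
    return False


if __name__ == "__main__":
    jdoe = [Claim("sub", "jdoe"), Claim("role", "DataManager"), Claim("unit", "ROMO")]
    other_unit = {"id": "ref-2", "unit": "YELL", "owner": "asmith"}
    print(role_based_allowed(["DataManager"], "reference/edit"),
          claims_based_allowed(jdoe, "reference/edit", other_unit))
```

Rule 1 is how an automated partner process authenticated by certificate (slide 3) gets a right scoped to one resource without being put in any human group; rule 3 is the Reference Owner role from slide 31 expressed without a role at all.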

  7. Challenges Solved and Still to Solve
  • Authentication from multiple sources
    • Can currently run multiple types of STS
      • Transparent logins for domain users
      • Form-based username / password against ADAM / AD LDS
      • Digital certificates
  • Will be developing a flexible and reusable API for authorization
    • Determine the general claim types needed across our services
    • Identify service-specific claim types that will be needed
  • Make it all work for client applications other than the web browser
    • Excel
    • Access
    • Etc.

  8. Unit – IRMA Infrastructure Services

  9. Problems to Solve • Multiple copies of unit, park, etc. databases being used (every app had a different one!) • Inconsistent park codes and names used • No common maintenance practices

  10. Version 1.0.0 • Centralized data source • Initial IRMA coding standards, service structure • Very atomic methods (not user-friendly, but they work)

  11. Example • Reference Service – Search Page http://nrinfo.nps.gov • Pick List = data + web controls:

  12. Short-term Vision • Full integration with IRMA practices • Standardized park codes • More efficient fetch methods • More sophisticated web controls

  13. Longer-term Vision • Customizable web controls • Accessible service for networks and parks • Search and report page in NRInfo Portal • Subunits: • Management districts, ranger districts, etc. • Maintenance functions

  14. Taxonomy – IRMA Infrastructure Services

  15. Problems to be Solved • Multiple applications need to manage information about taxa • We need a common currency for discussing taxa • We would like to use other taxonomic datasets besides ITIS, such as USDA Plants

  16. Version 1.0 • Four primary parts • Names • Categories • Sources • Classifications • Searching by Name and by Code • Taxon Profile pages • Integration with Species

  17. Search by Name

  18. Search by Code

  19. Search Results

  20. Taxon Profile

  21. Short-term Vision • Include authorities • Integrate USDA Plants list • Downloadable taxonomy lists • Saved searches and layouts • Transform a taxa list using Crosswalks • Links to external Classification Sources • More search options

  22. Long-term Vision • Adding and editing Taxa • Roll-up to Ranks • Authentication • Change History Management • Commenting • Other types of taxonomies

  23. Benefits • One-stop shopping for Taxonomy • NPS Taxon Code serves as common currency • New Classification Sources can be loaded, adding new sets of names

  24. Reference Service Update – Data Manager's Conference, April 2009

  25. Overview • Problem • Current Status • Short-Term Plans • Long-Term Vision • Benefits of Service

  26. What is the Problem? • Fundamental need to manage citations/metadata • Documents • Datasets • Photos • Other • Citations/Metadata in different systems • Hard to associate/group references • Applications do not adequately serve the needs of the natural resources program

  27. Reference Service 1.0 • Active, non-sensitive, and non-proprietary citations from NatureBib and Data Store • Limited subset of the Reference attributes • Basic searching and read-only viewing • No user-name or password required to search • Download attachments • Creating/Editing still done through NatureBib and Data Store

  28. Search • Simple search (search logic behind the scenes) • Must be easy to use

  29. Search Results

  30. Detailed View

  31. Short-Term Plans
  • 1.x iterations
    • Functionality of NatureBib and Data Store
    • Begin to clarify definitions
    • Introduce Reference Owner and Unit Steward roles
    • Begin reference relationships
      • Split into related references (e.g., a book chapter is part of a book)
      • Begin to combine duplicates
      • Show related references as one in the Portal
    • Create a reference from an XML record
    • Integrate with other services
  • 2.0+
    • Turn off NatureBib and Data Store
    • Begin following the long-term road map for adding functionality

  32. Long-Term Road Map • Stakeholder Interviews • Project Scope • Version Timeline

  33. Stakeholder Interviews • Fall of 2008 • Gather user needs • 100+ people interviewed • 25+ meetings

  34. Road Map - Project Scope • Out for review - March 2009 • Integrates user needs • Proposes long-term functionality • Very general and… dry • Minimize risks • Get everyone on the same page • Identify logical flaws • Survey to Get Feedback/Comments

  35. Survey Results

  36. Road Map – Version Timeline • Prioritize functionality in Project Scope • Can begin once Project Scope is completed • Very important beyond 2.0

  37. Further Development and Refinement • Progressive elaboration • Regular user feedback

  38. Benefits • Leverages functionality of other services • Taxonomy • Units • Authentication • File • Can be leveraged by other services • Species • Project • Data Clearinghouses

  39. NPSpecies Update – Presented by: Alison Loar

  40. New NPSpecies is Useful Because • Shared infrastructure • Units, Taxonomy, Authentication, etc • Reusable controls • New user friendly user interface on the NRInfo Portal • Ability to access service fetch operations to “build your own”

  41. Current Status • NPSpecies 2.0.3 on NRInfo Portal • Certified Species Lists • For data that have been certified • ability to download lists • Live Demo…

  42. Upcoming Release • NPSpecies 2.1.0 • Released next month • Species lists with more views • Park-Species Profile • Simple stats • List of Units (where one species is found) • Live Demo…

  43. Roadmap Release Plan – Short Term
  • NPSpecies 2.2
    • Integrate NPSpecies with the new Match List application
  • NPSpecies 2.3
    • Integrate NPSpecies with the new Evidence applications (Vouchers, Observations, References)
  • NPSpecies 3.0
    • Add/Edit/Delete
    • Turn off NPSpecies 1.0

  44. Roadmap Release Plan – Long Term
  • NPSpecies 3.1
    • Ability to have multiple species lists for one category and one unit in NPSpecies
    • Tools to compare and merge data
  • NPSpecies 3.2
    • QA toolbox with QA filters
    • Automated workflow

  45. IRMA Summary: What this Means for You – Data Manager's Conference, April 2009

  46. Accessing Information • Web Portal • Consistent Interface • Brings multiple services together • SOAP Messages

  47. SOAP Messages
  • Simple Object Access Protocol
  • Get information without a web interface
  • XML text messages
  • Industry standard (e.g., Travelocity)
  • Supported by other languages and applications
    • MS products
    • Python

  48. Example SOAP Message (closing tags use a forward slash; the original slide showed backslashes, which are not valid XML)
  <CreateReference>
    <Title>Birds of ROMO</Title>
    <Publisher>NPS</Publisher>
    <DateOfIssue>20080104</DateOfIssue>
  </CreateReference>
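The CreateReference message from slide 48 built and then accepted by a service, as an added Python example that is not part of the deck or of the IRMA services: the client builds the SOAP 1.1 envelope with ElementTree so that field text is escaped rather than spliced into markup, and the service refuses any document carrying a DTD (the entity-expansion and external-entity surface of XML parsers), checks the envelope shape, requires every field, and validates the date. The service namespace and the exact field rules are assumptions; the SOAP 1.1 envelope namespace is the real one.

```python
from datetime import datetime
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"  # SOAP 1.1 envelope namespace
SVC_NS = "urn:example:irma:reference"                 # assumed service namespace, not the real one
FIELDS = ("Title", "Publisher", "DateOfIssue")

ET.register_namespace("soap", SOAP_NS)
ET.register_namespace("ref", SVC_NS)


def build_create_reference(title, publisher, date_of_issue):
    """Client side: wrap the slide's CreateReference body in a SOAP envelope.
    Building with ElementTree instead of string concatenation means a '<' or
    '&' inside a field is escaped, so caller text cannot inject extra elements."""
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    op = ET.SubElement(body, f"{{{SVC_NS}}}CreateReference")
    for tag, value in zip(FIELDS, (title, publisher, date_of_issue)):
        ET.SubElement(op, f"{{{SVC_NS}}}{tag}").text = value
    return ET.tostring(env, encoding="unicode")


def parse_create_reference(xml_text):
    """Service side: reject DTDs, require the envelope shape and every field,
    and check the date format before anything reaches the database."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTDs are not accepted (entity expansion / XXE surface)")
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SOAP_NS}}}Envelope":
        raise ValueError("not a SOAP 1.1 envelope")
    op = root.find(f"{{{SOAP_NS}}}Body/{{{SVC_NS}}}CreateReference")
    if op is None:
        raise ValueError("no CreateReference operation in Body")
    fields = {}
    for tag in FIELDS:
        el = op.find(f"{{{SVC_NS}}}{tag}")
        if el is None or not (el.text or "").strip():
            raise ValueError(f"missing {tag}")
        fields[tag] = el.text.strip()
    # The slide shows 20080104; anything else is rejected by strptime with ValueError.
    datetime.strptime(fields["DateOfIssue"], "%Y%m%d")
    return fields


def accepts(xml_text):
    """True if the service would accept the message, False if it rejects it."""
    try:
        parse_create_reference(xml_text)
        return True
    except (ValueError, ET.ParseError):
        return False


if __name__ == "__main__":
    msg = build_create_reference("Birds of ROMO", "NPS", "20080104")
    print(msg)
    print(parse_create_reference(msg))
```

The DTD check is a plain substring test run before the parser sees the bytes; it is deliberately cruder than a parser option so that it does not depend on which XML library or version the service happens to use.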

  49. Example Messages • FetchReferenceList • CreateReference • FetchReferenceHolding • DeleteReference