Identity Management at Kennesaw State University

advertisement
A low cost Identity Management
Implementation Guide
Current State Of NetID
By Jonathan Higgins
Presentation Template available from Microsoft
What is Identity Management?
• Identity Management is the integration of
information about people from multiple sources
for the purposes of managing access to
services that protect online resources and user
privacy while enabling ease of use.
• Ok.. What is it really?!?
• Identity Management is an abstract for a
system that manages: Identification,
Authentication, and Authorization.
Identification
NetID
• Identification is the act of pre-assigning a
unique namespace (a username or in our
situation a NetID) to an individual.
• Other attributes can be used to help identify an
individual, but there should be a single unique
identifier that associates a person with an
online identity.
Authentication
AuthN
• Authentication binds a person with an Identity
• To authenticate a person, a system may
require:
• Something the person knows, like a password.
• Something the person carries, like an ID card.
• Some physical attribute of the person, like a
fingerprint.
Authorization
AuthZ
• The act of ensuring that a person is afforded
access only to services and data required to
support allowed tasks.
• Authority can be associated with a person
explicitly his/her account or implicitly to groups
or roles.
The Big Picture
Growing Pains and Silos vs. Suites
• Why?
• Impending Growth of an organization
• Scalability
• Silos: authentication, authorization and
application are all self contained and
individually administrated.
• Integrated Suites: Set of applications that
authenticate and authorize from a central
service for multiple applications.
Using open source products
• The choice to use open source products was
fairly simple for us because of the prohibitive
costs of a commercial implementation.
•
•
•
•
•
Linux
Kerberos
LDAP
SASL
SSL/TLS
Linux
• Pick your favorite distribution. If you don’t have
a favorite take a few minutes to review some of
the more popular versions and see which one
may integrate the easiest into your current
environment. Linux is a free Unix-type
operating system originally created by Linus
Torvalds. Developed under the GNU General
Public License, the source code for Linux is
freely available to everyone.
• http://www.linux.org
Kerberos
• Kerberos is a network authentication protocol.
It is designed to provide strong authentication
for client/server applications by using secretkey cryptography. A free implementation of this
protocol is available from MIT and Heimdal.
Kerberos is available in many commercial
products as well.
• http://web.mit.edu/kerberos/www/
LDAP
• The OpenLDAP Project is a collaborative effort
to develop a robust, commercial-grade, fully
featured and open source LDAP suite of
applications and development tools.
OpenLDAP Software is an implementation of
the Lightweight Directory Access Protocol
based on the work started by the folks at
University of Michigan.
• http://www.openldap.org
SASL
• SASL is the Simple Authentication and
Security Layer, a method for adding
authentication support to connection-based
protocols. To use SASL, a protocol includes a
command for identifying and authenticating a
user to a server and for optionally negotiating
protection of subsequent protocol interactions.
If its use is negotiated, a security layer is
inserted between the protocol and the
connection.
• http://asg.web.cmu.edu/sasl/
SSL/TLS
• The OpenSSL Project is a collaborative effort to
develop a robust, commercial-grade, fullfeatured, and Open Source toolkit implementing
the Secure Sockets Layer (SSL v2/v3) and
Transport Layer Security (TLS v1) protocols as
well as a full-strength general purpose
cryptography library.
• http://www.openssl.org/
Data gathering and consolidation
• Who has the data?
• These people are the data custodians.
• Conduct a survey of all the sources of
information.
• Identify:
• who exists in your organization
• how do they get entered into that source of data
• what access to systems and services they are
granted
Namespace and Identifiers
• Getting data is great, but now you need to
figure out how to use it.
• The first major goal will be to identify what piece
of data will represent a unique namespace or
username for each person.
• The best solution is to identify a single source
for username creation.
• The format of usernames will probably also
need at least a minimum amount of attention.
Building a local user object class
• The first step to creating a custom local user
object class is to register for an OID with IANA
at http://www.iana.org/cgi-bin/enterprise.pl or
ANSI at
http://web.ansi.org/public/services/reg_org.html.
• The next step is to identify which pieces of data
you plan to store in the directory that do not fit
into a predefined object class.
• Once you have defined all of the unique
attributes that you wish to implement, it is time
to actually create the new object.
Technical Implementation
• Covers packages required, compiling, installing,
and configuring
• Upgrades to current software
• Other
Building the Interface
• Undergraduate Senior Project class Spring
2003
•
•
•
•
•
Authentication
Activation
Password Reset
Password Hardening
Search
• PHP, Perl, and HTML
Load Balancing DNS
• The pile of PC’s approach to implementation
does have a few problems
• How to distribute the load across multiple
systems?
• Rob Riepel of Stanford University wrote a
program called lbnamed
• Lbnamed is a load balancing name server
written in Perl.
Data Management or Metadirectory
• Data repository
• Home grown Perl scripts for:
•
•
•
•
Adding users
Modifying users
Deleting users
Managing groups and affiliations
Administration
• Web based administration tools:
• Search by Last Name
• Search by NetID
• Reset NetID
• The reset NetID will delete activation fields in
the LDAP tree and remove the kerberos
principal for the user. Activation is required for
the account to function again.
Application Integration
• Authorization and Affiliations
• Active Directory
• Mail Transfer Agent
• Other
What can we expect in the future?
• Inter-Institutional Applications
• Shibboleth, a Web-based inter-organizational
authorization system, leverages attribute
repositories such as directories and the larger
identity management infrastructure to service
inter-institutional applications and resource
sharing.
• Authentication for users from another trusted
organization to applications and services
hosted here at a remote site and vice-versa.
Download