A low cost Identity Management Implementation Guide Current State Of NetID By Jonathan Higgins Presentation Template available from Microsoft What is Identity Management? • Identity Management is the integration of information about people from multiple sources for the purposes of managing access to services that protect online resources and user privacy while enabling ease of use. • Ok.. What is it really?!? • Identity Management is an abstract for a system that manages: Identification, Authentication, and Authorization. Identification NetID • Identification is the act of pre-assigning a unique namespace (a username or in our situation a NetID) to an individual. • Other attributes can be used to help identify an individual, but there should be a single unique identifier that associates a person with an online identity. Authentication AuthN • Authentication binds a person with an Identity • To authenticate a person, a system may require: • Something the person knows, like a password. • Something the person carries, like an ID card. • Some physical attribute of the person, like a fingerprint. Authorization AuthZ • The act of ensuring that a person is afforded access only to services and data required to support allowed tasks. • Authority can be associated with a person explicitly his/her account or implicitly to groups or roles. The Big Picture Growing Pains and Silos vs. Suites • Why? • Impending Growth of an organization • Scalability • Silos: authentication, authorization and application are all self contained and individually administrated. • Integrated Suites: Set of applications that authenticate and authorize from a central service for multiple applications. Using open source products • The choice to use open source products was fairly simple for us because of the prohibitive costs of a commercial implementation. • • • • • Linux Kerberos LDAP SASL SSL/TLS Linux • Pick your favorite distribution. If you don’t have a favorite take a few minutes to review some of the more popular versions and see which one may integrate the easiest into your current environment. Linux is a free Unix-type operating system originally created by Linus Torvalds. Developed under the GNU General Public License, the source code for Linux is freely available to everyone. • http://www.linux.org Kerberos • Kerberos is a network authentication protocol. It is designed to provide strong authentication for client/server applications by using secretkey cryptography. A free implementation of this protocol is available from MIT and Heimdal. Kerberos is available in many commercial products as well. • http://web.mit.edu/kerberos/www/ LDAP • The OpenLDAP Project is a collaborative effort to develop a robust, commercial-grade, fully featured and open source LDAP suite of applications and development tools. OpenLDAP Software is an implementation of the Lightweight Directory Access Protocol based on the work started by the folks at University of Michigan. • http://www.openldap.org SASL • SASL is the Simple Authentication and Security Layer, a method for adding authentication support to connection-based protocols. To use SASL, a protocol includes a command for identifying and authenticating a user to a server and for optionally negotiating protection of subsequent protocol interactions. If its use is negotiated, a security layer is inserted between the protocol and the connection. • http://asg.web.cmu.edu/sasl/ SSL/TLS • The OpenSSL Project is a collaborative effort to develop a robust, commercial-grade, fullfeatured, and Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library. • http://www.openssl.org/ Data gathering and consolidation • Who has the data? • These people are the data custodians. • Conduct a survey of all the sources of information. • Identify: • who exists in your organization • how do they get entered into that source of data • what access to systems and services they are granted Namespace and Identifiers • Getting data is great, but now you need to figure out how to use it. • The first major goal will be to identify what piece of data will represent a unique namespace or username for each person. • The best solution is to identify a single source for username creation. • The format of usernames will probably also need at least a minimum amount of attention. Building a local user object class • The first step to creating a custom local user object class is to register for an OID with IANA at http://www.iana.org/cgi-bin/enterprise.pl or ANSI at http://web.ansi.org/public/services/reg_org.html. • The next step is to identify which pieces of data you plan to store in the directory that do not fit into a predefined object class. • Once you have defined all of the unique attributes that you wish to implement, it is time to actually create the new object. Technical Implementation • Covers packages required, compiling, installing, and configuring • Upgrades to current software • Other Building the Interface • Undergraduate Senior Project class Spring 2003 • • • • • Authentication Activation Password Reset Password Hardening Search • PHP, Perl, and HTML Load Balancing DNS • The pile of PC’s approach to implementation does have a few problems • How to distribute the load across multiple systems? • Rob Riepel of Stanford University wrote a program called lbnamed • Lbnamed is a load balancing name server written in Perl. Data Management or Metadirectory • Data repository • Home grown Perl scripts for: • • • • Adding users Modifying users Deleting users Managing groups and affiliations Administration • Web based administration tools: • Search by Last Name • Search by NetID • Reset NetID • The reset NetID will delete activation fields in the LDAP tree and remove the kerberos principal for the user. Activation is required for the account to function again. Application Integration • Authorization and Affiliations • Active Directory • Mail Transfer Agent • Other What can we expect in the future? • Inter-Institutional Applications • Shibboleth, a Web-based inter-organizational authorization system, leverages attribute repositories such as directories and the larger identity management infrastructure to service inter-institutional applications and resource sharing. • Authentication for users from another trusted organization to applications and services hosted here at a remote site and vice-versa.