University of Florida

Directory Middleware and Services:
Authentication, Authorization and
Business Process Support
Mike Conlon
Director of Data Infrastructure
mconlon@ufl.edu
One Slide About UF
49,000 students in Gainesville, FL
50,000 distance, continuing and executive students
$1.8 billion annual budget; $450 million in research, growing at 12% per year; Health Sciences account for 60% of research
140 academic departments in 23 colleges
Land grant – extension in all 67 counties
The Gators, Lady Gators, GatorAde
One Slide About UF Technology
500 IT professionals across campus
Very decentralized
Over 300 email servers
30,000 devices on the open network
AD, NDS, iPlanet, OpenLDAP, Kerberos
Directory Project 2002-2003
PeopleSoft implementation 2003-2007
UF Directory Background
Community effort to solve the directory problem at UF – 17 sources for contact information, limited sharing.
Information Systems, Academic Technology, Health Center, Registrar and Data Center involved from the beginning.
UF reading and studying NMI documents – roadmap, early harvest, metadirectory practices, identifier mappings.
UF Directory Background
GatorLink – Kerberos-based authentication mechanism since 1997.
Unsponsored campus LDAP and NDS.
DB2-based registry of people information.
Many feeds to the registry, few from the registry.
Ad hoc integration.
UF Directory Project
Start planning August 2000
Ken Klingenstein visit April 2001
Parallel effort to replace SSN merged August 2001
Finish report September 2001
Begin implementation October 2001
Deploy new directory January 23, 2003
http://www.it.ufl.edu/projects/directory
Directory Project Deliverables
New Registry – 140 tables
New LDAP schema (eduPerson, eduOrg)
New IDs – UFID and UUID
GatorLink tied to UFID
50,000 new Gator One cards
1,500 applications modified
New self-service apps: http://phonebook.ufl.edu
New directory coordinator apps
800 directory coordinators trained
New APIs for directory-enabling business processes
UF Directory – Architecture
Three major interfaces
One data store
One set of APIs
About 50 message queues
Each app receives consistent data
Authentication Services
Provide a single credential (GatorLink) environment, regardless of access technology
Support enterprise system sign-on, LAN sign-on and WebISO with the same credential
Tie authentication to identity
Authentication Architecture
Authentication begins with identity
Automated processes populate the portal
Portal login produces a cookie for WebISO
Middleware updates additional authentication services
Kerberos, AD, NDS supported
WebISO at UF
UF developed a local WebISO solution in 1998 – GLAuth
GLAuth provides a secure, cookie-based, Kerberos-authenticated system
GLAuth is simple to install on Apache web servers
Legacy SIS and admin applications use GLAuth, providing single-credential access to these systems
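The slide says the GLAuth cookie is "secure" and Kerberos-authenticated but does not say how the cookie is built. The following is an added example, not GLAuth's code or anything from UF: it shows the properties any WebISO cookie of this kind needs once the Kerberos step has succeeded, namely that the principal and both timestamps are covered by a keyed MAC, that the MAC is checked in constant time before anything in the payload is trusted, and that expired, not-yet-valid or spliced cookies all fail the same way. The token layout, the eight-hour lifetime and the key are assumptions made for the example.

```python
import base64
import binascii
import hashlib
import hmac
import time
from typing import Optional

# Assumptions for this example (not GLAuth's real format): the cookie is
# "<base64(payload)>.<base64(mac)>" with payload "principal|issued|expires",
# and a WebISO session lasts eight hours.
COOKIE_LIFETIME = 8 * 3600


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_cookie(principal: str, key: bytes, now: Optional[int] = None) -> str:
    """Mint the WebISO cookie after Kerberos has authenticated `principal`.

    The MAC covers the principal and both timestamps, so none of them can be
    altered, or recombined with another cookie's MAC, without the server key.
    """
    if "|" in principal:
        raise ValueError("principal must not contain the field separator")
    now = int(time.time()) if now is None else now
    payload = f"{principal}|{now}|{now + COOKIE_LIFETIME}".encode("utf-8")
    mac = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(mac)}"


def verify_cookie(cookie: str, key: bytes, now: Optional[int] = None) -> Optional[str]:
    """Return the authenticated principal, or None if the cookie is malformed,
    forged, not yet valid, or expired.  Every failure is the same plain None so a
    caller cannot tell a bad MAC from a bad timestamp."""
    now = int(time.time()) if now is None else now
    try:
        payload_b64, mac_b64 = cookie.split(".", 1)
        payload, mac = _unb64(payload_b64), _unb64(mac_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):  # constant-time comparison first
        return None
    try:
        principal, issued, expires = payload.decode("utf-8").split("|")
        issued, expires = int(issued), int(expires)
    except ValueError:
        return None
    if not issued <= now < expires:
        return None
    return principal


if __name__ == "__main__":
    secret = b"example-key-rotate-me"  # assumed server-side secret
    c = issue_cookie("albert@ufl.edu", secret)
    print(c)
    print(verify_cookie(c, secret))
    print(verify_cookie(c, b"wrong-key"))
```

A real deployment would also set the cookie with the Secure and HttpOnly flags and scope it to the domain the participating Apache servers share; those are transport details the example leaves to the web server.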
Authorization Concept
Directory has “affiliations” for each person.
Affiliations roll up to eduPerson affiliations and to a primary affiliation
Affiliations imply authorizations
Authorization is based on roles
Roles can often be determined algorithmically from affiliations
Additional roles are assigned by traditional access request processes
Entity, Role and Service
Role Management
Roles are assigned algorithmically by processes reading the directory message queues
Department Security Coordinators use the Access Request System (ARS)
Roles are assigned following a request, based on university policy
Individuals can view their roles from the portal
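To make the Authorization Concept and Role Management slides concrete, here is an added example that is not UF's code: local affiliations roll up to eduPersonAffiliation values and a single eduPersonPrimaryAffiliation, queue messages add or remove affiliations and ARS grants, and a person's roles are recomputed after each message as the union of the algorithmically derived roles and the ARS-granted ones. The local affiliation names, the roll-up table, the precedence order, the role names and the message shape are all constructed for illustration; only the flow comes from the slides. One deliberate design point: an unrecognised local affiliation maps to nothing rather than to "member", so a typo in a feed cannot grant portal access.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Roll-up table: local affiliation -> eduPersonAffiliation values it implies.
# The local names are constructed; UF's actual codes are not in the deck.
# Unknown local affiliations map to nothing (fail closed), not to "member".
LOCAL_TO_EDUPERSON: Dict[str, Set[str]] = {
    "faculty_tenured":   {"faculty", "employee", "member"},
    "faculty_adjunct":   {"faculty", "employee", "member"},
    "staff_full_time":   {"staff", "employee", "member"},
    "student_undergrad": {"student", "member"},
    "student_graduate":  {"student", "member"},
    "dce_student":       {"student", "member"},
    "alumnus":           {"alum"},
    "vendor_contact":    {"affiliate"},
}

# Precedence used to choose eduPersonPrimaryAffiliation (assumption).
PRIMARY_PRECEDENCE: List[str] = ["faculty", "staff", "student", "alum", "affiliate"]

# Roles that follow algorithmically from eduPerson affiliations (assumed rules).
ALGORITHMIC_ROLES: Dict[str, Set[str]] = {
    "member":   {"UF_PORTAL_USER"},
    "employee": {"UF_HR_SELF_SERVICE"},
    "student":  {"UF_STUDENT_SELF_SERVICE"},
    "faculty":  {"UF_GRADE_ENTRY"},
}


@dataclass
class Person:
    ufid: str
    local_affiliations: Set[str] = field(default_factory=set)
    ars_roles: Set[str] = field(default_factory=set)  # granted via the ARS, never derived


def roll_up(local: Set[str]) -> Dict[str, object]:
    """Compute the eduPerson view of a set of local affiliations."""
    edu: Set[str] = set()
    for aff in local:
        edu |= LOCAL_TO_EDUPERSON.get(aff, set())
    primary = next((p for p in PRIMARY_PRECEDENCE if p in edu), None)
    return {"eduPersonAffiliation": sorted(edu),
            "eduPersonPrimaryAffiliation": primary}


def derive_roles(person: Person) -> Set[str]:
    """Algorithmic roles from affiliations, plus roles granted through the ARS.
    Losing an affiliation drops its derived roles but never an ARS grant."""
    roles: Set[str] = set()
    for aff in roll_up(person.local_affiliations)["eduPersonAffiliation"]:
        roles |= ALGORITHMIC_ROLES.get(aff, set())
    return roles | person.ars_roles


def apply_message(registry: Dict[str, Person], msg: Dict[str, str]) -> Set[str]:
    """Consume one (constructed) directory queue message; return the resulting roles."""
    person = registry.setdefault(msg["ufid"], Person(msg["ufid"]))
    op, value = msg["op"], msg["value"]
    if op == "affiliation_add":
        person.local_affiliations.add(value)
    elif op == "affiliation_remove":
        person.local_affiliations.discard(value)
    elif op == "ars_grant":
        person.ars_roles.add(value)
    elif op == "ars_revoke":
        person.ars_roles.discard(value)
    else:
        raise ValueError(f"unknown queue operation {op!r}")
    return derive_roles(person)


# Constructed sample queue: a student is hired as staff, is made a directory
# coordinator through the ARS, then leaves the staff position.
SAMPLE_QUEUE: List[Dict[str, str]] = [
    {"ufid": "12345678", "op": "affiliation_add",    "value": "student_undergrad"},
    {"ufid": "12345678", "op": "affiliation_add",    "value": "staff_full_time"},
    {"ufid": "12345678", "op": "ars_grant",          "value": "UF_DIRECTORY_COORDINATOR"},
    {"ufid": "12345678", "op": "affiliation_remove", "value": "staff_full_time"},
]


def run_sample() -> List[Set[str]]:
    registry: Dict[str, Person] = {}
    return [apply_message(registry, m) for m in SAMPLE_QUEUE]


if __name__ == "__main__":
    for msg, roles in zip(SAMPLE_QUEUE, run_sample()):
        print(msg["op"], msg["value"], "->", sorted(roles))
```

The last message in the sample is the case worth checking in any role engine: when the staff affiliation goes away the HR self-service role goes with it, but the coordinator role granted through the ARS stays until someone revokes it there, which is exactly the policy split the slides describe.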
My Roles
Every portal user can access their role information using My Roles
Additional options provide users with access to maintain their account
Business Process Support
The directory provides support for a wide variety of services, which in turn support additional applications:
Distance, Continuing, Executive education support
Password Management
UF Active Directory
PeopleSoft
LDAP
Distance, Continuing, Executive education support
DCE programs are administered at the unit level
Unit-level directory coordinators can add students to the directory, creating a UFID
Students can then use self-service screens to create a GatorLink account
Directory message queues provide information to create roles in the portal
Password Management
All GatorLink accounts have strong passwords
Five password policies govern reset, use of hints, and password age
Policies are determined by user roles – each role has a related password policy
Each user’s GatorLink password management policy is the strongest policy required by any of the user’s roles
Password changing is done using portal screens
Kerberos, AD, NDS are updated in real time
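"The strongest policy required by the user's roles" is only well defined if the policies form a total order, so an added example (not UF's code) is useful here: five constructed policies with a rank, a role-to-policy table, a check that no attribute gets weaker as rank rises, and the selection itself. The deck says five policies exist and that they cover reset, hints and age; their actual contents, the rank order, the role names and the "three of four character classes" strength rule are assumptions made for the example. Two design points a practitioner would want: a role with no policy mapping raises instead of silently falling back to the baseline, and the ordering check is something to run every time the policy table is edited.

```python
from dataclasses import dataclass
from typing import Dict, Iterable


@dataclass(frozen=True)
class PasswordPolicy:
    name: str
    rank: int                # higher rank = stronger (assumed ordering)
    min_length: int
    max_age_days: int
    hints_allowed: bool
    self_service_reset: bool  # False: reset goes through a coordinator or help desk


# Five illustrative policies; the deck says five exist but not what they contain.
POLICIES: Dict[str, PasswordPolicy] = {
    "BASELINE":   PasswordPolicy("BASELINE",   1,  8, 365, True,  True),
    "STUDENT":    PasswordPolicy("STUDENT",    2,  8, 180, True,  True),
    "EMPLOYEE":   PasswordPolicy("EMPLOYEE",   3, 10, 180, False, True),
    "FINANCIAL":  PasswordPolicy("FINANCIAL",  4, 12,  90, False, True),
    "PRIVILEGED": PasswordPolicy("PRIVILEGED", 5, 14,  60, False, False),
}

# Role -> policy that role requires (role names constructed for the example).
ROLE_POLICY: Dict[str, str] = {
    "UF_PORTAL_USER":          "BASELINE",
    "UF_STUDENT_SELF_SERVICE": "STUDENT",
    "UF_HR_SELF_SERVICE":      "EMPLOYEE",
    "UF_FINANCE_APPROVER":     "FINANCIAL",
    "UF_SECURITY_ADMIN":       "PRIVILEGED",
}


def policies_are_totally_ordered(policies: Iterable[PasswordPolicy]) -> bool:
    """True if every attribute is at least as strict at each higher rank.
    Without this property 'strongest policy' has no single answer."""
    ordered = sorted(policies, key=lambda p: p.rank)
    for lo, hi in zip(ordered, ordered[1:]):
        if hi.min_length < lo.min_length or hi.max_age_days > lo.max_age_days:
            return False
        if hi.hints_allowed and not lo.hints_allowed:
            return False
        if hi.self_service_reset and not lo.self_service_reset:
            return False
    return True


def policy_for_roles(roles: Iterable[str]) -> PasswordPolicy:
    """Strongest policy required by any of the user's roles.
    A role with no mapping raises rather than quietly yielding a weaker policy."""
    chosen = POLICIES["BASELINE"]
    for role in roles:
        try:
            candidate = POLICIES[ROLE_POLICY[role]]
        except KeyError:
            raise ValueError(f"role {role!r} has no password policy mapping") from None
        if candidate.rank > chosen.rank:
            chosen = candidate
    return chosen


def password_ok(password: str, policy: PasswordPolicy) -> bool:
    """Assumed strength rule: minimum length plus three of four character classes."""
    if len(password) < policy.min_length:
        return False
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    )
    return sum(classes) >= 3


def needs_change(age_days: int, policy: PasswordPolicy) -> bool:
    return age_days >= policy.max_age_days


if __name__ == "__main__":
    assert policies_are_totally_ordered(POLICIES.values())
    p = policy_for_roles(["UF_PORTAL_USER", "UF_HR_SELF_SERVICE"])
    print(p.name, password_ok("Gators2003!", p), needs_change(200, p))
```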
UF Active Directory
UFAD accounts are built from directory message queues
UFAD accounts use GatorLink usernames and passwords
OUs are populated based on the value of a “Network Managed By” attribute in the directory – directory coordinators assign the value
Contact information in UFAD is populated from the directory
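Because the OU comes from an attribute that directory coordinators type in, the provisioning step that turns a queue record into a UFAD object has to treat that value as untrusted input to a distinguished name. The following added example (not UF's code) builds the DN with RFC 4514 escaping so a value such as "Physics,OU=Domain Controllers" produces one OU named exactly that rather than two DN components, sends records with an empty Network Managed By value to an unassigned OU instead of guessing, and validates the GatorLink username against sAMAccountName rules before it is used. The forest name, the OU layout, the "Unassigned" container, the userPrincipalName suffix and the record field names are all assumptions.

```python
from typing import Dict, Optional

# Assumed forest and OU layout; the deck says only that OUs follow "Network Managed By".
UFAD_BASE_DN = "DC=ad,DC=ufl,DC=edu"
PEOPLE_CONTAINER = "OU=People," + UFAD_BASE_DN
UNASSIGNED_OU = "OU=Unassigned," + PEOPLE_CONTAINER   # fail-closed landing zone (assumption)

_SAM_FORBIDDEN = set('"/\\[]:;|=,+*?<>')


def escape_rdn_value(value: str) -> str:
    """Escape an attribute value for use in an RDN (RFC 4514 section 2.4) so a
    coordinator-supplied value cannot add or alter DN components."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in ',+"\\<>;=' or (i == 0 and ch in " #") or (i == last and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def ou_dn(network_managed_by: Optional[str]) -> str:
    """OU for an account, derived from the directory's Network Managed By value."""
    unit = (network_managed_by or "").strip()
    if not unit:
        return UNASSIGNED_OU
    return f"OU={escape_rdn_value(unit)},{PEOPLE_CONTAINER}"


def is_valid_sam_account_name(name: str) -> bool:
    """Pre-Windows 2000 logon name rules: 1-20 chars, no forbidden chars, no trailing dot."""
    if not name or len(name) > 20 or name.endswith("."):
        return False
    return not any(c in _SAM_FORBIDDEN for c in name)


def build_account(record: Dict[str, str]) -> Dict[str, str]:
    """Translate one directory queue record into attributes for a UFAD user object.
    The record field names are constructed for this example."""
    sam = record["gatorlink"]
    if not is_valid_sam_account_name(sam):
        raise ValueError(f"invalid sAMAccountName: {sam!r}")
    return {
        "distinguishedName": f"CN={escape_rdn_value(sam)},{ou_dn(record.get('networkManagedBy'))}",
        "sAMAccountName": sam,
        "userPrincipalName": f"{sam}@ufl.edu",      # suffix is an assumption
        "displayName": record.get("displayName", ""),
        "mail": record.get("mail", ""),
        "telephoneNumber": record.get("telephoneNumber", ""),
        "employeeID": record["ufid"],               # UFID carried in employeeID (assumption)
    }


if __name__ == "__main__":
    # Constructed record, including a hostile Network Managed By value.
    rec = {"ufid": "12345678", "gatorlink": "albert",
           "networkManagedBy": "Physics,OU=Domain Controllers",
           "displayName": "Albert Gator", "mail": "albert@ufl.edu"}
    for k, v in build_account(rec).items():
        print(f"{k}: {v}")
```

The password itself never appears in the record: the slides say UFAD accounts use GatorLink passwords, and the Password Management slide says Kerberos, AD and NDS are updated when the user changes it, so provisioning only creates the object and the OU placement.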
PeopleSoft
Directory coordinators enter people into the university directory and thereby create UFIDs for them. PeopleSoft Application Engine (AE) programs process message queues to automatically provision access to HR and Finance systems as appropriate, based on the person’s affiliations.
When a person is an employee, the HR system provides additional information to the directory and assigns employee affiliations.
Non-employees often participate in university business processes, and the directory can record appropriate affiliations which lead to provisioning access. The ARS can then be used to provide specific roles needed to handle special cases.
UF LDAP
The UF LDAP service is populated from a message queue from the UF directory.
UF LDAP provides access to public contact information and is used by the university white pages as a data source.
UF LDAP is used by university applications requiring current contact information for university members.
UF LDAP supports the eduPerson schema standards.
Future Work
PeopleSoft Student Administration will be implemented with go-live Summer 2006
UF Directory will be migrated to PeopleSoft Campus Community as part of the SIS implementation
Legacy systems maintaining authorization information will be reimplemented using roles
Direct access to the directory via APIs will be replaced with messaging infrastructure
Additional applications will be integrated with directory services – VOIP, Lenel, unit applications