An IdM Architecture you can Build At Home: Cal Poly Pomona's Scalable IdM Infrastructure (PowerPoint presentation transcript)

1
An IdM Architecture you can Build At Home! -
Cal Poly Pomona's Scalable IdM Infrastructure
  • Peter Deutsch, Director, IIT Systems
  • July 12, 2005

2
Goals for ID Management at Cal Poly Pomona
  • Protect and secure access to information
  • Reduce provisioning and maintenance costs
  • Meet legal and audit requirements
  • Improve user experience and services
  • Integrate with CSU and national projects

3
Key Components
  • We have implemented a Campus-wide Identity
    Management System that provides:
    • Automated Multi-Role Account and Capabilities
      Provisioning System
    • Distributed User Authentication and Authorization
    • Directory and Registry Services
    • Close integration with PeopleSoft, Blackboard and
      other key campus services

4
Directory and Registry Services
  • Heart of the system is the Identity Registry, a
    database that serves as the central identity
    management repository for people affiliated with
    CPP
  • It enables authentication and authorization of
    individuals and serves as the authoritative
    repository for a number of attributes associated
    with each identity and associated roles

5
Implementing ID Management
  • System Architecture
  • Business Processes
  • What Works So Far
  • What Pieces Are Next?
  • Lessons Learned So Far

6
System Architecture
[Architecture diagram; only the box labels survive extraction.]
  • Systems of Record (PeopleSoft, Affiliate 1 ... Affiliate n, Photo IDs),
    managed by the Systems of Record Management System
  • Identity Registry, with the Account Mgmt System
  • Capabilities System (LDAP, Active Directory, White Pages,
    Blackboard, Photo IDs, ...), managed by the Capability Feed
    Management System
  • Federated Namespace System (Namespace 1, Namespace 2 ... Namespace n),
    managed by the Namespace Management System
7
Business Processes
  • Not easily shown is the full effect of the business-rule
    processes
  • Each System of Record had its own access issues
    (getting raw data is hard)
  • Each Capability feed requires its own set of
    business rules
  • Not shown is the implicit system governing data
    access:
    • Requires AVP or higher-level authorization to
      initiate new capabilities
    • Requires approval of the originating data stewards
    • This is intended to be a non-trivial process
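The flow these slides describe (Systems of Record feeding the Identity Registry, capability feeds each governed by their own business rules, and new capabilities gated by AVP and data-steward approval) as an added illustrative model in Python; this is not Cal Poly Pomona's code, and the feed data, role names, capability names and approval labels are constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Identity:
    """One Identity Registry entry; roles are merged from the Systems of Record."""
    cpp_id: str
    roles: set = field(default_factory=set)

# Constructed sample feeds (hypothetical ids) standing in for PeopleSoft and an affiliate feed.
PEOPLESOFT_FEED = {"p100": {"employee"}, "p200": {"student"}, "p300": {"student", "employee"}}
AFFILIATE_FEED = {"p400": {"affiliate"}}

# Hypothetical per-capability business rules: the roles that entitle a person to each capability.
CAPABILITY_RULES = {
    "ldap_account": {"employee", "student", "affiliate"},
    "exchange_mailbox": {"employee"},
    "blackboard_courses": {"student"},
}

def build_registry(*feeds):
    """Merge role feeds from Systems of Record into the Identity Registry (cpp_id -> Identity)."""
    registry = {}
    for feed in feeds:
        for cpp_id, roles in feed.items():
            registry.setdefault(cpp_id, Identity(cpp_id)).roles |= set(roles)
    return registry

def register_capability(rules, name, roles, approvals):
    """Adding a capability feed is gated: it needs AVP-level sign-off and the data steward's approval."""
    if not {"avp", "data_steward"} <= set(approvals):
        raise PermissionError(f"capability {name!r} lacks required approvals")
    return {**rules, name: set(roles)}

def entitled_capabilities(identity, rules):
    """Capabilities whose rule matches at least one of the person's roles."""
    return {cap for cap, roles in rules.items() if identity.roles & roles}

def reconcile(registry, current_grants, rules):
    """Return (grants, revokes) that bring current_grants in line with the registry.
    Revoking on role loss is what makes multi-role provisioning automated, not additive-only."""
    grants, revokes = [], []
    for cpp_id in sorted(set(registry) | set(current_grants)):
        wanted = entitled_capabilities(registry[cpp_id], rules) if cpp_id in registry else set()
        have = set(current_grants.get(cpp_id, ()))
        grants += [(cpp_id, cap) for cap in sorted(wanted - have)]
        revokes += [(cpp_id, cap) for cap in sorted(have - wanted)]
    return grants, revokes
```

An identity that disappears from every System of Record (here `p999`) ends up with no roles, so every capability it still holds is revoked on the next reconcile.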

8
What Works So Far
  • Identity Registry and Automated Account Management
    System are up
  • PeopleSoft is the System of Record for Employee and
    Student Roles
  • LDAP is live and authoritative for multiple other
    systems
  • Exchange feed with auto-population of groups
  • Blackboard course feeds are up
  • ID Card feeds work (in both directions)

9
What Pieces Are Next?
  • We're still working at getting Affiliate Roles
    into PeopleSoft
  • We're still working on improved password
    management (complexity, aging, etc.)
  • We're about to go live with the Student Applicant
    Role
  • We're still looking at distributing Systems of
    Record and White Pages management

10
Lessons Learned So Far
  • Technology is not the hard part
  • But:
  • Getting people to think globally is hard
  • Getting people to surrender control is hard
  • Hidden business processes are hard
  • Generating technical requirements is hard
  • Writing things down is hard

11
Integrate with CSU and National Initiatives
  • Secure Identity Management Infrastructure (CSU)
  • Shibboleth (Internet2) (http://shibboleth.internet2.edu)
  • InCommon (built on Shibboleth)
    (http://www.incommonfederation.org)

12
Questions?