Current State Of NetID

1
Current State Of NetID
A low cost Identity Management Implementation
Guide

• By Jonathan Higgins

Presentation Template available from Microsoft
2
What is Identity Management?

• Identity Management is the integration of
  information about people from multiple sources
  for the purposes of managing access to services
  that protect online resources and user privacy
  while enabling ease of use.
• Ok.. What is it really?!?
• Identity Management is an abstract for a system
  that manages Identification, Authentication,
  and Authorization.

3
Identification NetID

• Identification is the act of pre-assigning a
  unique namespace (a username or in our situation
  a NetID) to an individual.
• Other attributes can be used to help identify an
  individual, but there should be a single unique
  identifier that associates a person with an
  online identity.

4
Authentication AuthN

• Authentication binds a person with an Identity
• To authenticate a person, a system may require
• Something the person knows, like a password.
• Something the person carries, like an ID card.
• Some physical attribute of the person, like a
  fingerprint.

5
Authorization AuthZ

• The act of ensuring that a person is afforded
  access only to services and data required to
  support allowed tasks.
• Authority can be associated with a person
  explicitly his/her account or implicitly to
  groups or roles.

6
The Big Picture
7
Growing Pains and Silos vs. Suites

• Why?
• Impending Growth of an organization
• Scalability
• Silos authentication, authorization and
  application are all self contained and
  individually administrated.
• Integrated Suites Set of applications that
  authenticate and authorize from a central service
  for multiple applications.

8
Using open source products

• The choice to use open source products was fairly
  simple for us because of the prohibitive costs of
  a commercial implementation.
• Linux
• Kerberos
• LDAP
• SASL
• SSL/TLS

9
Linux

• Pick your favorite distribution. If you dont
  have a favorite take a few minutes to review some
  of the more popular versions and see which one
  may integrate the easiest into your current
  environment. Linux is a free Unix-type operating
  system originally created by Linus Torvalds.
  Developed under the GNU General Public License,
  the source code for Linux is freely available to
  everyone.
• http//www.linux.org

10
Kerberos

• Kerberos is a network authentication protocol.
  It is designed to provide strong authentication
  for client/server applications by using
  secret-key cryptography. A free implementation
  of this protocol is available from MIT and
  Heimdal. Kerberos is available in many
  commercial products as well.
• http//web.mit.edu/kerberos/www/

11
LDAP

• The OpenLDAP Project is a collaborative effort to
  develop a robust, commercial-grade, fully
  featured and open source LDAP suite of
  applications and development tools. OpenLDAP
  Software is an implementation of the Lightweight
  Directory Access Protocol based on the work
  started by the folks at University of Michigan.
• http//www.openldap.org

12
SASL

• SASL is the Simple Authentication and Security
  Layer, a method for adding authentication support
  to connection-based protocols. To use SASL, a
  protocol includes a command for identifying and
  authenticating a user to a server and for
  optionally negotiating protection of subsequent
  protocol interactions. If its use is negotiated,
  a security layer is inserted between the protocol
  and the connection.
• http//asg.web.cmu.edu/sasl/

13
SSL/TLS

• The OpenSSL Project is a collaborative effort to
  develop a robust, commercial-grade,
  full-featured, and Open Source toolkit
  implementing the Secure Sockets Layer (SSL v2/v3)
  and Transport Layer Security (TLS v1) protocols
  as well as a full-strength general purpose
  cryptography library.
• http//www.openssl.org/

14
Data gathering and consolidation

• Who has the data?
• These people are the data custodians.
• Conduct a survey of all the sources of
  information.
• Identify
• who exists in your organization
• how do they get entered into that source of data
• what access to systems and services they are
  granted

15
Namespace and Identifiers

• Getting data is great, but now you need to figure
  out how to use it.
• The first major goal will be to identify what
  piece of data will represent a unique namespace
  or username for each person.
• The best solution is to identify a single source
  for username creation.
• The format of usernames will probably also need
  at least a minimum amount of attention.

16
Building a local user object class

• The first step to creating a custom local user
  object class is to register for an OID with IANA
  at http//www.iana.org/cgi-bin/enterprise.pl or
  ANSI at http//web.ansi.org/public/services/reg_or
  g.html.
• The next step is to identify which pieces of data
  you plan to store in the directory that do not
  fit into a predefined object class.
• Once you have defined all of the unique
  attributes that you wish to implement, it is time
  to actually create the new object.

17
Technical Implementation

• Covers packages required, compiling, installing,
  and configuring
• Upgrades to current software
• Other

18
Building the Interface

• Undergraduate Senior Project class Spring 2003
• Authentication
• Activation
• Password Reset
• Password Hardening
• Search
• PHP, Perl, and HTML

19
Load Balancing DNS

• The pile of PCs approach to implementation does
  have a few problems
• How to distribute the load across multiple
  systems?
• Rob Riepel of Stanford University wrote a program
  called lbnamed
• Lbnamed is a load balancing name server written
  in Perl.

20
Data Management or Metadirectory

• Data repository
• Home grown Perl scripts for
• Adding users
• Modifying users
• Deleting users
• Managing groups and affiliations

21
Administration

• Web based administration tools
• Search by Last Name
• Search by NetID
• Reset NetID
• The reset NetID will delete activation fields in
  the LDAP tree and remove the kerberos principal
  for the user. Activation is required for the
  account to function again.

22
Application Integration

• Authorization and Affiliations
• Active Directory
• Mail Transfer Agent
• Other

23
What can we expect in the future?

• Inter-Institutional Applications
• Shibboleth, a Web-based inter-organizational
  authorization system, leverages attribute
  repositories such as directories and the larger
  identity management infrastructure to service
  inter-institutional applications and resource
  sharing.
• Authentication for users from another trusted
  organization to applications and services hosted
  here at a remote site and vice-versa.