1 / 22

Reflect & Join A Case Study The University of Texas Health Science Center at Houston

Reflect & Join A Case Study The University of Texas Health Science Center at Houston. William A. Weems Assistant Vice President Academic Technology. Middleware Makes the Global Sharing of Resources Invisible to Users.

kioko
Télécharger la présentation

Reflect & Join A Case Study The University of Texas Health Science Center at Houston

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Reflect & JoinA Case StudyThe University of Texas Health Science Center at Houston William A. Weems Assistant Vice President Academic Technology

  2. Middleware Makes the Global Sharing of Resources Invisible to Users.

  3. Increasingly, people must easily and securely exchange information in cyberspace among "known" individuals and to securely access restricted resources they “know” can be trusted without having to struggle with numerous and onerous security processes. 3

  4. How do you prove you are who you say you are? • How do you know that someone is legitimate in his or her dealings with you, and how do you get redress if things go wrong? • If your identity is stolen and used fraudulently, or personal records are altered without your knowledge or permission, how do you prove that it was not you? • It is difficult enough to verify someone's identity in the tangible world where forgery, impersonation and credit card fraud are everyday problems related to authentication. • Such problems take on a new dimension with the movement from face-to-face interaction, to the faceless interaction of cyberspace. Identity and Authentication by Simon Rogerson 4

  5. Ideally,  individuals would each like a single digital credential that can be securely used to authenticate his or her identity anytime authentication of identity is required to secure any transaction. 5

  6. UTHSC-H: An Identity Provider (IdP) It is critical to recognize that the university functions as an identity provider (IdP) in that UTHSC-H provides individuals with digital credentials that consist of an identifier and an authenticator. As an IdP, the university assumes specific responsibilities and liabilities. 6

  7. Two Categories of Identity • Physical Identity – Assigned Identifier - Authentication • Facial picture, • Fingerprints • DNA sample • Identity Attributes – Authorization Attributes • Common name, • Address, • Institutional affiliations - e.g. faculty, student, staff, contractor, • Specific group memberships, • Roles, • Etc. 7

  8. Issuing a Digital Credential • Individual appears before an Identity Provider (IdP) which accepts the responsibility to • positively determine and catalog a person's uniquely identifying physical characteristics (e.g. picture, two fingerprints, DNA sample), • assign a unique, everlasting digital identifier to each person identified, • issue each identified person a digital credential that can only be used by that person to authenticate his or her identity, • maintain a defined affiliation with each individual whereby the validity of the digital credential is renewed at specified intervals. 8

  9. Assigns Everlasting Identifier Issues Digital Credential IdP Obtains Physical Characteristics Permanently Bound Person Only Activation Identifier Digital Credential Identity Vetting & Credentialing Identity Provider (IdP) uth.tmc.edu Permanent Identity Database Person 9

  10. The University of Texas SystemSTRATEGIC LEADERSHIP COUNCILStatement of DirectionIdentity ManagementApril 27, 2004 • The University of Texas System Information Technology Strategic Leadership Council agrees that deployment of a robust, secure, interoperable infrastructure for identity management in support of inter-institutional collaboration is a strategic goal. This infrastructure will be based upon the available standards and best practices: 10

  11. The University of Texas SystemSTRATEGIC LEADERSHIP COUNCILStatement of DirectionIdentity ManagementApril 27, 2004 • LDAP (Lightweight Directory Access Protocol) compliant directory services, • eduperson schema as promulgated by EDUCAUSE and Internet2, • utperson schema (to be developed) • inter-institutional access control utilizing Internet2 Shibboleth, and • consistent institutional definitions and identity management trust policies for students, faculty, and staff as well as sponsored affiliates. 11

  12. UTHSC-H Identity Management System HRMS SIS GMEIS UTP Guest MS Identity Reconciliation & Provisioning Processes Person Registry INDIS Authoritative Enterprise Directories OAC7 OAC47 User Administration Tools Attribute Management Sync Authentication Service Authorization Service Change Password Secondary Directories 12

  13. Person Registry • Identity Reconciliation • Unique Identifiers Generated by Source of Record • SSN – If Available (HRMS, GMEIS, UTP, Guest, SIS) • Student ID, • Employee Number - HRMS • Full Name • First, Middle, Last • Birth Information • Date of Birth, • City of Birth, • Country of Birth • Gender • UUID – An everlasting unique identifier 13

  14. Person Is New ? No matches or possible matches Add yes no Is Single Match ? Identifiers match one and only one person No possible matches Update yes no Identifiers match more than one person And / or Name or Birth information match one or more persons Is Possible Or Multiple Match ? Manual Processing yes 14

  15. Database Schema Identifier Table ID Name ID Value Person Table UUID Date of Birth Place of Birth Country of Birth Name Table First Middle Last Gender Male / Female 15

  16. UTHSC-H Identity Management System HRMS SIS GMEIS UTP Guest MS Identity Reconciliation & Provisioning Processes Person Registry INDIS Authoritative Enterprise Directories OAC7 OAC47 User Administration Tools Attribute Management Sync Authentication Service Authorization Service Change Password Secondary Directories 16

  17. Sponsor Submits Guest Request Applicant Appears Before LRAA LRAA Verifies Applicant’s Data LRAA Certifies Applicant’s Data Assign UUID, Add to Person Registry Identity Reconciliation Applicant Currently Affiliated Not in Person Registry Yes Applicant in Person Registry Guest Added to Guest Database No Possible Identity Match Guest Added to Guest Database Guest Request Voided LRAA Resolves ID Uncertainty LRAA Credentials Guest LRAA Credentials Guest

  18. Guest Management System Sponsor’s Request Forms Submission Unverified Applicant’s Data LRAA’s Review/Update Forms Review/Update Person Registry Verified Applicant’s Data Identity Management System LRAA’s Approval Form Submit to Reconciliation Enterprise LDAP Directory New Person? No Check Present Affiliations Yes Current Affiliations Yes No Approval Processes Void Sponsor’s Request Create LDAP Entry Guest DB

  19. 19

  20. Identity Vetting & Credentialing UTHSC-H Two Factor Authentication Identity Provider (IdP) uth.tmc.edu Permanent Identity Database Assigns Everlasting Identifier Issues Digital Credential IdP Obtains Physical Characteristics ? ? Permanently Bound Person Only Activation Identifier Person Digital Credential 20

  21. Identity Vetting & Credentialing UTHSC-H Username/Password Authentication Identity Provider (IdP) uth.tmc.edu Permanent Identity Database Assigns Everlasting Identifier Issues Digital Credential IdP Obtains Physical Characteristics ? ??????? Permanently Bound Person Only Activation Using Network Username Password Identifier Person Digital Credential 21

  22. UTHSC-H Strategic Authentication Goals • Two authentication mechanisms. • Single university ID (UID) and password • Public Key Digital ID on Token (two-factor authentication) • Digital Signatures • Highly Secure Access Control • Potential for inherent global trust 22

More Related