Download - IdM Campus Developers Meeting 6/18/07
![Page 1: IdM Campus Developers Meeting 6/18/07](https://reader030.vdocument.in/reader030/viewer/2022012919/568145ca550346895db2d193/html5/thumbnails/1.jpg)
IdM Campus Developers Meeting 6/18/07
IntroductionCUWebAuth 2.0 and K4-K5 UpgradeCentral AuthZ Phase 1ServiceID ManagerShibbolethIdM Provisioning Projects
OIT/CIT Security, Identity Management Team
![Page 2: IdM Campus Developers Meeting 6/18/07](https://reader030.vdocument.in/reader030/viewer/2022012919/568145ca550346895db2d193/html5/thumbnails/2.jpg)
Opening Remarks
Fast-track projectsEmergency mass notification supportActive Directory for Exchange
Andrea Beesing [email protected]
![Page 3: IdM Campus Developers Meeting 6/18/07](https://reader030.vdocument.in/reader030/viewer/2022012919/568145ca550346895db2d193/html5/thumbnails/3.jpg)
Fast-track projects
Launched at President Skorton’s request within the past few months/weeksImportant for different reasons Health and safety Cornell’s endowment
July targets for IdM work to complete with August go-lives
![Page 4: IdM Campus Developers Meeting 6/18/07](https://reader030.vdocument.in/reader030/viewer/2022012919/568145ca550346895db2d193/html5/thumbnails/4.jpg)
Emergency Mass Notification Support
Charge to the Cornell Emergency Management CommitteeMechanism for notifying community members by voicemail, email and cell phoneChanges to WhoIAm by August 15 for students, affiliates, sponsored exceptionsChanges to self-service front end for contact info for faculty and staff in early fall from WhoIAm to Employee EssentialsNew attributes in directory (all private)Personal cell phone attribute will have privacy selection
![Page 5: IdM Campus Developers Meeting 6/18/07](https://reader030.vdocument.in/reader030/viewer/2022012919/568145ca550346895db2d193/html5/thumbnails/5.jpg)
Active Directory for Exchange
Very narrow scope with attention to scalability for futureIntegration with other IdM infrastructure Kerberos Provisioning/enterprise directory
Phase II to follow Campus Steering Committee (members identified) Address broader campus needs, support model Please bring your concerns to my attention!
![Page 6: IdM Campus Developers Meeting 6/18/07](https://reader030.vdocument.in/reader030/viewer/2022012919/568145ca550346895db2d193/html5/thumbnails/6.jpg)
CUWebAuth 2.0 and K4-K5Current schedule keying on PS Student Records roll-out in Mar ’08 to reduce customer resource requirementsIssues with current code base used for web single sign-on argue for reassessing our approach to the Kerberos 5-only releaseTimeline for retirement of Kerberos 4 now three to six months out
Tom Parker [email protected]
![Page 7: IdM Campus Developers Meeting 6/18/07](https://reader030.vdocument.in/reader030/viewer/2022012919/568145ca550346895db2d193/html5/thumbnails/7.jpg)
Opportunity IdentifiedCan we use additional window in K4 shutdown schedule to position ourselves to better support our web-based authentication solution for the long term?Specifically:
Should we invest resources in rewriting CUWebAuth (used with applications) and CUWebLogin (infrastructure component)?
![Page 8: IdM Campus Developers Meeting 6/18/07](https://reader030.vdocument.in/reader030/viewer/2022012919/568145ca550346895db2d193/html5/thumbnails/8.jpg)
Feb Mar Apr May Jun
Kerberos 5 Upgrade: Where Are We Now?
Dec Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec Jan
Campu
s Roll
out C
omple
te
K4 Shu
tdow
n
PS Stu
dent
Lau
nch
You A
re H
ere
Discretionary migration window
6/14
Iden
tity M
anag
emen
t Roll
out
2007 2008
![Page 9: IdM Campus Developers Meeting 6/18/07](https://reader030.vdocument.in/reader030/viewer/2022012919/568145ca550346895db2d193/html5/thumbnails/9.jpg)
Feb Mar Apr May Jun
Where Are We Now?
Dec Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec Jan
Campu
s Roll
out C
omple
te
K4 Shu
tdow
n
PS Stu
dent
Lau
nch
•Code review (4 code bases)
Discretionary migration window
2007 2008
6/14
Iden
tity M
anag
emen
t Roll
out
You A
re H
ere
![Page 10: IdM Campus Developers Meeting 6/18/07](https://reader030.vdocument.in/reader030/viewer/2022012919/568145ca550346895db2d193/html5/thumbnails/10.jpg)
Feb Mar Apr May Jun
Where Are We Now?
Dec Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec Jan
Campu
s Roll
out C
omple
te
K4 Shu
tdow
n
PS Stu
dent
Lau
nch
•Code review (4 code bases)•Security audit (new vulnerabilities)
Discretionary migration window
2007 2008
6/14
Iden
tity M
anag
emen
t Roll
out
You A
re H
ere
![Page 11: IdM Campus Developers Meeting 6/18/07](https://reader030.vdocument.in/reader030/viewer/2022012919/568145ca550346895db2d193/html5/thumbnails/11.jpg)
Feb Mar Apr May Jun
Where Are We Now?
Dec Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec Jan
Campu
s Roll
out C
omple
te
K4 Shu
tdow
n
PS Stu
dent
Lau
nch
•Code review (4 code bases)•Security audit (new vulnerabilities)•Rollout requirements
(PS launch)
Discretionary migration window
2007 2008
6/14
Iden
tity M
anag
emen
t Roll
out
You A
re H
ere
![Page 12: IdM Campus Developers Meeting 6/18/07](https://reader030.vdocument.in/reader030/viewer/2022012919/568145ca550346895db2d193/html5/thumbnails/12.jpg)
Feb Mar Apr May Jun
Where Are We Now?
Dec Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec Jan
PS Stu
dent
Lau
nch
Campu
s Roll
out C
omple
te
K4 Shu
tdow
n
Discretionary migration window
•Code review (4 code bases)•Security audit (new vulnerabilities)•Rollout requirements
(PS launch)
2007 2008
6/14
Iden
tity M
anag
emen
t Roll
out
You A
re H
ere
![Page 13: IdM Campus Developers Meeting 6/18/07](https://reader030.vdocument.in/reader030/viewer/2022012919/568145ca550346895db2d193/html5/thumbnails/13.jpg)
Feb Mar Apr May Jun
Where Are We Now?
Dec Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec Jan
PS Stu
dent
Lau
nch
K4 Shu
tdow
n
Discretionary migration window
•Code review (4 code bases)•Security audit (new vulnerabilities)•Rollout requirements
(PS launch)
2007 2008
Campu
s Roll
out C
omple
te
6/14
Iden
tity M
anag
emen
t Roll
out
You A
re H
ere
![Page 14: IdM Campus Developers Meeting 6/18/07](https://reader030.vdocument.in/reader030/viewer/2022012919/568145ca550346895db2d193/html5/thumbnails/14.jpg)
Feb Mar Apr May Jun
Where Are We Now?
Dec Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec Jan
2007 2008
PS Stu
dent
Lau
nch
K4 Shu
tdow
n
Discretionary migration window
•Code review (4 code bases)•Security audit (new vulnerabilities)•Rollout requirements
(PS launch)
Campu
s Roll
out C
omple
te
6/14
Iden
tity M
anag
emen
t Roll
out
You A
re H
ere
![Page 15: IdM Campus Developers Meeting 6/18/07](https://reader030.vdocument.in/reader030/viewer/2022012919/568145ca550346895db2d193/html5/thumbnails/15.jpg)
Feb Mar Apr May Jun
Where Are We Now?
Dec Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec Jan
PS Stu
dent
Lau
nch
K4 Shu
tdow
n
window of opportunity
Discretionary migration window
•Code review (4 code bases)•Security audit (new vulnerabilities)•Rollout requirements
(PS launch)
2007 2008
Campu
s Roll
out C
omple
te
You A
re H
ere
6/14
Iden
tity M
anag
emen
t Roll
out
![Page 16: IdM Campus Developers Meeting 6/18/07](https://reader030.vdocument.in/reader030/viewer/2022012919/568145ca550346895db2d193/html5/thumbnails/16.jpg)
Current State Age of code = complexity = support burden for CIT and the customer High potential for introducing security vulnerabilities when changes are made both to code itself and individual app config files Difficulty providing product support for standard tools and new releases of operating systems
![Page 17: IdM Campus Developers Meeting 6/18/07](https://reader030.vdocument.in/reader030/viewer/2022012919/568145ca550346895db2d193/html5/thumbnails/17.jpg)
The Reasonable Options
CUWA/CUWL 1.5 – Attempt to fix what we haveCUWA/CUWL 2.0 – Re-build it the way it should beMove to an outside solution
- Yale CAS- Stanford WebAuth- CoSign
![Page 18: IdM Campus Developers Meeting 6/18/07](https://reader030.vdocument.in/reader030/viewer/2022012919/568145ca550346895db2d193/html5/thumbnails/18.jpg)
Service goals consideredImpact of change on campus developer community Minimal work required to migrate to new versions Support for required functionality
Predictability of user experienceLong-term viability of CIT’s authentication solution for web-based services Performance and scalability as use of CUWA and CUWL
increase Support for new server operating systems and web servers
(Apache, IIS) Support for future enhancements to authentication and
authorization
Security of central authentication servicesEfficient use of scarce CIT resources
![Page 19: IdM Campus Developers Meeting 6/18/07](https://reader030.vdocument.in/reader030/viewer/2022012919/568145ca550346895db2d193/html5/thumbnails/19.jpg)
Proposal
Consider rewrite of CUWA and CUWL based on high-level design reviewed by ATA, IS, IT Security and campus development partners Advantages identified to date Merging CUWA into one code base, down from two Separate security configuration from other
configuration parameters, leading to fewer security issues for apps
Ability to routinely support new operating systems Compatibility with standard tools (ex: PHP)
![Page 20: IdM Campus Developers Meeting 6/18/07](https://reader030.vdocument.in/reader030/viewer/2022012919/568145ca550346895db2d193/html5/thumbnails/20.jpg)
Feb Mar Apr May Jun
Recommendation
Dec Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec Jan
Ide
PS Stu
dent
Lau
nch
Develo
p CUW
ebAut
h 2.
0
•CUWebAuth 2.0 Implementation•Late Fall 2007 deployment•Maintain migration window
Discretionary migration window
2007 2008
K4 Shu
tdow
n
Campu
s Roll
out C
omple
te
Iden
tity M
anag
emen
t Roll
out
![Page 21: IdM Campus Developers Meeting 6/18/07](https://reader030.vdocument.in/reader030/viewer/2022012919/568145ca550346895db2d193/html5/thumbnails/21.jpg)
Five Questions from SRM
1. Why not go with CUWA 1.5?2. What do we get by writing CUWA
2.0?3. Will we have to give up other work?4. What are the longer-term
implications?5. Would an outside solution be
smarter?
![Page 22: IdM Campus Developers Meeting 6/18/07](https://reader030.vdocument.in/reader030/viewer/2022012919/568145ca550346895db2d193/html5/thumbnails/22.jpg)
1. Why not go with CUWA 1.5?
Condition of 8-year-old code has become a support burden Significant work required for even minor changes Impact of change on other portions of code difficult to test
prior to release, results in more problems for campus service providers
More bugs and security vulnerabilities as a result Currently requires 2 FTE’s
Increasing campus dependency on CUWebLogin = scalability and performance issues SideCar limitations and scheduled retirement Preference for web-based applications
![Page 23: IdM Campus Developers Meeting 6/18/07](https://reader030.vdocument.in/reader030/viewer/2022012919/568145ca550346895db2d193/html5/thumbnails/23.jpg)
2. What do we get by writing CUWA 2.0?
Product that is easier to maintain Simpler protocol Legacy dependencies eliminated Less code duplication (one code base instead of four) More extensible code (and all within local control)
More secure protocolMore scalable web single sign-on solutionNo loss of required functions and featuresRelatively minimal impact on campus developers
![Page 24: IdM Campus Developers Meeting 6/18/07](https://reader030.vdocument.in/reader030/viewer/2022012919/568145ca550346895db2d193/html5/thumbnails/24.jpg)
3. Will we have to give up other work?
Overall development effort not much different-CUWA 1.5 estimated 23.8 FTE weeks-CUWA 2.0 estimated 25.6 FTE weeks
CUWA 1.5 work requires the skill-set of four members of current IdM teamCUWA 2.0 work will require skill-set of only two members of current IdM teamCUWA 2.0 choice frees up skill set required for key projects like Active Directory, PS/STARS, Automated Provisioning, Grouper/Signet
![Page 25: IdM Campus Developers Meeting 6/18/07](https://reader030.vdocument.in/reader030/viewer/2022012919/568145ca550346895db2d193/html5/thumbnails/25.jpg)
4. What are the longer-term implications?
Lower maintenance cost, from 2 FTE’s to 1Better securityMore predictable user experiencePositions us better for future enhancements to authentication and authorization servicesOpportunity for open-source release
![Page 26: IdM Campus Developers Meeting 6/18/07](https://reader030.vdocument.in/reader030/viewer/2022012919/568145ca550346895db2d193/html5/thumbnails/26.jpg)
5. Would an outside solution be smarter?
Assessment is “no” based on more than 150 hrs of researchAlternatives may offer short-term wins for IdM development teamBut would have significantly higher impact on user communityUsing these solutions off-the-shelf, without mods:
-we give up features we currently have (ex: POST data support)-or we accept the same vulnerabilities we have with CUWA 1.5
Making mods to these outside solutions-may take as much or more time as re-writing CUWA 2.0-requires unknown level of cooperation with other
institutions -may cause entanglements and dependencies beyond our
control
![Page 27: IdM Campus Developers Meeting 6/18/07](https://reader030.vdocument.in/reader030/viewer/2022012919/568145ca550346895db2d193/html5/thumbnails/27.jpg)
Summary Pros and Cons
Webauth 1.5 Lowest short-
term risk Limited benefit
Webauth 2.0 Best long term
solution Slightly more
short-term work
CAS Great java
integration Most expensive for
the rest of campus. Security not great
Stanford Lowest deployment
cost for Identity Management
Complex infrastructure and missing features
![Page 28: IdM Campus Developers Meeting 6/18/07](https://reader030.vdocument.in/reader030/viewer/2022012919/568145ca550346895db2d193/html5/thumbnails/28.jpg)
A Closer look at the CAS Experience
Initial contacts with Rutgers and Indiana UniversityPosting to the Yale CAS mailing listResults from:
Rutgers Cal Poly University of Connecticut Indiana University Virginia Tech University of Hawaii Stanford Duke
![Page 29: IdM Campus Developers Meeting 6/18/07](https://reader030.vdocument.in/reader030/viewer/2022012919/568145ca550346895db2d193/html5/thumbnails/29.jpg)
General FindingsCAS has an enthusiastic following and an active developer communityCAS works well for institutions which have no significant authentication and authorization infrastuctures already in placeCAS works close to the application layer. This is fundamentally different from CUWA CAS doesn’t address authorization at all
Cornell is ahead of most on the AuthZ front Going to CAS would be a significant step backwards on AuthZ
The Indiana University experience is likely a good example of what would happen if we attempted to make CAS work for us:
Post Data support GuestID and TokenID support IIS and Apache mods IU is now working from its own code base, rooted in CAS 2.0
![Page 30: IdM Campus Developers Meeting 6/18/07](https://reader030.vdocument.in/reader030/viewer/2022012919/568145ca550346895db2d193/html5/thumbnails/30.jpg)
Converting to CASWe have roughly 212 services actively using CUWebAuth. Of these services 50% would be simple conversions to CAS, averaging 1 day each for application plus 2 days for training; 3 days total. Another 25% (50+ services) would be relatively easy conversions, but would need to add code to do central authorization. Add 5 days for that; 8 days per serviceThe remaining 25% (50+ services) would be in the more difficult category. some of this involves static content some involves vendor integration some would have special central authorization needs some are currently supported by non-programmers who will need to
outsource the deployment some are a combination of some or all of these..
Time required to convert these services: unknown, but we are conservatively estimating 25 days (or roughly one FTE month per service to develop, test, deploy..)
![Page 31: IdM Campus Developers Meeting 6/18/07](https://reader030.vdocument.in/reader030/viewer/2022012919/568145ca550346895db2d193/html5/thumbnails/31.jpg)
Initial Estimate
CUWebAuth 2.0 FTE weeks per service: 0.5 weeks or less 0.5 x 212 = 106 FTE weeks FTE weeks IdMgt: 25.6 FTE ongoing Maint: 1
CAS FTE weeks per service: 2 weeks on average 2 x 212 = 424 FTE weeks FTE weeks IdMgt: 23 FTE ongoing Maint: 1
![Page 32: IdM Campus Developers Meeting 6/18/07](https://reader030.vdocument.in/reader030/viewer/2022012919/568145ca550346895db2d193/html5/thumbnails/32.jpg)
Current Assumptions
AuthZ Project Dependency> Permit Server replacement complete> I2 Grouper in production
No significant higher priority projects tap our current (very limited) resource pool> Emergency Notification Service> Applicant Provisioning> Active Directory/Exchange Server deployment
![Page 33: IdM Campus Developers Meeting 6/18/07](https://reader030.vdocument.in/reader030/viewer/2022012919/568145ca550346895db2d193/html5/thumbnails/33.jpg)
Transparent cutover of Permit Server to GrouperNew UI for service owners and application developers
Central Authorization Phase 1
Tom Parker [email protected]
![Page 34: IdM Campus Developers Meeting 6/18/07](https://reader030.vdocument.in/reader030/viewer/2022012919/568145ca550346895db2d193/html5/thumbnails/34.jpg)
Under DevelopmentPermit ShimPermit migration applicationOrganizational namespaceGrouper UIServiceID Manager applicationUser documentation and trainingDetailed test planDetailed launch and back-out planLoad testing
![Page 35: IdM Campus Developers Meeting 6/18/07](https://reader030.vdocument.in/reader030/viewer/2022012919/568145ca550346895db2d193/html5/thumbnails/35.jpg)
![Page 36: IdM Campus Developers Meeting 6/18/07](https://reader030.vdocument.in/reader030/viewer/2022012919/568145ca550346895db2d193/html5/thumbnails/36.jpg)
New ServiceID Manager Application
What is a ServiceID? People are going to be requesting keytabs to replace their srvtabs as we move to Kerberos 5 Needed a more automated process Needed better information about who owns ServiceIDs and what they are used for ServiceIDs will need to be available in the Directory for the Grouper Authorization Project (Permit server replacement.)
Joy Veronneau [email protected]
![Page 37: IdM Campus Developers Meeting 6/18/07](https://reader030.vdocument.in/reader030/viewer/2022012919/568145ca550346895db2d193/html5/thumbnails/37.jpg)
![Page 38: IdM Campus Developers Meeting 6/18/07](https://reader030.vdocument.in/reader030/viewer/2022012919/568145ca550346895db2d193/html5/thumbnails/38.jpg)
![Page 39: IdM Campus Developers Meeting 6/18/07](https://reader030.vdocument.in/reader030/viewer/2022012919/568145ca550346895db2d193/html5/thumbnails/39.jpg)
![Page 40: IdM Campus Developers Meeting 6/18/07](https://reader030.vdocument.in/reader030/viewer/2022012919/568145ca550346895db2d193/html5/thumbnails/40.jpg)
![Page 41: IdM Campus Developers Meeting 6/18/07](https://reader030.vdocument.in/reader030/viewer/2022012919/568145ca550346895db2d193/html5/thumbnails/41.jpg)
![Page 42: IdM Campus Developers Meeting 6/18/07](https://reader030.vdocument.in/reader030/viewer/2022012919/568145ca550346895db2d193/html5/thumbnails/42.jpg)
Shibboleth Update
“Shibboleth is standards-based, open source middleware software [from Internet2] which provides Web Single SignOn (SSO) across or within organizational boundaries. It allows sites to make informed authorization decisions for individual access of protected online resources in a privacy-preserving manner.”
Joy Veronneau [email protected]
![Page 43: IdM Campus Developers Meeting 6/18/07](https://reader030.vdocument.in/reader030/viewer/2022012919/568145ca550346895db2d193/html5/thumbnails/43.jpg)
What Does Shibboleth Look Like?
![Page 44: IdM Campus Developers Meeting 6/18/07](https://reader030.vdocument.in/reader030/viewer/2022012919/568145ca550346895db2d193/html5/thumbnails/44.jpg)
FederationsThink about your ATM card and various bank federations like: NYCE, PLUSThey trust each other.InCommon Federation: a group of 50+ Higher Education institutions (including Cornell-Ithaca) and sponsored participants (including EBSCO, Napster.)InCommon uses Shibboleth as its federating software.
![Page 45: IdM Campus Developers Meeting 6/18/07](https://reader030.vdocument.in/reader030/viewer/2022012919/568145ca550346895db2d193/html5/thumbnails/45.jpg)
Why we’re interested in Shibboleth:
(Napster used Shibboleth.)We would like to eventually have a “Cornell Federation” with Ithaca, Weill and Qatar.Solves other problems. (example coming up!)Shibboleth fits in well with our electronic directory, CUWebLogin, and Grouper.
![Page 46: IdM Campus Developers Meeting 6/18/07](https://reader030.vdocument.in/reader030/viewer/2022012919/568145ca550346895db2d193/html5/thumbnails/46.jpg)
Shibboleth SimplifiedIdentity Provider (IdP) - protected by CUWebLoginService Provider (SP) - protects an application like the EBSCO website. Knows how to ask “Where are you from?” and then talks to your Identity Provider.Both an IdP and an SP can be configured to talk to more than one Federation.
![Page 47: IdM Campus Developers Meeting 6/18/07](https://reader030.vdocument.in/reader030/viewer/2022012919/568145ca550346895db2d193/html5/thumbnails/47.jpg)
![Page 48: IdM Campus Developers Meeting 6/18/07](https://reader030.vdocument.in/reader030/viewer/2022012919/568145ca550346895db2d193/html5/thumbnails/48.jpg)
IdM Provisioning Projects
Alumni NetID CreationApplication ChangesSTARS Applicant ProvisioningStaff NetID Provisioning
Bill Turner [email protected]
![Page 49: IdM Campus Developers Meeting 6/18/07](https://reader030.vdocument.in/reader030/viewer/2022012919/568145ca550346895db2d193/html5/thumbnails/49.jpg)
Alumni NetID CreationAlumni NetID creation began 12/12/2006 and was completed 12/22/2006189,661 records were identified by AAD as Alumni with mailable addresses66,974 had existing NetIDs121,562 new NetIDs were createdFinal count for mailing after deduping etc. was 188,782
![Page 50: IdM Campus Developers Meeting 6/18/07](https://reader030.vdocument.in/reader030/viewer/2022012919/568145ca550346895db2d193/html5/thumbnails/50.jpg)
Cleanup processes
Lots of work identifying and dealing with duplicate and problem records And lots more to go
After further discussion and consideration, project sponsor decided to remove Activation Code for all active non-Alumni NetIDs
![Page 51: IdM Campus Developers Meeting 6/18/07](https://reader030.vdocument.in/reader030/viewer/2022012919/568145ca550346895db2d193/html5/thumbnails/51.jpg)
Applications changes
New version of WhoIAm that is Alumni-friendlyRetired old “CU-Connect” processNew NetID Management Web application implemented 2/20/2007 Jointly developed by IS and Identity
Management Owned by Identity Management To be phased in for use by all
![Page 52: IdM Campus Developers Meeting 6/18/07](https://reader030.vdocument.in/reader030/viewer/2022012919/568145ca550346895db2d193/html5/thumbnails/52.jpg)
User processes
Letters went out beginning 2/16NetID activation by Alumni began 2/20 Actual use by newly-provisioned Alumni
Authenticated trustee balloting began 2/20 Actual use by newly-provisioned Alumni
![Page 53: IdM Campus Developers Meeting 6/18/07](https://reader030.vdocument.in/reader030/viewer/2022012919/568145ca550346895db2d193/html5/thumbnails/53.jpg)
Project timeline
3/5/2006 3/31/2007
4/1/2006 5/1/2006 6/1/2006 7/1/2006 8/1/2006 9/1/2006 10/1/2006 11/1/2006 12/1/2006 1/1/2007 2/1/2007 3/1/2007
3/06 - 10/06Planning
10/06 - 1/07Design and Implementation
1/07 - 2/07Batch
& mailings
2/07 - 3/07Activations
& voting
![Page 54: IdM Campus Developers Meeting 6/18/07](https://reader030.vdocument.in/reader030/viewer/2022012919/568145ca550346895db2d193/html5/thumbnails/54.jpg)
Effects on campus
All mailable living alumni now have a NetID, an entry in the “cu.alumni” permit, and a Directory entry with type “alumni” (if not staff etc.) Alumni processes for Email forwarding etc. now the same as for students and staff
![Page 55: IdM Campus Developers Meeting 6/18/07](https://reader030.vdocument.in/reader030/viewer/2022012919/568145ca550346895db2d193/html5/thumbnails/55.jpg)
Effects on campus
Still a lot more “cu-connect - directory” type individuals in the DirectoryElimination of “cu.alumni_directory” permit yet to be accomplishedStorage of Email addresses in the Directory, PS, etc. yet to be accomplished
![Page 56: IdM Campus Developers Meeting 6/18/07](https://reader030.vdocument.in/reader030/viewer/2022012919/568145ca550346895db2d193/html5/thumbnails/56.jpg)
Pending work
Further de-duping of records 1000+ records that are known duplicates “cu-connect” records that are difficult to
match
![Page 57: IdM Campus Developers Meeting 6/18/07](https://reader030.vdocument.in/reader030/viewer/2022012919/568145ca550346895db2d193/html5/thumbnails/57.jpg)
Project Successes
Provisioning went quite smoothlyA lot of data cleaned upManual processes now automated CU Connect Batch NetID creation by Production Control
Applications updatedSecurity questions/Forgotten password utilities in place
![Page 58: IdM Campus Developers Meeting 6/18/07](https://reader030.vdocument.in/reader030/viewer/2022012919/568145ca550346895db2d193/html5/thumbnails/58.jpg)
STARS applicant provisioning
Beginning in Fall 2007, applicants will be processed in PeopleSoftInstead of custom provisioning in the Undergraduate Admissions self-service application, applicants will authenticate with Kerberos both to PeopleSoft self-service and to the Undergraduate Admissions self-service application
![Page 59: IdM Campus Developers Meeting 6/18/07](https://reader030.vdocument.in/reader030/viewer/2022012919/568145ca550346895db2d193/html5/thumbnails/59.jpg)
Applicant provisioning
Applicants will be given an “ApplicantID”ApplicantID will be analogous to NetIDThe format will be “app” plus the 2-digit year for which the person is applying, followed by a period, followed by what the person’s NetID will be should they attend CornellExample: app08.wrt1
![Page 60: IdM Campus Developers Meeting 6/18/07](https://reader030.vdocument.in/reader030/viewer/2022012919/568145ca550346895db2d193/html5/thumbnails/60.jpg)
Applicant provisioning
ApplicantID will be a Kerberos principalIt will be created in the “guest KDC” The “guest KDC” is somewhat of a
misnomer, but it’s the Kerberos server that we use for Blackboard “guest IDs”
![Page 61: IdM Campus Developers Meeting 6/18/07](https://reader030.vdocument.in/reader030/viewer/2022012919/568145ca550346895db2d193/html5/thumbnails/61.jpg)
Applicant provisioning
Using the guest Kerberos server means that campus applications are not automatically opened up to applicants CUWebAuth can already be configured to use
the prod Kerberos and/or the guest Kerberos Application owners and service providers can
decide whether they want to accept applicant credentials
![Page 62: IdM Campus Developers Meeting 6/18/07](https://reader030.vdocument.in/reader030/viewer/2022012919/568145ca550346895db2d193/html5/thumbnails/62.jpg)
Applicant provisioning
Applicants will be in the Directory, but in their own branch ou=Applicants not ou=People They will not show up in existing Directory
searches The same schema will be used, but not fully
populated
This is needed because PeopleSoft self-service relies on the Directory for authorization
![Page 63: IdM Campus Developers Meeting 6/18/07](https://reader030.vdocument.in/reader030/viewer/2022012919/568145ca550346895db2d193/html5/thumbnails/63.jpg)
Applicant provisioning
Applicants will be in a cu.applicants permitThis allows the standard permit checks that are built into infrastructure components such as CUWebAuth
![Page 64: IdM Campus Developers Meeting 6/18/07](https://reader030.vdocument.in/reader030/viewer/2022012919/568145ca550346895db2d193/html5/thumbnails/64.jpg)
Applicant provisioning
ApplicantIDs will be a less secure credential ApplicantIDs and activation codes will be
communicated to the end users via Email ApplicantIDs can be used only for less
secure information such as checklists ApplicantIDs cannot be used to
communicate financial or other sensitive information
![Page 65: IdM Campus Developers Meeting 6/18/07](https://reader030.vdocument.in/reader030/viewer/2022012919/568145ca550346895db2d193/html5/thumbnails/65.jpg)
Applicant provisioning
ApplicantID management will be very similar to NetID management Activation Change password Set security questions Reset forgotten password
Web application will be a clone of http://netid.cornell.edu
![Page 66: IdM Campus Developers Meeting 6/18/07](https://reader030.vdocument.in/reader030/viewer/2022012919/568145ca550346895db2d193/html5/thumbnails/66.jpg)
Applicant provisioning
When an applicant is accepted and pays the deposit, the NetID will be created as at present NetID and activation code will be
communicated via US mail When the NetID is activated, the
ApplicantID will be deactivated
All ApplicantIDs will be deleted at the end of the annual admissions cycle
![Page 67: IdM Campus Developers Meeting 6/18/07](https://reader030.vdocument.in/reader030/viewer/2022012919/568145ca550346895db2d193/html5/thumbnails/67.jpg)
Project timelineAugust 2007: ApplicantID management Web application in place, NetID Admin software changes to support ApplicantID creationSeptember 2007: ApplicantID creation begins with STARS go-live Undergraduate Admissions self-service
application Kerberized and accepts ApplicantIDs for authentication
PeopleSoft self-service accepts ApplicantIDs for authentication
![Page 68: IdM Campus Developers Meeting 6/18/07](https://reader030.vdocument.in/reader030/viewer/2022012919/568145ca550346895db2d193/html5/thumbnails/68.jpg)
Staff NetID provisioning
Beginning June 2006, NetIDs and activation codes for new staff are communicated to hiring offices via HR Online Not all units use HR Online Paper process of requesting an initial
password still in place
Results have in general been good
![Page 69: IdM Campus Developers Meeting 6/18/07](https://reader030.vdocument.in/reader030/viewer/2022012919/568145ca550346895db2d193/html5/thumbnails/69.jpg)
Staff NetID provisioning
Over the past year, use of HR Online has increasedPaper “initial password” form does not pass Audit requirementsHR planning to phase out paper form this Fall
![Page 70: IdM Campus Developers Meeting 6/18/07](https://reader030.vdocument.in/reader030/viewer/2022012919/568145ca550346895db2d193/html5/thumbnails/70.jpg)
http://identity.cit.cornell.edu/projects/index.html