Technical Primer: Identifiers
Internet2 Base CAMP, Boulder, Colorado, June 2002
Identifiers – Why so important?
• Foundation of middleware infrastructure – if you can find it, it will receive services.
• Policy laundry service – clean out the fuzz bunnies.
• Crossing borders – mapping from one system’s identifier to another.
• Share the wealth – the right identifier may work across multiple systems.
• Abuse the wealth – one identifier may enable the activation of additional identifiers.
Identifiers – Key Issues
• Policy
  – Authoritative source
  – How formed
  – Permanence
  – Where used
• Relationships
  – Mapping between/among subject and subject’s identifiers
  – Dependencies between identifiers
Identifier Characteristics
• Lucent or opaque? (human readability)
  – For human ease of use, names are good
  – Machines can handle numbers, big numbers
  – Consider privacy issues
• Provisioning – who/what/when
  – Central vs. distributed assignment
  – Resolving the identifier to the human
• Persistence
  – Permanent? Reassignable (when)?
  – Revokable?
Identifier Types
• Unique Universal Identifier (uuid)
  – Primary internal identifier, centrally provided
  – Human unfriendly
  – Assigned to all current active users
  – Non-revokable, non-reassignable
  – Linked to by all other identifiers
Identifier Types
• Person Registry ID
  – Used to resolve identity among systems
  – Opaque, centrally administered, persistent, big
  – All affiliates should have a registry ID
• Account login, netid
  – Often the same – provide access to electronic resources
  – Lucent
  – Authentication required for ownership
  – Preferable to have central provisioning
Identifier Types
• Social Security Number
  – It was such a great identifier (persistent, centrally provisioned) but…
  – Legal restrictions on use
  – Not applicable to foreigners
• Email address
  – Typically human-friendly
  – Especially helpful if centrally provisioned
  – May use in combination with email aliases
Identifier Types – Departmental IDs with enterprise scope
• Library cards, ID cards
  – Policies require scrutiny
  – Helpful if linked to uuid
• Pseudonymous IDs
  – Unique, opaque identifier to ensure privacy to the external world
• Administrative system IDs
  – Employee IDs, Student IDs, etc.
  – Typically centrally assigned
  – May have competing policies
Managing Identifiers – Preparation through understanding
Inventory of identifiers:
• Scope… who issues, what populations, resources used for, entities, policy and enforcement
• Operational issues… reassignment, directory access keywords, user- or machine-assigned, proof of identity, change requests
• Interrelationships… policies re. use of the central authentication identifier, synchronization of authentication identifiers, assignment to all affiliates, prerequisite identifiers
Identifier Mapping
For each identifier:
• Map to functional needs
• Establish key characteristics
• Document relationships among identifiers
• Identify policy issues
• Document data flows into/among identifiers
• Fix – or acknowledge – problems
Identifier Map

| Name | Use | Chars | Notes | Who assigns | Who receives | Where | Format/Example |
|---|---|---|---|---|---|---|---|
| Unix login | Account, modem, labs | Reassign, revoke, human | Multi-sys admin; revoke if inactive affiliation | ITS, sysadmins | Active faculty, staff, students, sponsors | Individual servers, uniquid | 8 char alphanumeric; Vaughan |
| SID | SIS identifier | Non-reassign, revoke, unique to SIS | SSN else 9N; change allowed | Registrar or system | Students, incl. continuing ed | SIS | 9N |
| SSN | Former HR ID, FIS ID, ememo ID | Non-reassign, non-revoke, unique in USA | Replaced by emplid in HR | US Gov | All receiving taxable $$ in US | PS HR, FIS, SIS, Buff1Card | 9N |
Identity Management – Reconciliation
The million dollar question: does this person already exist?
• Map incoming attributes to existing attributes
  – Incoming Employee ID = existing employee ID?
  – Incoming SID = existing SID?
  – Incoming SSN = existing SSN, existing SID, previous SID?
• If there is a matching identifier, still check for a (dob + gender) match
• If there is no matching identifier, look for a (dob + gender + name) match
Registry Identifier Mapping
• Distinct sources for distinct roles
• Unique identifiers for each system
• Blending together to build a CU Person
• Generating a unique directory entry:
  dn: uuid=123456789,ou=people,dc=colorado,dc=edu

Source systems feeding the CU Person (uuid):

| Source | Role / data | Identifier |
|---|---|---|
| HR | fac/staff | empID |
| SIS | student | SID |
| FIS | faculty | SSN |
| Uniquid | accounts | unix ID |
| IDcard | photos | ISO |
| Telecom | phone location | phone # |
Identifier mapping results
• Policy regarding registry uuid, directory dn
  – Automatically generated for each new affiliate
  – Permanent, non-revokable, non-reassignable
  – Public
• Policy-based identity reconciliation logic
  – SIS and HR are the only trusted identity sources
  – HR has precedence over SIS for SSN
  – Identifiers not guaranteed across systems (dob, gender)
  – Source system identifiers must map to uuid
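The reconciliation rules from the Reconciliation slide and the policy bullets above (identifier match, then a dob + gender check, dob + gender + name as the fallback, only HR and SIS trusted, HR taking precedence over SIS for SSN), as an added Python example that is not part of the original presentation. The Person record, its field names and the sample values are constructed assumptions.

```python
from dataclasses import dataclass

TRUSTED_SOURCES = {"HR", "SIS"}  # only these sources may create or merge identities

@dataclass
class Person:
    uuid: str                 # permanent, non-reassignable registry identifier
    emplid: str = ""          # HR identifier
    sid: str = ""             # SIS identifier (historically the SSN, else 9N)
    previous_sids: tuple = ()
    ssn: str = ""
    dob: str = ""
    gender: str = ""
    name: str = ""

def identifier_hit(incoming: dict, rec: Person) -> bool:
    # Step 1: emplid, SID, or SSN against the existing SSN / SID / previous SIDs
    return bool(
        (incoming.get("emplid") and incoming["emplid"] == rec.emplid)
        or (incoming.get("sid") and incoming["sid"] == rec.sid)
        or (incoming.get("ssn") and incoming["ssn"] in (rec.ssn, rec.sid, *rec.previous_sids))
    )

def merge(source: str, incoming: dict, rec: Person) -> None:
    # copy source identifiers onto the registry record; HR wins over SIS for SSN
    if source == "HR":
        rec.emplid = incoming.get("emplid") or rec.emplid
        rec.ssn = incoming.get("ssn") or rec.ssn
    else:  # SIS: never overwrite an SSN that HR already supplied
        rec.sid = incoming.get("sid") or rec.sid
        rec.ssn = rec.ssn or incoming.get("ssn", "")

def reconcile(source: str, incoming: dict, registry: list) -> tuple:
    # returns ('match', uuid), ('exception', uuid) or ('new', None)
    if source not in TRUSTED_SOURCES:
        raise ValueError(f"{source} is not a trusted identity source")
    demo = (incoming.get("dob"), incoming.get("gender"))
    for rec in registry:
        if identifier_hit(incoming, rec):
            # Step 2: an identifier hit must still agree on dob + gender
            if demo == (rec.dob, rec.gender):
                merge(source, incoming, rec)
                return "match", rec.uuid
            return "exception", rec.uuid  # refer to the system/data owners
    for rec in registry:  # Step 3: no identifier hit, try dob + gender + name
        if demo + (incoming.get("name"),) == (rec.dob, rec.gender, rec.name):
            merge(source, incoming, rec)
            return "match", rec.uuid
    return "new", None
```

An 'exception' result is the case the Identifier puzzlers slide calls a reconciliation exception: the identifier agrees but the demographics do not, so the record is held for the data owners rather than merged.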
Identifier puzzlers
• Resolving reconciliation exceptions
  – Coordination among system/data owners
  – Correction process
• Gathering identity attributes from ‘external’ affiliates
  – Coordinating policies
  – Identity interoperability among technologies
Discuss!