The Enterprise Authentication Implementation Roadmap
Several new business needs are pushing campuses to rethink their authentication and related identity management infrastructures to enable appropriate interoperability with sister institutions, the Federal Government, industry, and other partners. The Enterprise Authentication Implementation Roadmap describes a recommended approach that campuses can use in building enterprise authentication services in this new environment. It attempts to help campuses develop appropriate processes and architectures, whether you are implementing a small project with an authentication component or retooling your environment in preparation for joining a federation such as InCommon®. This Roadmap also discusses identity management and the relationship between associated concepts as well as specific technology, policy and management issues related to enterprise authentication.
Authentication (and Identity Management) require close collaboration of the business units, IT, service providers, and users. The security of a particular service or system is only as strong as its weakest link.
- If an IT shop runs a great Kerberos authentication server, creates initial credentials for the new students, but doesn't know if the userids and passwords are distributed to the right people in the orientation process, the security of the service could be compromised.
- If a service provider deploys an application that screen scrapes the central userid/password and stores it locally, the security of the service could be compromised.
- If IT spends time and money deploying a highly secure authentication service for an application that poses little risk to the institution, at least some of the resources could have been better used elsewhere.
- If a department deploys an application with its own authentication support and the usage grows enough that the deployer asks to add the service to the enterprise authentication system, campus authentication and thus the resources it protects could be compromised.
Setting overall priorities for the service, prioritizing where the dollars are to be spent, setting appropriate expectations and plans, and effective training and communication are all critical.
The Authentication Implementation Roadmap has been gleaned from the work and experiences of many campuses and offers the following aids to IT management:
- a model institutions can use to begin aligning their authentication systems to support the emerging trend towards federation in higher-education.
- an approach that encourages readers to consider the broader issues of risk related to operating in this new complex environment.
- a step-by-step process, case studies, and tools that readers can use to determine what should be changed on their campuses.
- a guide for generating the questions and determining the decision-points specific to a campus environment for authentication projects with either small, application-specific or large enterprise scopes.
The Roadmap does not:
- include detailed technical information about authentication methodologies
- replace a book on good IT project management approaches
You may review this roadmap with specific questions relating to password reset practices, technologies, and the like; or you may have a small or large scope for your authentication-related project. Whatever your interest, you are strongly encouraged to read through The Need for Change and Develop your Plan for Change sections and begin aligning your practices and infrastructure, even in a small way, to accommodate this new model
The bulk of this work is derived from the MACE (Middleware Architecture Committee for Education), Internet2 and EDUCAUSE working groups and is the second in a series of Roadmaps providing guidance to higher education about implementing identity management. (See the Enterprise Directory Implementation Roadmap for information on deploying enterprise directories.) For a history of this Roadmap, see the Change Log.
This web site is a compendium of many individuals' experiences and knowledge. Many thanks are offered to Daniel Arrasjid, Tom Barton, Kathleen Barzee, Andrea Beesing, Jessica Bibbee, Mark Bruhn, Gary Chapman, Jacqueline Craig, Jim Dillon, Renee Frost, Scott Fullerton, Andrea Gregg, Keith Hazelton, Karl Heins, Paul Hill, Kevin McGowan, Margaret O'Donnell, Steve Olshansky, Barry Ribbeck, Jack Suess, David Walker, Steve Worona, and the Case Study authors, as well as Mike Stockwell from Cranking Graphics. All errors, misrepresentations, and confusions are solely owned by the persons responsible for the compilation and editing.
|NSF Middleware Initiative
Steven Carmody, Brown University
Ann West, EDUCAUSE/Internet2/
Michigan Technological University
Copyright © 2006 by Internet2, EDUCAUSE, and/or the respective authors.
This material is based in whole or in part on work supported by the National Science Foundation under the NSF Middleware Initiative - Grant No. OCI-0330626. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation (NSF).
Comments to: awest at educause.edu