Getting Started
For most campuses, the order for implementing the pieces of identity and access management infrastructures is roughly the same.
The first step is project planning, followed by mapping the electronic identifiers and developing the campus namespace. Next, directory services are deployed, which merge data from diverse sources into one or more application lookup repositories. Typically, campus authentication follows, and then, most challenging, authorization.
The sections below cover the middleware functions listed in the order outlined above, and the resources included under those sections provide an entry-level view for campuses planning for or just starting their deployments. For a complete list of the software, practices, schemas, and white papers developed and supported by NMI-EDIT, refer to Releases.
For information on current research, refer to the Internet2 Middleware web site. For background and overview of identity and access management, see the Context page.
Case Studies
NMI-EDIT is working with campuses to highlight interesting case studies on implementing identity management. Below are the first of a growing list.
- California State University System: The Identity Management Collaborative: Remote Middleware Support (PDF)
- University of Alaska System: Identity Management and Enterprise Directories in a University System (PDF)
- Great Plains Network Consortium:
- University of Texas System: "Extending the Reach" Case Studies (PDF)
- Carleton College: Identity Management and Enterprise Directories at a Smaller Institution (PDF)
- University of Colorado at Boulder: Identity Management Governance (PDF)
- Georgia State University: Building an Identity Management Infrastructure for the eUniversity (PDF)
- Exploring Technical and Policy Considerations for Inter-Institutional Grids: NMI Testbed Grid (PDF)
- Technical Supplement: Authentication & Authorization in SURAgrid: Concepts and Technologies (PDF)
- Research Experiences for Undergraduates within the NMI Integration Testbed Program (PDF)
- University of Florida: Identifiers, Social Security Numbers, and Identity Management (PDF)
- Florida State University: Identity Management & NMI-Component Integration (PDF)
- University of Michigan: How Grid Science and MGRID are Changing Research and Education (PDF)
- University of Southern California: Shibboleth and Pubcookie at USC-Authentication and Authorization for All (PDF)
- University of Virginia: Campus PKI Services/Bridge CA (PDF)
- University of Virginia: Protein Folding on the Grid (PDF)
Project Planning
Below are resources you can use to help with the project planning. There are additional resources available in the Enterprise Directory Implementation Roadmap.
- Identity and Access Management: Technological Implementation of Policy (PDF) was published in AACRAO's College and University Journal and provides registrars with an overview of and business rationale for identity and access management.
- Identity Management Project Readiness Self-Assessment Checksheet (PDF) is intended to identify factors at your school that other campuses have found to be important in their identity management projects.
- Sample Middleware Business Case (PDF) provides help in convincing decision-makers at your institution to commit resources to middleware deployments.
- Middleware Business Case: The Writer's Guide (PDF) provides suggestions for customizing the Business Case to meet institution-specific needs.
- The Middleware Connection (PDF) offers information about, and a short business case for, middleware, tailored to your institution's financial and business officers.
- Identifiers, Authentication, and Directories: Best Practices for Higher Education provides introductory background on the issues involved with implementing enterprise middleware.
Identifiers and Enterprise Directories
Enterprise Directory Implementation Roadmap is a step-based reference that campuses can use to deploy and manage directories. It includes links to practice papers, articles, and additional resources to place the current findings in context and offer more detailed suggestions through the use of case studies. It covers the
There are many other directory-related components available from NMI-EDIT. Refer to Releases for a complete list.
Authentication
The revised Enterprise Authentication Implementation Roadmap outlines a process and checklist institutions can use to help deploy enterprise authentication. It includes recommendations for readying the infrastructure for use in federated environments and other inter-organizational relationships.
Current practices for enterprise authentication can be found in Identifiers, Authentication, and Directories: Best Practices for Higher Education. For web initial sign-on (WebISO) systems, there are three available from NMI-EDIT:
- A-Select is a WebISO package that allows users to authenticate themselves for web applications. It supports 8 authentication methods out of the box and organizations can add their own authentication methods easily. Authentication methods supported are RADIUS and LDAP (username/password), one-time password via SMS, Internet banking, Passfaces, IP-address and generic PKI.
- Cosign, collaborative sign-on, consists of three components. A CGI, cosign.cgi, accepts credentials from the user and communicates the authenticated user ID to the second component, a daemon, cosignd. The third component, the authentication filter, intercepts requests on a protected web server and verifies authentication with cosignd. Since the last NMI release, Cosign has added proxy authentication (to support, for example, uPortal and SAKAI) and a robust replication system that allows the use of a pool of central login servers.
- Pubcookie is open source software for intra-institutional web initial sign-on. It allows users to authenticate to web based services across many web servers and fits into the Shibboleth framework as an origin's WebISO solution.
For more information on these software packages, click on the links above or refer to the Releases page.
Authorization
There are several software packages and approaches to authorization available from NMI-EDIT.
- Practices in Directory Groups includes concepts, good practices, open issues, and principles resulting from early experiences with authorization and group messaging using LDAP directory services at higher education institutions.
- Shibboleth® is an open-source, standards-based tool providing mechanisms for controlling access to web based resources (particularly in inter-institution use), while offering options for protecting personal privacy. It consists of origin site software (Handle Server and Attribute Authority) which manages the release of attribute information, and target side software (modules for the Apache and IIS web servers) which manages user sessions, obtains user attributes, and makes access control decisions. Together, these components provide an inter-institutional access control framework that allows for, but does not require, the preservation of personal privacy.
- PERMIS is an authorization infrastructure that uses X.509 attribute certificates (ACs) to hold a user's credentials for hierarchical Role Based Access. The software makes granted or denied access control decisions to a resource, based on a policy and the credentials of the user. The policy is written in XML by the administrator of the resource, encapsulated in an X.509 AC, and stored in the LDAP entry of that administrator. PERMIS supports the distributed management of roles, but does not mandate any particular authentication mechanism, as user authentication is left entirely up to the application.
There are other components that support inter-institutional authorization available from NMI-EDIT. Refer to the Software section of the Releases page for more information.