
Identity Project Update from 2009-11-19 ITPG Meeting


The following status report is extracted from the minutes of the 2009-11-19 ITPG Meeting.

Campus Directory, Identity, and Authentication Update and Issues
Powerpoint Presentation (pdf) – Arlene Allen

In 1997 the campus LDAP was created as a white pages directory, not as a repository for Identity Management. LDAP directories are not well suited to that role; a system built on a database management system is needed instead. We started with an open source solution, then Netscape, which evolved into iPlanet and is now Sun. In 2003 we chose Oblix Netpoint as our web authorization method. We are still using Netpoint, but in FY 05/06 we went off maintenance and upgrades. UCOP wanted a global foreign key, but their UCNETID attempt failed. What remains is a legacy global key.

In 2007 we had the Password Reset event, which included:

  • Removing the functionality that allowed people to change their own passwords.
  • Using the Student Affairs Ureset application to enforce password strength rules.
  • Removing the functionality that allowed self activation and password reset.

This led to reengineering the design to be more appropriate and to recreating the functions that had been removed. We have moved forward with Sun software, but so far there are no third-party support organizations for it. The new design features a multi-master architecture.

For password reset there are secret questions, which are currently being refined. We need a dialogue to decide what these questions should be. When a user does not remember any of their answers, they will go to the identity helpdesk. People in town are comfortable with this process; out-of-town people need a different process.

Karl will chair a group to explore and inform the process. There was a motion to reactivate the old Identity group, of which Matthew Dunham was the chair. The committee should define the scope of the advice it will give, and it should examine a common approach to authorizations. Initially, the committee will need to be educated on the issues and technologies. Authorization is a large issue: the current implementation does not support roles, and there is no funded project for authorization.

The next steps:

  • Finish tech development by 12/31/09 (but they keep running into issues), then start coordination of cutover.
  • Customer acceptance of new system.
  • Run two systems in parallel.

What changes need to be made by application developers? None; the new system is intended to be fully compatible with existing applications.

Espresso depends on Netpoint. It will continue to work, but it relies on unmaintained software that cannot be moved forward, and this is a risk. Once we go live with the new architecture, we can no longer allow direct editing of LDAP. The plan is to use OpenSSO, but we have no ability to actually do any of this until identity management costs are stabilized by the campus.

One major component of the new design is decoupling the student UCSBNetID from the Umail account. New student UCSBNetIDs are not created until they have SIR’ed (i.e., filed an intent to register), but other providers may want to access the student prior to this step. They could now be created at the admit stage.

There are also issues, such as those for GauchoSpace, with non-regular students such as Extension students. There is not a smooth process for "miscellaneous demographics." There is a need to allow these external processes to integrate with the existing processes for populations. The hurdle is the funding to create such processes and to establish functional ownership of each miscellaneous process that might be created.

Internet2 MACE projects are Signet and Grouper. Neither of these adapts in a seamless fashion to our current engineering, but they do provide conceptual food for thought on methods for meeting needs in this space.