UC Identity Management Work Group
Meeting - 3/8/2004 - Notes
Time: 3/8/2004, 10:00-3:00
Location: "Library" Room of the University Club, UC Irvine
Attendees
Mike Baptista
Bruce James
Jacqueline Craig
Peter Brantley
Mark Askren
Marina Arseniev
Brian Roode
Scott Menter
Elazar Harel
Gabe Lawrence
Albert Wu
David Wasley
David Walker
Summary of Outcomes
- The goal of this project is to allow members of UC campus
communities (initially, UCSD, UCI, and UCLA) to access UC For Yourself
(UCFY), Your Benefits Online (YBO), and CDL-licensed resources by using
their local campus login systems.
- We will use Shibboleth (which, in turn, uses SAML) as the
technology to implement this federated authentication.
- We will implement support for the following attributes:
- UCFY/YBO
- UCnetID
- Campus ID (for debugging)
- Transaction ID (for debugging)
- CDL-Licensed Resources
- eduPerson attributes, particularly Entitlement and
Shibboleth's "Tracking" ID
- We will configure the origins to release attributes only to
registered target applications. Policies on the use of these
attributes will be developed.
- We will document the participating campuses' identity management
practices and ask for Vice Chancellor-level policy decisions on
assumption of risk.
Review of the Schedule
There will be a meeting of the ITLC in about a month. We will
target
completing the first phase of our project (a detailed project
description) in time for discussion at that meeting. The project
schedule will be developed during the second phase (one month), and
implementation will occur during the third phase (three months).
Current State of Authentication, Portals, etc.
UCLA has had a single sign-on (SSO) system, ISIS, since 1996; it is
used by hundreds of applications. Both campus and medical center
people are included. Currently, people are removed when they
leave the University, although that could change in the future.
Five authentication systems are available, and more are planned.
Independent of what authentication system is used for a session,
however, a common UID is passed to target applications, along with name
and electronic mail address. Target applications can request
re-authentication, based on inactivity timeouts that are determined by
the target applications. UCLA does not have a single, default
portal and expects UCFY/YBO users to browse directly to those
applications' URLs at UCOP.
UCSD has a single sign-on system for administrative applications.
The SSO is SAML-based with attributes similar to UCLA's; applications
must be registered in order to make use of the SSO. Not all
people at the medical center are registered with the SSO, but it is
available to all of them. People are removed when they leave the
University. Users start in BLINK, UCSD's portal, then use it to
navigate to applications. Students currently have a separate
authentication system for their
StudentLink portal, but that is planned to be migrated to BLINK
technology in 2005.
UCI has an SSO for both students and employees; they've had an
enterprise directory since before LDAP, so it's based on the CSO
Nameserver. Authentication is based on Kerberos with a
locally-developed web authentication system that uses Kerberos behind
the scenes. Medical center people are included. UCI uses
uPortal for its portal, SNAP, and expects people to navigate to
UCFY/YBO through SNAP.
All three campuses have written information about their authentication
systems, but not formal policy. It was agreed that each campus
would distribute a description of its system to the group.
Mike Baptista mentioned the danger of sharing login IDs for
administrative applications and then having them reused to access
personal information in UCFY/YBO. In general, this was viewed as
a path to stop such sharing, but education will be important.
What are We Doing?
The goal of this project is to allow people at UCSD, UCI, and UCLA to
use their local campus authentication systems to access UCFY, YBO, and
CDL-licensed resources from their campus web pages. There are
many issues associated with doing this, such as single sign-on/off and
session timeouts, that the group will consider, but there may be
insufficient time to implement solutions to all of them.
Technology Selection
The group agreed to use Shibboleth and SAML assertions to implement
UC's federated authentication after some discussion:
- David Walker gave a brief summary of how Shibboleth works and
what the InCommon and InQueue federations are. InCommon is
expected to become the federation of institutes of higher education in
the United States.
- The group discussed whether we should use the InCommon WAYF
(Where Are You From?) service for UC's internal purposes. It was
decided that we should take the simplest path of using the InCommon
WAYF, but that we should monitor InCommon's ability to provide a robust
WAYF service and be prepared to change this decision if there is a
problem.
- Liberty Alliance and WS-Federation were discussed as
alternatives, as well as Microsoft's strategies. From the point
of view of current deployment, particularly within higher education,
Shibboleth is our best choice. Liberty Alliance is very similar
to Shibboleth, and the two groups are communicating, so we expect good
synergies between Shibboleth and Liberty Alliance. Microsoft's
strategy is more to federate enterprise directories, something that was
found to be less than successful during the PKI project.
- We're actually making standards decisions at three levels:
- Trust agreements, attribute definitions, and attribute release
policies, etc. have the
longest lifetime.
- The decision to use SAML as the syntax for our attributes is in
line with multiple, competing transport decisions (e.g., Shibboleth and Liberty
Alliance). We expect that decision also to have a long lifetime,
but not as long as #1.
- The decision to use Shibboleth for transporting SAML assertions
will likely have the shortest lifetime, but it should be at least a few
years. Over time, we may provide multiple methods for
transporting assertions.
- UCI raised the issue of commercial packages, such as Netegrity
and Oblix. They tend to support the broadest range of "off the
shelf" applications. They should be able to share the same person
repository as Shibboleth. We also agreed to explore the
possibility of getting these vendors to implement integrated Shibboleth
origins.
- There is currently an issue for Shibboleth with respect to
authencation within portal channels. The Shibboleth architecture
is working to resolve this for JSR 168, the new standard for
portal/channel communication.
- We do not expect Shibboleth to present any difficulties for
implementing single sign-on as part of this project, as the campus's
existing SSO solutions would likely be used for Shibboleth's
authencation. Single sign-off does present a difficulty, and UCI
feels that it is important to have a UCFY/YBO logout cause a logout
from all of SNAP. We will explore allowing a "logout" URL to be
passed to UCFY/YBO from the campus's portal. UCFY/YBO would
redirect the user's browser to that URL after logout.
- Session timeouts are a complex issue. Typically, sessions
are maintained by the SSO, Shibboleth, and by applications (including
portals and channels). UCFY/YBO will log people out after a 20
minute period of inactivity, whereas SSO implementations may keep
sessions alive for longer periods of time. As we understand this
issue better, we will consider appropriate solutions. In the
interim, we do not believe that UCFY/YBO's potential 20-minute
extension of a campus's timeout policy to be an obstacle.
Attributes
UCFY/YBO
We will use UCNetID as the attribute
that will be sent from campus origins to the UCFY/YBO target.
People who left campuses prior to around 5-6 years ago will not have
UCnetIDs, so they will continue to use the existing UCFY/YBO login
process.
Marina Arseniev said that UCI has had some trouble with the integrity
of UCnetIDs; the other campuses have not seen this. We will
explore the causes of this and fix the problems as part of this project.
In order to facility debugging, we will also pass the campus's unique
ID (in the form of Shibboleth's "Scoped EduPerson Principal Name") and
a transaction ID (a transparent string created by the campus).
All three attributes will be logged.
CDL-Licensed Resources
There are only a few vendors supporting Shibboleth right now (e.g., JSTOR, OCLC), but the number
is increasing. In general, the eduPerson attributes are expected
to be supported, but the specific attributes of interest now are a
specific Entitlement string that has been defined for InCommon and the
opaque, target-specific ID that is computed by Shibboleth to provide
pseudonymous access to resources.
The CDL is also working with Ex Libris and Internet2 to investigate
synergies between OpenURL systems, such as Ex Libris's SFX, and
Shibboleth. Initially, this will require only identification of a
user's origin institution (e.g.,
UCSD, UCI, or UCLA).
Policy
- Attributes will be released only to registered targets.
This will create an operational issue at some time when all campuses
must register a new target, which is not an uncommon event for library
resources. Processes will need to be developed to address this,
although that is outside the scope of this current project.
- Each attribute we define will have an associated policy statement
governing its availability and subsequent use by the target
applications. We will need to create a process for defining new
attributes and deprecating old attributes that are no longer in use.
- We need to create an agreement to trust each other's identity
management processes for maitaining the person repository,
registration, authentication, etc.
for the purpose of making accurate assertions about the members of our
respective communities. That agreement should establish minimum
operational standards, identify responsible parties, etc. Elazar Harel pointed out
that, for this project, we need only to have agreements that UCFY/YBO
and the CDL's vendors will trust the three campuses. Elazar also
suggested that we ask the Vice Chancellors of Administration to certify
their campuses' identity management; everyone concurred.
Rollout
We will implement a phased rollout. We will, of course, utilize a
test instance of UCFY/YBO initially, but we will phase the introduction
of the production service to groups of users to allow us to understand
and absorb the support issues that will, undoubtedly, arise.
Initially, links to the federated login option for UCFY/YBO will be
from campus web pages, continuing to have UCFY/YBO's default entry page
prompt the user for the SSN/PIN-based login until an appropriate time
for the rollout plan to all campuses.
David
Walker - 3/15/2004