ADTF - April 6, 2016

Usual Suspects: wderman, sandoval, dattilo, kimn, fredrick, erinmcd, chartier, estradar, tarrant, truss, mark, jlampe, jdiste, etc.

Identity and Access Management (IAM) presentation by Aaron Andersen

Aaron is lead on OPEX initiative on IAM.

Materials presented to the President’s Council


  • Gail acting as change management lead

  • Rebecca Swisher - resource for Gail

  • George Williams - working on enterprise service bus for “people sync”

  • Jill Lampe - project manager for identity and access management

UCAR has long needed an authoritative source of information - authentication, authorization, metrics (audits).  


  • Breadth and depth of collaborators.  We struggle with “tackling the whole enchilada at once”. (for the initial phase, let’s solve the paid person problem first).

  • Auditing is almost impossible.


  • Single login

  • Centralized single data store - consolidated administration

  • Collaborators federate with organizational credentials

  • Robust, centralized (automated) auditing - work within FISMA, other compliance requirements.


  • Update/Clean up “paid people” data

  • Shift to AD authentication exclusively

  • Initial pilot of collaborator federated ID

  • Expand 2-factor.

  • Use Agile methods to approach (short, task-oriented, iterative “sprints” with lots of feedback).  Fail fast should a solution not work.

  • Lab/Program AD Authn by 2016 Q4

  • SAML2 pilot in Q4


  • Was approved through OPEX funding sources - FY16 - $170K, FY17 - $400K

  • Some of George’s time, some of Ramsey’s time.

  • $90K subscription fee in FY17 is a placeholder pending which federated identity solution is chosen.  Estimate may fluctuate.  E.g., Centrify

Technical Discussion

Current Flow of information

  • Authoritative Data comes from...

      • HR

      • Phone Data (NETS)

      • SA Data (labs create logins, etc.)

Starting out, Active Directory is just “auth’ing” - authentication decisions are up to whoever manages a resource.

“People Sync” updates LDAP, HPC LDAP, phone dir, and now Active Directory

In the above, UCAS draws from LDAP

AD Specific Architecture End Goal

  • AD info is referenced by SAML2 and OAuth.  Google Auth takes from SAML2 already but may be able to authenticate against AD directly.

  • AD in place of peopledb as authn/authz

2016 Roadmap ( “Done by August” )

  • Groups which are heavily into AD go first (to authN against AD)

  • Then those partially into AD

  • Summer (July, August) for groups which have mostly or little AD implementation.

  • Timecard authentication to AD by fall (along with other applications)

  • May bring in someone this summer to look at AD with regard to FISMA

To Dos

  • Matrix - level of AD adoption.  Which labs are using AD and for which platforms?  Garth will start us out with a matrix we can all fill out.  Provide earliest and latest date for all platforms.

  • Individual labs and programs implement authentication against AD

  • Documentation plan - ADTF could help with a canonical set of vetted “How To” documents.

  • Web password management plan - Aaron indicated it may be at the end of a 2-week sprint coming up.

  • Password creation remains an issue.

Should there be a standardized OU structure for users and computer objects?

  • Enable scripting by putting information in predictable places

Who owns information in AD?

  • George, Garth, and Ramsey will work to identify fields which will be modified by the peopledb sync process.

  • There may be applications which have dependencies on AD fields (e.g., the NETS call manager).
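As an added illustration (not the people-sync code George is building): a small Python model of the field-ownership rule discussed above, where the sync only writes attributes it owns, refuses to touch attributes owned by another application such as the call manager, and flags sync-owned fields that were edited by hand since the last run. Attribute names, the ownership table and the sample records are constructed for this example.

```python
from dataclasses import dataclass

# Hypothetical ownership table (constructed, not from the meeting notes):
# attributes the peopledb sync may write, and attributes that belong to
# other applications and must never be clobbered by the sync.
SYNC_OWNED = {"givenName", "sn", "mail", "department", "employeeID"}
APP_OWNED = {"telephoneNumber": "NETS call manager",
             "ipPhone": "NETS call manager"}

@dataclass
class SyncResult:
    writes: dict   # attribute -> new value the sync should apply to AD
    blocked: dict  # attribute -> owning app; HR differs but sync may not write
    drift: dict    # sync-owned attribute -> value found in AD that the sync did not set

def plan_sync(hr_record: dict, ad_entry: dict, last_synced: dict) -> SyncResult:
    """Decide what the sync may change in AD for one paid person.

    hr_record   - authoritative values from HR (peopledb)
    ad_entry    - attribute values currently read from AD
    last_synced - values this sync wrote on its previous run
    """
    writes, blocked, drift = {}, {}, {}
    for attr, value in hr_record.items():
        current = ad_entry.get(attr)
        if attr in APP_OWNED:
            # Another application owns the field: report, do not write.
            if current != value:
                blocked[attr] = APP_OWNED[attr]
            continue
        if attr not in SYNC_OWNED:
            continue  # out of scope for the sync entirely
        if attr in last_synced and current != last_synced[attr]:
            # Changed in AD outside the sync (hand edit or clear): audit it.
            drift[attr] = current
        if current != value:
            writes[attr] = value  # authoritative source wins for owned fields
    return SyncResult(writes, blocked, drift)

# Constructed sample: HR moved the person to Lab B, someone set AD to Lab C
# by hand, and the phone number in HR disagrees with the call manager's.
HR = {"givenName": "Ada", "sn": "Example", "mail": "ada@example.org",
      "department": "Lab B", "telephoneNumber": "+1 303 555 0100"}
AD = {"givenName": "Ada", "sn": "Example", "mail": "ada@example.org",
      "department": "Lab C", "telephoneNumber": "+1 303 555 0199"}
LAST = {"givenName": "Ada", "sn": "Example", "mail": "ada@example.org",
        "department": "Lab A"}

if __name__ == "__main__":
    print(plan_sync(HR, AD, LAST))
```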