ADTF - April 6, 2016
Usual Suspects: wderman, sandoval, dattilo, kimn, fredrick, erinmcd, chartier, estradar, tarrant, truss, mark, jlampe, jdiste, etc.
Identity and Access Management (IAM) presentation by Aaron Andersen
Aaron is the lead on the OPEX initiative on IAM.
Materials presented to the President’s Council
Gail acting as change management lead
Rebecca Swisher - resource for Gail
George Williams - working on enterprise service bus for “people sync”
Jill Lampe - project manager for identity and access management
UCAR has long needed an authoritative source of information - authentication, authorization, metrics (audits).
Breadth and depth of collaborators. We struggle with “tackling the whole enchilada at once”. (For the initial phase, solve the paid-person problem first.)
Auditing is almost impossible.
Centralized single data store - consolidated administration
Collaborators federate with organizational credentials
Robust, centralized (automated) auditing - work within FISMA and other compliance requirements.
Update/Clean up “paid people” data
Shift to AD authentication exclusively
Initial pilot of collaborator federated ID
Use Agile methods to approach (short, task-oriented, iterative “sprints” with lots of feedback). Fail fast should a solution not work.
Lab/Program AD Authn by 2016 Q4
SAML2 pilot in Q4
Approved through OPEX funding sources: FY16 - $170K, FY17 - $400K
Some of George’s time, some of Ramsey’s time.
$90K subscription fee in FY17 is a placeholder pending which federated identity solution is chosen (e.g., Centrify). Estimate may fluctuate.
Current Flow of information
Authoritative Data comes from...
Phone Data (NETS)
SA Data (labs create logins, etc.)
Starting out, Active Directory is just “auth’ing” - authentication decisions are up to whoever manages a resource.
“People Sync” updates LDAP, HPC LDAP, phone dir, and now Active Directory
In the above, UCAS draws from LDAP
AD Specific Architecture End Goal
AD info is referenced by SAML2 and OAuth. Google Auth takes from SAML2 already but may be able to authenticate against AD directly.
AD in place of peopledb as authn/authz
2016 Roadmap (“Done by August”)
Groups which are heavily into AD go first (to authN against AD)
Then those partially into AD
Summer (July, August) for groups which have mostly or little AD implementation.
Timecard authentication to AD by fall (along with other applications)
May bring in someone this summer to look at AD with regard to FISMA
Matrix - level of AD adoption. Which labs are using AD and for which platforms? Garth will start us out with a matrix we can all fill out. Provide earliest and latest date for all platforms.
Individual labs and programs implement authentication against AD
Documentation plan - ADTF could help with a canonical set of vetted “How To” documents.
Web password management plan - Aaron indicated it may be at the end of a 2-week sprint coming up.
Password creation remains an issue.
Should there be a standardized OU structure for users and computer objects?
Enable scripting by putting information in predictable places
Who owns information in AD?
George, Garth, and Ramsey will work to identify fields which will be modified by the peopledb sync process.
There may be applications which have dependencies on AD fields (e.g., the NETS call manager).
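The last four items (a standardized OU structure, predictable places for scripting, field ownership in AD, and applications that depend on AD fields) describe one concern: the people-sync process must only write the fields it owns, and anyone running it should see ahead of time which fields it would change and which downstream dependencies those changes touch. The following is an added example of that field-ownership check, not UCAR or ADTF code and not the actual people-sync implementation. Everything in it is an assumption for illustration: the attribute allow-list, the OU convention (one OU per lab/program with a Users OU under it), the base DN, the dependent-application map, and the sample records, which are constructed and not real people.

```python
"""Field-ownership check for a people-sync process writing into AD.

Added example, not UCAR's or the ADTF's own code. The attribute names,
the OU convention, the base DN and the sample records are all assumptions
constructed for illustration.
"""
from dataclasses import dataclass, field

# Attributes the sync process is allowed to write (assumed allow-list).
# Anything outside this set is left to whoever owns that field in AD.
SYNC_OWNED = frozenset({
    "employeeID", "givenName", "sn", "displayName", "mail",
    "telephoneNumber", "department",
})

# Attributes that other systems depend on; constructed for the example.
DEPENDENT_ATTRS = {
    "telephoneNumber": ["call manager (hypothetical)"],
    "mail": ["mailing-list sync (hypothetical)"],
}

BASE_DN = "DC=example,DC=org"  # placeholder, not a real base DN


def expected_dn(sam_account_name, department, base_dn=BASE_DN):
    """Assumed standard OU layout: OU=Users under one OU per lab/program."""
    return f"CN={sam_account_name},OU=Users,OU={department},{base_dn}"


@dataclass
class SyncPlan:
    changes: dict = field(default_factory=dict)   # attr -> (old, new)
    skipped: dict = field(default_factory=dict)   # attr -> reason not written
    warnings: list = field(default_factory=list)  # dependency / placement notes


def plan_sync(authoritative, current, owned=SYNC_OWNED, dependents=DEPENDENT_ATTRS):
    """Compute what the sync would change, without touching AD.

    authoritative: dict of attribute -> value from the authoritative source
    current:       dict of the AD object's present attribute values
    """
    plan = SyncPlan()
    for attr, new in authoritative.items():
        if attr not in owned:
            plan.skipped[attr] = "not sync-owned; left to the field's AD owner"
            continue
        old = current.get(attr)
        if old == new:
            continue
        plan.changes[attr] = (old, new)
        for app in dependents.get(attr, []):
            plan.warnings.append(f"{attr}: {old!r} -> {new!r} affects {app}")
    # Predictable placement: flag objects that sit outside the standard OU.
    sam = current.get("sAMAccountName")
    dept = authoritative.get("department")
    if sam and dept:
        want = expected_dn(sam, dept)
        have = current.get("distinguishedName")
        if have != want:
            plan.warnings.append(f"object at {have!r}, expected {want!r}")
    return plan


def apply_plan(current, plan):
    """Return a copy of the AD object with only the sync-owned changes applied."""
    updated = dict(current)
    for attr, (_old, new) in plan.changes.items():
        updated[attr] = new
    return updated


# Constructed sample records (not real data).
SAMPLE_AUTHORITATIVE = {
    "employeeID": "E1001", "givenName": "Pat", "sn": "Example",
    "mail": "pat@example.org", "telephoneNumber": "+1 555 0100",
    "department": "LabA",
    "description": "set by the authoritative feed",   # not sync-owned
}
SAMPLE_AD = {
    "employeeID": "E1001", "givenName": "Pat", "sn": "Example",
    "mail": "pat@example.org", "telephoneNumber": "+1 555 0199",
    "department": "LabA", "sAMAccountName": "pexample",
    "description": "owner-managed note",
    "distinguishedName": "CN=pexample,OU=Legacy,DC=example,DC=org",
}

if __name__ == "__main__":
    plan = plan_sync(SAMPLE_AUTHORITATIVE, SAMPLE_AD)
    for attr, (old, new) in plan.changes.items():
        print(f"change {attr}: {old!r} -> {new!r}")
    for attr, why in plan.skipped.items():
        print(f"skip   {attr}: {why}")
    for w in plan.warnings:
        print(f"warn   {w}")
```

Run on the sample records, the plan changes only telephoneNumber (and warns that the hypothetical call manager depends on it), refuses to overwrite the owner-managed description even though the feed carries one, and flags the object for sitting in a Legacy OU instead of the assumed standard location. The allow-list is the artifact the George/Garth/Ramsey field-identification work would produce; keeping it explicit in the sync code is what makes the "who owns this field" question answerable from a script rather than from memory.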