Each quarter we provide an update on what's happening with UW Identity & Access Management (IAM) services. Here's our October 2011 edition.
- Enabled self-service requests for InCommon CA certificates through a new consolidated interface called UW Certificate Services.
- Added self opt-in/opt-out of group memberships and two-factor authentication to the management options for UW Groups.
- Released mod_gws 1.4.1, an Apache module compatible with Pubcookie and Shibboleth, supporting access control based on UW Group memberships.
- UW Medicine worked with UW-IT to bring new affiliate populations into the UW Person Registry, including personnel from UW Physicians Network and Fred Hutchinson Cancer Research Center.
- Spotlight on UW Libraries: With staff scattered across four Windows domains on three UW campuses, managing Windows resources has become more difficult and time consuming for the UW Libraries. They decided to consolidate the two largest domains into the NetID domain run by UW-IT. Although still a work in progress, the benefits are already apparent. Mike Reynolds, UW Libraries network administrator explained, "We have migrated over 450 staff workstations to the NetID domain and haven't looked back. Any resistance by staff to this change melted immediately when we explained to them that they'd no longer need separate passwords for logon and email. Departments that manage groups have responded positively to the switch from the Active Directory Users and Groups tool to the UW Groups web interface, which they find less intimidating to use for group management. And don't get us started on the benefits to our ITS department of not having to deal with firewall issues between us and trusted outside domains!" The Libraries has another 200 workstations and several dozen Windows servers left to migrate, at which point the lib.washington.edu and hslib.washington.edu domains will be shut down.
- The National Institutes of Health (NIH) has federated with nearly 50 InCommon participating research universities, including the UW. Using iTrust, NIH's Federated Identity Management System, UW researchers can use their UW NetID account via the weblogin service to access more than forty NIH applications. SAML 2.0 federation protocols underlie this capability. To learn more refer to the NIH Federation InCommon Wiki.
- As a National Science Foundation grantee institution and member of InCommon, the UW has enabled SAML-based federated single sign-on to Research.gov. Once logged into Research.gov, PIs and co-PIs can browse to FastLane's Principal Investigator services without having to log in again. The UW was one of the first institutions to enable this service. To learn more refer to their press release or visit ORIS's Simplified Access to Research.gov page.
- In July, a pilot program went live to improve access to the University HealthSystem Consortium (UHC) website and applications via federated logins from the UW. The pilot included about 20 users from UW Medicine, with a plan to offer the option to all UW Medicine UHC users in November. UWMC Center for Clinical Excellence, UW-IT, and UHC collaborated on the project. This collaboration included UW sponsoring UHC into InCommon, which will eventually enable SAML-based federation with UHC for other InCommon member institutions.
- In July, the Graduate School upgraded MyGradProgram to Windows 2008 R2 and transitioned its integration with the weblogin service from Pubcookie to Shibboleth, including use of both single and two-factor authentication. Now all 1400 faculty/staff users of MyGradProgram, as well as all student access for degree requests, general/final exams, and petitions use the weblogin service via Shibboleth and its industry standard SAML protocol.
- In August, representatives from Internet2/InCommon, the Kuali Foundation, Jasig, and several universities, including the UW, met in Chicago to discuss futures for open-source IAM products for higher education and research. The two-day workshop identified capability gaps and redundancies, focusing on identity registries, service provisioning, and access management. Small subgroups have been chartered to make recommendations this autumn to align initiatives with community needs. To learn more refer to the Open Source Identity Management for Higher Education initiative website.
- The UW Medicine Physician Liaison Program (PLP) partnered with UW-IT and UW Medicine IT Services to use the UW NetID identity verification process to verify the identities of potential users of U-Link, the internet portal PLP provides so that non-UWMC referring physicians, other licensed referring healthcare professionals, and their support staff throughout the Pacific Northwest can access the electronic medical records of patients they refer to UW Medicine (including UW Medical Center, Harborview Medical Center, and Seattle Cancer Care Alliance). For U-Link 4.0, and to meet UW Medicine requirements for secure access to patient data, PLP drew on UW-IT's "identity assurance" work to categorize the processes used to verify the identities of prospective U-Link users; the high-assurance remote sponsorship features of the Sponsored UW NetID service proved useful here. We expect the experience gained in working with PLP and refining identity assurance concepts on this project to help other UW business units that need strong security while serving similarly diverse user populations.
- Our scheduled attempts to cut over UW Kerberos to version 1.9.1 revealed problems requiring a rollback. Having fixed the issues, UW-IT's project team is now rescheduling the upgrade (third time's the charm!) and will decommission the old Kerberos servers at the end of the year. To learn more refer to UW Kerberos Service Upgrade - Summer 2011.
- On the Application UW NetID front, we've lowered the green flag and raised the yellow caution flag, signaling our limited capabilities, documentation, and support. We're still manually issuing this type of UW NetID account for system access to the Enterprise Data Warehouse, but other uses are subject to closer review and might be served better by a Shared UW NetID, at least until additional project work is completed to clarify policy and appropriate uses, enable self-service management, and transition support for Application UW NetIDs to the UW-IT Service Center.
- In September, F2 Decision Support, UW HR, Academic HR, and UW-IT refined the My People report definitions and capabilities for analyzing UW employee organizational affiliation by Home Department and by Appointing Department. To learn more refer to the Human Resources reports in the Report Catalog on the Decision Support website.
- Since June, MI (UW-IT's Microsoft Infrastructure service) has added 10 more delegated OUs and another trust. Since January, the number of computers in the domain has more than doubled, to over 3,300.
- Because X.509 certificates issued by the InCommon CA chain to a root that browsers and operating systems already trust, adoption on UW-owned websites has been steady: 117 InCommon CA certs have been issued to the UW so far, and they are now in use on several prominent UW-IT services, including MyUW, the UW homepage, and the "deskmail" IMAP servers.
- The UW Services CA continues to be used by UW applications that need a client certificate to access UW web services requiring TLS client authentication based on UW's internal trust fabric.
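The check behind that sentence, as an added example (not UW-IT's code, and it does not touch the real UW Services CA): a private CA issues a client certificate, and the relying service accepts a presented client cert only if it chains to that private CA. The CA names, subject names and file names are assumptions for illustration. It needs only the openssl command-line tool and runs offline in a temporary directory.

```shell
#!/bin/sh
# Added example, not UW-IT's tooling: a private "internal trust fabric".
# A private CA issues a client cert; the relying service accepts a presented
# client cert only if it chains to that private CA. Names and paths below are
# illustrative assumptions. Requires the openssl CLI; runs offline.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Create a self-signed CA certificate and key: $1 = file prefix, $2 = CA name.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=$2" -keyout "$1.key" -out "$1.pem" >/dev/null 2>&1
}

# Issue a client certificate: $1 = CA prefix, $2 = output prefix, $3 = client CN.
issue_client_cert() {
  openssl req -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$3" -keyout "$2.key" -out "$2.csr" >/dev/null 2>&1
  openssl x509 -req -sha256 -days 1 -in "$2.csr" \
    -CA "$1.pem" -CAkey "$1.key" -CAcreateserial -out "$2.pem" >/dev/null 2>&1
}

# The relying service's check: does the presented cert ($2) chain to the one
# CA we trust for client auth ($1)? Exit 0 = accept, non-zero = reject.
# Only that CA file is supplied, never the browser/OS root bundle.
client_cert_trusted() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Constructed scenario: an internal CA and an unrelated CA each issue a client
# cert with the SAME subject name, so only the chain can tell them apart.
make_ca "$WORK/internal-ca" "Example Internal Services CA"
make_ca "$WORK/other-ca"    "Unrelated CA"
issue_client_cert "$WORK/internal-ca" "$WORK/good-client"  "app-client"
issue_client_cert "$WORK/other-ca"    "$WORK/rogue-client" "app-client"

good_client_accepted()  { client_cert_trusted "$WORK/internal-ca.pem" "$WORK/good-client.pem"; }
rogue_client_rejected() { ! client_cert_trusted "$WORK/internal-ca.pem" "$WORK/rogue-client.pem"; }

if good_client_accepted; then
  echo "client cert from internal CA: accepted"
fi
if rogue_client_rejected; then
  echo "client cert from unrelated CA: rejected"
fi
```

Both client certs carry the same subject name; only the issuing CA differs, and only the one signed by the internal CA passes. In a real deployment the same effect comes from pointing the service's client-CA trust store at the internal CA alone (for Apache mod_ssl, SSLVerifyClient require with SSLCACertificateFile naming only that CA) rather than at the system root bundle, so a certificate from a public CA, however well trusted by browsers, does not authenticate an application.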
- UW Groups usage trends: 239 groups have been used in Catalyst, 180 groups are activated in UW Google Apps, over 50 groups are synchronized to the Nebula domain, 60 or more are synchronized to UW Mailman lists, and a handful are used to assert SAML isMemberOf attribute values to Shibboleth service providers for federated access management.
Our objectives in the months ahead include:
- Complete UW Kerberos upgrade to v1.9; retire old infrastructure
- Integrate UW IAM capabilities with Office 365 via UWWI
- Integrate UW Groups with Tegrity to support non-course uses
- Upgrade the Token Authentication Service (i.e. Entrust Identity Guard)
- Plan how to use employee separation data to auto-deprovision access
- Evaluate My People report definitions/data for operational uses
- Plan how to replace and retire the Whatami client component
- Add People Finder report to My People reports
- Map the UW application integration genome
Overall autumn quarter priorities, operational support, and general resource availability will determine what we get done.
Supporting your needs for integration with IAM services offered through the Basic Services Bundle is our highest priority, so we welcome your feedback on how we can make progress updates like this, as well as the services themselves, more valuable to you. If you have needs, ideas, or feedback, please send them to email@example.com.