IAM in Service Catalog
Wiki Audience: UW Identity and Access Management (IAM) services customers and development partners.
Wiki Purpose: Collaboration and publishing of IAM information; supplements Identity and Access Management Services customer documentation.
Wiki Status: As of June 2009, limited use; pages and navigation under development.
Here's an update on recent happenings with the UW Windows Infrastructure.
Work to replace aging NETID domain controllers has resulted in 3 new DCs. This work included applying the WS2012 schema and also partially addressed some geo-redundant disaster recovery goals by locating a domain controller out of the Puget Sound region. Work to refresh existing WS2008R2 DCs to WS2012 continues.
Our objectives for the months ahead include:
Supporting your needs for UWWI capabilities offered via the Basic Services Bundle is our priority, so we welcome feedback on how we can make the UWWI service more valuable to you.
The UWWI service has a backlog visible to customers at https://jira.cac.washington.edu/browse/UWWI where you can get more details about possible improvements, current prioritization of that work, and even what we've been doing. You can "vote" for items in the backlog to help us rank priorities, or you can contact us via firstname.lastname@example.org.
This post summarizes several changes concerning the UW weblogin service.
On Tuesday, December 18, we plan to deploy a more mobile-friendly version
of the current user interface for the "weblogin" service. This update
preserves the current look-and-feel of its web design, but makes it more
responsive to the kinds of devices and browsers in use today.
To review the design go to https://webloginprodtest.cac.washington.edu.
To provide feedback and/or to test it on one of your registered Pubcookie
service provider websites, email email@example.com.
On Tuesday, November 13, the SSL website certificate for the weblogin
service was changed to one issued by the InCommon CA. Apologies for the
postprandial notification. We had a lot of confidence this wouldn't impact
you as customers, nor impact all of our end users. Yet, the change
surprised some folks and I plan to do better with notifications next time.
You can now use a certificate issued by the InCommon CA to authenticate
your keyclient connections to the Pubcookie keyserver. Previously, the
keyserver only trusted the UW Service CA and Thawte CA. Now you can obtain
a certificate from InCommon and use it for website SSL and with the
For folks integrating with the weblogin service using Shibboleth service
provider software, you may have received an email on November 29th
(Subject: Changes to U of Washington Shibboleth IdP) notifying registered
contacts about changes to the X.509 certificates used by the UW Shibboleth
IdP and published in the UW IdP metadata. Per the email, action may be
required by Tuesday, January 22. Please review that email if you received
it, and email questions to firstname.lastname@example.org with a subject line of "IdP
Just posted this to the group-discuss list:
Subject: GID proposal: random, immutable values, above 65,535
Over the last year, we've had several spurty discussions about adding GIDs to UW groups to help integrate Linux systems via UWWI delegated OUs.
We'd like to add this feature during our next groups 2.1.6 release, and need your feedback on the proposed strategy documented in our wiki:
We're recommending a design based on random, immutable integer values greater than 65,535 that are assigned at the time a UW group is created.
For existing UW groups, we'll assign a random value within the allowed range.
We developed this strategy through discussions with Kris and Matt in Statistics, as well as a few others inside and outside of UW-IT.
By October 15th, we'd appreciate some additional eyes, scrutiny and comments on the proposal.