
UWWI News - January 2013

Here's an update on recent happenings with the UW Windows Infrastructure.

New Capabilities and Improvements

  • Work to replace aging NETID domain controllers has resulted in 3 new DCs. This work included applying the WS2012 schema and also partially addressed some geo-redundant disaster recovery goals by locating a domain controller out of the Puget Sound region. Work to refresh existing WS2008R2 DCs to WS2012 continues.

  • Windows 8, Windows Server 2012, and Office 2013 license activation capabilities were added by replacing the campus KMS server.
  • The mail attribute value for all UWWI user accounts was changed to <uwnetid>@uw.edu to facilitate Office 365 integration, eliminate user errors, and prevent multiple users from having the same email value.
  • Work to refactor the UWWI Group Sync Agent to provide near real-time sync for all UW group changes has been completed and deployed. Notable improvements include:
    • Group Service latency to UWWI is significantly reduced
    • UWWI groups are reconciled with the Groups Service now, which self-corrects any errors on UWWI groups that might creep in
    • Course group changes are provisioned to UWWI in near-real time

Spotlights

  • A majority of delegated OU customers have misconfigured their computers' primary DNS suffix; more than 90% of all computers are affected. This subtly degrades functionality, most notably by lowering the security level that can be negotiated during authentication. A separate announcement will include more details on this issue and plans to address it.
  • A project to decommission the UW Forest by mid-February 2013 continues. All remaining domains are in the process of domain migrations either to a delegated OU or to a new Windows forest, and all are making good progress.
  • Since June, UWWI has added: 10 delegated OUs (62 total), 1 trust (54 total), ~1100 computers (5600 total), ~17k users (579k total).

  • UWWI support requests remain steady. 119 UWWI support tickets resolved since June (vs. 122 in prior period).
  • UWWI supports all the new types of institutional groups being piloted in the Groups Service: by degree level, class standing, curriculum, etc.
  • You can see metrics about UWWI at http://www.netid.washington.edu/dirinfo/stats.

What's Next

Our objectives for the months ahead include:

  • Continued support of the university-wide Business Continuity Initiative by creating geo-redundancy continuity plans for UWWI NETID domain services.
  • Continued support of the Office 365 project and the UW Exchange service as it integrates the UWWI NETID domain services with an Office 365 deployment.
  • Continue to investigate how Active Directory Federation Services (ADFS) integrates into our overall authentication architecture for customers. 
  • Invest in changes needed for Unix integration.
  • Support UW-IT effort to investigate SCCM 2012 delegation features to enable OU customers to deploy SCCM for computer management within the NETID domain. 

Your Feedback 

Supporting your needs for UWWI capabilities offered via the Basic Services Bundle is our priority, so we welcome feedback on how we can make the UWWI service more valuable to you.

The UWWI service has a backlog visible to customers at https://jira.cac.washington.edu/browse/UWWI where you can get more details about possible improvements, current prioritization of that work, and even what we've been doing. You can "vote" for items in the backlog to help us rank priorities, or you can contact us via iam-support@uw.edu.


Weblogin Changes

This post summarizes several changes concerning the UW weblogin service.

1. Mobile-friendly weblogin release on December 18th

On Tuesday, December 18, we plan to deploy a more mobile-friendly version
of the current user interface for the "weblogin" service. This update
preserves the current look-and-feel of its web design, but makes it more
responsive to the kinds of devices and browsers in use today.

To review the design go to https://webloginprodtest.cac.washington.edu.

To provide feedback and/or to test it on one of your registered Pubcookie
service provider websites, email iam-support@uw.edu.

2. Weblogin now using an InCommon certificate

On Tuesday, November 13, the SSL website certificate for the weblogin
service was changed to one issued by the InCommon CA. Apologies for the
postprandial notification. We had a lot of confidence this wouldn't impact
you as customers, nor impact all of our end users. Yet, the change
surprised some folks and I plan to do better with notifications next time.

3. Pubcookie keyserver now trusts InCommon CA

You can now use a certificate issued by the InCommon CA to authenticate
your keyclient connections to the Pubcookie keyserver. Previously, the
keyserver only trusted the UW Service CA and Thawte CA. Now you can obtain
a certificate from InCommon and use it for website SSL and with the
Pubcookie keyclient.

4. Changes to UW Shibboleth IdP metadata

For folks integrating with the weblogin service using Shibboleth service
provider software, you may have received an email on November 29th
(Subject: Changes to U of Washington Shibboleth IdP) notifying registered
contacts about changes to the X.509 certificates used by the UW Shibboleth
IdP and published in the UW IdP metadata. Per the email, action may be
required by Tuesday, January 22. Please review that email if you received
it, and email questions to iam-support@uw.edu with a subject line of "IdP
certificate change".
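When an IdP announces a change to the certificates in its metadata, the check an SP operator wants is which signing and encryption certificates were added, removed or kept between the old and new metadata, so that a locally pinned copy can be updated before the old certificate disappears. The following is an added example, not code from the UW IdP or from any Shibboleth SP; the two metadata documents in it are constructed, minimal EntityDescriptor elements whose X509Certificate blobs are placeholders (base64 of short strings), not real certificates.

```python
"""Diff the X.509 certificates an IdP publishes in its SAML metadata.

Added example, not code from the UW IdP or any Shibboleth SP. The metadata
below is constructed and the certificate blobs are placeholders.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def fingerprint(cert_b64: str) -> str:
    """SHA-256 hex fingerprint of the DER bytes inside <ds:X509Certificate>."""
    der = base64.b64decode("".join(cert_b64.split()))
    return hashlib.sha256(der).hexdigest()


def idp_certs(metadata_xml: str) -> dict:
    """Map fingerprint -> set of uses for every IdP KeyDescriptor.

    A KeyDescriptor without a `use` attribute is valid for both signing and
    encryption, so it is recorded under both.
    """
    root = ET.fromstring(metadata_xml)
    certs = {}
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        uses = {kd.get("use")} if kd.get("use") else {"signing", "encryption"}
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            certs.setdefault(fingerprint(cert.text or ""), set()).update(uses)
    return certs


def cert_changes(old_xml: str, new_xml: str) -> dict:
    """Report which certificates were added, removed or kept, keyed by fingerprint."""
    old, new = idp_certs(old_xml), idp_certs(new_xml)
    return {
        "added": {fp: new[fp] for fp in new.keys() - old.keys()},
        "removed": {fp: old[fp] for fp in old.keys() - new.keys()},
        "kept": {fp: new[fp] for fp in old.keys() & new.keys()},
    }


def _key_descriptor(use, cert_b64):
    use_attr = f' use="{use}"' if use else ""
    return (
        f"<md:KeyDescriptor{use_attr}><ds:KeyInfo><ds:X509Data>"
        f"<ds:X509Certificate>{cert_b64}</ds:X509Certificate>"
        "</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>"
    )


def _metadata(*key_descriptors):
    # Constructed minimal IdP metadata; entityID is a placeholder.
    return (
        '<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" '
        'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="urn:example:idp">'
        '<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
        + "".join(key_descriptors)
        + "</md:IDPSSODescriptor></md:EntityDescriptor>"
    )


OLD_CERT = base64.b64encode(b"abc").decode()       # placeholder, not a real cert
NEW_CERT = base64.b64encode(b"new-cert").decode()  # placeholder, not a real cert

# Before the change: one certificate used for both signing and encryption.
OLD_METADATA = _metadata(
    _key_descriptor("signing", OLD_CERT),
    _key_descriptor("encryption", OLD_CERT),
)
# During rollover: the new certificate appears, and the old one stays published
# for signing only, so SPs that have not yet reloaded metadata keep working.
NEW_METADATA = _metadata(
    _key_descriptor("signing", NEW_CERT),
    _key_descriptor("signing", OLD_CERT),
    _key_descriptor("encryption", NEW_CERT),
)
```

Run cert_changes(OLD_METADATA, NEW_METADATA) against real metadata snapshots and look at "added" and "kept": an SP that pins a single certificate in its own configuration has to add the new one while the old is still in "kept", because once the old certificate drops out of the IdP's metadata, assertions signed with the new key will fail validation at that SP.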

Just posted this to the group-discuss list:

Subject: GID proposal: random, immutable values, above 65,535

Over the last year, we've had several spurty discussions about adding GIDs to UW groups to help integrate linux systems via UWWI delegated OUs.

We'd like to add this feature during our next groups 2.1.6 release, and need your feedback on the proposed strategy documented in our wiki:

https://wiki.cac.washington.edu/x/ANMQAw

In summary:

We're recommending a design based on random, immutable integer values greater than 65,535 that are assigned at the time a UW group is created.

For existing UW groups, we'll assign a random value within the allowed range.

We developed this strategy through discussions with Kris and Matt in Statistics, as well as a few others inside and outside of UW-IT.

By October 15th, we'd appreciate some additional eyes, scrutiny and comments on the proposal.
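The proposal above fixes three properties for a GID: it is random, it is above 65,535, and it never changes once assigned. The following added example models an allocator with those properties; it is illustrative only and is not the Groups Service implementation. Its assumptions: GIDs are drawn uniformly between GID_MIN = 65,536 and GID_MAX = 2^31 - 1 (the proposal only says "greater than 65,535"; the ceiling is assumed so values fit a signed 32-bit gid_t), every GID already in use is tracked so that a random collision is retried, and the random source can be swapped for a deterministic one in tests.

```python
"""Random, immutable GID assignment for groups.

Added example illustrating the GID proposal; not the Groups Service code.
GID_MAX is an assumed ceiling; the proposal only states a floor of 65,535.
"""
import secrets

GID_MIN = 65_536        # first value above 65,535
GID_MAX = 2**31 - 1     # assumed ceiling: fits a signed 32-bit gid_t
MAX_ATTEMPTS = 64       # random collisions are rare in this range; retry a few times


class GidRegistry:
    def __init__(self, existing=None, rng=secrets.randbelow):
        # rng(n) must return an int in [0, n); injectable for deterministic tests
        self._rng = rng
        self.by_group = {}   # group name -> gid
        self.by_gid = {}     # gid -> group name, to detect collisions
        for group, gid in (existing or {}).items():
            self._record(group, gid)

    def _record(self, group, gid):
        if not GID_MIN <= gid <= GID_MAX:
            raise ValueError(f"GID {gid} is outside the allowed range")
        if gid in self.by_gid and self.by_gid[gid] != group:
            raise ValueError(f"GID {gid} already belongs to {self.by_gid[gid]}")
        self.by_group[group] = gid
        self.by_gid[gid] = group

    def assign(self, group):
        """Return the group's GID, drawing a fresh random one only if it has none."""
        if group in self.by_group:
            return self.by_group[group]          # immutable: never re-rolled
        for _ in range(MAX_ATTEMPTS):
            gid = GID_MIN + self._rng(GID_MAX - GID_MIN + 1)
            if gid not in self.by_gid:           # retry on collision
                self._record(group, gid)
                return gid
        raise RuntimeError("could not find a free GID; retry later")

    def rename(self, old, new):
        """A rename keeps the GID; file ownership on Unix hosts stays valid."""
        gid = self.by_group.pop(old)
        self.by_group[new] = gid
        self.by_gid[gid] = new
        return gid

    def backfill(self, groups):
        """Assign GIDs to pre-existing groups (the proposal's migration step)."""
        return {g: self.assign(g) for g in groups}
```

Persisting by_group alongside the group record is what makes the value immutable in practice; the random draw only decides the initial value.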

InCommon News - August 2012

The August 2012 issue of InCommon News is now available online at http://www.incommon.org/newsletter/2012_08_web.html

In this issue:

  • Registration Open for Advance CAMP

  • IAM Online: Demystifying Privilege and Access Management

  • Bring Your Own Token — Your Mobile Phone

  • SafeNet, Duo Programs Open for Business

  • New Certificate Service Subscribers

New participants include:

 

Groups 2.1.5 Released

We recently released Groups 2.1.5 with the following changes.

Changes to the Groups Web Service (GWS) UI include:

  • new "watch" feature for email notifications on group changes
  • new "membership dependency" feature to make group membership conditional upon the membership of another group (like uw_employee)
  • new assistant tool to apply the same operation to multiple groups

Changes to the GWS REST API include:

  • v1 resources and representations are unchanged
  • v2 representations support new "dependson" attribute
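The "membership dependency" feature above makes membership in one group conditional on membership in another, so an access group declared as depending on uw_employee sheds a user automatically when that user leaves employment. The following added example models that rule in plain Python; it is not Groups Service code and its group records are a constructed in-memory dictionary, not the GWS REST representation (a record here has direct members, optional subgroups, and an optional dependson group name).

```python
"""Effective group membership with a "dependson" condition.

Added example, not Groups Service code. GROUPS is constructed sample data.
"""

GROUPS = {
    "uw_employee": {"members": {"alice", "bob", "carol"}},
    "u_finance_staff": {"members": {"alice", "bob", "dave"}, "dependson": "uw_employee"},
    "u_finance_admins": {"members": {"alice", "dave"}, "dependson": "u_finance_staff"},
    "u_all_finance": {"members": set(), "subgroups": {"u_finance_staff", "u_finance_admins"}},
}


def effective_members(name, groups=GROUPS, _stack=()):
    """Users who are effectively members of `name`.

    Direct members and members of subgroups are unioned; if the group declares
    `dependson`, only users who are also effective members of that group
    remain. A cycle through subgroups or dependson raises ValueError.
    """
    if name in _stack:
        raise ValueError("cycle detected: " + " -> ".join(_stack + (name,)))
    if name not in groups:
        raise KeyError(name)
    stack = _stack + (name,)
    rec = groups[name]
    members = set(rec.get("members", ()))
    for sub in rec.get("subgroups", ()):
        members |= effective_members(sub, groups, stack)
    dep = rec.get("dependson")
    if dep is not None:
        members &= effective_members(dep, groups, stack)
    return members


def is_member(user, name, groups=GROUPS):
    return user in effective_members(name, groups)


def has_cycle(name, groups=GROUPS):
    try:
        effective_members(name, groups)
        return False
    except ValueError:
        return True


def leave_employment(user, groups=GROUPS):
    """Remove a user from uw_employee; every dependent group drops them with no edit."""
    groups["uw_employee"]["members"].discard(user)
```

The point of the dependency is in leave_employment: nothing touches u_finance_staff or u_finance_admins, yet the departed user is no longer an effective member of either, which is the behaviour you want from an access group.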

Other recent changes include:

  • UW course group memberships now updated in near real-time!!
  • improved reliability of Groups Directory (openldap) provisioning
  • integration with Tegrity Manager to manage roles in Tegrity Courses
  • new Student Major subgroups by degree level/type; by request

Note: the near real-time updates to UW course groups don't apply to downstream applications and infrastructure, like UW Mailman and UWWI Active Directory, that cache local copies of course groups.

To log in to the GWS UI, visit:
https://iam-ws.u.washington.edu/group_ws/v2/

The highest priorities for our next release include:

  • support "groups.uw.edu" or other easy location for GWS UI
  • update UWWI AD groups in real time
  • add support for GID attribute

RL "Bob" Morgan Tributes

As sent to UW-IT and the UW techsupport community...

It is with deep sadness that I share the news that RL "Bob" Morgan passed away last Thursday, July 12, at the UW Medical Center.

RL Bob was receiving treatment related to myelodysplastic syndrome, a form of cancer for which he received a stem cell transplant in June.

Although his title was that of our identity architect, many of us revered him and labeled him "spiritual adviser". He brought wisdom, humor, and clearheadedness to the complex problems presented by online identity, and to the challenges of getting key people in higher education and industry to agree on the mechanics needed to enable it, so that ultimately everyone would trust it. His contributions here were immeasurable, involving the foundations of identity federation, as well as major projects like InCommon, Shibboleth, SAML, and much, much more.

In April, he was honored with the Internet2 President's Leadership Award in recognition of his vision and ability to lead, mentor, and collaborate with others, which he continued to do via email and on conference calls right up to his recent admittance to the hospital.

RL Bob leaves us a rich legacy of ideas and examples to work on and live by. Among the latter: generosity, reciprocity, mumbleocity, and simply knowing when to close the laptop and go enjoy what one loves most: family, friends, baking, soccer, reading, dry wit, and a myriad of other things in his case. For me and many others, he exemplified human flourishing; he will be missed. Immensely.

Now our thoughts, hearts, and sympathies turn to RL Bob's family: his wife Eve and daughters Annika and Julia. They are planning a memorial event for the weekend of July 28, and suggesting that remembrances be made to a college fund for the girls or to Mercy Corps. As soon as details are known, I will share those with the UW-IT community.

-Nathan

P.S. A website has also been set up at Internet2 for remembrances:

https://spaces.internet2.edu/display/rlbob/Home

InCommon News - July 2012

The July 2012 issue of InCommon News is now available online at http://www.incommon.org/newsletter/2012_07_web.html

In this issue:

  • July 19 IAM Online: The Future of Federated Identity, or Whither SAML?
  • Quest Software Joins Affiliate Program
  • New Research & Scholarship Services
  • New Certificate Service Subscribers

New participants include:

UWWI News - July 2012

Here's an update on recent happenings with the UW Windows Infrastructure.

Readers should give special attention to the planned change to the UWWI user mail attribute values, as detailed below.

New Capabilities and Improvements

Reflecting the heavy growth of the UWWI line of business, UW-IT has increased the staff allocation:

  • Will Kaufman, a technical support representative who also works with UW-IT's managed workstation service, has begun fielding some 1st tier tickets
  • Eric Kool-Brown, a new hire, is going through on-board training. During his career at Microsoft, Eric worked on the original design of Active Directory Users and Computers--among many other things.

Spotlights

Work with the Office 365 project team has identified an urgent need to change the UWWI user mail attribute provisioning algorithm. Known problems include:

  • lack of user input validation (misspellings abound),
  • no constraints around the DNS subdomain specified,
  • the ability for more than a single user account to have the same address.

A plan to address this has been formed:

  • During the summer, we'll reset all UWWI user accounts' mail value to <uwnetid>@uw.edu.
  • We'll add a capability to the UW NetID Manage page to allow users to change from this default value. The UW NetID Manage page will:
    • enforce input validation,
    • know about "accepted DNS domains", and
    • not allow more than a single user account to have the same address.
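The three rules the plan lists (validate the input, restrict the domain to an accepted list, and refuse an address already held by another account) are exactly the checks a mail-attribute validator needs. The following is an added example of such a validator, not the UW NetID Manage page's code. The accepted-domain list, the sample of existing directory values, and the local-part syntax (a conservative RFC 5322 dot-atom, no quoted forms) are constructed assumptions.

```python
"""Validate a user-chosen mail attribute value.

Added example, not UW NetID Manage page code. ACCEPTED_DOMAINS, EXISTING and
the local-part syntax are assumptions.
"""
import re

# Assumed accepted DNS domains; the real list is whatever the service accepts.
ACCEPTED_DOMAINS = {"uw.edu", "u.washington.edu", "washington.edu"}

# Dot-atom local part: atoms of RFC 5322 atext separated by single dots.
_ATEXT = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+"
_LOCAL_PART = re.compile(rf"^{_ATEXT}(\.{_ATEXT})*$")


def normalize(address: str) -> str:
    """Trim surrounding whitespace and lower-case for comparison and storage."""
    return address.strip().lower()


def default_mail(uwnetid: str) -> str:
    """The reset value the plan describes: <uwnetid>@uw.edu."""
    return f"{uwnetid.strip().lower()}@uw.edu"


def validate_mail(candidate: str, owner: str, existing: dict) -> tuple:
    """Return (ok, detail); detail is the normalized address or a rejection reason.

    `existing` maps normalized address -> uwnetid currently holding it. The
    owner's own current address is accepted (re-saving is a no-op); any other
    account holding the address is a conflict.
    """
    addr = normalize(candidate)
    if addr.count("@") != 1:
        return False, "address must contain exactly one @"
    local, domain = addr.split("@")
    if not local or len(local) > 64 or not _LOCAL_PART.match(local):
        return False, "invalid local part"
    if domain not in ACCEPTED_DOMAINS:
        return False, f"domain {domain!r} is not an accepted DNS domain"
    holder = existing.get(addr)
    if holder is not None and holder != owner:
        return False, "address already assigned to another account"
    return True, addr


# Constructed sample of current directory state (normalized address -> uwnetid).
EXISTING = {
    default_mail("alice"): "alice",
    default_mail("bob"): "bob",
    "robert.jones@uw.edu": "bob",
}
```

Normalizing before both the syntax check and the uniqueness lookup is what closes the duplicate-address problem: "Robert.Jones@UW.edu" and "robert.jones@uw.edu" must be treated as the same value, otherwise two accounts can still end up with what the mail system sees as one address.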

The UW NetID Manage page will also provide a method for users to control whether they are included in the UW Exchange/Office 365 global address list (GAL).

We'll have more info about this change as it approaches. If you have an application that integrates with the NETID domain which leverages the UWWI user mail attribute and you have concerns about this change, please let us know. We expect this change to happen in the next 3-6 weeks.

An Annual Service Assessment for the UW Windows Infrastructure line of business was completed. UW-IT has plans to make these customer visible, as they include relevant information like 1 and 3 year forecasts.

UW-IT kicked off a project to decommission the UW Forest. Customers in the forest have plans to migrate out by February 2013. Two domains have shut down since the project started; 8 customer domains remain. Most of these customers plan to migrate to a delegated OU.

Brian Arkills, UW-IT's technical lead for the UW Windows Infrastructure line of business, was recently honored by Microsoft with their MVP award for his contributions in Directory Services technical communities during the past year.

  • Since December, UWWI has added: 14 delegated OUs (52 total), 2 trusts (53 total), ~1100 computers (4500 total), ~42k users (562k total).
  • UWWI support requests remain steady. 122 UWWI support tickets resolved since December.
  • OU utilization rates (based on requestor's projections) indicate that a lot of OUs are getting started. 16 OUs have more adoption than planned, 9 are making progress towards their plans, and 27 are getting started.

You can see metrics about UWWI at http://www.netid.washington.edu/dirinfo/stats.

What's Next

Our objectives for the months ahead include:

  • Continued work and changes to support the Office 365 project. As noted above, this will include a change to the UWWI user mail attribute, and we may replace our existing ILM deployment with the newest FIM release.
  • Continue to refactor the UWWI Group Sync Agent to provide near real-time sync with reduced latency for all UW group changes. We think this work will be deployed in August. This improvement, together with another imminent improvement to the way course groups are provisioned to the Groups service, will result in near real-time course groups in the NETID domain.
  • Support of the university-wide Business Continuity Initiative by placing a NETID DC in a separate geo-zone. Other critical UWWI infrastructure will also be considered in the future.
  • Support the many delegated OU customers getting started and in the midst of migrations over the summer.

Additionally, some possibilities given enough resources:

  • Investigate what's needed to provide a scalable ADFS service that customers can leverage for federated authentication to/from the Windows platform.
  • Invest in changes needed for Unix integration
  • Investigate SCCM 2012 delegation features to enable OU customers to deploy SCCM for computer management within the NETID domain.

Your Feedback

Supporting your needs for UWWI capabilities offered via the Basic Services Bundle is our priority, so we welcome feedback on how we can make the UWWI service more valuable to you.

The UWWI service has a backlog visible to customers at https://jira.cac.washington.edu/browse/UWWI where you can get more details about possible improvements, current prioritization of that work, and even what we've been doing. You can "vote" for items in the backlog to help us rank priorities, or you can contact us via iam-support@uw.edu.

InCommon News - June 2012

The June 2012 issue of InCommon News is now available online at http://www.incommon.org/newsletter/2012_06_web.html

In this issue:

  • Subscriber Agreement Available for Duo Security Multifactor Offering
  • June 13 IAM Online Covers Multifactor Authentication
  • Revised Assurance Documents Approved; On to FICAM
  • June 6 Call to Discuss Remote Identity Proofing and Silver
  • Shibboleth Workshop July 16-17 at UMBC
  • Federation Info Pages
  • New Research & Scholarship Services
  • New Certificate Service Subscribers

New participants include:

InCommon News - May 2012

The May 2012 issue of InCommon News is now available online at http://www.incommon.org/newsletter/2012_05_web.html

In this issue:

  • InCommon Reaches 400 Participants
  • Internet2, Duo Security Announce Two-Factor Offering
  • RL "Bob" Morgan Honored by Internet2
  • Assurance Documents Revised
  • New Certificate Service Subscribers

New participants include:

Our very own identity architect, RL "Bob" Morgan, received the Internet2 President’s Leadership Award at the Spring 2012 Member Meeting.

As many of you know, RL Bob provides vision and architectural sanity to the UW's identity initiatives, drawing from his experiences with external groups and consortia (Internet2, IETF, InCommon, Common Solutions Groups, Internet Identity Workshop, and the like). This award acknowledges his lifetime commitment to the higher education, research, and related identity communities.

Congratulations Bob! We're lucky to have you on the team! 

InCommon News - April 2012

The April 2012 issue of InCommon News is now available online at http://www.incommon.org/newsletter/2012_04.html

In this issue:

  • 2011 InCommon Community Accomplishments
  • InCommon Confab Program Released
  • First Research & Scholarship Services
  • New Federation Info Pages
  • Assurance Program Open for Business

New participants include:

A UW Alert message was posted on Thursday morning due to problem reports concerning the use of Entrust tokens and the UW Token Authentication Service.

See: Access to UW Administrative Systems Affected by Outage

InCommon News - February 2012

The February 2012 issue of InCommon News is now available online at http://www.incommon.org/newsletter/2012_02.html

In this issue:

  • Federated Error Handling to Improve User Experience
  • First Service Providers Apply for R&S Category
  • Two Shibboleth Workshops Planned
  • New Certificate Service Subscribers

New Participants in January:

  • Arkansas State University (www.astate.edu)
  • Bloomsburg University of Pennsylvania (www.bloomu.edu)
  • Capella University (www.capella.edu)
  • Creighton University (www.creighton.edu)
  • East Stroudsburg University of Pennsylvania (www.esu.edu)
  • Furman University (www.furman.edu)
  • Goucher College (www.goucher.edu)
  • Owens Community College (www.owens.edu)
  • Syracuse University (www.syr.edu)
  • University of Maine System (www.maine.edu)
  • University of Maryland University College (www.umuc.edu)
  • University of Nebraska at Omaha (www.unomaha.edu)
  • University of North Texas System (www.untsystem.edu)
  • Yavapai College (www.yc.edu)
  • Woods Hole Oceanographic Institution (www.whoi.edu)
  • Ohio Technology Consortium (OH-TECH) (www.oh-tech.org)
  • Terra Dotta (www.terradotta.com)

InCommon News - January 2012

The January 2012 issue of InCommon News is now available online at http://www.incommon.org/newsletter

In this issue:

  • InCommon Launches New Research & Scholarship SP Category
  • New Certificate Service Subscribers
  • New Participants in December

New Participants in December:

  • Western State College of Colorado (www.western.edu)
  • WEPA, Inc (www.wepanow.com)