IAM in Service Catalog
Here's an update on recent happenings with the UW Windows Infrastructure.
Our objectives for the months ahead include:
Additionally, some possibilities given enough resources:
Supporting your needs for UWWI capabilities offered via the Basic Services Bundle is our priority, so we welcome feedback on how we can make the UWWI service more valuable to you.
The UWWI service has a backlog visible to customers at https://jira.cac.washington.edu/browse/UWWI where you can get more details about possible improvements, current prioritization of that work, and even what we've been doing. You can "vote" for items in the backlog to help us rank priorities, or you can contact us via firstname.lastname@example.org.
The December 2011 issue of the InCommon Update is now available online at http://www.incommon.org/newsletter
In this issue:
New Participants in November:
The November InCommon Update is available at www.incommon.org/newsletter.
This issue includes:
This is a reminder that UW Information Technology (UW-IT) support of WS2003 domain controllers leveraging a cross-realm Kerberos trust with u.washington.edu will end on December 31, 2011 and that without explicit action, such WS2003 domain controllers will stop working with Kerberos when we switch to the new Kerberos 1.9 KDCs on November 29, 2011. Please continue reading for more information if you have domain controllers that fall into this category.
On or before the planned cutover to the new Kerberos 1.9 KDCs on November 29, 2011, UW-IT asks that you consider doing one of the following:
UW-IT will keep the old KDCs running on a best-effort basis until December 31, 2011. If you need to rely on the old KDCs until that time, you will need to redirect all your Windows clients to different KDC DNS addresses prior to the November 29 cutover and until you've upgraded your domain controllers.
To continue using the old KDCs, on your Windows clients and domain controllers, edit the following registry key:
Replace the existing values with:
After you've upgraded your domain controllers, replace those values with:
Please contact us at email@example.com if you have any questions.
Each quarter we provide an update on what's happening with UW Identity & Access Management (IAM) services. Here's our October 2011 edition.
Our objectives in the months ahead include:
Overall autumn quarter priorities, operational support, and general resource availability will determine what we get done.
Supporting your needs for integration with IAM services offered through the Basic Services Bundle is our highest priority, so we welcome your feedback on how we can make progress updates like this, as well as the services themselves, more valuable to you. If you have needs, ideas, or feedback, please send them to firstname.lastname@example.org.
The latest InCommon news is available at https://spaces.internet2.edu/x/arCKAQ.
In This Issue:
Here's an update regarding our Kerberos 1.9.1 upgrade. On Wednesday, September 14, UW-IT cut over to the new Kerberos servers, but after a short period of time we detected performance issues affecting several services, including the UW weblogin service. After not being able to identify the exact cause of the problem, we rolled back to the old Kerberos servers.
Analysis of that attempt revealed a recently discovered bug in Kerberos 1.9.1 that appears only under very heavy load, the kind we sustain here at the UW. We have successfully patched the bug and are confident Kerberos 1.9.1 will now stand up to the heavy loads in production.
To avoid disruption to services during the first part of Autumn Quarter, we are going to reschedule the upgrade for November or later. We will send out a reminder ahead of time.
Please also remember we're planning to decommission the old Kerberos servers at the end of the calendar year. Any departments or schools still running Windows domains with WS2003 domain controllers leveraging a cross-realm Kerberos trust with u.washington.edu will need to upgrade their domain controllers or transition to a UWWI trust or UWWI delegated OU prior to December 31, 2011.
Thanks for your patience. Please send any questions to email@example.com.
The August issue of the InCommon newsletter is now available at https://spaces.internet2.edu/x/mpqKAQ
In This Issue:
UW faculty and staff who use Research.gov can log in via federated logins from the UW using their UW NetID and password.
Once logged in to Research.gov, users can connect seamlessly to FastLane's Principal Investigator services without having to log in again.
To learn more, NSF posted a new release at http://nsf.gov/news/news_summ.jsp?cntn_id=121018&org=NSF&from=news
To log in to Research.gov via federation:
1. Browse to research.gov.
2. Select InCommon from the login menu options and click Login.
4. On the next page, select University of Washington from the menu options and click Log In.
5. This will redirect you to the UW weblogin page where you can authenticate as usual.
6. Voila! Via the federated login process, your federated login name (as well as full name and email) is securely communicated to establish a session with Research.gov.
The July issue of the InCommon newsletter is now available at https://spaces.internet2.edu/x/pZGKAQ
In This Issue:
Here's our quarterly update highlighting what's happening with UW identity and access management (IAM) services.
Some of the objectives we plan to work on in the months ahead include:
As before, higher priorities, operational support, and resource availability will determine what we accomplish during Summer quarter.
This message is part of our effort to communicate more effectively about some of the IAM services supported by the Technology Recharge Fee. We hope it helps you understand a little bit better what's available and where things are headed. We welcome your feedback on how we can make updates like this, as well as the services themselves, more valuable to you.
If you have thoughts on that, please send them to firstname.lastname@example.org.
An upgraded version of the u.washington.edu Kerberos service is available for customer testing until August 24th.
If you depend on UW NetIDs and Kerberos for authentication, please review our Kerberos upgrade information to determine whether your services depend on the current Kerberos service, how the upgrade to Kerberos 1.9 in September may impact you, and what you can do to test and be ready for the transition.
Although many users leverage the UW Kerberos service whenever they log into a service that requires authentication by UW NetID, very few people will be directly impacted by this upgrade, because it's designed to provide backwards compatibility with existing configurations.
To determine if you need to test and what to test please visit:
For general information about the upgrade and schedule visit:
Please let us know if you have any questions about the customer test period by emailing email@example.com. Thanks!
Today UW-IT hosted an event in OUGL 220 on "Macintosh authentication using UW NetID".
Presenters included folks from Apple Computer Inc., UW-IT, and the UW Information School.
A wiki page has been created for the event and topic. See Mac integration with UW NetIDs (2011 meeting)
During Spring quarter we had time on the margins of other UW-IT project priorities to implement several minor enhancements to the groups service.
We'd like your validation and feedback on these enhancements prior to scheduling a release. Here's a summary of changes in the 2.1.4 preview:
Changes to the GWS Browser UI include:
Changes to the GWS REST API include:
Here are some brief notes about the primary feature additions above:
About GRP-305: much can be said about data classification, so I'll send a separate email (subject: "group data classification is an attribute").
About GRP-415 (opt-in/opt-out): group admins can specify people or groups who can add themselves to a group's membership, and/or remove themselves, without intervention by a member manager. This is implemented via new input fields labeled "People who can opt in" and "People who can opt out", with "join this group" and "leave this group" links for users to join/leave a group.
Note: this GRP-415 feature is the self-service version of another feature request, backlogged as GRP-167/GRP-168, which introduces additional request/approval workflow for joining/leaving a group. It currently has a low rank, but it might make a simple use case for integration between UW groups and the UW workflow service (coming in 2011-2012).
About GRP-463 (2-factor authentication): I'll summarize details in a separate email thread (subject: "2-factor authentication support").
To evaluate Groups 2.1.4 using real production groups, use this link:
To evaluate Groups 2.1.4 using non-production throw-away groups, use:
We'll schedule the release of these features based on your feedback.
Feedback can be posted back to group-discuss, to firstname.lastname@example.org, or entered as bugs in our JIRA at https://jira.cac.washington.edu/browse/GRP
Have at it!
The June issue of InCommon News is available at https://spaces.internet2.edu/x/pYqKAQ
In This Issue: