UWWI News - December 2011

Here's an update on recent happenings with the UW Windows Infrastructure.

New Capabilities and Improvements

  • UWWI users can now log on to the NETID domain using a uwnetid@uw.edu user principal name (UPN), in addition to NETID\uwnetid and uwnetid@netid.washington.edu. This enables a shorter username, making it easier for users to log in, as well as paving the way for single sign-on to Office 365 based services.
  • The UWWI Group Sync Agent (slurpee) has reduced UW group update latency to 30 minutes or less for user-managed groups under 1000 members. Institutional groups and large groups are still only synchronized once a day.
  • The NETID domain controller refresh work is complete. Results include: Windows Server 2008 R2 forest functional level, increased operational capacity, and improvements around router dependency.
  • The UW Forest root domain controller refresh work is complete. Maintaining hardware warranty level was achieved via this work.

Spotlights

  • Partnered with IT staff from the College of Arts and Science to test PowerBroker Identity Services (was Likewise Enterprise) as a solution for Unix interoperability with UWWI Delegated OUs. Results include: identifying specific configurations that work, and a list of work needed by UW-IT to support this solution.
  • Since May, UWWI has added: 13 delegated OUs (38 total), 3 trusts (51 total), ~900 computers (3400 total), ~20k users (520k total).
  • UWWI support requests are up. 147 UWWI support tickets resolved since May, compared to 91 the 6 months prior. UW groups requests are up too.
  • ~183000 UWWI logons/day on average, representing a 50% increase.
  • OU utilization rates (based on requestor's projections) are increasing. 10 OUs have more adoption than planned, 16 are making progress towards their plans, and 12 are getting started.

What's Next

Our objectives for the months ahead include:

  • Continued work and changes to support an Office 365 project. Changes expected to UWWI user account provisioning include changes to the way the mail and displayName attribute values are populated. More details will be forthcoming on these changes, but if you have an application dependent on these attributes, we'd be happy to share what we know now.
  • Support of the university-wide Business Continuity Initiative by placing a NETID DC and a UW Forest root DC in a separate geo-zone. Other critical UWWI infrastructure will also be considered in the future.
  • Continue to refactor the UWWI Group Sync Agent to provide near real-time sync with reduced latency for all UW group changes.

Additionally, some possibilities given enough resources:

  • Develop auditing capabilities to address various security and regulatory concerns.
  • Invest in changes needed for Unix integration via PowerBroker Identity Services.
  • Investigate SCCM 2012 delegation features to enable OU customers to deploy SCCM for computer management within the NETID domain.
  • Develop item-level directory recovery capability to improve our ability to easily recover AD objects that have been mistakenly deleted.
  • Investigate Apple schema changes to improve Mac management as discussed at a campus gathering about Mac authentication integration.

Your Feedback

Supporting your needs for UWWI capabilities offered via the Basic Services Bundle is our priority, so we welcome feedback on how we can make the UWWI service more valuable to you.

The UWWI service has a backlog visible to customers at https://jira.cac.washington.edu/browse/UWWI where you can get more details about possible improvements, current prioritization of that work, and even what we've been doing. You can "vote" for items in the backlog to help us rank priorities, or you can contact us via iam-support@uw.edu.

The December 2011 issue of the InCommon Update is now available online at http://www.incommon.org/newsletter

In this issue:

  • Populate Those Metadata Elements
  • OARnet Develops Common Agreement for Ohio Schools
  • New Certificate Service Subscribers
  • Speaking of Certificates, Kudos to Northwestern

New Participants in November:

  • Higher Education
    • Bay de Noc Community College (www.baycollege.edu)
    • Northern Illinois University (www.niu.edu)
    • Pepperdine University (www.pepperdine.edu)
    • Samford University (www.samford.edu)
    • University of Oklahoma (www.ou.edu)
    • Wake Forest University (www.wfu.edu)
    • Walsh University (www.walsh.edu)
  • Research Organizations
    • Ames Laboratory (www.ameslab.gov)
    • LIGO Scientific Collaboration (www.ligo.org)
    • Oak Ridge National Laboratory (www.ornl.gov)
  • Sponsored Partners
    • Ripple Send (www.rrripple.com)

The November InCommon Update is available at www.incommon.org/newsletter.

This issue includes:

  • InCommon Receives Online Trust Leadership Award
  • Federate with Research.gov
  • InCommon Sets 2012 Fees
  • Resources Available from Internet2 Member Meeting
  • First Year of Certificate Service: Tens of Thousands Issued
  • New Participants in October

This is a reminder that UW Information Technology (UW-IT) support of WS2003 domain controllers leveraging a cross-realm Kerberos trust with u.washington.edu will end on December 31, 2011 and that without explicit action, such WS2003 domain controllers will stop working with Kerberos when we switch to the new Kerberos 1.9 KDCs on November 29, 2011. Please continue reading for more information if you have domain controllers that fall into this category.

On or before the planned cutover to the new Kerberos 1.9 KDCs on November 29, 2011, UW-IT asks that you consider doing one of the following:

  • Replace existing WS2003 domain controllers before the cutover date.

UW-IT will keep the old KDCs running on a best-effort basis until December 31, 2011. If you need to rely on the old KDCs until that time, you will need to redirect all your Windows clients to different KDC DNS addresses prior to the November 29 cutover and until you've upgraded your domain controllers.

To continue using the old KDCs, on your Windows clients and domain controllers, edit the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains\u.washington.edu\KdcNames

Replace the existing values with:
                k5-oldprimary.u.washington.edu
                k5-oldbackup.u.washington.edu

After you've upgraded your domain controllers, replace those values with:
                k5-primary.u.washington.edu
                k5-backup.u.washington.edu
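As an added example (not part of the original UW-IT notice), the registry change above can be applied and verified from an elevated PowerShell session rather than by hand in the registry editor. It assumes only the key path and the four KDC host names given in the notice; the helper function names and the Set-ItemProperty approach are my own choices.

```powershell
# Added example: point the u.washington.edu realm at a specific KDC list.
# Registry path and host names are taken from the notice above; everything
# else (function names, verification step) is assumed for illustration.
$realmKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains\u.washington.edu'

$oldKdcs = @('k5-oldprimary.u.washington.edu', 'k5-oldbackup.u.washington.edu')
$newKdcs = @('k5-primary.u.washington.edu', 'k5-backup.u.washington.edu')

function Get-RealmKdcNames {
    # Return the current KdcNames list, or an empty array if the key/value is absent.
    if (-not (Test-Path $realmKey)) { return @() }
    $item = Get-ItemProperty -Path $realmKey -Name 'KdcNames' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return @() }
    return @($item.KdcNames)
}

function Set-RealmKdcNames {
    param([Parameter(Mandatory)][string[]]$KdcNames)
    if (-not (Test-Path $realmKey)) { New-Item -Path $realmKey -Force | Out-Null }
    # KdcNames is a REG_MULTI_SZ; this replaces the existing values rather than appending.
    Set-ItemProperty -Path $realmKey -Name 'KdcNames' -Value $KdcNames -Type MultiString
}

Write-Host "Current KdcNames: $((Get-RealmKdcNames) -join ', ')"

# Before the November 29 cutover, while still on WS2003 domain controllers:
Set-RealmKdcNames -KdcNames $oldKdcs

# After upgrading the domain controllers, run the same step with the new list:
# Set-RealmKdcNames -KdcNames $newKdcs

# Read the value back and fail loudly if it does not match what was requested.
$current = Get-RealmKdcNames
if (@(Compare-Object $current $oldKdcs).Count -ne 0) {
    throw "KdcNames was not updated as expected: $($current -join ', ')"
}

# Drop cached tickets so new requests go to the configured KDCs
# (klist.exe ships with Windows Vista / Server 2008 and later).
klist purge
```

The same KdcNames value is what `ksetup /addkdc u.washington.edu <kdc-host>` writes; the script form is useful when you need to apply an identical list across many clients and confirm the result. Run it as an administrator, since the key lives under HKLM.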

Please contact us at iam-support@uw.edu if you have any questions.

IAM News - October 2011

Each quarter we provide an update on what's happening with UW Identity & Access Management (IAM) services. Here's our October 2011 edition.

New Capabilities

  • Enabled self-service requests for InCommon CA certificates through a new consolidated interface called UW Certificate Services.
  • Added self opt-in/opt-out of group memberships and two-factor authentication to the management options for UW Groups.
  • Released mod_gws 1.4.1, an Apache module compatible with Pubcookie and Shibboleth, supporting access control based on UW Group memberships.

Spotlights

  • UW Medicine worked with UW-IT to bring new affiliate populations into the UW Person Registry, including personnel from UW Physicians Network and Fred Hutchinson Cancer Research Center.
  • Spotlight on UW Libraries: With staff scattered across four Windows domains on three UW campuses, managing Windows resources has become more difficult and time consuming for the UW Libraries. They decided to consolidate the two largest domains into the NetID domain run by UW-IT. Although still a work in progress, the benefits are already apparent. Mike Reynolds, UW Libraries network administrator, explained, "We have migrated over 450 staff workstations to the NetID domain and haven't looked back. Any resistance by staff to this change melted immediately when we explained to them that they'd no longer need separate passwords for logon and email. Departments that manage groups have responded positively to the switch from the Active Directory Users and Groups tool to the UW Groups web interface, which they find less intimidating to use for group management. And don't get us started on the benefits to our ITS department of not having to deal with firewall issues between us and trusted outside domains!" The Libraries has another 200 workstations and several dozen Windows servers left to migrate, at which point the lib.washington.edu and hslib.washington.edu domains will be shut down.
  • The National Institutes of Health (NIH) has federated with nearly 50 InCommon participating research universities, including the UW. Using iTrust, NIH's Federated Identity Management System, UW researchers can use their UW NetID account via the weblogin service for access to more than forty NIH applications. SAML 2.0 federation protocols underlie this capability. To learn more refer to NIH Federation InCommon Wiki.
  • As a National Science Foundation grantee institution and member of InCommon, the UW has enabled SAML-based federated single sign-on to Research.gov. Once logged into Research.gov, PIs and co-PIs can browse to FastLane's Principal Investigator services without having to log in again. The UW was one of the first institutions to enable this service. To learn more refer to their press release or visit ORIS's Simplified Access to Research.gov page.
  • In July, a pilot program went live to improve access to the University HealthSystem Consortium (UHC) website and applications via federated logins from the UW. The pilot included about 20 users from UW Medicine, with a plan to offer the option to all UW Medicine UHC users in November. UWMC Center for Clinical Excellence, UW-IT, and UHC collaborated on the project. This collaboration included UW sponsoring UHC into InCommon, which will eventually enable SAML-based federation with UHC for other InCommon member institutions.
  • In July, the Graduate School upgraded MyGradProgram to Windows 2008 R2 and transitioned its integration with the weblogin service from Pubcookie to Shibboleth, including use of both single and two-factor authentication. Now all 1400 faculty/staff users of MyGradProgram, as well as all student access for degree requests, general/final exams, and petitions use the weblogin service via Shibboleth and its industry standard SAML protocol.
  • In August, representatives from Internet2/InCommon, the Kuali Foundation, Jasig, and several universities, including the UW, met in Chicago to discuss futures for open-source IAM products for higher education and research. The two-day workshop identified capability gaps and redundancies, focusing on identity registries, service provisioning, and access management. Small subgroups have been chartered to make recommendations this autumn to align initiatives with community needs. To learn more refer to the Open Source Identity Management for Higher Education initiative website.
  • The UW Medicine Physician Liaison Program (PLP) partnered with UW-IT and UW Medicine IT Services to use the UW NetID identity verification process to verify the identities of potential users of U-Link: the internet portal provided by PLP to allow non-UWMC referring physicians, other licensed referring healthcare professionals, and their support staff, located throughout the Pacific Northwest, to access the electronic medical records of patients they refer to the UW Medicine (including UW Medical Center, Harborview Medical Center, and Seattle Cancer Care Alliance). For U-Link 4.0 and to meet UW Medicine requirements for secure access to patient data, PLP leveraged UW-IT's work on "identity assurance" in categorizing the processes used to verify the identities of prospective U-Link users. Here the high-assurance remote sponsorship features of the Sponsored UW NetID service proved useful. We expect the experience gained in working with PLP and refining identity assurance concepts in this project will help other UW business units that also need good security while working with similarly diverse user populations.
  • Our scheduled attempts to cut over UW Kerberos to version 1.9.1 revealed problems requiring a rollback. Having fixed the issues, UW-IT's project team is now rescheduling the upgrade (third time's the charm!) and will decommission the old Kerberos servers at the end of the year. To learn more refer to UW Kerberos Service Upgrade - Summer 2011.
  • On the Application UW NetID front, we've lowered the green flag and raised the yellow caution flag, signaling our limited capabilities, documentation, and support. We're still manually issuing this type of UW NetID account for system access to the Enterprise Data Warehouse, but other uses are subject to closer review and might be served better by a Shared UW NetID, at least until additional project work is completed to clarify policy and appropriate uses, enable self-service management, and transition support for Application UW NetIDs to the UW-IT Service Center.
  • In September, F2 Decision Support, UW HR, Academic HR, and UW-IT refined the My People report definitions and capabilities for analyzing UW employee organizational affiliation by Home Department and by Appointing Department. To learn more refer to the Human Resources reports in the Report Catalog on the Decision Support website.
  • Since June, MI Public Discussions added 10 more delegated OUs and another trust. Since January, the number of computers in the domain has more than doubled, to over 3,300.
  • Because X.509 certificates issued by the InCommon CA are trusted by browsers and OSes, adoption on UW-owned websites has been steady: 117 InCommon CA certs have been issued to the UW so far, and now are in use on several prominent UW-IT services like MyUW, the UW homepage, and the "deskmail" IMAP servers.
  • The UW Services CA continues to be used by UW applications that need a client certificate to access UW web services requiring TLS client authentication based on UW's internal trust fabric.
  • UW Groups use trends: 239 groups have been used in Catalyst, 180 groups are activated in UW Google Apps, over 50 groups are being synchronized to the Nebula domain, 60 or more are synchronized to a UW Mailman list, and a handful are being used to assert SAML isMemberOf attribute values to Shibboleth service providers for federated access management.

What's Next

Our objectives in the months ahead include:

  • Complete UW Kerberos upgrade to v1.9; retire old infrastructure
  • Integrate UW IAM capabilities with Office 365; via UWWI
  • Integrate UW Groups with Tegrity to support non-course uses
  • Upgrade the Token Authentication Service (i.e. Entrust Identity Guard)
  • Plan how to use employee separation data to auto-deprovision access
  • Evaluate My People report definitions/data for operational uses
  • Plan how to replace and retire the Whatami client component
  • Add People Finder report to My People reports
  • Map the UW application integration genome

Overall autumn quarter priorities, operational support, and general resource availability will determine what we get done.

Your Feedback

Supporting your needs for integration with IAM services offered through the Basic Services Bundle is our highest priority, so we welcome your feedback on how we can make progress updates like this, as well as the services themselves, more valuable to you. If you have needs, ideas, or feedback, please send them to iam-support@uw.edu.

InCommon News - October 2011

The latest InCommon news is available at https://spaces.internet2.edu/x/arCKAQ.

In This Issue:

  • Identity Management Governance Topic of IAM Online, Oct. 12
  • Shibboleth Installation Workshops Nov. 7-8 in Long Beach, CA
  • Populate Your Metadata UI (MDUI) Elements and Requested Attributes
  • Comodo Release: Tens of Thousands of Certificates Issued
  • Internet2 Announces Box.net, HP Services Available via InCommon
  • New Participants for September
  • Gluu, Unicon Featured Affiliates

Here's an update regarding our Kerberos 1.9.1 upgrade. On Wednesday, September 14, UW-IT cut over to the new Kerberos servers, but after a short period of time we detected performance issues affecting several services, including the UW weblogin service. After not being able to identify the exact cause of the problem, we rolled back to the old Kerberos servers.

Analysis of that attempt revealed a recently discovered bug in Kerberos 1.9.1 that appears only under very heavy load, the kind we sustain here at the UW. We have successfully patched the bug and are confident Kerberos 1.9.1 will now stand up to the heavy loads in production.

To avoid disruption to services during the first part of Autumn Quarter, we are going to reschedule the upgrade for November or later. We will send out a reminder ahead of time.

Please also remember we're planning to decommission the old Kerberos servers at the end of the calendar year. Any departments or schools still running Windows domains with WS2003 domain controllers leveraging a cross-realm Kerberos trust with u.washington.edu will need to upgrade their domain controllers or transition to a UWWI trust or UWWI delegated OU prior to December 31, 2011.

Thanks for your patience. Please send any questions to iam-support@uw.edu.

The August issue of the InCommon newsletter is now available at https://spaces.internet2.edu/x/mpqKAQ

In This Issue:

  • Pennsylvania System, InCommon Develop Template Agreement
  • Federated Research.gov Proves Popular
  • InCommon Email Lists Change Names
  • New Participant, Affiliate Logos Introduced
  • Joe St Sauver to Manage Certificate Service

New Participants:

  • A.T. Still University (www.atsu.edu)
  • Chapman University (www.chapman.edu)
  • McNally Smith College (www.mcnallysmith.edu)
  • St. Louis University (www.slu.edu)
  • University of Idaho (www.uidaho.edu)
  • University of Kentucky (www.uky.edu)
  • University of Wisconsin-Superior (www.uwsuper.edu)
  • GENI (www.geni.net)
  • Long Term Ecological Research Network (LTERN) (www.lternet.edu)
  • CollegeNet (www.collegenet.com)
  • Nolij (www.nolij.com)
  • UHC (www.uhc.edu)

UW faculty and staff who use Research.gov can log in via federated logins from the UW using their UW NetID and password.

Once logged in to Research.gov, users can connect seamlessly to FastLane's Principal Investigator services without having to log in again.

To learn more, NSF posted a new release at http://nsf.gov/news/news_summ.jsp?cntn_id=121018&org=NSF&from=news

To log in to Research.gov via federation:

1. Browse to research.gov.

2. Select InCommon from the login menu options and click Login.

4. On the next page, select University of Washington from the menu options and click Log In.

5. This will redirect you to the UW weblogin page where you can authenticate as usual.

6. Voila! Via the federated login process your federated login name (as well as full name and email) are securely communicated to establish a session with Research.gov.

The July issue of the InCommon newsletter is now available at https://spaces.internet2.edu/x/pZGKAQ

In This Issue:

  • Legacy WAYF Decommissioned
  • July 13 IAM Online: ECAR’s 2011 Study of Identity Management in Higher Ed.
  • Shibboleth Installation Workshops July 21-22 in Milwaukee
  • Certificate Service Introduces Code Signing Certificates
  • Maryland Consortium Provides Template for Joining InCommon
  • Email List Added for Assurance Discussions
  • InCommon Expands to Include Research Organizations
  • New Participants in June
  • Featured Affiliate: Gluu

New Participants:

  • Lehigh University (www.lehigh.edu)
  • University of Kansas (www.ku.edu)
  • SLAC National Accelerator Laboratory (www.slac.stanford.edu)

IAM News - June 2011

Here's our quarterly update highlighting what's happening with UW identity and access management (IAM) services.

New Capabilities

  • Added RESTful web services as a data source for ASTRA span-of-control values.
  • Added more flexible options for populating the UW Groups service from ASTRA roles/authorizations.

Spotlights

  • During Spring quarter, UW-IT's Kerberos 1.9 Upgrade project team tested new hardware and software supporting UW Kerberos infrastructure (@u.washington.edu realm). Preparations are now under way for customer testing and validation of the transition plan for the September cutover to the new version. Details for customer testing will be available soon.
  • During May the last batch of SecurIDs supporting 2-factor authentication were expired, completing a two-year-plus transition from SecurID tokens to Entrust tokens for 2-factor authentication.
  • On June 16th we notified 333 people with EDUCAUSE accounts that they can log in to the EDUCAUSE website via federated logins from the UW. As a result, they no longer have to maintain a separate username and password to access resources, manage their profile, or register for events at EDUCAUSE. Instead, one simply selects the "InCommon" login option on www.educause.edu.
  • IT staff from the College of Arts & Sciences collaborated with Likewise Software and UW-IT on a technical proof of concept for integrating Unix systems with UW Windows Infrastructure for UW NetID authentication and RFC 2307 Unix login information. The collaboration demonstrated the technical feasibility of using Likewise Enterprise with UWWI delegated OUs, but actual adoption will require more fine-grained control of Likewise "overrides", central assignment of GIDs in the UW Groups service, and UID assignment to additional UW NetIDs.
  • UW-IT created weblogin-discuss@uw.edu, a new community discussion group focused on weblogin services (Pubcookie, Shibboleth, and web SSO more broadly). Envisioning how we evolve and support these services will be one of the initial discussion threads.
  • On Wednesday, June 29th, UW-IT will host a session on Macintosh authentication using UW NetID, 2:00-3:30pm in OUGL 220. Presenters include folks from Apple Computer Inc., UW-IT, and the UW Information School.
  • The number of UW Groups enabled in UW Google Apps increased from around 50 in March to about 90 today.
  • Since March, UW Windows Infrastructure added 2 more trusts and 3 more delegated OUs, with the total number of computers now exceeding 2,000.
  • InCommon approved new foundational documents for its Identity Assurance program, including refined profiles for InCommon Bronze and Silver. Their June 15th webinar was devoted to assurance.
  • Several UW organizations have started referencing UW student major groups to identify their current students by major (a very timely, useful, and automated solution to boot).

What's Next

Some of the objectives we plan to work on in the months ahead include:

  • Upgrade UW Kerberos infrastructure (hardware & software)
  • Release Groups 2.1.4 including 2-factor authentication and opt-in/opt-out features
  • Integrate UW CA website with InCommon Certificate Service
  • Assess how IAM capabilities can enable event-driven architecture
  • Plan how to use employee separation data to auto-deprovision access
  • Evaluate MyPeople report definitions/data for operational use with UW Groups
  • Release a 64-bit version of PubcookieFilter DLL

As before, higher priorities, operational support, and resource availability will determine what we accomplish during Summer quarter.

Your Feedback

This message is part of our effort to communicate more effectively about some of the IAM services supported by the Technology Recharge Fee. We hope it helps you understand a little bit better what's available and where things are headed. We welcome your feedback on how we can make updates like this, as well as the services themselves, more valuable to you.

If you have thoughts on that, please send them to iam-support@uw.edu.

An upgraded version of the u.washington.edu Kerberos service is available for customer testing until August 24th.

If you depend on UW NetIDs and Kerberos for authentication, please review our Kerberos upgrade information to determine whether your services depend on the current Kerberos service, how the upgrade to Kerberos 1.9 in September may impact you, and what you can do to test to be ready for the transition.

Although many users leverage the UW Kerberos service whenever they log into a service that requires authentication by UW NetID, very few people will be directly impacted by this upgrade, because it's designed to provide backwards compatibility with existing configurations.

To determine if you need to test and what to test please visit:

How to Test Kerberos 1.9

For general information about the upgrade and schedule visit:

UW Kerberos Service Upgrade - Summer 2011

Please let us know if you have any questions about the customer test period by emailing iam-support@uw.edu. Thanks!

Today UW-IT hosted an event in OUGL 220 on "Macintosh authentication using UW NetID".

Presenters included folks from Apple Computer Inc., UW-IT, and the UW Information School.

A wiki page has been created for the event and topic. See Mac integration with UW NetIDs (2011 meeting)

During Spring quarter we had time on the margins of other UW-IT project priorities to implement several minor enhancements to the groups service.

We'd like your validation and feedback on these enhancements prior to scheduling a release. Here's a summary of changes in the 2.1.4 preview:

Changes to the GWS Browser UI include:

  • GRP-305 - data classification is an attribute of groups
  • GRP-415 - self-service opt-in/opt-out of group memberships
  • GRP-463 - 2-factor authentication (woot! a top vote-getter)
  • GRP-469 - link to UW online privacy statement and terms of use
  • new "S" shortcut to create subgroup from current group
  • also displays who's logged in, in the upper right corner

Changes to the GWS REST API include:

  • "v1" resources, representations, etc. are unchanged
  • new "v2" version number in resource URIs for new features
  • new version="version_no" attribute in "v2" group representations
  • new class="authnfactor" added to "v2" group representations
  • new class="classification" added to "v2" group representations
  • authnfactor values cannot be managed via REST API
  • classification values can be managed via REST API
  • new class="optins" and class="optouts" added to "v2" group reps
  • optins, optouts values can be managed via REST API

Known issues:

  • the bullets above may not be 100% on target/accurate/complete
  • API docs refer to an unimplemented "Security code" idea

Here are some brief notes about the primary feature additions above:

About GRP-305: much can be said about data classification, so I'll send a separate email (subject: "group data classification is an attribute").

About GRP-415 (opt-in/opt-out): group admins can specify people or groups who can add themselves to a group's membership, and/or remove themselves, without intervention by a member manager. This is implemented via new input fields labeled "People who can opt in" and "People who can opt out", with "join this group" and "leave this group" links for users to join/leave a group.

Note: this GRP-415 feature is the self-service version of another feature request, backlogged as GRP-167/GRP-168, which introduces additional request/approval workflow for joining/leaving a group. It currently has a low rank, but it might make a simple use case for integration between UW groups and the UW workflow service (coming in 2011-2012).

About GRP-463 (2-factor authentication): I'll summarize details in a separate email thread (subject: "2-factor authentication support").

Instructions:

To evaluate Groups 2.1.4 using real production groups, use this link:

https://iam-tools.u.washington.edu/group_ws/v1/

To evaluate Groups 2.1.4 using non-production throw-away groups, use:

https://urizen2.cac.washington.edu/test_ws/v1/

We'll schedule the release of these features based on your feedback.

Feedback can be posted back to group-discuss, to iam-support@uw.edu, or entered as bugs in our JIRA at https://jira.cac.washington.edu/browse/GRP

Have at it!

The June issue of InCommon News is available at https://spaces.internet2.edu/x/pYqKAQ

In This Issue:

  • June 15 IAM Online: Grab the Bronze and Silver Ring: Identity Assurance Progress
  • InCommon Supporting New Metadata Elements
  • CAMP Coming June 21-23: Registration Still Open
  • Shibboleth Workshops Slated for July 21-22 in Milwaukee
  • Steering Approves Refined Assurance Documents
  • Certificate Service Offers Client (Personal) Certificates
  • Legacy WAYF Decommissioning Planned for July 6
  • New Participants for June
  • Featured InCommon Affiliate: Aegis USA
  • Featured InCommon Affiliate: Unicon

New Participants:

  • Coppin State University
  • Santa Barbara City College
  • University of Miami
  • Benelogic
  • Washington Research Library Consortium