IAM Services Overview

The University of Hawaii provides centralized enterprise resources for authentication, including federated authentication, and authorization services. These services are based on the UH Identity Management System (UHIMS).

UHIMS collects and consolidates information about each person associated with the University, establishes a unique identifier for each person, and makes that information available to authorized systems. Members of the University community occupy and traverse many roles and can be associated with one or more campuses at any time. UHIMS has connectors to the University's business applications so that it can track a person's current affiliation(s) with the University and its campuses. The information gathered by UHIMS is retained in a Person Registry and published to LDAP and AD as needed for authentication and access management.

Online academic and business applications can securely authenticate and authorize members of the University community who intend to utilize University provided or sanctioned online resources.

Enterprise Middleware, Identity and Access Management (IAM)

Mission Statement

Provide, support and advocate authentication, authorization and related middleware solutions for securing UH online services, resources and information.

Services

  • UHIMS - University of Hawaii Identity Management System
    • Metadirectory/Person Registry with data from:
      • Banner
      • PeopleSoft
      • RCUH
      • WPMS - White Pages Management System
    • Provisions person information for the following services:
      • Banner - Provides the UH Number (aka Student Id number).
      • Core LDAP - For authentication and directory services.
      • Email and Google@UH Services
      • Grouper - UHIMS Automatic Groups populated by role, campus, etc.
      • LISTSERV (automated subscriptions lifecycle for affiliation-based mailing lists)
      • PeopleSoft HR - Provides the UH Number (aka Employee Id) through a manual process utilizing UHIMC.
      • UH Manoa Campus Center OneCard System (BlackBoard)
      • UNIX shell/Personal Home Pages
    • Provides the following web services for application developers:
      • Core LDAP Web Service (for ACER and VIA)
      • UHIMS Web Service (for name changes, password resets, etc.)
    • Provides the following audit functions
      • Google@UH Email Audit Utility - facilitates UH responses to legal requests for email account information.
    • Utilizes internal components
      • Roles and affiliation management subsystem
      • Email notification subsystem
    • Utilizes external components
      • RabbitMQ Message Broker
  • Identity Administrative Applications:
    • UHIMC - UH Identity Management Console
    • UHIMS Shell (bmt) - Administrative command-line interface to UHIMS and to the identity/access management tools for the various ERPs.
    • UHIMS Web Service - The UHIMS Web Services provide an API that exposes common UHIMS functions. It is currently being overhauled to make it RESTful and to formalize the ACLs.
  • Community Applications/Services:
    • ACER - UH Acknowledgements and Certifications Self Service - ACER allows individuals to view and review acknowledgements and certifications.
    • Business Critical Applications registration - community members can identify their business critical applications for improved communications and coordination.
    • CAS - UH Web Login Service
    • IAM Self Service functions - UH Username creation and forgotten password assistance.
    • MFA - Multi-factor Authentication (Duo Security Hosted Service)
    • Shibboleth IdP - The UH Shibboleth Identity Provider (UH IdP) provides federated authentication to external Service Providers, such as Google, research.com, internet2.edu, educause.edu, etc.
    • Targeted Termination Reports - if you identify a cohort, we can keep you informed of who has changed appointments, etc.
    • UH Groupings - The UH Groupings Administration and Provisioning Service provides a standard Role Based Access Control solution for application authorization and for lifecycle-enhanced, automated provisioning of LISTSERV lists, etc.
    • UHIMS Home Directory Management Tools - Manage UHUNIX-based home directories for users' web sites and application development space.
    • UHIMS SSO Server - username services support
    • WPMS - White Pages Management System
  • Enterprise Middleware Applications:
    • UH Directory Services (LDAP) - Enterprise Authentication and Directory Services, based on the Red Hat Directory Server (formerly known as 389DS).
    • UH Grouper - Enterprise access management system. Organizes individuals according to their multiple representative groups, where groups imply roles and roles imply entitlements.
    • UH Message Broker - Enterprise Message Broker, based on RabbitMQ.
    • UHIMS Events - UHIMS Events publishes UHIMS Person Registry updates. Consumer applications can subscribe to UHIMS Events, for example to detect terminations and automatically deprovision access authorizations.
    • UHIMS Views - UHIMS Views provides access to data in the UHIMS Person Registry, as well as to person information, such as home address data, held in select Systems of Record. UHIMS Views can also be used to crosswalk between UH Username and UH Number.

Support

  • ITS Security Group Support
    • Assist the Security Group with audits and Gmail extractions.
    • Google@UH Audit - Google Email Audit utility
  • UH Data Governance Support
    • Assist Data Governance committee with requests that impact authorization and authentication.
  • Community and Developer Support (last, but not least)
    • Help other departments leverage ITS middleware infrastructure, especially our Identity Management infrastructure.
    • Shibboleth Service Provider integrations.
    • CAS URL registrations.
    • UH Groupings requests.
    • Message Broker requests.
    • Facilitate the periodic UH Applications Developers meeting:
      • Provide UH developers the opportunity to be involved very early in the conceptualization and initial design of new projects.
      • Keep developers abreast of the status of projects that may be beneficial or otherwise impact them.
      • Provide developers an opportunity for early access to new technologies.
      • Provide developers with boot camps and hands on experience with technologies deployed by the IAM group.
      • Share ITS applications development best practices.
      • Share IT security, cyber-infrastructure, data governance and other related UH and ITS initiatives.

Ecosystem Diagram