IAM for the UH Extended Community

The purpose of this discussion is to better understand whether there is an opportunity to create a centralized tool for managing populations that represent our extended UH community, and to determine what the benefits of centralized management might be. Some authorization schemas may not be feasible to centralize; instead, a pass-through method should be provided for local rights management.

Editors of this discussion are welcome to add new sections, new details to existing sections, etc.

Primary Drivers

The primary drivers for this discussion are:

  1. Driver 1: the need to allow members of our extended UH community to authenticate online via UH centralized authentication services such as the UH Web Login Service.
    • There are many circumstances where it is not appropriate to issue a UH Username and UH Number, such as those processes that weakly vet an individual's identity.
    • A separate unique identifier that has no intention of being the single identifier issued to a person is needed.
  2. Driver 2: the need to provide extended UH community members with identifiers that can be used to issue and control campus cards for guests and visitors.
    • Cards are issued to extended UH community members to allow them to manually verify authorization to utilize select services, like book borrowing. These cards have a bar code assigned to them that identifies to whom the card was issued.
    • All campuses issue these kinds of cards (or is it many? most?). Centrally coordinating the assignment of unique identifiers would simplify administration and create a larger context that would increase the utility of campus cards across the system.

Terminology

  • automatic groups - Some institutional groups can be automatically established and updated daily, for example: faculty@manoa, staff@uhsystem, students (across all campuses), etc.
  • Middleware - Software that aggregates information available from disparate administrative systems (a narrow definition that meets our needs for this discussion).
  • UHIMS - The UH Identity Management System. This "middleware" keeps track of everyone officially affiliated with UH by receiving salient data about people from the various UH administrative systems.
  • Special Population - a group of individuals affiliated with the university, but not tracked by Banner, PeopleSoft, etc. and not presently (circa 2013) known to UHIMS.
  • VIA - The Visitor Internet Access application that allows faculty and staff to grant visitors temporary credentials (username and password) that can be used to access UH Manoa and other campus wireless networks.  These temporary credentials can be used for authentication to other select online services.
  • Visitors - Someone on a campus who is not directly affiliated with UH, but to whom we would like to provide specific services.

Use-Cases

  • Authorization Guests
    • Currently a person must have a UH account in order to be authorized to perform any UH services.  The higher ed community is working on providing a technical solution for proxying authorizations such that non-UH credentials can be utilized to perform limited functions.  For example, a UH student could invite her mom to pay her tuition on her behalf.  Mom would receive an emailed invitation to her, say, LinkedIn account.  Mom could then use her LinkedIn credentials to authenticate to the UH service that would allow her to pay her daughter's tuition.
  • Conference attendees
    • possibly candidates for VIA program in conjunction with local authorization schemes
  • Consultants
    • Consultants may be hired to install software on University infrastructure and require shell access, MFA, etc.
    • VIA does not provide enough functionality to allow for the provisioning of shell access, etc.
  • Job applicants
  • Non-credit students
    • When asked, the ITS Help Desk assists with issuing UH Numbers and avoiding duplications.
    • Non-credit students are assigned a role@affiliation of "other@campus" where the "campus" reflects the campus code (see Organization Unit) of the campus with which the student is affiliated.
  • Other department sponsorships - UCLA, UISFL, Infusion Institute (sponsorship with East West Center and Dept of Philosophy), Senior Citizen programs (all campuses), Visiting Colleagues, etc.  Some of these courses may last a week or two.
    • The ITS Help Desk assists with issuing UH Numbers; identity verification should be done by the sponsoring department.
  • Outreach College (non credit classes, eg Dongnam University)
    • (see "non-credit students" above)
  • Parents
    • The future Parent Portal will allow "parents" or whomever is willing to pay tuition on behalf of a student to access the Parent Portal and make payment. The "parent's" email address becomes their "username" and a password is generated and emailed to them.
  • Post-Doctoral Students - non UH
    • possibly candidates for VIA program in conjunction with local authorization schemes
  • Prospective students
  • Registered Independent Organization (RIOs)
    • One or more individuals can be associated with a Departmental/Organizational UH Username established for an RIO.
    • Many individuals can be considered members of an RIO.
  • Research Scholars - non UH
    • possibly candidates for VIA program in conjunction with local authorization schemes
  • Spouse
    • Spouse living with a dorm student.
  • SCVP, Senior Citizen Visitor Program through the SEED Office (Manoa)
    • SCVP participants are treated like "UH departmental affiliates" and would be entered as "other@uhm".  The ITS Help Desk assists with issuing UH Numbers and avoiding duplications.  SEED handles identity vetting.
  • UH Casual Hires that do not have a UH Username
    • They are authorized to access the UH Online Paystub application.
    • Since they are entered via PeopleSoft, they are able to create a UH Username for themselves.
  • UHF Employees
    • There are select UH services that would benefit from allowing them to authenticate with their UHF credentials.
    • The known use-case is Laulima, since the Security Awareness Training certification modules are hosted there.
  • UHM Campus Center HELP students
    • Eligible for a OneCard; the ITS Help Desk assists with issuing UH Numbers and avoiding duplications.  HELP handles identity vetting.
    • The Hawaii English Language Program (HELP) sends the ITS Help Desk a student list to add manually 2-3 times a semester (based on their program sessions). Anywhere from 30-100 names are provided at one time.
      • If HELP students also obtain Manoa "guest" ID cards, then it appears they will always be entered twice, once by Help Desk, and once by the ID office?
    • HELP students are assigned a role@affiliation of "other@uhm"
  • UHM Campus Center NICE students
    • Eligible for a OneCard; a unique identification number will be required instead of a UH Number (to be determined).
    • Currently NICE students are entered into VIA for authentication purposes.
  • UHM Hamilton Library Community Borrowers
    • Members of the general community may obtain from the library a library card.
      • According to their website, it appears they require a "formal" photo ID, though they include an ID card of questionable reliability (Kingdom of Hawaii ID).
    • Data Elements
  • VIA Users
    • The Visitor Internet Access application allows faculty/staff to authorize visitors to utilize our wireless network. The visitor's email address becomes their "username" and a password is generated and emailed to them.
    • VIA Users can be granted additional rights locally through the use of secondary registration at a unit LDAP server (and authenticate, e.g., through pass-through authentication or similar methods).
    • VIA Users can authenticate through the UH Web Login Service and to the campus wireless network.
  • Visiting Colleagues
    • Upon request, a visiting colleague may be treated just like departmental affiliates and would be entered as "other@<campus>" for whatever duration of time the sponsoring department requests, up to one year.
  • Consultants
    • Need to sign the GCN and related acknowledgements.
    • May need access to shell accounts depending on the statement of work.
    • Need to be able to easily and quickly revoke all access.

Unique Identifiers

These are the unique identifiers that have been or will be used on campus ID cards and OneCards. Each entry lists the LDAP attribute, the identifier's system of record, its format, an example, and notes. Dashes in the examples are for readability only and are never stored as data.

  • UH Number
    • LDAP attribute: uhUuid
    • System of record: UHIMS
    • Format: 8 digits
    • Example: 1234-2234
    • Notes: One UH Number is issued to each person officially associated with UH. The last digit is a check digit. See below for the planned 12-digit future format for the UH Number.
  • UH Libraries identifier
    • LDAP attribute: n/a
    • System of record: UH Libraries
    • Format: 10 digits
    • Notes: Used for issuing community library cards.
  • Unique Identification Number (UIN)
    • LDAP attribute: uin (proposed)
    • System of record: UHIMS (planned)
    • Format: 11 digits
    • Example: 12322-34323-4
    • Notes: A single person may end up with more than one UIN in some circumstances due to weak identity vetting. Define an output mask that helps prevent it from being confused with the UH Number.
  • UH Number (future)
    • LDAP attribute: uhUuid
    • System of record: UHIMS
    • Format: 12 digits
    • Example: 1234-2234-3234
    • Notes: One UH Number is issued to each person officially associated with UH. The last digit is a check digit.

Issues

  • Could a UIN be issued to someone that has a UH Number?
    • Yes. If the identity vetting process does not meet the requirements for issuing a UH Number, a UIN may instead be issued in certain circumstances, to avoid the potential for social engineering and inappropriate access.
  • Identity vetting for Special Populations
    • Creating duplicate identities is an issue that should be mitigated, to the degree possible.  But it must be understood that duplication is unavoidable and should be considered a normal occurrence.
    • Identifying the Level of Assurance associated with the vetting process.
    • Identifying the relevant attributes and the methods to be used for vetting each of them.  Attributes could include:
      • Name
      • Address
      • Phone Number
      • Email Address
      • Country, State, passport or Driver's License Number and notes on which agency issued the number
  • Limitations of UH Number for Special Populations
    • The UH Number is by definition assigned one per person. For Special Populations with weak identity vetting, ensuring one UH Number per person cannot be done with reasonable accuracy.
    • Special populations should instead be assigned a Unique Identification Number (UIN).
      • The UIN needs to be useful as an alternative to the UH Number. The OneCard project has established that the UIN must be numeric and not alphanumeric.
      • The UIN needs to be easily distinguishable from the UH Number.
        • IAM is recommending an 11-digit number; 8- and 12-digit numbers are reserved for the UH Number formats, and 9 digits are reserved for SSNs.
  • Support
    • Access to services often entails some level of support.
    • Ideally, a visitor is sponsored by a member of the UH community, or a department or staff office, and support falls back to the sponsor.
    • Self-service tools can reduce support requirements. For example, a visitor provides a personal email account and requests a password reset. It would be sent to her email account.
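
As an added example (not code from this page or from the UH IAM group), the following Python applies the identifier rules from the Unique Identifiers section and the Limitations issue above: dashes are stripped before storage, the digit count decides the identifier class with 9-digit values rejected as SSN-reserved, and each class gets its own output mask so a UIN cannot be read as a UH Number. The check-digit routine uses Luhn mod 10 purely as a stand-in, since the page does not state which algorithm UH uses for the UH Number's last digit.

```python
import re

# Digit count -> identifier class, per this page: 8 and 12 digits are UH Number
# formats, 11 digits is the proposed UIN, and 9 digits is reserved for SSNs.
IDENTIFIER_CLASSES = {8: "UH Number", 11: "UIN", 12: "UH Number (future)"}

# Output masks (digit group sizes) taken from the page's examples; the 5-5-1
# UIN mask keeps it from being read as a UH Number.
OUTPUT_MASKS = {8: (4, 4), 11: (5, 5, 1), 12: (4, 4, 4)}


def normalize(raw: str) -> str:
    """Strip dashes and whitespace; dashes are display-only and never stored."""
    digits = re.sub(r"[-\s]", "", raw)
    if not digits.isdigit():
        raise ValueError(f"identifier must be numeric: {raw!r}")
    return digits


def classify(raw: str) -> str:
    """Return the identifier class for a raw value, rejecting reserved lengths."""
    digits = normalize(raw)
    if len(digits) == 9:
        raise ValueError("9-digit values are reserved for SSNs, not campus identifiers")
    if len(digits) not in IDENTIFIER_CLASSES:
        raise ValueError(f"no identifier format has {len(digits)} digits")
    return IDENTIFIER_CLASSES[len(digits)]


def display(raw: str) -> str:
    """Render stored digits with the output mask for their class."""
    digits = normalize(raw)
    classify(digits)  # raises on reserved or unknown lengths
    groups, pos = [], 0
    for size in OUTPUT_MASKS[len(digits)]:
        groups.append(digits[pos:pos + size])
        pos += size
    return "-".join(groups)


def check_digit_ok(raw: str) -> bool:
    """Placeholder check-digit test (Luhn mod 10); the page does not say which
    algorithm UH actually uses for the UH Number's last digit."""
    total = 0
    for i, ch in enumerate(reversed(normalize(raw))):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0
```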

Specifications

  • Members of Special Populations may require one or more of the following:
    • UH Number
    • UH Username
    • Unique Identification Number, instead of a UH Number
    • Identification of the department, staff office or program that is responsible for membership in a select special population.
    • UH Email service
    • UH Online Paystub service
    • Parent Portal service
    • Authentication to the wireless network
    • Authentication via the UH Web Login Services (CAS and Shib)
    • Inclusion in Grouper groups
    • Provisioning of a OneCard
    • Access to library resources
  • Life Cycle considerations:
    • As individuals change roles, they may transition into a standard population, which may or may not allow them to also be viewed as a special population.
    • For some special populations the life cycle is tied to the life cycle of the sponsor to which a member of the special population is tied.  For example, the student that invites the parent to join the special population will determine the life cycle of the parent account.
  • Administrative Tools for Special Populations
    • Requesting creation of a Special Population
    • Tools for manually adding and removing people from a Special Population
    • Tools for identifying life-cycle triggers, especially regarding termination
    • Tools for warning admins when an important affiliation changes, especially regarding termination

References

  • Internet2 External Identities working group report