Identity and Access Management Services
OIT will establish a new department, Identity and Access Management Services, or IAM, on June 7.
Under the management of David Bantz, IAM will upgrade and expand the user authentication services in use at the University of Alaska, allowing easier access to online services both within and outside UA while safeguarding privacy and increasing security.
Identity and Access Management Services, working collaboratively with the IT departments at UAA, UAF and UAS, will deploy a true single sign-on solution for UA students, employees, and affiliates. Currently many programs and applications within the university system require their own login and password. For example, there are separate logins for legacy e-mail, UAOnline, Banner, ElluminateLive, VistaPlus, DegreeWorks, Google apps, Blackboard, Meeting Maker and network access, in part because those programs have all evolved one at a time. While the MyUA portal provides a convenient single access point to various accounts, it still relies on separately stored passwords and login information for each service. IAM's hope is that soon, using internationally recognized authentication standards, users will be able to log in and authenticate once on the UA system and reach resources both within UA and at external services based on that single login event, all without releasing passwords or unnecessary personal information to those services.
One of the keys to this process will be the middleware Shibboleth. According to its Web site, Shibboleth is standards-based, open source software for web single sign-on across or within organizational boundaries. It allows sites to make informed authorization decisions for individual access to protected online resources in a privacy-preserving manner. Shibboleth will sit on top of the EDIR data management system that UA already has in place; that means services relying on Shibboleth's privacy-preserving single sign-on will use your existing UA Username or identification number and the same password currently used by the MyUA portal, the Directory (EDIR), and the new Gmail accounts. Your password is checked only by UA's own login service, never by the external site you are signing in to. For more information about Shibboleth, or to view a demonstration, visit http://shibboleth.internet2.edu/about.html.
The other important development is UA participation in InCommon. On its Web site, InCommon is described as a formal federation of organizations focused on creating a common framework for collaborative trust in support of research and education. InCommon makes sharing protected online resources easier and safer. The InCommon federation supports user access to protected resources by allowing organizations to make access decisions based on a user's status and privileges as presented by the user's home organization. InCommon also preserves privacy, since the home institution controls which attributes are disclosed to which services. Information can be exchanged about authorized user access, without having to disclose the identity of the user unless both sides agree it's needed.
Hundreds of universities, corporations and government agencies are part of InCommon. Members of the federation can trust one another's credentials. A UA researcher, for example, can log in to the National Science Foundation, a member of InCommon, and the NSF can trust the validity of that person's status as a researcher affiliated with the University of Alaska. That person then avoids using multiple means of validating credentials. Through this system, thousands of websites can rely on the credentials managed by UA without UA sending passwords off campus and without those sites accumulating user information. For more information about InCommon and to see a list of participants visit http://www.incommonfederation.org/.
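The federated login described in the two paragraphs above has three properties worth seeing concretely: the password is checked only by the home institution, the service provider accepts an assertion only if it is signed by an identity provider listed in federation metadata and addressed to that service, and the home institution's release policy decides which attributes each service sees, with a per-service pseudonymous identifier so that services cannot correlate a user. The following Python model, written for this article and not code from Shibboleth, InCommon or UA, demonstrates those properties. All entity IDs, users, keys and the release policy are constructed sample data; a shared HMAC key stands in for the X.509 signing certificate that real federation metadata carries, so the example runs with the standard library alone.

```python
import hashlib
import hmac
import json

# --- Constructed sample data (not real UA, InCommon or Shibboleth values) ---

# Federation metadata: the SP trusts assertions only from IdPs listed here.
# Real InCommon metadata carries X.509 certificates; a shared HMAC key is a
# stand-in for the IdP's signing key so the example runs with the stdlib.
IDP_ENTITY_ID = "https://idp.example.edu/idp/shibboleth"
FEDERATION_METADATA = {IDP_ENTITY_ID: {"signing_key": b"demo-idp-signing-key"}}

# IdP-side user directory (stands in for EDIR). Passwords never leave it.
USER_DIRECTORY = {
    "jdoe": {
        "password": "correct horse battery",
        "eduPersonAffiliation": ["member", "faculty"],
        "displayName": "Jane Doe",
        "mail": "jdoe@example.edu",
    }
}

# Attribute release policy, modelled on Shibboleth's per-SP attribute filter:
# each relying party receives only the attributes listed for it.
RELEASE_POLICY = {
    "https://library.example.org/shibboleth": [
        "eduPersonAffiliation", "eduPersonTargetedID"],
    "https://hr.example.org/shibboleth": [
        "eduPersonAffiliation", "eduPersonTargetedID", "displayName", "mail"],
}

PERSISTENT_ID_SALT = b"per-deployment-secret-salt"  # assumed IdP secret


def sign(key, payload):
    """MAC over a canonical JSON encoding of the assertion body."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


class IdentityProvider:
    """Home organization: authenticates the user and issues signed assertions."""

    def __init__(self, entity_id, signing_key):
        self.entity_id = entity_id
        self.signing_key = signing_key

    def targeted_id(self, username, sp_entity_id):
        """Per-SP pseudonym: stable for one service, uncorrelatable across services."""
        material = PERSISTENT_ID_SALT + username.encode() + b"\0" + sp_entity_id.encode()
        return hashlib.sha256(material).hexdigest()[:32]

    def issue_assertion(self, username, password, sp_entity_id):
        """Check the password locally; return a signed assertion or None."""
        record = USER_DIRECTORY.get(username)
        if record is None or not hmac.compare_digest(record["password"], password):
            return None
        attrs = {}
        for name in RELEASE_POLICY.get(sp_entity_id, []):
            if name == "eduPersonTargetedID":
                attrs[name] = self.targeted_id(username, sp_entity_id)
            elif name in record:
                attrs[name] = record[name]
        payload = {"issuer": self.entity_id, "audience": sp_entity_id,
                   "attributes": attrs}
        return {"payload": payload, "signature": sign(self.signing_key, payload)}


class ServiceProvider:
    """Relying party: verifies the assertion and authorizes on affiliation."""

    def __init__(self, entity_id, metadata, required_affiliation):
        self.entity_id = entity_id
        self.metadata = metadata
        self.required_affiliation = required_affiliation

    def authorize(self, assertion):
        """Return (True, targeted_id) on success or (False, reason) on failure."""
        payload = assertion["payload"]
        idp = self.metadata.get(payload["issuer"])
        if idp is None:
            return False, "issuer not in federation metadata"
        if payload["audience"] != self.entity_id:
            return False, "assertion was issued for another service"
        if not hmac.compare_digest(sign(idp["signing_key"], payload),
                                   assertion["signature"]):
            return False, "signature does not verify"
        affiliations = payload["attributes"].get("eduPersonAffiliation", [])
        if self.required_affiliation not in affiliations:
            return False, "affiliation not sufficient"
        return True, payload["attributes"]["eduPersonTargetedID"]


if __name__ == "__main__":
    idp = IdentityProvider(IDP_ENTITY_ID, FEDERATION_METADATA[IDP_ENTITY_ID]["signing_key"])
    library = ServiceProvider("https://library.example.org/shibboleth",
                              FEDERATION_METADATA, "member")
    assertion = idp.issue_assertion("jdoe", "correct horse battery", library.entity_id)
    print("library sees:", sorted(assertion["payload"]["attributes"]))
    print("library decision:", library.authorize(assertion))
```

The library service never receives the password, the display name or the e-mail address, only the affiliation and a pseudonym; the HR service, which the policy treats as needing more, gets a different pseudonym alongside the extra attributes. An assertion issued for one service is rejected by another on the audience check, and any edit to the released attributes breaks the signature, which is why the federation's trust rests on the signing keys published in its metadata rather than on anything the user supplies.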
The University of Alaska is currently in the process of joining InCommon. A consultant from the University of Texas system will arrive in early July to assist with UA's implementation of Shibboleth. A new lead programming position within IAM will be filled through OIT reallocation. In an on-going process, OIT will upgrade and migrate systems to use single sign-on, privacy-preserving authentication. It is possible that as early as this fall some of the benefits, such as access to iTunes U, scholarly databases, Microsoft Dreamspark and the National Student Clearinghouse, will be available using your UA Username or ID number and UA password.
For more information contact David Bantz, 450-8314 or firstname.lastname@example.org.