Charlie Leonhart is leading off the morning with a discussion of identity management. He’s asking the crowd who’s running their first generation ID management system as opposed to a second- or third-generation system. Paul points out that their approach at MIT is more incremental, changing and adding to the original system every year, so it’s more of a maturing continuum rather than generations. Georgetown’s original ID management was a directory built for provisioning accounts in different systems.
RL Bob says that Internet 2 and MACE point to different products that handle this kind of thing, but there is no significant open source shared product in the space of core identity management and provisioning, as the institutions that have built these systems have done it in ways that are embedded so deeply in their systems that it’s hard to share.
Several people have used commercial products in their identity management – Indiana uses Microsoft’s identity management server, and it’s working very well. Brad thinks we need to get better at federated identity – maybe 2008 will be the year of federated identity. Gary says NYU uses Sun’s identity management products, because they didn’t want to have to build it themselves. Michigan is going to go with the Novell services because they didn’t want to build it themselves and the connectors to Peoplesoft and other systems were already there. Duke is also using Novell. Colorado is going with Sun. Georgetown has picked Oracle, primarily to automate feeds from backend systems and for provisioning and de-provisioning. De-provisioning is particularly challenging – the ability to do ubiquitous de-provisioning is important.
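The de-provisioning problem raised above is, in practice, a reconciliation problem: an authoritative registry says who is still affiliated, and every downstream system (directory, mail, library, card system) holds its own list of accounts that must be checked against it. The following Python sketch is an added example, not code from any of the institutions or products mentioned in these notes; the registry fields, the system names and the sample people are all constructed, and the grace period is an assumed policy knob.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set, Tuple

@dataclass(frozen=True)
class Person:
    """One row from the authoritative identity registry (hypothetical schema)."""
    netid: str
    active: bool
    separated_on: Optional[date] = None  # date affiliation ended, if any

# Constructed sample registry feed (e.g. nightly from HR/SIS).
REGISTRY: Dict[str, Person] = {
    "alice": Person("alice", active=True),
    "bob":   Person("bob",   active=False, separated_on=date(2008, 1, 15)),
    "carol": Person("carol", active=False, separated_on=date(2008, 3, 1)),
}

# Constructed account inventories pulled from each downstream system.
# 'mallory' and 'dave' have accounts but no registry record at all.
DOWNSTREAM: Dict[str, Set[str]] = {
    "active_directory": {"alice", "bob", "carol", "mallory"},
    "email":            {"alice", "bob"},
    "library":          {"alice", "carol", "dave"},
}

def deprovision_plan(registry: Dict[str, Person],
                     downstream: Dict[str, Set[str]],
                     today: date,
                     grace_days: int = 0) -> Dict[str, List[Tuple[str, str]]]:
    """Per system, list (netid, reason) pairs that should be disabled.

    Two cases are flagged: a person the registry marks inactive whose
    separation date is at least grace_days in the past, and an orphan
    account with no registry record at all (the usual sign that a feed
    or a manual process created something the registry never saw).
    """
    plan: Dict[str, List[Tuple[str, str]]] = {}
    for system, accounts in downstream.items():
        actions: List[Tuple[str, str]] = []
        for netid in sorted(accounts):
            person = registry.get(netid)
            if person is None:
                actions.append((netid, "orphan: no registry record"))
            elif not person.active and person.separated_on is not None \
                    and today - person.separated_on >= timedelta(days=grace_days):
                actions.append((netid, f"separated {person.separated_on.isoformat()}"))
        plan[system] = actions
    return plan

def lingering_accounts(registry: Dict[str, Person],
                       downstream: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """For every inactive person, which systems still hold an account.

    This is the 'ubiquitous' view: the check runs across all connected
    systems, so a person disabled in the directory but forgotten in the
    library system still shows up.
    """
    result: Dict[str, List[str]] = {}
    for netid, person in registry.items():
        if person.active:
            continue
        systems = sorted(s for s, accts in downstream.items() if netid in accts)
        if systems:
            result[netid] = systems
    return result

if __name__ == "__main__":
    for system, actions in deprovision_plan(REGISTRY, DOWNSTREAM, date(2008, 3, 5), grace_days=7).items():
        for netid, reason in actions:
            print(f"{system}: disable {netid} ({reason})")
    print("still provisioned somewhere:", lingering_accounts(REGISTRY, DOWNSTREAM))
```

With the constructed data and a 7-day grace period, bob is flagged in the directory and mail systems, carol (separated four days ago) is held back, and mallory and dave surface as orphans that no registry feed will ever clean up on its own. The orphan case is the one worth watching: accounts created outside the registry are exactly the ones a feed-driven de-provisioning process cannot reach.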
How much convergence is there with digital identity and physical ID control? At Chicago the card office has always been part of central IT, and they’re working on merging that system with the card system, and on a common system across the hospital and the campus.
How centralized is the process of creating identities – how many are taking feeds from departments to create identity? Tim says that at Harvard the issues are around SOA kinds of things – changes in data formats, scheduling, etc.
RL Bob says that we have a local community college that we share facilities with that needs NetIDs, and we are working with the Cancer Care Alliance who needs NetID. In both of those cases they run Active Directory and we’ve been using a federated approach, using Shibboleth – which raises some policy issues of what kinds of things they then might get access to.
At Stanford they’re setting up a guest account service. Bruce also notes that the owners of the Peoplesoft and Oracle systems are likely to start asking about what value the separate registries bring, instead of just using the purchased systems.
Klara talks about Duke needing to create the ability for affiliates to create accounts in a delegated fashion. Charlie characterizes this as the “Martian” user issue – visitors, people who come just for the day, etc. Michigan is setting up a sponsorship system where departments can set up temporary identities for visitors.
Brad says to look at the strategic issue, the University is not going to be a fortress any longer, but will need to be much more porous. He cites the issue of the library which was using access to a University digital identity as a surrogate for meaning “faculty, staff, or student” to grant access to subscriptions.
Tom is talking about people who are “non-affiliated patrons”, like those who have library privileges but no other connection to the institution. They’re creating a separate store of identities for these folks. It was much easier to not bring those back into the main identity store and deal with all the policy issues, etc.
Phil Long notes that business process has to precede identity management.
At Wisconsin they have a formal decision making body for identity management that reports to the Provost. Just this month that committee has announced that they’ll add two faculty members and student representation. Federated research has made this an academic as well as administrative issue.
Berkeley has a single-sign-on management model, but there’s not a good funding model – they’ve been considering some sort of identity-management tax on new system development projects.
At Georgetown they have a tax on all money transactions on their cards to fund the card office operations – 4% on internal purchases (like soda and candy machines, etc), more for external vendors (like local restaurants, etc).
Texas has multiple assurance levels of identity – for high assurance you have to show up in person with photo ID.