Keystone Integration


Quick View
Summary: 

Part two of the BitKOO/Keystone project will focus on integrating the identity management, authentication and authorization solution, Keystone, into the ASU IT infrastructure. The goal for the Keystone deployment is to extend beyond the walls of UTO. With the mindset of "The Concept of One", Keystone implementation is projected for colleges and departments throughout the university, thus providing a standardized means of authentication, authorization, and identity management.

Current interested parties include the WP Carey School of Business and The BioDesign Institute. In addition, the streamlining of standard business processes will be realized through the use of Keystone's dynamic rule set for Role-Based Access Control (RBAC). Latency for processes such as provisioning and granting access to accounts and services will be reduced, resulting in a noticeable reduction in the costs associated with non-productive hours spent waiting to acquire proper role permissions.

An added benefit of BitKOO's Keystone product is the implementation of a proof-of-concept (POC) for Single Sign-On (SSO) functionality. This POC will allow users to present their credentials once and gain access to CAS, Citrix, and Outlook Web Access (OWA). With successful implementation of the POC, future applications such as SharePoint will also be able to gain SSO functionality via Keystone.

Start Date: 
March 30, 2009
Go Live: 
January 29, 2010
End Date: 
January 29, 2010
Current Milestone: 
September 4th: Assessment of BitKOO deliverables
Stage: 
On hold
People
Sponsor/Champion: 
Adrian Sannier, Vice President and University Technology Officer
Project Manager: 
Nancy Biro
Contact for more information: 
Nancy.Ma@asu.edu
Associate VP University Technology: 
Scott Banks
More Info
Source: 
Internal
Priority: 
High
Scope: 

As the second half of the project "BitKOO Strategic Alliance", the identity management (IdM) solution, Keystone, is to be integrated with the ASU infrastructure. The vision for Keystone is to give the university's IT services an industry-recognized means of enforcing appropriate identity, access, management and administration policy. With regard to the University's strategic objectives, IT is a key enabler. The IdM project will enable many of the strategic imperatives:

  • Engaging in world-class research and securing future research funding will be strongly linked to our ability to participate in a federated model for collaborative research;
  • Improved accessibility to resources will improve the students’ learning experience at ASU;
  • Streamlined access to services not only within but also from outside ASU will enhance the sense of community, benefit community relations and contribute to making ASU an institution of choice for students and staff in an increasingly competitive higher education landscape;
  • Reducing costs of licensing and administration will contribute to the financial and sustainability agenda.

In addition, this IdM solution can be leveraged to manage access to other university services and facilities (e.g. library services, buildings) more effectively, while extending ASU's ability to establish identity and access management processes across ASU and to provide unified, consistent and standard business processes and technology to support an individual's relationship with ASU.

The mechanisms that serve identity and access management of IT services can also be

With the IT infrastructure and business changes around the unified ASU now complete, the foundation is in place for the next step in identity management at ASU. With buy-in from departments, colleges, and university-associated institutions, the need for more streamlined processes, and the support of strategic objectives, the goal of a university-wide, technologically advanced identity management capability will be realized.

Objectives:

The high level project objectives described below fall in the following main areas of focus:

  • User/account provisioning and de-provisioning
  • Full and granular access control over and above EDNA's current capabilities
  • Access control/management
  • Wider application of Single Sign-On
  • Password/authentication management
  • Alignment with a federated model as an enabler for research collaboration

Single Sign On POC:

A standard username and password credential set has been in use at ASU for a number of years in the form of ASURITE. UTO has gradually increased the range of services that use EDNA as the authentication mechanism for permitting a user access to a service or resource. Where possible, and usually as part of the natural upgrade cycle, university applications have been migrated to this same sign-on mechanism in place of local proprietary methods, each of which carried its own maintenance overhead.

With the implementation of BitKOO, UTO can extend the common sign-on scenario by creating mechanisms for credentials to be safely passed from one application to another, so that students and faculty who access these services need to present their credentials only once.

With extended Single Sign-On comes increased risk to data should the "master key" be compromised. However, this project will allow for raising levels of assurance in applications that currently may not have strong authentication built in, by strengthening the authentication mechanisms for Single Sign-On through the use of more than one factor of authentication. Hence, this project will also implement an appropriate strategy for password/authentication management in terms of type, format, refresh, etc.

Currently, inconsistencies exist in user/account provisioning and de-provisioning. For instance, variable delays are experienced before a new staff member is provisioned with an ASURITE ID and access to basic networked services (e.g. email, My Documents, file shares, printing, internet). Also, much of this process is manually driven for staff through the use of forms and other mechanisms. There are also inconsistencies in the types of ASURITE IDs provisioned. This project aims to streamline this process and introduce automation, ultimately managed through a single self-service application for the majority of cases.

All Milestones and Schedule: 

BitKOO SSO Proof of Concept: Completed

  • Incorporation of Citrix 
    • David Hurt
  • Incorporation of OWA (Outlook Web Access) 
    • Paul Harper, Annette Aquino, Eric Kotler
  • Incorporation of CAS (Central Authentication Service) 

Keystone Integration with Applications:

  • Review of UTO Directories and possible project - to be met by 8/31/09
  • Assessment of BitKOO deliverables – To be met by 09/04/09
    • provisioning manager
    • Kerberos DAL
  • Start discussions with developers from WPCarey, BioDesign, and any other College/Department for web application integration with Keystone – To be met by 07/5/09 – In Progress
    • WPCarey - Cold Fusion: Mary Silva
    • BioDesign - Ruby/Rails: Greggory Turnbull
  • Move UTO web applications behind Keystone – To be met by 10/31/09
  • Complete Keystone Integration with ASU IT Infrastructure - To be met by 01/29/10 

BitKOO Provisioning Manager:

  • Develop Plan for inventory of services – To be met by 06/10/09
    • To be completed by Derwin Skipp, Nancy Biro, and BitKOO
  • Status of BitKOO Provisioning Manager Beta/Alpha – To be met by 06/17/09
    • To be delivered by BitKOO
  • Deliver VM for BitKOO Provisioning Manager - To be met by 6/17/09
  • Start wiring services using BitKOO Provisioning Manager – To be met by 07/01/09
  • Start wiring RBAC into BitKOO Provisioning Manager – To be met by 07/01/09
  • Move all responsibilities of EDNA web services to BitKOO Provisioning Manager – To be met by 11/01/09

Deliverables: 

This project embraces the business processes and technology associated with the following functions that support an individual’s or entity’s relationship with ASU:

• Identification – pre-assigning an identifier to an entity

• Authentication – validating that an entity presenting an identifier is the one to which the identifier was originally assigned

• Authorization – ensuring that the entity is granted access only to the services and data required to support its allowed tasks

• Accountability – ensuring that only the authorized entity can exercise its individual authority

Risks & Threats: 

Factors identified to date that may inhibit or restrict project delivery include the following:

• Project progress will be constrained by the availability of resources designated wholly or in part to project tasks. Any discontinuity in this regard will impact project delivery, as there is anticipated to be limited ability to compensate for resource unavailability.

• Existing components of the current IdM architecture may restrict project delivery in some way, particularly in terms of the starting point. These include:

• The ASURITE and EDNA identifiers and their associated supporting management tools, which are well established for staff, students and associates and are embedded in a number of existing processes

• The directory service for authentication/authorization, which is currently not an established enterprise directory service and is most likely to remain so, at least for file and print services.
