The Need For Identity Management
Identity Management (IdM) is a long-standing initiative in many organizations. APU's own Transparency Project was our first leap into this space, attempting to aggregate user management on several servers and services by deploying LDAP and giving our users a single set of credentials for most services. Married with the project were changes to the network and the deployment of our first portal to integrate access and interfaces to the most-used services. Some of the more advanced parts of IdM, such as provisioning (the automatic creation of accounts and services across multiple systems from a single interface or transaction), were moderately achieved with simple scripts.
Since then, through drivers from other projects, further steps have been made into IdM. We were able to move to Kerberos for authentication by adding our students to our Active Directory environment and having LDAP pass authentication through to a single source. This was far superior to any earlier password synchronization efforts, the result being that the majority of systems on campus now require our users to remember only one user name and password.
Another facet of IdM is enabling users to securely reset their passwords via a self-service mechanism, to increase worker productivity and reduce the time lost and resources spent by conventional means of verifying identity over the phone. The recent [Password Reset Project] will soon enable self-service password resets, and we will yet again be one step further along the IdM path.
Participation by several of our IMT staff in the Internet2 Middleware Initiative brought us to understand that we really had been ahead of the curve in addressing some of the major portions of IdM. Comparing our notes with these Higher Ed best practices confirmed that we had accomplished much, but also confirmed that there was much more to do. Passwords and usernames are only the tip of the iceberg.
IMT is greatly in need of a comprehensive Identity Management Initiative to address the complete Identity Life-cycle of our constituents. Knowing who our customers are, even as they change affiliations with the University over time, is essential to the success of our self-service initiatives. Furthermore, proper management of groups as they are reflected by the business processes of the university, as well as the grouping of customers by activity, is critical to enabling collaboration and knowledge management. This is the problem with IdM and other middleware efforts: they are the foundation on which so many other more visible initiatives depend (e-business, Enterprise Content Management (ECM), and distance education), but they are overwhelming in size, and it is hard to emphasize them as adding business value independently of those initiatives. So perhaps APU should continue to make advances with IdM as attached to other projects which demand it, but my theory is that a focused initiative will be required to address the business process change in how we manage our most critical data set, our people.

