
09 06 11+Iam+In+Lan

Date post: 28-Jul-2015
Upload: aorakinet
Identity and Access Management in the LAN Scoping Exercise Report 11 June 2009

Identity and Access Management in the LAN

Scoping Exercise Report

11 June 2009

Objective

To identify current practice regarding the management of user identities and application access on the LAN, so as to assist with selecting and defining standards aimed at making effective IAM more readily achievable for more schools

Clarified aspects for discussion

1. The need for a single set of login credentials with associated user attributes

2. The need to streamline the process by which network directory user accounts are created and managed within the LAN

Long term goal

Single sign on to all MLE associated applications regardless of where they reside

Information sources

Edtech’s own knowledge base as a school specialist network integrator

Open response survey via the MLE group

Community priorities

#1 priority for users to have a single set of credentials to remember

Secondary requirements

Ability to differentiate between multiple services/apps without credential re-entry (SSO)

The login to allow for different roles in different apps

School control – the ability to tailor the front end user experience

Directory systems

[Chart: Directory System Used to Manage User Authentication by School Type. Categories: Novell E-Directory; Windows Active Directory; Macintosh Open Directory; SmartNet OpenLDAP directory; Other OpenLDAP directory; Windows AD and Macintosh OD. Axis: 0% to 90%. Series: Secondary/Area Schools; Primary/Intermediate Schools.]

Methods of directory population

[Chart: Directory Population at the Start of Each Year. Axis: 0% to 80%. Series: All School Types; Primary and Intermediate; Secondary & Area.]

Groups/Roles

[Chart: Common Role Oriented Groups Utilised Within the Central Directory (used by more than 4% of respondents). Categories: Student or students; Teacher or teachers; Office or office staff; Staff; Senior management / leadership; Administrator; Admin; Support staff; Network/Domain Administration; Groups for each student year level; Library; Administration; Principal; Student teachers. Axis: 0% to 90%. Series: All school types; Secondary/Area Schools; Primary/Intermediate Schools.]

Participating applications

Applications for which single sign on would be advantageous:

SMS

LMS

Library systems

AsTTle

Discussion

1. The need for a single set of login credentials with associated user attributes

2. The need to streamline the process by which network directory user accounts are created and managed within the LAN

The need for a single set of login credentials

Priorities

Single username and password used wherever needed on the LAN

Single entry of credentials

Single active session – single simultaneous login

User attributes associated with credentials for customised role based access

The need for a single set of login credentials

Implementation Options

Direct authentication

Federated authentication

Synchronisation of credentials

The need to streamline the management of user accounts

Recommendations

Common location for school staff data to be defined.

A decision as to the authoritative source of student user accounts

Definition of a simple role based attribute schema so as to distinguish users at login

Possible provision of directory specific tools for creating and managing user accounts to reduce the current administrative workload.

