Page 1

Wikipedia says… “Single Sign On (SSO) is a property of access control of multiple, related, but independent software systems. With this property a user logs in once and gains access to all systems without being prompted to log in again at each of them.”

Page 2

• Reduce password fatigue
• Reduce time spent re-entering passwords
• Abstract authentication from systems
• Lower calls to Help Desk about passwords
• Centralized reporting for compliance
• Can rationalize multiple authentication methods
• Improved interaction with 3rd Party

Page 3

• True Single Sign On is often hard to accomplish
• “Keys to the castle”
• High Availability becomes the new IdM buzzword (well, one of them)

Page 4

• Jasig CAS
• CoSign
• Kerberos
• OpenSSO
• JOSSO
• Shibboleth

Page 5

• What protocol do they use?
• What kind of “clients” do they have?
• Features:
  – Opt out of Single Sign On
  – Management
  – Monitoring
  – High Availability / Scalability
  – Flexibility
  – “ClearPass”
• Deployment/Maintainability

Page 6

• It’s easy! (relatively)
• Assumes you’ve already solved your ID problem
• It’s a “big” win
• Highly visible
• Oh, and all that stuff listed under Benefits

Page 7

• Documentation!
• Present, Present, Present! (Education)
• A Compelling Reason
  – Features
  – Ease-of-Use
  – Auditing
  – Superior User Experience
• Support It!
• Strong Arm (not a pleasant experience)

Page 8

Goes well with…
• Self-Password Reset/Change
• Lookup Id
• Profile
• User Education
• Help Desk Support
• Trusted SSL Certificates

Page 9

Single Sign Out

OpenID – decentralized authentication system

Federation

Facebook Connect - API to let user log in via Facebook

InfoCards -

Page 10

Rolling out an SSO will raise some of the following questions/concerns:
* We can’t use SSO because it doesn’t support all types of guests easily
* What’s your SLA? Why does it take so long to get an ID?
* What about access control?
* What is the password policy? What’s the identifier usage policy?

Page 13

(but it sucks!)

Page 14

• Store identity data about your people
• Reconciles different versions
• Makes (usually) intelligent choices
• Helps feed other systems
  – Directory builder
  – Provisioning
  – Reporting

Page 15

• Not too many!
• Very few higher education options
• Most non-Higher Education ones don’t get “higher ed”
  ▪ Multiple sources for a person
  ▪ Multiple possible hierarchies
  ▪ Every university is (slightly) different

Page 16

What is OpenRegistry? OpenRegistry is an Open Source Identity Management System (IDMS). It's a place for data about people affiliated with your organization.

Core Functionality
• Interfaces for web, batch, and real-time data transfer
• Identity data store
• Identity reconciliation from multiple systems of record
• Identifier assignment for new, unique individuals

Additional Functionality
• Data beyond Persons: Groups, Courses, Credentials, Accounts
• Business Rule based data transformations
• More than just a Registry, some periphery too
  – Directory Builder
  – Provisioning and Deprovisioning
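As an added illustration of the two core steps listed above, identity reconciliation from multiple systems of record and identifier assignment for new individuals, here is a small registry sketch (example code, not OpenRegistry's own; the record fields, the match rules, the identifier format and the sample feed are all assumptions):

```python
# Added example, not OpenRegistry code. Records from several systems of record
# are matched on a strong key (a national id, when a source supplies one) and
# otherwise on normalized name + date of birth; matches merge under the
# existing registry identifier, non-matches receive a new, unique one.
from dataclasses import dataclass
import itertools
import unicodedata

@dataclass
class Record:
    source: str            # system of record, e.g. "hr" or "sis" (assumed names)
    source_id: str         # that system's own identifier for the person
    given: str
    family: str
    dob: str               # ISO date, YYYY-MM-DD
    national_id: str = ""  # strong identifier, empty when the source lacks it

def _norm(s: str) -> str:
    """Fold case and strip accents/whitespace so 'Émile ' and 'emile' compare equal."""
    s = unicodedata.normalize("NFKD", s)
    return "".join(c for c in s if not unicodedata.combining(c)).strip().casefold()

class Registry:
    def __init__(self) -> None:
        self._seq = itertools.count(1)
        self.people: dict[str, dict] = {}    # registry id -> merged person
        self._strong: dict[str, str] = {}    # national_id -> registry id
        self._weak: dict[tuple, str] = {}    # (given, family, dob) -> registry id

    def reconcile(self, rec: Record) -> str:
        """Return the registry id for this record, creating one if nobody matches."""
        weak = (_norm(rec.given), _norm(rec.family), rec.dob)
        rid = self._strong.get(rec.national_id) if rec.national_id else None
        if rid is None:                      # fall back to name + date of birth
            rid = self._weak.get(weak)
        if rid is None:                      # no match: a new, unique individual
            rid = f"reg-{next(self._seq):06d}"   # assumed identifier format
            self.people[rid] = {"given": rec.given, "family": rec.family,
                                "dob": rec.dob, "sources": {}}
        person = self.people[rid]
        person["sources"][rec.source] = rec.source_id  # track every system of record
        if rec.national_id:                  # learn the strong key for later matches
            person["national_id"] = rec.national_id
            self._strong[rec.national_id] = rid
        self._weak.setdefault(weak, rid)
        return rid

def demo() -> dict[str, str]:
    """Constructed feed: HR and SIS both describe Émile; the third record is someone else."""
    reg = Registry()
    feed = [Record("hr", "H1001", "Émile", "Durand", "1990-04-02", national_id="NID-77"),
            Record("sis", "S55", "emile ", "DURAND", "1990-04-02"),
            Record("sis", "S56", "Emile", "Durand", "1988-11-30")]
    return {f"{r.source}:{r.source_id}": reg.reconcile(r) for r in feed}
```

Matching on name and date of birth alone will occasionally merge two distinct people, which is why a real registry keeps the source identifiers it merged and lets a human split a record.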

Page 17

Two Options:

▪ “The Big Bang”

▪ Transitional

Page 18

Benefits
• Not maintaining two versions for an extended period of time
• Direct developer resources towards the new project

Cons
• This stuff better work! (or expect some pissed off people)
• Significant investment in testing phase
• What’s the back up plan?
• Restrictions on flexibility

Page 19

Benefits
• Significant time to test system “in production” with real data
• Built-in back up plan
• More flexible scheduling

Cons
• Maintaining multiple systems for an extended period
• Ambiguity about where to go for data
• In some instances, double the work!

Page 20

We totally confuse the issue
• We’ve “big banged” ourselves for Dec 2010 (PeopleSoft deployment)
• We’ve committed to maintaining the legacy system feeds
• We are gradually rolling it out!

Why? It seemed like a good idea at the time!
• “Big Bang” attachment to PeopleSoft gets IdM on the radar and stresses importance
• Pilot groups much earlier!
• Unfortunately, it puts IdM on the radar
• With schedule, no time to update all legacy feeds

Page 21

Building a registry is tough! Deploying a registry is tougher! Touches everything!
▪ Data is owned by others
▪ Policies around accessing data, identifiers, etc.
▪ Downstream concerns with new populations
▪ Poorly written tools that won’t work with the new system
▪ Help Desk nightmare!
▪ Start looking at EVERYTHING

What does it all mean?

Page 31

Governance is the activity of governing. It relates to decisions that define expectations, grant power, or verify performance. It consists either of a separate process or of a specific part of management or leadership processes. Sometimes people set up a government to administer these processes and systems.

In the case of a business or of a non-profit organization, governance relates to consistent management, cohesive policies, processes and decision-rights for a given area of responsibility. For example, managing at a corporate level might involve evolving policies on privacy, on internal investment, and on the use of data.

(according to Wikipedia)

Page 32

• Policies
• Responsibility
• Coordination and Prioritization
• Compliance
  – Some of them like the details (i.e. text on the page!); really, really annoying
• Making the Case
• Communication

Page 33

Not too early

But not too late

Becomes important when you start depending on others

Page 34

• Some level of actual authority
• A method for measuring accountability
• Transparent
• Leave us better off!

Page 35

Fiefdoms continue to exist

Duplicate data everywhere!

Duplicate application development

Misuse of information

Page 36

• None – just like it sounds
• Explicitly Decentralized – high level group sets policy, specialized groups implement policy
• Centralized – makes just about all the decisions
• Hybrid

Page 37

1. initial – no process.

2. repeatable – starting to understand processes

3. defined – process documented, standardized and integrated.

4. managed

5. optimized

(according to Burton)

Page 38

Two key points:

You need a champion of sufficient authority

Feedback mechanism needs to be in place