Summit 2006 Presentation Proposals

October 3, 2005 | 2 Comments

I finally put together all my material to submit proposals for Summit presentations. I looked back at what we’ve been doing in the portal this year and the following is what I came up with. Overall it’s been a busy year; I was surprised to come up with as many as I did.

My Title: Portal Administrator and Senior Web Developer

My Bio
Zach Tirrell is from Plymouth State University in northern New Hampshire. Zach is both portal administrator and senior web developer for the institution. The main areas of his concentration revolve around integrating systems and identity management, and Luminis has become a perfect enabler of this. He is often looking to get just a bit more out of Luminis than what is delivered.

Collecting Stats in Luminis
By leveraging the underlying uPortal infrastructure, learn how to take advantage of RDBMSStatsRecorder to generate detailed numbers on who is logging in, logging out, how often, and by role. You can then use these numbers to better understand how effective your portal strategy is. Tracking user adoption and growth over time becomes essential to decision making about the portal.
This presentation is for technical audiences.

YaleCAS in Luminis
One of the most common WebISO solutions is the Central Authentication Service developed by Yale (YaleCAS). In Luminis III.2 CAS became available as an installable module. Learn how to get YaleCAS installed, configured, and where it might fit in your organization. See how Plymouth State University has leveraged the phpCAS libraries to CAS’ify all their internally developed PHP web applications as well as a few third-party ones. What’s best, it only takes a couple lines of code!
This presentation is for technical audiences.

Luminis and Identity Management
While deploying Luminis, or maybe immediately after, lots of questions arise related to identity management. Are you using a central authentication point like LDAP or Active Directory? How do technologies like CPIP or YaleCAS fit into your authentication scheme? What applications should and can use SSO? Are you centrally managing authorization? Is Shibboleth something you should be thinking about? How is your password policy? What’s your level of assurance on accounts you have assigned? All these questions and more will be discussed. Come prepared for lots of crowd participation.

LDI Implementation Tips and Tricks
Plymouth State University is starting to reap the rewards of its integrated campus portal strategy. PSU started its Banner migration in 2001, deployed Campus Platform 3 with its legacy SIS in 2002, publicly deployed Banner in 2003, and in 2004 with the migration to Luminis and implementation of LDI for eLearning, has finally reached “critical mass.” Luminis provides the infrastructure and LDI provides the glue that connects Banner, WebCT, the library, and other services. The presentation details Plymouth State University’s implementation and discusses the problems and solutions we faced along the way, with an emphasis on LDI and Luminis. Plymouth State has used this technology to realize the benefits of a unified digital campus.
This is a repeat from last year.

Implement and Deploy Banner Channels
Banner 7 comes with a huge pile of exciting new channels. These channels greatly leverage the relationship between Luminis and Banner; however, implementation is complicated and deployment even more so. Banner channels are fantastic, but they need to be rolled out carefully. Plymouth State University has already run this gauntlet; come hear some of the concerns and pitfalls so you can avoid them yourself.

summit, sungard, sungardsct, sct, luminis, banner, php, cas, yalecas, sso, webiso, channel, channels, integration, integrate, integrated, plymouth state university, Zachary Tirrell, Tirrell, Zach Tirrell, identity management, ldap, active directory, portal, campus portal


Establishing and Securing Identity in a Distributed World

September 2, 2005 | 10 Comments

We have found ourselves in an interesting position. We need to establish, ensure, and maintain identity with remote users without ever exchanging SSN or other highly confidential identifiers or information. Popular solutions include security questions, requiring an initial email address, authoritative remote identity providers (ex. notary), or physical presence. First, let me debunk all of these in our environment.

Security questions:
- limiting questions to predetermined ones makes it easier to guess answers automatically.
- with more personal information becoming available online, answers to personal questions may be easily found.
- open questions often lead to simple question/answer combinations (ex. what color is the sky? blue.)

Initial email address:
- we provide email accounts as a service; requiring an email account to get an email account is laughable
- expired or abandoned accounts are a dead end for ongoing use

Remote identity providers:
- time consuming and cumbersome for the user
- costly for the user
- much manual work
- difficult globally

Physical presence:
- could be time consuming
- online education implies never needing to come to campus
- difficult globally
- not remote, if they have to come here

One potential solution in this space is Faces. This is also potentially cumbersome and the cost is unknown.

Now let me present our solution.

Upon account creation at the institution (student, faculty, guest, alumni, etc.), we generate a 32-character password change authorization code, or PCAC (ex. KLAS-DFHL-KASD-FKLJ-KKL3-243I-HF34-POI2), and a unique username. The account is initially locked. The user receives the username and code through the postal service to a known address, in person, or it is presented to them online if they are able to establish an account-creating relationship online.

Once they have the PCAC, they are instructed to keep it in a safe permanent location (ex. with birth certificate or social security card). They are also instructed to use this code to activate their account and set their password online. From anywhere in the world they can enter the PCAC and username into a secure web form to set their password.

Once the user has a known username and password combination they use this to access all their services.

This same procedure can be used in the future to instantly reset their password if they have lost or forgotten it. Of course if they know their password they will always be allowed to use that to change it to something else.

At this point they have established identity, received credentials, and with their PCAC can always recover from lost or forgotten passwords. All these steps can be performed online, self-service. The security of their account is primarily in their hands. No one at the institution ever knows their password, and there is no formulaic way of figuring it out. There are no guessable hints.

All of this explains the situation where the user has their PCAC or password. In the contingency where they have lost or misplaced their PCAC, they can have a new one created immediately in person, or request a new one to be mailed to them via an online form.
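The PCAC lifecycle described above (issue to a locked account, activate, reset later, reissue when lost), as an added Python sketch that is not the authors' implementation. The character set, keeping only a hash of the code on the server, invalidating the old code on reissue, and every function and class name are assumptions.

```python
import hashlib
import hmac
import secrets

# Assumption: look-alike characters (0/O, 1/I/L) are left out because the code
# is printed and typed by hand; the post does not define an alphabet.
ALPHABET = "ABCDEFGHJKMNPQRSTUVWXYZ23456789"


def generate_pcac() -> str:
    """32 characters from the OS CSPRNG, dash-grouped in fours like the post's example."""
    raw = "".join(secrets.choice(ALPHABET) for _ in range(32))
    return "-".join(raw[i:i + 4] for i in range(0, 32, 4))


def pcac_digest(code: str) -> bytes:
    """Hash the code after dropping dashes/spaces and upper-casing it."""
    canonical = "".join(ch for ch in code.upper() if ch.isalnum())
    # A plain SHA-256 is adequate only because the code is long and random.
    return hashlib.sha256(canonical.encode("utf-8")).digest()


class Account:
    def __init__(self, username: str):
        self.username = username
        self.locked = True            # accounts start locked, as in the post
        self.pcac_hash = None         # the clear code is never stored
        self.password = None          # (salt, PBKDF2 hash)


def issue_pcac(account: Account) -> str:
    """Create or replace the PCAC; assumption: a reissue invalidates the old code."""
    code = generate_pcac()
    account.pcac_hash = pcac_digest(code)
    return code                       # goes to the printed letter only


def set_password_with_pcac(account: Account, code: str, new_password: str) -> bool:
    """Activate or reset: a matching PCAC unlocks the account and sets the password."""
    if account.pcac_hash is None:
        return False
    if not hmac.compare_digest(account.pcac_hash, pcac_digest(code)):
        return False
    salt = secrets.token_bytes(16)
    hashed = hashlib.pbkdf2_hmac("sha256", new_password.encode("utf-8"), salt, 600_000)
    account.password = (salt, hashed)
    account.locked = False
    return True
```

The code stays valid after use, matching the post's reuse of the same PCAC for later resets.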

I have posted this with hopes that people will review this and comment on their opinion of its viability. Please leave comments if you see problems or advantages in this that we have not.

This solution is not useful for schools with a PKI solution, but could be used very easily as a cheap intermediary solution while that area matures.

Flowchart of this process (PDF)
PCAC Example (PDF)

Jon Emmons’ article on this same topic: Password Management in an Identity-Theft World

(This proposal authored by Jon Emmons and Zachary Tirrell - 2005)

faces, identity, identity management, information technology, it, Jon Emmons, password, password management, passwords, PCAC, pki, pooch, security, security, Zach Tirrell, Zachary Tirrell
