Monday, September 1, 2014

My Travels in Identity Management

From 1999 to 2014 I worked in higher education, and for most of those years my technical focus was on developing and managing Identity Management systems (earlier called Enterprise Directory Services, later called Identity and Access Management). During this time I was engaged with several cross-institution technology groups such as Internet2, EDUCAUSE, CUMREC, AACRAO, and ITANA, participated in the development of public white papers, and contributed many public presentations both at conferences and via online webcasts. This page documents those public activities and provides links to available materials.

1999 - 2004: University of Notre Dame, Office of Information Technology

In 1999 I was hired by the University of Notre Dame to be their Manager of Information Engineering. The focus of this new position was to develop an ongoing program around data warehousing and data modeling, and to encourage best practices in data management. In early 2000 central IT management directed the immediate development of an Enterprise Directory Service using the Lightweight Directory Access Protocol (LDAP) in support of Single Sign-On (SSO) and, in contrast to existing account-based systems, establishing a person-based identity registry for students, staff, and faculty of the University. I became responsible for this effort, focusing on directory schema, provisioning scripts, access controls, application integration using LDAP, and the development of web interfaces for directory search and user profile self-service. While the directory and registry could have been developed as separate components of this new IdM infrastructure, instead they were combined into a single directory with person-based entries and account-based attributes. In time the directory schema and provisioning applications were enhanced to include automated groups, allowing features of both role-based access control (RBAC) and discretionary access control (DAC). During this time I was appointed the Internet2 Meta Directory Services Campus Architect, was an active participant in the Middleware Architecture Committee for Education Directories working group ("MACE-Dir"), and gave many presentations at Internet2, CUMREC, EDUCAUSE, and other higher-education focused conferences, as well as consulting with several universities, among them George Mason University and the University of Southern California.

Publications during this period 2002 to 2004 include:

June/2004 “Pseudonymous Instant Messaging Case Studies”; NMI MACE-I2IM working group

May/2004 “Local Domain Person Object Class Study – Survey Results”, Draft; NSF Middleware Initiative document - NMI-R5

Dec/2003 “Internet2 Directory Services Diagnostic Scenarios”; NMI MACE-Dir working group

Oct/2002 “Metadirectory Practices for Enterprise Directories in Higher Education”, v200210; Co-author, editor; NSF Middleware Initiative document - NMI-R2

May/2002 “Metadirectory Practices for Enterprise Directories in Higher Education”, v1.0; Co-author, editor; NSF Middleware Initiative document - NMI-R1

2002 Presentations

10/28/02 “Middleware Technology - Operational Issues in Directories” tutorial session; Internet2 Member Meeting

10/3/02 “LDAP-Enabled Privacy at the University of Notre Dame” poster session; EDUCAUSE Annual conference

10/2/02 “The University of Notre Dame Enterprise Directory: Engineering Order from Chaos” poster session; EDUCAUSE Annual conference

7/31/02 “Directory Service Operational Performance Monitoring at Notre Dame”; Internet2 Advanced CAMP (Campus Architectural Middleware Planning) Workshop, July 2002, Boulder, Colorado

6/25/02 “MACE-Dir: Metadirectories - Practices in Higher Ed”; Internet2 Base CAMP (Campus Architectural Middleware Planning) Workshop, Boulder, Colorado

5/7/02 “MACE-Dir: Metadirectories”; Internet2 Member Meeting

4/17/02 “Enterprise Directory for Single Sign-On”; American Association of Collegiate Registrars and Admissions Officers (AACRAO) Annual conference

2003 Presentations

11/6/03 “Directory-Enabling Applications: Techniques from the Trenches”; EDUCAUSE Annual conference

6/6/03 “Ask the Experts” expert panel session moderated by Ken Klingenstein, Project Director, Internet2 Middleware Initiative & Chief Technologist; NMI-EDIT Campus Architectural Middleware Planning (CAMP) Meeting, Boulder, Colorado

6/4/03 “Leveraging Applications and Network Services Using Authentication” expert panel session moderated by Michael Gettes, Sr. Technical Architect & Strategist, Duke University; NMI-EDIT Campus Architectural Middleware Planning (CAMP) Meeting, Boulder, Colorado

5/13/03 “Self-service Privacy Using LDAP at the University of Notre Dame”; CUMREC Annual conference

5/13/03 “The University of Notre Dame Enterprise Directory: Engineering Order from Chaos”; CUMREC Annual conference

4/10/03 “Metadirectory: A Tool For Multiple Directories”; Internet2 Member Meeting

4/9/03 “Recent Developments in Directories: Performance Monitoring with ‘Look’”; Internet2 Member Meeting

3/25/03 “LDAP-Enabled Privacy at the University of Notre Dame”; EDUCAUSE Midwest Regional Annual conference

3/13/03 “Middleware At ND” webcast; Internet2 Day, Notre Dame, Indiana

2/6/03 “Managing Enterprise Directories: Operational Issues - Performance Monitoring” co-presented with Dr. Thomas Barton, University of Memphis; NMI-EDIT Base CAMP (Campus Architectural Middleware Planning) Workshop

2/5/03 “Architecting Your Data and Metadirectory Model”; NMI-EDIT Base CAMP (Campus Architectural Middleware Planning) Workshop

2004 Presentations

10/20/04 “Directory-Enabling Applications: Techniques From The Trenches”; EDUCAUSE Annual conference

7/2/04 “Connectors & Provisioning” expert panel session moderated by Keith Hazelton, Senior Technical Architect, University of Wisconsin-Madison; NMI-EDIT Advanced Campus Architectural Middleware Planning (CAMP) Meeting, Boulder, Colorado

5/18/04 “Canning the Spam: Winning the War at Notre Dame”; CUMREC Annual conference

5/17/04 “Directory-Enabling Applications: Techniques From The Trenches”; CUMREC Annual conference

4/22/04 “Getting to Win-Win: Leveraging Active Directory With Campus Enterprise Services”; EDUCAUSE Midwest Regional Annual conference

4/21/04 “Enterprise Directories: An Implementation Roadmap”; EDUCAUSE Midwest Regional Annual conference - seminar co-presented with Joel Cooper, Carleton College Director of IT, Chicago, Illinois

4/20/04 “Directories: Recent Schema Work - Local Domain Person”; Internet2 Member Meeting

2005 - 2014: University of Southern California, Information Technology Services

From 2005 to 3/2014 I developed and managed the Identity Management services at USC. As I had previously at Notre Dame, I designed and maintained the schema, access controls, and provisioning scripts for the Enterprise Global Directory Service and supervised the team of technologists with responsibility for the Shibboleth Identity Provider for web-based SSO, the Person Registry database, the Affiliate Identity System ("iVIP"), the Groups Management self-service application ("MyGroups"), the self-service password management application, and the self-service federated guest registration application. I worked closely with other offices at the University in the development of a governance program for Identity Management and served as the technical lead for that program. During this time I chaired the MACE-Dir working group, co-chaired the NISO Institutional Identifiers (I2) E-Learning working group (12/1/08 - 3/2009), and spoke regularly at a large number of higher-education focused conferences.

Publications during the period 2004 to 3/2014 include:

March/2010 “Ready the Pipes”, Campus Technology Magazine; http://campustechnology.com/articles/2010/03/01/ready-the-pipes.aspx?sc_lang=en ; Interviewed for this article

Sept/2005 “Higher Education Person: A Comparative Analysis of Collaborative Public LDAP Person Object Classes in Higher-Education”; NMI MACE-Dir working group

May/2005 “Local Domain Person Object Class Study – Survey Results”; Author; NSF Middleware Initiative document – NMI-R7

2005 Presentations

10/21/05 “Leveraging Data Warehousing Assets in Enterprise Directory Design”; EDUCAUSE Annual conference

9/21/05 “Recent Advancements in Metadirectory Development in Higher Education” expert panel moderated by Brendan Bellina; Internet2 Member Meeting

9/19/05 “Metadirectories / Provisioning” Birds of a Feather session; Internet2 2005 Member Meeting

6/29/05 “Identity Management: Forming the Game Plan and Next Steps” expert panel session with accompanying presentation; NMI-EDIT CAMP Identity and Access Management Integration Workshop, Denver, Colorado

6/27/05 “Identity Management: Reflect and Join”; NMI-EDIT CAMP Identity and Access Management Integration Workshop, Denver, Colorado

5/17/05 “Enterprise Directory Design – Facing the Initial Challenges”; CUMREC Annual Conference

5/2/05 “Metadirectories & Resource Provisioning BoF: Feeding the USC Person Repository” Birds of a Feather session with accompanying presentation; Internet2 Member Meeting

3/22/05 “Middleware Authorization Using Groups”; EDUCAUSE Midwest Regional Annual conference

2006 Presentations

10/10/06 “Enterprise Directory Design – Facing the Initial Challenges”; EDUCAUSE Annual conference

10/9/06 “Care and Feeding of the Institutional Directory Service – Advanced Issues, Problems, and Solutions” half day seminar; EDUCAUSE Annual conference

10/9/06 “Deploying Shibboleth: Technical Requirements, Policy Issues, and Case Studies” half day seminar; EDUCAUSE Annual conference

6/27/06 “Using Shibboleth as Your WebSSO Authentication System”; CAMP Shibboleth, Burlington, Virginia

4/24/06 “Enterprise Directory Design – Facing the Initial Challenges”; EDUCAUSE Western Regional annual conference

3/21/06 “IdM and AuthX @ USC”; NMI Signet and Grouper Early Adopters Deployment Workshop, Los Angeles, California

3/21/06 “eduPermissionGroup draft”; NMI Signet and Grouper Early Adopters Deployment Workshop, Los Angeles, California

2007 Presentations

10/25/07 “Collaborators at the Gates of Troy – Extending eServices at USC”; EDUCAUSE Annual conference

10/23/07 “Architecting the Institutional Directory Service – Advanced Issues, Problems, and Solutions” full day seminar; EDUCAUSE Annual Conference

5/9/07 “Extending the Reach of eServices – Policy and Practice at USC”; EDUCAUSE Western Regional Annual conference

2008 Presentations

11/6/08 “The Launch of Google Apps at USC: Determinants, Decisions, and Deterrents”; TERENA EuroCAMP Annual conference, Athens, Greece

11/6/08 “USC Identity and Access Management”; TERENA EuroCAMP Annual conference, Athens, Greece

11/5/08 “Typical Directory Implementations at Institutions in Higher Education”; TERENA EuroCAMP Annual conference, Athens, Greece

10/30/08 “The Launch of Google Apps For Education at USC: Determinants, Decisions, and Deterrents”; (audio recording available here); EDUCAUSE Annual conference

10/29/08 “Applying Data Governance in Identity Management: To Serve and Protect” lightning talk session; EDUCAUSE Annual conference

10/29/08 “Applying Data Governance in Identity Management: To Serve and Protect” poster session; EDUCAUSE Annual conference

10/15/08 “The Launch of Google Apps For Education at USC: Determinants, Decisions, and Deterrents”; Internet2 Member Meeting

10/14/08 “Kerberos role in Unified Identity and Access Management”; Internet2 Member Meeting

10/13/08 MACE Directories Working Group update; Internet2 Member Meeting

8/8/08 EDUCAUSE Live! “Spotlight on Identity Management at USC”; online seminar; https://library.educause.edu/resources/2008/8/spotlight-on-identity-management-identity-management-at-usc-collaboration-governance-and-access

7/10/08 “Identity Management at USC: Collaboration, Governance, Access”; American Association of Collegiate Registrars and Admissions Officers (AACRAO) Identity Management Workshop

4/21/08 MACE Directories Working Group update; Internet2 Member Meeting

4/1/08 “Applying Data Governance in Identity Management: To Serve and Protect”; EDUCAUSE Western Regional Annual conference

2009 Presentations

10/7/09 “InCommon Collaboration Activities – National Student Clearinghouse”; Internet2 Member Meeting

10/5/09 MACE Directories Working Group update; Internet2 Member Meeting

4/27/09 MACE Directories Working Group update; Internet2 Member Meeting

2/11/09 “Google@School: Apps, Tools, & Tips for Your College”; online Higher Ed Hero seminar

2/5/09 “Student Identity Life Cycle - Stage 2: Managing Digital Identity - USC IAM”; Internet2/EDUCAUSE CAMP

2/4/09 “Student Identity Life Cycle - Stage 1: Establishing a Relationship” co-presented with Dr. Kenneth Servis, USC Registrar; Internet2/EDUCAUSE CAMP

2010 Presentations

6/10/10 InCommon IAM Online: “Hot Topics and Current Issues in Identity Management – Handling Affiliate Populations”; online seminar

6/9/10 “USC Identity Management, Shibboleth, and SAML”; Open Web Application Security Project (OWASP), Los Angeles chapter

4/24/10 “Using Shibboleth to Connect: Applications for the Clearinghouse and other Federated Applications”; American Association of Collegiate Registrars and Admissions Officers (AACRAO) Annual conference

4/14/10 “Identity Management for Security Professionals: Leveraging Federations” seminar; EDUCAUSE Security Professionals Conference

4/14/10 “Federated Identity Management: Addressing the Risky Business”; EDUCAUSE Security Professionals Conference

2012 Presentations

4/25/12 “Supporting a Widely Deployed Campus Shibboleth Implementation” co-presented with USC, Duke, and Ohio State University; Internet2 Member Meeting

4/25/12 “USC Shibboleth Support Model” co-presentation with Russell Beall, USC; Internet2 Member Meeting

2013 Presentations

11/13/13 “USC: Managing Your Service Provider Interactions”; Internet2 Identity Week

10/17/13 “Multi-Factor Authentication in Higher Education”; EDUCAUSE Annual conference

5/13 “USC’s OAuth Recipe: OAuth + Enriched Identity Data + Central Authorization”; Common Solutions Group (CSG Stonesoup) member meeting

5/13 “An Overview of Identity Management: Where It Has Been and Where It Is Going”; EduSoCal Annual conference