University of Waterloo Identity and Access Mangement

October 3, 2006

Identity Management (IdM) is an integrated system of business processes, policies and technologies that enable organizations to facilitate and control their users' access to critical online applications and resources — while protecting confidential personal and business information from unauthorized users. It represents a category of interrelated solutions that are employed to administer user authentication, access rights, access restrictions, account profiles, passwords, and other attributes supportive of users' roles/profiles on one or more applications or systems.

- from Wikipedia

General Description and Background

The identity-management system at UW is a key and central component for any application that provides or requires information about UW's people and other entities and the resources to which they have access. It is the repository of information that identifies those who are members of the UW community and defines their roles in the institution. It is the vehicle that authentication and authorization interfaces use to make role-based decisions on whether to accept or deny access requests, ranging from a request to establish a wired or wireless connection to the campus network to a request to see or update information in a database. It is the vehicle that will enable the institution to participate in "federation of trust" agreements by which one institution permits access to certain of its resources by members of other institutions. It is also the vehicle that enables the institution's security-audit record of accepted and denied requests.

There are ever-diminishing returns to evolving a home-grown system. The report from the 2005 Deloitte audit of campus identity management recommended that UW look to the future by exploiting the greater potential of a commercial identity-management system. This effort is also included in IST’s 2006/7 annual plan. The general approach will involve building a long-term “preferred vendor” relationship with an innovative, market-leading supplier of IdM solutions.

The initial phase of the overall identity management effort, a technical upgrade of UWdir, has been completed (implementation May 2006). Demonstrations by a number of vendors, including IBM, SUN and Oracle have been held in order to gain functional and technical familiarity with commercial solutions in general. UW is also preparing to participate in a Federated Identity pilot with other Ontario institutions, one that involves the Library, Shibboleth, Scholars Portal and Cambridge Scientific Abstracts. A recent ECAR survey of approximately 400 institutions (Educause members) indicated that less than 12 percent were at the RFI stage or later for IdM. Based on its previous experience, UW is in a strong position to make this next step and take advantage of new capabilities and offerings.

Scope and Objectives

The steps covered by this charter are the investigation and recommendation of a commercial solution that can perform such standard functions as:

core directory services
self-service (e.g. registration, password reset, account history)
provisioning for accounts, privileges and services
authentication services
authorization services (e.g. campus groups, policy and role based access, potential extensions to ERP applications)
single or reduced sign-on
complete client and entity set (e.g. physical resources, background processes, contact to alumnus)
logging and audit functionality
automated processes and workflow (e.g. de-provisioning of staff accounts)
multiple authentication layers
delegated administration
identity reconciliation and merge

It will also include an initial assessment of the professional services that may be required. Potential systems should also include functionality that will be of interest in future implementation phases, such as:

virtual directory
Federated Identity
multi-factor and other techniques for strong authentication

Timeline

Select the members of the project team to pursue the commercial solution. (June 2006)
Document the requirements and expectations for the commercial solution. Refine the scope and objective for potential project phases, with particular emphasis on a timeline of priorities, benefits and services that are desirable in each of 2007 and 2008. (June/July 2006)
Issue an RFP to establish a long-term relationship with the vendor whose identity-management offerings seem best suited to meet UW's short-term objectives and future expectations. (September 2006)
RFP responses due (October 2006)
Analyze the RFP responses and short-list the vendors. (October/November 2006)
Follow-up and select the preferred vendor. (November/December 2006)
Establish Implementation Trial Project Charter (December 2006)
Implementation Trial:
- Implementation planning with vendor (December 2006)
- Go-live Proof of Concept/Acceptance Testing (May 2007)
- Implementation Trial complete and Final Report (May 2007)

Resources

Specific implementation resources are contingent on the product selected. The core RFP selection team will include:

Martin Timmerman – Computing Systems Services, IST
Reg Quinton – Computing Systems Services, IST
Roger Watt – Network Services, IST
Paul Snyder – Client Services, IST
Roy Wagler – Information Systems (Finance, Research and Infrastructure), IST
David Kibble – Information Systems (Academic Support and Ancillaries), IST
Connie van Oostveen - Information Systems (Academic Support and Ancillaries), IST

Additional staff from campus and within IST will be asked to provide input to the process by reviewing requirements and/or participating in vendor demonstrations as required. In order to ensure appropriate buy-in, detail requirements should also be reviewed by other key campus stakeholders. These include Faculty computing representatives and key Academic Support units (e.g. Library, Registrars, Human Resources, ODAA, CECS). Recommendations will be reviewed by IST management.

IdM Project Exclusions

There are specific campus projects now underway, potential initiatives or current services that are not included in the IdM project. These include, for example:

Email initiative (now in progress)
Campus “portal” (often included in IdM initiatives as a result of SSO and related objectives)
Student computing environment within Faculties (IdM will work with those responsible within academic computing units)

Risks and Constraints

Potential concerns include but are not limited to:

ability to engage key functional stakeholders (many objectives will require changes to existing business processes)
wide-ranging impact (IdM is unique in the number of “touchpoints” to applications and services – coordinating change may be difficult)
overlaps with other projects and significant system implementations
automation of functions is an overall objective (there is a risk in temporarily leaving some processes as manual)
a “balanced” timeline is crucial – i.e. one that can achieve key short term objectives with a reasonable but not overly aggressive schedule
developing and committing to a long term relationship with a vendor in a field that is still evolving fairly rapidly
a broader implementation or one with greater scope will carry greater risks

Appendix A

Project Considerations for UW IdM Implementation Team

Specific strategies for a number of functional and technical issues will be the responsibility of the detail project team to be formed after product selection. This team will also be responsible for determining a timeline and any “phase-in” plans. Possible items include, but are not limited to:

synchronization of data and passwords
ERP authentication and authorization
workstation resources
amount of biographical and related information to be stored in the central directory
self-signup for “affiliated partners” of UW
“hiding” people

Specific scope issues which would be evaluated by this team may include:

use of workflow tools
collection of data from as few authoritative sources as possible in a standard format
self-selected versus assigned identities
changes required to other campus systems (e.g. Human Resources in order to track organizational structure and hierarchies)
impact and requirements of any relevant legislation

Project Charter: RFP Preparation & Product Evaluation