Jim Beard Oregon
Very ad hoc
University of Oregon deployed SUN IDM in 2007,
45,000 active accounts.
Account password resets
Store everything in LDAP.
Found certain areas, things were harder.
Things were able to get away with things before
So have central account clerk.
They could call her to take care of things before.
But with new system, policies put in place, people can't just get pwd set over phone.
So you need to walk into accounts clerk office.
COMPLAINTS from other side of campus.
They don't want to come in.
And univ opened up a new location 40+ miles away. Always had researchers abroad.
Registration in Hawaii
In past. Fax or Phone call
Used credentialing agents on campus.
Very decentralized. Trying to improve
Bring IT professionals in from on campus that are not part of Central ID. Let them reset passwords.
Worked with someone at the new Portland campus.
System is auditable.
We know who is doing the resets.
Can track down
Had to think about level of trust.
Flat structure. If you can change one person's pwd you can change everyone's pwd.
Couldn't give you access to just one dept.
Some of the challenges --rolled out 4 months ago -- on campus credentialing agent is dean of ? for a different school.
That person is busy and helps students and is not always there for this purpose.
Portland branch person is an IT person set to be there.
Q: We have a similar situation.
People not showing up in person. A workaround we have is users call in and share their ID number on back of card. That is good enough for pwd reset.
A: our account clerk can access confidential info. But students lose cards a lot. Might pick up someone else's card.
Bringing in more services, so pwd
they still go in and do the new pwd
A: people needing resets don't know answers to the security questions
Carmody: emerging InCommon bronze and silver frameworks are quite relevant.
If you have researchers who will access NSF or NIH sites, you will need to assert that their credentials are at bronze or silver level.
Any student filling out that form is going to have to be at silver. You aren't going to want to tag in LDAP that this one gets financial aid and that one doesn't
Easy to get to silver level when it's a pwd issue.
But pwd reset is the thorny issue.
Does silver allow for anything other than in person vetting on a reset?
Must have photo ID
And also must have one or two bank acct numbers that can be proved
Used to have wonderful stations where you can sign in.
So we are extending beyond that.
Looking at 4 or 5 levels of assurance