Significant changes to our Identity Management Services are underway.
- LDAP Directory Services
- One Time Password (OTP) Services
- Increase in use of our Single Sign-on and Federated Authentication Service
The first two are targeted for initial deployment the first week of May. In the case of the OTP service, a gradual migration to the new service will start, after the initial Pilot tests have been concluded. The third is a gradual process that will continue on all year. For more information on Identity Management Documentation, go here.
LDAP Directory Services
LBL is now upgrading from a robust but not recently updated Sun LDAP directory software on older hardware to OpenLDAP on a Virtual Machine Environment. The LDAP directory schema was designed some 20 years ago and we have been modifying and updating it since then. In the process of this migration and upgrade, we are updating the schema, adding to the object classes and attributes that are stored, and removing obsolete object classes. Further, we are re-writing the sync application that adds new people to the directory, adding a self
service Password Reset Utility, and working on ideas for re-branding this service
One time Password
Over 1400 internal and external customers (many of them users of the HPC clusters managed by the IT Division’s HPC Services Group), use a 7 year old implementation of Cryptocard along with hard tokens that are individually configured and issued to users. As the result of a 6 month effort, the decision has been made to convert to Nordic Edge, using a combination of hard and soft tokens. Soft tokens can be deployed on smart phones, require a pin just like a hard token, and offer much easier distribution and ongoing management capabilities. We will continue to support both services until a gradual migration of existing users has been completed. Over the next 6 months, research will also continue on extending OTP to business systems web applications (as opposed to the more typical use via SSH).
Federated Authentication and Single Sign On (SSO) Services
Our institutional Wiki (commons.lbl.gov) will benefit from agreements we have reached with other institutions within the UC and National Lab Community. Starting April 3, space owners on the wiki can work with partners at Argonne National Lab, UCLA and UC Merced. Users from those institutions will be able to authenticate to commons and if the space owner gives permissions to these external users, actually participate in content editing. We are expecting UC Berkeley to join sometime in April. We also continue to add to the Business systems that benefit from single sign on. Google Apps, Commons, and Taleo are examples of applications that already take advantage of this capability.