51情报站's identity management (IDM) program started in 2003 when the security group, along with developers from the database support group and others, developed the initial MIDAS application. MIDAS became the cornerstone of 51情报站 IDM's strategy, receiving nearly quarterly updates and major revisions every five years. MIDAS has adapted to changing technologies and emerging trends to support the university's needs, and today manages nearly all University-operated systems.
In 2008, we adopted a Single Sign-On (SSO) approach to provide a consistent login experience across all University services. Since then, SSO has expanded from the initial five services to over 180 applications, hosted both locally and in the cloud.
In 2014, Middleware became an additional focus of the IDM group, and development efforts were re-prioritized to include directory data management and cloud compatibility. A Directory Manager was created and an enterprise service bus (ESB) was built to expose local APIs and to foster cloud-to-cloud integrations between our hosted applications.
The IDM program has been guided by several external and internal factors. State policies, such as Sec-501, carried many IDM-related requirements, and the later adoption of ISO 27001 added more. The changing technology landscape has also required the IDM program to develop new features or change methodologies in order to give end users and applications the best possible support at the lowest possible cost.
Guiding Principles
Secure by default and obvious: The IDM/Middleware group has developed several security and compliance controls. These controls should be non-intrusive and work with the most common use cases to enhance the user experience instead of presenting roadblocks. If a control is a hindrance, users will avoid or bypass it simply to get their work done.
Reuse code and processes: Nothing should be developed with only one use case in mind. As applications or features are developed, future uses should be accounted for and exceptions assumed. Libraries should be built instead of specialized applications.
Engineered complexity brings flexibility: Not all use cases can be accommodated during development. Spending the extra time to create a deeply controllable system allows unknown use cases and problems to be solved without significant rewrites or single-problem solutions.
Single Sign-On First: All applications should be centrally authenticated through the SSO system to provide portal support and a clean consistent user experience.
Best practice adoption: By leveraging existing frameworks (Sec-501, ISO 27000, the NIST SP 800 series) and community best practices (NIST guidance, Internet2 policies), we can run a robust IDM program.
We can't do this alone: The IDM/Middleware group is only as good as other groups and units in the University. We use their data, we build upon their work, we express their work through new channels. Communicating needs, accommodating changes/challenges and working with others to achieve common goals is key to a functional IDM Program.
Self-Improvement: When we assume that code will always run, we are left with rotting code and problems for tomorrow. Periodically refactoring existing code leads to efficiencies and helps keep processes relevant and robust.
Long-term Goals
Unified Account ID: MIDAS was created when users could hold both faculty and student accounts. These accounts were (and are) separate in some systems, with MIDAS layered on top of them to provide consistent credential management. Our goal is to remove or minimize the continuing need for multiple role-based accounts and unify them under the single MIDAS ID. This has been a driving force behind several IDM projects as well as a guiding principle when integrating new systems.
Paperless Account Request: 51情报站 still partially relies on paper/PDF-based account requests in special cases. MIDAS 2.0 introduced an online account request process which is currently being enhanced in MIDAS 3.0 to include the remaining paper use cases. The goal is to unify the account request process into a single online path which can then be enhanced for automation, auditing and reporting.
Ubiquitous Single Sign-On: Most campus logins are already occurring through Monarch-Key, but there are still a few systems not under Monarch-Key. The goal is to have a single login everywhere on campus. Nearly every month, services are added to Monarch-Key and as replacements or upgrades present themselves, holdouts are migrated.
Enhanced Account Security: IDM has become the cornerstone of cloud-based security strategies. Attacks on credentials are becoming more common as services and applications move to cloud infrastructure. We have already made significant strides in protecting these applications with an SSO-first approach (which minimizes the credentials stored in hosted applications) and by deploying two-factor authentication on SSO. Further steps underway include user notifications, behavioral analytics of login behavior and expansion of the two-factor deployment.
MIDAS as a Service: Over the past few years, MIDAS has been transitioning from a standalone website to an API-based model. This has already paid off in the SSO password-change feature of Monarch-Key, and we are looking to expand and extend this capability throughout MIDAS. Our goal is that students should need to visit MIDAS only during initial setup, or never at all, while still receiving all of its benefits. Faculty, staff and administrators will continue to use the MIDAS website primarily for administrative needs.
Enhanced SSO Disaster Recovery: Monarch-Key is resilient to outages of its supporting systems, but as long as it is hosted on campus there are critical dependencies that cannot be removed. IDM is currently running projects to provide highly available, cloud-capable data sources for Monarch-Key, which will enable a hybrid or fully hosted Monarch-Key deployment.
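The "user notifications" and "behavioral analytics of login behavior" mentioned above are not described in any detail on this page. The following is an added illustration, not MIDAS or Monarch-Key code, of the kind of per-login check such analytics performs: each SSO login is compared against the user's baseline (known devices, known countries, last trusted location) and classified as allow, notify, step-up or deny. The event fields, the device fingerprint, the thresholds and the decision policy are all assumptions, and the audit records are constructed for the example.

```python
"""Login-behaviour analytics over SSO audit events (added example, not MIDAS/Monarch-Key code)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt
from typing import Dict, List, Optional, Set, Tuple

MAX_PLAUSIBLE_KMH = 900.0   # assumed ceiling: faster than this between two logins is "impossible travel"
GEO_SLACK_KM = 50.0         # assumed: ignore IP-geolocation jitter below this distance


@dataclass
class LoginEvent:
    user: str
    ts: datetime          # timezone-aware UTC timestamp of the login
    device_id: str        # hypothetical device/browser fingerprint issued by the SSO service
    country: str
    lat: float
    lon: float
    mfa_passed: bool      # whether the two-factor step succeeded for this login


@dataclass
class UserProfile:
    known_devices: Set[str] = field(default_factory=set)
    known_countries: Set[str] = field(default_factory=set)
    last_trusted: Optional[LoginEvent] = None   # most recent login that was not denied or held for step-up


def km_between(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in km (haversine, mean Earth radius 6371 km)."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlam = p2 - p1, radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def assess(profile: UserProfile, ev: LoginEvent) -> Tuple[str, List[str]]:
    """Classify one login as 'allow', 'notify', 'step_up' or 'deny' and list the reasons."""
    if profile.last_trusted is None:
        return "allow", ["enrollment"]          # first login seen: nothing to compare against yet
    reasons: List[str] = []
    if ev.device_id not in profile.known_devices:
        reasons.append("new_device")
    if ev.country not in profile.known_countries:
        reasons.append("new_country")
    prev = profile.last_trusted
    hours = (ev.ts - prev.ts).total_seconds() / 3600.0
    dist = km_between(prev.lat, prev.lon, ev.lat, ev.lon)
    if dist > GEO_SLACK_KM and (hours <= 0 or dist / hours > MAX_PLAUSIBLE_KMH):
        reasons.append("impossible_travel")
    # Assumed policy: impossible travel is denied outright; an unfamiliar country
    # needs a second factor before it is trusted; a new device alone only notifies.
    if "impossible_travel" in reasons:
        return "deny", reasons
    if "new_country" in reasons and not ev.mfa_passed:
        return "step_up", reasons
    return ("notify" if reasons else "allow"), reasons


def learn(profile: UserProfile, ev: LoginEvent) -> None:
    """Fold a trusted login into the user's baseline."""
    profile.known_devices.add(ev.device_id)
    profile.known_countries.add(ev.country)
    profile.last_trusted = ev


def run(events: List[LoginEvent]) -> List[Tuple[str, str, List[str]]]:
    """Process events in time order; only allowed/notified logins update the baseline."""
    profiles: Dict[str, UserProfile] = {}
    out = []
    for ev in sorted(events, key=lambda e: e.ts):
        profile = profiles.setdefault(ev.user, UserProfile())
        decision, reasons = assess(profile, ev)
        if decision in ("allow", "notify"):
            learn(profile, ev)
        out.append((ev.user, decision, reasons))
    return out


def _utc(*args: int) -> datetime:
    return datetime(*args, tzinfo=timezone.utc)


NORFOLK = ("US", 36.85, -76.29)
FRANKFURT = ("DE", 50.11, 8.68)
TORONTO = ("CA", 43.65, -79.38)

SAMPLE_EVENTS = [   # constructed audit records for the example; not real users or traffic
    LoginEvent("alice", _utc(2024, 3, 1, 8, 0), "dev-1", *NORFOLK, True),
    LoginEvent("alice", _utc(2024, 3, 1, 12, 0), "dev-1", *NORFOLK, True),
    LoginEvent("alice", _utc(2024, 3, 1, 13, 0), "dev-2", *NORFOLK, True),
    LoginEvent("alice", _utc(2024, 3, 1, 13, 30), "dev-3", *FRANKFURT, False),  # 6,600 km in 30 min
    LoginEvent("alice", _utc(2024, 3, 2, 9, 0), "dev-1", *NORFOLK, True),
    LoginEvent("alice", _utc(2024, 3, 10, 9, 0), "dev-1", *TORONTO, True),
]

if __name__ == "__main__":
    for user, decision, reasons in run(SAMPLE_EVENTS):
        print(f"{user:6} {decision:8} {','.join(reasons)}")
```

Two design points matter more than the thresholds. A denied or step-up login must not update the baseline, otherwise an attacker's first login "teaches" the system their device and location; here only allowed and notified logins are learned. And IP geolocation is noisy, so the distance check carries slack (GEO_SLACK_KM) and the speed ceiling is generous; a production deployment would tune both against real audit data and would treat the notification path as the user's chance to revoke a device they do not recognize.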
Affiliate Management: MIDAS and Monarch Profile Manager both have needs to identify and support users with ancillary associations to the University. Several projects have been completed and several more are currently in the works to provide first tier support for various affiliates throughout campus.
Recent Updates
New in MIDAS: Organizations
If you're the leader of a department, office, program or other business unit, you and your chosen delegates will gain access to a new control panel in MIDAS: Organizations.
From this interface, you can manage MIDAS's understanding of your business unit and its members. By including people in the Organization, their accounts will remain active, and they will acquire permissions relevant to your unit.