Java Vulnerability Alert - May 21, 2013
Recently, security bulletins have been issued on the internet about risks arising from potentially infected websites that exploit a security hole in all web browsers.

Infected websites can take advantage of vulnerabilities in the widely used web browser plug-in for the Java platform and pose risks for Internet users. To protect against attack from websites of unverified origin, we advise using two separate web browsers for different purposes.

  1. A designated browser with Java enabled, to access enterprise UBC systems and other trusted websites, and
  2. Another browser, set as the default browser, with the Java plugin disabled for all other websites, e.g. blogs, internet news, gaming sites, etc.

Instructions for disabling the Java plugin can be found here. If you need assistance disabling the plugin in either of these browsers, contact your designated IT support group or the IT Service Centre staff, who can help by phone or at the Walk-In Support Centre in the UBC Bookstore.

More information is available at our FAQ page.

Frequently Asked Questions

What is IAM?

Identity and Access Management (IAM) is the set of business policies, processes, and a supporting infrastructure for managing the creation, maintenance and use of digital identities.

Identity and Access Management - A Primer (PDF, 837KB)

Who is it going to affect?

IAM will affect everyone who interacts with UBC.  Currently, the impact of IAM on UBC departments is dependent on:

  • Which systems, services and data elements have been integrated into IAM
  • Which systems, services or data elements your department currently uses, or plans to use

What are the IAM priorities?

Without IAM, each new system adds yet another username and password for our faculty, staff or students to remember and increases our administrative burden to maintain them. The IAM program identified directory services as an urgent priority. The most common directory services at UBC are LDAP and Microsoft's Active Directory (AD). A number of in-flight projects required enterprise-scale AD, so Enterprise Active Directory was selected for early delivery by IAM.

What is EAD?

Enterprise Active Directory (EAD) is one of the solution components of the Identity and Access Management Program (IAM) at UBC. The IAM solution architecture specifies a single Active Directory instance as a platform for incorporating Microsoft technologies into IAM. EAD will be utilized as a centralized authentication and directory service for Microsoft-based services, including Exchange 2010 and VDI.

What about LDAP and other non-Microsoft services?

The technology guiding principles for this program are to align with open standards and to implement technology solutions to obtain the best value for UBC. In order to meet these requirements, OpenLDAP, an open source implementation of the Lightweight Directory Access Protocol (LDAP), and Shibboleth 2.0, an architecture and open-source implementation for federated identity-based authentication and authorization infrastructure, will be deployed alongside EAD to facilitate non-Microsoft authentication.

Where are business rules and group memberships defined? 

Most systems' access controls are based on the user's attributes that define his/her group membership. For example, most faculty are members of the active employee group. IAM has deployed Grouper to aggregate and manage group memberships, and to act as the authoritative or top-level repository for group memberships if a system-of-record for the group does not exist.

What other services will IAM deploy?

There is a wide range of integrations and new services being deployed by IAM. For example, the program will deliver an IAM-enabled distribution- and mailing-list management solution that can leverage people's memberships in groups to automate the provisioning of distribution and mailing lists while providing sophisticated control and management capabilities.

What role will CWL play in IAM?

CWL is a collection of components, including a user interface, database, authentication engine and person data hub, and is presently the place where information pertaining to your identity, such as certain usernames, passwords and cross-references to other IDs, is stored. IAM is planning to replace some CWL components and enhance others, with the exact details to be worked out in the upcoming months. However, some decisions have already been made, such as replacing the CWL authentication engine (Auth2) with Shibboleth 2.0 for all new authentication integrations.

This sounds great!  Where do I sign up?

If you are an application owner and would like to take advantage of the benefits offered by IAM, you can prepare now by making your application Shibboleth-aware.  Please contact the IAM Team (lois.cumming@ubc.ca) for further information on integrating your application.

If you are a Department System Administrator and would like to take advantage of the benefits offered by IAM, contact Lois Cumming (lois.cumming@ubc.ca). For EAD, please contact EAD Directory Services (ead-request@interchange.ubc.ca).

If you are an employee in an organization that is part of the UBC community, integration activities are underway to systematically onboard units onto IAM. To find out if your unit is taking part in these integration activities, please contact your Department System Administrator.

a place of mind, The University of British Columbia

UBC Information Technology
6356 Agricultural Rd.
Vancouver, BC V6T 1Z2,
