Iowa's Enterprise Authentication and Authorization Strategy


Tony Bibbs, from Iowa, is speaking on Enterprise Authentication and Authorization. Iowa has long been a leader in this area. This service is very similar to Utah's Master Directory project (which Dave Fletcher wrote a little about just lately), but it's based on a collection of tools, including some that are open source. The service provides a single repository for accounts, a single credential set (not the same as single sign-on), a way for users to self-service, and a single point for conducting security audits.

The service consists of three parts: a client library, with clients in ASP, Java, PHP, VB, etc.; a service layer, based on XML over HTTPS and written in Java; and a "provider" layer that reads credentials from multiple credential repositories. This last part was important in Iowa because each agency was managing its users with different tools. Utah was lucky that it had standardized on GroupWise and NetWare years before. As a result, even though there were multiple trees, at least bringing them together into a single master tree was easier (even so, it took 9 months). As Novell migrated to LDAP compatibility, so did Utah's directory trees.

Iowa's strategy is to get everyone using the same service layer and the same set of clients. Once that's done, the credential repositories can be swapped out without changing the applications.
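The three-layer design and the swap-the-repository strategy, as an added example that is not Iowa's service code or Utah's Master Directory: a small Python service layer holds the single account index and the single audit point, routes each login to a pluggable provider per agency, and the application talks only to the service. The agency names, usernames, passwords and the two provider implementations (one standing in for a legacy unsalted-hash store, one for a salted PBKDF2 store) are constructed for the example.

```python
# Added example: pluggable credential providers behind one service layer.
# Agency names, accounts and provider internals below are constructed.
import hashlib
import hmac
import logging
import os
from abc import ABC, abstractmethod

log = logging.getLogger("authsvc")


class CredentialProvider(ABC):
    """Provider layer: one adapter per credential repository."""

    @abstractmethod
    def verify(self, username: str, password: str) -> bool: ...


class LegacyHashProvider(CredentialProvider):
    """Stands in for an agency store that kept unsalted SHA-1 digests (constructed)."""

    def __init__(self, digests: dict[str, str]):
        self._digests = digests  # username -> hex SHA-1 digest

    def verify(self, username, password):
        stored = self._digests.get(username, "0" * 40)
        candidate = hashlib.sha1(password.encode()).hexdigest()
        # Constant-time compare even against the legacy store.
        return username in self._digests and hmac.compare_digest(candidate, stored)


class SaltedProvider(CredentialProvider):
    """Stands in for a modern store: per-user salt and PBKDF2-HMAC-SHA256."""

    ITERATIONS = 100_000

    def __init__(self):
        self._records: dict[str, tuple[bytes, bytes]] = {}  # username -> (salt, digest)

    @classmethod
    def _derive(cls, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, cls.ITERATIONS)

    def enroll(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self._records[username] = (salt, self._derive(password, salt))

    def verify(self, username, password):
        salt, digest = self._records.get(username, (b"\0" * 16, b"\0" * 32))
        # Always run the derivation so unknown usernames cost as much as known ones.
        candidate = self._derive(password, salt)
        return username in self._records and hmac.compare_digest(candidate, digest)


class AuthService:
    """Service layer: single account index, single audit point, providers swappable per agency."""

    def __init__(self):
        self._providers: dict[str, CredentialProvider] = {}
        self._accounts: dict[str, str] = {}  # username -> agency (the single account repository)
        self.audit: list[tuple[str, str, bool]] = []  # (username, agency, success)

    def register_provider(self, agency: str, provider: CredentialProvider) -> None:
        self._providers[agency] = provider  # re-registering an agency swaps its repository

    def add_account(self, username: str, agency: str) -> None:
        self._accounts[username] = agency

    def authenticate(self, username: str, password: str) -> bool:
        agency = self._accounts.get(username)
        provider = self._providers.get(agency)
        ok = provider is not None and provider.verify(username, password)
        self.audit.append((username, agency or "?", ok))  # every decision is audited here
        log.info("auth user=%s agency=%s ok=%s", username, agency, ok)
        return ok


def app_login(service: AuthService, username: str, password: str) -> str:
    """Application code: depends only on the service, never on a repository."""
    return "welcome" if service.authenticate(username, password) else "denied"


def demo() -> tuple[str, str, str, int]:
    """Log in against a legacy store, migrate the agency to a salted store, log in again."""
    svc = AuthService()
    legacy = LegacyHashProvider({"jdoe": hashlib.sha1(b"correct horse").hexdigest()})
    svc.register_provider("agency-a", legacy)
    svc.add_account("jdoe", "agency-a")
    before = app_login(svc, "jdoe", "correct horse")
    wrong = app_login(svc, "jdoe", "wrong")
    # Swap agency-a's repository; the application call is unchanged.
    modern = SaltedProvider()
    modern.enroll("jdoe", "correct horse")
    svc.register_provider("agency-a", modern)
    after = app_login(svc, "jdoe", "correct horse")
    return before, wrong, after, len(svc.audit)


if __name__ == "__main__":
    print(demo())
```

The point the strategy makes is visible in `demo()`: `app_login` is called the same way before and after the agency's repository is replaced, and the audit list records every decision in one place regardless of which provider answered.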