Infrastructure for Identification, Authentication and Authorization (I2A2)
The information in this web page and its related pages has been designed to assist
system developers who want to use I2A2. Consequently there is no overview or
general description of I2A2 in the normal flow of the information presented.
However, here are two articles that give some general descriptions:
- "Infrastructure for Identification, Authentication and Authorization (I2A2)" by John Steele
- "Why use I2A2?" by George Wyncott
I2A2 is a support system that helps Purdue data systems control resources. It
enables them to identify who is asking for resources, prove the declared identity,
and determine what access rights the identity has.
The PUID: The identity key used by I2A2 is a ten-digit number called the Purdue University IDentifier (PUID). A permanent PUID is assigned to each person having a relationship with Purdue. The PUID contains ten characters, has a Luhn check digit, and is displayed as 12345-67890.
The Alias: Some PUIDs may have an alias as an alternate way to identify them. Aliases are currently borrowed for PUIDs from Coordinated Purdue Career Account Logins, which are assigned to all West Lafayette staff and students. An alias is usually more mnemonic and thus easier to remember than a ten-digit number.
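An added example, not part of I2A2's own libraries or code samples: an input check for a PUID entered in the display form described above, run before the value is used in a request. It assumes the check digit is the last of the ten digits and that the standard Luhn mod-10 rule applies, neither of which this page spells out; the function names and the sample value 12345-67897 are constructed.

```python
import re

# Assumed input forms: ten ASCII digits, optionally written NNNNN-NNNNN.
# [0-9] is used instead of \d so that non-ASCII Unicode digits are rejected.
_PUID_RE = re.compile(r"([0-9]{5})-?([0-9]{5})")


def luhn_sum(digits: str) -> int:
    """Luhn sum; every second digit counted from the right is doubled."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # positions 2, 4, ... from the right
            d *= 2
            if d > 9:
                d -= 9          # same as adding the two digits of the product
        total += d
    return total


def check_digit(first_nine: str) -> int:
    """Check digit that makes first_nine + digit pass the Luhn test."""
    return (10 - luhn_sum(first_nine + "0") % 10) % 10


def parse_puid(text: str) -> str:
    """Return the canonical ten-digit string, or raise ValueError."""
    m = _PUID_RE.fullmatch(text.strip())
    if m is None:
        raise ValueError("expected ten digits, optionally as NNNNN-NNNNN")
    puid = m.group(1) + m.group(2)
    if luhn_sum(puid) % 10 != 0:
        raise ValueError("check digit does not match")
    return puid


def display_puid(puid: str) -> str:
    """Format a canonical PUID in the hyphenated display form."""
    return f"{puid[:5]}-{puid[5:]}"


if __name__ == "__main__":
    # Constructed sample value, not a real PUID.
    print(display_puid(parse_puid("12345-67897")))
```

A passing check digit only catches mistyped or transposed digits; it says nothing about whether the PUID has been assigned or who is presenting it.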
The I2A2 infrastructure has an Oracle database for creating and storing PUID
information, and Internet access to three fast database managers (DBMs) with
text-based, LDAP, RADIUS, and secure (SSL) network interfaces. One DBM serves
identification requests; a second,
authentication challenges; a third,
Apache web server modules, libraries, and code samples are offered to help developers enable I2A2 access from their systems.
Restrictions: Effective November 1, 2005, access to I2A2 services will become regulated through firewall restrictions. Departments within Purdue wishing to use I2A2 services should contact ITaP's Identity and Access Management (IAM) office to execute a Service Level Agreement (SLA) or Memorandum Of Understanding (MOU) regarding their access to I2A2 services.
Purdue departments that are already using I2A2 services will continue to have access to I2A2 services after this change. However, at some future time those departments may be contacted by the IAM office and asked to execute an SLA.
There are several reasons for restricting access:
- Knowing who is using the I2A2 services allows the IAM office to use ITaP's change management notification system to notify our customers of impending outages or service interruptions.
- The execution of an SLA between the IAM office and the client allows both parties to understand the requirements -- including security -- and expectations for the delivery of the I2A2 services.
- Best security practices require restricting access to potentially sensitive data or services to the smallest possible set of clients.
You may contact the IAM office to request access to I2A2 services by sending
electronic mail to firstname.lastname@example.org.
Web servers and applications that receive authentication credentials for
forwarding in I2A2 authentication requests should handle the credentials carefully.
Those servers and applications should provide a secure channel over which the credentials are entered -- e.g., web servers should use SSL|TLS. (I2A2 requires that the credentials be forwarded to it over a channel secured by SSL|TLS.)
Operational monitoring of I2A2 operations includes accumulation of statistics about authentication requests and patterns in their use. When the I2A2 administrative staff detects an unusual pattern it will investigate.
I2A2 was developed by the Purdue Academic Computing Environment (PACE) group with help from the Management Information Department and the Purdue University Computing Center (PUCC). These people contributed to the documentation.