Infrastructure for Identification, Authentication and Authorization (I2A2)
NOTICE!
- New student characteristics now in production as of Aug 4, 2008.
- I2A2 service access restrictions were put in effect on November 1, 2005
Purpose
The information in this web page and its related pages has been designed to assist
system developers who want to use I2A2. Consequently there is no overview or
general description of I2A2 in the normal flow of the information presented.
However, here are two articles that give some general descriptions:
- "Infrastructure for Identification, Authentication and Authorization (I2A2)" by John Steele
- "Why use I2A2?" by George Wyncott
Introduction
I2A2 is a support system that helps Purdue data systems control resources. It
enables them to identify who is asking for resources, prove the declared identity,
and determine what access rights the identity has.
The PUID: The identity key used by I2A2 is a ten digit number called the Purdue University IDentifier (PUID). A permanent PUID is assigned to each person having a relationship with Purdue. The PUID contains ten characters, has a Luhn check digit, and is displayed as 12345-67890.
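The page states that a PUID is ten characters ending in a Luhn check digit and is displayed as 12345-67890. The following Python is an added example, not code from the I2A2 project: it validates that check digit with the standard Luhn algorithm, normalizes the hyphenated display form, and re-renders a PUID for display. The PUID values it uses are constructed for illustration and are not real Purdue identifiers; the helper names are this example's own.

```python
"""Added example (not part of the I2A2 page): validate the Luhn check digit of a
ten-digit PUID and render it in the 12345-67890 display form. The Luhn procedure
is the standard one; all sample values are constructed, not real PUIDs."""

import re
from typing import Optional

PUID_LENGTH = 10  # ten characters, the last of which is the Luhn check digit


def luhn_sum(digits: str) -> int:
    """Standard Luhn sum: walking from the right, double every second digit
    (subtracting 9 when the doubled value exceeds 9) and add everything up."""
    total = 0
    for index, ch in enumerate(reversed(digits)):
        d = int(ch)
        if index % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total


def luhn_check_digit(payload: str) -> str:
    """Compute the check digit that makes payload + digit pass the Luhn test."""
    if not (payload.isascii() and payload.isdigit()):
        raise ValueError("payload must contain only ASCII digits")
    # Append a placeholder 0 so the payload digits land in their final positions.
    return str((10 - luhn_sum(payload + "0") % 10) % 10)


def normalize_puid(puid: str) -> Optional[str]:
    """Strip the display hyphen and reject anything that is not exactly ten ASCII digits.
    Returns the bare ten-digit string, or None if the shape is wrong."""
    bare = puid.replace("-", "")
    if not re.fullmatch(rf"[0-9]{{{PUID_LENGTH}}}", bare):
        return None
    return bare


def is_valid_puid(puid: str) -> bool:
    """True only for a ten-digit PUID (bare or hyphenated) whose Luhn sum is a multiple of 10."""
    bare = normalize_puid(puid)
    return bare is not None and luhn_sum(bare) % 10 == 0


def format_puid(puid: str) -> str:
    """Render a valid PUID in the 12345-67890 display form used on the page."""
    bare = normalize_puid(puid)
    if bare is None or not is_valid_puid(bare):
        raise ValueError(f"not a well-formed PUID: {puid!r}")
    return f"{bare[:5]}-{bare[5:]}"


def build_puid(payload: str) -> str:
    """Constructed helper: append the check digit to a nine-digit payload to get a ten-digit PUID."""
    if len(payload) != PUID_LENGTH - 1 or not (payload.isascii() and payload.isdigit()):
        raise ValueError("payload must be exactly nine ASCII digits")
    return payload + luhn_check_digit(payload)


if __name__ == "__main__":
    sample = build_puid("123456789")  # constructed payload, not a real PUID
    print(sample, format_puid(sample), is_valid_puid(sample))
    # A single mistyped digit, or swapping the last two digits, fails the check:
    print(is_valid_puid(sample[:-1] + "0"), is_valid_puid(sample[:-2] + sample[-1] + sample[-2]))
```

The check digit only guards against transcription mistakes (a single wrong digit, most adjacent transpositions); it says nothing about whether a PUID exists or who holds it, so a service should still confirm the identifier against I2A2 rather than treating a Luhn-valid number as a known person.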
The Alias: Some PUIDs may have an alias as an alternate way to identify them. Aliases are currently borrowed for PUIDs from Coordinated Purdue Career Account Logins, which are assigned to all West Lafayette staff and students. An alias is usually more mnemonic and thus easier to remember than a ten digit number.
Infrastructure
The I2A2 infrastructure has an Oracle database for creating and storing PUID information, and Internet access to three fast database managers (DBMs) with text-based, LDAP, RADIUS, and secure (SSL) network interfaces. One DBM serves identification requests; a second, authentication challenges; a third, authorization queries.
Apache web server modules, libraries, and code samples are offered to help developers enable I2A2 access from their systems.
Restrictions
Effective November 1, 2005, access to I2A2 services will become regulated through firewall restrictions. Departments within Purdue wishing to use I2A2 services should contact ITaP's Identity and Access Management (IAM) office to execute a Service Level Agreement (SLA) or Memorandum Of Understanding (MOU) regarding their access to I2A2 services.
Purdue departments who are already using I2A2 services will continue to have
access to I2A2 services after this change. However, at some future time those
departments may be contacted by the IAM office and asked to execute an SLA.
There are several reasons for restricting access:
- Knowing who is using the I2A2 services allows the IAM office to use ITaP's change management notification system to notify our customers of impending outages or service interruptions.
- The execution of an SLA between the IAM office and the client allows both parties to understand the requirements -- including security -- and expectations for the delivery of the I2A2 services.
- Best security practices require restricting access to potentially sensitive data or services to the smallest possible set of clients.
You may contact the IAM office to request access to I2A2 services by sending
electronic mail to i2a2-admin@purdue.edu.
Ethical Use
Web servers and applications which receive authentication credentials for
forwarding in I2A2 authentication requests should handle the credentials carefully
and responsibly.
Those servers and applications should provide a secure channel over which the
credentials are entered -- e.g., web servers should use SSL|TLS. (I2A2 requires
that the credentials be forwarded to it over a channel secured by SSL|TLS.)
Operational monitoring of I2A2 operations includes accumulation of statistics
about authentication requests and patterns in their use. When the I2A2 administrative
staff detects an unusual pattern it will investigate.
More Information
Credits
I2A2 was developed by the Purdue Academic Computing Environment (PACE) group with help from the Management Information Department and the Purdue University Computing Center (PUCC). These people contributed to the documentation.