Identity Management Task Force

The IDM Task Force has been charged by the CIO to develop a set of integrated Identity Management services that manage UNM identity information so that it can be utilized to the maximum benefit of the UNM Community. The latest revision of the Task Force Charter is available for review.

Identity Management Design

See also, Identity Management/Active Directory Roadmap Overview.

One of the first deliverables of the Task Force is the IDM Design document. The document will outline specific goals of the Task Force and be used to spawn off projects to achieve the desired goal state. A link to the Design Document will be published here when it is finalized. Some of the goals outlined in the Design document have already spawned additional projects.

Identity Management Design Goals

1. Build a Centralized Active Directory Forest
The ADTC was formed to implement a centralized AD forest on campus. This project is well underway and making significant progress. The AD Standards and Design are available at the CIO Web Site.

2. Establish NetID and Password Synchronization between main campus LDAP and the Centralized AD Forest
The Password Sync task force has finished the design and plans to go live November 22, 2009. When activated, the creation, deletion and modification of LDAP NetIDs will synchronize through the SUN IDM application to the Centralized AD forest.

Will users be able to change their password using Ctrl+Alt+Delete on a Windows desktop attached to the AD Forest?
No. To enable this feature an IDM agent would be installed on every Domain Controller in the forest. To reduce complexity and possible conflicts during the AD Forest Migrations, it was decided not to allow this feature at this time. Password changes will have to be made through the online NetID management web pages.

Will all users' passwords be synchronized on the go-live date?
No. On November 22, 2009, a link will be established between an AD account and the LDAP NetID account. After this date, when a user changes their password via the NetID management web pages, the passwords and expiration times between the two systems will synchronize. Until individual passwords are changed, separate passwords will still exist, as well as separate password expiration dates.

Will all LDAP users have AD accounts on the go-live date?
No. On the go-live date, a link between the LDAP NetID account and the AD account will be created only if the AD account already exists. After this date, modifications to the LDAP account such as updates from Banner, password changes, and Self Service modifications will trigger the synchronization in IDM, and an AD account will be created.

The new AD forest is based on OU (Organizational Unit). How will I know who will be placed in which OU?
A mapping based on department number has been implemented. A person’s department number is based on which department pays his/her salary. Individual department numbers can be looked up via the online directory. The current departmental mapping can be viewed here.

Can I move a person into a different OU?
If there is a justified business need to move an individual into an OU they normally wouldn’t be in, a mechanism in IDM has been developed to enter an OU override. Right now this request can be done via an e-mail sent to IDM@unm.edu. Plans are underway to move this functionality to the IT Support center.

What will happen when a Department creates a new department number?
If a mapping for the new department number does not exist, users with the new department number will be moved to the default OU (ou=people,dc=colleges,dc=ad,dc=unm,dc=edu). It is the responsibility of the OU administrators to notify IT of the new department number so that it can be added to the departmental mapping before the change takes place.
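The OU placement rules in the three answers above (department-number mapping, the default OU fallback, and the OU override), as an added illustration that is not UNM's IDM code. The department-to-OU table, the override table and the sample feed are constructed for the example; only the default OU DN comes from this page.

```python
# Added example: OU placement as described on this page (not UNM's IDM code).
DEFAULT_OU = "ou=people,dc=colleges,dc=ad,dc=unm,dc=edu"  # default OU from the page

# Constructed sample mapping (the real one is maintained by IT).
DEPT_TO_OU = {
    "123A": "ou=Library,dc=colleges,dc=ad,dc=unm,dc=edu",
    "456B": "ou=Engineering,dc=colleges,dc=ad,dc=unm,dc=edu",
}

# Constructed override table keyed by NetID, standing in for the override
# entries IDM keeps after a justified request is approved.
OU_OVERRIDES = {
    "jdoe": "ou=Engineering,dc=colleges,dc=ad,dc=unm,dc=edu",
}

# Constructed sample feed of (NetID, department number) pairs, e.g. from Banner.
SAMPLE_FEED = [("asmith", "123A"), ("jdoe", "123A"), ("bjones", "999Z")]


def target_ou(netid, dept_number, dept_to_ou=DEPT_TO_OU, overrides=OU_OVERRIDES):
    """Return (ou_dn, reason) for a person: override first, then the
    department mapping, otherwise the default OU."""
    if netid in overrides:
        return overrides[netid], "override"
    ou = dept_to_ou.get(dept_number)
    if ou is None:
        return DEFAULT_OU, "unmapped-department"
    return ou, "department-mapping"


def user_dn(netid, dept_number):
    """DN the account would be created under by the synchronization."""
    ou, _ = target_ou(netid, dept_number)
    return f"cn={netid},{ou}"


def unmapped_departments(feed, dept_to_ou=DEPT_TO_OU):
    """Department numbers in a feed that would land people in the default OU.
    Running this before a feed is applied gives OU administrators the list of
    numbers that still need to be registered with IT."""
    return sorted({dept for _, dept in feed if dept not in dept_to_ou})
```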

Will OU (organization unit) Administrators still be able to manage Accounts in AD?
Yes. OU Administrators will still be able to create Service Accounts as they deem necessary. These accounts should be created in the SvcAccounts sub-OU and conform to the standards established by the ADTC. Accounts for people should already exist via the IDM Synchronization. A user's corresponding OU Administrator can change passwords for them; however, this will be discouraged. AD password changes will not propagate back through the IDM system and are prone to cause confusion for the users.

What attributes are being mapped from LDAP to AD and what are the implications?
View a list of attributes being mapped. Modifications to mapped attributes in AD will be overwritten by IDM the next time the account is modified in LDAP.
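What "overwritten by IDM" means in practice, as an added example that is not UNM's IDM code: mapped AD attributes are re-set from LDAP on the next LDAP modification, while attributes outside the map are untouched. The attribute map and the two sample entries are constructed; the real mapped-attribute list is the one linked above.

```python
# Added example (not UNM's IDM code): effect of the LDAP -> AD attribute map.
# Constructed map of LDAP attribute -> AD attribute; the real list is linked on the page.
ATTRIBUTE_MAP = {
    "givenName": "givenName",
    "sn": "sn",
    "mail": "mail",
    "telephoneNumber": "telephoneNumber",
    "departmentNumber": "department",
}

# Constructed sample entries. The AD entry has a phone number edited locally
# by an OU administrator and a "description" that is not in the map.
LDAP_ENTRY = {"givenName": "Alex", "sn": "Smith", "mail": "asmith@unm.edu",
              "telephoneNumber": "505-555-0100", "departmentNumber": "123A"}
AD_BEFORE_EDIT = {"givenName": "Alex", "sn": "Smith", "mail": "asmith@unm.edu",
                  "telephoneNumber": "505-555-0100", "department": "123A"}
AD_ENTRY = {"givenName": "Alex", "sn": "Smith", "mail": "asmith@unm.edu",
            "telephoneNumber": "505-555-0199", "department": "123A",
            "description": "Lab PC admin"}


def compute_ad_updates(ldap_entry, ad_entry, attr_map=ATTRIBUTE_MAP):
    """AD attribute -> value that the synchronization would write on the next
    LDAP modification. Mapped attributes are forced to the LDAP value, so a
    local AD edit to a mapped attribute is reverted; unmapped AD attributes
    (here "description") never appear in the result."""
    updates = {}
    for ldap_attr, ad_attr in attr_map.items():
        desired = ldap_entry.get(ldap_attr)
        if desired is not None and ad_entry.get(ad_attr) != desired:
            updates[ad_attr] = desired
    return updates


def edits_that_will_be_lost(ad_before, ad_after, attr_map=ATTRIBUTE_MAP):
    """Mapped AD attributes changed directly in AD; these edits will not
    survive the next sync, so they are worth flagging before they are made."""
    mapped = set(attr_map.values())
    return sorted(a for a in mapped if ad_before.get(a) != ad_after.get(a))
```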

3. Establish Federated ID
One of the primary directions given by the CIO is to configure and establish Federated ID for UNM. Federated ID should be used to provide access to UNM and other state resources based on trusts established between UNM and other institutions.

As a first step towards this, UNM has become a member of the InCommon Federation. As a participating member of the InCommon Federation, UNM provides information about its practices so that others can decide whether to trust our systems based on these declarations.
UNM Participant Operation Practices

My question isn’t addressed here. How do I get a question and answer added here?
Please submit your questions to IDM@unm.edu.