CUIT's Identity Management architecture is based on a combination of internally developed programs, opensource products, and commercial products. Where possible, we adhere to open standards to facilitate the adoption of our services.The University Network ID (UNI)
Identity Management at Columbia revolves around the University Network ID (UNI), a unique identifier assigned to each individual in any way associated with the University. The UNI serves as the primary public electronic identifier on campus (even when other identifiers are used internally), and is used for email, printing, computer labs, CLIO (library catalog), PeopleSoft self service, VPN and dialup access, and numerous smaller web-based applications.
Enrollment occurs when an individual first becomes part of the Columbia community, usually when they first arrive on campus, but sometimes earlier. Individuals activate their electronic identity (UNI) by providing personal information.Implementation Details
In the process of activating a UNI, the individual selects a password to attach to it. This combination of UNI+password may then be used by various applications to authenticate an individual (ie: to confirm the individual is who her or she claims to be).Implementation Details
CUIT accepts demographic data from various sources around the University, including the major student (SIS) and personnel (PAC) systems, various University affiliates (Barnard, Teachers College, etc), and numerous local departments. This information is correlated to generate the UNI for the individual as well as to generate a single entry in the enterprise directory.
This entry contains information such as the individual's name, address, department, and telephone number. In addition, the entry also contains information regarding aspects of the individual related to the source feed, known as affiliations. Affiliations are not publicly visible, and may be used for authorization purposes.
Currently, a complicated hierarchy establishes the "best" source for an individual who comes from multiple feeds, and this best source is reflected as the individual's primary role in the directory. However, by late 2006 it is expected that the directory will no longer require a primary role and will simply display all available roles for an individual. All affiliations for the individual are maintained with their entry, regardless of the number of source feeds.
Not all individuals associated with the University may be publicly visible via the directory. Notably, students who request privacy via FERPA as well as alumni with no other connection to the University are only visible to authorized applications. Furthermore, some publicly visible individuals may request the suppression of individual fields within their entry.Implementation Details
The primary source of central authorization information is the demographic feed data described above. An individual may receive different affiliations according to her or his source feed or feeds, including the attributes set for the individual within the feed by the feed administrator. When the individual is no longer a member of the feed, he or she loses the affiliations granted by that feed. This may then result in, for example, loss of access to restricted web sites or loss of email service.
A secondary source of central authorization information is group membership on the central unix servers (aka cunix groups). Users may create and manage their own cunix groups, with memberships subsequently reflected in the enterprise directory as affiliations. Expansion and generalization of this service is planned.Implementation Details
(aka WebSSO/WebISO/Single Sign On/Reduced Sign On)
The Columbia University WebISO (WIND) allows web-based applications to authenticate anyone with a UNI without the password being passed through the application. According to the needs of the application, an encrypted identifier may be returned instead of the UNI.
For approved applications, authorization information may also be returned in the response.Implementation Details
Web pages served from the central secure web server (www1.columbia.edu) and other CUIT maintained servers may take advantage of UNI authentication and affiliation information for authorization purposes using the standard Apache access control mechanism (eg: via .htaccess).Implementation Details
Provisioning and deprovisioning of accounts on the primary email (Cyrus) and unix (Cunix) systems happens automatically based on the demographic feed data and affiliations described above.
This service is currently available only for servers maintained by the CUIT Unix & Email Systems group.Implementation Details
CUIT is participating in several early adoption pilots of federated identity, allowing members of the Columbia University to access services maintained by other universities and organizations using their Columbia UNI.Implementation Details Additional Information