In general you can request IAM services at Georgia Tech, by using this link "How to request IAM services", which will gather your needs, submit a Footprints ticket for you, and begin any data stewardship or security overview that is needed. It is your responsibility to provide information as requested by IAM, Cybersecurity, database admins, and data stewards as these questions may arise. This is the method to get access to login.gatech.edu/CAS for your application, Shibboleth authentication for your application, get a GTED/LDAP searcher account, and request data from Identity and Access Management for your application.

Note: Routine issues and questions, about IAM or IAM-related topics, should go through central OIT support at support@oit.gatech.edu as usual. This team is sized appropriately for this volume, and trained to get questions to the correct team. Bypassing this process will likely not obtain faster service.

If you have been asked to submit a project request for the IAM team, you can go directly to this form


NOTICE: IAM SWOT analysis of GT IAM services, Aug-Oct 2017     
Details here.


Various types of IAM services at GT.

A variety of IAM services is available. Authentication and authorization for applications is frequently requested. Some data is available in LDAP, SQL, and other formats. Some services are available widely to any who request them, and others are more restricted and require management approval, business case, data stewardship approval, Cyber-security approval, or subject to auditor or industry best practices restrictions. An example of a widely available service is login.gatech.edu for an on campus service for authentication, with no data needed. An example of a more restricted service would be a feed of data that includes student information. This would be subject to IAM manpower availability, FERPA, and data stewardship approval.

The time required for fulfillment of requests can vary. Obviously it depends on manpower, approvals, complexity, campus demands, the degree of IAM involvement, and the academic calendar.


CAS or login.gatech.edu SSO service  

The new documentation pages are here. ( http://iamweb1.iam.gatech.edu/docs/services/CAS )

What is jasig CAS

What is CAS at GT? What is login.gatech.edu? How can I use CAS with my application?

In general, any on-campus application can do authentication to login.gatech.edu without any help from OIT IAM. However, if the application is off campus, or needs data back for any reason (probably for authorization) then they will need to fill out the IAM request form (How to request IAM services) and specify CAS, and whatever data is needed.

What is the SLA for login.gatech.edu?

login.gatech.edu (the GT login service based on jasig CAS) is intended to be a highly available service, for web based applications that can do CAS protocols. Not all jasig CAS functions are supported, however basic authentication, validation, proxy, and logout should work. If you have questions, you can ask in the request form mentioned above. Application users should subscribe to the gted@lists.gatech.edu list, so they can be apprised of upgrades, changes, outages, etc. It is the application owner responsibility to test against new versions when upgrades are being tested, and give feedback on issues. Applications that just need authentication can connect without even requesting. If applications need data back, then the owner should fill out the "How to request IAM services" form. This will create a Footprints ticket. 

More Information on CAS programming.  

Where can I find ex of using CAS with php? 
https://wiki.jasig.org/display/CASC/phpCAS+examples    
Where can I find examples using CAS with xyz language? https://iam.gatech.edu/iam-users-group/   

GTED  

Introduction to GTED 

    This page has a link for downloading GTED schema and a link to our service request form, good intro to GTED information:
    Purpose of GTED,
    How to Get Started:
    GTED Goals and Differences between GTED and other (GT) Directories
    mention of our gted@lists email list

More information on GTED. https://iam.gatech.edu/gted/index_html (formerly http://share-it.gatech.edu/oit/gted )

Location of the GTED data dictionary, to see what the values in GTED mean, and how they were derived. https://iam.gatech.edu/gted/GTEDDataDictionary.xlsx   
 
When you request and receive a GTED access account, here is some useful introductory info: https://iam.gatech.edu/gted/welcome-to-gted-letter.html  

Some GTED data is available in SQL form in the Data Warehouse. Permission has to be granted via the above mentioned request form. Here is further explanation of our Datawarehouse SQL tables of GTED data. Click here for GTED data tables in Data warehouse. (also known as the mage.dat replacement tables) (formerly https://iam.gatech.edu/gted/mage.dat-replacement-files.html )

Some IAM lifecycle technical information for developers can be downloaded from here.
 
Gted data contains, among other things, information on a persons affililiations to GT. For example, student, employee, guest, former, based on eduPerson standards. This is commonly used for authorization in applications, and a person can belong to more than one of these groupings. So here is a cheatsheet on how these  affiliations are used in GTED.

Data feeds

IAM has consolidated data from various authoritative systems and can allow access if there are business needs (with approval). IAM can also produce feeds of data base on GTED for mission critical type applications and services. These are always by request and are not self service. The request process would begin with the "How to request IAM services" form, mentioned on this page. Filling out this form would start the discussion and approval process. Data stewards and Cybersecurity must approve these requests.


Mage and Wand services

Identity Management’s Mage system manages accounts, email aliases, and employee, student, and service roles. It was put into production in 2005. While it began as our whole identity management (IDM) system, IDM has grown to include GTED and GRS, which now work back and forth with Mage to maintain various IDM data for Georgia Tech. The Mage system itself has three main parts:

These three pieces compose the Mage system.

How to Request Access as a Mage Admin

The account of a new Mage administrator must be upgraded with administrative privileges. This upgrade must be authorized by someone with the authority to make that request, i.e. someone who is responsible for the people whose accounts are to be administered by the new admin. Use the MACTR form to request Mage admin privileges for a given account. 

We no longer offer SQL access directly to Mage. Fill out our Data Stewardship Request if you need API access to IAM data. This Data Stewardship Request has also replaced requests that used to ask for access to “mage.dat” type of data.

Early onboarding of GT employees, to create a GT account and before Peoplesoft paperwork is complete.

Passport and self service

This self service tool is generally open to anyone with a GT account, and can be used to manage your password expirations and renewals, GTENS contact information, photo availability, and other GT account self service abilities. 


GT Role System (GRS)

 

The GT Role System (GRS) is a tool to assign roles to people. Roles are simply labels that are useful to somebody, usually for inclusion in a collaborative group or authorization to use a computer resource. More information can be found here. And here is a presentation from training on GRS and Buzzapi.              

Grouper based role system (future). 

Shibboleth and Federated Login Service

The new documentation pages are here  ( http://iamweb1.iam.gatech.edu/docs/services/Shibboleth )

What is Shibboleth?

How can I use this to authenticate and authorize in my application? (see How to request IAM services ) 

  

  

FAQs and Announcements

Most Announcements will appear on the appropriate service pages: login.gatech.edu, passport.gatech.edu, status.oit.gatech.edu

FAQs can be found here for IAM services. https://faq.oit.gatech.edu/

Announcements will normally be sent to gted@lists.gatech.edu. You should join that, if you own applications that authentication to GTED, Shibboleth, or get data from OIT-EIS IAM services.

The gted@lists.gatech.edu sympa list will be used for most announcements and discussions for IAM services. 

For most IAM questions and issues, we request that Footprints is used for most issues, so please go to support@oit.gatech.edu for triage. This support group is trained, and has more people, so they can quickly handle such questions and issues. However, if you are certain that your issue is an IAM issue, then you can bypass triage and send an email directly to iam-support@oit.gatech.edu. This will create a ticket for you, assigned to the IAM team. Be aware that this will actually slow down addressing your issue, if the issue is really an email, network, unix, or some other non-IAM issue, or if the (much smaller) IAM support team is heavily loaded at the time