In general, you can request IAM services at Georgia Tech by using this link, "How to request IAM services", which will gather your needs, submit a Footprints ticket for you, and begin any data stewardship or security overview that is needed. It is your responsibility to provide information as requested by IAM, Cybersecurity, database admins, and data stewards as these questions arise. This is the method to get access to login.gatech.edu/CAS for your application, get Shibboleth authentication for your application, get a GTED/LDAP searcher account, and request data from Identity and Access Management for your application.
Note: Routine issues and questions about IAM or IAM-related topics should go through central OIT support at firstname.lastname@example.org as usual. This team is sized appropriately for this volume and trained to get questions to the correct team. Bypassing this process will likely not obtain faster service.
If you have been asked to submit a project request for the IAM team, you can go directly to this form.
A variety of IAM services is available. Authentication and authorization for applications are frequently requested. Some data is available in LDAP, SQL, and other formats. Some services are widely available to anyone who requests them; others are more restricted and require management approval, a business case, data stewardship approval, or Cybersecurity approval, or are subject to auditor or industry best-practice restrictions. An example of a widely available service is login.gatech.edu used for authentication by an on-campus service, with no data needed. An example of a more restricted service would be a feed of data that includes student information. This would be subject to IAM manpower availability, FERPA, and data stewardship approval.
The time required to fulfill requests can vary. It depends on manpower, approvals, complexity, campus demands, the degree of IAM involvement, and the academic calendar.
What is jasig CAS?
What is CAS at GT? What is login.gatech.edu? How can I use CAS with my application?
In general, any on-campus application can authenticate against login.gatech.edu without any help from OIT IAM. However, if the application is off campus, or needs data back for any reason (probably for authorization), then its owner will need to fill out the IAM request form (How to request IAM services) and specify CAS and whatever data is needed.
What is the SLA for login.gatech.edu?
login.gatech.edu (the GT login service based on jasig CAS) is intended to be a highly available service for web-based applications that can speak the CAS protocols. Not all jasig CAS functions are supported; however, basic authentication, validation, proxy, and logout should work. If you have questions, you can ask in the request form mentioned above. Application users should subscribe to the email@example.com list, so they can be apprised of upgrades, changes, outages, etc. It is the application owner's responsibility to test against new versions when upgrades are being tested, and to give feedback on issues. Applications that just need authentication can connect without even making a request. If applications need data back, then the owner should fill out the "How to request IAM services" form. This will create a Footprints ticket.
More Information on CAS programming.
Where can I find examples of using CAS with PHP? https://wiki.jasig.org/display/CASC/phpCAS+examples
Where can I find examples using CAS with xyz language? https://iam.gatech.edu/iam-users-group/
Introduction to GTED
This page has a link for downloading the GTED schema and a link to our service request form, and is a good intro to GTED information:
Purpose of GTED
How to Get Started
GTED Goals and Differences between GTED and other (GT) Directories
Mention of our gted@lists email list
Location of the GTED data dictionary, to see what the values in GTED mean, and how they were derived. https://iam.gatech.edu/gted/GTEDDataDictionary.xlsx
When you request and receive a GTED access account, here is some useful introductory info: https://iam.gatech.edu/gted/welcome-to-gted-letter.html
Some GTED data is available in SQL form in the Data Warehouse. Permission has to be granted via the above-mentioned request form. Here is further explanation of our Data Warehouse SQL tables of GTED data. https://iam.gatech.edu/gted/mage.dat-replacement-files.html
Some IAM lifecycle technical information for developers can be downloaded from here.
GTED data contains, among other things, information on a person's affiliations to GT (for example, student, employee, guest, former), based on eduPerson standards. This is commonly used for authorization in applications, and a person can belong to more than one of these groupings. So here is a cheatsheet on how these affiliations are used in GTED.
Mage is a legacy IDM product implemented in 2005 at Georgia Tech. New enhancements are rare, but this is currently how department admins manage GT accounts, aliases, access to some services, password resets, moving accounts when people change roles, and service accounts. It also has a database, and is also used in many IDM processes behind the scenes. For example: movement of data from PeopleSoft and Banner such as names, departments, GTID; automatic assignment of accounts; management of application service accounts; enforcement of security policies (e.g. guest rules, password policy, Cybersecurity emergency account disabling); account life cycle; database for Guest accounts; etc.
How to request access as a Wand/Mage admin
The account of a new Mage administrator must be upgraded with administrative privileges. This upgrade must be authorized by someone with the authority to make that request, i.e. someone who is responsible for the people whose accounts are to be administered by the new admin. Use this form to request Mage admin privileges for a given account and to schedule Mage training for the user of that account.
Request for Mage data (Mage as a data source is deprecated. See How to request IAM services instead)
Request for Mage.dat type data (now from GTED, not Mage, and hosted on the Data Warehouse in SQL format).
Request to make someone a Mage admin. Download permission (MACTR) form.
Early onboarding of GT employees, to create a GT account before PeopleSoft paperwork is complete.
This self service tool is generally open to anyone with a GT account, and can be used to manage your password expirations and renewals, GTENS contact information, photo availability, and other GT account self service abilities.
The GT Role System (GRS) is a tool to assign roles to people. Roles are simply labels that are useful to somebody, usually for inclusion in a collaborative group or authorization to use a computer resource. More information can be found here. And here is a presentation from training on GRS and Buzzapi.
Grouper based role system (future).
What is Shibboleth?
How can I use this to authenticate and authorize in my application? (see How to request IAM services)
FAQs and Announcements
Most announcements will appear on the appropriate service pages: login.gatech.edu, passport.gatech.edu, status.oit.gatech.edu
FAQs for IAM services can be found here: https://faq.oit.gatech.edu/
Announcements will normally be sent to firstname.lastname@example.org. You should join that list if you own applications that authenticate to GTED or Shibboleth, or get data from OIT-EIS IAM services.
For most IAM questions and issues, we request that Footprints be used, so please go to email@example.com for triage. This support group is trained, and has more people, so they can quickly handle such questions and issues. However, if you are certain that your issue is an IAM issue, then you can bypass triage and send an email directly to firstname.lastname@example.org. This will create a ticket for you, assigned to the IAM team. Be aware that this will actually slow down addressing your issue if the issue is really an email, network, Unix, or some other non-IAM issue, or if the (much smaller) IAM support team is heavily loaded at the time.