The goal of Identity Management is that every person at ODU has a single digital identity to interact with our technology services. We manage the digital identities of our faculty, staff, students, researchers, affiliates and visitors with the Monarch Identification and Authentication System (MIDAS).
With the MIDAS web application (midas.odu.edu), individuals at ODU can manage their own passwords and recovery settings, as well as request access to a variety of services beyond the defaults. Authorized users can also use MIDAS to manage departmental associations, permissions for others, and memberships in groups and mailing lists. Behind the scenes, MIDAS cross-references users between systems of record and keeps track of their centrally-managed permissions.
Middleware supports many of the behind-the-scenes processes that ensure these different services work seamlessly together -- from Single Sign-On, to APIs, to dozens of cloud service integrations. For developers, Middleware offers infrastructure and resources: task runtimes, an identity-aware proxy, repositories for source code and compiled artifacts, and extensive internal documentation.
Core Identity Services
Your identity, password and permissions are managed with MIDAS, the Monarch IDentity and Authorization System. You'll use your MIDAS ID and password to log in to many online services using Monarch-Key Web Login. Additionally, you can use the Monarch Profile Manager to edit the way your profile is displayed throughout ODU systems (like Outlook and the online directory).
The MIDAS system keeps track of who you are and what you can access.
Use your MIDAS ID and password to log in to essential ODU services.
Monarch Profile Manager
Manage the way your name and title appear in ODU directories.
These are not systems that you would necessarily interact with on a regular basis, but they work behind the scenes to make sure your identity is consistent across a number of university services.
IDM Workflow, powered by Bonita, serves as the primary workflow engine for both the MPM and MIDAS systems. This workflow routes requests to the appropriate approvers and keeps records of who approved what.
Enterprise Service Bus (ESB)
The ESB serves as the primary hosting location for ODU-related APIs and processes. The ESB consists of three major components: API Manager, Processing Nodes and Storage Nodes.
A replicated environment that provides highly available directory services to several locally hosted applications.
Active Directory Federation Services (ADFS)
A specialized single sign-on environment providing authentication services for Office 365 and related Microsoft products.
Middleware & Identity Management Program at ODU
New in MIDAS: Organizations
If you're the leader of a department, office, program or other business unit, you and your chosen delegates will gain access to a new control panel in MIDAS: Organizations.
From this interface, you can manage MIDAS's understanding of your business unit and its members. Including people in the Organization keeps their accounts active and grants them the permissions relevant to your unit.
Secure by default and obvious: The IDM/Middleware group has developed several security and compliance controls. These controls should be non-intrusive and work with the most common use cases to enhance the user experience instead of presenting roadblocks. If a control is a hindrance, users will avoid or bypass the control simply to get their work done.
Reuse code and processes: Nothing should be developed with only one use case in mind. As applications or features are developed, future uses should be accounted for and exceptions should be assumed. Libraries should be built instead of specialized applications.
Engineered complexity brings flexibility: Not every use case can be accommodated during development. Spending the extra time to create a deeply controllable system allows unknown use cases and problems to be solved without significant rewrites or single-problem solutions.
Single Sign-On First: All applications should be centrally authenticated through the SSO system to provide portal support and a clean, consistent user experience.
Best practice adoption: By leveraging existing frameworks (Sec-501, ISO 27000, NIST-800 series) and best practices (NIST-800, Internet2 policies), we can have a robust IDM Program.
We can't do this alone: The IDM/Middleware group is only as good as the other groups and units in the University. We use their data, we build upon their work, and we express their work through new channels. Communicating needs, accommodating changes and challenges, and working with others to achieve common goals is key to a functional IDM Program.
Self-Improvement: When we assume that code will always run, we are left with rotting code and problems for tomorrow. Occasionally refactoring existing code leads to efficiencies and helps keep processes relevant and robust.
Unified Account ID: MIDAS was created when users had both faculty and student accounts. These accounts were (and are) separate in some systems, with MIDAS laid on top of them to provide consistent credential management. Our goal is to remove or minimize the continuing need for multiple role-based accounts and unify them under the single MIDAS ID. This has been a driving force behind several IDM projects as well as a guiding principle when integrating new systems.
Paperless Account Request: ODU still partially relies on paper/PDF-based account requests in special cases. MIDAS 2.0 introduced an online account request process which is currently being enhanced in MIDAS 3.0 to include the remaining paper use cases. The goal is to unify the account request process into a single online path which can then be enhanced for automation, auditing and reporting.
Ubiquitous Single Sign-On: Most campus logins are already occurring through Monarch-Key, but there are still a few systems not under Monarch-Key. The goal is to have a single login everywhere on campus. Nearly every month, services are added to Monarch-Key and as replacements or upgrades present themselves, holdouts are migrated.
Enhanced Account Security: IDM has become the cornerstone of cloud-based security strategies. Attacks on credentials are becoming more common as services and applications move to cloud infrastructures. We have already made significant strides in protecting these applications by taking an SSO-first approach (which minimizes the credentials stored in hosted applications) and by deploying two-factor authentication on SSO. Additional steps are underway to include user notifications, behavioral analytics of login behavior and expansion of the two-factor deployment.
MIDAS as a Service: Over the past few years, MIDAS has been transitioning from a standalone website to an API-based model. This has already shown benefit with the SSO password change feature of Monarch-Key, but we are looking to expand and extend this capability throughout MIDAS. It is our goal that students should only have to go to MIDAS during initial setup, or never at all, while still receiving all the same benefits of MIDAS. Faculty, staff and administrators will still use the MIDAS website primarily for administrative needs.
Enhanced SSO Disaster Recovery: Monarch-Key is resilient to outages of its supporting systems, but as long as it remains hosted on campus, there are critical dependencies that cannot be removed. IDM is currently undertaking projects to provide highly available, cloud-capable data sources for Monarch-Key, which will enable a hybrid or completely hosted Monarch-Key deployment.
Affiliate Management: MIDAS and Monarch Profile Manager both need to identify and support users with ancillary associations to the University. Several projects have been completed, and several more are currently in the works, to provide first-tier support for various affiliates throughout campus.
Old Dominion University's identity management (IDM) program started in 2003 when the security group, along with developers from the database support group and others, developed the initial MIDAS application. MIDAS became the cornerstone of ODU IDM's strategy, receiving nearly quarterly updates and major revisions every five years. MIDAS has adapted to changing technologies and emerging trends to support the university's needs, and today manages nearly all University-operated systems.
In 2008, we adopted a Single Sign-On (SSO) approach to provide a consistent login experience across all University services. Since then, SSO has expanded from the initial five services to over 180 applications, hosted both locally and in the cloud.
In 2014, Middleware became an additional focus of the IDM group, and development efforts were re-prioritized to include directory data management and cloud compatibility. A Directory Manager was created and an ESB was built to support exposing local APIs as well as to foster cloud-to-cloud integrations between our hosted applications.
The IDM program has been guided by several external and internal factors. State policies, such as Sec-501, had many IDM-related requirements, and later on, with the adoption of ISO 27001, additional requirements had to be met. Additionally, the changing technology landscape required IDM to develop additional features or change methodologies to provide end users and applications the best level of support possible while keeping costs as low as possible.