Understanding GatorLink and UFID at the University of Florida

The University of Florida (UF) relies on a comprehensive identity management system to grant access to various resources and services. Two key components of this system are the GatorLink account and the UFID. This article will explain what GatorLink and UFID are, how they are used, and how they contribute to the overall security and access management at UF.

What is a UFID?

The UFID, or University of Florida Identification number, is an eight-digit number that serves as a unique identifier for all university faculty, staff, students, DSO (Designated School Official) staff, and other UF affiliates. This automatically generated number identifies individuals for all services at UF.

Key features of the UFID:

  • Unique Identifier: Each person affiliated with UF, past or present, receives a unique UFID.
  • Non-Revocable: The UFID is permanent and does not change.
  • Opaque: The number itself does not contain any inherent meaning or personal information.
  • Central to Identity Management: All systems at UF must use the UFID as the primary person identifier.

How is a UFID Assigned?

The UFID is assigned through the UF Identity Registry, which is the single, authoritative source for contact information about individuals affiliated with the university.

  • Student Applicants: Student applicants are issued a UFID upon completion of their application.
  • New Hires: UF Human Resources assigns UFIDs to new hires.
  • Directory Coordinators: Authorized University employees, known as directory coordinators, enter information into the directory, which triggers the issuance of a UFID.

When contact information about a particular person is entered using the "Add Person" function (e.g., name, date of birth, address, organization UFID, etc.), the UFID assignment software will alert you if that individual already has a UFID.

Where is the UFID Used?

The UFID is present on the GATORONE card, the university's photo ID. The GATORONE Card gives you access to gated parking, libraries, computer labs, vending, Gator Dining, recreation centers, and many other places and services at UF. The GatorLink VPN is required for virtual library access for those working off campus.


Important Considerations Regarding UFID:

  • Privacy: Identifiers, including Social Security numbers and UFID numbers, are not to be displayed with grades.
  • Contact Information: It is crucial to ensure that your contact information in the UF Identity Registry is up to date. You can do this by logging on to one.ufl.edu with your GatorLink username and password and navigating to My Account > Update My Directory Profile in the myUFL portal.
  • Display Name vs. Legal Name: The Legal Name is your official name as it appears on official documents. The Display Name is what you want people to see in the UF Directory (online phonebook).
  • Publishing Information: You can choose to have your Local Home and Permanent Home data set to ‘Publish’ or ‘Do Not Publish’ in the UF Identity Registry. If you select ‘Publish’, your personal contact information can be made available in public directories. If you select ‘Do Not Publish’, your personal contact information remains unpublished. Your SSN is never published by the University of Florida. Work address information will be published for UF employees.

What is GatorLink?

Your GatorLink username is defined by you. Together with its password, it forms the credentials that you will use to access all UF services. It is associated with your UFID but is used for access to digital services rather than for identification. Started in 1997, GatorLink provides a reduced sign-on (RSO) environment for UF computer users. Originally based on Kerberos, GatorLink usernames and passwords have expanded and transformed to be the one set of credentials used by most university systems. In 2002, GatorLink was named as the standard credential for enterprise systems. Policy defines who can get a GatorLink, how GatorLinks expire, how passwords must be defined and how often passwords must change. Password policy is defined by a user's security roles. Each role has a password policy. A user's credential has the highest password policy associated with any of the user's roles. GatorLinks are assigned via self-service.

GatorLink Single Sign-On (SSO)

The GatorLink Single Sign-On (SSO) is a feature that has existed for several years in the myUFL Portal and was extended to non-Portal applications. This feature generally allows an application that the user is logging on to to verify the person's credentials based on the current browser session and information stored at the Identity Service Provider (IdP). If a user has already logged on to a GatorLink-protected application, the user may be allowed to sign on to subsequent applications within the same browser session without re-entering the GatorLink username and password. The GatorLink IdP software is aware of the browser session and in many cases will pass credentials to the second, third, etc. application started within the specific browser session. Once the browser is closed, all applications within that browser are closed and require new credentials (i.e., re-entering your GatorLink credentials) to return to the application. The GatorLink SSO feature allows users to work on enterprise, college and department-level applications without continually being asked for their credentials.

Importance of Strong Passwords and Multi-Factor Authentication

The university requires a secure and reliable method of identifying members of its community for access to electronic data resources. Your online accounts, including your GatorLink, hold a plethora of personal information that could allow hackers access to your files, money, or identity, as well as those of your school or employer! The first step in protecting yourself from these attacks is following sound password practices. A good idea for creating strong passwords is to combine a letter (or a few letters) from each word of a memorable phrase. Once you have created a strong and unique password, safely storing it is critical. One way to store your passwords is through a Password Manager (PM). PMs are applications that allow you to safely store your passwords and encrypt them, making them difficult for attackers to access. Setting up a strong password is a great first step in securing your accounts. However, it is not the only step you can take! If you are reading this, you are likely familiar with Multi-Factor Authentication (MFA) with Duo Mobile. Using MFA adds an additional layer of protection. Configuring MFA on your personal accounts can be a critical choice in protecting your accounts from compromise.

Identity Assurance Profiles (IAP)

Identity Assurance Profiles establish multiple levels of assurance for electronic identities, with attributes and requirements for their issuance.

  • UF FISMA Moderate: Offers a federally compliant, FISMA Moderate certified proofing and identity level. The user has been certified by UF proofing agents, possesses Multi-Factor Authentication (MFA) capable credentials and has had no events that put those credentials at risk since the most recent proofing. This level is intended to comply with requirements for the NIST Level of Assurance 3 for credentials. UF FISMA Moderate identities are assigned a UF Password Complexity level of P6. Only qualified workforce members as defined in the UF FISMA Moderate Proofing Procedure may be assigned a UF FISMA Moderate profile.
  • UF Blue: Offers a high level of assurance that an identity maps to the appropriate person.
  • UF Bronze: Is the default profile for active students, employees, and workforce members.
  • UF Basic Affiliate: This level is granted to anyone who has self-asserted their identity, or whose identity is known by virtue of UF-entered directory affiliations and the minimal attributes for this IAP. Examples include student applicants, library patrons, and self-registration through a Learning Support System (such as to complete non-credit courses).
  • UF Guest: Is a short-term temporary access level, for visitors to the UF campus who require temporary access to minimal services. Guests are not eligible for a permanent GatorLink ID and not listed in the IdM directory registry.

Service Providers

A Service Provider is any service that uses information from the central identity registry to authenticate and authorize users. Examples of technologies that incorporate information from the central identity registry for use by Service Providers include: Shibboleth, UF Active Directory, UF LDAP, and UF Kerberos. Inclusion in the central identity registry provides no assurance of a person’s standing with the university. Service Providers should use appropriate authorization techniques and attribute assertions available from the UF identity provider to verify that users are eligible to access the provided resources. Service Providers should not use any login screen that is not provided by the central identity provider at UF. Exceptions to this may be granted after review of a Service Provider's specific situation.
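The point above, that a successful login or a registry entry is not proof of eligibility, can be shown as a deny-by-default check on asserted attributes. This is an added example, not UF's or any Service Provider's own code. It assumes the identity provider releases uid and eduPersonScopedAffiliation, uses a hypothetical iapProfile attribute carrying the profile names listed above, and assumes those profiles rank from UF Guest (weakest) to UF FISMA Moderate (strongest).

```python
from dataclasses import dataclass

# Profiles named on this page, weakest first. The ordering is an assumption.
IAP_RANK = {"UF Guest": 0, "UF Basic Affiliate": 1, "UF Bronze": 2,
            "UF Blue": 3, "UF FISMA Moderate": 4}

@dataclass(frozen=True)
class Policy:
    affiliations: frozenset  # affiliations the application serves
    scope: str               # scope the affiliation must carry
    min_iap: str             # lowest acceptable assurance profile

def values(attrs, name):
    """Normalize an asserted attribute: it may be absent, a string, or a list."""
    v = attrs.get(name)
    if v is None:
        return []
    return [v] if isinstance(v, str) else list(v)

def authorize(attrs, policy):
    """Return (allowed, reason). Deny unless every required assertion is present."""
    if not values(attrs, "uid"):
        return False, "no authenticated principal"
    held = set()
    for item in values(attrs, "eduPersonScopedAffiliation"):
        affiliation, sep, scope = item.partition("@")
        if sep and scope.lower() == policy.scope:
            held.add(affiliation.lower())
    if not held & policy.affiliations:
        return False, "no eligible affiliation asserted"
    # "iapProfile" is a hypothetical attribute name; unknown values are ignored.
    ranks = [IAP_RANK[p] for p in values(attrs, "iapProfile") if p in IAP_RANK]
    if not ranks or max(ranks) < IAP_RANK[policy.min_iap]:
        return False, "assurance profile too low"
    return True, "ok"

# Constructed sample assertions (not real accounts or real UF attribute values).
POLICY = Policy(frozenset({"student", "staff"}), "example.edu", "UF Bronze")
SAMPLES = {
    "active student": {"uid": "alice", "iapProfile": "UF Bronze",
                       "eduPersonScopedAffiliation": ["member@example.edu", "student@example.edu"]},
    "registry entry only": {"uid": "bob"},
    "guest": {"uid": "carol", "iapProfile": "UF Guest",
              "eduPersonScopedAffiliation": "staff@example.edu"},
    "foreign scope": {"uid": "dave", "iapProfile": "UF Blue",
                      "eduPersonScopedAffiliation": ["staff@other.example"]},
}

if __name__ == "__main__":
    for label, attrs in SAMPLES.items():
        print(label, authorize(attrs, POLICY))
```

Only the first sample is admitted; the other three authenticate successfully but fail authorization for different reasons.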


Department Security Administrators (DSAs)

Each department can have multiple DSAs, and for role requests any DSA can make requests. Yes, the old ARS system was able to support multiple DSAs with equal responsibility within a department, but SailPoint IdentityNow uses a more conventional single-manager model, where each person has a single manager within the system. In this case, please reach out to UFIT Identity and Access Management. UFIT IAM worked with the HR Liaisons to determine who should be Primary DSA for each area in the run-up to our launch of the new system. Not necessarily, but having multiple DSAs per department is recommended. In situations where a Primary DSA is going to be unavailable (vacation or other planned leave), the Primary DSA can set automatic reassignment to another appropriate DSA for the duration of their leave using the steps provided here in the HR Toolkit. Please note this will ONLY reassign new certifications. Any change to a UF employee’s department ID or Job code in UF’s HR data will generate a Mover certification.

Access Management and Roles

Access to enterprise systems is controlled by roles assigned to users. Roles are assigned to users algorithmically according to policy via synchronization processes from the UF Directory. Manual requests for roles can be made via Department Security Administrators through the Access Request System (ARS) in PeopleSoft.

SailPoint IdentityNow

In SailPoint, Entitlements must be approved as part of the certification process. Now, what’s left will be the Requestable Roles - this is where we ask you to spend time scrutinizing the requested access that may no longer be needed or appropriate. When someone moves between primary departments (e.g. leaving one dept for another), typically the Primary DSA of the department that the person is leaving will be assigned the certification. Only the person’s Primary DSA will be notified upon creation. In the fly-out, enter the UFID of the person you wish to reassign the certification to (make sure the person you are reassigning to is a DSA), then select their name once found.

An illustrated guide to using other features of the "Access History" tools in SailPoint can be found in the HR Toolkit for Security Roles here. Now search for the person using their SailPoint display name (typically chosen last name, chosen first name [middle name if set]). Now, you will see two date boxes. In the left-hand box, select a date BEFORE the access was lost. Now you will see "Compare Access Details", which will show how many Roles and Entitlements have been lost and added in the time period you specified. Now you will see a list of Roles that have been removed during the time period in red.

UF Directory

The UF Directory is currently a mainframe application with data residing in a collection of 145 locally developed DB2 tables. Service queues are used to slave Directory, Authentication and Authorization systems to the UF Directory.


Policy Regarding UF Directory

All individuals associated with UF must be in the UF Directory. All faculty, staff and students must maintain current contact information in the UF Directory.

Libraries

The Libraries offer UF students many amazing options for research, including online resources. Explore the digital research materials, connect with librarians who can help, and discover the online world of the George A. Smathers Libraries. UF has access to over a thousand databases, so there are plenty of options to help you find sources and materials for research. A database is a searchable collection of academic and informational material. However, if you’re unsure where to begin, using the Primo search tool is the best way to kickstart your research. If you are interested in finding primary sources online, check out UF’s digital collections. Manuscripts, archives, books, maps, newspapers, photographs, and more are available to UF students, with over seventy-eight thousand subjects covered. Finding aids can help you browse through these digital collections and archives to find exactly what you’re looking for. The Library Research Basics Guide was created to help students start doing research. If your research is still stumping you, try referring to the research guides created by UF librarians. Don’t forget - there are also subject librarians who all specialize in different fields of study, so don’t be afraid to ask for help!
