Fordham University has considered a better solution for access control for several years, as a home-grown system has become increasingly difficult to maintain. Recent IT audits have cited the need for a better system for account and account permission deprovisioning. A previous attempt to deploy a new solution was not adequately resourced and did not have the necessary breadth of support within the university for success.
Fordham decided to join the 2020 Collaboration Success Program (CSP) to develop a new role-based access control system, taking advantage of the provided training, access to experts, and peer collaboration. The four-month time frame would impose the deadlines and incentive needed for a quick win proof-of-concept, which was the first of two phases in the university’s plan.
The participants decided to implement both Grouper and midPoint as part of their solution.
An unexpected prerequisite to integrating Grouper was reworking all of the roles defined in Banner into more functional and organizationally driven roles. This allowed the Banner data to be connected with the roles defined in Grouper. Project members successfully connected Grouper to LDAP and to the Shibboleth single sign-on system.
With Grouper successfully deployed, the university explored using midPoint to help with provisioning, but experienced problems with the integration of Grouper and midPoint. Fordham contracted with its partner Unicon to help solve that problem. As of the end of the CSP, midPoint was successfully pulling data from Banner tables, but Fordham and Unicon continue to work on setting up the configuration to push the data from midPoint into LDAP.
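The flow described above, reworking raw source-system records into functional roles, deriving group memberships from them, and pushing only the differences into a directory, can be sketched in a few functions. The block below is an added example, not code from the Fordham project, Grouper or midPoint; the Banner-style column names, the role policy and the sample records are all constructed for illustration. The point it makes is the one the audit raised: when the source of truth no longer grants a role, the same reconciliation that adds memberships must also remove them.

```python
"""Derive functional roles from SIS-style records and compute the
membership delta (adds and removes) against the current directory state.
Hypothetical data model and policy; not Fordham's, Grouper's or midPoint's code."""

# Constructed sample of a Banner-style affiliation extract (hypothetical columns).
SIS_RECORDS = [
    {"id": "u1001", "status": "ACTIVE", "affiliation": "STUDENT", "dept": "CS", "level": "UG"},
    {"id": "u1002", "status": "ACTIVE", "affiliation": "EMPLOYEE", "dept": "CS", "job": "FACULTY"},
    {"id": "u1003", "status": "ACTIVE", "affiliation": "EMPLOYEE", "dept": "LIB", "job": "STAFF"},
    {"id": "u1004", "status": "TERMINATED", "affiliation": "EMPLOYEE", "dept": "CS", "job": "STAFF"},
]

# Constructed snapshot of what the directory currently holds; u1004 is a stale entry
# that was never deprovisioned after termination.
CURRENT_DIRECTORY = {
    "member": {"u1001", "u1002", "u1004"},
    "employee": {"u1002", "u1004"},
    "staff": {"u1004"},
    "org:cs": {"u1001", "u1002", "u1004"},
}


def derive_roles(rec):
    """Map raw attributes to functional/organizational roles (hypothetical policy).

    An inactive record yields no roles at all, so every membership that
    depends on it is scheduled for removal by the reconciliation below.
    """
    roles = set()
    if rec["status"] != "ACTIVE":
        return roles
    roles.add("member")
    if rec["affiliation"] == "STUDENT":
        roles.add("student")
        roles.add("student:" + rec["level"].lower())
    elif rec["affiliation"] == "EMPLOYEE":
        roles.add("employee")
        roles.add(rec["job"].lower())  # faculty / staff
    roles.add("org:" + rec["dept"].lower())
    return roles


def desired_memberships(records):
    """Build {group: set(ids)} from the source of truth."""
    groups = {}
    for rec in records:
        for role in derive_roles(rec):
            groups.setdefault(role, set()).add(rec["id"])
    return groups


def provisioning_delta(current, desired):
    """Return (adds, removes) per group; removes is the deprovisioning half.

    Groups are taken from both sides so a group that exists only in the
    directory is still reconciled (its members are removed).
    """
    adds, removes = {}, {}
    for group in set(current) | set(desired):
        have = current.get(group, set())
        want = desired.get(group, set())
        if want - have:
            adds[group] = want - have
        if have - want:
            removes[group] = have - want
    return adds, removes


if __name__ == "__main__":
    adds, removes = provisioning_delta(CURRENT_DIRECTORY, desired_memberships(SIS_RECORDS))
    for group in sorted(adds):
        print("ADD   ", group, sorted(adds[group]))
    for group in sorted(removes):
        print("REMOVE", group, sorted(removes[group]))
```

Run as a script it lists the memberships to add for the newly active staff member and the removals for the terminated one; a real connector would apply each set to LDAP or Active Directory and log both halves, since the removals are what an audit of deprovisioning will ask for.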
Fordham met most of the project goals by the end of the CSP, with testing and the move to production still outstanding. The project team will continue to work on a more efficient integration between Grouper and midPoint, and to complete the flow into both Active Directory and LDAP. At that point, everything can move to production.
Fordham cited context switching and competing demands from other campus projects as the biggest challenges during the four-month CSP. Switching among different projects resulted in lost focus and a continual stop/start. The COVID-19 pandemic and unplanned campus needs and priorities prevented both the resource allocation and focused commitment needed to fully complete the project (moving to production).
- The main benefits from CSP were getting information on Grouper and midPoint and help with troubleshooting from community experts and Unicon.
- The CSP program, along with our pre-existing support relationship with Unicon for SSO, helped things move faster.
- The biggest challenge was context switching and competing demands from other campus projects.
- Responding to the COVID-19 pandemic required resources originally planned for this project.
Fordham is a Jesuit university in New York with 16,000 students, classified as “Research - Very High Activity” in the Carnegie classification. The IAM program runs in a hybrid cloud environment, with some components hosted on AWS and a cloud management system built around Active Directory, LDAP, and Azure Active Directory.
Project Team: Joli Patino (Fordham), Gerald Salvador (Fordham), Karl Bajenting (Fordham), Kevin Muller (Fordham), Chris Hyzer (UPenn), Unicon