Lafayette College has an institutional commitment to the TIER Campus Success Program as an investor campus. As a long-time member of the InCommon Federation, staff and leadership are actively involved in its advisory and working groups. We champion federation technologies among our peers, and the three major pieces of the TIER toolset - Shibboleth, Grouper, and COmanage - are key components of our IAM architecture.
We committed to deploying the TIER packaged version of the Shibboleth IdP and evaluating midPoint as an identity registry. Lafayette strives for consistency among its IAM processes and deployment architecture. The TIER packages will help us mature in these areas and will serve as a path to upgrade component software versions. The expected wins for us from integrating the packages into our IdMS are ease of deployment, doing things the InCommon way, and closing operational gaps.
Lafayette College is an independent liberal arts college located in Easton, Pennsylvania. It is in close proximity to both Philadelphia and New York and is accessible via the major arteries of the eastern U.S. The institution offers undergraduate programs in the arts and sciences as well as engineering within a liberal arts setting. It is a full member of the Patriot League and competes in NCAA Division 1 sports.
Lafayette is academically competitive and is a national leader in undergraduate research. Enrollment is around 2,450 students and the student body is entirely undergraduate. There are 215 full-time faculty and the College boasts a student-faculty ratio of 10.5 to 1. It is accredited by the Commission on Higher Education of the Middle States Association of Colleges and Schools.
Containerized TIER Component(s) to be implemented
☑ Shibboleth IdP
❏ Grouper Access Management Software
❏ COmanage Collaboration Management Platform
☑ Entity Registry, such as midPoint
Short Management-Level Use Case Description of Your Project
Although Lafayette College is interested in integrating and deploying all of the TIER components, our commitment to the TIER Campus Success Program is deployment of the Shibboleth IdP package and an evaluation of the capabilities of midPoint.
Lafayette College joined InCommon in 2007 and was an early adopter of Shibboleth. We run Shibboleth IdPv3 locally and recently moved to a multi-node deployment architecture to improve redundancy. The benefits we see with the TIER packaging are ease of deployment to new nodes, and default presets for configuring a Shibboleth IdP the “InCommon way”.
Our use case for midPoint is to evaluate it as a replacement for our custom-engineered identity registry. The Accounts Workflow is a set of web forms, which involve duplicate data entry, and scripts that create a digital identity and provision accounts and access in some downstream systems. We want to investigate whether midPoint could replace the Accounts Workflow and provide some identity lifecycle management, such as creation of institutional digital identities and NetID namespace management.
Acquisition of the skill set and resources required for us to support the Docker platform as part of our compute infrastructure.
Replacement of our Shibboleth IdP V3 instance, installed from a tarball on a VM, with the TIER package using Docker as the build and deployment platform. This will take place in our three environments of development, stage, and production.
Evaluation of midPoint’s capabilities in a test environment. Included in the evaluation is configuring the software to connect to OpenLDAP and Banner (HR source system). With assistance from our Enterprise Data Management Systems group, we will create views that bring the Banner identity data required to onboard employees into midPoint. We will investigate how we could use midPoint to manage our identity namespace and assign identifiers. A provisioning queue will be created to provision digital identities out to LDAP using the registry data contained in midPoint. Connecting COmanage, our source system for sponsored accounts, to midPoint is in scope but is a secondary priority.
Due to the impact on stakeholders in Human Resources and the Office of the Provost; on divisions and departments across campus; and on the processes of other departments within Information Technology Services, the production replacement of the Accounts Workflow is out of scope for this project. Careful planning and communication will be required to identify and assess dependent processes in order to be production-ready.
Sponsor: John O'Keefe, VP and CIO
Campus Success Program Contact(s): Bill Thompson, email@example.com
Communications contact: John O'Keefe, firstname.lastname@example.org
Project team members: Bill Thompson, email@example.com; Janemarie Duh, firstname.lastname@example.org
- Docker training for IAM and server admins
- Request and provision resources required to support a Dockerized IdP (End of January, 2018)
- Install IdP package in development. Implement Lafayette settings, including Shib-CAS authenticator. (March 2, 2018)
- Request and provision resources required to support Dockerized midPoint (March 16, 2018)
- Implement and deploy IdP package in stage; conduct QA with RPs (April 27, 2018)
- Install midPoint and assess capabilities, including redundancy (June 15, 2018)
- Campus Success panel at Global Summit, Lafayette et al. (May 9, 2018)
- Deploy IdP package in production (June 6, 2018)
- Integrate midPoint into the IdMS; connect to Banner and OpenLDAP (July 31, 2018)
- Employee identity data flows from Banner into midPoint (August 17, 2018)
- Report on Campus Success to liberal arts peers at CLAC annual conference (June 21, 2018)
- Investigate capabilities for namespace management and identifier assignment (September 14, 2018)
- midPoint provisions records to LDAP (October 6, 2018)
- Campus Success Panel at TechEx18, Lafayette et al. (October 18, 2018)
Constraints, Assumptions, Risks and Dependencies
It is important to be aware that we might, at times, be operating under constraints that institutional priorities and responsibilities impose.
Assumptions: The Campus Success Program is the impetus for Lafayette integrating the Docker platform into its compute infrastructure. This project is dependent upon Docker and the assumption that we will provision the necessary compute resources and develop sufficient expertise to meet its requirements.
Risks and Dependencies:
Replacing any production system, particularly one that provides access to vendor cloud services and R&S Service Providers, comes with risks. We will apply risk management principles to the changes we will make to our Shibboleth Identity Provider to minimize impact on our constituencies and maximize service uptime.
There is no risk associated with midPoint since it is an evaluation and will take place in our test environment.