Executive Summary

...

Lafayette College is a TIER investor campus and the three major TIER components (Shibboleth Identity Provider (IdP), Grouper, and COmanage) are central to its identity management program. Striving for consistency among its identity and access management (IAM) processes and deployment architecture made Lafayette interested in the TIER packages as a path to upgrade component software versions.

...

A community of practice grew around the TIER Campus Success Program and was one of the most valuable outcomes for the participating institutions.

Solution Summary

...

Lafayette’s existing IdP implementation included the shib-cas-authenticator to delegate authentication to CAS. Unicon modified the Shib-CAS plugin to add support for MFA signaling, then made it available in the Docker image. The Docker image, built locally on each node, contained local configuration files, including the plugin .jar file. An orchestration platform wasn’t necessary because of the small size of the deployment. Internet2 Subject Matter Expert (SME) Paul Caskey helped identify the cause of a Java heap space problem that carried over from the previous deployment into the new one. The new nodes were initially slow to respond because the Docker service was pointing at Google DNS rather than Lafayette’s own DNS servers. A Duo MFA roll-out shortly before the IdP deployment revealed a misconfiguration in the Shib-CAS plugin’s REFEDS MFA Profile support that prevented certain users from accessing web single sign-on. Working with a consulting partner and the responsiveness of the SMEs were instrumental to success. The project contributed optional capabilities and configuration fixes back to the TIER packaging.

Training by Evolveum (the midPoint developer) provided familiarity with operating midPoint, but Lafayette had unexpected challenges configuring connectors during installation. Connecting an LDAP resource required that the RootDSE be exposed. The resource creation wizards generated broken XML schema files, and the OpenLDAP and Active Directory resources couldn’t provision DNs. Modified example files allowed an account disabled in midPoint to be administratively locked in LDAP and AD. Reconciliation was also run to resolve inconsistencies between midPoint and the directories. Because of a shorter than planned timeline, Lafayette considered integrating midPoint between the Accounts Workflow’s back-end database and LDAP rather than as a replacement for the entire system; timing factors prevented this. The Banner Identity Provisioning Working Group members, the Data Structures/APIs SME, and the Campus Success Program (CSP) institutions evaluating or integrating midPoint formed a nascent repository of midPoint knowledge within TIER.

TIER Feature Supported

...

Shibboleth Identity Provider (IdP)

midPoint

Collaborators

...

Lafayette College: Janemarie Duh, Identity Management Architect; Bill Thompson, Director Digital Infrastructure; Carl Waldbieser, Systems Programmer

...

Internet2: Paul Caskey and Chris Hubing

Community resources

...

The Internet2 TIER Slack channels facilitated collaboration among Lafayette, Internet2 staff, and SMEs. Internet2 also created a designated Slack channel for Lafayette and an Internet2 SME to use in solving a problem that carried over from our previous VM-based IdP deployment. Lafayette used the Internet2 TIER Slack channels heavily to engage with SMEs for help in overcoming roadblocks with integrating midPoint with our enterprise directories (OpenLDAP and Active Directory). The Banner Identity Provisioning Working Group, launched within the CSP, gave Lafayette the opportunity to establish working relationships with colleagues at institutions that also use Banner, an enterprise resource planning (ERP) system for higher education.

Supporting media

...

Lafayette student EXCEL Scholar: https://tiny.cc/lafayette_research

...