Executive Summary

Fordham is a medium-sized school that was already running Shibboleth for SSO and eduroam for wireless access. The goal of this project was to implement Grouper and midPoint to manage provisioning and access based on roles. We were able to get these systems configured and running in test, but ran into complications with defining our organizational roles from Banner and mapping them to what we wanted for Grouper; once this is completed we can move to production. Our existing relationship with Unicon, in tandem with the CSP, helped us complete this project faster despite many competing priorities for our team.

Solution Summary

Track: Managing Access

Trusted Access Platform Components: Grouper, midPoint

Project Team: Joli Patino (Fordham), Gerald Salvador (Fordham), Karl Bajenting (Fordham), Kevin Muller (Fordham)

Community Collaborators: Chris Hyzer (UPenn), Unicon

The Environment: Medium-sized school with a long history and a lot of alumni, with a hybrid cloud environment and different technologies in play all the time: some services hosted on AWS, and an account management system built around LDAP, AD and Azure AD.

Benefits to Organization: 

  • Our executive director of SSIA has commissioned this effort as an approach to address audit concerns regarding account and account permission deprovisioning. This will help us to show progress before the next round of audit.
  • A renewed process for automated role-based access control (RBAC) has been desired for several years, but a formal effort has not been properly commissioned until our recent involvement in InCommon CSP.

The Project

Why are we doing this?

Our Information Technology management has been seeking an automated process to provision and deprovision entities based upon organizational data stored primarily in our Banner ERP system. An initial attempt at this was inadequately resourced, and was not seeded with a breadth of university executive stakeholder involvement, so it did not successfully achieve its desired mission. Our active involvement in the InCommon CSP cohort represents a renewed effort to approach the original goal in a staged, and better supported manner.

Problem Statement:

We are seeking a better solution to enhance our current Identity and Access Management system.

Impact Statement:

One of our IT goals is to prioritize and adjust services to improve the customer experience by increasing availability, reliability and sustainability, leading to more responsive and capable information technology services.

Scale and Scope:


For the first phase, resources are dedicated to demonstrate Grouper (and Midpoint) in a functional proof-of-concept. Once proven, we will commence with a second phase to introduce this processing into our production environment.

The Solution

Grouper and Midpoint

  • Our “quick win” proof of concept will seek to establish traditional role-based information via Grouper, replacing what is typically maintained using home-grown applications that have become increasingly hard to maintain.
  • As the Grouper portion of the effort proceeds, Midpoint will be evaluated for fit in the hybrid Fordham environment.

The Result

Initial Plan:

  • Project Phase Milestone Completion Dates
    • Initiation – 11/13/2019
    • Planning – 12/10/2019
    • Execution – 02/14/2020
    • Monitoring & Control – 03/13/2020
    • Closure – 03/29/2020

Actual Implementation:

The dates were supposed to align with the Global Summit conference, but COVID happened and they didn't. Grouper and midPoint were stood up and running; the biggest challenge was integration between the two, because it didn't work out of the box. We partnered with Unicon, with whom we have a prior support relationship on Shibboleth, and they also had some learning to do in order to help get everything working.

An unexpected prerequisite was reworking all of the Banner roles into more functional and organizationally driven roles. We need to do this first in order to connect them with roles in Grouper. We had a big success in getting Grouper connected to LDAP as well as SSO, but ran into some trouble trying to share data between Grouper and midPoint. We do have midPoint reaching out to a Banner table and pulling the data down into midPoint, and we are still working with Unicon to set up the configuration to push from midPoint into LDAP.

Erin connected us with a school that mapped their organization into Grouper using very sophisticated and complex SQL code. This was very helpful, and having more success stories or how-tos with best practices, essentially documentation from the community to use as a reference point, would also be helpful.

We met our project goals, but would like to have more efficient integration between Grouper and midPoint, beyond the original success metrics. In addition, we want to complete the flow into both AD and LDAP; when these connectors work we will be roughly 90% there on the overall goal.

Getting information from Unicon and the CSP, including help with troubleshooting, helped us move faster. We already had a relationship with Unicon, who supported our CAS deployment 10 years ago, and we added Grouper and midPoint to that support.

We are currently in test with midPoint and Grouper, and the technology is working. In order to get past test and go into production we need to get our roles solidified; we have a combination of organization-based and role-based roles.


Original Success Metrics:

When the Grouper data has been shown to be a close equivalent of the legacy solution, initial success will be declared. For example,

  • Roles in LDAP & Active Directory from Grouper can be deemed equivalent to those previously provided by the legacy application
  • Provisioning and deprovisioning are taking place as expected


Conclusions and Lessons Learned

The main benefits from CSP were getting information on Grouper and midPoint and help with troubleshooting from community experts and Unicon. The CSP program helped us move faster along with our pre-existing support relationship with Unicon for SSO. 

The biggest challenge was context switching and competing demands from other campus projects. Team members kept switching between different projects, which resulted in lost focus and a continual stop/start. We didn't get the commitment from resources that we wanted for the project, due to unplanned campus needs that were very important, including COVID, which prevented the focused commitment we would have liked.

With this erratic cadence, it was very hard to go back and forth, and when diving back into Grouper it was sometimes hard to concentrate, but we learned from a lot of different people, including community members and training instructors.

We would have liked to have a day or two early on at the face-to-face meeting to get the software up and running at the meeting. Something like a Getting Started Guide for the containerized version, with just the basic information on what needs to be configured, would also work. Discussing Docker and containerization earlier would have helped. We needed more recent information on the InCommon website and wiki; a lot of the documentation references old versions, and it was often hard to find the right directions for the right version.

We wanted to run in the cloud on AWS, and were slowed down by the documentation referencing on-premises deployments. That said, we essentially completed what we wanted to.

midPoint 4 is going completely containerized, and more communication about new releases would help; knowing it was going containerized as part of CSP would have helped us plan and choose a different direction at the beginning. Perhaps an email from Internet2 with upcoming features would help in the planning process and influence which version to take on.

For the next cohort, we would suggest spinning up the application on laptops before leaving the face-to-face meeting, so that it is possible to talk about the connectors at the F2F itself. It would also help to have the sessions recorded, both to go back and review and to see sessions that one can't attend. Recorded mini-courses, with workshop time scheduled after participants have consumed the recorded content, would help, especially since we were struggling to learn containers. For the Grouper sessions, it would be good to have the recording; the virtual box was available for 2 weeks and killed after that.

The value of CSP for Fordham was training, access to SMEs, and the connections to other schools with the same challenges.