The Problem

The University of Louisiana at Lafayette uses identity information contained in the Banner ERP to provide access to other

Track: Lifecycle Management

Trusted Access Platform Components: MidPoint

Project Team: Patrick Landry, Brian Dore, Kin Cheung, Jeremy Schambaugh, Gene Fields

Community Collaborators: <SMEs who provided help on this project>

The Environment: <what is unique about your environment? i.e. small/large school, small/large team, includes hospitals, etc.>

Benefits to Organization: 

User Community

  • End users will benefit due to the improved efficiency of the provisioning/deprovisioning process. In the future having a modern IdM platform will allow us to offer additional services such as audits and self-service to customers outside of OIT.

Office of Information Technology

  • Timely deprovisioning provides increased security
  • Robust logging and audit reports will improve security and aid in troubleshooting
  • Commercial-grade product with support will reduce risk associated with staff turnover and increase reliability of the provisioning/deprovisioning process
  • The success of this project will provide a base for future implementation of Grouper and COmanage

The Project

Problem Statement:

... systems outside of Banner (and removing users from those systems). This is ... driven by a set of home-grown scripts and processes. While user provisioning is generally done in a timely manner for new constituents, provisioning for returning users and deprovisioning remains troublesome.

... When the process fails, it is not always obvious why ... . The ... process is also highly dependent on a single individual for modifications and maintenance ..., exposing the whole system to significant risk ... in the case of staff turnover.

...

The Solution

The University chose to join the 2020 Collaboration Success Program and implement midPoint as a provisioning engine. In choosing midPoint, the project team cited the software component’s wide adoption within the CSP cohort and its extensibility via open source connectors. Team members also noted the availability of support from CSP subject-matter experts, Evolveum (which owns midPoint), consultants, and peer organizations.

The project team cited a number of benefits for this solution, including improved efficiencies, timely deprovisioning, robust logging and audit reports, and the availability of the support noted above. The project plan states this solution

Impact Statement:

... will provide a stable, ... reliable, maintainable platform for provisioning and deprovisioning.

Scale and Scope:

  • Internal OIT project executed by UCSS
  • 9 month timeline concurrent with CSP
  • UCSS and ITSO departments will be responsible for execution of the project
  • 6-8 staff members will be involved in the implementation

The Solution

While many Identity Management (IdM) systems exist, few of them are designed for the educational environment. Educational institutions place specific demands on an IdM system which are not necessarily encountered by other types of businesses such as

  • Frequent provisioning/deprovisioning
  • Many user cohorts with varying levels of access to systems and resources
  • The potential for multiple, fluid affiliations for each user
  • Fine-grained access control to resources
  • Robust Self Service features
  • Continuing affiliations for all users forever

Over the past several years the Internet2 community has collaborated to develop open-source software packages supporting identity and access management. The Trust and Identity in Education and Research (TIER) program was a three-year initiative (2016-2018) to provide enhancements and sustainability for community-driven identity and access management software and services. The TIER software is now the InCommon Trusted Access Platform (TAP).

By adopting the TAP suite we will gain support from a community of like-minded institutions. This collaboration will provide access to resources that would otherwise be unavailable to us due to lack of staff.

We have decided to implement midPoint as a provisioning engine during this project as it has wide adoption in the Collaboration Success Program (CSP) cohort, and is easily extensible via open source connectors. Support for midPoint is available from CSP SMEs, the vendor, consulting agencies, and peers.

The Result

Initial Plan:

Roadmap

  • Develop Architecture for Midpoint Deployment by December 31, 2019
  • Deploy Development Midpoint Instance by January 31, 2020
  • Deploy Production Midpoint environment by February 29, 2020
  • Go Live in Production with Midpoint by March 31, 2020

Internal Communications Plan

  • Internal team consisting of reps from
    • UCSS Management
    • UCSS Technical Services
    • CISO
    • EAS Integrations
  • Communication to campus community/stakeholders concerning the change in the provisioning process
  • Story concerning overall project/future potential

Minimum Viable Project

  • MidPoint PROD on site, non-redundant
  • Banner Connector
  • WinAD Connector
  • LDAP Connector

Actual Implementation:

<how did that go?>

Conclusions & Lessons Learned

Success Metrics:

This project will be considered a success if we can replace the functionality of the current system with a production installation of MidPoint capable of:

  • Interfacing with Banner via Ethos Integration to receive notifications when new users are created and when relevant user attributes are modified
  • Provisioning users to Active Directory and LDAP based on attributes derived from Banner data

...

The Result

The project involved installing midPoint and connectors to pull identity data from Banner and provision accounts to Active Directory and LDAP directories. The team also determined they would connect to Banner using the Ethos integration. 

The project team found it needed information about a number of topics before beginning the midPoint deployment, including details of identity and access management technologies, such as the containerization method used with midPoint (and other InCommon Trusted Access Platform components), and of midPoint itself.

The group developed a test environment during the CSP time frame with midPoint up and running with LDAP and Active Directory connectors. However, they have not moved midPoint to production and continue to work on the Banner connector. In addition to a learning curve steeper than expected, the COVID-19 pandemic and other extenuating circumstances prevented completion of the project. The project team intends to continue the work on midPoint and the Banner connector.

Once this project is complete, the university hopes to use this experience to deploy Grouper and COmanage, two additional InCommon Trusted Access Platform components.

Lessons Learned

  • “Our advice is to understand that it takes time to do this. We knew this going in, but you can't sit back. You have to have time to participate in working groups and solve problems and ask questions.”
  • An unexpected challenge was containerization

About the University of Louisiana at Lafayette

The University of Louisiana at Lafayette is the second-largest university in Louisiana, with more than 19,000 students, offering bachelor’s, master’s and doctoral degrees. 

Project Team: Patrick Landry (Louisiana), Brian Dore (Louisiana), Kin Cheung (Louisiana), Jeremy Schambaugh (Louisiana), Gene Fields (Louisiana), Ethan Kromhout (North Carolina-Chapel Hill), Matt Brookover (Mines), Keith Hazelton (Internet2), Erin Murtha (Internet2).