The Problem

York University's legacy Identity and Access Management

Executive Summary

The main goal of CSP was to understand the mindset of open source and what’s involved, and this goal was met. The team completed a proof of concept for Grouper for access management, and decided it needed a lot more resources and planning in order to be able to complete the project and roll it out into production. A thorough understanding of what was involved in implementing another Trusted Access Platform component to production was obtained, which will inform the eventual replacement of their legacy IAM system. Overall, we learned what we were hoping to learn from the program.

Solution Summary

Track: Managing Access

Trusted Access Platform Components: Grouper

Project Team: Pascal Cantin (York), Chris Russel (York), Chris Hyzer (UPenn), Chad Redmond (UNC), Bill Thompson (Lafayette College), Chris Hubing (Internet2), Erin Murtha (Internet2), Lacey Vickery (UNC-Charlotte)

The Environment: very small team, already have Shibboleth and eduroam

Benefits to Organization: 

  • Reducing the time required to complete access management requests
  • Assigning IT staff to activities that provide more value to the organization

The Project

Problem Statement:

Our legacy IAM solution (Passport York) has reached its limit in terms of group provisioning (e.g. automatic provisioning of access to AD and Azure AD resources). More and more, Passport York relies on running ad-hoc scripts and manual interventions to try to keep up.

Impact Statement:

This results in reduced productivity, given the manual work required by the various IT departments of the university to fulfill access management needs.

Scale: Medium to large

The Solution

The project team decided to join the 2020 Campus Success Program and deploy Grouper, an open-source access management solution that can provide automatic group provisioning, based on attribute, role, or membership of a person. The team set the scope of the project as:

  • Deploying the InCommon Trusted Access Platform containerized Grouper (Docker) into production
  • Importing the necessary attributes and memberships from the student information system (SIS) and Passport York
  • Provisioning groups and access into AD and Azure AD
  • Developing a framework for future reuse

Risks:

  • Developer availability is not yet confirmed, which could scale back the scope of this project
  • No Docker infrastructure supported by IT

The Solution

Grouper: An open-source access management solution that can provide automatic group provisioning, based on attribute, role or membership of a person.

The Result

Initial Plan:

  • Grouper PoC installation and configuration: Jan/Feb 2020
  • Validate Grouper PoC with various IT groups: Feb/Mar 2020
  • Deploy solution to production: Mar/Apr 2020
  • Decommission existing scripts: Apr 2020

Actual Implementation:

The main goal of participating in the CSP was to understand the mindset of open source and what is involved in installing and configuring the software. This goal was met. The team completed a proof of concept for Grouper for access management, but decided more resources and planning would be necessary to move to production.

The proof of concept (PoC) for Grouper was completed and the team gained an understanding of the value of using a third party to help with the implementation, but there are currently no plans to move to production. Competing priorities prevented a developer from being assigned to the project.

Grouper has some limitations with connectors; one of our core use cases was provisioning to O365, which we weren't able to get working. Since it was a less common use case, it was more challenging to find people who had done it before. The team also encountered an issue with mail-enabled groups that could not be resolved.

During this round of the CSP, Docker was being deployed across the products and there was not yet a standard method of deployment across TAP components. Coming up to speed on Docker took up a fair amount of time.

Conclusions & Lessons Learned

Original Success Metrics:

  • Decommissioning scripts that are currently used as a passable stop-gap
  • The solution can be reused to allow automatic group provisioning to as many directory services and applications at the university as possible (e.g. AD, Azure AD, LDAP and Passport York)
  • Replacing the suboptimal process of group provisioning inside Passport York (PY)
  • Reducing the amount of manual activity by IT for access management

which prevented going further in the deployment process; so it was not moved to production.

One of the project team's main use cases was using Grouper to provision mail-enabled groups in Microsoft Office365. Even though we were able to provision to Microsoft Office365 groups with the help of a couple of members of the community, we encountered an issue with the provisioning of mail-enabled groups that we were unable to resolve without developing our own Grouper connector to Microsoft Office365. The project team also gained a thorough understanding of what was involved in implementing another InCommon Trusted Access Platform component to production, which will inform the eventual replacement of the legacy IAM system.

Lessons Learned

Key Takeaways:

  • Learning how the community works
  • Access management knowledge, including midPoint, Shibboleth, and Grouper
  • Access to subject-matter experts (SMEs)
  • The current system was prone to decentralization; the move is toward centralization
  • There is not much in the open source world for Privileged Access Management (PAM)

There was an RFP/RFI occurring simultaneously to investigate other options in addition to the Trusted Access Platform, and the main goal of the CSP was to understand the mindset of open source and what's involved. It was clear that one needs to staff internally to support open source. The proof of concept was enough to meet this goal, and there were competing demands on resources due to the impact of the COVID pandemic, including remote work and some internal security priorities. Therefore the decision was made not to go into production at this time.

The CSP experience was positive and we became aware of just how big the community is, and how much time a lot of the experts put into the projects to ensure that the features they want are built. The more involvement one puts into the requirements and specifications for a feature, the more likely the feature you want will get built. While there is no monetary cost for open source software, one does have to give time and effort to co-create and shape the software. At TechEx it was good to see how things work behind the curtain, but there was some information overload, and it was challenging to get a grasp on everything going on in the community in just one TechEx.

Pascal was new to York when the project started, and more resources and expertise are needed on the team. With a small team, the CISO is currently very hands-on and helps build servers. We are looking for local help in the Toronto area.

Lessons Learned:

  • Plan for and get started on Docker earlier; it took longer than expected to get that going
  • Scope can change as you learn new things
  • Keep the scope small; it is more than you think it will be
  • CSP is really helpful in getting the ball rolling; then it's up to universities to keep it going
  • Putting it into production means supportability, and a team needs to be in place to support it
  • Identity governance in higher education is very challenging
  • When looking to replace a system with a new one, plan for how to decommission the old; the transition from old to new takes additional time and planning

About York University

York University is a public research university in Toronto, Ontario, Canada. It is Canada's third-largest university with approximately 55,700 students and 7,000 faculty and staff.