Executive Summary

<Jessica to write after meeting>

Solution Summary

Track: Managing Access

Trusted Access Platform Components: Grouper

Project Team: Pascal Cantin, Chris Russel

Community Collaborators: Chris Hyzer, Chad Redmond, Bill Thompson, Chris Hubing, Erin Murtha, Laura (UNC-Charlotte)

The Environment: <what is unique about your environment? i.e. small/large school, small/large team, includes hospitals, etc.>

Benefits to Organization: 

  • Reducing required time to complete access management request
  • Reassigning IT staff to activities that provide more value to the organization.

The Project

Problem Statement:

Our legacy IAM solution (Passport York) has reached some of its limits in terms of group provisioning (e.g. automatically provisioning access to AD and Azure AD resources), so that we rely more and more on ad-hoc scripts and manual interventions to try to keep up.

Impact Statement:

Reduced productivity resulting from the increase in manual work required by the university's various IT departments to fulfill access management needs.

Scale: Medium to large

Scope:

  • Deploying Grouper and Docker into production
  • Importing necessary attributes and memberships from SIS and PY
  • Provisioning groups and access into AD and Azure AD
  • Developing framework for future reuse

Risks:

  • Developer availability is not yet confirmed, which could scale back the scope of this project.
  • No Docker infrastructure supported by IT

The Solution

Grouper: An open-source access management solution that can provide automatic group provisioning based on a person's attributes, roles or memberships.

The Result

Initial Plan:

  • Grouper PoC installation and configuration: Jan/Feb 2020
  • Validate Grouper PoC with various IT groups: Feb/Mar 2020
  • Deploy Solution production: Mar/Apr 2020
  • Decommission existing scripts: Apr 2020

Actual Implementation:

<how did that go?>

Conclusions & Lessons Learned

Success Metrics:

  • Decommissioning scripts that are currently used as a passable stop-gap
  • The solution can be reused to allow automatic group provisioning to as many directory services and applications at the university as possible (e.g. AD, Azure AD, LDAP and Passport York)
  • Replacing suboptimal process of group provisioning inside PY
  • Reducing the amount of manual activities by IT for access management

<conclusions & lessons learned>

--------------

Notes:

Results
- finished the POC, understanding of third party to help with the implementation
- no plans to move to production
- RFP going on simultaneously, RFI
- main goal was to understand the tools and understand the mindset of open source
- staff internally with open source
- current IAM system is homegrown,
- got what they wanted in the POC, decided not to go to production
- COVID and remote work are postponing it, cyber incident
- positive, community is big
- if they decide to go forward, need to be a big factor in the community to get their features in
- more involvement gets you the features you want, requires you to give with the community
- expertise of building the team, CISO is still building servers
- local help in the Toronto area
- study to see what is going on, TechEx was good to see how things work behind the curtain, too much information
- key takeaway - how the community works
- access management: midpoint, shib, and grouper
- access to the SMEs, so far in Docker
- system was prone to decentralization, move to centralization
- already have Shibboleth, eduroam
- not much in the open source world for PAM
- Grouper has limitations of connectors, use case was provisioning to O365, liked the deployment guide
- deploying grouper on docker for dummies helps
- team worked to spin up what they need
- provisioned everything except O365, fundamental piece
- community at work
- Bill Thompson
- York doesn't have any money anymore, border and travel effects, a lot of uncertainty
- remote and then labs
- possibly consider another round of CSP with a more concrete scope, signed up before here, was onboarded via Internet2
- scope of engagement changed a few times
- CIO is fan of open source
- midPoint is one of 2 CSPs, 6-8 months
- community resources to put into production are not there
- getting feet wet and knowing what's going on
- other Canadian universities
- ACAMP & Duke presentation
- this program gets the ball rolling & then it's up to universities to keep it rolling

Lessons Learned
- keep the scope small
- putting it into production means supportability, that's not going to happen, needs to be a team
- keep it in the back pocket, Grouper may be good for a special use case

Challenge
- not funded to replace the old system, building the new
- IGA & IAM

Scope
- mail-enabled groups vs. non-enabled groups, Grouper won't do via external connector from Unicon
- no framework for future reuse

- were supposed to have developer assigned, but the developer got reassigned
- Docker infrastructure was managed by user guide from grouper

- midPoint has other options, TAP wants it containerized
