
Track: Lifecycle Management

Trusted Access Platform Components: MidPoint

Project Team: Patrick Landry, Brian Dore, Kin Cheung, Jeremy Schambaugh, Gene Fields

Community Collaborators: Matt Economou, Keith Hazelton, Erin Murtha; the entire team was very helpful

The Environment: a medium-sized school (15,000 students) with an extremely small (minuscule) staff; a Banner school

Benefits to Organization:

User Community

  • End users will benefit due to the improved efficiency of the provisioning/deprovisioning process. In the future having a modern IdM platform will allow us to offer additional services such as audits and self-service to customers outside of OIT.

Office of Information Technology

  • Timely deprovisioning provides increased security
  • Robust logging and audit reports will improve security and aid in troubleshooting
  • Commercial-grade product with support will reduce risk associated with staff turnover and increase reliability of the provisioning/deprovisioning process
  • The success of this project will provide a base for future implementation of Grouper and COmanage

The Project

Problem Statement:

User provisioning to systems outside of Banner (and removing users from those systems) is currently driven by a set of home-grown scripts and processes. While user provisioning is generally done in a timely manner for new constituents, provisioning for returning users and deprovisioning remains troublesome. In addition, when user provisioning does fail it is not always obvious why it failed. The current process is also highly dependent on a single individual for modifications and maintenance. This exposes the process to significant risk due to staff turnover.

Impact Statement:

This project will provide a stable, reliable, maintainable platform for provisioning and deprovisioning.

Scale and Scope:

  • Internal OIT project executed by UCSS
  • 9 month timeline concurrent with CSP
  • UCSS and ITSO departments will be responsible for execution of the project
  • 6-8 staff members will be involved in the implementation

The Solution

While many Identity Management (IdM) systems exist, few of them are designed for the educational environment. Educational institutions place specific demands on an IdM system which are not necessarily encountered by other types of businesses such as

  • Frequent provisioning/deprovisioning
  • Many user cohorts with varying levels of access to systems and resources
  • The potential for multiple, fluid affiliations for each user
  • Fine-grained access control to resources
  • Robust Self Service features
  • Continuing affiliations for all users forever

Over the past several years the Internet2 community has collaborated to develop open-source software packages supporting identity and access management. The Trust and Identity in Education and Research (TIER) program was a three-year initiative (2016-2018) to provide enhancements and sustainability for community-driven identity and access management software and services. The TIER software is now the InCommon Trusted Access Platform (TAP).

By adopting the TAP suite we will gain support from a community of like-minded institutions. This collaboration will provide access to resources that are otherwise unavailable to us due to lack of staff.

We have decided to implement midPoint as a provisioning engine during this project as it has wide adoption in the Collaboration Success Program (CSP) cohort, and is easily extensible via open source connectors. Support for midPoint is available from CSP SMEs, the vendor, consulting agencies, and peers.

The Result

Initial Plan:

  • Develop Architecture for midPoint Deployment by December 31, 2019
  • Deploy Development midPoint Instance by January 31, 2020
  • Deploy Production midPoint environment by February 29, 2020
  • Go Live in Production with midPoint by March 31, 2020

Internal Communications Plan (status: a team outside of the implementation team was never built; the project never got past getting provisioning working)

  • Internal team consisting of reps from
    • UCSS Management
    • UCSS Technical Services
    • CISO
    • EAS Integrations
  • Communication to campus community/stakeholders concerning the change in the provisioning process
  • Story concerning overall project/future potential

Minimum Viable Project

  • midPoint PROD on site, non-redundant - status: in test
  • Banner Connector - status: not done; issues with Ethos performance and with getting a connector
  • WinAD Connector - status: running in test
  • LDAP Connector - status: running in test (both the WinAD and LDAP connectors are running in test)

Actual Implementation:

No, the team did not accomplish what was planned.

There was an initial hard setback: a personal illness meant a team member couldn't go to midPoint training.

COVID hit, and a proposal for a support contract didn't go through.

There were lots of extenuating and other circumstances.

The team does have a test system.

The team wanted a Banner connector, which was ambitious: the Banner environment wasn't where it needed to be for that. Ethos was installed, but it wasn't performant enough; the team is working with Ellucian. They expected more Banner schools to be excited about an Ethos connector, but the preference was for SQL and BEIS.

Not listed above, but something that took a lot of time and resources: containerization consumed the team. They learned a ton, but had thought it would be plug and play and easy to concentrate on with the technical team; it delayed them.

The midPoint training wasn't so much a getting-started course as a course on how to configure midPoint; the basics were done before class started, while the team was still facing the getting-things-running phase.

The team does have a containerized test environment and does have the project up; production can be built from what is there in test. They are still tweaking and learning. midPoint is up and running with LDAP connectors; test is still in its early phases, but the team did make some progress and can move forward.

Conclusions & Lessons Learned

Success Metrics:

This project will be considered a success if we can replace the functionality of the current system with a production installation of MidPoint capable of:

  • Interfacing with Banner via Ethos Integration to receive notifications when new users are created and when relevant user attributes are modified
  • Provision users to Active Directory and LDAP based on attributes derived from Banner data

The program is fine. The advice is that it does take some time; the team knew this in their heads going in. You can't sit back and get things out: you have to have time to participate in working groups, solve problems, and ask questions, which is challenging.

You are paying to participate in a group, not to be spoon-fed; the team wanted more out of the camaraderie.

The team really enjoyed seeing what other schools were doing, but it felt splintered: not a group coming together to do one thing. People were doing things in all different ways, and every difference made it hard to connect; everyone was solving their own problems, and the part that overlapped was not as much as they had hoped.

The team knows the purpose of the program was not training, but it would have been helpful to have another week.

They found out they could have asked for more specific help from the SMEs; they didn't realize it was something that was offered. It could have helped a lot to have someone there for 5-6 hours to help; they just didn't know, and there was so much to absorb at the beginning.

Most of midPoint is configuring XML, and the training did not cover the structure of the XML files; follow-up training with the details would have helped. Then the methodology changed and having XML files wasn't needed.

They didn't want to be the person who missed something; they wanted to try, especially in an environment with highly trained, experienced admins, and were too embarrassed to ask too soon.

Right after the training, the environment was complex: it had Grouper hooked up, while the team just wanted to focus on midPoint. It was too much; there was cool stuff everywhere, and it is easy to get distracted and hard to focus when there are lots of shiny things to look at.

They had to learn the IDE, VMs, and all these other technologies, which took a lot of energy.

The staff member who was sick last time is attending this time.

The whole thing is a lot harder than they expected. They brought a lot of technical knowledge into it, and the people were incredible, but it would be hard for someone junior to come in and swim; lots of skills from

Understanding the relationship between Internet2 and Evolveum was another matter; the team were not InCommon participants.

Most peers have dedicated IAM staff; here they are generalists, which is hard to do with IAM.

What does it mean to be alumni? Training discounts for life, and never losing access to CSP peers; ping Erin, Jessica, or Bill if you aren't getting answers.

Case studies are living documents, to be updated on progress.

A shorter program gives a sense of urgency and allows teams to be more involved for a shorter period of time; a tight deadline is a benefit, though it depends on the school and how long it takes.

They weren't trying to do a complete implementation, just trying to replicate what they were doing already.

COVID threw a wrench into everything; everyone lost focus and momentum.

The current plan is to get a maintenance and support contract for consulting and implementation support; they have a quote from Unicon and have also reached out to Evolveum.

Standardized support pricing would be nice.

The AD connector is there, but no one else is using it.

It seemed so simple, but once you connect in, debugging is hard; it goes from simple to complicated really quickly.
