University of Louisiana at Lafayette had a simple project to install midPoint along with connectors to pull from Banner and push out to AD and LDAP. With a very small team of generalists experienced with technology, the learning curve for IAM was much more than we expected and we sank a lot of time into containerization and other skills we weren’t expecting. Additionally, we wanted to connect to Banner using the Ethos integration, but we ran into several challenges there. Despite the slow start, we were able to get a test environment up and running with midPoint and are continuing to work on our project.
Track: Lifecycle Management
Trusted Access Platform Components: midPoint
Project Team: Patrick Landry (Louisiana), Brian Dore (Louisiana), Kin Cheung (Louisiana), Jeremy Schambaugh (Louisiana), Gene Fields (Louisiana), Matt Brookover (Mines), Keith Hazelton (Internet2), Erin Murtha (Internet2), the entire CSP team was very helpful
The Environment: Medium-sized school (~15,000 students) with extremely small staff, minuscule compared to others, Banner school
Benefits to Organization:
- End users will benefit due to the improved efficiency of the provisioning/deprovisioning process. In the future having a modern IdM platform will allow us to offer additional services such as audits and self-service to customers outside of OIT.
Office of Information Technology
- Timely deprovisioning provides increased security
- Robust logging and audit reports will improve security and aid in troubleshooting
- Commercial-grade product with support will reduce risk associated with staff turnover and increase reliability of the provisioning/deprovisioning process
- The success of this project will provide a base for future implementation of Grouper and COmanage
User provisioning to systems outside of Banner (and removing users from those systems) is currently driven by a set of home-grown scripts and processes. While user provisioning is generally done in a timely manner for new constituents, provisioning for returning users and deprovisioning remains troublesome. In addition, when user provisioning does fail it is not always obvious why it failed. The current process is also highly dependent on a single individual for modifications and maintenance. This exposes the process to significant risk due to staff turnover.
This project will provide a stable, reliable, maintainable platform for provisioning and deprovisioning.
Scale and Scope:
- Internal OIT project executed by UCSS
- 9 month timeline concurrent with CSP
- UCSS and ITSO departments will be responsible for execution of the project
- 6-8 staff members will be involved in the implementation
While many Identity Management (IdM) systems exist, few of them are designed for the educational environment. Educational institutions place specific demands on an IdM system which are not necessarily encountered by other types of businesses such as
- Frequent provisioning/deprovisioning
- Many user cohorts with varying levels of access to systems and resources
- The potential for multiple, fluid affiliations for each user
- Fine-grained access control to resources
- Robust Self Service features
- Continuing affiliations for all users forever
Over the past several years the Internet2 community has collaborated to develop open-source software packages supporting identity and access management. The Trust and Identity in Education and Research (TIER) program was a three-year initiative (2016-2018) to provide enhancements and sustainability for community-driven identity and access management software and services. The TIER software is now the InCommon Trusted Access Platform (TAP).
By adopting the TAP suite we will gain support from a community of like-minded institutions. This collaboration will provide access to resources unavailable due to lack of staff.
We have decided to implement midPoint as a provisioning engine during this project as it has wide adoption in the Collaboration Success Program (CSP) cohort, and is easily extensible via open source connectors. Support for midPoint is available from CSP SMEs, the vendor, consulting agencies, and peers.
- Develop Architecture for Midpoint Deployment by December 31, 2019
- Deploy Development Midpoint Instance by January 31, 2020
- Deploy Production Midpoint environment by February 29, 2020
- Go Live in Production with Midpoint by March 31, 2020
Internal Communications Plan
Internal team consisting of reps from
- UCSS Management
- UCSS Technical Services
- EAS Integrations
- Communication to campus community/stakeholders concerning the change in the provisioning process
- Story concerning overall project/future potential
Minimum Viable Project
- MidPoint PROD on site, non-redundant
- Banner Connector
- WinAD Connector
- LDAP Connector
We did not accomplish what was initially planned due to several unexpected impacts. There was an initial hard setback due to personal illness and a team member couldn't go to midPoint training. COVID threw a wrench into everything, everyone lost focus and momentum, and a proposal for a support contract that didn’t get funded. We never built a team outside of the implementation team and never got past getting provisioning working. There were lots of extenuating circumstances that gave us a slow start, but we do have a test system running the AD and LDAP connectors, and we learned a lot of information that will help us as we move forward.
We wanted a Banner connector, was ambitious, but our local Banner environment wasn't up to where we needed for that. Ethos was installed, but it wasn't performant enough, and we spent time working with Ellucian on it. We had expected more Banner schools to be excited about an Ethos connector, but there was a preference for SQL and BEIS.
An unexpected challenge was containerization which consumed us, we learned a ton, but initially thought it would be plug and play and it wasn’t. As a technical team, it was easy to concentrate on the details of getting the infrastructure for containers right, and this delayed us on other parts of teh project.
Additionally, the midPoint training wasn't a getting started as much as how to configure midPoint, and assumed basics were done before class started. We encountered a lot of challenges in the getting the things running phase.
We do have a containerized test environment up, and we can build it in prod with what we have in test. We are still tweaking the environment and learning, midPoint is up and running with LDAP and AD connectors, our testing is still in early phases, but did make some progress and can move forward with the information we learned and connections made during CSP.
Conclusions & Lessons Learned
Original Success Metrics:
This project will be considered a success if we can replace the functionality of the current system with a production installation of MidPoint capable of:
- Interfacing with Banner via Ethos Integration to receive notifications when new users are created and when relevant user attributes are modified
- Provision users to Active Directory and LDAP based on attributes derived from Banner data
Conclusions and Lessons Learned:
Our advice is to understand that is does take some time to do this, we knew this going on, but you can't sit back and get things out of the program, you have to have time to participate in working groups and solve problems and ask questions, which can be challenging for small teams. You’re paying to participate in a group, not to be spoon fed, and time needs to be put in to get more out of camaraderie.
We really enjoyed seeing what other schools were doing, though the differences in what we were doing felt splintered, not as a group coming together to do one thing. People were doing things all different ways and every difference meant that it was hard to connect, everyone was solving their own problems, the part that overlapped was not as much as we hoped.
We found out later we could have asked for more specific help from SMEs, and didn't initially realize it was something that was offered. It could've helped a lot to have someone there for 5-6 hours to help, but there was so much to absorb at the beginning that we didn’t know until later. We didn't want to be the person that missed something, especially in an environment with highly trained experienced admins, and felt too embarrassed to ask too soon.
Most of midPoint is configuring XML, the structure of the XML files is not covered in the training, and then the methodology changed and having XML files wasn't needed which was frustrating. Coming from a sysadmin background, we had to learn a lot of additional technologies like the IDE, and VMs, and had to spend lots of energy there.
The environment was complex, we had Grouper hooked up, but just wanted to focus on midpoint. There was too much, cool stuff everywhere, and it was easy to get distracted and hard to focus when there's lots of shiny things to look at.
The whole thing was a lot harder than we expected, we brought a lot of technical knowledge into it, and people were incredible, but it would be hard for someone junior to come in and swim. Most of our peers have dedicated IAM staff, here we are generalists, which is hard to do with IAM.
Our current plan is to get a maintenance and support contract for consulting & implementation. It seems so simple, but once you connect in, debugging is hard, and it goes from simple to complicated really quickly. Our team member who was sick is signed up for midPoint training, and we plan to move forward on the project and utilize the resources available for CSP alumni.