Standardizing Identity Management
Transcription
Standardizing Identity Management
Standardizing Identity Management Two Different Approaches from Technology and Institutional Archaeology Edward Aractingi - Marshall University Sherry Tirko, Chuck Moore, Nick Roy - Penn State Standardizing Identity Management Two Approaches • • Penn State – The Central Person Registry and Solving The Mystery of The Heterogenous Primary Appointment Marshall – Implementing Microsoft Forefront Identity Manager and Integrating With Office365 [2] © 2014 Internet2 Background [3] The Central Person Registry • Stories from “the long road to productionalization” Photo by Jill Scott, idea for title by Nate Klingenstein • • Started out with a trip to a CIC Meeting at Ohio State in 2007 Registrars, CIOs, other stakeholders decided to focus on IAM [4] The Central Person Registry • • • • • • • • • Penn State attendees including Kevin Morooney and Renee Shuey identified a need for a single source of truth for person records at the university 2008 – Formed “IAM Technical Architecture Group” as part of recommendations to VP for from Penn State stakeholders 2008-2010 – CPR requirements gathering with stakeholders 2010 – CPR implementation begins Spring, 2013 – Identity Services formed as a department to manage the CPR and related IAM systems September 2013 – CPR primed with data and in production Where we are now: October 2014 – Integrating with new PeopleSoft Campus Solutions Student System Deadline for Admissions Integration: April, 2015 Some rough edges to work out, including what to do about primary appointment, when there are (at least) 3 different HR systems at the university [5] Business Relationships – Background • Overcoming the past – Data – mine, yours, and ours – Silos [6] Business Relationships - Now • The new environment – Building trust – Data sharing – Shared decision making [7] CPR Data Flow • Real-time updates • Inbound – SOAP Web Services – CRUD operations • Outbound – JMS Queues – Change Notifications [8] Populating the CPR Data • No real-time updates • Comes in batch • Inconsistent • Overwritten daily • Has to be ‘staged’ [9] One Record To Rule Them All • Which record is ‘primary’? • Update policy – Which system has the correct data? – How do we keep systems in sync? [ 10 ] Marshall University- Background • Marshall University was faced by the same problems that many other institutions are facing • Account provisioning was automated but limited • Role management was not optimized and accurate [ 11 ] Marshall University- Legacy System • Ellucian Banner • Active Directory • A combination of sql, ProC, linux shell, and Windows shell scripts. • Original script authors no longer available • Only generated new account ID and email address, no additional attribute data. [ 12 ] Marshall University - Solution Overview • • • • Microsoft Forefront Identity Manager 2010 R2 FIM Portal Custom Banner Tables Office365 DirSync [ 13 ] Marshall University - Project Plan • Measure twice… cut once [ 14 ] Marshall Diagram Office 365 Exchange Password Reg /Reset DirSync User Accounts Ac(ve Directory User Accounts MUFIM, Windows Server 2008R2 + Sharepoint MUFIMSQL, Windows Server 2008 r2+ SQL Server MUFIMPW, Windows Server 2008 r2+ Sharetpoint Banner on Oracle RHEL Linux OS. FIM Banner Metaverse [ 15 ] New source Tables in Banner • • • • ad_person ad_person_delta ad_groups ad_groups_desc Ed Aractingi WVSTC 2014 Arac(ngi Arac(ngi Arac(ngi Arac(ngi Arac(ngi Arac(ngi MemberOf IDM-‐AMS_OFFICE365 MemberOf IDM-‐APPACCEPT MemberOf IDM-‐APPLICANT MemberOf IDM-‐BANNER MemberOf IDM-‐EMPLOYEE MemberOf IDM-‐FACULTY [ 16 ] 1 6 Banner BANNER GENERAL, HR, STUDENT SPRIDEN SPBPERS GOBTPAC BANNER ROLES AS_EMPLOYEE_PROFILE GOREMAL GOROROL GLBEXTR FIMS_AD_PERSON FIMS_AD_GROUPS_VIEW PROCESS PERSON DATA PROCESS GROUP DATA FIMS_AD_PERSON_DELTA FIMS_AD_PERSON_TMP AMS ZSASVRE FIMS_AMS_GROUPS FIMS_AD_GROUPS FIM DELTA SYNC FIM FULL SYNC FIM METAVERSE Ed Aractingi WVSTC 2014 BANNER POPSELS Credit: Maynard, B. & Enterprise Apps team [ 17 ] 1 7 The Delta Sync Process FIM delta sync agent ini(ates process If a new record is found, a delta record is wriVen to the delta table with “Add” FIM delta sync reads delta table and processes changes to metaverse stored procedure executes on staging tables If a record has changed, a delta record is wriVen to delta table with “Modify” FIM AD agent updates AD from metaverse a copy of the person table is made, then the person table is regenerated. A difference check is performed on the updated table and it’s copy For new accounts, services are provisioned based on group membership Credit: Maynard, B. & Enterprise Apps team Ed Aractingi WVSTC 2014 [ 18 ] 1 8 Username lookup – Integration w/Portal Credit: Cummings, J. & EnterpriseApps team Ed Aractingi WVSTC 2014 [ 19 ] 1 9 Workflow Exchange Server Active Directory FIM Metaverse FIM Tables Banner Entered in OnBoarding IIF(IsPresent(rawbirthdate),rawbirthdate,employeeID) Ed Aractingi WVSTC 2014 [ 20 ] 2 0 FIM Portal Ed Aractingi WVSTC 2014 [ 21 ] 2 1 Password Registration Ed Aractingi WVSTC 2014 [ 22 ] 2 2 Marshall University - Password Reset Ed Aractingi WVSTC 2014 [ 23 ] 2 3 Lessons Learned [ 24 ] Penn State- Lessons Learned • The basis for de-siloing is TRUST • Achieving IAM technical solutions can’t happen without • Establishing good relationships • Developing a shared understanding Marshall University [ 25 ] WVSTC 2014 Marshall University - Lessons Learned • • • • • Planning!!! Garbage in- garbage out Measure twice, cut once Get assistance (we use CampusEAI IDM services) It’s TEAM work Marshall University [ 26 ] WVSTC 2014 Questions / Discussion Contact Information Edward Aractingi – aractingi1@marshall.edu Sherry Tirko – slk24@psu.edu Chuck Moore – crm117@psu.edu Nick Roy – nsr11@psu.edu