sfu identity management overview

June 2009!

MANAGING IDENTITY Lessons learned over 15 years of campus wide account provisioning!

IT Services / Jeremy Rosenberg!

ABOUT ME

•  Jeremy Rosenberg!•  Originally from Toronto!•  Developer in IT services since 2004!•  Identity management strategy!•  Work mostly in Java!•  Things I Love!

•  Rich data!•  Elegant solutions!•  Living in Vancouver !•  Anything built by Apple !

ABOUT SFU

•  Named after famous explorer !•  Opened on September 9, 1965!•  One University - Three campuses!

•  Burnaby!•  Surrey!•  Vancouver!

•  32,000 students !•  900 faculty!•  1600 staff!•  100,000 alumni! Simon Fraser!

1776 -1862!

ABOUT THIS PRESENTATION

•  What was the itch? !Challenge!

•  How did we scratch it?!Solution!

•  Are we still itchy?!Lessons!

Account Provisioning

Mail Lists

Web Based Activate

Web Server

Online Learning

PeopleSoft

Shibboleth Eduroam

Zimbra

•  Get clean, current data from HR and Registrar systems!Challenge!

•  Top level negotiation between IT, Registrar and HR divisions!Solution!

•  Key enabler!Lessons!

•  Offload computing account administration to clerical staff!Challenge!

•  Custom GUI to backend code!Solution!

•  A good GUI means maximized organizational efficiencies!Lessons!

ADMIN GUI

•  Leverage registrar data to create automatic course mailing lists!

Challenge!

•  Shell scripts populate lists based on course membership from account database!

Solution!

•  Rich but proprietary!Lessons!

Mail Lists

ADMIN GUI

• Use existing mail lists for access control!Challenge!

• Modified Apache authorization module!Solution!

• Enable business users to make business decisions!Lessons!

Mail Lists

Web Server

ADMIN GUI

•  Distribute Identity across systems!Challenge!

•  Lightweight Directory Access Protocol (LDAP)!Solution!

•  Watch emerging standards!•  Stay ahead of the curve!•  Trust your gut!

Lessons!

Mail Lists

Web Server LDAP

ADMIN GUI

•  Sync data to downstream systems!

•  (LDAP, Online Learning)!Challenge!

•  Update Distribution Daemon (UDD) !

•  Push Messaging System!Solution!

•  Simple requirements can change over time!

•  Today consumers require context!Lessons!

Mail Lists

Web Server LDAP

ADMIN GUI UDD

Online Learning

•  Eliminate Lineups to Activate Computing Accounts!Challenge!

•  Web-based self activation!•  Integrated into mySFU Portal!Solution!

•  Enterprise solutions need enterprise infrastructure!Lessons!

ADMIN GUI

Mail Lists

Web Server

Self Activate

Online Learning

•  Provide standards based web authentication !Challenge!

•  Central Authentication Server!•  Leverage existing LDAP directory!Solution!

•  Leverage and integrate open source applications whenever possible!

Lessons!

Mail Lists

Self Activate

Web Server

Online Learning

•  Feed account information into MS Active Directory!Challenge!

•  Learn how Active Directory works!•  Write a custom UDD handler for

Windows!Solution!

•  Take responsibility for all Identity Management situations or identities will fragment!

Lessons!

Mail Lists

Self Activate

Web Server

Online Learning

•  Integrate Account System with PeopleSoft HR and SIMS!Challenge!

•  Batch files inbound!•  HTTP messaging outbound!•  Lots of knowledge sharing!

Solution!

•  Persistence and commitment!•  Be the best to build confidence!Lessons!

Mail Lists

Self Activate

Web Server

Online Learning

PeopleSoft

•  Provide a single computing account to users with multiple roles!Challenge!

•  Introduce roles in computing accounts!•  Role based access within downstream

systems!Solution!

• Made the ID more fundamental!•  Created questions of discipline!Lessons!

Mail Lists

Self Activate

Web Server

Online Learning

PeopleSoft

Now With

Roles!

•  Share identity across institutions!Challenge!

•  Shibboleth and Eduroam implementations !Solution!

•  Keep your head up!•  Take responsibility within the

community !Lessons!

Mail Lists

Self Activate

Web Server

Online Learning

PeopleSoft

Now With

Roles!

Shibboleth Eduroam

•  Integrate accounts with large scale Zimbra implementation!Challenge!

•  The entire arsenal!•  (LDAP, CAS, Maillists, UDD)!Solution!

•  Revised notion of robustness in face of high availability requirements!

Lessons!

Mail Lists

Self Activate

Web Server

Online Learning

PeopleSoft

Now With

Roles!

Shibboleth Eduroam

Zimbra

• Granular resource access to match relationship!Challenge!

• Match user permissions to role requirements!Solution!

• CANHEIT 2011?!Lessons!

SUMMARY

•  Get clean data!•  Enable business users!•  Stay ahead of the curve!•  Trust your gut!•  Open standards when it makes sense!•  Iterative solutions!•  Be confident!•  Own it!

WORDS OF WISDOM

THANK YOU

Thank You / Merci Beaucoup!

Jeremy_Rosenberg@sfu.ca!

On behalf of!

Rob Urquhart! Frances Atkinson!Ray Davison! Steve Hillman!

sfu identity management overview

services jeremy rosenberg

account system

web servercasldappeoplesoftith

web authentication

managing identity lessons

account provisioning1995

account database

account provisioning1991

Technology

abstract - sfu

sport, nationalism and identity. cultural identity an...

sap cloud identity service overview

convocation - sfu atom home - sfu atom

wso2 identity server - product overview

phd - sfu-kras.ru

hep@sfu welcome undergraduate physicists high energy physics...

tutorial identity mixer & overview abc4trust

sap identity management...

child identity theft overview

brand identity overview

max11 sfu manual

operations research - sfu

sap identity management overview

greytower identity overview

identity theft overview

fischer identity overview

software practice overview identity

identity management landscape overview

financial economics - sfu