sfu identity management overview

June 2009!

MANAGING IDENTITY Lessons learned over 15 years of campus wide account provisioning!

IT Services / Jeremy Rosenberg!

ABOUT ME

•  Jeremy Rosenberg!•  Originally from Toronto!•  Developer in IT services since 2004!•  Identity management strategy!•  Work mostly in Java!•  Things I Love!

•  Rich data!•  Elegant solutions!•  Living in Vancouver !•  Anything built by Apple !


ABOUT SFU

•  Named after famous explorer !•  Opened on September 9, 1965!•  One University - Three campuses!

•  Burnaby!•  Surrey!•  Vancouver!

•  32,000 students !•  900 faculty!•  1600 staff!•  100,000 alumni! Simon Fraser!

1776 -1862!

ABOUT THIS PRESENTATION

•  What was the itch? !Challenge!

•  How did we scratch it?!Solution!

•  Are we still itchy?!Lessons!


Today


Account Provisioning

Mail Lists

Web Based Activate

Web Server

UDD

LDAP

Online Learning

CAS

AD

PeopleSoft

Shibboleth Eduroam

Zimbra

1991

•  Get clean, current data from HR and Registrar systems!Challenge!

•  Top level negotiation between IT, Registrar and HR divisions!Solution!

•  Key enabler!Lessons!


1991



1995

•  Offload computing account administration to clerical staff!Challenge!

•  Custom GUI to backend code!Solution!

•  A good GUI means maximized organizational efficiencies!Lessons!


1995



ADMIN GUI

1995

•  Leverage registrar data to create automatic course mailing lists!

Challenge!

•  Shell scripts populate lists based on course membership from account database!

Solution!

•  Rich but proprietary!Lessons!


1995



Mail Lists

ADMIN GUI

1997

• Use existing mail lists for access control!Challenge!

• Modified Apache authorization module!Solution!

• Enable business users to make business decisions!Lessons!


1997



Mail Lists

Web Server

ADMIN GUI

1997

•  Distribute Identity across systems!Challenge!

•  Lightweight Directory Access Protocol (LDAP)!Solution!

•  Watch emerging standards!•  Stay ahead of the curve!•  Trust your gut!

Lessons!


1997



Mail Lists

Web Server LDAP

ADMIN GUI

1998

•  Sync data to downstream systems!

•  (LDAP, Online Learning)!Challenge!

•  Update Distribution Daemon (UDD) !

•  Push Messaging System!Solution!

•  Simple requirements can change over time!

•  Today consumers require context!Lessons!


1998



Mail Lists

Web Server LDAP

ADMIN GUI UDD

Online Learning

1999

•  Eliminate Lineups to Activate Computing Accounts!Challenge!

•  Web-based self activation!•  Integrated into mySFU Portal!Solution!

•  Enterprise solutions need enterprise infrastructure!Lessons!


ADMIN GUI

1999



Mail Lists

Web Server

UDD

LDAP

Self Activate

Online Learning

2000

•  Provide standards based web authentication !Challenge!

•  Central Authentication Server!•  Leverage existing LDAP directory!Solution!

•  Leverage and integrate open source applications whenever possible!

Lessons!


2000



Mail Lists

Self Activate

Web Server

UDD

LDAP

Online Learning

CAS

2001

•  Feed account information into MS Active Directory!Challenge!

•  Learn how Active Directory works!•  Write a custom UDD handler for

Windows!Solution!

•  Take responsibility for all Identity Management situations or identities will fragment!

Lessons!


2001



Mail Lists

Self Activate

Web Server

UDD

LDAP

Online Learning

CAS

AD

2003

•  Integrate Account System with PeopleSoft HR and SIMS!Challenge!

•  Batch files inbound!•  HTTP messaging outbound!•  Lots of knowledge sharing!

Solution!

•  Persistence and commitment!•  Be the best to build confidence!Lessons!


2003



Mail Lists

Self Activate

Web Server

UDD

LDAP

Online Learning

CAS

AD

PeopleSoft

2006

•  Provide a single computing account to users with multiple roles!Challenge!

•  Introduce roles in computing accounts!•  Role based access within downstream

systems!Solution!

• Made the ID more fundamental!•  Created questions of discipline!Lessons!


2006



Mail Lists

Self Activate

Web Server

UDD

LDAP

Online Learning

CAS

AD

PeopleSoft

Now With

Roles!

2007

•  Share identity across institutions!Challenge!

•  Shibboleth and Eduroam implementations !Solution!

•  Keep your head up!•  Take responsibility within the

community !Lessons!


2008



Mail Lists

Self Activate

Web Server

UDD

LDAP

Online Learning

CAS

AD

PeopleSoft

Now With

Roles!

Shibboleth Eduroam

2008

•  Integrate accounts with large scale Zimbra implementation!Challenge!

•  The entire arsenal!•  (LDAP, CAS, Maillists, UDD)!Solution!

•  Revised notion of robustness in face of high availability requirements!

Lessons!


2008



Mail Lists

Self Activate

Web Server

UDD

LDAP

Online Learning

CAS

AD

PeopleSoft

Now With

Roles!

Shibboleth Eduroam

Zimbra

2010+

• Granular resource access to match relationship!Challenge!

• Match user permissions to role requirements!Solution!

• CANHEIT 2011?!Lessons!



SUMMARY

•  Get clean data!•  Enable business users!•  Stay ahead of the curve!•  Trust your gut!•  Open standards when it makes sense!•  Iterative solutions!•  Be confident!•  Own it!

WORDS OF WISDOM



THANK YOU

Thank You / Merci Beaucoup!

[email protected]!

On behalf of!

Rob Urquhart! Frances Atkinson!Ray Davison! Steve Hillman!

sfu identity management overview

Technology

services jeremy rosenberg

account system

web servercasldappeoplesoftith

web authentication

managing identity lessons

account provisioning1995

account database

account provisioning1991