8/3/2019 061212 Identity Management at Uhi
http://slidepdf.com/reader/full/061212-identity-management-at-uhi 1/32
Identity Management at UHI Millennium Institute
Jem Taylor
Head of Strategy & Development, UHI Learning & Information Services
UHI advertising
UHI is important for the Highlands & Islands region and is an exciting place to work
– You want to hear about IDM
– I want to talk about UHI and what we are doing
– 30 slides in 45 minutes: 90 seconds per slide
– So I will press on to the IDM part quite quickly
UHI Mission
“To establish for the Highlands and Islands of Scotland a collegiate university which will reach the highest standards and play a pivotal role in our educational, economic, social and cultural development”
The UHI Challenge
• Distance
• Geography
• Cost
• Service Provision
[Map of the academic partners: Shetland College, NAFC, Orkney College, Thurso College, EO, Lews Castle College, SMO, SFIA, Inverness College, Moray College & HTI, Argyll College & DML, Perth College]
A short history …
1993: The University of the Highlands and Islands Project “UHIp”
A dozen partners including 8 FE colleges, a NERC research institute, a statutory body, an industry-funded college, etc
All partners have an independent IT history and therefore a dozen different legacies
The Dark Ages …
1995: kilostream-based connections between UHI’s Academic Partners
– Shared JANET connection
– Very basic email for a very few staff
UHI employs its first three staff
The Middle Ages …
Summer 1996: integrated service: ISDN-6 VC
– 12 studios, 12-way ISDN MCU, BT lines
– SOEID funded, so gives desired illusion of being free at the point of use
September 1996: Millennium Commission announces £33m funding in c. £100m initiative
Feb 1997: new offices, new staff, 3yr plan
– More and faster kilostream connections (change of the cost trade-off between systems and telecoms)
Early Modern History …
1998: UHI WAN project
– High Speed networking – 45Mbit/sec
– Interim upgrades to 2Mbit/sec
UHI needed to build a WAN so as to be able to …
– Share facilities and costs across UHI
  Share costs of JANET & Internet access
  One WWW server, many ‘web sites’
  Other ‘server’ facilities – e.g. E-mail, Videoconferencing across data network
– Reduce other costs
  e.g. telephony costs on PSTN
– Enable Campus-style collaborative working
Check the map scale …
[Map with scale bars: 300 miles, 150 miles]
UHI’s territory covers over half of Scotland: 1/6th of the UK’s area, 1/60th of the UK’s total population.
HE + FE accessed by about 25,000 distinct people every year
Most FE students are ‘low FTE’
The UHI Network
UHI staff & students are connected by high bandwidth network
– internet, email, telephone and video conferencing
– Effectively a regional ‘campus LAN’ organised by location rather than by department
– Multiple ‘private’ IP data networks
– Internal telephony for UHI
– Future proof: Video; student broadcasting etc.
UHI LIS looks after shared/common systems
– Shared corporate systems
– Single internal eDirectory
[Diagram: the UHI network linked to ClydeNet, SoL, AbMAN, EastMAN, FATMAN and JANET]
UHI Today …
April 2001: an HEI with SHEFC funding
AY 2004/5: over 3,800 student FTEs
– 50% over age 25, 50%:50% gender balance, more than 5,200 enrolments
New Year 2005: moved to new HQ, this time moving about 70 staff over a weekend
2007: University title?
UHI IDM problem
Complex / diverse IT environment …
Shared / common Student Records system …
ICT and Library systems need to be available to all students …
IT Administrative overhead costs …
Student Records quality & timeliness …
Student Records
[Diagram, shown twice on the slide: the Student Records system with components Current Students, Assessment, Award or Progression, Attendance, Funds & Bursary, SQA interface to SQA, Module Registration, Class List, Assessment Register]
Student Records rôle in ‘business’
[Diagram: the Student Records system (Current Students, Assessment, Award or Progression, Attendance, Funds & Bursary, SQA interface, Module Registration, Class List, Assessment Register) linked to external bodies and internal systems:]
– UCAS: national admissions system for full-time HE
– SLC: Student Loans Company
– SQA: Entry qualifications
– SAAS: Student funding
– HESA: HE statistical returns
– FES: FE statistical returns
– SFC: Scottish FE and HE funding council
– SQA: Registration & Awards
– Manage & run UHI: UHI RAM, IDM, LIS & ICT systems
IDM as part of the ‘business’
[Diagram: incoming Students → Course enrolment → Module registrations, into the Student Records system (Current Students, Assessment, Award or Progression, Attendance, Funds & Bursary, SQA interface, Module Registration, Class List, Assessment Register). IDM, fed by Minerva People and Minerva Groups, provisions:]
– UHI username/password (Directories)
– UHI email (GroupWise)
– H:/ folder (NetWare)
– UHI library borrower (OLIB)
– PATESi Library card / ID card
– VLE teaching group (CLAN vle)
Why?
Save IT and Library staff trouble?
– It does, but that is not why we are doing it
Make sure all students are enrolled?
– YES
Make Student Records a *management tool* for the business instead of being just a record of what has already happened
When?
Allocate accounts *before* enrolment so as to assist induction processes
– As soon as details are available
– Only applies to students who go through some kind of records processing before enrolment
– No help for ‘walk-ins’ (but nothing is)
Lock accounts on the day individual students are *due* to leave (planned expiry)
No ‘summer gap’ for continuing students
– No summer clearouts anymore: only delete expired accounts, and should be able to do so in-year
Student lifecycle
[Diagram: application → enrolment → 1st year → 2nd year (multi-annual course) → (another) course. Account events along the timeline: create with planned expiry (at application), lock on expiry, unlock and extend (on enrolment for another course)]
How will ID flow around?
Novell Identity Manager
– Student records (STAFF & STUDENTS) → IDM system
– IDM system → eDirectory
– IDM system → Active Directory
– eDirectory → GroupWise
– Password synchronisation → all of the above
Siva2
– eDirectory to everywhere else: CLAN vle, MVN forum, self-provisioning through GuanXi IdP, Shibb world, etc
– Alistair Young is our software development ID expert
ID Flow design
[Diagram: SITS:Vision student record (STU table, PRS table) holds permanent identity → create/modify → UHI_IDM_TREE (identity management system) → create/modify → UHI_NDS_TREE (production eDirectory) and UHI.AD (production Active Directory), with password sync between the IDM tree and each of eDirectory and AD; eDirectory → create → UHI.AC.UK production GroupWise; eDirectory → Siva2 → create/modify connected systems; a self-service portal is also shown. Driver labels shown: DEP1, REG4, IDM-AD]
Comparison: Siva1
Home-made: very flexible but requires in-house effort for maintenance and development
Create-only: seek and ignore existing accounts
Deals with Students only
Logic for user account defaults is in Java code
‘pliers’ utility to get data from SITS: unreliable
Although Java code, method for GroupWise is Windows only: would prefer to be on Linux
Comparison: IDM + Siva2
Identity Manager
– Manufacturer supported: drivers available for other systems too
– Create or Modify logic, including changing end-date / withdrawal
– SITS:Vision source for Staff as well as Students
– New ORACLE based ‘minerva’ utility for feeder: more robust
– Will be able to feed other future ID sources into the same place
– Uses eDirectory template objects to define defaults for new users
– Runs natively on Novell NetWare, Windows and Linux platforms
– Web-based control interfaces based on iManager
Siva2
– Will run from triggers in the eDirectory API
– Will not care how user is created: will fire for manual creates
– Can do anything, including modify eDirectory accounts
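The account lifecycle from the “When?” slide (create with planned expiry before enrolment, lock on the due date, unlock and extend on re-enrolment, delete expired accounts in-year) and the create-or-modify behaviour that distinguishes IDM + Siva2 from create-only Siva1 are easier to reason about as one reconciliation routine. The following is an added example and not UHI’s Identity Manager policy or Siva code; the record layout, the attribute names, the 90-day grace period and the in-memory dictionary standing in for eDirectory/AD are all assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Assumption: an expired, locked account is kept this long before it is deleted,
# so a late re-enrolment can still 'unlock and extend' rather than re-create.
GRACE_DAYS = 90


@dataclass
class Account:
    """Stand-in for a directory user object (eDirectory/AD) with the attributes
    the lifecycle needs; a real driver would map these to directory attributes."""
    uid: str
    cn: str
    expiry: date                  # planned expiry, set from the record on creation
    locked: bool = False
    locked_on: Optional[date] = None


def reconcile(records: List[dict], directory: Dict[str, Account], today: date) -> List[str]:
    """One create-or-modify pass from the records feed, then an expiry sweep.

    Accounts that have dropped out of the feed are deliberately left alone: they
    lock on their own planned expiry, so there is no 'summer clearout'.
    Returns the actions taken, for auditing and for testing.
    """
    actions: List[str] = []

    # Pass 1: the records drive the directory (create OR modify, never create-only).
    for rec in records:
        uid = rec["student_id"]
        withdrawn = bool(rec.get("withdrawn"))
        # a withdrawal brings the planned expiry forward to today; otherwise the
        # expiry is the course end date carried in the record
        planned = today if withdrawn else rec["course_end"]
        acct = directory.get(uid)
        if acct is None:
            if withdrawn:
                continue          # never create an account that would lock at once
            directory[uid] = Account(uid=uid, cn=rec["name"], expiry=planned)
            actions.append(f"create {uid} expiry={planned}")
            continue
        if planned > acct.expiry:
            # continuing student or another course: extend, unlocking if needed
            if acct.locked:
                acct.locked, acct.locked_on = False, None
                actions.append(f"unlock {uid}")
            acct.expiry = planned
            actions.append(f"extend {uid} expiry={planned}")
        elif planned < acct.expiry:
            acct.expiry = planned     # withdrawal or shortened course
            actions.append(f"shorten {uid} expiry={planned}")
        if acct.cn != rec["name"]:
            acct.cn = rec["name"]
            actions.append(f"rename {uid}")

    # Pass 2: lock on the day the account is due to expire; delete after the grace
    # period, in-year, instead of a bulk clearout.
    for uid, acct in list(directory.items()):
        if acct.locked and acct.locked_on is not None \
                and acct.locked_on + timedelta(days=GRACE_DAYS) <= today:
            del directory[uid]
            actions.append(f"delete {uid}")
        elif not acct.locked and acct.expiry <= today:
            acct.locked, acct.locked_on = True, today
            actions.append(f"lock {uid}")
    return actions


def demo() -> Dict[str, List[str]]:
    """Constructed scenario (not real UHI data): four reconciliation runs over a year."""
    directory: Dict[str, Account] = {}
    a = {"student_id": "s0600001", "name": "A Student", "course_end": date(2007, 6, 29)}
    b = {"student_id": "s0600002", "name": "B Student", "course_end": date(2006, 12, 15)}
    c = {"student_id": "s0600003", "name": "C Student", "course_end": date(2007, 6, 29)}
    runs = {}
    # September: details available, accounts created ahead of enrolment
    runs["sept"] = reconcile([a, b, c], directory, date(2006, 9, 4))
    # December: B's short course ends today; C withdraws; A continues
    runs["dec"] = reconcile([a, dict(c, withdrawn=True)], directory, date(2006, 12, 15))
    # July: A's course has ended; B and C have passed their grace period
    runs["july"] = reconcile([a], directory, date(2007, 7, 2))
    # September: A re-enrols on another course, so the locked account is reused
    runs["sept2"] = reconcile([dict(a, course_end=date(2008, 6, 27))], directory, date(2007, 9, 3))
    return runs
```

The routine is idempotent: running it twice on the same day with the same feed produces no second set of actions, which is what lets records-oriented staff re-run it whenever the student record changes rather than on a termly schedule.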
Siva Connected Systems
CLAN vle (which is heavily Groups based)
MVN forum (ditto)
GuanXi Identity Provider for Shibboleth and everything else we build ourselves
What about Citrix?
Citrix likes Active Directory
We decided to offer a UHI-wide Active Directory …
– In parallel with eDirectory, not instead of
– With the same content in both technologies
Our service offering is now Content instead of Technology
– Our users can use either (any) technology
– Our job is to assure & sync the information
Simplified ID Flow for Citrix
[Diagram: SITS:Vision student record (STU table, PRS table) holds permanent identity → create/modify → UHI_NDS_TREE (production eDirectory) → create/modify → UHI.AD (production Active Directory), with password sync; eDirectory → create → UHI.AC.UK production GroupWise; eDirectory → Siva2. Driver labels shown: REG5, IDM-AD; the AD link is labelled “Magic”]
Citrix needs to login to NetWare …
Citrix uses Active Directory authn
But all Home Drives (H:) are NetWare
Citrix has tools for login to both worlds
But it doesn’t work ‘out of the box’ because we need Location at Login …
Behind the scenes, LDAP contextless login fails – Citrix can’t find the user’s eDirectory context
Call a consultant!
If all our users lived in the same context Citrix would work just fine …
With IDM, they can! A bespoke IDM driver maintains a ‘secret’ area in the eDirectory …
This is a flat space with an alias for each user …
All users appear in the same context
IDM to the rescue!
All users appear in the same context …
All users are also in their real context …
Novell choice dialogue at normal login
So …
– Carefully hide the Aliases container from all eDirectory users except IDM & Citrix
– Take care not to break aliases
– Tighten up so that all users are maintained by IDM (not by technicians)
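Two things about the flat alias space deserve a check before trusting it for login. First, a flat container can hold each CN only once, so two real users with the same CN in different partner contexts cannot both be aliased, and the driver must report that rather than silently point one name at the other account. Second, a contextless login takes whatever the user typed and builds an LDAP search filter from it, so the typed value has to be escaped (RFC 4515) or a `*` becomes a wildcard. The following is an added example and not UHI’s bespoke driver: the container name, the sample users, the LDIF rendering (standard LDAP alias schema from RFC 4512; whether a given eDirectory version loads it unchanged is an assumption) and the toy filter evaluator are all assumptions made for illustration.

```python
import re
from typing import Dict, List, Optional, Tuple

# Assumptions: container name and the sample users; real contexts at UHI differ.
ALIAS_BASE = "ou=Aliases,o=UHI"

# Constructed sample: (cn, real DN) pairs spread across partner-college contexts.
SAMPLE_USERS: List[Tuple[str, str]] = [
    ("abrown", "cn=abrown,ou=Students,ou=Inverness,o=UHI"),
    ("jsmith", "cn=jsmith,ou=Students,ou=Perth,o=UHI"),
    ("jsmith", "cn=jsmith,ou=Staff,ou=Lews,o=UHI"),       # same CN in another context
    ("mmacleod", "cn=mmacleod,ou=Students,ou=Orkney,o=UHI"),
]


def build_aliases(users: List[Tuple[str, str]]) -> Tuple[Dict[str, str], List[str]]:
    """Map each CN to the real DN it will alias. A flat container can hold a CN
    only once, so a CN that exists in two real contexts is reported as a
    collision and left out rather than silently pointing at one of them."""
    by_cn: Dict[str, List[str]] = {}
    for cn, dn in users:
        by_cn.setdefault(cn.lower(), []).append(dn)
    aliases = {cn: dns[0] for cn, dns in by_cn.items() if len(dns) == 1}
    collisions = sorted(cn for cn, dns in by_cn.items() if len(dns) > 1)
    return aliases, collisions


def alias_ldif(aliases: Dict[str, str]) -> str:
    """Render the alias objects as LDIF using the standard LDAP alias schema
    (objectClass 'alias' with 'aliasedObjectName', RFC 4512). Assumption: the
    exact LDIF a given eDirectory version accepts may differ from this."""
    entries = []
    for cn in sorted(aliases):
        entries.append(
            f"dn: cn={cn},{ALIAS_BASE}\n"
            "changetype: add\n"
            "objectClass: alias\n"
            f"cn: {cn}\n"
            f"aliasedObjectName: {aliases[cn]}\n"
        )
    return "\n".join(entries)


_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value embedded in an LDAP search filter, so a
    typed '*' or ')' is matched literally instead of being parsed."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def search_cn(flt: str, aliases: Dict[str, str]) -> List[str]:
    """Minimal evaluator for a '(cn=...)' filter, applied as a directory would:
    an unescaped '*' is a substring wildcard, '\\XX' is a literal byte."""
    m = re.fullmatch(r"\(cn=(.*)\)", flt)
    if not m:
        return []
    raw, parts, i = m.group(1), [], 0
    while i < len(raw):
        if raw[i] == "\\" and i + 2 < len(raw):
            parts.append(re.escape(chr(int(raw[i + 1:i + 3], 16))))
            i += 3
        elif raw[i] == "*":
            parts.append(".*")
            i += 1
        else:
            parts.append(re.escape(raw[i]))
            i += 1
    rx = re.compile("".join(parts), re.IGNORECASE)
    return [dn for cn, dn in aliases.items() if rx.fullmatch(cn)]


def contextless_login(typed_name: str, aliases: Dict[str, str]) -> Optional[str]:
    """What the contextless login does with the flat container: search it for
    the typed name and dereference the alias. Exactly one hit is required;
    none or several (a wildcard, a collision) resolves to nobody."""
    hits = search_cn(f"(cn={escape_filter_value(typed_name)})", aliases)
    return hits[0] if len(hits) == 1 else None
```

Run `build_aliases(SAMPLE_USERS)` and the two `jsmith` entries come back as a collision with no alias written; `contextless_login("*", aliases)` resolves to nobody because the typed star is escaped, whereas the unescaped filter `(cn=*)` would match every alias in the container. Hiding the container from ordinary users, as the slide says, keeps the flat list of every account name from being browsable; it does not remove the need for the collision check, which is what stops one user logging in as another.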
Next Up
Bread & butter IDM becomes responsibility of records-oriented staff who know the data
– Handle withdrawals etc. based on Academic Regulations (policy basis)
Provide more subtle information based on the information content of the student record
– e.g. to run Sharepoint need up-to-the-minute Groups management in the Directory
– Same communities as in Siva but distinct IDM flow
– Common vocabulary so staff (users) can understand
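The “up-to-the-minute Groups management” on this slide amounts to deriving group memberships from module registrations in the student record and diffing them against what the directory currently holds, with a naming vocabulary that staff can read. The following is an added example, not UHI’s IDM flow or Siva’s group code; the `UHI-MOD-` prefix, the group-name pattern, the registration status codes and the sample data are all assumptions. The one design point worth copying is that the planner only touches groups inside its own vocabulary, so hand-made groups are never emptied by the feed.

```python
from typing import Dict, List, Set, Tuple

# Assumption: only groups carrying this prefix are owned (and rewritten) by IDM.
MANAGED_PREFIX = "UHI-MOD-"

# Constructed sample registrations from the records feed: (uid, module, year, status)
# where status 'R' = registered and 'W' = withdrawn from the module.
REGISTRATIONS: List[Tuple[str, str, str, str]] = [
    ("s0600001", "CS101", "2006/7", "R"),
    ("s0600002", "CS101", "2006/7", "R"),
    ("s0600002", "MA102", "2006/7", "W"),
    ("s0600003", "MA102", "2006/7", "R"),
    ("s0500009", "CS101", "2005/6", "R"),   # last year's registration
]


def group_name(module: str, year: str) -> str:
    """One vocabulary for every connected system: UHI-MOD-<module>-<yyyy-y>."""
    return f"{MANAGED_PREFIX}{module}-{year.replace('/', '-')}"


def desired_groups(registrations: List[Tuple[str, str, str, str]], year: str) -> Dict[str, Set[str]]:
    """Group memberships implied by the current registrations for one year."""
    groups: Dict[str, Set[str]] = {}
    for uid, module, reg_year, status in registrations:
        if reg_year != year or status != "R":
            continue          # other years and withdrawn registrations grant nothing
        groups.setdefault(group_name(module, year), set()).add(uid)
    return groups


def plan_group_changes(desired: Dict[str, Set[str]],
                       current: Dict[str, Set[str]]) -> List[Tuple[str, str, str]]:
    """Diff desired memberships against the directory's current ones and return
    ('add'|'remove', group, uid) actions. Groups outside the managed vocabulary
    are never touched; a managed group with no remaining registrations is
    emptied rather than deleted (assumption), so references to it survive."""
    actions: List[Tuple[str, str, str]] = []
    for group in sorted(set(desired) | set(current)):
        if not group.startswith(MANAGED_PREFIX):
            continue
        want = desired.get(group, set())
        have = current.get(group, set())
        actions.extend(("add", group, uid) for uid in sorted(want - have))
        actions.extend(("remove", group, uid) for uid in sorted(have - want))
    return actions


def demo() -> List[Tuple[str, str, str]]:
    """Constructed directory state (not real UHI data) to plan against."""
    current = {
        "UHI-MOD-CS101-2006-7": {"s0600001", "s0400007"},  # s0400007 no longer registered
        "UHI-MOD-MA102-2006-7": {"s0600002"},              # s0600002 has since withdrawn
        "UHI-MOD-CS101-2005-6": {"s0500009"},              # last year's group
        "LIS-Technicians": {"jtaylor"},                    # hand-made, not IDM's
    }
    return plan_group_changes(desired_groups(REGISTRATIONS, "2006/7"), current)
```

Applying the plan and re-running it yields an empty plan, which is the property that makes the feed safe to run on every change to the student record.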
Technology
Designer for Identity Manager on Windows XP
– Very good tool
– Has all the basic drivers
– Use to control and deploy, as well as to design
IDM3 on NetWare/ED
– For eDirectory accounts
– For GroupWise accounts
IDM3 on W2003/AD+ED
– For AD accounts
Development IDM platform
Same scale and structure as the real environment
– Want to be able to copy IDM drivers back and forth easily
Designer for Identity Manager
– Drivers dataflow and modification
IDM3 on NetWare/ED
– VNC view of DSTRACE
IDM3 on W2003/AD and W2003/ED
– VNC view of dstrace
iManager
– Control of migration, driver On/Off, etc
Big fat VMware server with half a dozen virtual servers
– Development environment is an important system worth resourcing