Identity Management: Services, Tools and Processes (Cal Racey, Caleb.Racey@ncl.ac.uk)



Identity Management: Services, Tools and Processes

Cal Racey

Caleb.Racey@ncl.ac.uk


Context: Who I am

Cal Racey – System Architecture Manager:
• 9 years experience of Middleware application provision
• Particular focus on issues of single sign on and access control
• Project Manager on JISC funded GFIVO, IDMAPS and GRAND projects
• Collaborate with Internet2/EDUCAUSE on IdM
• Experienced in use of open source tools


Presentation Overview

Theme: Practical examples of IdM solutions
• Background: The challenge of IdM
• Newcastle’s IdM review
  – Audit
  – Architectural Gaps
• Tools and services to enhance IdM
  – Data integration
  – Group management
  – Authentication
  – Combined integration service


Overview of IDM

The Challenge of Implementing IdM Architectures

(Thanks to Jens Haeusser, UBC.ca, for the IKEA Metaphor and slides)

(Slides 5 to 9: image-only IKEA metaphor slides)

What this workshop is trying to achieve

• Help add pages to that instructions booklet
• Build community knowledge and practice around IdM
• Build portfolio of case studies around IdM
• Find out what the community needs
• Provide reusable examples of IdM solutions


Newcastle’s IdM Example

• Focussed on exploiting our existing IdM data
• SAP HR + student data good enough
  – Poor use in Teaching and Learning apps – needed better integration with applications

What we did:
• Audit application practice and desired usage
• Understand requirement – gap analyses
• Deploy tools and services to enhance architecture
• Focus on early benefit realisation


Audit: Systems requiring IdM data

• Accommodation
• Active Directory
• Blackboard
• CAMA
• Dspace
• ePortfolios
• ePrints
• Email
• Estates ticketing system
• Exam papers
• FMSC VLEs
• Grouper
• Individuals project (DMS)
• Intralibrary
• Lists
• Module Outline forms
• Myprofiles/My Impact
• NESS (VLE)
• NUcontacts
• Print credits
• Recap
• Sakai (VRE)
• S3P
• Service centre (helpdesk)
• Shibboleth
• Site manager (CMS)
• Smartcard
• Student homepage
• Regulations
• Telecoms
• Timetabling
• UNIX
• Wireless


Initial Architecture: Flow of Identity Data


Desired Architecture


(Architecture diagram labels: SAP Campus Management, HR; Data warehouse, CAMA; Grouper; Shibboleth, Grouper, Active Directory; Talend)


Filling the gaps - Architecture

• Data warehouse
  – Combines identity data from multiple sources
  – Makes “sense” of data
• Group management
  – Adds structure to user population
  – Arranges users into “usable” units
• Data integration tools
  – Processes data + puts it where it needs to be
  – Captures and expresses business logic
• Authentication and Authorization service
  – Based on good user data


Tools: Talend Integration suite

• Data integration tool
• Open source like MySQL
  – Free version + paid for enhancements
• Replaced many bespoke scripts
• Supported existing and desired approaches
  – Excellent file support
  – Excellent database connectivity
  – Excellent application connectivity (e.g. SAP)
  – Web services

Resources available at http://research.ncl.ac.uk/idmaps/


Tools: Talend Integration suite

Why Talend?
• “Visionary” in Gartner’s data management
• Also offers Data quality and Master data management solutions
• Training and consultancy offerings
• “Middle man” means they have to integrate with everything
• ETL and IdM share many problems
  – Data quality, duplicate removal, incomplete data
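As an added illustration of the shared ETL/IdM problems listed above (not one of Newcastle's Talend jobs or the IDMAPS resources), the join, duplicate-detection and incomplete-record handling an identity feed needs when an HR extract and a student extract are combined into one record per person. The feed field names, sample records and address domain are constructed.

```python
# Constructed sample extracts; the field names are assumptions, not any real
# SAP or student-record schema. A person may appear in both feeds.
HR_FEED = [
    {"staff_id": "S1001", "email": "Anna.Smith@example.ac.uk", "surname": "Smith", "dept": "Chemistry"},
    {"staff_id": "S1002", "email": "", "surname": "Jones", "dept": "Accountancy"},
    {"staff_id": "S1003", "email": "d.low@example.ac.uk", "surname": "Low", "dept": "Chemistry"},
]
STUDENT_FEED = [
    {"student_id": "B9001", "email": "c.lee@example.ac.uk", "surname": "Lee", "modules": ["ACC101"]},
    {"student_id": "B9002", "email": "anna.smith@example.ac.uk", "surname": "Smith", "modules": ["CHE201"]},
    {"student_id": "B9003", "email": "c.lee@example.ac.uk", "surname": "Lee", "modules": ["acc102"]},
]

def consolidate(hr_feed, student_feed):
    """Merge both feeds into one record per person, keyed on normalised e-mail.
    Returns (identities, rejects); rejects lists records too incomplete or
    inconsistent to load, so the defect goes back to the source system."""
    identities, rejects = {}, []

    def record_for(rec, source, source_id):
        email = rec["email"].strip().lower()
        if not email:
            rejects.append((source, source_id, "missing email"))
            return None
        ident = identities.setdefault(email, {
            "email": email, "surname": rec["surname"], "dept": None,
            "sources": set(), "roles": set(), "modules": set(),
        })
        if ident["surname"].lower() != rec["surname"].lower():
            rejects.append((source, source_id, "surname conflicts with existing record"))
            return None  # same key, different person details: do not overwrite
        ident["sources"].add(source)
        return ident

    for rec in hr_feed:
        ident = record_for(rec, "hr", rec["staff_id"])
        if ident:
            ident["roles"].add("staff")
            ident["dept"] = rec["dept"]
    for rec in student_feed:
        ident = record_for(rec, "student", rec["student_id"])
        if ident:
            ident["roles"].add("student")
            ident["modules"].update(m.upper() for m in rec["modules"])
    return identities, rejects

def multi_source(identities):
    """People found in more than one feed, e.g. staff who are also students."""
    return sorted(e for e, i in identities.items() if len(i["sources"]) > 1)
```

The repeated student record is merged rather than creating a second account, and the HR record with no e-mail is reported instead of being loaded half-complete.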

Resources available at http://research.ncl.ac.uk/idmaps/


Talend Example


Tools: Talend Benefits

• End to end connectivity
  – Control of flow all the way through
  – Transparency of process
  – No more fragile chains of scheduled tasks
• Allows team responsibility
  – Easy to see what a job does
  – Job stored in versioned store (svn)
• Many data connectors
• Interacts with Windows and Unix (including login)
• Data integration logic in one place


Institutional data feed service (IDFS)

Single point of contact for IdM data
• Consultancy
• Process for asking for data:
  – Meeting to discuss requirements
  – Data integration form (capture, record data flows)
  – Make application owners aware of responsibilities:
    • Security
    • DPA
    • Freedom of information
• Data integration tool (Talend)


Tools: Grouper

• GRAND project
• Grouper used to structure and enhance IdM data
  – Organisational structure
  – Module enrolment
  – User maintained, e.g. research teams
• Groups are the way the university works
  – “modules, departments, research teams – not users”

Use case documents available at http://research.ncl.ac.uk/grand/resources.php


Tools: Grouper

• Enables use of composite groups
• Mixing of static institutional groups and user edited groups
• Management interfaces
  – Web based: “heavy” and “lite”
  – Web services
  – Scripts (grouper shell)
  – Java API
• Data usable multiple ways
  – Data exports
  – Shibboleth attributes
  – LDAP-PC


Grouper – wireless access


Grouper – Room booking


Tools: Shibboleth

• Built for federated use case
• Provides Authentication and Authorisation
• Used extensively internally
• Rich attributes
  – People on accountancy can access acc101 podcast
  – People in chemistry can access chemistry wiki
  – Provides framework for targeted personalisation, e.g. “Here are your podcasts + exam papers”
• Standards based, allows integration
  – e.g. Google Apps
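As an added example (not Grouper's, Shibboleth's or Newcastle's own code), this ties the Grouper slide on composite groups to the attribute-based access described here: composite groups are built from static institutional and user-maintained groups, expanded into the kind of multi-valued membership attribute an IdP releases, and an application makes a default-deny check against it for the podcast and wiki cases above. Group names, user names and resource paths are constructed.

```python
# Constructed sample data; group names, users and resources are assumptions.
# Institutional groups come from the warehouse feed; one group is user-maintained.
INSTITUTIONAL = {
    "dept:chemistry":   {"asmith", "dlow"},
    "dept:accountancy": {"bjones"},
    "module:acc101":    {"clee", "bjones"},
    "role:staff":       {"asmith", "bjones", "dlow"},
}
USER_MAINTAINED = {"research:nanomaterials": {"asmith", "clee"}}
# Composite groups as (operator, left, right), mirroring Grouper's
# union / intersection / complement composites.
COMPOSITES = {
    "chem-wiki-editors": ("intersection", "dept:chemistry", "role:staff"),
    "acc101-podcast":    ("union", "module:acc101", "dept:accountancy"),
    "nano-students":     ("complement", "research:nanomaterials", "role:staff"),
}
# Application-side rules: resource -> the one group whose members may access it.
ACCESS_RULES = {
    "/podcasts/acc101": "acc101-podcast",
    "/wiki/chemistry/edit": "chem-wiki-editors",
}

def resolve(group, seen=()):
    """Expand a group name to its member set, evaluating composites recursively."""
    if group in seen:
        raise ValueError(f"composite cycle via {group}")
    if group in INSTITUTIONAL:
        return set(INSTITUTIONAL[group])
    if group in USER_MAINTAINED:
        return set(USER_MAINTAINED[group])
    op, left, right = COMPOSITES[group]  # KeyError for an unknown group
    lhs = resolve(left, seen + (group,))
    rhs = resolve(right, seen + (group,))
    return {"union": lhs | rhs, "intersection": lhs & rhs, "complement": lhs - rhs}[op]

def is_member_of(user):
    """The multi-valued attribute an IdP could release: every group holding the user."""
    names = [*INSTITUTIONAL, *USER_MAINTAINED, *COMPOSITES]
    return {g for g in names if user in resolve(g)}

def authorise(user, resource):
    """Default-deny check an application makes on the released attribute."""
    required = ACCESS_RULES.get(resource)
    return required is not None and required in is_member_of(user)
```

Because the application only compares a group name, the rule survives reorganisation of who is in the underlying groups, which is the point of keeping the structure in the group service rather than in each application.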

Page 30: Identity Management: Services, Tools and Processes Cal Racey Caleb.Racey@ncl.ac.uk

Tools: Shibboleth use cases

• Lecture capture authorisation
• Portal page personalisation
• Mailing lists
• Wikis
• Blogs
• VREs
• Reading lists
• Personal portfolios, e.g. MyImpact

Don’t have to understand shib to integrate

shib’d apps have less to worry about

Page 31: Identity Management: Services, Tools and Processes Cal Racey Caleb.Racey@ncl.ac.uk

Systems integration service

• One place to talk about domesticating applications
• Combines:
  – Institutional data feed service
  – Group management service
  – Shibboleth service
• Mix and match services depending on requirement
  – Focus on need rather than architectural “purity”

Goal:
– Ease application development and deployment
– Make IT applications appear “joined up”

Page 32: Identity Management: Services, Tools and Processes Cal Racey Caleb.Racey@ncl.ac.uk

Realising benefits from IdM

Problem: Benefit realisation dependent on influencing application owners
– Apps spread across political boundaries, e.g. Library, careers, medical school
– Apps spread across platforms
– Good tools not enough

Solution:
– Wrap tools and processes in a service
– Campaign of outreach
– Listen to application owners

Page 33: Identity Management: Services, Tools and Processes Cal Racey Caleb.Racey@ncl.ac.uk

Realising benefits from IdM

• Service more important than architecture or tools
  – Builds relationships
    • Better understanding of real service barriers
    • Easy future integration
  – 1 hour conversation > 2 weeks work
• Delivery best influencing technique
  – Effective IdM dependent on influence
    • Even centralised IT can’t enforce

Page 34: Identity Management: Services, Tools and Processes Cal Racey Caleb.Racey@ncl.ac.uk

IDM resources

• IDMAPS: http://research.ncl.ac.uk/idmaps/
• GRAND: http://research.ncl.ac.uk/grand
• Identity Management toolkit: http://www.identity-project.org
• Identity Management EDUCAUSE email list: [email protected]
• IT architects in academia (ITANA): http://www.itana.org/


Any Questions?