May 03, 2010

Mike Shore, Sabrina da Silva and Oscar Shen

Past – Mike

  • Banner ERP used for Student and Staff information = Source of Record
  • leveraged a Novell eDirectory identity vault via the Novell Identity Manager (IDM) product
  • blend of custom scripts, Novell IDM and Luminis integration to provision identities
  • because Novell IDM could not handle groups with more than 5000 members, BCIT had to drop Novell IDM and migrated to custom scripts

Present

  • Banner ERP used for Student and Staff information = Source of Record
  • focus on using Active Directory as the main authentication source for applications – approximately 800K accounts in AD
  • custom scripts written in FoxPro load AD

Banner Business Processes – Sabrina

  • roles: Staff, Faculty, Student, Guest
  • groups created in AD: current employee, current instructor, current student, current guest
  • discussed how the AD groups are used

Central Authentication Services / Web SSO – Oscar

  • BCIT heavily leverages CAS to secure web applications
  • BCIT’s CAS implementation is used only for AuthN; it passes the password back to the application so the application can do AuthZ against our AD
  • CAS is used to secure Web Pages, iTunes University, MSDN AA download site

Future – Mike

  • use Banner Enterprise Identity Services to replace the custom scripts
  • BCIT has a phased approach to moving BCIT’s IDM strategy forward (see the slide deck)

Hugh Burley

Novell – eDirectory, Identity Manager, LDAP, Radius

Oracle – SGHE Banner, Luminis, Oracle Identity Management

The Current Workflow at TRU

  • 3 paths – email access provisioned in Novell; other system access granted via system admins; and Human Resources and Student Information System data provisioned via Oracle IDM into the Luminis portal product
  • it’s the other system access that is a challenge – it is paper-based with signatures (the ASAR process)

Problems

  • many vendors don’t work with eDirectory, and Novell continues to lose its customer base
  • the ASAR process is slow and error-prone – it results in privilege creep and incomplete access removal on termination
  • what is working is the Banner/Oracle stack for staff and students, which automatically provisions to the Luminis portal
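The two failure modes named above (incomplete access removal on termination and privilege creep) are exactly what a periodic reconciliation of the source of record against the directory catches. The following is an added example, not code from the notes or from any of the institutions presenting: it derives the role-to-group mapping the BCIT session described (Staff, Faculty, Student, Guest onto the current employee / instructor / student / guest AD groups) from a constructed source-of-record feed and compares it with a constructed directory snapshot. The `active` flag, the record layout and all sample usernames are assumptions.

```python
# Added example: reconcile role-derived AD group membership against a directory
# snapshot to flag stale members (termination not processed, or privilege creep)
# and missing members (not yet provisioned). All data here is constructed.

from dataclasses import dataclass

# Source-of-record role -> AD group, as described in the BCIT session.
ROLE_TO_GROUP = {
    "Staff": "current employee",
    "Faculty": "current instructor",
    "Student": "current student",
    "Guest": "current guest",
}


@dataclass(frozen=True)
class PersonRecord:
    username: str
    roles: frozenset  # roles currently held in the source of record
    active: bool      # assumption: False once terminated or withdrawn


def expected_groups(records):
    """Set algebra over the source of record: each AD group is the set of
    active usernames holding the corresponding role."""
    groups = {g: set() for g in ROLE_TO_GROUP.values()}
    for rec in records:
        if not rec.active:
            continue  # terminated people are entitled to nothing
        for role in rec.roles:
            group = ROLE_TO_GROUP.get(role)
            if group is not None:
                groups[group].add(rec.username)
    return groups


def reconcile(records, directory):
    """Compare entitled membership with what the directory actually holds.

    Returns (stale, missing):
      stale   -> {group: usernames present in AD but not entitled}
                 (incomplete removal on termination, or privilege creep)
      missing -> {group: usernames entitled but absent from AD}
    Only groups with a discrepancy appear in either dict.
    """
    expected = expected_groups(records)
    stale, missing = {}, {}
    for group, should in expected.items():
        actual = set(directory.get(group, ()))
        if actual - should:
            stale[group] = actual - should
        if should - actual:
            missing[group] = should - actual
    return stale, missing


# Constructed sample feed: who the source of record says exists today.
SAMPLE_RECORDS = [
    PersonRecord("alice", frozenset({"Staff"}), True),
    PersonRecord("bob", frozenset({"Faculty", "Staff"}), True),
    PersonRecord("carol", frozenset({"Student"}), True),
    PersonRecord("dave", frozenset({"Staff"}), False),  # terminated
]

# Constructed directory snapshot: what AD group membership currently looks like.
SAMPLE_DIRECTORY = {
    "current employee": {"alice", "bob", "dave"},  # dave was never removed
    "current instructor": {"bob", "alice"},        # alice accumulated extra access
    "current student": set(),                      # carol not yet provisioned
    "current guest": set(),
}

if __name__ == "__main__":
    stale, missing = reconcile(SAMPLE_RECORDS, SAMPLE_DIRECTORY)
    for group, users in sorted(stale.items()):
        print(f"remove from {group!r}: {sorted(users)}")
    for group, users in sorted(missing.items()):
        print(f"add to {group!r}: {sorted(users)}")
```

Run against a real feed, the `stale` set is the deprovisioning backlog a paper process leaves behind, and the `missing` set shows where provisioning lags; treating the source of record as authoritative and regenerating group membership from it, rather than editing groups by hand, is what keeps both sets empty.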

Future

  • implement Active Directory to solve some of the problems with Novell and ASAR
  • still plan on using Novell Identity Manager to provision Active Directory going forward
  • NOTE: BCIT had to pull Novell IDM out due to extremely poor performance with group changes as well as running into a 5000-member group limit (BCIT needs groups that are orders of magnitude larger)

Doug Gregg and Luca Filipozzi

Business Case for IAM – Doug

Started with a 96-page project charter and condensed it to a 26-page PowerPoint

  • Objective: build the policies, processes and technologies to allow end-to-end lifecycle management of person-centric digital identities within a 2-year window
  • List of success criteria: reduced number of separate sign-ons, the same username and password on most systems, simplified and automated provisioning and de-provisioning, etc.

Where are we now?

IT Challenges

  • a review of UBC IT was not very favourable
  • commodity computing challenges – too much effort is spent on the bottom of the technology stack

IAM Relationships

  • person, org, roles/groups, permissions, resources – all important entities; a good diagram gave a simplified view
  • presented a view of identity management, provisioning/deprovisioning, the identity lifecycle, and IAM-connected sources and sinks today, in the next 6 months and within 2 years
  • provisioning an enterprise AD and Grouper (group management)

People

  • IAM committees – steering committees (small group with senior management) and architectural advisory committee (representation from 20 areas)
  • key stakeholder groups – lots of touch points to keep these other committees informed
  • challenge: urgent tactical issues come ahead of work on strategic directions – tough to balance
  • hard to communicate strategy when it is not fully developed

Milestone 1 – Luca

  • objective: leverage the CWL id and password for authentication and group access
  • push CWL ids into Enterprise Active Directory – June 15, 2010
  • migrate enterprise LDAP service from Sun to OpenLDAP – October 2010
  • use Grouper to manage provisioning and deprovisioning of groups – October 2010
  • need to look at Sympa – provides a canonical source, particularly for mailing list management
  • need to look at Grouper – provides group management that can talk back to AD; strong on group algebra for working on sets, and needs to talk to an LDAP
