2. Context: Who I am
Cal Racey – System Architecture Manager:
• 9 years' experience of middleware application provision
• Particular focus on issues of single sign on and
access control
• Project Manager on JISC funded GFIVO, IDMAPS
and GRAND projects
• Collaborate with Internet2/EDUCAUSE on IdM
• Experienced in use of open source tools
3. Presentation Overview
Theme: Practical examples of IdM solutions
• Background: The challenge of IdM
• Newcastle’s IdM review
– Audit
– Architectural Gaps
• Tools and services to enhance IdM
– Data integration
– Group management
– Authentication
– Combined integration service
4. Overview of IDM
The Challenge of Implementing
IdM Architectures
(Thanks to Jens Haeusser UBC.ca
for the IKEA Metaphor and slides)
10. What this workshop is trying to achieve
• Help add pages to that instructions booklet
• Build community knowledge and practice around
IdM
• Build portfolio of case studies around IdM
• Find out what the community needs
• Provide reusable examples of IdM solutions
11. Newcastle’s IdM Example
• Focussed on exploiting our existing IdM data
• SAP HR + student data good enough
– Poor use in teaching and learning apps
– Needed better integration with applications
What we did:
• Audit application practice and desired usage
• Understand requirement – Gap analyses
• Deploy tools and services to enhance architecture
• Focus on early benefit realisation
12. Audit: Systems requiring IdM data
Accommodation Grouper S3P
Active Directory Individuals project (DMS) Service centre (helpdesk)
Blackboard Intralibrary Shibboleth
CAMA Lists Site manager (CMS)
Dspace Module Outline forms Smartcard
ePortfolios Myprofiles/My Impact Student homepage
ePrints NESS (VLE) Regulations
Email NUcontacts Telecoms
Estates ticketing system Print credits Timetabling
Exam papers Recap UNIX
FMSC VLEs Sakai (VRE) Wireless
17. Filling the gaps - Architecture
• Data warehouse
– Combines Identity data from multiple sources
– Makes “sense” of data
• Group management
– Adds structure to user population
• Arranges users into “usable” units
• Data integration tools
– Processes data + puts it where it needs to be
– Captures and expresses business logic
• Authentication and Authorization service
– Based on good user data
19. Tools: Talend Integration suite
• Data integration tool
• Open source, like MySQL
– Free version + paid for enhancements
• Replaced many bespoke scripts
• Supported existing and desired approaches
– Excellent file support
– Excellent database connectivity
– Excellent Application connectivity (e.g. SAP)
– Web services
Resources available at
http://research.ncl.ac.uk/idmaps/
20. Tools: Talend Integration suite
Why Talend?
• “Visionary” in Gartner’s data management
• Also offers data quality and master data
management solutions
• Training and consultancy offerings
• “Middle Man” means they have to integrate with
everything
• ETL and IdM share many problems
– Data quality, duplicate removal, incomplete data
Resources available at
http://research.ncl.ac.uk/idmaps/
22. Tools: Talend Benefits
• End to end connectivity
– Control of flow all way through
– Transparency of process
– No more fragile chains of scheduled tasks
• Allows team responsibility
– Easy to see what a job does
– Job stored in versioned store (svn)
• Many data connectors
• Interacts with Windows and UNIX (including login)
• Data integration logic in one place.
23. Institutional data feed service (IDFS)
Single point of contact for IdM data
• Consultancy
– Process for asking for data:
• Meeting to discuss requirements
• Data integration form (capture and record data flows)
• Make application owners aware of their responsibilities:
– Security
– DPA
– Freedom of information
• Data integration tool (Talend)
24. Tools: Grouper
• GRAND project
• Grouper used to structure and enhance IdM data
– Organisational Structure
– Module enrolment
– User maintained e.g. Research teams
• Groups are the way the university works
– “modules, departments, research teams – not
users”
Use case documents available at
http://research.ncl.ac.uk/grand/resources.php
25. Tools: Grouper
• Enables use of composite groups
• Mixing of static institutional groups and user edited
groups
• Management interfaces
– Web based: “heavy” and “lite”
– Web services
– Scripts (grouper shell)
– Java API
• Data usable multiple ways
– Data exports
– Shibboleth attributes
– LDAP-PC
29. Tools: Shibboleth
• Built for Federated use case
• Provides Authentication and Authorisation
• Used extensively internally
• Rich attributes
– People on accountancy can access the acc101 podcast
– People in chemistry can access the chemistry wiki
– Provides a framework for targeted personalisation,
e.g. "Here are your podcasts + exam papers"
• Standards based, allows integration
– e.g. Google Apps
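The composite groups of slide 25 and the attribute-based access rules of slide 29, worked through as an added example (not code from the original slides or from Grouper/Shibboleth): the group names, members and resources are constructed sample data, and the attribute name isMemberOf is an assumption about how the groups would be released.

```python
# Added example, not from the original slides: Grouper-style composite groups
# (slide 25) feeding a Shibboleth-style attribute check (slide 29).
from typing import Dict, FrozenSet, Tuple

# Constructed sample data. Static groups come from the institutional feed
# (HR and student records); "research:catalysis" is user maintained.
GROUPS: Dict[str, FrozenSet[str]] = {
    "dept:accountancy": frozenset({"alice", "bob"}),
    "dept:chemistry": frozenset({"carol", "dave"}),
    "module:acc101": frozenset({"alice", "erin"}),
    "status:left": frozenset({"bob"}),  # leavers flagged by HR
    "research:catalysis": frozenset({"carol", "frank"}),
}

# Composite groups as Grouper defines them: union, intersection or
# complement of exactly two member groups (either may itself be composite).
COMPOSITES: Dict[str, Tuple[str, str, str]] = {
    "acc101:podcast-viewers": ("union", "dept:accountancy", "module:acc101"),
    "accountancy:current": ("complement", "dept:accountancy", "status:left"),
    "chemistry:wiki-editors": ("union", "dept:chemistry", "research:catalysis"),
}

def resolve(group: str) -> FrozenSet[str]:
    """Flatten a static or composite group to its effective members."""
    if group in GROUPS:
        return GROUPS[group]
    op, left, right = COMPOSITES[group]
    a, b = resolve(left), resolve(right)
    return {"union": a | b, "intersection": a & b, "complement": a - b}[op]

def is_member_of(user: str) -> FrozenSet[str]:
    """The multi-valued attribute an IdP would release for this user
    (assumed here to be isMemberOf), computed from the flattened groups."""
    all_groups = list(GROUPS) + list(COMPOSITES)
    return frozenset(g for g in all_groups if user in resolve(g))

# Service-side rules: the group a user must hold to reach each resource.
ACCESS_RULES: Dict[str, str] = {
    "acc101-podcast": "acc101:podcast-viewers",
    "chemistry-wiki": "chemistry:wiki-editors",
    "finance-reports": "accountancy:current",
}

def authorised(user: str, resource: str) -> bool:
    """Decide only on the released attribute; unknown resources are denied."""
    required = ACCESS_RULES.get(resource)
    return required is not None and required in is_member_of(user)
```

The complement group shows why the HR leavers feed matters: bob keeps his departmental membership in the static data but is denied the current-staff resource as soon as the composite is evaluated.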
30. Tools: Shibboleth use cases
• Lecture capture authorisation
• Portal page personalisation
• Mailing lists
• Wikis
• Blogs
• VREs
• Reading lists
• Personal portfolios e.g. MyImpact
You don’t have to understand Shibboleth to integrate with it;
Shibboleth-enabled apps have less to worry about
31. Systems integration service
• One place to talk about domesticating applications
• Combines:
– Institutional data feed service
– Group management service
– Shibboleth service
• Mix and match services depending on requirement
– Focus on need rather than architectural “purity”
Goal:
– Ease application development and deployment
– Make IT applications appear “joined up”
32. Realising benefits from IdM
Problem: Benefit realisation is dependent on
influencing application owners
– Apps spread across political boundaries, e.g.
Library, careers, medical school
– Apps spread across platforms
– Good tools are not enough
Solution:
– Wrap tools and processes in a service
– Campaign of outreach
– Listen to application owners
33. Realising benefits from IdM
• Service more important than architecture or tools
– Builds relationships
• better understanding of real service barriers
• easy future integration
– 1-hour conversation > 2 weeks’ work
• Delivery is the best influencing technique
– Effective IdM is dependent on influence
• Even centralised IT can’t enforce
34. IDM resources
• IDMAPS
http://research.ncl.ac.uk/idmaps/
• GRAND
http://research.ncl.ac.uk/grand
• Identity Management toolkit
http://www.identity-project.org
• Identity Management EDUCAUSE email list:
IDM@LISTSERV.EDUCAUSE.EDU
IT architects in academia (ITANA):
http://www.itana.org/
An appropriate metaphor for our current situation is an unassembled car. We have a whole bunch of parts, and some notion of what the car looks like when put together, but no instruction manual for how to go about doing so.
What we need is the assembly manual for Identity and Access Management in Higher Education.
If we look at an actual IKEA manual, it has a number of parts. Today, we have a list of what’s inside the box. To some degree, like the drawers in a chest, we have the assembly instructions for individual components (although even there we have some gaps). What we don’t have are the cautions and warning labels: don’t hit the parts with a hammer, use two people to assemble, and watch out or the whole thing will fall on your head.
What we particularly lack are the instructions for putting all of the pieces together, and the detailed assembly directions. To some degree we also need a clearer description of the assembled collection, and a snappy name wouldn’t hurt.