Services, Tools and Processes - Identity Management Matters

Identity Management: Services, Tools and Processes
Cal Racey
Caleb.Racey@ncl.ac.uk
Context: Who I am
Cal Racey – System Architecture Manager:
• 9 years experience of middleware application provision
• Particular focus on issues of single sign on and access control
• Project Manager on JISC funded GFIVO, IDMAPS and GRAND projects
• Collaborate with Internet2/EDUCAUSE on IdM
• Experienced in use of open source tools
Presentation Overview
Theme: Practical examples of IdM solutions
• Background: The challenge of IdM
• Newcastle’s IdM review
– Audit
– Architectural Gaps
• Tools and services to enhance IdM
– Data integration
– Group management
– Authentication
– Combined integration service
Overview of IDM
The Challenge of Implementing IdM Architectures
(Thanks to Jens Haeusser UBC.ca for the IKEA metaphor and slides)
What this workshop is trying to achieve
• Help add pages to that instructions booklet
• Build community knowledge and practice around IdM
• Build portfolio of case studies around IdM
• Find out what the community needs
• Provide reusable examples of IdM solutions
Newcastle’s IdM Example
• Focused on exploiting our existing IdM data
• SAP HR + student data good enough
– Poor use in teaching and learning apps
– Needed better integration with applications
What we Did:
• Audit application practice and desired usage
• Understand requirement – Gap analyses
• Deploy tools and services to enhance architecture
• Focus on early benefit realisation
Audit: Systems requiring IdM data
Accommodation
Grouper
S3P
Active Directory
Individuals project (DMS)
Service centre (helpdesk)
Blackboard
Intralibrary
Shibboleth
CAMA
Lists
Site manager (CMS)
Dspace
Module Outline forms
Smartcard
ePortfolios
Myprofiles/My Impact
Student homepage
ePrints
NESS (VLE)
Regulations
Email
NUcontacts
Telecoms
Estates ticketing system
Print credits
Timetabling
Exam papers
Recap
UNIX
FMSC VLEs
Sakai (VRE)
Wireless
Initial Architecture: Flow of Identity Data [diagram slide]
Desired Architecture [diagram slide; labelled components: SAP (HR, campus management), data warehouse (CAMA), Talend, Grouper, Shibboleth, Active Directory]
Filling the gaps - Architecture
• Data warehouse
– Combines Identity data from multiple sources
– Makes “sense” of data
• Group management
– Adds structure to user population
• Arranges users into “usable” units
• Data integration tools
– Processes data + Puts it where it needs to be
– Captures and expresses business logic
• Authentication and Authorization service
– Based on good user data
Tools: Talend Integration suite
• Data integration tool
• Open source like MySQL
– Free version + paid for enhancements
• Replaced many bespoke scripts
• Supported Existing and desired approaches
– Excellent file support
– Excellent database connectivity
– Excellent Application connectivity (e.g. SAP)
– Web services
Resources available at
http://research.ncl.ac.uk/idmaps/
Tools: Talend Integration suite
Why Talend?
• “Visionary” in Gartner’s data management
• Also offers data quality and master data management solutions
• Training and consultancy offerings
• “Middle man” means they have to integrate with everything
• ETL and IdM share many problems
• Data quality, duplicate removal, incomplete data
Talend Example
Tools: Talend Benefits
• End to end connectivity
– Control of flow all way through
– Transparency of process
– No more fragile chains of scheduled tasks
• Allows team responsibility
– Easy to see what a job does
– Job stored in versioned store (svn)
• Many data connectors
• Interacts with windows and unix (including login)
• Data integration logic in one place.
Institutional data feed service (IDFS)
Single point of contact for IdM data
• Consultancy
• Process for asking for data:
– Meeting to discuss requirements
– Data integration form (capture, record data flows)
– Make application owners aware of responsibilities:
• Security
• DPA
• Freedom of information
• Data integration tool (Talend)
Tools: Grouper
• GRAND project
• Grouper used to structure and enhance IdM data
– Organisational Structure
– Module enrolment
– User maintained e.g. Research teams
• Groups are the way the university works
– “modules, departments, research teams – not users”
Use case documents available at
http://research.ncl.ac.uk/grand/resources.php
Tools: Grouper
• Enables use of composite groups
• Mixing of static institutional groups and user edited
groups
• Management interfaces
– Web based: “heavy” and “lite”
– Web services
– Scripts (grouper shell)
– Java API
• Data usable multiple ways
– Data exports
– Shibboleth attributes
– LDAP-PC
Grouper – wireless access
Grouper – Room booking
Tools: Shibboleth
• Built for federated use case
• Provides authentication and authorisation
• Used extensively internally
• Rich attributes
– People on accountancy can access acc101 podcast
– People in chemistry can access chemistry wiki
– Provides framework for targeted personalisation, e.g. here are your podcasts + exam papers
• Standards based, allows integration
– e.g. Google Apps
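The two slides above describe Grouper composite groups (mixing static institutional groups with user-edited ones) and Shibboleth releasing rich group attributes that applications use for authorisation. The following is an added example, not code from the presentation or from the Grouper/Shibboleth projects: a small Python model of composite group resolution feeding an isMemberOf-style attribute check. All group, user and resource names are constructed and hypothetical.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple, Union
Members = FrozenSet[str]

@dataclass(frozen=True)
class Composite:
    """Grouper-style composite: union, intersection or complement (left minus right)."""
    op: str
    left: str
    right: str

Group = Union[Members, Composite]

def resolve(name: str, groups: Dict[str, Group], seen: Tuple[str, ...] = ()) -> Members:
    """Flatten a group to its member set, expanding composites recursively."""
    if name in seen:
        raise ValueError(f"cycle in composite definition at {name!r}")
    g = groups[name]
    if not isinstance(g, Composite):
        return g
    left = resolve(g.left, groups, seen + (name,))
    right = resolve(g.right, groups, seen + (name,))
    if g.op == "union":
        return left | right
    if g.op == "intersection":
        return left & right
    if g.op == "complement":
        return left - right
    raise ValueError(f"unknown composite op {g.op!r}")

def is_member_of(user: str, groups: Dict[str, Group]) -> Members:
    """Group names an IdP would release for this user as an isMemberOf-style attribute."""
    return frozenset(n for n in groups if user in resolve(n, groups))

def authorised(user: str, resource: str, policy: Dict[str, Tuple[str, ...]],
               groups: Dict[str, Group]) -> bool:
    """SP-side check: allow if the released attribute contains any group the policy names."""
    return any(g in is_member_of(user, groups) for g in policy.get(resource, ()))

# Constructed sample data (hypothetical names): HR/student-record fed groups plus user-maintained ones.
GROUPS: Dict[str, Group] = {
    "staff:accountancy": frozenset({"u1", "u2"}),
    "module:acc101:students": frozenset({"u3", "u4", "u5"}),
    "module:acc101:withdrawn": frozenset({"u5"}),
    "research:tax-policy": frozenset({"u2", "u4"}),
    "module:acc101:enrolled": Composite("complement", "module:acc101:students", "module:acc101:withdrawn"),
    "acc101:podcast-audience": Composite("union", "module:acc101:enrolled", "staff:accountancy"),
}
POLICY = {"acc101-podcast": ("acc101:podcast-audience",), "tax-policy-wiki": ("research:tax-policy",)}
```

The complement composite is what lets a user-maintained exception list (withdrawn students) override the institutional feed without editing the source data.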
Tools: Shibboleth use cases
• Lecture capture authorisation
• Portal page personalisation
• Mailing lists
• Wikis
• blogs
• VREs
• Reading lists
• Personal portfolios e.g. MyImpact
Application owners don’t have to understand Shibboleth to integrate
Shibboleth-enabled apps have less to worry about
Systems integration service
• One place to talk about domesticating applications
• Combines:
– Institutional data feed service
– Group management service
– Shibboleth service
• Mix and match services depending on requirement
– Focus on need rather than architectural “purity”
Goal:
– Ease application development and deployment
– Make IT applications appear “joined up”
Realising benefits from IdM
Problem: Benefit realisation is dependent on influencing application owners
– Apps spread across political boundaries, e.g. library, careers, medical school
– Apps spread across platforms
– Good tools are not enough
Solution:
– Wrap tools and processes in a service
– Campaign of outreach
– Listen to application owners
Realising benefits from IdM
• Service more important than architecture or tools
– Builds relationships
• better understanding of real service barriers
• easy future integration
– 1 hour conversation > 2 weeks of work
• Delivery best influencing technique
– Effective IdM dependent on influence
• Even centralised IT can’t enforce
IDM resources
• IDMAPS
http://research.ncl.ac.uk/idmaps/
• GRAND
http://research.ncl.ac.uk/grand
• Identity Management toolkit
http://www.identity-project.org
• Identity Management EDUCAUSE email list: IDM@LISTSERV.EDUCAUSE.EDU
• IT architects in academia (ITANA):
http://www.itana.org/
Any Questions?