Identity Management: Services, Tools and Processes
Cal Racey
Caleb.Racey@ncl.ac.uk

Context: Who I am
Cal Racey – System Architecture Manager:
• 9 years experience of Middleware application provision
• Particular focus on issues of single sign on and access control
• Project Manager on JISC funded GFIVO, IDMAPS and GRAND projects
• Collaborate with Internet2/EDUCAUSE on IdM
• Experienced in use of open source tools

Presentation Overview
Theme: Practical examples of IdM solutions
• Background: The challenge of IdM
• Newcastle’s IdM review
  – Audit
  – Architectural Gaps
• Tools and services to enhance IdM
  – Data integration
  – Group management
  – Authentication
  – Combined integration service

Overview of IDM

The Challenge of Implementing IdM Architectures
(Thanks to Jens Haeusser UBC.ca for the IKEA Metaphor and slides)

What this workshop is trying to achieve
• Help add pages to that instructions booklet
• Build community knowledge and practice around IdM
• Build portfolio of case studies around IdM
• Find out what the community needs
• Provide reusable examples of IdM solutions

Newcastle’s IdM Example
• Focussed on exploiting our Existing IdM data
• SAP HR + student data good enough
  – Poor use in Teaching and Learning apps
  – needed better integration with applications
What we Did:
• Audit application practice and desired usage
• Understand requirement – Gap analyses
• Deploy tools and services to enhance architecture
• Focus on early benefit realisation

Audit: Systems requiring IdM data
Accommodation; Active Directory; Blackboard; CAMA; Dspace; ePortfolios; ePrints; Email; Estates ticketing system; Exam papers; FMSC VLEs; Grouper; Individuals project (DMS); Intralibrary; Lists; Module Outline forms; Myprofiles/My Impact; NESS (VLE); NUcontacts; Print credits; Recap; Sakai (VRE); S3P; Service centre (helpdesk); Shibboleth; Site manager (CMS); Smartcard; Student homepage; Regulations; Telecoms; Timetabling; UNIX; Wireless

Initial Architecture: Flow of Identity Data

Desired Architecture
(Diagram labels: Data warehouse, CAMA, SAP Campus management, HR, Shibboleth, Grouper, Active Directory, Talend)

Filling the gaps - Architecture
• Data warehouse
  – Combines Identity data from multiple sources
  – Makes “sense” of data
• Group management
  – Adds structure to user population
  – Arranges users into “usable” units
• Data integration tools
  – Processes data + Puts it where it needs to be
  – Captures and expresses business logic
• Authentication and Authorization service
  – Based on good user data

Tools: Talend Integration suite
• Data integration tool
• Open source like MySQL
  – Free version + paid for enhancements
• Replaced many bespoke scripts
• Supported Existing and desired approaches
  – Excellent file support
  – Excellent database connectivity
  – Excellent Application connectivity (e.g. SAP)
  – Web services
Resources available at http://research.ncl.ac.uk/idmaps/

Tools: Talend Integration suite
Why Talend?
• “Visionary” in Gartner’s data management
• Also Offers Data quality and Master data management solutions
• Training and consultancy offerings
• “Middle Man” means they have to integrate with everything
• ETL and IdM share many problems
  – Data quality, duplicate removal, incomplete data

Talend Example

Tools: Talend Benefits
• End to end connectivity
  – Control of flow all way through
  – Transparency of process
  – No more fragile chains of scheduled tasks
• Allows team responsibility
  – Easy to see what a job does
  – Job stored in versioned store (svn)
• Many data connectors
• Interacts with windows and unix (including login)
• Data integration logic in one place.

Institutional data feed service (IDFS)
Single point of contact for IdM data
• Consultancy
Process for asking for data:
• Meeting to discuss requirements
• Data integration form (Capture, record data flows)
• Make application owners aware of responsibilities:
  – Security
  – DPA
  – Freedom of information
Data integration tool (Talend)

Tools: Grouper
• GRAND project
• Grouper used to structure and enhance IdM data
  – Organisational Structure
  – Module enrolment
  – User maintained e.g. Research teams
• Groups are the way the university works
  – “modules, departments, research teams – not users”
Use case documents available at http://research.ncl.ac.uk/grand/resources.php

Tools: Grouper
• Enables use of composite groups
• Mixing of static institutional groups and user edited groups
• Management interfaces
  – Web based: “heavy” and “lite”
  – Web services
  – Scripts (grouper shell)
  – Java API
• Data usable multiple ways
  – Data exports
  – Shibboleth attributes
  – LDAP-PC

Grouper – wireless access

Grouper – Room booking

Tools: Shibboleth
• Built for Federated use case
• Provides Authentication and Authorisation
• Used extensively internally
• Rich attributes
  – People on accountancy can access acc101 podcast
  – People in chemistry can access chemistry wiki
  – Provides framework for targeted personalisation e.g. Here are your podcasts + exam papers
• Standards based, allows integration
  – e.g. Google Apps

Tools: Shibboleth use cases
• Lecture capture authorisation
• Portal page personalisation
• Mailing lists
• Wikis
• Blogs
• VREs
• Reading lists
• Personal portfolios e.g. MyImpact
Don’t have to understand shib to integrate
shib’d apps have less to worry about

Systems integration service
• One place to talk about domesticating applications
• Combines:
  – Institutional data feed service
  – Group management service
  – Shibboleth service
• Mix and match services depending on requirement
  – Focus on need rather than architectural “purity”
Goal:
  – Ease application development and deployment
  – Make IT applications appear “joined up”

Realising benefits from IdM
Problem: Benefit realisation dependent on influencing application owners
  – Apps spread across political boundaries e.g. Library, careers, medical school
  – Apps spread across platforms
  – Good tools not enough
Solution:
  – Wrap tools and processes in a service
  – Campaign of outreach
  – Listen to application owners

Realising benefits from IdM
• Service more important than architecture or tools
  – Builds relationships
    • better understanding of real service barriers
    • easy future integration
  – 1 hour conversation > 2 weeks’ work
• Delivery best influencing technique
  – Effective IdM dependent on influence
• Even centralised IT can’t enforce

IDM resources
• IDMAPS http://research.ncl.ac.uk/idmaps/
• GRAND http://research.ncl.ac.uk/grand
• Identity Management toolkit http://www.identity-project.org
• Identity Management EDUCAUSE email list: IDM@LISTSERV.EDUCAUSE.EDU
• IT architects in academia (ITANA): http://www.itana.org/

Any Questions?
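
The Grouper and Shibboleth slides describe composite groups that mix static institutional groups with user-edited ones, released as attributes that drive access (accountancy to the acc101 podcast, chemistry to the chemistry wiki). The sketch below is an added example of that flow, not Newcastle's configuration or Grouper's API; the group names, members, `app:` prefix convention and function names are all assumptions.

```python
# Added illustration: a small model of composite groups, not Grouper's API.
# All group names and members below are constructed sample data.
from dataclasses import dataclass

@dataclass(frozen=True)
class Composite:
    op: str     # "union", "intersection" or "complement" (left minus right)
    left: str
    right: str

DIRECT = {  # static institutional groups and user-edited groups
    "inst:dept:accountancy": {"alice", "bob"},
    "inst:dept:chemistry": {"carol", "dave"},
    "inst:module:acc101": {"alice", "erin"},
    "user:research:catalysis": {"dave", "frank"},
    "user:chem-wiki:excluded": {"carol"},
}
COMPOSITES = {
    "app:acc101-podcast": Composite("union", "inst:dept:accountancy", "inst:module:acc101"),
    "ref:chem-wiki-candidates": Composite("union", "inst:dept:chemistry", "user:research:catalysis"),
    "app:chem-wiki": Composite("complement", "ref:chem-wiki-candidates", "user:chem-wiki:excluded"),
}
OPS = {"union": set.union, "intersection": set.intersection, "complement": set.difference}

def members(group, _path=()):
    """Resolve a group to its effective member set."""
    if group in _path:
        raise ValueError("composite cycle: " + " -> ".join(_path + (group,)))
    if group in DIRECT:
        return set(DIRECT[group])
    comp = COMPOSITES.get(group)
    if comp is None:
        return set()  # unknown group: fail closed, nobody is a member
    left = members(comp.left, _path + (group,))
    right = members(comp.right, _path + (group,))
    return OPS[comp.op](left, right)

def released_groups(user):
    """Application-facing groups to release as a membership attribute."""
    return sorted(g for g in COMPOSITES if g.startswith("app:") and user in members(g))

def authorize(user, required_group):
    """Application-side check against the released attribute only."""
    return required_group in released_groups(user)

if __name__ == "__main__":
    for u in ("alice", "carol", "dave", "frank"):
        print(u, released_groups(u))
```

The application only compares one released group name, so exclusions and research-team additions are maintained in the group layer rather than in each application.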