Cal Poly Pomona's Scalable IdM Infrastructure

An IdM Architecture you can Build At Home! - Cal Poly Pomona’s Scalable IdM Infrastructure
Peter Deutsch, Director, I&IT Systems
July 12, 2005
Goals for ID Management @ Cal Poly Pomona

- Protect and secure access to information
- Reduce provisioning and maintenance costs
- Meet legal and audit requirements
- Improve user experience and services
- Integrate with CSU and national projects
Key Components…

We have implemented a Campus-wide Identity Management System that provides:

- Automated Multi-Role Account and Capabilities Provisioning System
- Distributed User Authentication and Authorization
- Directory and Registry Services
- Close integration with Peoplesoft, Blackboard and other key campus services
Directory and Registry Services

- Heart of the system is the Identity Registry, a database that serves as the central identity management repository for people affiliated with CPP
- It enables authentication and authorization of individuals and serves as the authoritative repository for a number of attributes associated with each identity and associated roles
Implementing ID Management

- System Architecture
- Business Processes
- What Works So Far
- What Pieces Are Next?
- Lessons Learned So Far
System Architecture

[Architecture diagram; only its labels survive. Systems of Record: Peoplesoft, Affiliate #1 … Affiliate #n. Core: Identity Registry, Account Mgmt System, Capability Management System (with Capability Feed), Namespace Management System, Business Rules/Processes, Software Modules. Federated Namespace System: Namespace #1, Namespace #2 … Namespace #n. Capabilities: Active Directory, White Pages, Photo IDs, Blackboard, LDAP, …]
Business Processes

Not easily shown is the full effect of business rules & processes:

- Each System of Record had its own access issues (getting raw data is hard)
- Each Capability feed requires its own set of business rules

Not shown is the implicit system governing data access:

- Requires AVP or higher level authorization to initiate new capabilities
- Requires approval of originating data stewards
- This is intended to be a non-trivial process
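The pattern the Directory and Registry Services and Business Processes slides describe, as an added example that is not part of the original deck and not Cal Poly Pomona's code: a central registry fed by Systems of Record, one person holding several roles at once, and one business rule per capability feed with its approver recorded alongside it. Everything here is constructed: the `cpp_id` identifier, the feed names (`ad_account`, `exchange_mailbox`, `blackboard`), the source names (`peoplesoft-hr`, `peoplesoft-sis`), the rules, the approvers and the records.

```python
"""Toy Identity Registry with multi-role, rule-per-feed capability provisioning.

Added example, not Cal Poly Pomona code.  The cpp_id field, feed names,
rules, approvers and every record below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple


@dataclass
class Identity:
    cpp_id: str                                   # registry identifier (assumed name)
    name: str
    # roles are tagged with the System of Record that asserts them, so one
    # person can hold employee and student roles from different feeds
    roles: Set[Tuple[str, str]] = field(default_factory=set)
    # attributes are kept per source too, so they leave with the role
    attributes: Dict[str, dict] = field(default_factory=dict)


@dataclass(frozen=True)
class CapabilityFeed:
    name: str
    rule: Callable[[Identity], bool]   # this feed's own business rule
    approved_by: str                   # steward / AVP sign-off recorded with the rule


def has_role(ident: Identity, role: str) -> bool:
    return any(r == role for _, r in ident.roles)


def has_attr(ident: Identity, key: str) -> bool:
    return any(a.get(key) for a in ident.attributes.values())


class IdentityRegistry:
    def __init__(self, feeds: List[CapabilityFeed]):
        self.people: Dict[str, Identity] = {}
        self.feeds = feeds
        self.granted: Dict[str, Set[str]] = {}   # capabilities currently provisioned

    def load_system_of_record(self, source: str, role: str, records: List[dict]) -> None:
        """Replace the role `source` is authoritative for with its latest feed.
        Identities that drop out of the feed lose that role (and that source's
        attributes) but stay in the registry, so deprovisioning is automatic
        and the identifier is never reused."""
        seen = set()
        for rec in records:
            ident = self.people.setdefault(rec["id"], Identity(rec["id"], rec["name"]))
            ident.roles.add((source, role))
            ident.attributes[source] = dict(rec.get("attributes", {}))
            seen.add(rec["id"])
        for cpp_id, ident in self.people.items():
            if cpp_id not in seen:
                ident.roles.discard((source, role))
                ident.attributes.pop(source, None)

    def provision(self) -> List[Tuple[str, str, str]]:
        """Evaluate every feed's rule for every identity and return the
        (action, cpp_id, capability) steps that reconcile what is provisioned
        with what the rules now say.  Nothing is granted that no rule asks for."""
        actions = []
        for cpp_id, ident in self.people.items():
            wanted = {f.name for f in self.feeds if f.rule(ident)}
            have = self.granted.get(cpp_id, set())
            actions += [("add", cpp_id, c) for c in sorted(wanted - have)]
            actions += [("remove", cpp_id, c) for c in sorted(have - wanted)]
            self.granted[cpp_id] = wanted
        return actions


# One rule set per capability feed (sample rules, sample approvers)
FEEDS = [
    CapabilityFeed("ad_account", lambda p: bool(p.roles), "AVP I&IT (sample)"),
    CapabilityFeed("exchange_mailbox", lambda p: has_role(p, "employee"), "HR data steward (sample)"),
    CapabilityFeed("blackboard", lambda p: has_attr(p, "courses") or has_attr(p, "teaches"),
                   "Registrar data steward (sample)"),
]


def demo() -> Tuple[List[Tuple[str, str, str]], List[Tuple[str, str, str]]]:
    """Two provisioning runs over constructed PeopleSoft-style feeds."""
    reg = IdentityRegistry(FEEDS)
    reg.load_system_of_record("peoplesoft-hr", "employee", [
        {"id": "cpp001", "name": "A. Faculty", "attributes": {"teaches": ["CS101"]}},
        {"id": "cpp002", "name": "B. Staff", "attributes": {"dept": "Library"}},
    ])
    reg.load_system_of_record("peoplesoft-sis", "student", [
        {"id": "cpp001", "name": "A. Faculty", "attributes": {"courses": ["MATH200"]}},
        {"id": "cpp003", "name": "C. Student", "attributes": {"courses": ["CS101"]}},
    ])
    first = reg.provision()
    # next HR feed: B. Staff has left, so the employee role and everything
    # that depended on it are withdrawn without any manual ticket
    reg.load_system_of_record("peoplesoft-hr", "employee", [
        {"id": "cpp001", "name": "A. Faculty", "attributes": {"teaches": ["CS101"]}},
    ])
    second = reg.provision()
    return first, second


if __name__ == "__main__":
    for run in demo():
        for action in run:
            print(*action)
        print("--")
```

The second run is the part worth checking in any real deployment: a person missing from an authoritative feed loses only the role that feed asserts, keeps any other role, and has every capability that depended on the lost role revoked in the same pass. Recording `approved_by` with each rule is what lets an auditor trace a granted capability back to the steward who authorised the feed.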
What Works So Far

- Identity Registry & Automated Account Management System up
- Peoplesoft is System of Record for Employee & Student Roles
- LDAP alive and authoritative for multiple other systems
- Exchange feed with auto-population of groups
- Blackboard course feeds are up
- ID Card feeds work (in both directions)
What Pieces Are Next?

- We’re still working at getting Affiliate Roles into Peoplesoft
- We’re still working on improved password management (complexity, aging, etc.)
- We’re about to go live with the Student Applicant Role
- We’re still looking at distributing Systems of Record, White Pages management
Lessons Learned So Far

Technology is not the hard part. But…

- Getting people to think globally is hard
- Getting people to “surrender control” is hard
- Hidden business processes are hard
- Generating technical requirements is hard
- Writing things down is hard…
Integrate with CSU & National Initiatives

- Secure Identity Management Infrastructure (CSU)
- Shibboleth (Internet 2) (http://shibboleth.internet2.edu)
- InCommon (built on Shibboleth) (http://www.incommonfederation.org)
Questions?