
1 Copyright Dave Steiner and Jeremy Rosenberg 2010. This work is the intellectual property of the authors. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the authors.

2 From In-House to Open Source: Creating a Sense of Identity (Management)
Dave Steiner – Rutgers University
Jeremy Rosenberg – Simon Fraser University
October 13, 2010

3 ABOUT US
- Dave Steiner
  - Rutgers University – New Jersey
  - Identity Management Architect
  - Numerous IDM/Middleware Projects since 1984
  - Joined newly created IDM Team in 2006
- Jeremy Rosenberg
  - Simon Fraser University – Vancouver, BC
  - Identity Management Architect
  - Java Developer since 2004
  - MBA in Management of Technology

4 ABOUT THIS PRESENTATION
- Campus Perspectives
  - Legacy IdM Architectures
  - Strengths and limitations
  - Future requirements
- OpenRegistry Project
  - How did it start?
  - What is OpenRegistry?
  - Why open source?
  - State of the project
- OpenRegistry workflow walkthrough

5 ABOUT SFU
- Simon Fraser 1776-1862
- One University - Three campuses: Burnaby, Surrey, Vancouver
- 32,000 students
- 900 faculty
- 1600 staff
- 100,000 alumni

6 SFU’S IDAM LAYOUT
[Diagram; labels as extracted: Amaint Account Provisioning Mail Lists Web Server UDD LDAP WebCT CAS AD PeopleSoft Shibboleth Eduroam Zimbra]

7 SFU STRENGTHS AND LIMITATIONS
- Centralized
- Single computing IDs
- CAS SSO
- Self Serve
- Maillists/ACLS
- Account Activation
- Auto Provisioning
- Email / Filespace
- WebCT
- Scalability
- Support for new SoRs
- No distributed admin
- Sustainability
- Only two developers (one is a rock climber)
- Granularity
- General role support
- No distributed data entry

8 SFU FUTURE NEEDS
- Capture more of the University Population
- More accurate and complete directory
- Greater auditing capabilities
- Built on sustainable industry standards

9 ABOUT RUTGERS UNIVERSITY
- One University – Three campuses: New Brunswick, Newark, Camden
- Founded in 1766
- Over 56,000 students
- 4150 faculty
- 6500 staff
- Over 380,000 alumni

10 RUTGERS LEGACY
[Diagram; labels as extracted: People Database (PDB) Student Records Database (SRDB) Payroll Guest Account Creation Kerberos/Safeword CAS Oracle Account Creation SecurID LDAP Radius APPLICATIONS & SYSTEMS; legend: Data Flow, Query]

11 RUTGERS STRENGTHS AND LIMITATIONS
- Central Identities for Students, Faculty and Staff
- Central Authentication via CAS and LDAP
- Self-service credential creation
- Self-service email accounts
- Not all populations supported
- Joint institutions not supported
- Guests not well supported
- Support is too centralized
- Needs to be more real-time
- De-provisioning manual, once a year
- Roles don’t match needs
- Not an integrated system but grew up over time

12 RUTGERS FUTURE NEEDS
- A long term, core identity management solution
- Single identity throughout person’s lifetime
- Extend – e.g. for students, from Prospect through Alumni
- Add population types
  - Continuing Education, joint institutions, conference attendees
- Faster propagation of data, real time where possible
- Data for better provisioning and de-provisioning both electronically and physically

13 HOW DID OPENREGISTRY START?
- Apr 2006 – creation of IDM group at Rutgers
  - Production services (e.g. CAS, LDAP, Kerberos)
  - New development
- Aug 2006 – IDM as part of a new IT Strategic Plan
- Nov 2006 – Rutgers IDM Assessment
- Feb 2007 – Rutgers IDM Potential Initiatives
- Mar 2008 – OpenRegistry design work started
- Jan 2009 – Became a Jasig Incubator project
- Late 2009 – SFU joined the project

14 WHAT IS OPEN REGISTRY?
- An open source Identity Management system
- A place for data about people affiliated with your institution
- Combines distributed identity information into single identity records
- Identity store, but generally NOT authoritative
- Identity reconciliation for multiple SoRs
- Identifier assignment
- Input: web, batch and REST interfaces from SoRs
- Output: queues, REST, batch, report server, Directory Builder, provisioning and de-provisioning

15 WHAT IS OPEN REGISTRY?

16 OPENREGISTRY ARCHITECTURE

17 WHY AN OPEN SOURCE PROJECT?
- “Off the shelf” solutions require significant customizations and integration work and may only solve a portion of an institution's needs
- Open source collaboration > in-house building
- Leverage scant resources
- Decades of combined experience
- Learn from others' experiences
- Sakai, uPortal, CAS, Shibboleth, Kuali
- Not all knowledge with a few in-house people
- Tailored to the needs of higher education

18 STATE OF THE PROJECT
- Generic data model designed and reasonably stable
- Domain objects and base service layer code written for addPerson, addRole, updatePerson, updateRole, etc.
- Currently being tested with real-life data
- Input methods well defined and being implemented; output needs further requirements/design
- Production deployment at Rutgers in first half of 2011 dependent on new PeopleSoft payroll deployment

19 HOW DID SFU GET INVOLVED?
- Jan 2005 – Sponsored Account Management App
- April 2007 – Single Computing ID Project
  - No more multiple accounts for employees and students
  - One login for HR and Registrar with Roles
- Mar 2008 – Distance Ed becomes third SoR
- Aug 2008 – Lightweight Accounts Introduced
  - No Email or Unix file space provisioned
- Aug 2009 – Contact with Rutgers IdM team
- Sept 2009 – Jasig Un-conference
- Late 2009 – First commits to OpenRegistry
- June 2010 – Additional Developers added

20 [Diagram; labels as extracted: HR SIS Kipling, Rudyard Undergrad Staff Former Undergrad OpenRegistry CODE Bronte, Emily CODE WebCT Bookstore Bookstore Clerk Faculty Expired]

21 THANK YOU
- Visit the Jasig Wiki at: http://www.ja-sig.org/wiki/display/OR/Home
- Join the OpenRegistry Dev mail list: openregistry-dev@lists.ja-sig.org
- Attend a Jasig event: http://www.jasig.org/
- Jeremy Rosenberg rosenberg@sfu.ca
- Dave Steiner steiner@oit.rutgers.edu

