Identity Management: Services, Tools and Processes Cal Racey

Context: Who I am Cal Racey – System Architecture Manager: 9 years experience of Middleware application provision Particular focus on issues of single sign on and access control Project Manager on JISC funded GFIVO, IDMAPS and GRAND projects Collaborate with Internet2/EDUCAUSE on IdM Experienced in use of open source tools C

Presentation Overview Theme: Practical examples of IdM solutions Background: The challenge of IdM Newcastle’s IdM review –Audit –Architectural Gaps Tools and services to enhance IdM –Data integration –Group management –Authentication –Combined integration service

Overview of IDM The Challenge of Implementing IdM Architectures (Thanks to Jens Haeusser UBC.ca for the IKEA Metaphor and slides)

What this workshop is trying to achieve Help add pages to that instructions booklet Build community knowledge and practice around IdM Build portfolio of case studies around IdM Find out what the community needs Provide reusable examples of IdM solutions

Newcastle’s IdM Example Focussed on exploiting our Existing IdM data SAP HR + student data good enough –Poor use in Teaching and Learning apps –needed better integration with applications What we Did: Audit application practice and desired usage Understand requirement – Gap analyses Deploy tools and services to enhance architecture Focus on early benefit realisation

Audit: Systems requiring IdM data AccommodationGrouperS3P Active DirectoryIndividuals project (DMS)Service centre (helpdesk) BlackboardIntralibraryShibboleth CAMAListsSite manager (CMS) DspaceModule Outline formsSmartcard ePortfoliosMyprofiles/My ImpactStudent homepage ePrintsNESS (VLE)Regulations NUcontactsTelecoms Estates ticketing systemPrint creditsTimetabling Exam papersRecapUNIX FMSC VLEsSakai (VRE)Wireless

Initial Architecture: Flow of Identity Data

Desired Architecture

SAP Campus management HR Data warehouse, CAMA Grouper Shibboleth, Grouper, Active Directory Talend

Filling the gaps - Architecture Data warehouse –Combines Identity data from multiple sources –Makes “sense” of data Group management –Adds structure to user population Arranges users into “usable” units Data integration tools –Processes data + Puts it where it needs to be –Captures and expresses business logic Authentication and Authorization service –Based on good user data

Tools: Talend Integration suite Data integration tool Open source like MySQL –Free version + paid for enhancements Replaced many bespoke scripts Supported Existing and desired approaches –Excellent file support –Excellent database connectivity –Excellent Application connectivity (e.g. SAP) –Web services Resources available at

Tools: Talend Integration suite Why Talend? “Visionary” in Gartner’s data management Also Offers Data quality and Master data management solutions Training and consultancy offerings “Middle Man” means they have to integrate with everything ETL and IdM share many problems Data quality, duplicate removal, incomplete data Resources available at

Talend Example

Tools: Talend Benefits End to end connectivity –Control of flow all way through –Transparency of process –No more fragile chains of scheduled tasks Allows team responsibility –Easy to see what a job does –Job stored in versioned store (svn) Many data connectors Interacts with windows and unix (including login) Data integration logic in one place.

Institutional data feed service (IDFS) Single point of contact for IdM data Consultancy Process for asking for data: Meeting to discuss requirements Data integration form (Capture, record data flows) Make application owners aware of responsibilities: Security DPA Freedom of information Data integration tool (Talend)

Tools: Grouper GRAND project Grouper used to structure and enhance IdM data –Organisational Structure –Module enrolment –User maintained e.g. Research teams Groups are the way the university works –“modules, departments, research teams – not users” Use case documents available at

Tools: Grouper Enables use of composite groups Mixing of static institutional groups and user edited groups management interfaces –Web based: “heavy” and “lite” –Web services –Scripts (grouper shell) –Java API Data usable multiple ways –Data exports –Shibboleth attributes –LDAP-PC

Grouper – wireless access

Grouper – Room booking

Tools: Shibboleth Built for Federated use case Provides Authentication and Authorisation Used extensively internally Rich attributes –People on accountancy can access acc101 podcast –People in chemistry can access chemistry wiki –Provides framework for targeted personalisation e.g. Here are your podcasts + exam papers Standards based, allows integration – e.g. Google Apps

Tools: Shibboleth use cases Lecture capture authorisation Portal page personalisation Mailing lists Wikis blogs VREs Reading lists Personal portfolios e.g. MyImpact Don’t have to understand shib to integrate shib’d apps have less to worry about

Systems integration service One place to talk about domesticating applications Combines: –Institutional data feed service –Group management service –Shibboleth service Mix and match services depending on requirement –Focus on need rather than architectural “purity” Goal: –Ease application development and deployment –Make IT applications appear “joined up”

Realising benefits from IdM Problem: Benefit realisation dependant on influencing application owners – Apps Spread across political boundaries e.g. Library, careers, medical school – Apps spread across platforms – good tools not enough Solution: –Wrap tools and processes in a service –Campaign of outreach –Listen to application owners

Realising benefits from IdM Service more important than architecture or tools –Builds relationships better understanding of real service barriers easy future integration –1Hour conversation > 2 weeks work Delivery best influencing technique –Effective IdM dependant on influence Even centralised IT can’t enforce

IDM resources IDMAPS GRAND Identity Management toolkit Identity Management EDUCAUSE list: IT architects in academia (ITANA):

Any Questions?