061212 identity management at uhi

8/3/2019 061212 Identity Management at Uhi

http://slidepdf.com/reader/full/061212-identity-management-at-uhi 1/32

Identity Managementat UHI Millennium Institute

Jem Taylor

Head of Strategy & DevelopmentUHI Learning & Information Services

[email protected]



UHI advertising

UHI is important for the Highlands & Islands

region and is an exciting place to work

± You want to hear about IDM

± I want to talk about UHI and what we are doing

± 30 slides in 45 minutes: 90 seconds per slide

± So I will press on to the IDM part quite quickly



³To establish for the Highlands and

Islands of Scotland a collegiate

university which will reach the highest

standards and play a pivotal role in our

educational, economic, social andcultural development´

UHI Mission



y

Distancey Geography

y Cost

y Service Provision

Shetland

College

EO

LewsCastle

College

SMO

SFIA

Inverness

College

Argyll College

& DML

ThursoCollege

Orkney

College

NAFC

Moray College

& HTI

Perth

College

The UHI Challenge



A short history «

1993: The University of the Highlands and

Islands Project ³UHIp´

A dozen partners including 8 FE colleges,a NERC research institute, a statutory

body, an industry-funded college, etc

All partners have an independent IT

history and therefore a dozen different

legacies



The Dark Ages «

1995: kilostream-based connections between

UHI¶s Academic Partners

± Shared J ANET connection ± Very basic email for a very few staff

UHI employs its first three staff



The Middle Ages «

Summer 1996: integrated service: ISDN-6 VC

± 12 studios, 12-way ISDN MCU, BT lines

± SOEID funded, so gives desired illusion of beingfree at the point of use

September 1996: Millennium Commission

announces £33m funding in c. £100m initiative

Feb 1997: new offices, new staff, 3yr plan

± More and faster kilostream connections (change

of the cost trade-off between systems and

telecoms)



1998:UHI W AN project

± High Speed networking ± 45Mbit/sec

± Interim upgrades to 2Mbit/sec

UHI needed to build a W AN so as to be able to « ± Share facilities and costs across UHI

Share costs of J ANET & Internet access

One WWW server, many µweb sites¶

other µserver¶ facilities - eg. E-mail Videoconferencing across data network

± Reduce other costs

eg. telephony costs on PSTN

± Enable Campus-style collaborative working

Early Modern History «



300 miles

150 miles

UHI¶s territory coversover half of Scotland

1/6th of the UK¶s area

1/60th of the UK¶s total

population.

HE + FE accessed by

about 25,000

distinct people every year

Most FE students are

µlow FTE¶

Check the map scale «



UHI staff & students areconnected by high bandwidthnetwork ± internet, email, telephone and

video conferencing

± Effectively a regional µcampusL AN¶ organised by location rather than by department

± Multiple µprivate¶ IP data networks

± Internal telephony for UHI

± Future proof: Video; studentbroadcasting etc.

UHI LIS looks after shared/common systems ± Shared corporate systems

± Single internal eDirectory

ClydeNet

SoL

AbMAN

EastMAN

FATMAN

JANET

The UHI Network



UHI Today «

April 2001: an HEI with SHEFC funding

AY 2004/5: over 3,800 student FTEs

± 50% over age 25, 50%:50% gender balance,more than 5,200 enrolments

New Year 2005: moved to new HQ, this

time moving about 70 staff over weekend 2007: University title ?



UHI IDM problem

Complex / diverse IT environment «

Shared / common Student Records

system « ICT and Library systems need to be

available to all students «

IT Administrative overhead costs « Student Records quality & timeliness «



Current

Students

Assessment

AwardorProgression

Attendance

Funds &

Bursary

SQ A interface

SQ A

ModuleRegist ration

Class List

Assessment Register

Current

Students

Assessment

Award or

Progression

Attendance

Funds &

Bursary

SQ A

interfaceSQ A

Module Registration

Class List

Assessment Register

Student Records



Current

Students

Assessment

AwardorProgression

Attendance

Funds &

Bursary

SQ A interface

SQ A

ModuleRegist ration

Class List

Assessment Register

Student Records rôle in µbusiness¶

UC AS

national admissionssystem for full-time

HE

SLC

Student Loans

Company

SQ A

Entry qualifications

S AAS

Student funding

HES A

HE statistical

returns

FES

FE statistical

returns

SFC

Scottish FE and HE

funding council

SQ A

Registration &

Awards

Manage & run UHI:

UHI R AM

IDM

LIS & ICT systems



VLE teaching group

(CL AN vle)

IDM as part of the µbusiness¶

incoming

Students

Course

enrolment

UHI username/password

(Directories)

UHI email

(GroupWise)

H:/ folder

(NetWare)

UHI library

borrower (OLIB)P ATESi

Library card /

ID card

Moduleregistrations

Moduleregistrations

Moduleregistrations

IDM

MinervaPeople

Minerva

Groups

Current

Students

Assessment

AwardorProgression

Attendance

Funds &

Bursary

SQ A interface

SQ A

ModuleRegistrati on

Class List

AssessmentRegi ster



Why ?

Save IT and Library staff trouble?

± It does, but that is not why we are doing it

Make sure all students are enrolled? ± YES

Make Student Records a *management

tool* for the business instead of being justa record of what has already happened



When ?

Allocate accounts *before* enrolment so as to

assist induction processes

± As soon as details are available

± Only applies to students who go through some kind of records processing before enrolment

± No help for µwalk-ins¶ (but nothing is)

Lock accounts on the day individual students are

*due* to leave (planned expiry)

No µsummer gap¶ for continuing students

± No summer clearouts anymore: only delete expired

accounts, and should be able to do so in-year



Student lifecycle

1st year 2nd year

(multi- Annual) course

P

(another) course

enrolment

Createwith

planned

expiry

Unlockand

extend

application P-

Lockon

expiry



How will ID flow around?

Novell Identity Manager

± Student records ST AFF & STUDENTS IDM system

± IDM system eDirectory

± IDM system Active Directory

± eDirectory GroupWise

± Password synchronisation all of the above

Siva2

± eDirectory to everywhere else: CL AN vle, MVN forum,

self-provisioning through GuanXi Idp, Shibb world, etc

± Alistair Young is our software development ID expert



UHI. AC.UK

production

GroupWise

ID Flow designSITS:Vision student record

holds permanent identity

STU

table

PRS

table

UHI_IDM_TREE

identity

management

system

UHI_NDS_TREE

productioneDirectory

UHI. AD

production

Active

Directory

C reate/

modify

C reate/

modify

Passwd

sync

Passwd

sync

create

Siva2

C reate/ modify

Self-

service

portal

DEP1REG4 IDM- AD



Comparison: Siva1

Home-made: very flexible but requires in-house

effort for maintenance and development

Create-only: seek and ignore existing accounts

Deals with Students only

Logic for user account defaults is in java code

µ pliers¶ utility to get data from SITS: unreliable

Although Java code, method for GroupWise isWindows only: would prefer to be on Linux



Comparison: IDM + Siva2

Identity Manager ± Manufacturer supported: drivers available for other systems too

± Create or Modify logic, including changing end-date / withdrawal

± SITS:Vision source for Staff as well as Students

± New OR ACLE based µminerva¶ utility for feeder: more robust ± Will be able to feed other future ID sources into the same place

± Uses eDirectory template objects to define defaults for new users

± Runs natively on Novell NetWare, Windows and Linux platforms

± Web-based control interfaces based on iManager

Siva2 ± Will run from triggers in the eDirectory API

± Will not care how user is created: will fire for manual creates

± Can do anything, including modify eDirectory accounts



Siva Connected Systems

CL AN vle (which is heavily Groups based)

MVN forum (ditto)

GuanXi Identity Provider for Shibboleth and everything else we build ourselves



What about Citrix?

Citrix likes Active Directory

We decided to offer a UHI-wide ActiveDirectory «

± In parallel with e-Directory, not instead of

± With the same content in both technologies

Our service offering is now Content

instead of Technology ± Our users can use either (any) technology

± Our job is to assure & sync the information



UHI. AC.UK

production

GroupWise

Simplified ID Flow for CitrixSITS:Vision student record

holds permanent identity

STU

table

PRS

table

UHI_NDS_TREE

productioneDirectory

UHI. AD

production

Active

Directory

C reate/

modify

C reate/

modify

Passwd

sync

create

Siva2

REG5 IDM- AD

Magic



Citrix needs to login to NetWare«

Citrix uses Active Directory authn

But all Home Drives (H:) are NetWare

Citrix has tools for login to both worlds But it doesn¶t work µout of the box¶

because we need Location at Login «

Behind the scenes, LD AP contextlesslogin fails ± Citrix can¶t find the user¶s e-

Directory context



Call a consultant !

If all our users lived in the same context

Citrix would work just fine «

With IDM, they can ! A bespoke IDM driver maintains a µsecret¶

area in the e-Directory «

This is a flat space with an alias for eachuser «

All users appear in the same context



IDM to the rescue!

All users appear in the same context «

All users are also in their real context «

Novell choice dialogue at normal login So «

± Carefully hide the Aliases container from all e-

Directory users except IDM & Citrix

± Take care not to break aliases

± Tighten up so that all users are maintained by

IDM (not by technicians)



Next Up

Bread & butter IDM becomes responsibility of

records-oriented staff who know the data

± Handle withdrawals etc. based on Academic

Regulations (policy basis)

Provide more subtle information based on the

information content of the student record

± e.g. to run Sharepoint need up-to-the-minute Groups

management in the Directory

± Same communities as in Siva but distinct IDM flow

± Common vocabulary so staff (users) can understand



Technology

Designer for Identity Manager on Windows XP ± Very good tool

± Has all the basic drivers

± Use to control and deploy, as well as to design

I DM3 on NetWare/ED ± For eDirectory accounts

± For GroupWise accounts

I DM3 on W2003/ AD+ED ± For AD accounts



Development IDM platform

Same scale and structure as the real environment ± Want to be able to copy IDM drivers back and forth easily

Designer for Identity Manager ± Drivers dataflow and modification

IDM3 on NetWare/ED ± VNC view of DSTR ACE

IDM3 on W2003/ AD and W2003/ED ± VNC view of dstrace

iManager ± Control of migration, driver On/Off, etc

Big fat VMware server with half a dozen virtual servers

± Development environment is an important system worth resourcing



Thank You!

Q & A

061212 identity management at uhi

Documents