![Page 1: Banner Enterprise Identity Services Overview · 2015-01-26 · Identity Data Export Utilities (IDEU) IDEU Schema gokuuid Provisioning Components Banner Identity Gateway (BNIG) bnixmgr](https://reader034.vdocument.in/reader034/viewer/2022042016/5e74e2fb4d96dc43d9458353/html5/thumbnails/1.jpg)
Banner Enterprise Identity Services
Overview
Introduction
• Ted Schmidt
• Technology Strategist
• I have been using Oracle for 25+ years
• http://www.usg.edu/information_technology_services/
What is Identity and Access Management?
• Identity Management
– Identity management is a discipline which encompasses all of the tasks required to create, manage, and delete user identities in an electronic environment.
• Access Management
– Ensures that the right services are available to the right people.
• Identity Access Management (IAM)
Business and Identity
• Identification is the focal point of most business transactions.
• Most services are not available based on anonymous access.
• Service delivery necessitates a certain level of knowledge about the recipients.
• Identity matters!
So What is IAM - Really?
• Identity and Access Management
• Application Services Framework that will:
– Improve Security
– Reduce Cost
– Enable new opportunities
• Via a common Framework for:
– Provisioning
– Deprovisioning
– Authentication
– Authorization
IAM Strategies and Challenges
• Complexity
– Authoritative Identity Source(s)
• Cost
– Development
– Maintenance
Goals and Objectives
• Work from your prioritized drivers.
– Re-state your challenges as opportunities for improvement.
• Know what success looks like before you begin.
– Goals
  • Describes the desired outcomes and outputs by phase.
– Scope
  • Describes the limits placed on phases.
– Services
  • Describes the services that will be delivered by phase.
– Timing
  • Describes the timelines associated with the implementation of the phase.
– Activities
  • Describes the activities that will be undertaken to implement the phase.
– Infrastructure
  • Describes the newly introduced and retired components relative to the phase.
Banner Identity Management Goals
• Allow Ellucian Applications to work with 3rd Party Enterprise Identity Management Systems.
• Adopt a single/unified Campus Identity definition.
• Support user provisioning to Ellucian applications.
• Support user provisioning from Banner.
• Support user provisioning to Banner.
• Standards-based authentication support.
• Support SSO protocols.
Banner Enterprise Identity Services (BEIS)
• Standards-based architecture
– LDAP
– CAS
– SPML
• Allow Banner to participate in an Enterprise Identity Managed environment.
– Identity Producer
– Identity Consumer
Banner Enterprise Identity Services
• IAM Services supported via BEIS:
– Automated Services
  • Provisioning
  • Deprovisioning
  • Service Provisioning Markup Language (SPML)
– Identity Data Export Utility
  • Batch interface for Identity Data Processing
– Single Sign On
  • Central Authentication Service (CAS) for BANNER Internet Native BANNER (INB) and Self-Service BANNER (SSB) applications
Banner Enterprise Identity Services - Provisioning
• Service Provisioning Markup Language – SPML 2.0
• Outbound Provisioning
– Banner is the Authoritative Source of Identity.
– Target Systems Identity lifecycle management.
• Inbound Provisioning
– Banner is Non-Authoritative for Identity.
• Can I do both Inbound and Outbound?
– Yes!
Identity Provisioning with Enterprise IdM - with Banner Authoritative
[Diagram labels: Banner; Banner Identity XML; Identity Topic; Banner Identity Gateway; UDC Identity XML; Identity Proxy; UDC Identity XML in SPML (SPML 2.0); Vendor Enterprise Identity Manager; Create User Workflow; Provision User; Luminis; Identity Store]
Identity Provisioning with Enterprise IdM - Banner as Consumer
[Diagram labels: Other Authoritative Source; Vendor Enterprise Identity Manager; Create User Workflow; UDC Identity XML in SPML; Provision User; Identity Store; Luminis; Banner Identity Gateway; Banner]
BEIS Components
[Component diagram, hosted on Oracle Database and WebLogic 11g Basic Domain]
• Batch Utilities
– Identity Data Export Utilities (IDEU)
– IDEU Schema gokuuid
• Provisioning Components
– Banner Identity Gateway (BNIG)
– bnixmgr schema
– gp_streams_util
– Oracle Streams
– gp_udc_user_provision
– Identity Topic (app server JMS)
– Identity Proxy Services (IdProxy)
– identmgr schema
– SPML LDAP Adapter
• Single Sign-on Components
– CAS validation service
– SSO Manager
– ssomgr schema
Identity Data Export Utilities
• UDC Identifier Assigner – generates GUIDs for all living persons in the Banner database.
• UDCIdentity Extractor – creates a UDCIdentityList structure.
• LDIF Generator – generates an LDIF file from a UDCIdentityList XML document.
• SPML Publisher – publishes SPML messages from a UDCIdentityList XML document.
• File Operations – download and delete files created by IDEU.
[Diagram labels: Batch Utilities; Identity Data Export Utilities (IDEU); IDEU Schema gokuuid]
[Diagram labels: Database Server; Application Server (WebLogic 11g Basic Domain); BEIS Components (batch utility runtime); Identity Data Export Utilities; Banner; Assign; Extract; IDEU DB; LDIF; Publish; LDAP Adapter; Enterprise Directory; Identity Management System/Solution]
Banner Identity Gateway
Transforms Banner Identity XML messages to UDCIdentity XML messages.
• It is both a Consumer and a Producer.
– Consumes Banner Identity XML messages from the Banner Identity Topic.
– Publishes UDCIdentity XML messages to the UDC Identity Topic.
• Deployed to the WebLogic Server.
• Provides a host of functional and administrative services.
– For example, a GUID service for the creation of globally unique identifiers.
• Administrative management console.
• For Inbound Configuration Scenarios
– Banner Identity Gateway serves as the SPML Provisioning Service Target (PST) for inbound provisioning.
– Banner Identity Proxy Service is bypassed.
Banner Identity Proxy Service
Consumes UDCIdentity XML messages from the UDC Identity Topic.
• As the RA, it will POST SPML messages to the defined PSPs.
– SPML Request Authority (RA) – Registered agent for the creation of well-formed SPML provisioning requests.
– Provisioning Service Provider (PSP) – Service which satisfies provisioning service requests from an RA (consumes SPML messages).
– Provisioning Service Targets (PST) – Actual end points for the identity data.
[Diagram labels: ID Proxy; PSP; IBM; LDAP; Workflow]
BEIS Authentication Support – SSO Manager
Supports three ways to allow applications to authenticate users.
• Local Native Authentication
– We continue to support the current authentication methods for SSB and INB.
• LDAP Authentication
– Applications can authenticate with a configured LDAP directory server.
– Allows a common login identifier and credential to be shared by all applications.
• Token-based Authentication
– Applications support a pre-authenticated token used to establish user identity.
– Supports Identity Management controlled environments and provides support for SSO protocols (CAS).
Single Sign On
[Diagram: Web Browser, Web Gate, SSO Manager, Authentication Server and the Digital Campus Application Web Tier, with numbered steps 1 to 3 and an SSO Token. Captions:]
• User goes to access Digital Campus Applications through a browser.
• If no SSO Token, Web Gate will redirect browser to Auth Server.
• SSO Manager: provides http token with UDC ID.
• Authentication Server: Sun, Oracle, Novell, CAS / Other Web ISO…
• Digital Campus Application Web Tier: Banner Self Service (or Workflow, Luminis, etc…)
BANNER Configuration
• GUBUMAP
– Maps entity PIDM to UDC_ID
• GOBTPAC
– Trigger to generate BEIS event
– External User by default maps to LDAP login
– PIN can be extracted to default LDAP password
• GOBEACC
– Maps entity PIDM to Oracle login
– Required for INB and BANNER XE Administrative applications that use Oracle login access controls
BANNER Configuration
• Possible New Administrative Tasks
– Create BANNER entity accounts for all INB and BANNER XE administrative accounts
• All Oracle BANNER application users must be mapped in GOBEACC
– Map BANNER Entity to Oracle Login
• (see above)
LDAP Configuration
• GUBUMAP
– CAS asserted UDC ID must be populated in this table
• GOBEACC
– BEIS SSO Manager and Administrative XE applications must be able to look up the Oracle login via the entity PIDM from this table
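Added example (not from the original slides or from Ellucian): the lookup chain the two configuration slides describe, from a CAS-asserted UDC ID to a PIDM (GUBUMAP) to an Oracle login (GOBEACC), with every missing or ambiguous row treated as a denial. The table names are from the slides; the column names, the sample rows and the helper functions are assumptions made for illustration.

```python
import sqlite3
from collections import namedtuple

Result = namedtuple("Result", "allowed pidm oracle_login reason")

def build_sample_db():
    """Constructed sample rows. Table names are from the slides; the column
    names (udc_id, pidm, oracle_login) are assumptions, not Banner's schema."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE gubumap (udc_id TEXT, pidm INTEGER);
        CREATE TABLE gobeacc (pidm INTEGER, oracle_login TEXT);
        INSERT INTO gubumap VALUES ('UDC-0001', 1001), ('UDC-0002', 1002),
                                   ('UDC-0003', 1003), ('UDC-0003', 1004);
        INSERT INTO gobeacc VALUES (1001, 'JSMITH');
    """)
    return db

def resolve_login(db, udc_id, needs_oracle_login):
    """Resolve a CAS-asserted UDC ID to a PIDM and, for INB or administrative
    XE access, to an Oracle login. Any missing or ambiguous row denies."""
    pidms = db.execute(
        "SELECT pidm FROM gubumap WHERE udc_id = ?", (udc_id,)).fetchall()
    if len(pidms) != 1:
        why = "no GUBUMAP row" if not pidms else "ambiguous GUBUMAP rows"
        return Result(False, None, None, why)
    pidm = pidms[0][0]
    if not needs_oracle_login:
        return Result(True, pidm, None, "mapped")
    logins = db.execute(
        "SELECT oracle_login FROM gobeacc WHERE pidm = ?", (pidm,)).fetchall()
    if len(logins) != 1:
        return Result(False, pidm, None, "no unique GOBEACC row")
    return Result(True, pidm, logins[0][0], "mapped")

def audit(db):
    """List every mapped UDC ID that could not reach an Oracle login."""
    ids = [r[0] for r in db.execute(
        "SELECT DISTINCT udc_id FROM gubumap ORDER BY udc_id")]
    return {u: resolve_login(db, u, True).reason
            for u in ids if not resolve_login(db, u, True).allowed}

if __name__ == "__main__":
    db = build_sample_db()
    for udc in ("UDC-0001", "UDC-0002", "UDC-0003", "UDC-9999"):
        print(udc, resolve_login(db, udc, needs_oracle_login=True))
    print(audit(db))
```

Running the audit before enabling SSO shows which accounts still need the GOBEACC mapping that the administrative-tasks slide calls for.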
Questions