
Identity and Access Management

IST Retreat 2008

WATIAM Basic Timeline

• Licence, agreement, SOW, initial training, scope (Jun-Sep 07)

• Requirements phase (Oct-Nov 07)

• Design phase (Dec-Jan 08)

• Development, test, prototype infrastructure (Jan 08)

• Build phase (Mar-May 08)

• Production environment (Jun 08)

• Acceptance testing (Jul-Aug 08 TBD)

• Go-live (Aug-Oct 08 TBD)

Phase I Scope

UWdir (“ego”) replacement, redesign and enhancements:

• interfaces for Quest, HR, CECS, ODAA, Telephone Services

• constituencies to include faculty, staff, students, applicants, employers, alumni, guests, etc.

• provisioning for identity and accounts in IDM to ADS, file shares and user profiles, Unix

• delegated administration (e.g., reports and monitoring, sponsored accounts)

• extracts for Faculties (e.g., email loads, class provisioning)

• white pages

• deprovisioning services (e.g., in-use data in expiry)

• self-service (e.g., registration, password changes, key data element synchronization)

• SOAP/XML service layer for CECS Special Projects

• Blackbaud Netcommunity support for ODAA

UWdir versus WATIAM

• Workflow (automated creates and deletes, identity merges, workflow for changes)

• Real-Time Connectors (HR, Quest)

• Policy Review (initial cleanup)

• New Constituencies (employers, alumni)

• Department Coding (cleanup of codes, labels)

• CSO/PH Removal

• Virtual Identity (multiple roles and extended information)

• Extended Group and Role Information (ADS/bang accounts)

• SOAP/XML Services Layer

• Self-Service (email synchronization, challenge questions)

• JobMine / E-Community Authentication Removal

• Account Reconciliation / Verification

• Technical Stack (Oracle, Java, XML/Express, SUN/JES)

• Authoritative Sources (new definition)

Current Status

• Iterative Builds (latest)
  i. Provisioning (ADS, Unix)
  ii. OpenLDAP (online inquiry)
  iii. HR, Quest, TS connectors
  iv. User self-service
  v. Delegated admin and privileged access
  vi. Life Cycle (create user, update, delete), Precedence and Matching rules

• Work Pending
  i. Extract files (Faculty, HR, etc.)
  ii. CECS & ODAA interface
  iii. New hardware
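As an added illustration of what the life-cycle, precedence and matching rules and the account reconciliation items above involve (this is example code written for this page, not WATIAM code and not from the slides), the script below feeds constructed HR and Quest records through three assumed matching rules, lets the higher-ranked source win disagreements, and then compares the resulting identity store against a constructed ADS account listing to flag orphan accounts (deprovisioning candidates) and missing accounts (provisioning gaps). The source names, precedence order, attribute names and rules are all assumptions.

```python
"""Identity matching, source precedence and account reconciliation, as an
added example. Sources, attributes, precedence and rules are assumed."""
from dataclasses import dataclass, field

# Assumed precedence: a lower number wins when two sources disagree.
SOURCE_PRECEDENCE = {"HR": 0, "Quest": 1}


@dataclass
class SourceRecord:
    source: str      # feeding system, e.g. "HR" or "Quest"
    source_id: str   # that system's own key for the person
    attrs: dict      # attributes the source asserts


@dataclass
class Identity:
    uid: str
    attrs: dict = field(default_factory=dict)
    attr_source: dict = field(default_factory=dict)  # attr -> source that set it
    source_ids: dict = field(default_factory=dict)   # source -> source_id
    active: bool = True


def find_match(identities, rec):
    """Assumed matching rules, strongest first; None means 'new person'."""
    # Rule 1: this source is already linked under the same key.
    for ident in identities:
        if ident.source_ids.get(rec.source) == rec.source_id:
            return ident
    # Rule 2: exact match on a shared person identifier.
    pid = rec.attrs.get("person_id")
    if pid:
        for ident in identities:
            if ident.attrs.get("person_id") == pid:
                return ident
    # Rule 3: surname, date of birth and email all present and equal.
    keys = ("sn", "dob", "mail")
    for ident in identities:
        if all(rec.attrs.get(k) and rec.attrs[k] == ident.attrs.get(k) for k in keys):
            return ident
    return None


def apply_record(identities, rec):
    """Create or update an identity from one source record.
    Returns (identity, "create" | "update")."""
    ident = find_match(identities, rec)
    action = "update"
    if ident is None:
        ident = Identity(uid=f"u{len(identities) + 1:04d}")
        identities.append(ident)
        action = "create"
    ident.source_ids[rec.source] = rec.source_id
    for key, value in rec.attrs.items():
        owner = ident.attr_source.get(key)
        # Precedence: overwrite only if this source ranks at least as high
        # as the source that last set the attribute; otherwise keep it.
        if owner is None or SOURCE_PRECEDENCE[rec.source] <= SOURCE_PRECEDENCE[owner]:
            ident.attrs[key] = value
            ident.attr_source[key] = rec.source
    return ident, action


def reconcile(identities, provisioned_uids):
    """Compare the identity store with accounts seen on a target (e.g. ADS).
    Returns (orphans, missing): orphans are target accounts with no active
    identity behind them; missing are active identities with no account."""
    active = {i.uid for i in identities if i.active}
    provisioned = set(provisioned_uids)
    return sorted(provisioned - active), sorted(active - provisioned)


def demo():
    """Run a constructed two-source feed and a constructed ADS listing."""
    identities = []
    feed = [  # constructed sample records, not real data
        SourceRecord("Quest", "q-1001", {"person_id": "P1", "sn": "Ng",
                     "givenName": "Alice", "dob": "1988-02-03",
                     "mail": "alice@example.edu"}),
        SourceRecord("HR", "h-42", {"person_id": "P1", "givenName": "Alicia",
                     "dept": "CS"}),
        SourceRecord("HR", "h-77", {"person_id": "P2", "sn": "Roy",
                     "givenName": "Ben", "dept": "Math"}),
        # Quest re-sends the old given name; HR outranks it, so no overwrite.
        SourceRecord("Quest", "q-1001", {"givenName": "Alice"}),
    ]
    for rec in feed:
        apply_record(identities, rec)
    orphans, missing = reconcile(identities, ["u0001", "u0003"])
    return identities, orphans, missing


if __name__ == "__main__":
    ids, orphans, missing = demo()
    for i in ids:
        print(i.uid, i.attrs, i.source_ids)
    print("orphan accounts:", orphans, "missing accounts:", missing)
```

The precedence check is per attribute rather than per record, so a lower-ranked source can still fill attributes the authoritative source never supplies (here Quest contributes the surname and email that HR omits), while the reconciliation step is what turns a deprovisioning policy into something auditable: every account on the target that no active identity explains is reported rather than silently tolerated.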

Good, Bad, Ugly

… lessons learned, challenges, …

• resource changes

• training course availability

• “virtual” concept

• leading edge (evolving product)

• initial scoping exercise and terminology

• consultants and tools

• proof of concept value

• toolkit (Express, workflow)

Other Project Activities

• Audit (de/provisioning, account reconciliation, technical stack, security)

• Hardware (T5520s)

• Training

• Web Site: http://www.adm.uwaterloo.ca/infoidm/

SUN User Group

• 1st Canadian meeting – Toronto May 2008

Presentations / Topics Examples

• Bell (36 HR systems, contractors)

• WSIB (version control, upgrade cycles)

User Group Themes / Tidbits

I. Go slowly

II. Lots of discussion around Federation

III. Not much “out of the box” (lots of configuration)

IV. Common pitfalls (trying to get all the roles, going it alone, clean data)

V. OpenID initiative (self-managed ID)

VI. ERP

Product Roadmap

• We have release 7.1

• Release 8.0 (Summer 2008)
  i. Role manager

• Release 9.0 (TBD 2010)
  i. Decoupled connectors
  ii. Open source

Full Suite (Access/Fed, ID Mgr, Directory Serv, Open SSO, Role Mgr, Open DS)

Peer (SUN) Institutions

• Western (business analysis June 2007 to present)

• Guelph (postponed due to CIO re-org, reinitiation imminent)

• Queens (initial focus on staff/faculty, student work beginning)

Phase II

• Access Manager (web authentication, SSO)

• Federation (edupass, TUG, BBNC)

• Faculty Provisioning

More Phase II

• Quest post-upgrade (real-time)

• Synch-back (accounts and data for HR, Quest, Telephone)

• MS Exchange (provisioning)

• Continuing Ed (campus view)

• Enhanced matching (address, etc.)

Links

http://www.adm.uwaterloo.ca/infoidm/

http://www.sun.com/software/products/identity/index.jsp

Questions & Discussion