SUNY System Administration Federation Overview

Gavin HoganJuly 15th, 2009

A work in progress….

2

Agenda

• Overview of SUNY

• Overview of IdM History at SUNY

• Federation/IdM Roadmap

• The Oracle Experience to date.

3

Overview of SUNY• 64 Campuses.

– Plus Research Foundation and Other Entities

• Total Enrollment :438,361

• SUNY Employees : 87,362

• $11B Annual Budget

4

History of IdM for SUNY

Mainframe:• Centralized Management.• Decentralized Management.Portal/Web Phase I• Leverage Mainframe for AuthN.• Migrate to Distributed AuthN (LDAP/POP)• Centralized Entitlements with distributed

Management.

5

Distributed AuthenticationThis is our current mode of operation.• About 60 campuses have enabled LDAP.• Entitlement and Access Control engine is

Home Grown• Protects Business Services ONLY at System

Administration.• Credential Management is maintained at

home campus.• Low learning curve, easy to implement.

6

Systems Integrated With SUNY SSO• Financial/Accounting• Human Resources and Payroll• Institutional Research Data Collection

and Reporting• Business Intelligence• Student Enrollment/Application

Processing

7

Systems Targeted For Integration

• Other Agencies: State Controllers Office

• Campus Student Information Systems

• UWide and Campus Confluence Wikis

• Lots of 3rd Party Software.

8

9

Moving to SUNY Federation• Created a task force to establish shared

attribute specifications.

• Work on populating attributes at campuses.

• Evaluating Technologies; modifications to existing systems

• False starts and personnel departures.

10

Key Motivations• Put more control into the hands of the

campuses.• User convenience, better SSO.• Improving audit compliance/capabilities• Integrate with other entities through a

standard channel.

11

Implementation Team• System Administration

– Centralized IT Services

• Information Technology Exchange Center (ITEC)– Campus Services and Support

• Alliance for Strategic Technologies.– Combined view for the whole University.

12

Key Sponsors• SUNY System Administration

– Central Business Offices– Office of Administrative Technologies

• SUNY ITEC– Campus clients

13

SUNY Shared Attributes• eduPerson attributes

• Mail, telephone, postalAddress etc

• sunyPerson attributes– Student ID– Person/Emplolee ID

14

Shibboleth POC• The shibboleth POC started with 1.x

• Moved on to a 2.0 implementation.

• Was used to a establish technological proving ground for the team.

• Highly likely to be used by many campuses as IdP.

• Original team moved on from SUNY.

15

Oracle POC• Oracle has a large suite of IdM software,

including a federation component (OIF). • Solution is complicated, but it covers a lot of

ground.• OIF is really a light weight SAML2 gateway

for the Oracle Access Manager• OAM could replace much of our existing

Security system.

16

Oracle POC• Oracle consulting engaged for the POC

• Shibboleth2 support has been assured by Oracle, we will hold them to that.

• Shibboleth1 support is expected to be available in the next release – 11G.

17

Oracle POC - Scope• The scope of the project is small.

• Prove that OAM/OIF can protect a federated Oracle Business Intelligence server.

• Prove that users can navigate back and forth across a local and a federated OBI server with a single sign-on session.

18

Oracle POC - Scope

• OIF Acting as a service provider must interact with a Shibboleth2 identity provider.

19

Why Oracle• Oracle is a primary technology partner

for SUNY

• Good relationship since 1987

• The SUNY CIO negotiated for a full University license of the IdM suite at a very good price.

• The suite is fully featured.

20

The Oracle Experience.• For several months we have been

drafting a consulting engagement with Oracle.

• We had difficulty coming to a technological design/approach.

• Product management is very interested in out project and provided some expertise to help Oracle Consulting.

21

The Oracle Experience.• For several months we have been

drafting a consulting engagement with Oracle.

• Oracle Consulting had difficulty coming to a technological design/approach.

• The project has been nearly derailed multiple times through a lack of professionalism from Oracle Consulting.

Does it work?

Check back in a few months.

23

Next Steps.• UWide Entitlements.

• Training – The Oracle Product Is Lacking Training.

• Non SUNY Integrations.

24

Contact me:

Gavin.Hogan@suny.edu