Identity Management at UHI Millennium Institute
Mar 26, 2015

Page 1: Identity Management at UHI Millennium Institute

Jem Taylor, Head of Strategy & Development
UHI Learning & Information Services
jem.taylor@uhi.ac.uk

Page 2: UHI advertising

• UHI is important for the Highlands & Islands region and is an exciting place to work
– You want to hear about IDM
– I want to talk about UHI and what we are doing
– 30 slides in 45 minutes: 90 seconds per slide
– So I will press on to the IDM part quite quickly

Page 3: UHI Mission

“To establish for the Highlands and Islands of Scotland a collegiate university which will reach the highest standards and play a pivotal role in our educational, economic, social and cultural development”

Page 4: The UHI Challenge

Distance, Geography, Cost, Service Provision

[Map of the Academic Partners: Shetland College, NAFC, Orkney College, Thurso College, Lews Castle College, SMO, Inverness College, Moray College & HTI, Argyll College & DML, Perth College, EO, SFIA]

Page 5: A short history …

• 1993: The University of the Highlands and Islands Project “UHIp”

• A dozen partners including 8 FE colleges, a NERC research institute, a statutory body, an industry-funded college, etc

• All partners have an independent IT history and therefore a dozen different legacies

Page 6: The Dark Ages …

• 1995: kilostream-based connections between UHI’s Academic Partners
– Shared JANET connection
– Very basic email for a very few staff

• UHI employs its first three staff

Page 7: The Middle Ages …

• Summer 1996: integrated service: ISDN-6 VC
– 12 studios, 12-way ISDN MCU, BT lines
– SOEID funded, so gives desired illusion of being free at the point of use

• September 1996: Millennium Commission announces £33m funding in c. £100m initiative

• Feb 1997: new offices, new staff, 3yr plan
– More and faster kilostream connections (change of the cost trade-off between systems and telecoms)

Page 8: Early Modern History …

• 1998: UHI WAN project
– High Speed networking – 45Mbit/sec
– Interim upgrades to 2Mbit/sec

• UHI needed to build a WAN so as to be able to …
– Share facilities and costs across UHI
  • Share costs of JANET & Internet access
  • One WWW server, many ‘web sites’
  • Other ‘server’ facilities, e.g. E-mail
  • Videoconferencing across data network
– Reduce other costs
  • e.g. telephony costs on PSTN
– Enable Campus-style collaborative working

Page 9: Check the map scale …

[Map of UHI’s territory with scale markers: 300 miles, 150 miles]

• UHI’s territory covers over half of Scotland
• 1/6th of the UK’s area
• 1/60th of the UK’s total population
• HE + FE accessed by about 25,000 distinct people every year
• Most FE students are ‘low FTE’

Page 10: The UHI Network

• UHI staff & students are connected by high bandwidth network
– internet, email, telephone and video conferencing
– Effectively a regional ‘campus LAN’ organised by location rather than by department
– Multiple ‘private’ IP data networks
– Internal telephony for UHI
– Future proof: Video; student broadcasting etc.

• UHI LIS looks after shared/common systems
– Shared corporate systems
– Single internal eDirectory

[Network diagram with labels: ClydeNet, SoL, AbMAN, EastMAN, FATMAN, JANET]

Page 11: UHI Today …

• April 2001: an HEI with SHEFC funding

• AY 2004/5: over 3,800 student FTEs
– 50% over age 25, 50%:50% gender balance, more than 5,200 enrolments

• New Year 2005: moved to new HQ, this time moving about 70 staff over weekend

• 2007: University title ?

Page 12: UHI IDM problem

• Complex / diverse IT environment …

• Shared / common Student Records system …

• ICT and Library systems need to be available to all students …

• IT Administrative overhead costs …

• Student Records quality & timeliness …

Page 13: Student Records

[Diagram of the Student Records system, with boxes: Current Students, Assessment, Award or Progression, Attendance, Funds & Bursary, SQA interface, SQA, Module Registration, Class List, Assessment Register]

Page 14: Student Records rôle in ‘business’

[Diagram: the Student Records system (Current Students, Assessment, Award or Progression, Attendance, Funds & Bursary, SQA interface, Module Registration, Class List, Assessment Register) surrounded by the external bodies and internal systems it serves]

• UCAS: national admissions system for full-time HE
• SLC: Student Loans Company
• SQA: Entry qualifications
• SAAS: Student funding
• HESA: HE statistical returns
• FES: FE statistical returns
• SFC: Scottish FE and HE funding council
• SQA: Registration & Awards
• Manage & run UHI: UHI RAM
• IDM: LIS & ICT systems

Page 15: IDM as part of the ‘business’

[Diagram of IDM within the business process, with boxes: incoming Students; Course enrolment; Module registrations; Student Records (Current Students, Assessment, Award or Progression, Attendance, Funds & Bursary, SQA interface, SQA, Module Registration, Class List, Assessment Register); Minerva People; Minerva Groups; IDM; UHI username/password (Directories); UHI email (GroupWise); H:/ folder (NetWare); UHI library borrower (OLIB) PAT; ESi; Library card / ID card; VLE teaching group (CLAN vle)]

Page 16: Why ?

• Save IT and Library staff trouble?
– It does, but that is not why we are doing it

• Make sure all students are enrolled? – YES

• Make Student Records a *management tool* for the business instead of being just a record of what has already happened

Page 17: When ?

• Allocate accounts *before* enrolment so as to assist induction processes
– As soon as details are available
– Only applies to students who go through some kind of records processing before enrolment
– No help for ‘walk-ins’ (but nothing is)

• Lock accounts on the day individual students are *due* to leave (planned expiry)

• No ‘summer gap’ for continuing students
– No summer clearouts anymore: only delete expired accounts, and should be able to do so in-year

Page 18: Student lifecycle

[Timeline diagram: application, enrolment on a (multi-annual) course (1st year, 2nd year), then (another) course. Account events along the timeline: Create with planned expiry; Unlock and extend; Lock on expiry]
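The lifecycle on pages 17 and 18, as an added example that is not from the original deck or from UHI's Siva/IDM code: a create-or-modify feed driven by the end date held in the student record, with a nightly job that locks on planned expiry and deletes only accounts that have stayed locked past a grace period. Class and field names and the 90-day grace period are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date, timedelta
# Constructed illustration, not UHI's Siva/IDM code: the account lifecycle from the
# slides, driven by student-record events. Names and the grace period are assumptions.

@dataclass
class Account:
    username: str
    expiry: date                 # planned expiry: the day the student is *due* to leave
    locked: bool = False
    history: list = field(default_factory=list)

class LifecycleIdm:
    """Create with planned expiry; unlock and extend on re-enrolment; lock on expiry; delete only expired accounts."""
    GRACE = timedelta(days=90)   # assumed retention before a locked, expired account is deleted

    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}

    def on_record(self, username: str, end_date: date) -> Account:
        """Create-or-modify, run as soon as record details exist (before enrolment).
        The record's end date is authoritative: later on re-enrolment, earlier on withdrawal."""
        acct = self.accounts.get(username)
        if acct is None:
            acct = Account(username, end_date, history=["create"])
            self.accounts[username] = acct
        else:
            # Continuing or returning student: no summer gap, just move the end date.
            acct.expiry = end_date
            if acct.locked and end_date >= date.today().min:
                acct.locked = False
                acct.history.append("unlock")
            acct.history.append("modify")
        return acct

    def nightly(self, today: date) -> dict[str, list[str]]:
        """Lock anything past its planned expiry; delete only accounts locked beyond GRACE."""
        locked, deleted = [], []
        for name, acct in list(self.accounts.items()):
            if not acct.locked and acct.expiry < today:
                acct.locked = True
                acct.history.append("lock")
                locked.append(name)
            elif acct.locked and acct.expiry + self.GRACE < today:
                del self.accounts[name]
                deleted.append(name)
        return {"locked": locked, "deleted": deleted}
```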

Page 19: How will ID flow around?

• Novell Identity Manager
– Student records (STAFF & STUDENTS) to IDM system
– IDM system to eDirectory
– IDM system to Active Directory
– eDirectory to GroupWise
– Password synchronisation: all of the above

• Siva2
– eDirectory to everywhere else: CLAN vle, MVN forum, self-provisioning through GuanXi IdP, Shibb world, etc.
– Alistair Young is our software development ID expert

Page 20: ID Flow design

[Diagram: SITS:Vision student record holds permanent identity (STU table, PRS table); UHI_IDM_TREE identity management system creates/modifies into UHI_NDS_TREE production eDirectory and UHI.AD production Active Directory, with password sync to each; eDirectory creates UHI.AC.UK production GroupWise; Siva2 creates/modifies via the self-service portal. Driver labels: DEP1, REG4, IDM-AD]

Page 21: Comparison: Siva1

• Home-made: very flexible but requires in-house effort for maintenance and development
• Create-only: seek and ignore existing accounts
• Deals with Students only
• Logic for user account defaults is in Java code
• ‘pliers’ utility to get data from SITS: unreliable
• Although Java code, method for GroupWise is Windows™ only: would prefer to be on Linux

Page 22: Comparison: IDM + Siva2

• Identity Manager
– Manufacturer supported: drivers available for other systems too
– Create or Modify logic, including changing end-date / withdrawal
– SITS:Vision source for Staff as well as Students
– New ORACLE based ‘minerva’ utility for feeder: more robust
– Will be able to feed other future ID sources into the same place
– Uses eDirectory template objects to define defaults for new users
– Runs natively on Novell NetWare, Windows™ and Linux platforms
– Web-based control interfaces based on iManager

• Siva2
– Will run from triggers in the eDirectory API
– Will not care how user is created: will fire for manual creates
– Can do anything, including modify eDirectory accounts

Page 23: Siva Connected Systems

• CLAN vle (which is heavily Groups based)

• MVN forum (ditto)

• GuanXi Identity Provider for Shibboleth

• and everything else we build ourselves

Page 24: What about Citrix?

• Citrix likes Active Directory
• We decided to offer a UHI-wide Active Directory …
– In parallel with e-Directory, not instead of
– With the same content in both technologies

• Our service offering is now Content instead of Technology
– Our users can use either (any) technology
– Our job is to assure & sync the information

Page 25: Simplified ID Flow for Citrix

[Diagram: SITS:Vision student record holds permanent identity (STU table, PRS table); create/modify into UHI_NDS_TREE production eDirectory; create/modify and password sync to UHI.AD production Active Directory; create into UHI.AC.UK production GroupWise; Siva2. Driver labels: REG5, IDM-AD; one box labelled “Magic”]

Page 26: Citrix needs to login to NetWare…

• Citrix uses Active Directory authn
• But all Home Drives (H:) are NetWare
• Citrix has tools for login to both worlds
• But it doesn’t work ‘out of the box’ because we need Location at Login …
• Behind the scenes, LDAP contextless login fails
– Citrix can’t find the user’s e-Directory context

Page 27: Call a consultant !

• If all our users lived in the same context Citrix would work just fine …

• With IDM, they can !

• A bespoke IDM driver maintains a ‘secret’ area in the e-Directory …

• This is a flat space with an alias for each user …

• All users appear in the same context

Page 28: IDM to the rescue!

• All users appear in the same context …
• All users are also in their real context …
• Novell choice dialogue at normal login
• So …
– Carefully hide the Aliases container from all e-Directory users except IDM & Citrix
– Take care not to break aliases
– Tighten up so that all users are maintained by IDM (not by technicians)
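The alias approach on pages 27 and 28, as an added example that is not UHI's bespoke IDM driver: building the flat alias container, the contextless lookup Citrix needs, and checks for the two risks the slides name, broken aliases and a flat namespace in which usernames from different partner contexts collide. The container DN and the IDM/Citrix service identities are assumptions.

```python
from __future__ import annotations

# Constructed illustration, not UHI's bespoke IDM driver: the flat alias container that
# lets Citrix resolve a username without knowing its context, plus the checks the slides
# call for. Container name and service identities are assumptions.
ALIAS_BASE = "ou=aliases,o=uhi"
ALIAS_READERS = {"cn=idm,o=uhi", "cn=citrix,o=uhi"}

def build_aliases(users: dict[str, str]) -> dict[str, str]:
    """Map alias DN (flat container) -> real user DN. eDirectory names are
    case-insensitive, so a username that repeats in two partner contexts cannot
    be aliased into one flat space; refuse rather than silently overwrite."""
    aliases: dict[str, str] = {}
    for name, real_dn in users.items():
        alias_dn = f"cn={name.lower()},{ALIAS_BASE}"
        if alias_dn in aliases:
            raise ValueError(f"alias collision: {aliases[alias_dn]} and {real_dn}")
        aliases[alias_dn] = real_dn
    return aliases

def contextless_login(username: str, aliases: dict[str, str]) -> str | None:
    """What Citrix needs: the user's real context from the username alone."""
    return aliases.get(f"cn={username.lower()},{ALIAS_BASE}")

def broken_aliases(aliases: dict[str, str], real_dns: set[str]) -> list[str]:
    """Aliases whose target no longer exists, e.g. a user moved or deleted by hand."""
    return sorted(a for a, target in aliases.items() if target not in real_dns)

def can_read_aliases(requester_dn: str) -> bool:
    """The container is hidden from every directory user except IDM and Citrix."""
    return requester_dn in ALIAS_READERS
```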

Page 29: Next Up

• Bread & butter IDM becomes responsibility of records-oriented staff who know the data
– Handle withdrawals etc. based on Academic Regulations (policy basis)

• Provide more subtle information based on the information content of the student record
– e.g. to run Sharepoint need up-to-the-minute Groups management in the Directory
– Same communities as in Siva but distinct IDM flow
– Common vocabulary so staff (users) can understand

Page 30: Technology

• Designer for Identity Manager on Windows XP
– Very good tool
– Has all the basic drivers
– Use to control and deploy, as well as to design

• IDM3 on NetWare/ED
– For eDirectory accounts
– For GroupWise accounts

• IDM3 on W2003/AD+ED
– For AD accounts

Page 31: Development IDM platform

• Same scale and structure as the real environment
– Want to be able to copy IDM drivers back and forth easily

• Designer for Identity Manager
– Drivers dataflow and modification

• IDM3 on NetWare/ED
– VNC view of DSTRACE

• IDM3 on W2003/AD and W2003/ED
– VNC view of dstrace

• iManager
– Control of migration, driver On/Off, etc.

• Big fat VMware server with half a dozen virtual servers
– Development environment is an important system worth resourcing

Page 32: Thank You!

Q & A