
Identity Management at UHI Millennium Institute

Jem Taylor
Head of Strategy & Development, UHI Learning & Information Services
jem.taylor@uhi.ac.uk

UHI advertising
UHI is important for the Highlands & Islands region and is an exciting place to work
You want to hear about IDM; I want to talk about UHI and what we are doing

30 slides in 45 minutes: 90 seconds per slide, so I will press on to the IDM part quite quickly

UHI Mission
To establish for the Highlands and Islands of Scotland a collegiate university which will reach the highest standards and play a pivotal role in our educational, economic, social and cultural development

The UHI Challenge
Distance
Geography
Cost
Service Provision

(Map of the Academic Partners: NAFC, Shetland College, Orkney College, Thurso College, Lews Castle College, Inverness College, SMO, EO, SFIA, Argyll College & DML, Perth College, Moray College & HTI)

A short history
1993: The University of the Highlands and Islands Project (UHIp)
A dozen partners including 8 FE colleges, a NERC research institute, a statutory body, an industry-funded college, etc.
All partners have an independent IT history and therefore a dozen different legacies

The Dark Ages
1995: kilostream-based connections between UHI's Academic Partners
Shared JANET connection
Very basic email for a very few staff
UHI employs its first three staff

The Middle Ages
Summer 1996: integrated service: ISDN-6 VC
12 studios, 12-way ISDN MCU, BT lines
SOEID funded, so gives desired illusion of being free at the point of use
September 1996: Millennium Commission announces 33m funding in c. 100m initiative
Feb 1997: new offices, new staff, 3yr plan
More and faster kilostream connections (change of the cost trade-off between systems and telecoms)

Early Modern History
1998: UHI WAN project
High Speed networking 45Mbit/sec
Interim upgrades to 2Mbit/sec
UHI needed to build a WAN so as to be able to:
Share facilities and costs across UHI
Share costs of JANET & Internet access
One WWW server, many web sites
Other server facilities, e.g. E-mail
Videoconferencing across data network
Reduce other costs, e.g. telephony costs on PSTN
Enable Campus-style collaborative working

Check the map scale
(Map with 150 mile and 300 mile scale bars)
UHI's territory covers over half of Scotland: 1/6th of the UK's area, 1/60th of the UK's total population.
HE + FE accessed by about 25,000 distinct people every year
Most FE students are low FTE

The UHI Network
UHI staff & students are connected by high bandwidth network: internet, email, telephone and video conferencing
Effectively a regional campus LAN organised by location rather than by department
Multiple private IP data networks
Internal telephony for UHI
Future proof: Video; student broadcasting etc.
UHI LIS looks after shared/common systems
Shared corporate systems
Single internal eDirectory

(Network diagram: AbMAN, FATMAN, ClydeNet, SoL, EastMAN, JANET)

UHI Today
April 2001: an HEI with SHEFC funding
AY 2004/5: over 3,800 student FTEs
50% over age 25, 50%:50% gender balance, more than 5,200 enrolments
New Year 2005: moved to new HQ, this time moving about 70 staff over a weekend
2007: University title?

UHI IDM problem
Complex / diverse IT environment
Shared / common Student Records system
ICT and Library systems need to be available to all students
IT Administrative overhead costs
Student Records quality & timeliness

Student Records
(Diagram of Student Records processes: Funds & Bursary, Attendance, Class List, Current Students, Module Registration, Assessment Register, Assessment, Award or Progression, and the SQA interface to SQA)

Student Records' role in business
(Diagram: the same Student Records processes, Module Registration, Assessment Register, Funds & Bursary, Attendance, Class List, Current Students, Assessment, Award or Progression and the SQA interface, connected to the external bodies below)
SAAS: Student funding
SQA: Registration & Awards; Entry qualifications
HESA: HE statistical returns
UCAS: national admissions system for full-time HE
SFC: Scottish FE and HE funding council
SLC: Student Loans Company
FES: FE statistical returns
Manage & run UHI: UHI RAM, IDM, LIS & ICT systems

IDM as part of the business
(Diagram: incoming Students → Student Records processes → IDM → provisioned services)
IDM provisions, for Current Students:
UHI username/password (Directories)
H:/ folder (NetWare)
UHI email (GroupWise)
UHI library borrower (OLIB)
Library card / ID card
Minerva People
Module registrations → Minerva Groups
Module registrations → VLE teaching group (CLAN vle)
Course enrolment; PAT ESi

Why?
Save IT and Library staff trouble?
It does, but that is not why we are doing it
Make sure all students are enrolled?
YES
Make Student Records a *management tool* for the business instead of being just a record of what has already happened

When?
Allocate accounts *before* enrolment so as to assist induction processes
As soon as details are available
Only applies to students who go through some kind of records processing before enrolment
No help for walk-ins (but nothing is)
Lock accounts on the day individual students are *due* to leave (planned expiry)
No summer gap for continuing students
No summer clearouts anymore: only delete expired accounts, and should be able to do so in-year

Student lifecycle
(multi-annual) course application → 1st year → 2nd year → (another) course enrolment
Create with planned expiry
Lock on expiry
Unlock and extend

How will ID flow around?
Novell Identity Manager
Student records (STAFF & STUDENTS) → IDM system → eDirectory, Active Directory, GroupWise
Password synchronisation across all of the above
Siva2
eDirectory to everywhere else: CLAN vle, MVN forum, self-provisioning through GuanXi IdP, Shibb world, etc.
Alistair Young is our software development ID expert

ID Flow design
SITS:Vision student record holds permanent identity (STU table, PRS table)
create → DEP1 / UHI_IDM_TREE identity management system
Create/modify → UHI_NDS_TREE production eDirectory
Create/modify → UHI.AC.UK production GroupWise (REG4)
Create/modify → IDM-AD UHI.AD production Active Directory
Passwd sync
Selfservice portal
Siva2

Comparison: Siva1
Home-made: very flexible but requires in-house effort for maintenance and development
Create-only: seek and ignore existing accounts
Deals with Students only
Logic for user account defaults is in Java code
pliers utility to get data from SITS: unreliable
Although Java code, method for GroupWise is Windows only: would prefer to be on Linux

Comparison: IDM + Siva2
Identity Manager
Manufacturer supported: drivers available for other systems too
Create or Modify logic, including changing end-date / withdrawal
SITS:Vision source for Staff as well as Students
New ORACLE based minerva utility for feeder: more robust
Will be able to feed other future ID sources into the same place
Uses eDirectory template objects to define defaults for new users
Runs natively on Novell NetWare, Windows and Linux platforms
Web-based control interfaces based on iManager
Siva2
Will run from triggers in the eDirectory API
Will not care how user is created: will fire for manual creates
Can do anything, including modify eDirectory accounts
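The account lifecycle from the "When?" and "Student lifecycle" slides (create with planned expiry, lock on the day the student is due to leave, unlock and extend on re-enrolment, delete only expired accounts and do so in-year), together with the create-or-modify logic contrasted above with Siva1's create-only behaviour, as an added Python example. This is not UHI's Siva or Identity Manager code; the feed rows, usernames, contexts, dates and the 90-day grace period before deletion are constructed assumptions.

```python
# Added example: create-or-modify provisioning with planned expiry.
# Not UHI's Siva/Identity Manager code; feed rows, contexts, usernames,
# dates and the 90-day grace period are constructed assumptions.
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass
class Account:
    username: str
    context: str      # container the user really lives in (eDirectory style)
    expiry: date      # planned expiry, copied from the student record
    locked: bool = False


@dataclass
class Directory:
    accounts: dict = field(default_factory=dict)   # username -> Account


def reconcile(directory, feed, today):
    """Create-or-modify pass over a student-records feed.

    feed rows are (username, context, planned_end_date). A missing account is
    created (already locked if its end date has passed); an existing account
    gets its end date updated, which covers both withdrawal (date brought
    forward) and re-enrolment (date pushed back). A locked account whose new
    end date lies in the future is unlocked: "unlock and extend".
    """
    events = []
    for username, context, end_date in feed:
        acct = directory.accounts.get(username)
        if acct is None:
            directory.accounts[username] = Account(
                username, context, end_date, locked=end_date <= today)
            events.append(("create", username))
            continue
        if acct.expiry != end_date:
            acct.expiry = end_date
            events.append(("modify", username))
        if acct.locked and end_date > today:
            acct.locked = False
            events.append(("unlock", username))
    return events


def lock_expired(directory, today):
    """Lock, never delete, every account whose planned expiry has arrived."""
    locked = []
    for acct in directory.accounts.values():
        if not acct.locked and acct.expiry <= today:
            acct.locked = True
            locked.append(acct.username)
    return sorted(locked)


def purge_expired(directory, today, grace_days=90):
    """Delete only accounts that are locked and past expiry by the grace
    period; safe to run at any point in the year, so no summer clearout."""
    doomed = sorted(u for u, a in directory.accounts.items()
                    if a.locked and a.expiry + timedelta(days=grace_days) <= today)
    for username in doomed:
        del directory.accounts[username]
    return doomed


def demo():
    """Walk one constructed cohort through the lifecycle and report events."""
    d = Directory()
    perth = "ou=students,ou=perth,o=uhi"
    inverness = "ou=students,ou=inverness,o=uhi"
    created = reconcile(d, [("s1001", perth, date(2006, 6, 30)),
                            ("s1002", inverness, date(2006, 6, 30))],
                        today=date(2005, 9, 1))
    # s1002 withdraws: the record now says they are due to leave on 31 Jan
    withdrawn = reconcile(d, [("s1002", inverness, date(2006, 1, 31))],
                          today=date(2006, 1, 10))
    locked_jan = lock_expired(d, date(2006, 1, 31))
    locked_jun = lock_expired(d, date(2006, 6, 30))
    # s1001 re-enrols for another year: modify the end date and unlock
    extended = reconcile(d, [("s1001", perth, date(2007, 6, 30))],
                         today=date(2006, 8, 15))
    purged = purge_expired(d, date(2006, 9, 1))
    return {"created": created, "withdrawn": withdrawn,
            "locked_jan": locked_jan, "locked_jun": locked_jun,
            "extended": extended, "purged": purged,
            "remaining": {u: (str(a.expiry), a.locked)
                          for u, a in d.accounts.items()}}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The point the slides make, and the model keeps, is that expiry is a lock, not a delete: a continuing student's account survives the summer and is simply extended when the next enrolment arrives in the feed, while a withdrawn student is locked on the date the record says, and only locked accounts past their grace period are removed.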

Siva Connected Systems
CLAN vle (which is heavily Groups based)
MVN forum (ditto)
GuanXi Identity Provider for Shibboleth
and everything else we build ourselves

What about Citrix?
Citrix likes Active Directory
We decided to offer a UHI-wide Active Directory
In parallel with e-Directory, not instead of
With the same content in both technologies
Our service offering is now Content instead of Technology
Our users can use either (any) technology
Our job is to assure & sync the information

Simplified ID Flow for Citrix
SITS:Vision student record holds permanent identity (STU table, PRS table)
create → Create/modify → UHI_NDS_TREE production eDirectory
Create/modify → UHI.AC.UK production GroupWise (REG5)
Create/modify ("Magic") → IDM-AD UHI.AD production Active Directory
Passwd sync
Siva2

Citrix needs to login to NetWare
Citrix uses Active Directory authn
But all Home Drives (H:) are NetWare
Citrix has tools for login to both worlds
But it doesn't work out of the box because we need Location at Login
Behind the scenes, LDAP contextless login fails: Citrix can't find the user's eDirectory context

Call a consultant!
If all our users lived in the same context Citrix would work just fine
With IDM, they can!
A bespoke IDM driver maintains a secret area in the e-Directory
This is a flat space with an alias for each user
All users appear in the same context

IDM to the rescue!
All users appear in the same context
All users are also in their real context
Novell choice dialogue at normal login
So:
Carefully hide the Aliases container from all eDirectory users except IDM & Citrix
Take care not to break aliases
Tighten up so that all users are maintained by IDM (not by technicians)
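The alias-container design above, as an added Python example rather than the bespoke UHI IDM driver: a toy directory tree in which a driver-like sync keeps exactly one alias per real user in a flat container, drops aliases whose target has gone, refuses to alias a username that exists in two real contexts, and exposes the flat lookup only to the IDM and Citrix identities. All DNs, usernames, the container name and the reader list are constructed assumptions.

```python
# Added example: flat alias container for contextless login, maintained by a
# driver-like sync and readable only by the IDM and Citrix identities.
# Not the bespoke UHI IDM driver; all DNs, usernames and the container name
# are constructed assumptions.


class DirectoryTree:
    ALIAS_CONTAINER = "ou=aliases,o=uhi"            # the hidden flat space
    READERS = frozenset({"cn=idm-driver,o=uhi",      # only these may read it
                         "cn=citrix-svc,o=uhi"})

    def __init__(self):
        self.users = {}      # real DN -> username
        self.aliases = {}    # username (cn inside ALIAS_CONTAINER) -> real DN

    def add_user(self, username, context):
        dn = f"cn={username},{context}"
        self.users[dn] = username
        return dn

    def remove_user(self, dn):
        del self.users[dn]


def sync_aliases(tree):
    """What the driver must keep true: exactly one alias per real user, no
    alias whose target has gone, and no alias at all for a username that
    occurs in two real contexts (a flat space needs unique names)."""
    created, removed, conflicts = [], [], []
    by_name = {}
    for dn, name in tree.users.items():
        by_name.setdefault(name, []).append(dn)
    for name, dns in sorted(by_name.items()):
        if len(dns) > 1:
            conflicts.append(name)
            continue
        if tree.aliases.get(name) != dns[0]:
            tree.aliases[name] = dns[0]
            created.append(name)
    for name in sorted(tree.aliases):
        if tree.aliases[name] not in tree.users:     # dangling alias
            del tree.aliases[name]
            removed.append(name)
    return created, removed, conflicts


def dangling_aliases(tree):
    """Read-only integrity check: report before anything is moved or deleted."""
    return sorted(n for n, dn in tree.aliases.items() if dn not in tree.users)


def contextless_lookup(tree, requester_dn, username):
    """Resolve a bare username to its real DN through the flat container.
    Anyone outside READERS gets nothing: the container is invisible to them."""
    if requester_dn not in tree.READERS:
        return None
    return tree.aliases.get(username)


def demo():
    t = DirectoryTree()
    perth = t.add_user("jsmith", "ou=students,ou=perth,o=uhi")
    akhan = t.add_user("akhan", "ou=staff,ou=inverness,o=uhi")
    orkney = t.add_user("jsmith", "ou=students,ou=orkney,o=uhi")  # clash
    first = sync_aliases(t)                  # akhan aliased, jsmith refused
    t.remove_user(orkney)
    second = sync_aliases(t)                 # jsmith now unambiguous
    citrix = contextless_lookup(t, "cn=citrix-svc,o=uhi", "jsmith")
    student = contextless_lookup(t, perth, "akhan")   # ordinary user: hidden
    t.remove_user(akhan)                     # a technician deletes a user
    stale = dangling_aliases(t)              # the alias would now be broken
    third = sync_aliases(t)                  # the driver repairs it
    return {"first": first, "second": second, "citrix": citrix,
            "student": student, "stale": stale, "third": third,
            "aliases": dict(t.aliases)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Two of the slide's three cautions fall out of the model directly: the reader check is the "carefully hide the Aliases container" rule, and the dangling-alias sweep is what "take care not to break aliases" costs when accounts are deleted or moved outside IDM, which is why the slide wants all users maintained by IDM rather than by technicians. The username clash is the extra caveat a flat namespace adds: two real users with the same cn cannot both be aliased, so the sync refuses rather than silently choosing one.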

Next Up
Bread & butter IDM becomes responsibility of records-oriented staff who know the data
Handle withdrawals etc. based on Academic Regulations (policy basis)
Provide more subtle information based on the information content of the student record
e.g. to run Sharepoint need up-to-the-minute Groups management in the Directory
Same communities as in Siva but distinct IDM flow
Common vocabulary so staff (users) can understand

Technology
Designer for Identity Manager on Windows XP
Very good tool
Has all the basic drivers
Use to control and deploy, as well as to design
IDM3 on NetWare/ED
For eDirectory accounts
For GroupWise accounts
IDM3 on W2003/AD+ED
For AD accounts

Development IDM platform
Same scale and structure as the real environment
Want to be able to copy IDM drivers back and forth easily
Designer for Identity Manager: drivers dataflow and modification
IDM3 on NetWare/ED: VNC view of DSTRACE
IDM3 on W2003/AD and W2003/ED: VNC view of dstrace
iManager: control of migration, driver On/Off, etc.
Big fat VMware server with half a dozen virtual servers
Development environment is an important system worth resourcing

Thank You!

Q&A
