Trying to implement IDM at MMU: The pitfalls and minefields of an Identity Management project at Manchester Metropolitan University. Mike Preece, Manchester Metropolitan University.

Trying to implement IDM at MMU
- Currently trying to implement Identity Management at MMU using Novell's IDM3
- Tell you about the project and the problems faced so far
- Solutions to the problems faced

Agenda
- Background and situation at MMU
- My background
- Project initiation
- Meta-Directory
- Project scope creep
- Current plan
- Problems faced
- Conclusion

Background and Situation at MMU
- MMU is in the top 10 of British universities by number of students
- Students and staff spread across many sites in and around Manchester
- Became a University in
- Still seems to have the culture of a public sector institution

Background and Situation at MMU
- One main eDirectory that all staff and students have an account in
- A few departments run smaller directories such as AD and eDirectory
- LDAP provision based on the main eDirectory
- Single 8-digit institution ID

My Background
- Started at MMU 18 months ago, from the private sector
- Started with a strong background in AD but less knowledge of Novell products
- Main task: implement a new student network account creation system
- Main person working on this project

Project Initiation
- New Student Record System is QLS, using an Oracle DB and based on Active Directory
- We currently maintain a SQL Server database that stores details of all live students
- A set of batch file scripts using JRB Utils runs daily to create or update students' network accounts
- Currently, if a student changes course, a duplicate account is often created
- Need to replace the current system and synchronise the AD and eDirectory passwords

Project Initiation
- Required pulling data from the Oracle DB tables
- Synchronising AD and eDirectory for staff accounts
- A few different Identity Management products are available
- We are primarily a Novell shop and IDM has a good reputation in the marketplace
- Soon discovered the concept of an ID Vault and Meta-Directory: the way forward for us

A Meta-Directory
- A system of integrated directories
- 1 username, 1 password for all systems
- All the different systems use up-to-date and consistent data from the authoritative systems
- Less labour-intensive account maintenance

A Meta-Directory

A Meta-Directory
- Concept well received
- Concerns raised because helpdesk staff who have the ability to reset eDirectory passwords can gain access to other systems
- Can we add study unit enrolment data?

Project Scope Creep
- WebCT requires enrolment data
- Many enrolment types, such as:
  - Provisionally enrolled
  - Fully enrolled
  - Fees not paid
- Can we also have staff data ASAP?
- Timescales become unmanageable
- Arghh, project gets out of control!

Current Project Plan
- Only synchronise basic student data through the ID Vault and into eDirectory
- Directly synchronise eDir and AD accounts for some staff as required
- Build the system so it is scalable and include the rest at a later date

Current Project Plan – From this:

Current Project Plan – to this:

Current Project Plan
- A driver in the live tree to send data to Active Directory
  - This was the easiest way to implement this quickly, and it works really well
- Only existing accounts are synchronised, so no need to define placement policies
- Password synchronisation requires Universal Password
- Can now focus on the student account side

Current Project Plan – Student Accounts
- Two parts:
  - Synchronise Oracle database with ID Vault
  - Synchronise ID Vault with eDirectory
- Oracle to ID Vault
  - IDM is an event-triggered system
  - Don't put triggers on the live DB; we used a reporting instance instead

Synchronise Oracle database with ID Vault

Synchronise ID Vault with eDirectory
- Much easier once the correct data is in the ID Vault and is in the correct format
- Complex container placement rules based on the student's faculty, home department, primary course code and study level (PG/UG/Foundation year etc.)
- If an account is matched then it is updated; if not found then it is created with a default password based on the student's personal data
- Need to eliminate duplicate accounts

Problems we faced
- Procedures and policies for create/update/delete
  - These need to be well defined; we could not use the existing rules as they were not correct in the first place, for reasons such as licensing rules
  - Requires higher-level management to get involved
- What systems will connect?
  - Decide what data is required in the ID Vault
  - Important for Shibboleth
  - Needs to be clearly defined
  - Other system managers need to get involved
- LDAP tree: sync from eDir or from the source systems?

Problems we faced – LDAP Tree
- Do all eDirectory accounts need to be in the LDAP tree?
- Is it permissible for only valid student and staff accounts from the source systems to be in the LDAP tree?

Problems we faced
- How to process deletes?
  - Students are never deleted from the source systems, just un-enrolled, and so they disappear from the view
  - A daily procedure that checks the view against last night's view and performs a compare?
- Rollout plan
  - Change the authoritative system for alias generation
  - Do you really want to re-sync all eDir objects with the source system and lose all changes?
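The matching and placement rules on the "Synchronise ID Vault with eDirectory" slide and the nightly view-compare for deletes above, as an added Python example that is not MMU's or Novell's own code. The view columns, the container DN layout and the sample rows are all constructed assumptions; only the 8-digit institution ID match key and the add/update/un-enrol behaviour come from the slides.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class StudentRow:
    """One row of the reporting-instance view (column names are assumed)."""
    institution_id: str   # the single 8-digit institution ID, used as the match key
    faculty: str
    department: str
    course_code: str
    study_level: str      # "UG", "PG" or "FOUNDATION"
    enrolment: str        # e.g. "FULLY_ENROLLED", "PROVISIONAL", "FEES_NOT_PAID"


def placement_container(row: StudentRow) -> str:
    """Derive the eDirectory container from faculty, department, course and level.

    Hypothetical DN layout standing in for MMU's real placement rules."""
    return (f"ou={row.study_level},ou={row.course_code},ou={row.department},"
            f"ou={row.faculty},o=MMU")


def diff_views(yesterday, today):
    """Synthesise IDM-style events by comparing two nightly snapshots.

    The source never emits deletes (students are only un-enrolled), so:
      - only in today      -> 'add'     (create account; default password set elsewhere)
      - in both, changed   -> 'modify'  (same account updated/moved, never duplicated)
      - only in yesterday  -> 'disable' (un-enrolled; treated as the missing delete)
    Rows whose ID is not exactly 8 digits are rejected rather than silently matched.
    """
    def index(rows):
        out = {}
        for r in rows:
            if not (len(r.institution_id) == 8 and r.institution_id.isdigit()):
                raise ValueError(f"bad institution ID: {r.institution_id!r}")
            out[r.institution_id] = r
        return out

    prev, curr = index(yesterday), index(today)
    events = []
    for sid in sorted(prev.keys() | curr.keys()):
        old, new = prev.get(sid), curr.get(sid)
        if old is None:
            events.append(("add", sid, placement_container(new)))
        elif new is None:
            events.append(("disable", sid, placement_container(old)))
        elif old != new:
            events.append(("modify", sid, placement_container(new)))
    return events


# Constructed sample snapshots: 10000002 changes enrolment state, 10000003 is
# un-enrolled overnight, 10000004 is a new student.
YESTERDAY = [
    StudentRow("10000001", "HLSS", "Law", "LLB1", "UG", "FULLY_ENROLLED"),
    StudentRow("10000002", "SCI", "Chem", "BSC2", "UG", "PROVISIONAL"),
    StudentRow("10000003", "BUS", "Mgmt", "MBA1", "PG", "FULLY_ENROLLED"),
]
TODAY = [
    StudentRow("10000001", "HLSS", "Law", "LLB1", "UG", "FULLY_ENROLLED"),
    StudentRow("10000002", "SCI", "Chem", "BSC2", "UG", "FULLY_ENROLLED"),
    StudentRow("10000004", "SCI", "Phys", "BSC1", "UG", "FULLY_ENROLLED"),
]
```

A course change for an existing ID yields a `modify` for the same account rather than a second `add`, which is the duplicate-account problem the slides describe.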

Problems we faced – Rollout Plan
1. Sync the existing system with the Vault (get all aliases into the Vault)
2. Overwrite the ID Vault with the existing student account info in eDir
3. Pull in data from the Student Record System (no overwrite)
4. Push everything back to eDir
Finish with updates from Student Records overwriting the ID Vault and eDir

Problems we faced – Passwords
- Password policy
  - Need an institution-wide password policy
- Universal Password
  - Allows eDirectory to store passwords in a decryptable format
  - Need NMAS on every workstation
  - Need the password policy applied to all users
  - The Security container must be widely replicated
  - See TIDs: ,

Conclusions
- Get management buy-in early on
- Define business policies and procedures
- Decide what data to store in the ID Vault / Meta-Directory
- How do you want to provide LDAP?
- Will delete operations be a problem?
- Define an institution-wide password policy and implement Universal Password early
- Do you want to re-synchronise all accounts?
- How will you implement / roll out?