Identity and Access Management

Submitted by Jason on Mon, 11/10/2014 - 13:39

We are in the process of researching an identity and access management solution for our school. For a couple of years we were headed down the Novell Identity Management road, with the intention of having support from https://www.netiq.com/ and using the Ellucian-to-eDirectory LDAP adapter.

Long story short, the school decided to scrap all Novell products. So the identity management team is starting over.

I would be curious to hear what identity and access management solutions your school is using, and what your experiences have been.

We will be moving to Luminis 5 in about a year. Is Luminis 5 just as happy using AD as any other LDAP compliant directory server? Any difficulties?

Did you decide to stick with a single vendor, or is your IDM solution made up of different vendor solutions? I've noticed a few schools have chosen to have one vendor handle the data feeds from Banner into directories, and then a second vendor to handle the access control (SSO/password management).

And lastly, what was your timeline like?

Thanks,
Jason

Hi Jason,

We are in the process of implementing TridentHE from Aegis Identity. We have a loose timeline and have asked for a more detailed timeline, but have not yet gotten it. (Our dev environment has been installed, but we are not very far on configuring it.) Their product uses a lot of open source and they are focused on education/Higher Ed IdAM. Our campus computing environment includes both Windows and Unix/Linux. We use OpenLDAP and AD (and are keeping both). And we recently started with Shibboleth (we're doing this in-house). Aegis seemed the best fit for our mixed environment. They are our only vendor, but the project will be done by Aegis and us (e.g., they are not doing the whole thing and then handing it over). They are (more or less) local, so that is a plus. TridentHE is to replace a homegrown system that was started back in the '80s when we had one main campus AIX system that did mail, general computing and shared file space with our campus webserver; since then it has been extended, expanded, and stretched beyond its original intent.

We did our RFP around April 2012, but were delayed in starting the project (due to our university, not the vendor). The other products/vendors I can remember were Fischer (sp?) and Hitachi. These products didn't seem as flexible and/or were more Windows-centric.

We are on LP 4.3.0. I don't know what our timeline for LP 5 is. (We haven't Shibbolized it. We may skip this, and implement LP 5 with Shib.) The Aegis solution will be pushing passwords to Luminis and down the line will do the de-provisioning.

Our first focus is to replace our initial username/credential delivery (sent via postal mail) with a new account claim process. We're running up against all kinds of time issues. (e.g., we are currently unsure as to when the new system will be ready... will it be ready for summer and fall 2015? or do we keep using the existing system? when do we make the call, etc.)

Anyway, this is rambling. Not sure if this helps you at all.

One last comment...I think the biggest things I've learned so far: The tech is (relatively) easy. And it's easy to design a new system. The transition from the old system to the new system is harder. And the governance/policy and managing cultural change are even more difficult.

Good luck.

--Ginny Lee
Colorado School of Mines

PS: We are looking for a Luminis Admin. See https://www.lumdev.net/node/13509

Are you a Banner school? Is TridentHE pulling account information from Banner into your OpenLDAP and AD?

We have a mixed environment also. I looked back at some of our vendor lists and Gartner IDM info, and didn't see Aegis in any of them. Thanks for making us aware of that vendor.

Hi Jason,

Sorry I didn't see this sooner.

Yes, we are a Banner school. We are in the process of implementing TridentHE. It is/will be getting data from Banner (through BEIS and event messaging)... and then pushing info out to both AD and OpenLDAP... and to Shibboleth, Luminis, Blackboard, and other systems. We're supposed to "flip the switch" around March 2nd, so we're a little crazed just now. (The project will not be finished in March, just a scaled-back Phase 1.)

Anyway, good luck. If you wanna talk some time after March, lemme know.

--Ginny

We are still researching solutions, so I'm fairly certain the team would want to meet with your team in March.

And Ellucian is coming out with a new approach to access/SSO soon, and we are going to be in that beta. The software that provides the SSO layer is also part of a larger open source product that has provisioning/identity management/auditing/governance.

We are using Microsoft Forefront/Identity Manager where Banner is the source and systems such as Active Directory, Gmail and Blackboard and others are targets. Our main use cases were self-service password reset and identity lifecycle automation. The licenses for us were mostly free as part of our Microsoft campus agreement. After trying to set this up in-house, we eventually used IdMEngine to help us with our implementation after we talked with 4-5 of their Banner references. We decided to go with the Banner View vs BEIS route for maintenance reasons.

Prior to this we were using Sun Identity Manager and looked at going to Oracle Identity Manager. The cost was just too prohibitive. We looked at Aegis and Fischer but didn't want to have to deal with smaller companies that don't have the deep pockets to compete with the likes of Microsoft, IBM and Oracle.

Ultimately our decision was based on the following: Banner integration, functional requirements and cost.
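The pattern the posts above describe (Banner as the source of truth, AD/OpenLDAP/Blackboard as targets, with "identity lifecycle automation" and de-provisioning driven from the feed) is a reconciliation loop. The following is an added example written for this thread; it is not code from any of the posters, from Aegis, Microsoft, or Ellucian. The source records, the affiliation-to-group policy, and the in-memory target store are all constructed sample data standing in for a real Banner feed and a real directory.

```python
"""Identity lifecycle reconciliation: source of truth -> directory target.

Constructed example (not any vendor's connector). A real connector would read
Banner (e.g. via BEIS events or a view) and write to AD/OpenLDAP over LDAP;
here both sides are plain Python objects so the logic runs offline.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class SourceRecord:
    person_id: str      # SIS identifier, constructed sample values below
    username: str
    given_name: str
    surname: str
    affiliation: str    # "student", "staff" or "faculty"
    active: bool        # False once the SIS marks the person as separated


@dataclass
class TargetAccount:
    username: str
    person_id: str
    given_name: str
    surname: str
    affiliation: str
    enabled: bool = True
    groups: set = field(default_factory=set)


# Assumed policy: which groups each affiliation is entitled to. Unknown
# affiliations get no groups at all (least privilege by default).
GROUPS_BY_AFFILIATION = {
    "student": {"students"},
    "staff": {"staff", "vpn-users"},
    "faculty": {"faculty", "vpn-users"},
}


def plan_actions(source, target):
    """Compare source records with the target store and return a list of
    (action, username, detail) tuples. Separated people and orphaned accounts
    are disabled, never deleted, so the audit trail and mailbox survive."""
    actions = []
    known_ids = {r.person_id for r in source}
    for rec in source:
        acct = target.get(rec.username)
        if acct is None:
            if rec.active:
                actions.append(("create", rec.username, rec.affiliation))
            continue
        if acct.person_id != rec.person_id:
            # Same username, different person: flag it, never overwrite.
            actions.append(("conflict", rec.username, acct.person_id))
            continue
        if not rec.active:
            if acct.enabled:
                actions.append(("disable", rec.username, "separated"))
            continue
        if not acct.enabled:
            actions.append(("enable", rec.username, "reactivated"))
        wanted = GROUPS_BY_AFFILIATION.get(rec.affiliation, set())
        if acct.groups != wanted or acct.affiliation != rec.affiliation:
            actions.append(("update", rec.username, sorted(wanted)))
    for uname, acct in target.items():
        if acct.person_id not in known_ids and acct.enabled:
            actions.append(("disable", uname, "orphan"))
    return actions


def apply_actions(source, target, actions):
    """Apply a plan to the in-memory target (a real connector would issue LDAP
    add/modify operations here). Conflicts are left untouched for a human."""
    by_username = {r.username: r for r in source}
    for action, uname, detail in actions:
        if action == "create":
            r = by_username[uname]
            target[uname] = TargetAccount(r.username, r.person_id, r.given_name,
                                          r.surname, r.affiliation, True,
                                          set(GROUPS_BY_AFFILIATION.get(r.affiliation, set())))
        elif action == "update":
            target[uname].groups = set(detail)
            target[uname].affiliation = by_username[uname].affiliation
        elif action == "disable":
            target[uname].enabled = False
        elif action == "enable":
            target[uname].enabled = True
    return target


def sample_run():
    """Constructed data: one new student, one staff member whose groups have
    drifted, one separated faculty member, and one orphaned account."""
    source = [
        SourceRecord("100001", "jsmith", "Jane", "Smith", "student", True),
        SourceRecord("100002", "bjones", "Bob", "Jones", "staff", True),
        SourceRecord("100003", "alee", "Ann", "Lee", "faculty", False),
    ]
    target = {
        "bjones": TargetAccount("bjones", "100002", "Bob", "Jones", "staff", True, {"staff"}),
        "alee": TargetAccount("alee", "100003", "Ann", "Lee", "faculty", True, {"faculty", "vpn-users"}),
        "oldacct": TargetAccount("oldacct", "100099", "Old", "Account", "staff", True, {"staff"}),
    }
    actions = plan_actions(source, target)
    apply_actions(source, target, actions)
    return actions, target


if __name__ == "__main__":
    for action in sample_run()[0]:
        print(action)
```

Two design points matter for the de-provisioning question raised earlier in the thread: the plan is computed and can be reviewed before anything is written, and a record vanishing from the feed (or a feed bug that empties it) can only disable accounts, never delete them, so a bad run is reversible.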

"The cost was just too prohibitive. We looked at Aegis and Fischer but didn't want to have to deal with smaller companies that don't have the deep pockets to compete with the likes of Microsoft, IBM and Oracle."

What did you feel was the downside to being a smaller company? We've seen demos from most IDM providers by now, and they all seem fairly feature rich. And Aegis and Fischer focus more on Higher Ed (familiar with Banner, etc.), which we see as an advantage over generic IDM providers like Oracle/MS.

The one thing I found interesting about the MS demo was how some of their connectors (I'm not sure of the total number) were on GitHub. More of a community development thing.

Another thing that may or may not be an issue is that Forefront has been replaced by a newer product called MS Identity Manager. Have you upgraded your Forefront to the new product? I don't know anyone (yet) that is using MS Identity Manager in production in edu.