A collaborative presentation between Jeremy Rosenberg at Simon Fraser University and Dave Steiner at Rutgers University about their respective plans for the OpenRegistry Identity Management system.
Campus Perspectives on OpenRegistry
1. From In-House to Open Source: Creating a Sense of Identity (Management)
Dave Steiner – Rutgers University
Jeremy Rosenberg – Simon Fraser University
October 13, 2010
2. ABOUT US
• Dave Steiner
• Rutgers University – New Jersey
• Identity Management Architect
• Numerous IDM/Middleware Projects since 1984
• Joined newly created IDM Team in 2006
• Jeremy Rosenberg
• Simon Fraser University – Vancouver, BC
• Identity Management Architect
• Java Developer since 2004
• MBA in Management of Technology
3. ABOUT THIS PRESENTATION
• Campus Perspectives
• Legacy IdM Architectures
• Strengths and limitations
• Future requirements
• OpenRegistry Project
• What is OpenRegistry?
• How did it start?
• Why open source?
• State of the project
• OpenRegistry workflow walkthrough
4. ABOUT SFU
• One University - Three campuses
• Burnaby
• Surrey
• Vancouver
• 32,000 students
• 900 faculty
• 1600 staff
• 100,000 alumni
[Portrait caption: Simon Fraser, 1776-1862]
5. SFU’S IDAM LAYOUT
[Diagram: SFU IdAM layout. Components shown: Web, PeopleSoft, CAS, LDAP, Server, Amaint, Shibboleth, UDD, Account Provisioning, Eduroam, Mail, Zimbra, AD, WebCT, Lists. The connections between components are not recoverable from the extracted text.]
6. SFU STRENGTHS AND LIMITATIONS
Strengths:
• Centralized
• Single computing IDs
• CAS SSO
• Self Serve
• Maillists/ACLs
• Account Activation
• Auto Provisioning
• Email / Filespace
• WebCT
Limitations:
• Scalability
• Support for new SoRs
• No distributed admin
• Sustainability
• Only two developers (one is a rock climber)
• Granularity
• General role support
• No distributed data entry
7. SFU FUTURE NEEDS
• Capture more of the University Population
• More accurate and complete directory
• Greater auditing capabilities
• Built on sustainable industry standards
8. ABOUT RUTGERS UNIVERSITY
• One University – Three campuses
• New Brunswick
• Newark
• Camden
• Founded in 1766
• Over 56,000 students
• 4150 full-time and part-time faculty
• 6500 full-time and part-time staff
• Over 380,000 alumni
9. RUTGERS LEGACY
Rutgers University Identity Management Infrastructure
[Diagram: Rutgers legacy identity management infrastructure. Components shown: Guest Account Creation, Account Creation (RATS), Kerberos & SecurID/SafeWord, CAS, Payroll, People DataBase (PDB), Student Records DataBase (SRDB), LDAP, Radius, Oracle, and a column of Applications & Systems. Legend: Data Flow, Query. The connections between components are not recoverable from the extracted text.]
10. RUTGERS STRENGTHS AND LIMITATIONS
Strengths:
• Central Identities for Students, Faculty and Staff
• Central Authentication via CAS and LDAP
• Self-service credential creation
• Self-service email accounts
Limitations:
• Not all populations supported
• Joint institutions not supported
• Guests not well supported
• Support is too centralized
• Needs to be more real-time
11. RUTGERS FUTURE NEEDS
• A long term, core identity management solution
• Single identity throughout person’s lifetime
• Extend – e.g. for students, from Prospect through Alumni
• Add population types (Continuing Education, joint institutions, conference attendees)
• Faster propagation of data, real time where possible
• Data for better provisioning and de-provisioning, both electronically and physically
12. WHAT IS OPEN REGISTRY?
• An open source Identity Management system – a place for data about people affiliated with your institution
• Combines distributed identity information into single identity records
• Identity store, but generally NOT authoritative
• Identity reconciliation for multiple SoRs
• Identifier assignment
• Input: web, batch and REST interfaces from SoRs
• Output: queues, REST, batch – for provisioning and de-provisioning, Directory Builder
15. HOW DID OPENREGISTRY START?
• Apr 2006 – creation of IDM group at Rutgers
• Production services (e.g. CAS, LDAP, Kerberos)
• New development
• Aug 2006 – IDM as part of a new IT Strategic Plan
• Nov 2006 – Rutgers Identity Management
Assessment
• Feb 2007 – Rutgers IDM Potential Initiatives
• Mar 2008 – OpenRegistry design work started
• Jan 2009 – Became a Jasig Incubator project
• Late 2009 – SFU joined the project
16. WHY AN OPEN SOURCE PROJECT?
• “Off the shelf” solutions require significant customizations and integration work and may only solve a portion of an institution's needs
• Open source collaboration > in-house building
• Decades of combined experience
• Leverage scant resources
• Learn from others' experiences: Sakai, uPortal,
CAS, Shibboleth, Kuali
• Not all knowledge with a few in-house people
• Tailored to the needs of higher education
17. STATE OF THE PROJECT
• Generic data model designed and reasonably stable
• Domain objects and base service layer code written for addPerson, addRole, updatePerson, updateRole, etc. Currently being tested with real-life data
• Input methods well defined and being implemented; output needs further requirements/design
• Production deployment at Rutgers in first half of 2011 (dependent on new PeopleSoft payroll deployment)
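The two slides above describe the core of the registry: records arrive from several Systems of Record, are reconciled into a single identity record, receive a registry-assigned identifier, and drive provisioning and de-provisioning through an output queue via operations such as addPerson, addRole, updatePerson and updateRole. The following is an added illustration of that design in Python; it is not OpenRegistry's own code or data model. The SoR names ("HR", "SIS"), the record fields, the matching rule (exact SoR identifier link first, then a normalised name-plus-birth-date match) and the event names are all assumptions made for the example.

```python
import itertools
from dataclasses import dataclass, field


@dataclass(frozen=True)
class SorRecord:
    """One person record as delivered by a System of Record (SoR)."""
    sor: str          # SoR name, e.g. "HR" or "SIS" (constructed names)
    sor_id: str       # the person's identifier inside that SoR
    given: str
    family: str
    birth_date: str   # ISO date; a matching attribute, not an identifier
    role: str         # affiliation the SoR asserts, e.g. "staff" or "student"


@dataclass
class Identity:
    """A single reconciled identity record held by the registry."""
    registry_id: str
    given: str
    family: str
    birth_date: str
    sor_ids: dict = field(default_factory=dict)   # sor name -> sor_id
    roles: dict = field(default_factory=dict)     # role -> sor that asserts it


def match_key(given: str, family: str, birth_date: str) -> tuple:
    """Normalised attribute key used when no SoR identifier link exists yet."""
    return (given.strip().lower(), family.strip().lower(), birth_date)


class Registry:
    """Toy registry: reconciles SoR input into single identities and emits
    provisioning / de-provisioning events on an output queue (assumed design)."""

    def __init__(self) -> None:
        self._seq = itertools.count(1)
        self.identities: dict = {}   # registry_id -> Identity
        self._by_sor: dict = {}      # (sor, sor_id) -> registry_id
        self._by_attrs: dict = {}    # match_key(...) -> registry_id
        self.events: list = []       # output queue consumed by provisioners

    def _reconcile(self, rec: SorRecord):
        """Prefer an exact SoR-identifier link; fall back to attribute match."""
        rid = self._by_sor.get((rec.sor, rec.sor_id))
        if rid is None:
            rid = self._by_attrs.get(match_key(rec.given, rec.family, rec.birth_date))
        return rid

    def add_person(self, rec: SorRecord) -> Identity:
        rid = self._reconcile(rec)
        if rid is None:
            rid = f"R{next(self._seq):06d}"   # registry-assigned identifier
            self.identities[rid] = Identity(rid, rec.given, rec.family, rec.birth_date)
            self._by_attrs[match_key(rec.given, rec.family, rec.birth_date)] = rid
            self.events.append(("provision", rid))
        ident = self.identities[rid]
        ident.sor_ids[rec.sor] = rec.sor_id          # link this SoR's view
        self._by_sor[(rec.sor, rec.sor_id)] = rid
        self.add_role(rid, rec.role, rec.sor)
        return ident

    def update_person(self, rec: SorRecord) -> Identity:
        """The registry is not authoritative: only a SoR that already owns a
        link may change the attributes it supplied; nothing is edited locally."""
        rid = self._by_sor.get((rec.sor, rec.sor_id))
        if rid is None:
            raise KeyError(f"{rec.sor}:{rec.sor_id} is not linked to any identity")
        ident = self.identities[rid]
        self._by_attrs.pop(match_key(ident.given, ident.family, ident.birth_date), None)
        ident.given, ident.family, ident.birth_date = rec.given, rec.family, rec.birth_date
        self._by_attrs[match_key(rec.given, rec.family, rec.birth_date)] = rid
        self.add_role(rid, rec.role, rec.sor)
        return ident

    def add_role(self, rid: str, role: str, sor: str) -> None:
        ident = self.identities[rid]
        if role not in ident.roles:
            ident.roles[role] = sor
            self.events.append(("grant", rid, role))

    def update_role(self, rid: str, role: str, sor: str, active: bool) -> None:
        """A SoR withdrawing a role it asserted triggers de-provisioning."""
        ident = self.identities[rid]
        if active:
            self.add_role(rid, role, sor)
        elif ident.roles.get(role) == sor:   # only the asserting SoR may revoke
            del ident.roles[role]
            self.events.append(("revoke", rid, role))


def demo() -> Registry:
    """Constructed sample: HR and SIS both know one person under different
    local identifiers; a second SIS record with another birth date is distinct."""
    reg = Registry()
    reg.add_person(SorRecord("HR", "e100", "Ada", "Lovelace", "1990-01-01", "staff"))
    reg.add_person(SorRecord("SIS", "s200", "ada", "LOVELACE", "1990-01-01", "student"))
    reg.add_person(SorRecord("SIS", "s201", "Ada", "Lovelace", "1985-06-30", "student"))
    reg.update_role("R000001", "student", "SIS", active=False)  # SIS withdraws role
    return reg


if __name__ == "__main__":
    r = demo()
    for ident in r.identities.values():
        print(ident)
    print(r.events)
```

Running the sample produces two identities: the HR and SIS records with matching name and birth date collapse into R000001 with both SoR identifiers attached, while the record with a different birth date becomes R000002. The event list shows the provisioning flow the slides describe: a provision event when an identity is created, grant events as SoRs assert roles, and a revoke event when the asserting SoR withdraws one. In a real registry the attribute-based fallback match would normally route near-matches to human review rather than linking them automatically; the example links them directly only to keep the reconciliation step visible.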
18. HOW DID SFU GET INVOLVED?
• Jan 2005 – Sponsored Account Management App
• April 2007 – Single Computing ID Project
• No more multiple accounts for employees and students
• One login for HR and Registrar with Roles
• Mar 2008 – Distance Ed becomes third SoR
• Aug 2008 – Lightweight Accounts Introduced
• Aug 2009 – Contact with Rutgers IdM team
• Sept 2009 – Jasig Un-conference
• Late 2009 – First commits to OpenRegistry
• June 2010 – Additional Developers added
20. THANK YOU
Visit the Jasig Wiki at: http://www.ja-sig.org/wiki/display/OR/Home
Join the OpenRegistry Dev mail list: openregistry-dev@lists.ja-sig.org
Attend a Jasig event: http://www.jasig.org/
Jeremy Rosenberg – rosenberg@sfu.ca
Dave Steiner – steiner@oit.rutgers.edu