1 / 28

IDENTITY PROBLEM

IDENTITY PROBLEM. Too Many User Names and Passwords Across Multiple Systems. AD/eDIR/Open Directory Email Student Information System Payroll/Finance Lunch Systems Transportation Systems Library Systems Printing Parent Calling Systems (parentlink) Phones Security Cameras.

trixie
Download Presentation

IDENTITY PROBLEM

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. IDENTITY PROBLEM Too Many User Names and Passwords Across Multiple Systems

  2. AD/eDIR/Open Directory Email Student Information System Payroll/Finance Lunch Systems Transportation Systems Library Systems Printing Parent Calling Systems (parentlink) Phones Security Cameras VPN Remote Authentication Door Security systems District Web Page Administration Digital Online Based Learning Programs Instructional Applications Read180 Read Naturally Renaissance Place Course Management Systems (Moodle; Blackboard; Schoololgy; etc…) Multiple Directories

  3. All DirectoriesUsing the Same Basic Information • Name (Student and Staff) • Login Name or ID (Student and Staff) • Password (Student and Staff) • Identification Information • Address (School Building Location) • Phone • Email • Grade or Graduation Year for students • Job Classification for Staff

  4. Many Directories = Multiple Points of Manual Entry and • Multiple Points of Manual Entry • Double or Triple the management of the same user account (too much manual entry) • Multiple chances for errors • Incorrect Information • Inconsistent formatting • Poor Security • Changing and Resetting passwords requires manual support • Result is that many applications are under utilized or not used at all.

  5. Solution Strategies • Work to get user and resource information from a common source or directory. • Use applications which share a common directory • Link Directories together • Purchase applications that are directory aware and can authenticate users against an external directory from the app

  6. LDAP • LDAP provides a standard format for applications to share a single directory as it is a standard directory service for all networks. • Avoids the need to copy passwords • Permits applications to authenticate users against a common directory • Reasonably easy to transfer directory information if needed • Easier to move information including user names • BUT • Adding and Deleting users in other applications remains a challenge • There is often an added cost for some applications to link to LDAP • Formats of LDAP directories are not always consistent.

  7. SIF Implementation • Uses a central Integration server to manage user names, passwords and other directory data among applications • Requires the install and setup of a Zone Integration Server (ZIS) either locally or remote. • SIF agent required on all software applications connected to the Zone Integration Server. • SIFS is limited to fields which are included in the specification. • Management of SIFS can be challenging • SIFS is not a cheap solution

  8. 3rd Party Software Solutions • Acts as an intermediary between applications and directories • Novell Identity Management • Identity Automation • Advanced Toolware • Tivoli Identity Management Server (IBM) • Novell Identity Management • Oracle Identity Management • CA Identity Manager (CA Technologies)

  9. North Branch Beginnings • Linked GroupWise to eDirectory (LDAP) for common user name and password. • Linked other Applications to eDirectory via LDAP for common user name and password for easy authentication. • Central Printing System • District Website (rSchool) • PD360 • Destiny • VPN (Fortinet) • Upload of student and staff information for other applications using exported data file from Student Information System (Skyward) • Parent Calling System (Parentlink) • Renaissance Place • Edulog • Read Naturally • Odyssey

  10. Remaining Challenges • Deprovisioning users from external systems. • Migration to Active Directory and Google Apps (Email) removed link between LDAP and Email for using a common user name and password. • Phone system remains independent • Migration to TIES for our student information system removed the ability to create custom user accounts for students. • Limited Link between TSIS and Lite Lunch System • Links to some hosted applications remains a challenge

  11. North BranchGoing Forward • 3rd party solution with Identity Automation • Issues that we needed to resolve for beginning school. • Creating new student accounts in Active Directory from TSIS • Creating home directories for these new student accounts in AD • Creating student email accounts linked with AD • Linking staff Active Directory accounts with Google Apps Domain

  12. North Branch IDM Provisioningfor Student Accounts • Automated process to pull a CSV file from our TIES Student Information System that includes student information with each students listed per row in this file. • CSV File (pulled from TSIS) is used by IDM to automatically create all student accounts in AD using DSS with a scheduled process. • IDM creates the user accounts by pulling information from several data fields, in the csv file, such as the students’ first and last name, login id, password, grade, etc.. • Custom user accounts created by IDM product are then automatically provisioned to Google Apps to create student email addresses (google apps accounts) • Report file emailed out to specific staff on new students added to Active Directory.

  13. North Branch IDM De-Provisioning for Student Accounts • Automated process to pull a CSV file from our TIES Student Information System that includes student information. Students not listed in this file are considered no longer in the district. • An IDM Report script is setup to automatically run and email out lists of students to be de-provisioned. • Manual script is setup to run de-provision tasks against student AD and Google Apps Email accounts. • De-Provision Script disables the student AD account and suspends the student Google Apps Email account • Automated Delete Report Script will email report of accounts to delete from AD and Google. • Manual Delete script can be run – will only delete accounts that have not been accessed in over 365 days.

  14. North Branch IDM Provisioningfor Staff Accounts • Automated export of data from Skyward to our FTP server. • Skyward XML File is used by IDM to create all Staff accounts in AD (still a work in progress) • IDM creates the user accounts by pulling information from several data fields in this data file such as first and last name • Custom user accounts created by IDM product are then provisioned to Google Apps to create staff email addresses. • Password synchronization between AD and Google account. • Report file emailed out to specific staff on new staff added to AD and Google Apps.

  15. North Branch IDM De-Provisioning for Staff Accounts • Manual process still in place • Unable to create an automated method for determining staff no longer employed using the information from Skyward Finance • Receive email from District Office with a list of staff no longer employed by the District

  16. North Branch Application User Automation • Parent Calling System (Parentlink) – Hosted Solution • Setup automated pull of student data from TSIS into comma delimited text files. Scheduled task setup to push these files to Parentlink using WinSCP process. • Destiny (Hosted) • Beginning to look at automated method of pulling data from TSIS and pushing this into Destiny using tools they provide. • Central Printing (Local) • Begin looking at DSS as a solution for provisioning and deprovisioning of staff accounts in this SQL Server database.

  17. Identity Automation Tools • Account Management • Password Management • User Self-Service Management • Group Management • Sponsorship Management • Workflow Management • Detailed Reporting

  18. Identity Automation • Welcome Timothy Till (Identity Automation) • Gotomeeting: • https://www1.gotomeeting.com/join/929012656 • Dial +1 (773) 945-1018 • Access Code: 929-012-656 • Meeting ID: 929-012-656

  19. DSSData Synchronization System • Defined action-sets in DSS are what provision and de-provision accounts in all our system directories. • Application with built-in tool-set that can move, transform and validate data between disparate systems • Powerful reporting engine for real-time reporting against data assets housed is connected systems. • DSS is made up of user-defined action-sets processed by DSS “engine” using scheduler or API triggers.

  20. Command Line Interface (CLI) Database (JDBC compliant DB) EDI (X12 HIPPA) LDAP (AD, eDir, OpenLDAP, etc) Text (CSV, LDIF, XML) Web Services Exchange Google Apps GroupWise KeepnTrack Live@EDU Office 365 Raptor V-soft Sharepoint Workday Zendesk Zimbra DSS Adapters

  21. DSS Action Builder

  22. Premier End-User facing Identity Mgmt Tool ARMS is a suite of tools made up of multiple modules. Cross platform allowing users to interact with system on any major browser. Mobile accessible interface for Blackberry, Android, iPhone, and Windows Mobile Account Management Application Access Group Management Reporting Sponsorship Workflow ARMSAccess Request Management System

  23. ARMSAccount Management Focus on User Identities by providing self-service and delegated administration Admins can use this module to reset passwords, reset challenge questions and unlock accounts Custom delegations to allow groups of users to take action upon a target group of users Example: Delegate password reset privileges to teachers so they can reset student passwords. Account Management demonstration video.

  24. ARMSApplication Access • Controls what applications are presented to user based on role within the district. • Only presents application icons that are relevant to the end users thus improves user experience • Supports Single-Sign-On (SSO)for web apps unable to use the SAML based Federated IMS. • Product information webpage.

  25. ARMS Application AccessApplication Dashboard

  26. Full Delegation of Group Mgmt in AD and eDir environments Capability distributes group ownership responsibility to decision makers Supports static group assignments and dynamic nested group membership Allows group Managers to: Create Groups Delete Groups Manage Group Sub-Owners Manage Group Memberships ARMSGroup Management

  27. ARMS Group ManagementMy Groups

  28. ARMSSponsorship • Provides a way to manage the lifecycle of “external” (contractors, subs, volunteers, temps) user accounts. • An “external” account is any account managed outside of an authoritative source such as AD. • Designated Sponsors will be able to create, expire and delete accounts, as well as re-attest accounts and transfer accounts to other sponsors.

More Related