Interfacing Banner BEIS With Identity Management - Summit 2012
3 likes5,173 views
This document presents an overview of implementing Banner with identity management at Carleton University, detailing the goals, project scope, experiences, and key components of the 'mycarletonone' project. It covers data flow architecture, performance experiences with Banner Enterprise Identity Services (BEIS), and role-based provisioning nuances. The overall rollout was successful and additional functionalities were added post-launch, with a specific focus on efficient identity management and account synchronization.
Interfacing Banner BEIS With Identity Management - Summit 2012
- 1. Interfacing Banner with Identity Management Presented by: Joel Avery and Jamie Campbell Carleton University March 27, 2012 Session ID 1756 Session ID 1756 1
- 2. Introduction • Who we are — Jamie Campbell – Assistant Director, Information Security and Operating Platforms — Joel Avery – Project IDM Engineer & Enterprise Architect • Carleton University — Ottawa, Canada — Comprehensive — 25,000 students, 2,500 faculty/staff • Provide an overview of our experience implementing BEIS and integrating it with Sun Identity Manager • Benefits, tips, challenges from our experience Session ID 1756 2
- 3. Agenda • Data Flow Architecture • BEIS components • Our BEIS experience • BEIS Role Model • Roles to Resources • Summary Session ID 1756 3
- 4. About our IdM Project ‘MyCarletonOne’ (MC1) • Identity Management (IdM) Project — Project Goals: Efficiency (e.g. standardization of account policy) Security (e.g. timely removal of accounts/access) Service (e.g. timely provisioning of accounts/access based on business need) — One username, One password • Scoping the project — Cohort by cohort (staff, then faculty, then students, then…) — Limited number of applications & services at launch — Limited scope of IdM functionality (provisioning & password management first, then SSO, then Enterprise Directory, then…..) Session ID 1756 4
- 5. Key Principles & Project Scope Banner is the authoritative repository of identity data Divide and conquer approach (staff, then faculty, then students) Resource applications/services include: Active Directory INB Banner itself Enterprise Directory LDI (Luminis portal/WebCT) SSB Email (staff/faculty) Email gateway (alias) Email (students) Session ID 1756 5
- 6. Key Data Flows Syncback Active Directory Banner Identity SPML 2.0 XML BEIS BEIS IDM Identity Identity (Roles & Enterprise Dir. Banner (Roles & Identity (Sun) Identity Gateway Proxy Data) Data) Exchange Email Cloud Email SSB Email Alias INB LDI Session ID 1756 6
- 7. Banner Enterprise Identity Services (BEIS) • Using BEIS as an outbound message gateway to send identity data to IdM • Version 8.1.0 on OAS 10G R2 • Oracle Streams configured to capture changes to identity data in tables • Messages issued from proxy in SPML 2 format • BEIS has 2 interfaces for management Session ID 1756 7
- 8. BEIS Streams Admin Interface Session ID 1756 8
- 9. BEIS Identity Gateway Session ID 1756 9
- 10. BEIS Identity Proxy Interface Session ID 1756 10
- 11. Our BEIS Experience • Overall performance is good • Some queuing of messages on bulk updates • Needed a customized app to pass SPML 2.0 messages to IDM (aka SPML relay) • Ran into issues with BEIS standard config — Increased Java memory to max — Recommend only OAS & BEIS on a single server (for 32 bit installs) Session ID 1756 11
- 12. Our BEIS Experience • There is a need for a defined shutdown process of BEIS. (Oracle Streams and BEIS shut down before Banner DB) • If no events are sent from SPML relay to IDM for over 60 minutes, then cached credentials expired. We created a heartbeat (resend last event every 15 minutes) Session ID 1756 12
- 13. Our BEIS Experience • We set up monitoring jobs in Oracle to determine whether: — There are issues with Capture & Apply — The gateway is not processing events — SPML relay is not sending pending events • Banner DB clones (where both production and the clone are BEIS-enabled) results in Oracle Streams not capturing changes for in-house tables. No errors appeared in logs. We resolved by rebuilding these tables as part of the post-clone processes. • Built our own event capture and republishing tool Session ID 1756 13
- 14. Role Model . Session ID 1756 14
- 15. Role Model Evolution – Initial View Student Employee Faculty Alumni Affiliate • Initial assumption (prior to project launch) was five distinct cohorts – Student, Employee, Faculty, Alumni and Affiliate Session ID 1756 15
- 16. Role Model Evolution – Reality • Analysis in first deployment showed Employee high overlap between Faculty roles – many people had roles in Student numerous cohorts. • This complicated Affiliate provisioning as well Alumni as the project communications Session ID 1756 16
- 17. Role Model Evolution - Reality Employee ‘MANUAL_ GEN_ACCES’ Faculty Contains... ‘EMPL_ADMIN_ CASUAL’ Student ‘EMPL_ADMIN_ CONTINUING’ Affiliate Alumni Requirements gathering in each release also required more fine grained roles within each cohort Session ID 1756 17
- 18. Banner - Roles Role Who EMPL_ADMIN_CONTINUING Current administrative continuing employees EMPL_ACAD_CONTINUING Current academic continuing employees FACULTY (WebCT role) Instructors at the University EMPL_ADMIN_CASUAL Current administrative casual employees EMPL_ACAD_CASUAL Current academic casual employees EMPLOYEE (WebCT role) All current active employees EMPL_ON_LEAVE Continuing employees who are on a leave of absence EMPL_BEIS People who have an employee relationship with the University, either past or present STUDENT People who have a student relationship with the University, either past or present ALUMNI People who have graduated from the University AFFILIATE People who have an affiliate relationship with the University via GZAAFFL MANUAL_GEN_ACCESS Assigned via GZAIROL We built a custom interface for MANUAL_INB_ACCESS Assigned via GZAIROL manually assigning some roles IMMEDIATE_DEPROVISION Assigned via GZAIROL to identities BASICPERSON Automatically assigned by BEIS, and is used for the case where a person has absolutely no roles. Session ID 1756 18
- 19. Role Based Provisioning Nuances • Some roles require other roles • Some roles are mutually exclusive • These rules are enforced in Banner • IDM prioritizes the roles when multiple roles exist • A ‘person’ is provisioned, not a role Session ID 1756 19
- 20. Roles to Resources • All roles are assigned by Banner. • A set of resources is associated with each role via business rules within the IDM. • The IDM system aggregates all the resources associated with all the roles of a user and prioritizes any mutual exclusions. • The IDM updates all the target resources (adding, deleting or updating the account associated to the user) in one transaction which will "roll back" if there is an error Session ID 1756 20
- 21. Password Synchronization and Self Management • The IDM manages (synchronizes) passwords for all target resources which have a password • The IDM creates resource accounts with the current IDM password. • Should a user forget their password, the IDM has a challenge / response system which allows the user to reset their password to a new value. • Target resource account names were synchronized for each user via a series of earlier projects (not a requirement of the IDM). • "One Username. One Password." Session ID 1756 21
- 22. Functionality added after launch • Requesting fine grained access control (e.g. Banner security classes) • Synchronization of name changes • Securing accounts for users who do not update their passwords (as per policy) Session ID 1756 22
- 23. Resource States • The IDM tracks the state of resources for each user • Manages creation and deletion along with enabling and disabling based on events from Banner • Reports on accounts created on the resource by other processes Session ID 1756 23
- 24. Summary • Overall BEIS experience was good • Rollout was highly successful • In process of rolling out to faculty • Questions? — Feel free to contact us Session ID 1756 24
- 25. Session Sponsor Thank You! Joel Avery Jamie Campbell Please complete the online session evaluation form Session ID 1756 “Datatel” and the Datatel logo, “Advance,” “Banner,” “Colleague,” and “PowerCAMPUS,” are trademarks or registered trademarks of Datatel+SGHE or their affiliates in the U.S. and other countries. Other trade names and trademarks used herein are owned by their respective holders. © 2012 Datatel+SGHE. All rights reserved. Session ID 1756 25
- 26. Supporting Slides – Sample BEIS Message <UDCIdentity action="UPDATE" PUBLISHER_NAME="PROD" xmlns="urn:sungardhe:enterprise:domain:identity:1.0"> <UDCIdentifier>8ED5ABA7DA0785CDF04400144F80BXD5</UDCIdentifier> <PersonIdentity> <PersonName> <FormattedName>Mrs. Marion M. Smith</FormattedName> <GivenName>Marion</GivenName> <PreferredGivenName>Marni</PreferredGivenName> <MiddleName>M.</MiddleName> <FamilyName>Smith</FamilyName> <Affix type="formOfAddress">Mrs.</Affix> </PersonName> <Gender>Female</Gender> <Birthdate> <BirthDay>8</BirthDay> <BirthMonth>11</BirthMonth> <BirthYear>1959</BirthYear> </Birthdate> <TaxId>2*****480</TaxId> </PersonIdentity> <EmailAddress>marni_smith@carleton.ca</EmailAddress> <PrimaryAddress validFrom="1988-03-17"> <PostalCode>K1Q 6K3</PostalCode> <Region>ON</Region> <Municipality>Ottawa</Municipality> <AddressLine>15 Any Street</AddressLine> </PrimaryAddress> <CampusAddress> <CountryCode>27</CountryCode> <PostalCode>K1S 5B6</PostalCode> <Region>ON</Region> <Municipality>Ottawa</Municipality> <AddressLine>Carleton University, CCS</AddressLine> <AddressLine>401 Robertson Hall</AddressLine> <AddressLine>1125 Colonel By Drive</AddressLine> </CampusAddress> Session ID 1756 26
- 27. Supporting Slides – Sample BEIS Message <CampusPhone> <AreaCityCode>613</AreaCityCode> <SubscriberNumber>5202600</SubscriberNumber> <Extension>3456</Extension> </CampusPhone> <InstitutionRoles> <institutionrole> <role>ALUMNI</role> <context>INTCOMP</context> </institutionrole> <institutionrole> <role>EMPLOYEE</role> <context>INTCOMP</context> </institutionrole> <institutionrole> <role>EMPL_ADMIN_CONTINUING</role> <context>INTCOMP</context> </institutionrole> <institutionrole> <role>EMPL_BEIS</role> <context>INTCOMP</context> </institutionrole> <institutionrole> <role>STUDENT</role> <context>INTCOMP</context> </institutionrole> </InstitutionRoles> <Extension> <Attribute> <name>DEPTLONG</name> <value>Computing & Communication Services</value> </Attribute> <Attribute> <name>PIDM</name> <value>41456</value> </Attribute> Session ID 1756 27
- 28. Supporting Slides – Sample BEIS Message <Attribute> <name>BANNERID</name> <value>100056013</value> </Attribute> <Attribute> <name>OFFICE</name> <value>401 Robertson Hall</value> </Attribute> <Attribute> <name>JOBTITLE</name> <value>Information Technology Analyst</value> </Attribute> <Attribute> <name>EXTUSERNAME</name> <value>marnismith</value> </Attribute> <Attribute> <name>IMS_SOURCE_ID</name> <value>35510</value> </Attribute> <Attribute> <name>BANNERINB_USER</name> <value>MARNISMIT</value> </Attribute> <Attribute> <name>DEPTSHORT</name> <value>CCS</value> </Attribute> </Extension> </UDCIdentity> Session ID 1756 28