some idm lessons learned n.
Skip this Video
Loading SlideShow in 5 Seconds..
Some IDM Lessons Learned PowerPoint Presentation
Download Presentation
Some IDM Lessons Learned

Loading in 2 Seconds...

play fullscreen
1 / 12

Some IDM Lessons Learned - PowerPoint PPT Presentation

  • Uploaded on

Some IDM Lessons Learned. Chris Phillips –, Fall Internet2 - Dec 5th , 2006. About Queen’s University. Full-time enrolment: 20,720 (2005) Academic Staff 2,355 (tenure and tenure track included) Other Staff 2,498 (including medical support staff)

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about 'Some IDM Lessons Learned' - lenci

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
some idm lessons learned

Some IDM Lessons Learned

Chris Phillips –,

Fall Internet2 - Dec 5th , 2006

about queen s university
About Queen’s University
  • Full-time enrolment: 20,720 (2005)
  • Academic Staff 2,355 (tenure and tenure track included)
  • Other Staff 2,498 (including medical support staff)
  • ITS ~ 100ppl, of which 25 work on software and integration projects.
the r evolution of our idm
The (R)evolution of our IDM
  • Spending more time on maintenance rather than delivering new services
  • Not able to keep up with policy changes to meet client needs
  • Difficult to staff for support and development
  • Evolution of NetID functionality is crucial to other projects so it was evaluated at the same time as they were (portal/cms).
  • RFI for ID mgmt itself was put together and a number of vendors were reviewed and Sun was selected. (
why change idm strategy
Why Change IDM Strategy?

No self serve interface for end users!

Can’t distribute admin tools easily

Can’t do delegated administration

Data accuracy issues.(People sometimes have duplicates).

Can’t do externally created sponsored accounts

Sync is nightly, need realtime or near realtime

Accounts are deleted and removals not always replicated out. Audit trail is incomplete

Enabling new data is custom work which is tedious and time consuming. Many opportunities to break in many places

Bussiness logic and “workflow” are sprinkled over many places and need to be refactored to simplify and to centralize tasks/objects.

No challenge questions for passwd reset

Certain changes don’t take effect automatically (uid changes)

why sun idm
Why Sun IDM?
  • The model is remarkably & comfortably familiar
  • Flexibility throughout -- system is xml driven.
  • Many out of the box capabilities. (password reset, challenge questions, web interface for delegated administration, ++)
  • Workflow engine and supporting GUI editing tools built in
  • Robust identity reconciliation engine (rules, pre/post events)
  • Connects to various resources out of the box.(LDAP,AD, SQL, plus custom connectors)
  • Architecture and implementation design patterns make sense. (e.g. self sign up processes can be implemented within the system without too many contortions)

Why Sun IDM?

  • Bundled in with Java Enterprise System (portal/mail/calendar/SSO) that we are licensed for.
  • We have a vendor to call upon and a support contract already with JES.
  • We are a big Solaris shop and have a good relationship with the vendor.
  • Training was available and proved invaluable (go to it first, THEN (re)architect & plan the deployment!)
things that could be better
Things that could be better.
  • The product is very broad AND deep. The documentation covers the breadth, but not so much the depth.
    • There are many buttons and dials to push, but what is the best and most scalable/effective way to do it? Hard to tell without help.
    • Needs more solution guides and recommended patterns/blueprints for implementation.
    • We are trying to address this ourselves (more later).
  • Change control on the product could be better.
    • A single change on a workflow could impact things dramatically.
    • Flying without a net if you don’t provide your own.
  • Dealing with non person objects are not as neat and clean as dealing with people objects.
    • Course enrollments, are they groups? Are they attributes to a person record? Are they both? What do you do if they are?
  • ‘do you get it or not?’ question easy to answer for (de)provisioning. However, things that twiddle attributes of a person not so easy. (e.g. LDAP and edupersonEntitlement changes for instance)
some intriguing thoughts
Some Intriguing Thoughts
  • Boy, doesn’t Sun IDM look like Nexus or vice-versa?(
  • Hey, doesn’t Signet do all this stuff?( )
  • Chris, why not use Grouper to deal with self managed groups and all those course enrollment based groups?( )
identity stack comparison
Identity Stack Comparison



Nexus+signet+grouper+a useful workflow tool+gluework betwixt the above+your business logic+glue work to your endpoints

Sun IDM+ your business logic+ customizations to above+glue work to your endpoints







Sun Fed. Manager + AccessMgr./OpenSSOORSun AccessMgr + Shib 1.3

MAMS + Shib 2.0 orShib 1.3+ your SSO

How do you choose? This is a whole topic unto itself best answered by you.A popular approach is to engage prof. services once a ‘winning’ technology is chosen.

Parting thoughts to consider: pre-existing tech. base, team caliber, technology strengths, size, funding, mgmt buy in, long/short term goals, and…and...

the collaboration pitch
The Collaboration Pitch
  • This is the same pitch as Shib for Fed. Id. Or JSR-168 for portal content. Build in a standard way so you can interoperate (but leave the door open for extending the work)
  • Why do the IDM work twice?
    • If our institutions are gravitating to common platform(s) then it is plausible that we can share/trade/co-develop components for certain workflows or provisioning processes.
  • Examples :
      • Provision/deprovision a WebCT/blackboard user.
      • Provision/deprovision a portal user.
      • Provision/deprovision a TSM (backup system) user.
      • Provision/deprovision a library only user.
      • Custom workflow for granting and revoking roles automatically based on attributes
      • What else?
  • In particular, if you are running JES or Sun IDM, find me and let’s talk…
thank you for your time

Thank you for your time!

Questions, comments, and inquiries welcome!

Project Website:

Useful references:

NMI-EDIT IDM readiness checklist:

Our RFI for an IDM solution: