Conference 2017 Identity Management and Service Integration in Higher Education BCNet Identity Management Working Group

Conference 2017 - BCNET · § IaaS and SaaS (“Cloud-enabled”) 19. Conference 2017 IDAM Struggles ... Future State 23 Central Authentication System (CAS) Self Service (OSS) Horizons


Page 1: Identity Management and Service Integration in Higher Education

Conference 2017

BCNet Identity Management Working Group

Page 2: Speakers

• Corey Scholefield | BCNet EduTrust, UVic
• Keir Novik | SFU
• Andy Zoltay | RRU
• Rahim Virani | KPU
• Sebastian Gonzalez | UBC
• Sabrina da Silva | BCIT

Page 3: General Overview

[Diagram: User, Digital Identity, Applications & Hosted Services; Institute (Higher Ed.) and Other Organizations; applications on premise and applications off premise]

Page 4: Identity & Access - Planning Context

[Diagram: Identity, Security, Privacy]

Page 5: Identity and Access - Planning + Project Process

[Diagram: project phases Initiating, Planning, Executing, Monitoring, Closing, with the callout "Do IDAM consult here!"]

Page 6: Services Integration Phases

• System Selection: RFP?
• System Integration: Business/Technical?
• Change Management: Outreach/Training?
• Go-Live

Page 7: Identity and Access – Planning Alphabet

• autheNtication
• authoriZation
• accounts Provisioning
• accounts De-provisioning

*Thanks to Luca Filipozzi and Doug Gregg (UBC)

Page 8: Identity and Access – Planning Alphabet

• autheNtication
  • Campus options vs. system capability
• authoriZation
  • Permissions assignment – roles / groups / local vs. centralized
• accounts Provisioning
  • Business process? Just-in-case vs. just-in-time?
• accounts De-provisioning
  • Disable / timeline / retention / ongoing-access / grace-period?
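As an added example (not from the slides), a Python sketch of the provisioning and de-provisioning questions on this slide: just-in-case creation from an HR/SIS feed versus just-in-time creation at first federated login, and a disable/retention timeline with a grace period and an ongoing-access exception. The policy constants, the use of eduPersonPrincipalName and eduPersonAffiliation as the asserted attributes, and the "alumni keep the library" rule are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, Optional, Set

# Policy knobs (assumed values, not from the slides).
GRACE_DAYS = 30          # access continues this long after the affiliation ends
RETENTION_DAYS = 365     # a disabled account is kept this long before purge
ONGOING_ACCESS = {"alumni": {"library"}}   # assumed ongoing-access exception

@dataclass
class Account:
    username: str
    affiliation: str                  # e.g. "student", "staff", "alumni"
    end_date: Optional[date] = None   # None while the affiliation is current
    services: Set[str] = field(default_factory=set)

def provision_just_in_case(hr_feed, accounts: Dict[str, Account]):
    """Just-in-case: create accounts for the whole HR/SIS feed, login or not."""
    for person in hr_feed:
        accounts.setdefault(person["username"], Account(person["username"], person["affiliation"]))
    return accounts

def provision_just_in_time(assertion, accounts: Dict[str, Account]):
    """Just-in-time: create the account at first federated login from the
    asserted attributes (assumed: eduPersonPrincipalName, eduPersonAffiliation)."""
    username = assertion["eduPersonPrincipalName"].split("@")[0]
    return accounts.setdefault(
        username, Account(username, assertion["eduPersonAffiliation"]))

def lifecycle_state(acct: Account, today: date) -> str:
    """De-provisioning timeline: active -> grace -> disabled -> purge."""
    if acct.end_date is None:
        return "active"
    days_since_end = (today - acct.end_date).days
    if days_since_end <= GRACE_DAYS:
        return "grace"
    if days_since_end <= GRACE_DAYS + RETENTION_DAYS:
        return "disabled"
    return "purge"

def allowed_services(acct: Account, today: date) -> Set[str]:
    """Services the account may still reach in its current lifecycle state."""
    state = lifecycle_state(acct, today)
    if state in ("active", "grace"):
        return set(acct.services)
    if state == "disabled":          # only the ongoing-access exception survives
        return ONGOING_ACCESS.get(acct.affiliation, set()) & acct.services
    return set()                     # purged: nothing
```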

Page 9: BC EduTrust Federated Services - Updates

• Goals
  • every BCNET member:
    • runs eduroam WiFi service
    • runs federated SSO Identity Provider (IdP) in the Canadian Access Federation
    • supports BCNET IT Shared Services adoption

Page 10: BC EduTrust – CAF Community Group

Page 11: BC EduTrust / CAF / BCcampus – Federated Wordpress

Page 12: BC EduTrust – eduroam for @bc.net accounts on Azure AD

Page 13: BC EduTrust – CAF Research & Scholarship Entity Category Support

https://www.canarie.ca/identity/support/research-and-scholarship-entity-category/

Page 14: BC EduTrust – Education Planner (phase 3)

Page 15: Royal Roads University

• Strategies
  • Consolidating identities into a single repository with multiple roles
  • Move towards central authentication
  • Streamlining account provisioning synchronization
• Challenges
  • Shibboleth is complicated and has a steep learning curve
  • Each service provider implementation has proven slightly different or non-standard
    • e.g. use of the “unspecified” format
    • e.g. Shibboleth vs ADFS
  • Shibboleth versioning differences have caused challenges
    • i.e. version 3 of IdP and version 2 of SP

Page 16: Royal Roads University

• Newly on-boarded off-premise services:
  • WorldShare Management Services (Library system)
  • WebSpace (WPCloud)
  • Lynda.com
  • HRSmart

Page 17: Royal Roads University

Page 18: Royal Roads University

Page 19: IDAM - KPU strategies

§ User Experience (UX) driven
§ Minimize security footprint
§ IaaS and SaaS (“Cloud-enabled”)

Page 20: IDAM Struggles

§ Exceptions to calculated roles and definitions (vendors, visiting scholars, recruiters etc.)
§ Single identity, multiple role vs. multiple identity, multiple role service mapping
§ Creative account access workflows
§ Federated Identity knowledge barrier of entry
§ Some applications just don’t support Single/Same Signon

Page 21: IDAM Accomplishments

§ Simple architecture, no heavy ETL and staging processes as well as data processing overhead.
§ Future ready:
  § Directory Consolidation
  § SSO onboarding
  § Banner XE
§ In process of onboarding most popular candidates to SSO (Self-Service, Learning Management System, Navigation Portal, SharePoint, Office 365 etc..)*

Page 22: Current State

[Diagram: Central Authentication System (CAS); Shibboleth (SAML); Active Directory Federation Services (ADFS); connected services: Office 365, UPASS, UPSwing, Regroup, Wordpress, Kaltura]

Page 23: Future State

[Diagram: Central Authentication System (CAS); Shibboleth (SAML); Active Directory Federation Services (ADFS); connected services: Self Service (OSS), Horizons, CSM, Symplicity CSM, Office 365, DirectAccess, UPASS, UPSwing, Regroup, Kaltura, Wordpress, Sharepoint, FAST, Moodle, OneCampus]

Page 24: High Level Metrics - KPU

Total Applications: 60
Total Applications Off Premise: 25%
Supporting SSO (Single and Same Sign On): 50%
Single Sign On Implemented: 10%
Same Sign On Implemented: 80%

Page 25: Simon Fraser University

• Strategies
  § Be principally a provider of cloud services
  § Use cloud services with maximum value while minimizing risk
  § Single sign-on through CAS
  § Federated identity through CAF
• Struggles
  § Preserving privacy
  § Value proposition of IDAM
• Accomplishments
  § Compute Canada ARC site at SFU
  § SFU Vault

Page 26: UBC

• IAM as an integrator for ERP renewal (Cloud Landscape)
• IAM Realignment
  • Office of CIO under the CISO portfolio
• Transitioning from an Infrastructure Dept. with a Security component to a Security Discipline with Infrastructure Responsibilities.
• Heavy lifting into the cloud.

Page 27: IAM as an integrator for ERP renewal (Changing Cloud Landscape)

[Diagram: Data Governance, Enterprise Integration, IAM, Identity Hub]

Page 28: IAM Realignment

[Diagram: Business Security Reference Model, with these layers and components:
Security Intelligence & Analytics; Governance, Risk, Compliance (GRC); Advanced Security and Threat Research
Domains: Infrastructure, Applications & Services, Data, People
Foundational Security Management: Physical Asset Management; Risk & Compliance Management; Security Policy Management; Command & Control Management; Identity, Access & Entitlement Management; Data & Information Protection Management; Threat & Vulnerability Management; IT Service Management
Security Services and Infrastructure: Security Info & Event Infrastructure; Identity, Access & Entitlement Infrastructure; Security Policy Infrastructure; Crypto, Key & Certificate Management; Service Management Infrastructure; Storage Security; Host & Endpoint Security; Application Security; Network Security; Physical Security
Operational Context: Code, Policies, Events & Logs, Identity Attributes, Data Repository & Classification, Security Service Levels, Designs, Config Info & Registry, IT Security Knowledge
Software, System & Service Assurance]

Page 29: Transitioning from an Infrastructure Dept. with a Security component to a Security Discipline with Infrastructure Responsibilities.

[Diagram: Drastically reduce attack surface; Strengthen Controls; Increase Analytics Capabilities]

Page 30: Payment Plan on “Technical Debt”

Page 31: Heavy lifting into the cloud

Page 32: Integration of Services and Applications

[Diagram: wireless, library, BCIT public website]

Page 33: Integration of Services and Applications

• Strategies
  o Enhance user experience
  o Simplification and optimization of services
• Struggles:
  o Preserving privacy
  o IDAM road map
• Accomplishments
  o Onboarding new services
  o Consolidating services

Page 34: Questions