IDENTITY PROBLEM Too Many User Names and Passwords Across Multiple Systems.

Page 1:

IDENTITY PROBLEM
Too Many User Names and Passwords Across Multiple Systems

Page 2:

Multiple Directories
- AD/eDIR/Open Directory
- Email
- Student Information System
- Payroll/Finance
- Lunch Systems
- Transportation Systems
- Library Systems
- Printing
- Parent Calling Systems (parentlink)
- Phones
- Security Cameras
- VPN Remote Authentication
- Door Security systems
- District Web Page Administration
- Digital Online Based Learning Programs
- Instructional Applications
  - Read180
  - Read Naturally
  - Renaissance Place
  - Course Management Systems (Moodle; Blackboard; Schoology; etc.)

Page 3:

All Directories Using the Same Basic Information
- Name (Student and Staff)
- Login Name or ID (Student and Staff)
- Password (Student and Staff)
- Identification Information
- Address (School Building Location)
- Phone
- Email
- Grade or Graduation Year for students
- Job Classification for Staff

Page 4:

Many Directories = Multiple Points of Manual Entry and
- Multiple Points of Manual Entry
  - Double or Triple the management of the same user account (too much manual entry)
  - Multiple chances for errors
    - Incorrect Information
    - Inconsistent formatting
- Poor Security
  - Changing and Resetting passwords requires manual support
- Result is that many applications are under utilized or not used at all.

Page 5:

Solution Strategies
- Work to get user and resource information from a common source or directory.
- Use applications which share a common directory
- Link Directories together
- Purchase applications that are directory aware and can authenticate users against an external directory from the app

Page 6:

LDAP
- LDAP provides a standard format for applications to share a single directory as it is a standard directory service for all networks.
  - Avoids the need to copy passwords
  - Permits applications to authenticate users against a common directory
  - Reasonably easy to transfer directory information if needed
  - Easier to move information including user names
- BUT
  - Adding and Deleting users in other applications remains a challenge
  - There is often an added cost for some applications to link to LDAP
  - Formats of LDAP directories are not always consistent.
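The LDAP slide's main point, that a directory-aware application checks the password by binding to the shared directory rather than keeping its own copy, is shown below as an added example that is not part of the presentation. It assumes the usual two-step "search, then bind" flow with a read-only service account, and it stands in an in-memory fake for the directory so the logic runs offline; a real deployment makes the same two calls through an LDAP client library over LDAPS. The base DN, the entries and the hashing in the fake are constructed.

```python
"""Added example (not from the presentation): an application authenticating a
user against a shared LDAP directory instead of storing the password itself.

Assumptions (not on the page): search-then-bind with a service account; the
directory is a constructed in-memory stand-in so this runs offline."""
import hashlib
import hmac

BASE_DN = "ou=People,dc=example,dc=org"   # constructed


def escape_filter_value(value):
    """RFC 4515 escaping for a value placed inside a search filter. Without it
    a login name such as '*' or 'x)(uid=admin' changes the filter's meaning."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\0" else ch for ch in value)


def user_filter(login):
    return "(&(objectClass=person)(uid=%s))" % escape_filter_value(login)


class FakeDirectory:
    """Constructed stand-in for an LDAP server. search() matches an exact uid
    only; bind() verifies the password server-side, so the application never
    handles a stored credential (a real server keeps e.g. SSHA, not sha256)."""

    def __init__(self, entries):
        self._entries = entries   # dn -> {"uid": ..., "pw_hash": ...}

    def search(self, base, filter_str):
        prefix, suffix = "(&(objectClass=person)(uid=", "))"
        if not (filter_str.startswith(prefix) and filter_str.endswith(suffix)):
            return []
        uid = filter_str[len(prefix):-len(suffix)]
        return [dn for dn, e in self._entries.items()
                if dn.endswith(base) and escape_filter_value(e["uid"]) == uid]

    def bind(self, dn, password):
        e = self._entries.get(dn)
        digest = hashlib.sha256(password.encode()).hexdigest()
        return e is not None and hmac.compare_digest(e["pw_hash"], digest)


# Constructed sample entry.
DIRECTORY = FakeDirectory({
    "uid=ava,ou=People,dc=example,dc=org": {
        "uid": "ava",
        "pw_hash": hashlib.sha256(b"correct horse").hexdigest(),
    },
})


def authenticate(directory, login, password):
    """Find exactly one entry for the login, then bind as that DN with the
    supplied password. Returns the DN on success, None otherwise."""
    if not login or not password:
        # An empty password is an anonymous/unauthenticated bind on many
        # servers (RFC 4513 5.1.2) and would 'succeed' for any user.
        return None
    matches = directory.search(BASE_DN, user_filter(login))
    if len(matches) != 1:
        return None
    return matches[0] if directory.bind(matches[0], password) else None


if __name__ == "__main__":
    print(authenticate(DIRECTORY, "ava", "correct horse"))
```

The empty-password check and the filter escaping are the two details most often missing from home-grown LDAP logins; both are independent of which directory product (AD, eDirectory, OpenLDAP) sits behind the application.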

Page 7:

SIF Implementation
- Uses a central Integration server to manage user names, passwords and other directory data among applications
- Requires the install and setup of a Zone Integration Server (ZIS) either locally or remote.
- SIF agent required on all software applications connected to the Zone Integration Server.
- SIF is limited to fields which are included in the specification.
- Management of SIF can be challenging
- SIF is not a cheap solution

Page 8:

3rd Party Software Solutions
- Acts as an intermediary between applications and directories
  - Novell Identity Management
  - Identity Automation
  - Advanced Toolware
  - Tivoli Identity Management Server (IBM)
  - Oracle Identity Management
  - CA Identity Manager (CA Technologies)

Page 9:

North Branch Beginnings
- Linked GroupWise to eDirectory (LDAP) for common user name and password.
- Linked other Applications to eDirectory via LDAP for common user name and password for easy authentication.
  - Central Printing System
  - District Website (rSchool)
  - PD360
  - Destiny
  - VPN (Fortinet)
- Upload of student and staff information for other applications using exported data file from Student Information System (Skyward)
  - Parent Calling System (Parentlink)
  - Renaissance Place
  - Edulog
  - Read Naturally
  - Odyssey

Page 10:

Remaining Challenges
- Deprovisioning users from external systems.
- Migration to Active Directory and Google Apps (Email) removed link between LDAP and Email for using a common user name and password.
- Phone system remains independent
- Migration to TIES for our student information system removed the ability to create custom user accounts for students.
- Limited Link between TSIS and Lite Lunch System
- Links to some hosted applications remain a challenge

Page 11:

North Branch Going Forward
- 3rd party solution with Identity Automation
- Issues that we needed to resolve for beginning school.
  - Creating new student accounts in Active Directory from TSIS
  - Creating home directories for these new student accounts in AD
  - Creating student email accounts linked with AD
  - Linking staff Active Directory accounts with Google Apps Domain

Page 12:

North Branch IDM Provisioning for Student Accounts
- Automated process to pull a CSV file from our TIES Student Information System that includes student information, with each student listed per row in this file.
- CSV File (pulled from TSIS) is used by IDM to automatically create all student accounts in AD using DSS with a scheduled process.
- IDM creates the user accounts by pulling information from several data fields in the csv file, such as the students' first and last name, login id, password, grade, etc.
- Custom user accounts created by IDM product are then automatically provisioned to Google Apps to create student email addresses (google apps accounts)
- Report file emailed out to specific staff on new students added to Active Directory.

Page 13:

North Branch IDM De-Provisioning for Student Accounts
- Automated process to pull a CSV file from our TIES Student Information System that includes student information. Students not listed in this file are considered no longer in the district.
- An IDM Report script is set up to automatically run and email out lists of students to be de-provisioned.
- Manual script is set up to run de-provision tasks against student AD and Google Apps Email accounts.
- De-Provision Script disables the student AD account and suspends the student Google Apps Email account
- Automated Delete Report Script will email report of accounts to delete from AD and Google.
- Manual Delete script can be run – will only delete accounts that have not been accessed in over 365 days.
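The provisioning and de-provisioning decisions on the two student-account slides above (create what is in the export but not in AD; disable and suspend what is in AD but missing from the export; delete only what has been disabled and idle for over 365 days) are worked below as an added example. It is not North Branch's or Identity Automation's code: the CSV columns, the AD snapshot and the dates are constructed, the slide's password column is deliberately omitted so the export carries no credentials, and the actual AD and Google Apps writes stay with the IDM product. One check the slides do not mention is included: because "not in the file" means "left the district", an empty or truncated export would disable everyone, so the reconciliation refuses to run when a large share of enabled accounts would be disabled at once.

```python
"""Added example (not North Branch's or Identity Automation's code): student
account reconciliation from a constructed TSIS-style CSV export against a
constructed snapshot of AD accounts."""
import csv
import io
from datetime import datetime, timedelta, timezone

DELETE_AFTER_DAYS = 365       # the slide's "not accessed in over 365 days" rule
MAX_DISABLE_FRACTION = 0.5    # assumed safety threshold, not from the page

# Constructed sample export: one student per row (no password column).
SAMPLE_TSIS_CSV = """\
student_id,first_name,last_name,login_id,grade
1001,Ava,Lindgren,alindgren,9
1002,Noah,Berg,nberg,10
1003,Mia,Olsen,molsen,12
"""

NOW = datetime(2012, 8, 20, tzinfo=timezone.utc)

# Constructed AD snapshot keyed on login_id.
SAMPLE_AD = {
    "alindgren": {"enabled": True,  "last_logon": NOW - timedelta(days=3)},
    "nberg":     {"enabled": True,  "last_logon": NOW - timedelta(days=90)},
    "jsmith":    {"enabled": True,  "last_logon": NOW - timedelta(days=40)},   # gone from the export
    "kwhite":    {"enabled": False, "last_logon": NOW - timedelta(days=400)},  # disabled, idle > 365 days
    "rjones":    {"enabled": False, "last_logon": NOW - timedelta(days=100)},  # disabled, still waiting
}


def parse_tsis_csv(text):
    """Parse the export into {login_id: row}. A missing or duplicate login_id
    is an error rather than a skipped row: silently dropping a row would make
    the de-provisioning step treat an enrolled student as having left."""
    students = {}
    for lineno, row in enumerate(csv.DictReader(io.StringIO(text)), start=2):
        login = (row.get("login_id") or "").strip().lower()   # AD logins are case-insensitive
        if not login:
            raise ValueError("line %d: missing login_id (student_id=%s)" % (lineno, row.get("student_id")))
        if login in students:
            raise ValueError("line %d: duplicate login_id %r" % (lineno, login))
        students[login] = row
    return students


def reconcile(students, ad_accounts, now=NOW,
              delete_after_days=DELETE_AFTER_DAYS, max_disable_fraction=MAX_DISABLE_FRACTION):
    """Return the three action lists the slides describe:
    create  - in the export but not in AD (provisioning)
    disable - enabled in AD but absent from the export (disable AD, suspend Google Apps)
    delete  - already disabled, absent, and idle for more than delete_after_days"""
    if not students:
        raise ValueError("export is empty; refusing to de-provision everyone")
    cutoff = now - timedelta(days=delete_after_days)
    create = sorted(login for login in students if login not in ad_accounts)
    disable, delete = [], []
    for login, acct in sorted(ad_accounts.items()):
        if login in students:
            continue                      # still enrolled
        if acct["enabled"]:
            disable.append(login)         # first step on the slide
        elif acct["last_logon"] < cutoff:
            delete.append(login)          # second step, only after the 365-day wait
    enabled_total = sum(1 for a in ad_accounts.values() if a["enabled"])
    if enabled_total and len(disable) / enabled_total > max_disable_fraction:
        raise ValueError("export would disable %d of %d enabled accounts; check the feed"
                         % (len(disable), enabled_total))
    return {"create": create, "disable": disable, "delete": delete}


def format_report(actions):
    """Plain-text report of the kind the slides say is e-mailed to staff."""
    return "\n".join("%s (%d): %s" % (kind, len(actions[kind]), ", ".join(actions[kind]) or "-")
                     for kind in ("create", "disable", "delete"))


if __name__ == "__main__":
    print(format_report(reconcile(parse_tsis_csv(SAMPLE_TSIS_CSV), SAMPLE_AD)))
```

Keeping the "disable" and "delete" lists separate mirrors the slides' two manual scripts: disabling is reversible when a student returns, deletion is not, so the delete list is the one that deserves a second pair of eyes before it runs.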

Page 14:

North Branch IDM Provisioning for Staff Accounts
- Automated export of data from Skyward to our FTP server.
- Skyward XML File is used by IDM to create all Staff accounts in AD (still a work in progress)
- IDM creates the user accounts by pulling information from several data fields in this data file such as first and last name
- Custom user accounts created by IDM product are then provisioned to Google Apps to create staff email addresses.
- Password synchronization between AD and Google account.
- Report file emailed out to specific staff on new staff added to AD and Google Apps.
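The staff slide above says IDM builds the AD account from fields such as first and last name in the Skyward XML file; the part that usually needs care is turning those names into a login that is unique and valid for AD. The following is an added example, not Skyward's export format or Identity Automation's code: the XML layout, the first-initial-plus-surname convention, the 20-character limit (AD's sAMAccountName maximum) and the numeric suffix on collisions are all assumptions.

```python
"""Added example (not from Skyward or Identity Automation): derive unique AD
login IDs for staff from a constructed Skyward-style XML export."""
import re
import unicodedata
import xml.etree.ElementTree as ET

SAM_MAX_LEN = 20   # sAMAccountName length limit in AD

# Constructed sample export; the element names are assumptions.
SAMPLE_SKYWARD_XML = """
<Staff>
  <Employee id="5001"><First>Jane</First><Last>O'Brien</Last><Building>HS</Building></Employee>
  <Employee id="5002"><First>José</First><Last>Núñez</Last><Building>MS</Building></Employee>
  <Employee id="5003"><First>John</First><Last>O'Brien</Last><Building>ES</Building></Employee>
  <Employee id="5004"><First>Jill</First><Last>Obrien</Last><Building>ES</Building></Employee>
</Staff>
"""


def normalize(name):
    """Fold accents to ASCII and keep only lower-case letters, so that
    'Núñez' and 'O'Brien' become 'nunez' and 'obrien'."""
    folded = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z]", "", folded.lower())


def base_login(first, last):
    """First initial + surname, truncated to the AD limit."""
    first_n, last_n = normalize(first), normalize(last)
    if not first_n or not last_n:
        raise ValueError("cannot derive a login from %r %r" % (first, last))
    return (first_n[0] + last_n)[:SAM_MAX_LEN]


def unique_login(first, last, taken):
    """Append 2, 3, ... when the base login is already in use, shortening the
    base so the suffixed result still fits within SAM_MAX_LEN."""
    base = base_login(first, last)
    if base not in taken:
        return base
    n = 2
    while True:
        suffix = str(n)
        candidate = base[:SAM_MAX_LEN - len(suffix)] + suffix
        if candidate not in taken:
            return candidate
        n += 1


def parse_staff_xml(text):
    # The stdlib parser does not fetch external entities; for a feed that
    # crosses a trust boundary, defusedxml is the safer choice.
    root = ET.fromstring(text)
    return [{"id": emp.get("id"),
             "first": emp.findtext("First", ""),
             "last": emp.findtext("Last", ""),
             "building": emp.findtext("Building", "")}
            for emp in root.findall("Employee")]


def plan_staff_accounts(xml_text, existing_logins):
    """Assign a login to every employee in the export, treating logins already
    in AD and logins assigned earlier in the same run as taken."""
    taken = set(existing_logins)
    plan = []
    for emp in parse_staff_xml(xml_text):
        login = unique_login(emp["first"], emp["last"], taken)
        taken.add(login)
        plan.append(dict(emp, login=login))
    return plan


if __name__ == "__main__":
    for entry in plan_staff_accounts(SAMPLE_SKYWARD_XML, ["jnunez"]):
        print(entry["id"], entry["login"])
```

The run-local `taken` set matters when two new hires share a surname in the same export: without it both would be assigned the same login and the second AD create would fail, or worse, the second account would overwrite attributes on the first.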

Page 15:

North Branch IDM De-Provisioning for Staff Accounts
- Manual process still in place
- Unable to create an automated method for determining staff no longer employed using the information from Skyward Finance
- Receive email from District Office with a list of staff no longer employed by the District

Page 16:

North Branch Application User Automation
- Parent Calling System (Parentlink) – Hosted Solution
  - Setup automated pull of student data from TSIS into comma delimited text files. Scheduled task setup to push these files to Parentlink using WinSCP process.
- Destiny (Hosted)
  - Beginning to look at automated method of pulling data from TSIS and pushing this into Destiny using tools they provide.
- Central Printing (Local)
  - Begin looking at DSS as a solution for provisioning and deprovisioning of staff accounts in this SQL Server database.

Page 17:

Identity Automation Tools
- Account Management
- Password Management
- User Self-Service Management
- Group Management
- Sponsorship Management
- Workflow Management
- Detailed Reporting

Page 18:

Identity Automation
Welcome Timothy Till (Identity Automation)
Gotomeeting: https://www1.gotomeeting.com/join/929012656
Dial +1 (773) 945-1018
Access Code: 929-012-656
Meeting ID: 929-012-656

Page 19:

DSS Data Synchronization System
- Defined action-sets in DSS are what provision and de-provision accounts in all our system directories.
- Application with built-in tool-set that can move, transform and validate data between disparate systems
- Powerful reporting engine for real-time reporting against data assets housed in connected systems.
- DSS is made up of user-defined action-sets processed by DSS "engine" using scheduler or API triggers.

Page 20:

DSS Adapters
- Command Line Interface (CLI)
- Database (JDBC compliant DB)
- EDI (X12 HIPAA)
- LDAP (AD, eDir, OpenLDAP, etc)
- Text (CSV, LDIF, XML)
- Web Services
  - Exchange
  - Google Apps
  - GroupWise
  - KeepnTrack
  - Live@EDU
  - Office 365
  - Raptor V-soft
  - Sharepoint
  - Workday
  - Zendesk
  - Zimbra

Page 21:

DSS Action Builder

Page 22:

ARMS Access Request Management System
- Premier End-User facing Identity Mgmt Tool
- ARMS is a suite of tools made up of multiple modules.
- Cross platform allowing users to interact with system on any major browser.
- Mobile accessible interface for Blackberry, Android, iPhone, and Windows Mobile
- Modules:
  - Account Management
  - Application Access
  - Group Management
  - Reporting
  - Sponsorship
  - Workflow

Page 23:

ARMS Account Management
- Focus on User Identities by providing self-service and delegated administration
- Admins can use this module to reset passwords, reset challenge questions and unlock accounts
- Custom delegations to allow groups of users to take action upon a target group of users
  - Example: Delegate password reset privileges to teachers so they can reset student passwords.
- Account Management demonstration video.

Page 24:

ARMS Application Access
- Controls what applications are presented to user based on role within the district.
- Only presents application icons that are relevant to the end users, thus improving user experience
- Supports Single-Sign-On (SSO) for web apps unable to use the SAML based Federated IMS.
- Product information webpage.

Page 25:

ARMS Application Access: Application Dashboard

Page 26:

ARMS Group Management
- Full Delegation of Group Mgmt in AD and eDir environments
- Capability distributes group ownership responsibility to decision makers
- Supports static group assignments and dynamic nested group membership
- Allows group Managers to:
  - Create Groups
  - Delete Groups
  - Manage Group Sub-Owners
  - Manage Group Memberships
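The Account Management slide's example (teachers may reset student passwords, and nothing more) and this slide's nested group membership combine into one authorization question: is this actor, through some group they belong to, delegated this action over a target group that contains this user? The evaluator below is an added example and is not ARMS code; the group tree, the delegation triples and the rule that a delegation never applies to oneself are constructed for illustration. Membership is resolved transitively with a visited set, so a cycle in nested groups cannot send the check into an infinite loop.

```python
"""Added example (not Identity Automation's ARMS code): evaluate a delegation
such as "Teachers may reset_password on Students" over nested groups."""
from collections import deque

# Constructed directory: a group's members may be users or other groups.
GROUPS = {
    "Students":    {"grade9", "grade10"},
    "grade9":      {"ava", "noah"},
    "grade10":     {"mia"},
    "Teachers":    {"tparker", "HS-Teachers"},
    "HS-Teachers": {"lchen"},
    "Staff":       {"Teachers", "Admins"},
    "Admins":      {"bross"},
}

# Constructed delegations: (delegate group, action, target group).
DELEGATIONS = [
    ("Teachers", "reset_password", "Students"),
    ("Admins",   "reset_password", "Students"),
    ("Admins",   "reset_password", "Staff"),
    ("Admins",   "unlock_account", "Staff"),
]


def groups_of(principal, groups):
    """Every group containing the principal, following nesting upward. The
    visited set makes a membership cycle (A in B, B in A) terminate."""
    result = set()
    queue = deque(g for g, members in groups.items() if principal in members)
    while queue:
        g = queue.popleft()
        if g in result:
            continue
        result.add(g)
        queue.extend(parent for parent, members in groups.items()
                     if g in members and parent not in result)
    return result


def is_allowed(actor, action, target, groups=GROUPS, delegations=DELEGATIONS):
    """True if some delegation grants `action` to a group the actor is in over
    a group the target is in. Acting on one's own account is left to the
    self-service module, so it is refused here (an assumed rule)."""
    if actor == target:
        return False
    actor_groups = groups_of(actor, groups)
    target_groups = groups_of(target, groups)
    return any(a == action and dg in actor_groups and tg in target_groups
               for dg, a, tg in delegations)


def explain(actor, action, target, groups=GROUPS, delegations=DELEGATIONS):
    """The matching delegations, useful for the audit trail of a password reset."""
    actor_groups = groups_of(actor, groups)
    target_groups = groups_of(target, groups)
    return [d for d in delegations
            if d[1] == action and d[0] in actor_groups and d[2] in target_groups]


if __name__ == "__main__":
    print(is_allowed("lchen", "reset_password", "ava"), explain("lchen", "reset_password", "ava"))
    print(is_allowed("lchen", "reset_password", "bross"))
```

Note that lchen is only directly in HS-Teachers; the teacher delegation reaches her because HS-Teachers is nested in Teachers. That is exactly the convenience of dynamic nested membership, and also why changes to a group's sub-groups deserve the same review as direct delegation changes: adding a group under Teachers silently extends the reset privilege to everyone in it.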

Page 27:

ARMS Group Management: My Groups

Page 28:

ARMS Sponsorship
- Provides a way to manage the lifecycle of "external" (contractors, subs, volunteers, temps) user accounts.
- An "external" account is any account managed outside of an authoritative source such as AD.
- Designated Sponsors will be able to create, expire and delete accounts, as well as re-attest accounts and transfer accounts to other sponsors.