Meeting Date:

 August 5th, 2010 Time: 2:00 PM – 3:00 PM

Facilitator: Garry Gillette Recorder: G. Gillette  Location: FCC2A Conference Room Number of Pages: 1

 Topic Time

FrameStart Time

Responsible 

  Meeting Kick Off 5 minutes 2:00 Facilitator    Agenda 45 minutes 2:05 Facilitator    Open Discussion 5 minutes 2:50 Project team    Wrap Up 5 Minutes 2:55 Facilitator  

Fermilab Identity Management (FIdM) Project Briefing Agenda

 

Tom Ackenhusen Sripada Joshi Amanda PetersenBill Boroski Mark O Kaletka Vacation Jack Schmidt

Vacation Eileen Berman Vacation Rich Karuhn Nelly StanfieldDave Shuman Vacation Rob Kennedy Peter StomenhoffDave Coder Mark Leininger Laura StoverIrwin Gaines Griselda Lopez Mark ThomsAnil Garg Al Lilianstrom Julie Trumbo

Garry Gillette Patty Mcbride Vicky WhiteVacation Gerald Guglielmo

VacationScott Nolan

AGENDA:

• Introductions• Project Directives• FidM Definition• FIdM Agile Deployment Timeline• Project Deliverable Review• Fidm & PeopleSoft Integration

Project Directives

» Single Source of Truth» Bidirectional Interface to Applications» Traceability of Computer Services Usage» Authorization Mechanism» Single Cut Off Point» Connection with External Entities (Shib-other LDAP)» Lightweight Guest ID

Fermilab Identity Management (FIdM)

• Identity Management (IdM) -- the set of business processes—and the supporting infrastructure service components—that create, maintain, and use digital identities within legal and policy contexts. 

• Identity Management architectures integrate core components such as user provisioning, access management, identity lifecycle management, directory services, identity data content integration technologies, role management, federation, and identity audit. 

• Why implement next generation FIdM?

• Streamline and automate biz process (on-boarding, reorg, etc.)• Role and Request-based Access and Authorization Management• Eliminate duplication of information• Improve security – password management, authentication services, real-time deprovisioning• TCO reduction for FIdM• Improve end-user experience• Keep current FIdM Systems supportable and maintainable (Oracle 10g  11g)• Regulatory compliance

Deliverable #1 

Deliverable #1

Deliverable # 1Deliverable #2

Deliverable #3 

Deliverable#4 

Deliverable #2 

Deliverable #3 

Deliverable #4 

Deliverable # 2 

Deliverable # 3 

Deliverable # 4 

Development Environment

Staging Environment

PROD Environment

Deliverable #3 

Pilot Environment

FIdM Agile Deployment TimelineDeliverable # 1

Dependency on resource commitment and availability

Deliverable # 2

Development• Transition Deliverables 1 and 2 from Pilot  Dev (+ implement remaining Use-Cases)

• Complete Deliverables 3 and 4• Knowledge Transfer and Support for Team Fermilab • Team Fermilab are implementing D1-2 in Staging and Prod• Achieve Functional Parity with legacy Fermilab Infrastructure 

 

Pilot • Implement initial Use-Cases• Fully functional Pilot FIdM approved by FIdM Steering Committee 

• Multiple Pilot iterations expected to reach that point)

• 75% FIdM Infrastructure is  online • 10g vs. 11g software decision • Virtual vs. Physical Environment Decision (Staging & Prod)

• Project Plan, Finalize Detailed Requirements, Design and Architecture Documentation Deliverables

• Documentation for  Deliverables 1,2 and (partial) 3 complete

• Team Fermilab ready to begin Staging and Prod Deployments

FIdm Project Pilot and Development Stages

FIdM Project Staging and Prod Stages

Staging• Fermilab Staff implements FidM • Knowledge Transfer and Support provided to Team Fermilab

• Unit/Load/Acceptance Testing• Documentation• End-User Training

Prod• Team Fermilab implements FidM per • Unit/Load/Acceptance Testing• Documentation• Transition and Go-Live / CNAS to FIdM cut-over

• Post Go-Live Support• Establish Framework to Manage new FidM Functionality Requests 

 Pilot -- Deliverables: • Deliverable #1

– Stand up Environments , Infrastructure, DB, App Servers

– Install and Configure new Products– Next Generation Directory Services (11g) – Stand up Oracle Virtual Directory Services– Directory Services integrations: AD, LDAP, possibly KDC– Document all deliverables

• Deliverable #1 Accomplishments» Single Source of Truth» Connection Interfaces for External Entities» New 11g Infrastructure -- providing underpinning

baseline for other components; also maintains vendor support

» FSST Virtualization layer installed

August  T0 September  

2010

Pilot Phase:  The Pilot phase constitutes the bulk of work to validate the FIdM roadmap.  This deployment phase will be done in accordance with the project plan and initial design specifications identified in the discovery phase.

Pilot Phase Continued:

•Deliverable #2: AAAAA Service Framework

•AAAAA Services Framework will Provide:• Authentication– framework to consolidate existing

authentication mechanisms• Authorization – showcase RBAC• Audit – “Who, accessed What, When” reports• Administration – Full Centralized Life-Cycle

Management Framework for Accounts, Groups, Org-Unit, etc.

• Automation – Identity Workflow and Approval Engine, Self and Delegated Administration Services

•Accomplishments:• Traceability of Fermilab IT Services Use• Single Cut-Off Point (PoC mode)• Authorization Mechanisms • Lightweight Guest Self Registration• Interface for Connection to External Entities (Shib, Fed

ID)• Sign-off on all Pilot Deliverables

August  T0 September  

2010

OAM, OIM and 10g vs. 11g Release

– Pilot/Dev  to be implemented on OAM 10g (per original plan)

–NEW: Also stand up IdM 11g in parallel in Pilot

– Provide Cost/Benefit Analysis of 10g vs. 11g– Pilot Decision Point: 10g vs. 11g

Oracle IdM Product 11g Release

 

– Deliverable #3 – Replace CNAS Interfaces with FSST

• Replace CNAS Interfaces with FSST • Bridge the gap from Pilot to Development • Full Documentation• Support Team Fermilab for Staging and Prod• Unit Testing• Acceptance Testing by Stakeholders

– FSST– Sign off on FSST Deliverable

– Accomplishments– Single Source of Truth– Bidirectional Interface to Applications– Traceability of Computer Services Usage– Authorization Mechanism

October  to  December 2010

Development Phase:  The Development phase constitutes the bulk of the hours as will iteratively deploy the FIdm

solution.  The development phase will be done in accordance with the project plan and final design specifications uncovered in the previous phase

• Deliverable #3 FSST Replaces 14 CNAS Interfaces

LDAP & Active

Directory

EBSProject/Task View

Modified Employee Records when they are entered/saved in PS

fnal_cnas_effdt Interface Table

Modified Employee Records Every 15 Minutes

HRMS/CNAS Interface

Table

CNAS

New Look-upTable Values

Direct Entry of Empoyees, Visitors, Contractors, and Locations

MIT KDC

W2K KDCKerberos Accounts

(New, Updates, Terminations)

Kerberos Accounts(New, Updates, Terminations)

People/Locations

Company Code/PA Organizations/Dept, Supervisor,

Timecard ApproverDaily Extracts

Computer Security

Compliance

AP Invoice Approval (Access)

ORG PLUS

Updated/Returing

Employees

SPIRES

VO/Grid

BSS Help Desk

BAAD

FESS

CD Online Phone

Directory

ES&H Systems & Database

CD/MIS Comp

All Other Web Queries that Search by

Name

Property Query

Sunflower

ListservAll Hands

Support Services Extract

FSST(Single

Source of Truth)

CNAS Stub

Development Phase Continued:  – Deliverable #4 -- FSST Integration Development with HRMS

– Integrate FidM with HRMS solution– FSST, OIM, HRMS replace remaining CNAS Stub– Establish Framework to Manage new FidM Functionality Request s

October  to  December 2010

EBS Project/Task View

Modified Employee Records when they are entered/saved in PS

fnal_cnas_effdt Interface Table

Modified Employee Records Every 15 Minutes

HRMS/CNAS Interface

Table

CNAS

Direct Entry of Empoyees, Visitors, Contractors, and Locations

MIT KDC

W2K KDC

People/Locations

Company Code/PA Organizations/Dept, Supervisor,

Timecard ApproverDaily Extracts

FSST(Single

Source of Truth)

Kerberos Accounts(New, Updates, Terminations)

Kerberos Accounts(New, Updates, Terminations)

Updated/Returing

Employees

Direct Entry of Empoyees, Visitors, Contractors, and Locations

OIM

Updated/ReturingEmployees

New Look-upTable Values

New Look-upTable Values

Company Code/PA Organizations/Dept, Supervisor,

Timecard ApproverDaily Extracts

Project/Task View

People/Locations

Kerberos Accounts(New, Updates, Terminations)

Kerberos Accounts(New, Updates, Terminations)

– Resourcing Requirements during Deliverables 1- 4:

• FIdM Platform (hardware, VMWare, OS)• Networking• CNAS• Active Directory • OID LDAP• PeopleSoft• EBS

– Resourcing recommendations for Staging, Prod and Beyond – 1-2 FTEs

– 5 % FidM Steering Committee – 5% DBA and Platform Admins– 90% FIdM Maintenance & Continuous Integration

• 10% Maintenance and Operations of FIdM• 80% Continuous Fermilab App Integration and Business

Process Implementation

Staging and Prod Deployments:Fermilab Resourcing Recommendations 

SummaryPilot  -- 9/27

• Fully functional Pilot FIdM Approved and Accepted by Steering Committee (multiple iterations expected to reach that point)

• 75% FIdM Infrastructure is  online • 10g vs. 11g software decision is made• Project Plan, Final Requirements, Design and Architecture Documentation Deliverables

• Documentation for  Deliverables 1,2 and (partial) 3 complete• Team Fermilab ready to begin Staging and Prod Deployments 

Development  -- 12/31• Complete Deliverables 3 and 4 • End-to-end Unit and Acceptance Testing • Knowledge Transfer and Support for Team Fermilab (Staging & Prod)• (In progress) Team Fermilab are implementing D1 and D2 in Staging and Prod

• Establish Framework to Manage new FidM Functionality Requests 

Q&A ?