IDENTITY PROBLEM
Too Many User Names and Passwords Across Multiple Systems
Multiple Directories
- AD/eDir/Open Directory
- Email
- Student Information System
- Payroll/Finance
- Lunch Systems
- Transportation Systems
- Library Systems
- Printing
- Parent Calling Systems (ParentLink)
- Phones
- Security Cameras
- VPN Remote Authentication
- Door Security Systems
- District Web Page Administration
- Digital Online-Based Learning Programs
- Instructional Applications: Read180, Read Naturally, Renaissance Place
- Course Management Systems (Moodle, Blackboard, Schoology, etc.)
All Directories Using the Same Basic Information
- Name (Student and Staff)
- Login Name or ID (Student and Staff)
- Password (Student and Staff)
- Identification Information
- Address (School Building Location)
- Phone
- Email
- Grade or Graduation Year for Students
- Job Classification for Staff
Many Directories = Multiple Points of Manual Entry
- Double or triple the management of the same user account (too much manual entry)
- Multiple chances for errors: incorrect information, inconsistent formatting
- Poor security: the same password is keyed into many systems by hand, and an account disabled in one place stays live in the others
- Changing and resetting passwords requires manual support
- Result: many applications are under-utilized or not used at all.
Solution Strategies
- Work to get user and resource information from a common source or directory.
- Use applications which share a common directory.
- Link directories together.
- Purchase applications that are directory-aware and can authenticate users against an external directory from the app.
LDAP
LDAP is a standard protocol for querying and authenticating against a directory, supported by the major directory services (AD, eDirectory, OpenLDAP), so many applications can share a single directory.
- Avoids the need to copy passwords into each application: the application passes the user's credentials to the directory (an LDAP bind) instead of storing its own copy. Use LDAPS or StartTLS for that bind so the password does not cross the network in clear.
- Permits applications to authenticate users against a common directory
- Reasonably easy to transfer directory information if needed
- Easier to move information, including user names
BUT
- Adding and deleting users in other applications remains a challenge (LDAP authenticates; it does not provision)
- There is often an added cost for some applications to link to LDAP
- Schemas and attribute names of LDAP directories are not always consistent (for example, AD and eDirectory name the login attribute differently).
SIF Implementation
- SIF (Schools Interoperability Framework) uses a central integration server to manage user names, passwords and other directory data among applications.
- Requires the install and setup of a Zone Integration Server (ZIS), either locally or remote.
- A SIF agent is required on every software application connected to the ZIS.
- SIF is limited to fields which are included in the specification.
- Management of SIF can be challenging.
- SIF is not a cheap solution.
3rd Party Software Solutions
Acts as an intermediary between applications and directories.
- Novell Identity Management
- Identity Automation
- Advanced Toolware
- Tivoli Identity Management Server (IBM)
- Oracle Identity Management
- CA Identity Manager (CA Technologies)
North Branch Beginnings
- Linked GroupWise to eDirectory (LDAP) for a common user name and password.
- Linked other applications to eDirectory via LDAP for a common user name and password for easy authentication: Central Printing System, District Website (rSchool), PD360, Destiny, VPN (Fortinet)
- Upload of student and staff information for other applications using an exported data file from the Student Information System (Skyward): Parent Calling System (ParentLink), Renaissance Place, Edulog, Read Naturally, Odyssey
Remaining Challenges
- Deprovisioning users from external systems.
- Migration to Active Directory and Google Apps (Email) removed the link between LDAP and email, so email no longer shared the common user name and password.
- Phone system remains independent.
- Migration to TIES for our student information system removed the ability to create custom user accounts for students.
- Limited link between TSIS and the Lite Lunch System.
- Links to some hosted applications remain a challenge.
North Branch Going Forward
3rd party solution with Identity Automation
Issues that we needed to resolve before the beginning of school:
- Creating new student accounts in Active Directory from TSIS
- Creating home directories for these new student accounts in AD
- Creating student email accounts linked with AD
- Linking staff Active Directory accounts with the Google Apps domain
North Branch IDM Provisioning for Student Accounts
- Automated process to pull a CSV file from our TIES Student Information System that includes student information, one student per row.
- The CSV file (pulled from TSIS) is used by IDM to automatically create all student accounts in AD using DSS with a scheduled process.
- IDM creates the user accounts by pulling information from several data fields in the CSV file, such as the student's first and last name, login ID, password, grade, etc. Because this file carries initial passwords, it must be protected in transit and at rest and access to it limited to the IDM service.
- Custom user accounts created by the IDM product are then automatically provisioned to Google Apps to create student email addresses (Google Apps accounts).
- A report file is emailed out to specific staff on new students added to Active Directory.
North Branch IDM De-Provisioning for Student Accounts
- Automated process to pull a CSV file from our TIES Student Information System that includes student information. Students not listed in this file are considered no longer in the district. (An empty or truncated export would therefore mark every student for de-provisioning, so the file should be sanity-checked before anything acts on it.)
- An IDM report script is set up to run automatically and email out lists of students to be de-provisioned.
- A manual script is set up to run de-provision tasks against student AD and Google Apps email accounts.
- The de-provision script disables the student AD account and suspends the student Google Apps email account.
- An automated delete report script emails a report of accounts to delete from AD and Google.
- A manual delete script can be run; it will only delete accounts that have not been accessed in over 365 days.
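The provisioning and de-provisioning slides above describe a two-stage lifecycle driven by a single authoritative CSV export: create accounts for new rows, disable (and suspend) accounts for students who have dropped out of the file, and delete only disabled accounts unused for more than 365 days. The following is an added example (not North Branch's or Identity Automation's code) that computes those sets from a constructed CSV and a constructed directory snapshot. Column names, the in-memory directory model, the re-enable step for returning students and the "abort if too many students vanish at once" threshold are assumptions for illustration; the code plans the actions and does not touch any real directory.

```python
"""Student account lifecycle driven by an SIS CSV snapshot.

Added example, not the district's or the vendor's code. It models the rules in
the deck: the SIS export is authoritative, a student absent from the export is
treated as withdrawn, withdrawn accounts are disabled first, and only disabled
accounts unused for more than 365 days become delete candidates. Column names,
the directory model, the re-enable step and the sanity threshold are assumptions.
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

INACTIVITY_DAYS = 365        # deck: delete only if not accessed in over 365 days
MAX_DROP_FRACTION = 0.30     # assumption: abort if this share of students vanish at once
SAMPLE_TODAY = date(2013, 9, 1)   # assumed run date for the constructed sample


class FeedSanityError(RuntimeError):
    """The export looks empty or truncated; acting on it would mass-deprovision."""


@dataclass
class Account:
    login: str
    first: str
    last: str
    grade: str
    enabled: bool = True
    created: date = date(2000, 1, 1)
    last_logon: Optional[date] = None   # None means the account was never logged on


@dataclass
class Plan:
    create: list[Account] = field(default_factory=list)
    reenable: list[str] = field(default_factory=list)   # beyond the deck: returning students
    disable: list[str] = field(default_factory=list)
    delete: list[str] = field(default_factory=list)


def parse_sis_csv(text: str) -> dict[str, Account]:
    """One student per row; the login column is the join key to the directory."""
    students: dict[str, Account] = {}
    for row in csv.DictReader(io.StringIO(text)):
        login = row["login"].strip().lower()
        if not login:
            continue   # a blank login must never become a blank directory account
        students[login] = Account(login, row["first"].strip(), row["last"].strip(), row["grade"].strip())
    return students


def build_plan(sis: dict[str, Account], directory: dict[str, Account], today: date) -> Plan:
    """Compute create/re-enable/disable/delete sets; never modifies the directory itself."""
    if not sis:
        raise FeedSanityError("SIS export is empty; refusing to deprovision every student")
    missing = sorted(l for l, a in directory.items() if l not in sis and a.enabled)
    if directory and len(missing) / len(directory) > MAX_DROP_FRACTION:
        raise FeedSanityError(f"{len(missing)} of {len(directory)} students missing; export likely truncated")
    plan = Plan(disable=missing)           # stage 1: disable AD / suspend Google
    for login, acct in sis.items():
        if login not in directory:
            plan.create.append(acct)
        elif not directory[login].enabled:
            plan.reenable.append(login)    # student returned before deletion
    cutoff = today - timedelta(days=INACTIVITY_DAYS)
    for login, acct in directory.items():
        if login in sis or acct.enabled:
            continue                       # still enrolled, or only just disabled
        last_seen = acct.last_logon or acct.created   # never-used accounts age from creation
        if last_seen < cutoff:
            plan.delete.append(login)      # stage 2: idle for more than 365 days
    plan.delete.sort()
    return plan


# Constructed sample data (not real district records).
SAMPLE_CSV = """login,first,last,grade
a.lee,Ann,Lee,09
b.kim,Bo,Kim,11
r.back,Rae,Back,10
s.park,Sam,Park,09
"""

SAMPLE_DIRECTORY = {
    "a.lee": Account("a.lee", "Ann", "Lee", "09", last_logon=date(2013, 8, 30)),
    "b.kim": Account("b.kim", "Bo", "Kim", "11", last_logon=date(2013, 8, 29)),
    "j.doe": Account("j.doe", "Jo", "Doe", "12", last_logon=date(2013, 6, 5)),                    # left, still enabled
    "r.back": Account("r.back", "Rae", "Back", "10", enabled=False, last_logon=date(2013, 3, 1)),  # re-enrolled
    "m.gone": Account("m.gone", "Max", "Gone", "12", enabled=False, last_logon=date(2012, 5, 1)),  # idle > 365 days
    "t.rec": Account("t.rec", "Tia", "Rec", "08", enabled=False, last_logon=date(2013, 6, 1)),     # idle < 365 days
}


def run_sample(today: date = SAMPLE_TODAY) -> Plan:
    return build_plan(parse_sis_csv(SAMPLE_CSV), SAMPLE_DIRECTORY, today)


if __name__ == "__main__":
    p = run_sample()
    print("create:  ", [a.login for a in p.create])   # ['s.park']
    print("reenable:", p.reenable)                     # ['r.back']
    print("disable: ", p.disable)                      # ['j.doe']
    print("delete:  ", p.delete)                       # ['m.gone']
```

The sanity check is the piece the slide's rule ("not listed = no longer in the district") most needs: a scheduled job that receives a half-written export would otherwise suspend the whole student body, and the disable-before-delete stage is what makes such a mistake recoverable.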
North Branch IDM Provisioning for Staff Accounts
- Automated export of data from Skyward to our FTP server. (Plain FTP moves the file and the server login in clear; SFTP or FTPS is the safer transport for HR-derived data.)
- The Skyward XML file is used by IDM to create all staff accounts in AD (still a work in progress).
- IDM creates the user accounts by pulling information from several data fields in this data file, such as first and last name.
- Custom user accounts created by the IDM product are then provisioned to Google Apps to create staff email addresses.
- Password synchronization between the AD and Google accounts.
- A report file is emailed out to specific staff on new staff added to AD and Google Apps.
North Branch IDM De-Provisioning for Staff Accounts
- Manual process still in place.
- Unable to create an automated method for determining staff no longer employed using the information from Skyward Finance.
- Receive email from the District Office with a list of staff no longer employed by the District.
North Branch Application User Automation
Parent Calling System (ParentLink) - Hosted Solution
- Set up an automated pull of student data from TSIS into comma-delimited text files. A scheduled task pushes these files to ParentLink using a WinSCP process.
Destiny (Hosted)
- Beginning to look at an automated method of pulling data from TSIS and pushing it into Destiny using the tools they provide.
Central Printing (Local)
- Beginning to look at DSS as a solution for provisioning and deprovisioning staff accounts in this SQL Server database.
Identity Automation Tools
- Account Management
- Password Management
- User Self-Service Management
- Group Management
- Sponsorship Management
- Workflow Management
- Detailed Reporting
Identity Automation
Welcome Timothy Till (Identity Automation)
GoToMeeting: https://www1.gotomeeting.com/join/929012656
Dial +1 (773) 945-1018
Access Code: 929-012-656
Meeting ID: 929-012-656
DSS - Data Synchronization System
- Defined action-sets in DSS are what provision and de-provision accounts in all our system directories.
- Application with a built-in tool-set that can move, transform and validate data between disparate systems.
- Powerful reporting engine for real-time reporting against data assets housed in connected systems.
- DSS is made up of user-defined action-sets processed by the DSS "engine" using scheduler or API triggers.
DSS Adapters
- Command Line Interface (CLI)
- Database (JDBC-compliant DB)
- EDI (X12 HIPAA)
- LDAP (AD, eDir, OpenLDAP, etc.)
- Text (CSV, LDIF, XML)
- Web Services
- Exchange, Google Apps, GroupWise, KeepnTrack, Live@EDU, Office 365, Raptor V-soft, SharePoint, Workday, Zendesk, Zimbra
DSS Action Builder
ARMS - Access Request Management System
- Premier end-user-facing identity management tool.
- ARMS is a suite of tools made up of multiple modules.
- Cross-platform, allowing users to interact with the system in any major browser.
- Mobile-accessible interface for BlackBerry, Android, iPhone, and Windows Mobile.
Modules: Account Management, Application Access, Group Management, Reporting, Sponsorship, Workflow
ARMS - Account Management
- Focus on user identities by providing self-service and delegated administration.
- Admins can use this module to reset passwords, reset challenge questions and unlock accounts.
- Custom delegations allow groups of users to take action upon a target group of users.
- Example: Delegate password reset privileges to teachers so they can reset student passwords. Scope such a delegation to the smallest target group that works (a teacher's own students, not all students) and keep the reset log, since a delegated reset is a way to take over an account.
Account Management demonstration video.
ARMS - Application Access
- Controls what applications are presented to the user based on role within the district.
- Only presents application icons that are relevant to the end user, which improves the user experience. Hiding an icon is a presentation choice, not an authorization control; the application (or the directory group behind it) must still enforce who may log in.
- Supports single sign-on (SSO) for web apps unable to use the SAML-based Federated IMS.
Product information webpage.
ARMS Application Access - Application Dashboard
ARMS - Group Management
- Full delegation of group management in AD and eDir environments.
- The capability distributes group ownership responsibility to decision makers.
- Supports static group assignments and dynamic nested group membership.
- Allows group managers to: create groups, delete groups, manage group sub-owners, manage group memberships.
ARMS Group Management - My Groups
ARMS - Sponsorship
- Provides a way to manage the lifecycle of "external" (contractors, subs, volunteers, temps) user accounts.
- An "external" account is any account managed outside of an authoritative source such as AD.
- Designated sponsors will be able to create, expire and delete accounts, as well as re-attest accounts and transfer accounts to other sponsors.