Lafayette College  

Executive Summary

Lafayette College has an institutional commitment to the TIER Campus Success Program as an investor campus. As a long-time member of the InCommon Federation, staff and leadership are actively involved in its advisory and working groups. We champion federation technologies among our peers, and the three major pieces of the TIER toolset - Shibboleth, Grouper, and COmanage - are key components of our IAM architecture.

We committed to deploying the TIER packaged version of the Shibboleth IdP and evaluating midPoint as an identity registry. Lafayette strives for consistency among its IAM processes and deployment architecture. The TIER packages will help us mature in these areas and will serve as a path to upgrade component software versions. The expected wins for us from integrating the packages into our IdMS are ease of deployment, doing things the InCommon way, and closing operational gaps.

Organization Description

Lafayette College is an independent liberal arts college located in Easton, Pennsylvania. It is in close proximity to both Philadelphia and New York and is accessible via the major arteries of the eastern U.S. The institution offers undergraduate programs in the arts and sciences as well as engineering within a liberal arts setting. It is a full member of the Patriot League and competes in NCAA Division I sports.

Lafayette is academically competitive and is a national leader in undergraduate research. Enrollment is around 2,450 students and the student body is entirely undergraduate. There are 215 full-time faculty and the College boasts a student-faculty ratio of 10.5 to 1. It is accredited by the Commission on Higher Education of the Middle States Association of Colleges and Schools.

Containerized TIER Component(s) to be implemented

  • ☑ Shibboleth IdP

  • ❏ Grouper Access Management Software

  • ❏ COmanage Collaboration Management Platform

  • ☑ Entity Registry, such as midPoint

Short Management-Level Use Case Description of Your Project

Although Lafayette College is interested in integrating and deploying all of the TIER components, our commitment to the TIER Campus Success Program is deployment of the Shibboleth IdP package and an evaluation of the capabilities of midPoint.

Lafayette College joined InCommon in 2007 and was an early adopter of Shibboleth. We run Shibboleth IdPv3 locally and recently moved to a multi-node deployment architecture to improve redundancy. The benefits we see in the TIER packaging are ease of deployment to new nodes and default presets for configuring a Shibboleth IdP the “InCommon way”.

Our use case for midPoint is to evaluate it as a replacement for our custom-engineered identity registry. The Accounts Workflow is a set of web forms, which involve duplicate data entry, plus scripts that create a digital identity and provision accounts and access in some downstream systems. We want to investigate whether midPoint could replace the Accounts Workflow and provide identity lifecycle management functions such as creation of institutional digital identities and NetID namespace management.


Scope

Acquisition of the skill set and resources required for us to support the Docker platform as part of our compute infrastructure.

Replacement of our Shibboleth IdPv3 instance, installed from a tarball on a VM, with the TIER package using Docker as the build and deployment platform. This will take place in our three environments of development, stage, and production.

Evaluation of midPoint’s capabilities in a test environment. Included in the evaluation is configuring the software to connect to OpenLDAP and Banner (HR source system). With assistance from our Enterprise Data Management Systems group, we will create views to bring the identity data from Banner into midPoint that are required to onboard employees. We will investigate how we could use midPoint to manage our identity namespace and assign identifiers. A provisioning queue will be created to provision digital identities out to LDAP using the registry data contained in midPoint. Connecting COmanage, our source system for sponsored accounts, to midPoint is in scope but is a secondary priority.
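The namespace management and identifier assignment task above is the part of the evaluation with the sharpest security edge: a NetID that is reassigned to a new person can inherit the previous holder's group memberships, mailbox and SP account mappings wherever a downstream system still keys on the string. The following is an added illustration of what a registry has to track to avoid that, not Lafayette's or midPoint's code. The naming rule (first initial plus family name, truncated to 8 characters, numeric suffix on collision), the syntax pattern and the reserved names are assumptions chosen for the example; the constructed sample names are illustrative only.

```python
"""Illustrative NetID assignment with a no-reuse policy.

Added example, not Lafayette's or midPoint's code. The naming rule,
length limit, syntax pattern and reserved names below are assumptions.
"""
import re
import unicodedata

NETID_MAX_LEN = 8                                      # assumed institutional rule
NETID_PATTERN = re.compile(r"^[a-z][a-z0-9]{2,7}$")    # assumed syntax: 3-8 chars


def _normalize(part: str) -> str:
    """Reduce a name part to lower-case ASCII letters (drop accents, apostrophes, spaces)."""
    ascii_part = unicodedata.normalize("NFKD", part).encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z]", "", ascii_part.lower())


class Namespace:
    """Tracks every identifier ever issued so that none is handed out twice.

    Identifiers of departed users move to `retired` and stay unavailable:
    LDAP entries, mail aliases and per-SP account mappings may still refer
    to them, and reissuing one would give a new person the old holder's access.
    """

    def __init__(self, active=(), retired=(), reserved=()):
        self.active = set(active)
        self.retired = set(retired)
        self.reserved = set(reserved)   # e.g. service accounts, role names (assumed list)

    def is_available(self, netid: str) -> bool:
        """A candidate must be well-formed and absent from every pool."""
        return (NETID_PATTERN.match(netid) is not None
                and netid not in self.active
                and netid not in self.retired
                and netid not in self.reserved)

    def assign(self, given: str, family: str) -> str:
        """Derive a base from the name, then add a numeric suffix until unique."""
        base = (_normalize(given)[:1] + _normalize(family))[:NETID_MAX_LEN]
        if len(base) < 3:
            raise ValueError("name too short to derive an identifier")
        candidate, n = base, 2
        while not self.is_available(candidate):
            suffix = str(n)
            # keep the total length within the limit when appending the suffix
            candidate = base[:NETID_MAX_LEN - len(suffix)] + suffix
            n += 1
        self.active.add(candidate)
        return candidate

    def retire(self, netid: str) -> None:
        """Deprovision: the identifier leaves `active` but is never freed for reuse."""
        self.active.discard(netid)
        self.retired.add(netid)


if __name__ == "__main__":
    ns = Namespace(reserved={"root"})
    first = ns.assign("John", "O'Keefe")      # constructed sample name
    second = ns.assign("John", "O'Keefe")     # collision gets a suffix
    ns.retire(first)
    third = ns.assign("John", "O'Keefe")      # retired value is not recycled
    print(first, second, third)
```

The point of the `retired` pool is the one a registry evaluation should test explicitly: deprovision a user, re-onboard a person with the same name, and confirm the old identifier is not reissued. The pattern check also stops a name-derived candidate from silently landing on a reserved or syntactically invalid value.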

Due to the impact on stakeholders in Human Resources and the Office of the Provost; on divisions and departments across campus; and on the processes of other departments within Information Technology Services, the production replacement of the Accounts Workflow is out of scope for this project. Careful planning and communication will be required to identify and assess dependent processes in order to be production-ready. 

Key Stakeholders

Sponsor: John O'Keefe, VP and CIO

Campus Success Program Contact(s): Bill Thompson, thompsow@lafayette.edu

Communications contact: John O'Keefe, okeefej@lafayette.edu

Project team members: Bill Thompson, thompsow@lafayette.edu; Janemarie Duh, duhj@lafayette.edu

Deployment Partners/Contractors: Unicon

Project Milestones

| Activity | Assigned Resources | Start Date | End Date |
|---|---|---|---|
| Docker training for IAM and server admins | Internet2 SMEs | December 2017 | December 2017 |
| Request and provision resources required to support a Dockerized IdP | Lafayette SMEs | December 1, 2017 | End of January 2018 |
| Install IdP package in development; implement Lafayette settings, including the Shib-CAS authenticator | Lafayette SMEs, Unicon | February 1, 2018 | March 2, 2018 |
| Request and provision resources required to support Dockerized midPoint | Lafayette | February 1, 2018 | March 16, 2018 |
| Implement and deploy IdP package in stage; conduct QA with RPs | Lafayette SMEs, Unicon | March 5, 2018 | April 27, 2018 |
| midPoint training | Internet2 SMEs | Early April 2018 | April 2018 |
| Install midPoint and assess capabilities, including redundancy | Lafayette SMEs, Unicon | April 30, 2018 | June 15, 2018 |
| Campus Success panel at Global Summit | Lafayette et al., Internet2 | May 6, 2018 | May 9, 2018 |
| Deploy IdP package in production | Lafayette | June 6, 2018 | June 6, 2018 |
| Integrate midPoint into the IdMS; connect to Banner and OpenLDAP | Lafayette SMEs, Unicon | June 18, 2018 | July 31, 2018 |
| Employee identity data flows from Banner into midPoint | Lafayette SMEs, Unicon | June 18, 2018 | August 17, 2018 |
| Report on Campus Success to liberal arts peers at CLAC annual conference | Lafayette | June 19, 2018 | June 21, 2018 |
| Investigate capabilities for namespace management and identifier assignment | Lafayette SMEs, Unicon | August 6, 2018 | September 14, 2018 |
| midPoint provisions records to LDAP | Lafayette SMEs, Unicon | September 17, 2018 | October 6, 2018 |
| Campus Success panel at TechEx18 | Lafayette et al., Internet2 | October 15, 2018 | October 18, 2018 |

Constraints, Assumptions, Risks and Dependencies

Constraints

We may, at times, be operating under constraints imposed by institutional priorities and responsibilities.

Assumptions

The Campus Success Program is the impetus for Lafayette integrating the Docker platform into its compute infrastructure. This project depends on Docker and on the assumption that we will provision the necessary compute resources and develop sufficient expertise to meet its requirements.

Risks and Dependencies

Replacing any production system, particularly one that provides access to vendor cloud services and R&S Service Providers, comes with risks. We will apply risk management principles to the changes we make to our Shibboleth Identity Provider to minimize impact on our constituencies and maximize service uptime.

The midPoint work carries no production risk, since it is an evaluation conducted in our test environment. It will, however, consume employee identity data sourced from Banner and write to a test OpenLDAP, so the test environment must be protected in line with the sensitivity of that data.
