
Lafayette College  

Executive Summary

Lafayette College has an institutional commitment to the TIER Campus Success Program as an investor campus. As a long-time member of the InCommon Federation, staff and leadership are actively involved in its advisory and working groups. We champion federation technologies among our peers, and the three major pieces of the TIER toolset - Shibboleth, Grouper, and COmanage - are key components of our IAM architecture.

Goals for the College's participation in the TIER Campus Success Program include deployment of the TIER packaged version of the Shibboleth IdP and evaluation of midPoint as an identity registry. Deployment of the TIER solutions for Grouper and COmanage may be considered, dependent upon their availability and upon Lafayette meeting its primary commitment to the Program. Lafayette College strives for consistency among its IAM processes and deployment architecture. The TIER packages will help us mature in these areas and will serve as a path to upgrade component software versions. The expected wins for us from integrating the packages into our IdMS are ease of deployment, doing things the InCommon way, and closing operational gaps relating to digital identity provisioning and identity lifecycle management.

Organization Description

Lafayette College is an independent liberal arts college located in Easton, Pennsylvania. It is in close proximity to both Philadelphia and New York and is accessible via the major arteries of the eastern U.S. The institution offers undergraduate programs in the arts and sciences as well as engineering within a liberal arts setting. It is a full member of the Patriot League and competes in NCAA Division I sports.

Lafayette is academically competitive and is a national leader in undergraduate research. Enrollment is around 2,450 students and the student body is entirely undergraduate. There are 215 full-time faculty and the College boasts a student-faculty ratio of 10.5 to 1. It is accredited by the Commission on Higher Education of the Middle States Association of Colleges and Schools.

Founded in 1826, Lafayette College takes its name from the Marquis de Lafayette. The Marquis's lifelong philosophy of cur non (why not?) is at the heart of College life. This philosophy also drives Lafayette's identity and access management program.

Containerized TIER Component(s) to be implemented


  • ☑ Shibboleth IdP
  • ❏ Grouper Access Management Software
  • ❏ COmanage Collaboration Management Platform
  • ☑ Entity Registry, such as midPoint

Short Management-Level Use Case Description of Your Project

[Describe for upper management what problem you're trying to solve. This should be written from a functional viewpoint and will be used to describe your project on the web and in the wiki.]

TBD

Scope

Although Lafayette College is interested in integrating and deploying all of the TIER components, strategic alignment with its roadmap and consideration of operational gaps is necessary in our commitment to the TIER Campus Success Program. The immediate proposal is deployment of the Shibboleth IdP package and an evaluation of the capabilities of midPoint. The work in scope is:

  • Acquisition of the skill set and resources required for us to support the Docker platform as part of our compute infrastructure.

  • Replacement of our Shibboleth IdP v3 instance, installed from a tarball on a VM, with the TIER package using Docker as the build and deployment platform. This will take place in our three environments of development, stage, and production.

  • Evaluation of midPoint's capabilities in a test environment. Included in the evaluation is configuring the software to connect to OpenLDAP and Banner (the HR source system). With assistance from our Enterprise Data Management Systems group, we will create views to bring the identity data from Banner into midPoint that are required to onboard employees. We will investigate how we could use midPoint to manage our identity namespace and assign identifiers. A provisioning queue will be created to provision digital identities out to LDAP using the registry data held in midPoint. Connecting COmanage, our source system for sponsored accounts, to midPoint is in scope but is a secondary priority.

Due to the impact on stakeholders in Human Resources and the Office of the Provost; on divisions and departments across campus; and on the processes of other departments within Information Technology Services, the production replacement of the Accounts Workflow is out of scope for this project. Careful planning and communication will be required to identify and assess dependent processes before that replacement could be production-ready.

Shibboleth IdP

Lafayette College joined InCommon in 2007 and was an early adopter of Shibboleth. The IdP (entityID urn:mace:incommon:lafayette.edu) runs v3.2.1 locally and was recently moved to a multi-node deployment to improve redundancy: two nodes, one active and one passive, behind a proxy that points to only one node. The benefits we expect from the TIER packaging are ease of deployment to new nodes and default presets for configuring an IdP the "InCommon way". An accommodation Lafayette would require is inclusion of the Shib-CAS authenticator, which is necessary because Lafayette's IdP delegates authentication externally to CAS.

midPoint

Our use case for midPoint is to evaluate it as a replacement for our custom-engineered identity registry for faculty and staff. The Accounts Workflow is a set of web forms, which involves duplicate data entry, a back-end database, and Perl scripts that create a digital identity and provision accounts and access in some downstream systems. We want to investigate whether midPoint could replace the Accounts Workflow and provide identity lifecycle management, such as creation of institutional digital identities and NetID namespace management and assignment.

A second goal of the midPoint evaluation is to determine the feasibility of using it as a subject attribute name change management service that other components can query. Showing how this comes together by integrating midPoint as middleware, along with Grouper, between the source systems (Banner and COmanage) and the directory services (OpenLDAP and, as a project in flight, AD) would be a big win for Lafayette and for TIER.

Regarding Grouper

If the TIER Grouper solution is ready during the Program and another participating institution integrates and deploys it by the end of the program year, Lafayette would deploy it after the program ends. The objectives for using the TIER Grouper package are to move Lafayette to the latest release and to add redundancy for what has become a critical part of the IdMS.

Considering COmanage

Lafayette's commitment is to deploy the IdP packaging and investigate the use of midPoint; because of time constraints from already scheduled projects, we are not able to take on a bigger profile. Since Lafayette is interested in fulfilling the plan and vision of TIER, however, it is important to provide some context for COmanage at Lafayette. Lafayette College uses COmanage as an identity registry and provisioning service to LDAP for affiliates of the College. The intention is to extend its usage beyond sponsored accounts by adding capabilities that enhance provisioning from COmanage roles to Grouper reference groups and provisioning out to downstream services. In order to adopt the COmanage TIER packaging, Lafayette would require the inclusion of the customizations that provide the capabilities for the sponsored accounts use case. TIER might accommodate this by creating a Sponsored Accounts Edition of the COmanage packaging or an overlay.

Key Stakeholders

Sponsor: John O'Keefe, VP and CIO

Campus Success Program Contact(s): Bill Thompson, thompsow@lafayette.edu

Communications contact: John O'Keefe, okeefej@lafayette.edu

Project team members: Bill Thompson, thompsow@lafayette.edu; Janemarie Duh, duhj@lafayette.edu

Deployment Partners/Contractors: Unicon


Project Milestones

Activity | Assigned Resources | Start Date | End Date
Docker training for IAM and server admins | Internet2 SMEs | December | December 2017
Request and provision resources required to support a Dockerized IdP | Lafayette SMEs | December 1 | End of January, 2018
Install IdP package in development; implement Lafayette settings, including the Shib-CAS authenticator | Lafayette SMEs, Unicon | February 1 | March 2, 2018
Request and provision resources required to support Dockerized midPoint | Lafayette | February 1 | March 16, 2018
Implement and deploy IdP package in stage; conduct QA with RPs | Lafayette SMEs, Unicon | March 5 | April 27, 2018
midPoint training | Internet2 SMEs | Early April | April 2018
Install midPoint and assess capabilities, including redundancy | Lafayette SMEs, Unicon | April 30 | June 15, 2018
Campus Success panel at Global Summit | Lafayette et al., Internet2 | May 6 | May 9, 2018
Deploy IdP package in production | Lafayette | June 6 | June 6, 2018
Integrate midPoint into the IdMS; connect to Banner and OpenLDAP | Lafayette SMEs, Unicon | June 18 | July 31, 2018
Employee identity data flows from Banner into midPoint | Lafayette SMEs, Unicon | June 18 | August 17, 2018
Report on Campus Success to liberal arts peers at CLAC annual conference | Lafayette | June 19 | June 21, 2018
Investigate capabilities for namespace management and identifier assignment | Lafayette SMEs, Unicon | August 6 | September 14, 2018
midPoint provisions records to LDAP | Lafayette SMEs, Unicon | September 17 | October 6, 2018
Campus Success Panel at TechEx18 | Lafayette et al., Internet2 | October 15 | October 18, 2018

Synergistic Projects

[Describe any synergistic projects that are currently underway]

 

Constraints, Assumptions, Risks and Dependencies

Constraints

It is important to be aware that we might, at times, be operating under constraints that institutional priorities and responsibilities impose.

Assumptions

The Campus Success Program is the impetus for Lafayette integrating the Docker platform into its compute infrastructure. This project depends on Docker and on the assumption that we will provision the necessary compute resources and develop sufficient expertise to meet its requirements.

Risks and Dependencies

Replacing any production system, particularly one that provides access to vendor cloud services and R&S Service Providers, comes with risks. We will apply risk management principles to the changes we make to our Shibboleth Identity Provider to minimize impact on our constituencies and maximize service uptime.

The midPoint work carries little risk since it is an evaluation and will take place in our test environment. The one caveat is that the Banner views will populate that test instance with real employee identity data, so the test environment has to be protected accordingly.
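One concrete pre-cutover check that follows from the IdP risk paragraph above, given here as an added example (it is not code from the Lafayette plan, from Unicon, or from the TIER packaging): parse the SAML metadata the rebuilt IdP node publishes and compare its entityID, signing certificate fingerprint and SSO endpoints against the baseline that relying parties already trust. A container built from scratch that mints a fresh signing key, or that exposes a different endpoint, breaks every RP that relies on the old metadata; this catches that before the production deployment. The metadata, hostnames and "certificate" bytes in the block are constructed placeholders; only the entityID is the one stated in the plan.

```python
"""Pre-cutover check for a rebuilt Shibboleth IdP node.

Added example, not code from the Lafayette plan or from the TIER packaging.
It parses the SAML metadata a node publishes and confirms that the entityID,
the signing certificate(s) and the SSO endpoints match what relying parties
already trust, so a freshly built container has not silently generated a new
signing key or changed an endpoint. The metadata here is CONSTRUCTED: the
entityID is the one stated in the plan; hostnames and the "certificates" are
placeholders, not Lafayette's.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD, "ds": DS}

# Placeholder stand-ins for DER certificates (valid base64, not real X.509).
TRUSTED_CERT_B64 = base64.b64encode(b"constructed placeholder - trusted signing cert").decode()
FRESH_CERT_B64 = base64.b64encode(b"constructed placeholder - key minted by new container").decode()


def build_metadata(cert_b64: str) -> str:
    """Constructed IdP metadata carrying the given signing certificate."""
    return f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}"
    entityID="urn:mace:incommon:lafayette.edu">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>{cert_b64}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.edu/idp/profile/SAML2/Redirect/SSO"/>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.edu/idp/profile/SAML2/POST/SSO"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def parse_idp_metadata(xml_text: str) -> dict:
    """Extract entityID, SHA-256 fingerprints of signing certs, and SSO endpoints."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor in metadata")
    fingerprints = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # Per the SAML metadata spec, a KeyDescriptor without 'use' serves both roles.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join(cert.text.split()))
            fingerprints.append(hashlib.sha256(der).hexdigest())
    sso = {s.get("Binding"): s.get("Location")
           for s in idp.findall("md:SingleSignOnService", NS)}
    return {"entityID": root.get("entityID"),
            "signing_sha256": sorted(fingerprints),
            "sso": sso}


def check_node(node_metadata_xml: str, trusted: dict) -> list[str]:
    """Return every mismatch between a node's metadata and the trusted baseline."""
    actual = parse_idp_metadata(node_metadata_xml)
    problems = []
    if actual["entityID"] != trusted["entityID"]:
        problems.append(f"entityID is {actual['entityID']!r}, expected {trusted['entityID']!r}")
    for fp in trusted["signing_sha256"]:
        if fp not in actual["signing_sha256"]:
            problems.append(f"trusted signing cert sha256:{fp[:16]}... is not published by the node")
    for binding, location in trusted["sso"].items():
        if actual["sso"].get(binding) != location:
            problems.append(f"SSO endpoint for {binding.rsplit(':', 1)[-1]} changed or missing")
    return problems


# Baseline: what relying parties (and the federation metadata) currently trust.
TRUSTED = parse_idp_metadata(build_metadata(TRUSTED_CERT_B64))

if __name__ == "__main__":
    print("same key  :", check_node(build_metadata(TRUSTED_CERT_B64), TRUSTED) or "OK")
    print("fresh key :", check_node(build_metadata(FRESH_CERT_B64), TRUSTED))
```

Against a real deployment the node's metadata would be fetched from the IdP itself and the baseline taken from the metadata InCommon publishes for the entity; the check should be run against each node behind the proxy individually, since the passive node is the one that is never exercised until a failover.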