Over the next nine months, ETS will be upgrading our identity and access management infrastructure to a new system. The identity and access management system is what identifies you as a user when you log in to a web service, like Google or WebAdvisor, and decides what you have access to in that system. Over time, CCA has grown in the number and complexity of web services used by faculty, staff and students, and is now in need of a more mature and sustainable infrastructure for managing access to these services. The new system will ensure ongoing stability, ease of maintenance, and flexibility in integrating new systems.
See also the FAQ page for this project, which includes the current status of web services that have transitioned to the new Single Sign-On service.
CCA has basic identity management capabilities to support login and access to web services, but they are somewhat fractured across different systems and user populations. As the number and complexity of our web services has grown, we have had to implement several workarounds and custom processes to accommodate each of them. We have reached a point where it is necessary to consolidate how users are identified and how access rights are managed, and to upgrade to a holistic, more mature and capable system. With a new system, ongoing maintenance will be less expensive, and new systems can be incorporated more easily. This upgrade is also a prerequisite to another planned project to deliver a campus portal or intranet.
In order to enable consolidated, unified login to multiple web services, this project will implement a modern, robust Identity and Access Management system. People information, including username, password, contact information, and campus affiliations, will continue to reside in Ellucian Colleague, our Database of Record. This information will be synchronized with a new centralized directory application (Redhat). Applications and web services will use the Redhat directory to authenticate (log on) users and to identify who the user is, so that personalized data from that service can be offered. Additionally, once a user logs in to one service, they will be automatically logged in to all other services that are unified under the unified login system (Single Sign-On).
The applications and services that will be unified under this project include:
- Windows and Mac computer login
- Moodle, Google Apps, Web Advisor, Voicethread, Vault, Virtual EMS, EZ Proxy
Additional services that will be explored as part of this project include:
- Campus Wifi
- Salesforce, HR/Payroll system
An additional component of this upgrade involves management of “groups” to which a user may belong. From the Colleague data, the directory system will have some group memberships, such as primary affiliation (e.g. student, faculty, staff), but additional group membership definitions are needed to support levels of access to web applications. Group membership can be official, such as being on the roster of a course or being an employee within a department. Groups can also be self-service, created by a staff or faculty member through a web interface. These self-service groups would then be recognized across several of our web applications, such as Google Apps. A deeper understanding of the campus’ needs for groups is necessary. Group management will be made possible by implementing a service called Grouper, integrated with the Redhat directory.
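As an added illustration of the data flow described above (this is example code written for this page, not code from ETS, Colleague, Redhat or Grouper), the following script models the three layers the project describes: person records in a database of record, a directory rebuilt from those records with official groups derived from affiliation, department and course rosters, and self-service groups layered on top. Applications then authorize against group membership. The record fields, the `affil:`/`dept:`/`course:`/`adhoc:` group naming, the per-service policy table and the sample records are all assumptions made for the example; the security point it shows is that because the directory is rebuilt from the record of record, a change there (someone leaving a department) removes the derived group and the access that depended on it on the next sync, and that a member of a self-service group who is not in the record of record is ignored rather than granted an identity.

```python
"""Model of database-of-record -> directory -> application authorization.
All records here are constructed sample data, not real CCA data."""

from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class PersonRecord:
    """Assumed shape of a person in the database of record."""
    username: str
    affiliation: str                 # student | faculty | staff
    department: Optional[str] = None
    courses: Tuple[str, ...] = ()     # course rosters the person is on


@dataclass
class DirectoryEntry:
    """Assumed shape of a directory entry derived from a PersonRecord."""
    uid: str
    affiliation: str
    groups: Set[str] = field(default_factory=set)


# Assumed access policy: service -> groups that grant access. Any service not
# listed, and any group not listed for a service, is denied by default.
SERVICE_POLICY: Dict[str, Set[str]] = {
    "moodle": {"affil:student", "affil:faculty"},
    "ezproxy": {"affil:student", "affil:faculty", "affil:staff"},
    "payroll": {"dept:hr"},
}


def sync_directory(records: List[PersonRecord],
                   self_service_groups: Dict[str, List[str]]) -> Dict[str, DirectoryEntry]:
    """Rebuild the directory from the record of record (a full rebuild, so
    memberships that no longer follow from the records disappear)."""
    directory: Dict[str, DirectoryEntry] = {}
    for rec in records:
        groups = {f"affil:{rec.affiliation}"}            # official: primary affiliation
        if rec.department:
            groups.add(f"dept:{rec.department}")         # official: employee of a department
        for course in rec.courses:
            groups.add(f"course:{course}")               # official: course roster
        directory[rec.username] = DirectoryEntry(rec.username, rec.affiliation, groups)

    # Self-service groups only attach to identities that exist in the record
    # of record; a username that is not there cannot be given an entry here.
    for name, members in self_service_groups.items():
        for uid in members:
            if uid in directory:
                directory[uid].groups.add(f"adhoc:{name}")
    return directory


def authorize(directory: Dict[str, DirectoryEntry], uid: str, service: str) -> bool:
    """An application's access check: the user must exist in the directory and
    hold at least one group the service's policy accepts."""
    entry = directory.get(uid)
    if entry is None:
        return False
    return bool(entry.groups & SERVICE_POLICY.get(service, set()))


# Constructed sample data.
SAMPLE_RECORDS = [
    PersonRecord("astudent", "student", courses=("ARTS101",)),
    PersonRecord("bstaff", "staff", department="hr"),
    PersonRecord("cfaculty", "faculty", department="fine-arts", courses=("ARTS101",)),
]
SAMPLE_ADHOC = {"gallery-committee": ["cfaculty", "ghost"]}   # "ghost" has no record


def demo() -> Dict[str, bool]:
    """Run one sync, then re-sync after bstaff leaves HR, and report the checks."""
    before = sync_directory(SAMPLE_RECORDS, SAMPLE_ADHOC)
    moved = [PersonRecord("bstaff", "staff", department="facilities")
             if r.username == "bstaff" else r for r in SAMPLE_RECORDS]
    after = sync_directory(moved, SAMPLE_ADHOC)
    return {
        "staff_payroll_before": authorize(before, "bstaff", "payroll"),      # True
        "student_payroll": authorize(before, "astudent", "payroll"),         # False
        "faculty_in_adhoc_group": "adhoc:gallery-committee" in before["cfaculty"].groups,
        "ghost_has_entry": "ghost" in before,                                 # False
        "unknown_service": authorize(before, "astudent", "vault"),            # False
        "staff_payroll_after": authorize(after, "bstaff", "payroll"),        # False
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The full-rebuild sync is the point worth noticing: with an incremental sync that only adds memberships, the `dept:hr` group would survive the department change and the payroll access with it, which is the stale-access problem a consolidated directory is meant to remove.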
Below is an architectural overview of the planned web access management system, and how it will integrate with current and forthcoming systems.