InCommon Collaboration Success Program Case Study
(September 2023)
University of California, Santa Barbara
Executive summary
The University of California, Santa Barbara (UCSB), saw the Collaboration Success Program (CSP) as an opportunity to get multiple teams on the same page about how identity and access management (IAM) is managed on its campus. Two primary goals UCSB pursued towards this aim were (1) upgrading Shibboleth and adjusting the SSO pod architecture and (2) implementing and exploring Grouper applications. While more work remains to fulfill UCSB’s vision of a unified, more modernized IAM framework, participating in the CSP gave UCSB clarity around how to eliminate existing redundancies, structure a new enterprise team, and merge data more effectively.
Solution summary
Since 2018, UCSB has worked to restructure and replace separate technology teams (Campus Identity Operations, Student Affairs (SA), and Identity Developers), all dealing directly or indirectly with cloud identity. UCSB’s goal is to create a broader, modernized, more cohesive framework under the main heading of Information Technology Services (ITS). Participating in the CSP gave UCSB clarity around how to eliminate existing redundancies, structure the new ITS team, and merge data.
Trusted Access Platform features supported
Shibboleth/CAS, Grouper
The project
UCSB focused mainly on upgrading its cloud identity services under the broader restructuring of the IAM teams. The CSP project team faced challenging objectives when working with each of the original four tech teams, from separate departments, to identify IAM issues to address. The scope of folding these four separate entities into one system has required a slow and steady approach.
UCSB used the CSP program to explore its current lifecycle principles. Match/merge challenges were examined to reconcile multiple sources of record. The team sought to define which identifiers constitute an identity. Human Resources, for instance, used DOB and employeeID, while SA used PermNumber and applicantID. The question of folding the large Student Affairs identity population into the identity and access management mix was a main focus. Student Affairs alone manages 26 business departments, more than 40 developers, and about 200 applications and systems.
The challenge
During the CSP, as UCSB was actively merging different IAM teams, the new united team began to question existing lifecycle principles while negotiating multiple systems of record. For years, these four IT teams were operating independently of one another and creating separate solutions. Each of the four original teams brought their own challenges to the CSP:
- Match/merge logic is currently the single greatest challenge for UCSB.
- UCSB employees and emeriti are sourced in real time via UCPath web services.
- The system of record for students is hourly via a student affairs data feed. Applicants also come through this same feed.
- The system of record for miscellaneous affiliates comes from a variety of delegated management tools.
- UCSB has many component services for provisioning/lifecycle, multiple directory services, management tooling, and authentication from the previous IAM architecture.
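The match/merge problem described above, as an added illustration that is not UCSB's code: two sources of record carry different primary identifiers (HR: employeeID plus DOB; Student Affairs: PermNumber and applicantID), so records can only be linked on the attributes both share. The sample records, field names and the name-plus-DOB rule are constructed assumptions; the point is that an ambiguous match is held for human review rather than merged, since an incorrect merge hands one person another person's access.

```python
"""Constructed match/merge example for reconciling two sources of record."""
from collections import defaultdict

# Constructed sample records, not UCSB data. HR keys on employeeID + DOB,
# Student Affairs keys on PermNumber + applicantID.
HR_RECORDS = [
    {"employeeID": "E100", "dob": "1990-04-12", "last": "Garcia", "first": "Ana"},
    {"employeeID": "E200", "dob": "1992-01-05", "last": "Lee", "first": "Sam"},
    {"employeeID": "E300", "dob": "1992-01-05", "last": "Lee", "first": "Sam"},  # suspected duplicate
    {"employeeID": "E400", "dob": "1975-03-22", "last": "Nguyen", "first": "Kim"},
]
SA_RECORDS = [
    {"PermNumber": "P1", "applicantID": "A1", "dob": "1990-04-12", "last": "Garcia", "first": "Ana"},
    {"PermNumber": "P2", "applicantID": "A2", "dob": "1992-01-05", "last": "Lee", "first": "Sam"},
    {"PermNumber": "P3", "applicantID": "A3", "dob": "2001-07-19", "last": "Nguyen", "first": "Kim"},
]

def match_key(rec):
    """Deterministic key: normalized name plus DOB (the attributes both sources share)."""
    return (rec["last"].strip().lower(), rec["first"].strip().lower(), rec["dob"])

def match_merge(hr, sa):
    """Return (identities, review_queue).

    A student record is merged with an HR record only when exactly one HR record
    carries the same key. Zero candidates -> student-only identity. More than one
    candidate -> nothing is merged; the case goes to a review queue, because
    auto-merging on an ambiguous key would grant someone another person's access.
    """
    by_key = defaultdict(list)
    for h in hr:
        by_key[match_key(h)].append(h)
    identities, review, merged_employee_ids = [], [], set()
    for s in sa:
        cands = by_key.get(match_key(s), [])
        if len(cands) == 1:
            h = cands[0]
            merged_employee_ids.add(h["employeeID"])
            identities.append({"employeeID": h["employeeID"], "PermNumber": s["PermNumber"],
                               "applicantID": s["applicantID"], "affiliations": ["employee", "student"]})
        elif not cands:
            identities.append({"PermNumber": s["PermNumber"], "applicantID": s["applicantID"],
                               "affiliations": ["student"]})
        else:
            review.append({"PermNumber": s["PermNumber"],
                           "candidates": [c["employeeID"] for c in cands]})
    for h in hr:  # HR records never merged stay employee-only identities
        if h["employeeID"] not in merged_employee_ids:
            identities.append({"employeeID": h["employeeID"], "affiliations": ["employee"]})
    return identities, review

if __name__ == "__main__":
    ids, queue = match_merge(HR_RECORDS, SA_RECORDS)
    print(len(ids), "identities;", len(queue), "held for review:", queue)
```

Kim Nguyen shows why DOB belongs in the key: a name-only rule would have merged an employee born in 1975 with a 2001-born applicant.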
Goals
UCSB hoped to create a broader, modernized, more cohesive framework under the main heading of Information Technology Services (ITS). Joining the CSP gave UCSB clarity around how to eliminate existing redundancies, structure the new ITS team, and merge data.
- Upgrade Shibboleth and adjust the SSO pod architecture.
- Implement and explore Grouper applications.
- Question our assumptions.
- Coalesce into a single team.
The result
Grouper Progress:
- The team must bring up the TAP container for the latest Grouper version.
- Testing means loading raw data into Grouper, preparing test reference groups and test authentication policies, and integrating with the test application. Varied authentication testing must follow data from raw to policy and must include a test integration with cloud service providers.
- UCSB is currently working to build out Grouper to replace the current, custom group tagging process.
Shibboleth Upgrade Progress: UCSB is working to upgrade Shibboleth from 3.4.6 to 4.3.1. Version 4.3.1 is already running in the development environment, but work remains.
- UCSB is prioritizing a stepped approach to the upgrade in order to pinpoint errors and deprecated code at each step.
- As part of this upgrade to 4.3.1, the team must deploy the TAP Shibboleth 4.3.1 container alongside prepped and upgraded UCSB config files for automated deployment.
Plans and remaining questions for the new version of Shibboleth:
- Can UCSB enable authentication in Shibboleth as opposed to using the CAS plugin?
- Enable OIDC.
- Enable support for Universal DUO Prompt.
- Enable IdP Administrative webflows.
- Enable authentication audit logs to report use.
- Prepare automated deployment for future version upgrades.
- Shibboleth Discovery Service
Lessons learned
The CSP, according to UCSB’s IAM team, allowed the group to get “in sync.” Conversations around the existing identity systems and practices were initiated. In addition, UCSB used the CSP as an opportunity to review the existing possibilities/solutions using the InCommon tools and vendor resources.
For future CSP participants, UCSB offers the following suggestions:
- Take advantage of the offers to connect with individual CSP peers and/or InCommon Catalysts.
- Find time to spend as a team to debrief and digest CSP programming.
About the University of California, Santa Barbara
UCSB is an R1 public institution, part of the University of California (UC) system, with enrollment around 24,000 undergraduate students and 3,000 graduate students.
CSP Project Team:
Jim Woods, Director of Cloud and Identity Services
Farah Tahmasbi, IAM Developer
Dean Welch, Technical Project Manager
Noah Baker, Senior Collaboration Engineer
Scott Gilbert, System Administrator
Louis Tourtellotte, IAM Operations (50 percent)
James Kinneavy, Enterprise Architect
Yaheya Quazi, Enterprise Architect