InCommon Collaboration Success Program Case Study
University of Washington
Executive summary
The University of Washington’s (UW) identity environment supports three academic campuses, four hospital campuses, multiple outpatient clinics, local hospital affiliates, and worldwide research partners. UW’s identity profiles are in the range of three million. UW-IT aims to provide users with a consistent identity experience regardless of where they interact with the university. The University of Washington Information Technology (UW-IT) focused on three goals during the Collaboration Success Program (CSP):
- Launching a new Grouper version onto the current system within a cloud environment by the end of 2023 and making the new version ready to use.
- Developing a plan to move existing group production service to the new Grouper version.
- Exploring COmanage Match and COmanage Registry.
The InCommon CSP led to some important alliances and collaboration with institutions like University of Virginia (UVA) and others, who provided valuable insight as UW-IT navigated a deeply entrenched, custom design and architecture. UVA and other CSP members offered support to UW-IT in sharing their own experiences using the same or similar platforms. UW-IT successfully implemented Grouper into its cloud-based environment and continues to work towards a seamless transition despite heavy reliance upon the existing system as a critical center of the UW-IT infrastructure.
Solution summary
UW started the CSP with the goal of addressing much needed upgrades to a heavily customized groups service system and answering questions about COmanage Registry and COmanage Match.
Trusted Access Platform features supported
Grouper, COmanage Match, COmanage Registry
The project
The UW-IT IAM team began by defining a plan for modernizing its outdated, custom-built group service. In the late 1980s, a customized architecture helped pave the way for Shibboleth and SAML. Now, the creators of these custom systems have retired, and the systems they created need an upgrade.
UW-IT joined CSP to collaborate and solve these implementation challenges while managing a thriving and enormous identity system. The team created a list of action items, including the following:
- Decide how to deploy and integrate the new Grouper version into existing infrastructure.
- Choose which new Grouper features to implement.
- Plan how to get data ready for a new environment and for production tasks like logging and monitoring.
- Determine migration pathway from a custom interface to the new version. Increase use of standard Grouper solution features with less customization.
- Explore COmanage Registry and Match by using Internet2 resources and support and by collaborating with other higher education institutions on the subject of identity registry, with the eventual goal of upgrading to an identity registry with an interface supporting a number of different IAM business processes.
- Develop and submit a recommendation on COmanage products for UW-IT leadership on next steps.
The challenge
Upgrading Grouper presented the following challenges:
- As the generation of UW-IT professionals responsible for UW-IT’s custom architecture and creation of Shibboleth and SAML retires, unfilled open IT positions and needed upgrades remain.
- The original custom group system built by UW-IT includes some outdated Grouper tools (about six years out-of-date). Current infrastructure is lacking in comparison to software advances made within the last decade.
- The customized group system is heavily relied on by campuses on a daily basis and is critical to infrastructure.
- Upgrade path for Grouper was challenging because of legacy and entrenched customization.
- Updating the existing group system to the latest, modern Grouper is not an option.
- Services are, for the most part, not containerized and are running on custom and complex architecture, requiring continual maintenance and monitoring.
- Launching a new system into an existing cloud environment based on Google Kubernetes wasn’t a smooth undertaking.
The result
UW-IT successfully completed part of its first goal of implementing a newer Grouper version within its environment. UW-IT also continues to successfully collaborate with other institutions thanks to the CSP program and created valuable relationships supporting both the new group system implementation and registry exploration. Their remaining goals are currently in process. Specific goals the team completed during CSP include:
- Completed design and deployment of upgraded group service, though launch is still in process.
- Began running Grouper in the UW-IT environment.
- Started to understand what’s available with the new Grouper system and how to load data into it.
- Created valuable relationships with fellow CSP participants like UVA and SMU on COmanage.
- Wrote recommendation for UW-IT leadership on next steps for COmanage Registry and COmanage Match analysis, stating the decision not to invest in COmanage products due to the upcoming COmanage rewrite.
Lessons Learned
- Ensure the IT team is fully resourced before starting the CSP program. Losing the UW-IT cloud engineer, along with several unfilled team positions, made it more difficult for UW-IT to advance its CSP goals when it had to manage other unrelated ongoing priorities.
- Take advantage of InCommon Academy software training. UW-IT team CSP participants used all CSP training credits, and everyone agreed the training was extremely valuable.
About University of Washington
UW is a public institution founded in 1861. More than 60,000 students are enrolled across three larger campuses in Seattle, Tacoma, and Bothell, with a smaller campus in Rome. Around 42,000 of those registered are undergraduates, and 17,000 are pursuing graduate or professional degrees. The university’s main campus sits on 634 acres in Seattle. UW is ranked sixth in the world and second among public institutions, according to U.S. News’ Best Global Universities.
- Every department and campus at UW has its own central IT, but all interface with the main integrated central UW-IT system, especially in the case of overarching systems like the identity system and Groups Service.
- The UW IAM team contributed to the original Shibboleth and SAML standard.
- UW Medicine supports a large scope of hospitals, clinics, and a global health program called “I-Tech.”
- UW-IT manages around 3.47 million individual identities, 126,000 non-people profiles, more than 1.4 million UWNetIDs, more than 200,000 groups, and more than 14 identity data sources.
UW-IT IAM Project Team:
Anne Tacazon, Assistant Director, IAM
Jonathan Pass, IAM Solutions Architect
Colin McCarthy, IAM Specialist
Andrew Markiel, IAM Software Engineer
Tracy Stenvik, IAM Software Engineer