TIER Campus Success Program Case Study
Georgia Institute of Technology
Georgia Tech’s current group management system is widely used and effective, but lacks a modern user interface, advanced API support, and scalability. Additionally, a broader cloud-first campus initiative recommends that new software be adaptable to cloud environments.
Through the Campus Success Program, Georgia Tech has worked to replace the legacy grouping system with Internet2’s Grouper enterprise access management system running inside Docker containers. While work is still in progress, Georgia Tech’s Grouper environment has been successfully deployed to Docker containers in production. However, Georgia Tech’s legacy group management system is still in use; the complete transition to Grouper will take place after the Campus Success Program is complete.
Over the course of the Campus Success Program, Georgia Tech’s Grouper implementation has evolved to use the TIER Grouper Docker image. Georgia Tech’s planning for the next phases of the Grouper project has greatly benefited from interactions with the Campus Success Grouper cohort. Docker orchestration tools like Rancher, Kubernetes, and AWS’s EKS have been evaluated and tested. Georgia Tech’s internal Enterprise Service Bus solution was used to build proxy APIs in front of Grouper Web Services to provide established authorization and consistency with other APIs offered by Georgia Tech’s Identity and Access Management team.
TIER Features Supported
Grouper – TIER Docker Image
- Dusty Edenfield – Georgia Tech
- Bert Bee-Lindgren – Georgia Tech Grouper SME
- John Bryson – Georgia Tech
The Grouper Deployment Enhancement Working Group was a group of Campus Success members with the common goals of implementing Grouper and shortening the learning curve for others that are getting started with Grouper. The TIER DevOps Guide working group had a useful approach geared towards establishing best practices for architecting and automating Docker development practices. The Grouper Deployment Guide is an invaluable tool for anyone learning Grouper who wants to set up an environment with proven methods and structures. The Grouper Users email list and Internet2 Campus Success Program Slack channel were great ways to collaborate with others and to find help on issues that were blockers to progress.
There are three problems that Georgia Tech set out to solve through the Campus Success Program:
- Replace the legacy group management system with something more robust and scalable
- Improve efficiency and transparency by moving away from the custom LDAP and Active Directory provisioning process
- Adopt a group and access management system that complies with Georgia Tech’s new cloud-first focus
1. Replace the legacy group management system – The legacy group management system, Georgia Tech Role System (GRS), was implemented in 2006 to manage authorization to campus applications. GRS is a Java-based application with a command-line, text-driven menu interface. It has been extremely successful at giving users self-service access to user role assignment with features like conditional attributes, indirect memberships, and LDAP provisioning. However, GRS has some limitations. The UI, which resembles a chat-bot or Zork-like wizard that asks questions with answers to be entered on the command line, can be daunting to new adopters. It is also hard to get visibility into the overall structure and relations between groups. Lastly, as GRS has grown and expanded from its original scope, its inability to scale and efficiently process large numbers of groups when evaluating condition-based memberships has highlighted opportunities for improvement that are better served by more robust alternatives like Grouper.
2. Improve efficiency and transparency – By moving to the packaged LDAP and AD provisioners in Grouper, Georgia Tech looks to gain efficiency and transparency into the provisioning process. The IAM team will no longer need to maintain the GRS custom provisioning code, which will lead to improved sustainability. With its ability to filter groups in and out of different destinations, Grouper’s provisioning will be more flexible than Georgia Tech’s custom provisioners.
3. Georgia Tech’s new cloud-first initiative – Georgia Tech’s OIT will move to a new office location in 2019 and will move most of its data center resources to a new, smaller data center at the new location. With the planning around cost for leasing space in the new location, as well as the opportunity to find efficiencies in cloud-based architectures, a new cloud-first focus has been promoted within OIT. Georgia Tech’s IAM team took this opportunity to learn about Docker and its inherent portability to either on-premises servers or cloud-hosted servers. Learning to run Grouper processes in Docker was an important step in offering a scalable and sustainable access management solution in Georgia Tech’s cloud-first initiative.
Georgia Tech’s Identity Management team identified Grouper as a long-term solution to access management long before participating in the Campus Success Program. Our vision for group creation and access management is to provide one central place where users can create the groups they need, establish policies and conditions on those groups, and then provision those memberships out to various downstream systems for integration with access control policies within those systems. We want to avoid the situation where users are creating different and separate groups in multiple systems. For example, if someone were to create groups in Dropbox, those groups may not be the same as groups in Azure, AWS, Microsoft Teams, etc. Grouper was the optimum choice for this strategy due to its enterprise-quality grouping features and widespread adoption among peer institutions.
The first internal project that required Grouper integration was a partnership with Georgia Tech’s Internal Technology Group (ITG). ITG offers support and assistance for residential network services and business technologies to Georgia Tech’s Campus Services Division and the entire Georgia Tech community. ITG was tasked with providing grouping and access controls for a large door access system. The IAM team was able to deploy Grouper in production to support this system.
There were two key components to IAM’s Grouper architecture in support of ITG’s project. IAM’s in-house ESB service, Buzzapi, would provide proxy APIs to Grouper’s Web Services so that ITG could build applications that provide their own custom user interfaces for door control administration. Proxy APIs were chosen instead of direct access to Grouper Web Services so that standard API access policies could be enforced and to enable the use of familiar Georgia Tech attributes commonly used across other Buzzapi resources.
The other important component of Georgia Tech’s Grouper architecture was the choice of Docker for running the Grouper daemon, UI, and web services. Grouper at Georgia Tech is packaged as an image with three layers. The bottom layer is the base Grouper installation image. The second layer, which inherits from the bottom-layer image, contains configuration for Georgia Tech’s CAS authentication as well as custom Grouper hooks that are triggered for conditional memberships and grace period enforcement. The last layered image contains environment-specific configuration for pointing connections to either the production or test Grouper Oracle databases. Finally, one image can be used to run either the Grouper Daemon, UI, or Web Services depending on which “docker run” command is executed. For development and maintenance purposes, it was beneficial to use Docker in this manner for its flexibility during testing and patching.
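To make the three-layer packaging concrete, here is a constructed sketch of the two site-side build files (added here; these are not Georgia Tech’s actual build files). It assumes the TIER image is published as `tier/grouper`, that the image reads configuration overlays from `/opt/grouper/conf/` and accepts `daemon`, `ui` or `ws` as its run command, that `site/` holds the CAS configuration and the hooks jar, and that `env/prod/` and `env/test/` hold per-environment `grouper.hibernate.properties` files; the database password is supplied at run time rather than baked into a layer.

```dockerfile
# ---- Dockerfile.site (layer 2): Georgia Tech customizations on top of the TIER image ----
# Assumption: the TIER Grouper image is tier/grouper; pin the tag that was actually tested.
FROM tier/grouper:2.4.0

# CAS authentication configuration for the UI (paths are placeholders for this example).
COPY site/cas/ /opt/grouper/conf/cas/

# Custom hooks (conditional memberships, grace-period enforcement) plus the
# grouper.properties entries that register the hook classes.
COPY site/gt-grouper-hooks.jar /opt/grouper/grouperWebapp/WEB-INF/lib/
COPY site/grouper.properties   /opt/grouper/conf/

# ---- Dockerfile.env (layer 3): environment-specific database pointers ----
# Build once per environment:  --build-arg GROUPER_ENV=prod  or  --build-arg GROUPER_ENV=test
FROM gt-grouper-site

ARG GROUPER_ENV=test

# Only the JDBC URL and username live here; the password is intentionally absent so the
# image can be pushed to a registry without carrying a credential in a layer.
COPY env/${GROUPER_ENV}/grouper.hibernate.properties /opt/grouper/conf/

# The password is injected at run time (env var or mounted secret, assumed to be read by
# the properties file via Grouper's expression language); never put it in a COPY or ENV line.

# ---- Build and run (constructed commands) ----
#   docker build -f Dockerfile.site -t gt-grouper-site .
#   docker build -f Dockerfile.env --build-arg GROUPER_ENV=prod -t gt-grouper:prod .
#   docker build -f Dockerfile.env --build-arg GROUPER_ENV=test -t gt-grouper:test .
#
# One image, three roles, selected by the run command (assumed TIER entrypoint verbs):
#   docker run --env-file prod-db-secret.env gt-grouper:prod daemon
#   docker run --env-file prod-db-secret.env -p 8443:443 gt-grouper:prod ui
#   docker run --env-file prod-db-secret.env -p 8444:443 gt-grouper:prod ws
```

Keeping the credential out of the image means `docker history` on any layer shows only URLs and usernames, and rotating the Oracle password requires no rebuild.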
The use of the Grouper APIs and Docker containers will allow the IAM team to improve upon GRS in a few important ways. Exposure of Grouper’s powerful Web Services provides transparency into how groups are maintained and constituted in real time. Giving developers more access through familiar tools will help with adoption. Having a central place for managing all of Georgia Tech’s groups and access strategies provides consistency, which will help with user satisfaction. Finally, the advantages of Grouper being built on Docker allow IAM to scale access control at Georgia Tech to reach a wider audience with more reliability.
Georgia Tech’s goals for the Campus Success Project were to replace the legacy GRS system with a more modern, sustainable access management system. While we have made progress on moving toward that goal, the migration to Grouper is not complete. Grouper is established as a production system, but it has not reached the scale necessary to support the multitude of cases possible across all of the services that the legacy system, GRS, currently serves.
There are still questions around which Docker orchestration method we decide to use, which has led to delays. Initially, we chose Rancher and Kubernetes for orchestration, but recently, with the larger campus’s AWS focus, we have decided to focus on AWS’s EKS offering.
Also, there is more work to be done to customize Grouper to fit Georgia Tech’s definition of an account versus a person. Currently, Georgia Tech’s Grouper contains person information, but does not yet handle multiple accounts associated with the singular person appropriately.
Foundationally, our Grouper implementation in Docker has improved as a result of participating in the Campus Success Program and collaborating with the other members. Having that rich breadth of knowledge to draw upon has had a great impact on our efforts not only on Grouper, but on our overall Docker DevOps strategy. As we progress with the remainder of the Grouper project, we will continue to work together with our fellow CSP members to build a higher quality access management solution at Georgia Tech.
Over the course of the last year in the Campus Success Program, there have been many opportunities for improvement and occasions for hindsight on the choices that were made in the project. The Campus Success Program in itself is a big commitment in terms of time and resources. We chose to implement only one TIER product, Grouper, and that was a good decision. During the past year, we have discussed the need for midPoint and Shibboleth in Docker containers and we intend to work on those projects in the future.
As it stands, we were not able to fully complete our goals. IAM strategies shift and project timelines move up or are delayed. We would have been more successful if we had more architects or developers to allocate to this project. Having at least one backup developer could have helped when priorities inevitably shifted. Also, it may have been helpful to have a project manager dedicated to the project who also would have participated in the bi-weekly calls. This could have helped the project to stay on task.
Ultimately, the Campus Success Program has been profoundly beneficial to Georgia Tech’s Grouper project. It has opened up avenues for assistance and innovation beyond what a sole IAM team could accomplish in a vacuum. Just talking with other members of the program on a regular basis over the course of the past year has granted enhanced perspective and facilitated knowledge transfer that probably wouldn’t have occurred otherwise. It has been an extremely valuable experience, but it should be approached with the mindset that any extra effort and resources dedicated to the project in the beginning will be well rewarded in the end.
The Campus Success Program has been a great experience for Georgia Tech. It has been a wonderful source of collaboration with our peers at other schools who are in various stages of implementation of Grouper. Each experience that was communicated by other members has provided valuable insight into their lessons learned so that we can avoid their pitfalls or follow along the successful paths that were blazed by others. While we continue to work on our overall project goal of successfully replacing our legacy grouping system with Grouper, we have made broad steps forward in learning about Grouper best practices and how to architect a sustainable and successful TIER product solution.