Executive summary

Leveraging the software components provided by TIER and the ideas and assistance provided by the TIER community, Rice’s Identity First project will realign the flow of identity data across the university’s business applications.

This was done to increase automation, reduce errors, consolidate identity data, allow for more loose coupling of business processes, and increase personal data privacy and control for the Rice community.

TIER features supported

• Phase 1: TIER Shibboleth IdP and TIER Grouper GUI and Web Services
• Phase 2: TIER MidPoint

Collaborators

• Rice University
• Paul Caskey
• Chris Hubing
• Michael Gettes
• John Gasper
• TIER-grouper
• TIER-packing slack channels
• Keith Hazelton
• Warren Curry
• TIER API Working Group

Community resources

The Internet2 TIER API Working Group was invaluable in their discussions of the best practices and thoughts around the future state of using the TIER components in a holistic identity management infrastructure.

The project

Rice’s Identity and Access Management (IAM) group and High Performance Computing (HPC) group came together to discuss issues facing the campus and HPC in particular with regard to sponsored accounts. HPC creates a lot of sponsored accounts for access to their computing clusters, and is very sensitive to the failings in the current process. The groups decided to redesign a new sponsored account process to correct the failings of the existing system and provide a more user friendly, timely and efficient process.

The problem

Rice’s current sponsored account system is limited and constrained by the legacy home-grown identity management system to which it was added. Because the identity management system does not support more than the one system of record well, this has always been problematic for individuals moving from one system of record to the other. The design of the current sponsored account system is also limiting, either giving too little access to IT resources or giving too much.  

There is no granularity in the services that can be applied through the system other than through manual intervention.

The sponsor application review process adds yet another user irritation to the whole mix. While the review process, run out of our risk management office, is needed for the physical aspects of the sponsored account system (like ID cards, parking spaces, and library access), those needing simple access to IT resources are also constrained by the same review process. And once that review process has begun, it is nearly impossible to make changes to the application, if say, the sponsor chose the wrong resources for the guest increasing the five-day turnaround time to weeks.

The solution

Rice’s IAM group has started a project known as Identity First. This project will realign the major workflows and data transfers around the university’s business applications to increase automation, reduce errors, consolidate identity data, allow for more loose coupling of business processes, and increase personal data privacy and control for the Rice community. This project will involve business and service owners across the university from Human Resources and the Registrar to Academic schools and departments, to various Office of Information Technology departments.  

The first phase of the Identity First project will be to prepare for the major transition of our legacy identity management system that will replace the aging components of our IdM system with new, more modern components coming out of the Internet2’s Trust and Identity in Research and Education (TIER) program. This new TIER compatible environment is based on Docker containers.

Rice was fortunate to be included in TIER’s Campus Success Program. This helped get the first phase of the project off the ground, not only with Docker training that helped jumpstart our knowledge in this area, but also with the knowledge-sharing with the Internet2 subject matter experts and other program members. Being a part of the program gave us the support we needed to keep us going and moving forward. Rice worked on documenting our TIER Docker environment through the DevOps Deployment guide, and this experience has helped us to not only have a record what we did, but helped the team have a better understanding of all of the components even if they didn’t work on all parts.

The second phase of Identity First will involve work on two fronts; work on the user ingress portal that will encompass the requirements for the sponsored account process, and the testing/integration of the new TIER entity registry (MidPoint) that will serve as the repository for all identity information.  

The third phase of Identity First will involve the integration of the new ingress portal and the existing sponsored account process to ensure that all IT resources are properly handled through the Identity First interface while all approvals and non-IT functions are passed seamlessly onto the parts of the old sponsored account process that must be kept. This way the IT resources needed can be provisioned prior to the approval workflow finishing, allowing for a quicker turnaround for the user experience.

The result

This project is still ongoing.  

Phase one of the Identity First project has been completed. The production Docker environment is running and the issues and workflows necessary to run two of the TIER components, Grouper and Shibboleth, have been addressed. We already have seen a huge benefit in time savings.  Any time either of these applications required a software update, it used to take us about 3 weeks to build, test, and prepare new hardware for deployment. Now it is taking about 1.5 hours to do the same, freeing our limited staff time to work on other more pressing issues.

Phase two will begin in January 2019, when the TIER Midpoint component will be brought online in a test environment so that work on the sponsored application system can start utilizing the increased functionality provided by the new base software. Phase three will be started upon completion of phase two.

Lessons learned

We started this journey using the TIER reference Docker Swarm configuration. Since that time, Rancher 2.0 has been released, which is a management system for Kubernetes. We are now investigating moving over to Rancher 2.0 to support the management of both local (on campus) and remote (on Amazon Web Services) clusters.

Conclusions

Rice has found the community involvement and interaction between Internet2, the TIER Campus Success Program members and subject matter experts to be invaluable in this journey.  Being able to bounce ideas and thoughts off of others with similar issues and desires, with a shared goal of improving our respective environments, made the process much less overwhelming that it would have been otherwise.

About Rice University

Rice University, established in 1912, is a private (R1) research university located on a 295-acre campus in Houston Texas.  With a focus on undergraduate education, Rice maintains a student to faculty ratio of 6:1 with a median class size of 15. About 65% of undergraduates participate in research during their time at Rice.  Rice has a population of 3879 undergraduate and 2861 graduate degree-seeking students along with 671 full-time and 210 part-time instructional faculty and around 2300 full and part-time staff. Rice offers degrees in the schools of Architecture, Business, Continuing Education, Engineering, Humanities, Music, Natural Sciences, and Social Sciences.

Rice’s Identity and Access Management group was created in March of 2015 to support the needs of a changing organization.

Resources used

• Docker documentation
• Internet2/tier-idp
• Internet2/tier-grouper
• Evolveum
• TIER Campus Success Program