
Novell to Microsoft Conversion:

Identity Management Design & Plan

Presented To:

Harrisburg Area Community College

3/2/2011

1215 Hamilton Lane, Suite 200

Naperville, IL 60540

www.MoranTechnology.com

Voice & Fax: 877-212-6379


Identity Management Design

Harrisburg Area Community College

Page 2 of 18

Version History

Ver. #  Ver. Date   Author         Description
1.0     22-Feb-11   Brian Desmond  Initial Draft
1.1     1-March-11  Scott Weyandt  Review and Edits


Table of Contents

Introduction ................................................ 4
    Background .............................................. 4
Solution Overview ........................................... 6
Connected Systems ........................................... 7
Business Processes .......................................... 8
    Student Account Lifecycle ............................... 8
    Employee Account Lifecycle ............................. 10
FIM Architecture ........................................... 11
    Server Design .......................................... 12
    Key Provisioning Components ............................ 12
Password Management ........................................ 14
    Self Service Password Reset Architecture ............... 14
    Help Desk Password Reset Architecture .................. 15
FIM Deployment Planning .................................... 16
FIM Deployment Costs ....................................... 17
Summary .................................................... 17


Introduction

This document details the recommendations of Moran Technology Consulting (MTC) for the design of the new Harrisburg Area Community College (HACC) Forefront Identity Manager (FIM) 2010 solution.

Background

HACC has engaged MTC to conduct a thorough and impartial evaluation of its current network operating system and email environment (Novell NDS and GroupWise). As part of this assessment, MTC identified the pros and cons of converting to Microsoft Windows Server Active Directory and Exchange Server 2010 from the current Novell NetWare and GroupWise products. MTC also developed a migration project plan and a business case with cost estimates for moving to Microsoft.

In addition, MTC conducted a requirements workshop for the design and implementation of Microsoft's identity management solution (FIM). We recommend that HACC deploy FIM to integrate its key enterprise systems, including SunGard Banner, SunGard Luminis, and Blackboard WebCT, with its email and directory infrastructure. This integration will allow HACC to automatically provision and deprovision both employee and student email (Exchange 2010 and Gmail, respectively) and directory accounts (Active Directory), and to synchronize passwords across these systems and other key HACC applications. Interviews with both campus IT and Central IT security suggest that the ability to automatically create and manage employee and student accounts is a critical need and will lead to both greater IT security and administrative efficiency.

As part of this effort, MTC has developed the following design for FIM as well as pricing and planning information for FIM deployment. Key documents for this step include:

• HACC FIM Design (HACC FIM Design.docx)
• HACC High-level FIM Plan (HACC FIM Plan.mpp)
• HACC FIM Cost Estimates (HACC FIM Costs.xlsx)


Solution Overview

The Identity Management system for HACC will comprise three key components:

• Active Directory
• Forefront Identity Manager (FIM) 2010
• Self-Service Password Management (SSPR)

These three components will serve as the foundation for management of all user accounts at HACC. Active Directory will serve as the source of truth for passwords. For HACC systems that cannot authenticate directly to Active Directory, FIM will forward passwords to those systems. Various additional systems can be connected to FIM for synchronization and provisioning of account information from authoritative sources such as SunGard Banner.


Connected Systems

FIM will connect to a number of key systems that were identified during planning workshops. These systems include SunGard Banner, Active Directory and Exchange 2010, Google Apps Gmail, and a learning management system (LMS), currently WebCT. Banner will serve as the source of truth for key demographic information (for students, faculty, and staff) and will drive provisioning and deprovisioning of accounts in the various connected systems.

The following diagram provides a high level overview of the connections to the FIM Synchronization Service.


Business Processes

While the exact logic for provisioning and deprovisioning of accounts will be determined during final design workshops, we have included recommended base processes based on our experience performing identity management projects at community college systems similar to HACC. The processes for managing student and employee accounts typically differ, so they have been documented separately.

Student Account Lifecycle

Student account provisioning is based on whether or not the student is considered active. When a student has been inactive for two consecutive semesters, their access to various systems will be disabled; for example, the student would no longer be able to log on to Windows lab computers or access Windows file services. After an additional semester of inactivity, accounts will be deprovisioned (e.g. deleted from Active Directory). The following diagram outlines this process.


[Diagram: Student provisioning flowchart. Start Student Provisioning; Active Student? Yes: Provision Active Directory account, Provision Gmail account, Provision LMS (WebCT?) account. Inactive for two semesters? Yes: Disable Active Directory account, Disable Gmail account, Disable LMS access. Inactive for three semesters? Yes: Remove Active Directory account, Remove Gmail account; No: Finish.]
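The student lifecycle described above, as an added worked example (not code from the design document or from FIM). It assumes the student's enrollment history is given as a list of per-semester booleans, oldest first, and keys the connected systems as "ad", "gmail" and "lms"; both are assumptions, not from the document.

```python
"""Student account lifecycle from the design above, as an added worked example
(not code from the design document or from FIM). Assumed, not in the document:
enrollment history is a list of per-semester booleans, oldest first, and the
connected systems are keyed "ad", "gmail" and "lms"."""
from dataclasses import dataclass, field

SYSTEMS = ("ad", "gmail", "lms")


def consecutive_inactive_semesters(enrollment):
    """Count trailing semesters with no enrollment (most recent semester last)."""
    count = 0
    for enrolled in reversed(enrollment):
        if enrolled:
            break
        count += 1
    return count


def student_lifecycle_actions(enrollment):
    """Return the (action, system) pairs the design calls for.

    Active student           -> provision AD, Gmail and LMS accounts
    Inactive two semesters   -> disable AD, Gmail and LMS access
    Inactive three semesters -> remove the AD and Gmail accounts
    """
    if not enrollment:
        return []  # never enrolled: nothing to provision (assumption)
    inactive = consecutive_inactive_semesters(enrollment)
    if inactive == 0:
        return [("provision", s) for s in SYSTEMS]
    if inactive == 1:
        return []  # one inactive semester: no change yet
    if inactive == 2:
        return [("disable", s) for s in SYSTEMS]
    # three or more inactive semesters: deprovision (LMS access is already disabled)
    return [("remove", "ad"), ("remove", "gmail")]


@dataclass
class StudentAccounts:
    """Which connected-system accounts exist and whether each is enabled."""
    provisioned: dict = field(default_factory=dict)  # system -> enabled flag


def apply_actions(accounts, actions):
    """Apply lifecycle actions idempotently, so a nightly rerun is safe."""
    for action, system in actions:
        if action == "provision":
            accounts.provisioned[system] = True
        elif action == "disable" and system in accounts.provisioned:
            accounts.provisioned[system] = False
        elif action == "remove":
            accounts.provisioned.pop(system, None)
    return accounts
```

Running the same history through `student_lifecycle_actions` each semester and feeding the result to `apply_actions` reproduces the disable-then-delete sequence the diagram shows.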


Employee Account Lifecycle

Much like student account provisioning, employee account provisioning is based on the status of the employee as determined by Human Resources (HR). In higher education environments, it is typically necessary to treat staff and faculty accounts separately when deprovisioning access to systems. For staff accounts it is generally feasible, and recommended, to remove access on the employee's termination date; faculty, however, typically require extended access in order to complete grades and follow up with students. The following diagram details these processes.

[Diagram: Employee provisioning flowchart. Start Employee Provisioning / Finish. Decision nodes: Active Employee, Faculty, Staff, Inactive for 90 days, Inactive for one semester, Inactive for two semesters. Action nodes: Provision Active Directory account, Provision Exchange mailbox, Provision Home Folder, Provision LMS access, Disable Active Directory account, Remove Active Directory account, Remove Home Folder, Disable LMS Access.]


FIM Architecture

Microsoft Forefront Identity Manager (FIM) 2010 comprises three key components:

• Synchronization Service
• FIM Portal (a web interface)
• FIM Service

The Synchronization Service is responsible for the movement of data between connected systems as well as ensuring that data is accurate in all connected systems. The FIM Portal provides a web based user interface to the FIM product through which synchronization, workflow, and object management can be configured. For example, a web interface can be created to allow students to activate their Gmail account or to reset their passwords. The FIM Service provides a web services interface into the FIM web interface which can be used by applications to interact directly with the product.

The HACC FIM environment will comprise three FIM servers and a two-server SQL Server cluster. The FIM web interface and Service layer servicing end user requests will be hosted on a two-node load-balanced cluster. This cluster will also house the custom password management and object management web pages. The FIM Synchronization Service and a separate FIM Service partition will be hosted on a single backend FIM server. The following diagram provides a high level overview of the topology:


Server Design

It is typically acceptable to virtualize FIM servers so long as sufficient hardware resources are allocated to the virtual machines. The following table provides recommended memory and CPU requirements for the servers identified in the previous section. The FIM SQL databases are particularly I/O intensive, so it is important to allocate fast storage for SQL.

Quantity  Purpose                    CPU Qty.  Memory
2         FIM Portal/Password Reset  2         8GB
1         FIM Sync Service           2         8GB
2         SQL Cluster for FIM        4         16GB

Key Provisioning Components

The FIM Synchronization Service depends on Management Agents (MAs) to connect to various systems for the provisioning and synchronization of user information. FIM comes with a number of management agents for common systems as well as an extensible Application Programming Interface (API) for developing custom management agents (XMAs).

For the HACC implementation, it is expected that the following management agents will be required:

• Active Directory
• Oracle Database
• Google Gmail (custom XMA)
• WebCT (database MA or a custom XMA)

In addition to the Management Agent infrastructure used for synchronization, FIM supports the execution of custom workflows according to state changes for objects in the FIM database.

In order to support the provisioning requirements outlined in this document, the following workflow activities will be required:

• Username generator
• Home folder creation/deletion
• Home folder permissions management
• PowerShell command (e.g. for managing Exchange mailbox settings)


Password Management

HACC currently does not have a self-service password management infrastructure in place. Additionally, various HACC systems use separate passwords, which leads to a significant number of helpdesk calls when end users fail to authenticate to individual systems.

Self Service Password Reset Architecture

As part of the scope of this project, a custom web based Self Service Password Reset (SSPR) interface will be implemented that will allow users to register for password reset (i.e., set security questions) as well as reset their password at a later time and date. The SSPR interface will mirror the following behaviors:

• Users will be provided with a list of 15 security questions from which they will select five to answer;
• To reset passwords, students will be required to answer two of their pre-selected questions, randomly presented each time they desire to reset their password;
• Answers to security questions will NOT be case sensitive;
• The password management web interface will maintain a separate account lockout feature. Five invalid login attempts (incorrect date of birth, incorrect security questions, etc.) within 10 minutes will lock the user out of the web interface.

All of these details can be modified and confirmed during a final design review, prior to FIM deployment.

The password management web interface will maintain user security questions, answers, and audit trails in an independent database that will not be directly integrated with FIM. The current version of FIM provides integrated password management (e.g., reset and security questions) only for users who access the service from a domain joined workstation.
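The SSPR rules above, as an added worked example (not the design's custom SSPR code or FIM's): case-insensitive answers stored only as salted hashes, a random two-of-five challenge, and the five-failures-in-10-minutes lockout with an audit trail. The question bank, user id and timestamps are constructed for the example; the date-of-birth check mentioned in the lockout bullet is left out.

```python
"""SSPR policy from the section above, as an added worked example (not the
design's or FIM's code): answers normalized case-insensitively and stored only as
salted PBKDF2 hashes, two of five registered questions challenged at random, and
five failures within 10 minutes locking the web interface. Constructed values:
the question bank, user id and timestamps."""
import hashlib
import hmac
import secrets
from collections import defaultdict

QUESTION_BANK = [f"Security question {i}" for i in range(1, 16)]  # constructed
QUESTIONS_TO_REGISTER, QUESTIONS_PER_RESET = 5, 2
LOCKOUT_THRESHOLD, LOCKOUT_WINDOW_SECONDS = 5, 600


def normalize(answer):
    """Answers are not case sensitive; also ignore surrounding/repeated spaces."""
    return " ".join(answer.strip().lower().split())


def hash_answer(answer, salt):
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, 100_000)


class SsprStore:
    """Questions, answer hashes and audit trail kept outside FIM, per the design."""

    def __init__(self):
        self.registrations = {}             # user -> {question: (salt, hash)}
        self.failures = defaultdict(list)   # user -> timestamps of failed attempts
        self.audit = []

    def register(self, user, answers):
        """answers: {question: answer}; exactly five distinct bank questions."""
        if len(answers) != QUESTIONS_TO_REGISTER or not set(answers) <= set(QUESTION_BANK):
            raise ValueError("must answer exactly five questions from the bank")
        self.registrations[user] = {}
        for question, answer in answers.items():
            salt = secrets.token_bytes(16)
            self.registrations[user][question] = (salt, hash_answer(answer, salt))
        self.audit.append(("register", user))

    def is_locked(self, user, now):
        """Locked when LOCKOUT_THRESHOLD failures fall inside the sliding window."""
        recent = [t for t in self.failures[user] if now - t < LOCKOUT_WINDOW_SECONDS]
        self.failures[user] = recent
        return len(recent) >= LOCKOUT_THRESHOLD

    def challenge(self, user):
        """Pick two of the user's registered questions at random for this attempt."""
        remaining = list(self.registrations[user])
        return [remaining.pop(secrets.randbelow(len(remaining)))
                for _ in range(QUESTIONS_PER_RESET)]

    def verify(self, user, answers, now):
        """answers: {question: answer} for the challenged questions; now: epoch seconds."""
        if self.is_locked(user, now):
            self.audit.append(("locked", user))
            return False
        ok = len(answers) == QUESTIONS_PER_RESET
        for question, answer in answers.items():  # check every answer; constant-time compare
            salt, stored = self.registrations[user].get(question, (b"", b""))
            ok &= hmac.compare_digest(hash_answer(answer, salt), stored)
        if not ok:
            self.failures[user].append(now)
        self.audit.append(("verify", user, ok))
        return ok
```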


Help Desk Password Reset Architecture

When a user engages the service desk for a password reset, the service desk currently uses an outside process to verify the user's identity (via administrative access in the campus portal). Once the user's identity has been verified, the account is flagged for reactivation, unlocked, and its password is set to a random string to prevent unauthorized access until the user can reactivate the account. The user will be directed to go through the account activation process again, including:

• Log in using the 9 digit Student ID and date of birth (six digits) as the password;
• Set security questions (answers are case insensitive);
• Reset the password by providing a new password and confirmation of the new password (the password must meet Active Directory password complexity requirements).

Specific details and requirements for this function can be finalized during the design validation prior to FIM deployment.
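The random-string step of the help desk reset above, as an added worked example (not the design's or FIM's code): generate the temporary password with a CSPRNG and check it against the default Active Directory complexity rule. The 16-character length, the minimum length of 8 and the symbol set are assumed values, not from the document.

```python
"""Help desk reset step from the section above, as an added worked example (not
the design's or FIM's code): set the account's password to a random string so it
cannot be used until the user reactivates it, and check that string against the
default Active Directory complexity rule (minimum length, at least three of four
character classes, and no occurrence of the account name). The 16-character
length, the minimum length of 8 and the symbol set are assumed values."""
import secrets
import string

LOWER, UPPER, DIGITS = string.ascii_lowercase, string.ascii_uppercase, string.digits
SYMBOLS = "!@#$%^&*()-_=+"   # constructed symbol set; adjust to the domain policy
MIN_LENGTH = 8               # assumed domain minimum password length


def meets_ad_complexity(password, username=None, min_length=MIN_LENGTH):
    """Default AD policy: length >= minimum, characters from at least three of
    four classes, and the account name (if 3+ chars) not contained in the password."""
    if len(password) < min_length:
        return False
    if username and len(username) >= 3 and username.lower() in password.lower():
        return False
    classes = sum(any(c in group for c in password)
                  for group in (LOWER, UPPER, DIGITS, SYMBOLS))
    return classes >= 3


def random_temporary_password(length=16):
    """Draw one character from each class so complexity always holds, fill the rest
    from the full alphabet, then shuffle with a CSPRNG (random.shuffle is not one)."""
    if length < 4:
        raise ValueError("need room for one character from each class")
    alphabet = LOWER + UPPER + DIGITS + SYMBOLS
    chars = [secrets.choice(group) for group in (LOWER, UPPER, DIGITS, SYMBOLS)]
    chars += [secrets.choice(alphabet) for _ in range(length - 4)]
    for i in range(len(chars) - 1, 0, -1):   # Fisher-Yates with secrets.randbelow
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)
```

The generated string is meant to be set and never communicated to the user; the user reactivates the account through the activation steps listed above.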


FIM Deployment Planning

MTC recommends that HACC initiate the project to design and deploy FIM concurrently with the project to migrate from Novell GroupWise and NetWare to Microsoft Exchange 2010 and Active Directory. If FIM design and planning occurs before or alongside Exchange and Active Directory planning, FIM can be implemented to create new student accounts in the new Active Directory environment as it is deployed.

We estimate that the design, development, testing and deployment of FIM will take approximately 10 weeks. The following Gantt chart shows the key tasks and project step flow.

Our plan and estimated duration assume that HACC will contract with a skilled and experienced Microsoft FIM implementer for this project. We estimate that the following consulting hours will be required for each of the FIM Deployment Project phases.

FIM Deployment Services    Hours
Design & Plan              40
Development                80
Test                       16
Deployment                 40
Knowledge Transfer         24
Total                      200

FIM Deployment Costs

MTC estimates the following costs associated with the deployment of FIM at HACC.

FIM Total Costs    Total
Licenses           $ 13,877
Hardware           $ 10,000
Services           $ 40,000
Total              $ 63,877

Additional cost estimate details and assumptions for HACC's FIM deployment are provided in a separate document, HACC FIM Costs.xlsx.

Summary

This document outlines a high level design and workflow for implementing an identity management system (FIM) at the Harrisburg Area Community College (HACC). The scope of the initial identity management implementation will be limited to the synchronization of data (user accounts and mailboxes for students and employees) to key systems (e.g. SunGard Banner, Active Directory, Gmail, etc.). The implementation will also provide a self-service password management infrastructure and synchronization, as well as a single point of authentication for enterprise systems.