Novell to Microsoft Conversion:
Identity Management Design & Plan
Presented To:
Harrisburg Area Community College
3/2/2011
1215 Hamilton Lane, Suite 200
Naperville, IL 60540
www.MoranTechnology.com
Voice & Fax: 877-212-6379
Identity Management Design
Harrisburg Area Community College
Page 2 of 18
Version History

Ver. #   Ver. Date    Author          Description
1.0      22-Feb-11    Brian Desmond   Initial Draft
1.1      1-Mar-11     Scott Weyandt   Review and Edits
Table of Contents

Introduction ........ 4
  Background ........ 4
Solution Overview ........ 6
Connected Systems ........ 7
Business Processes ........ 8
  Student Account Lifecycle ........ 8
  Employee Account Lifecycle ........ 10
FIM Architecture ........ 11
  Server Design ........ 12
  Key Provisioning Components ........ 12
Password Management ........ 14
  Self Service Password Reset Architecture ........ 14
  Help Desk Password Reset Architecture ........ 15
FIM Deployment Planning ........ 16
FIM Deployment Costs ........ 17
Summary ........ 17
Introduction
This document details the recommendations of Moran Technology Consulting (MTC)
for the design of the new Harrisburg Area Community College (HACC) Forefront
Identity Manager (FIM) 2010 solution.
Background
HACC has engaged MTC to conduct a thorough and impartial evaluation of its
current network operating system and email environment (Novell NDS and
GroupWise). As part of this assessment, MTC identified the pros and cons of converting
from the current Novell NetWare and GroupWise products to Microsoft Windows Server
Active Directory and Exchange Server 2010. MTC also developed a migration
project plan and a business case with cost estimates for moving to Microsoft.
In addition, MTC conducted a requirements workshop for the design and
implementation of Microsoft's identity management solution (FIM). We recommend
that HACC deploy FIM to integrate its key enterprise systems, including
SunGard Banner, SunGard Luminis, and Blackboard WebCT, with its email and
directory infrastructure. This integration will allow HACC to automatically provision
and deprovision both employee and student email (Exchange 2010 and Gmail,
respectively) and directory accounts (Active Directory), and to synchronize
passwords across these systems and other key HACC applications. Interviews with
both campus IT and Central IT security indicate that the ability to automatically create
and manage employee and student accounts is a critical need and will lead to both
greater IT security and greater administrative efficiency.
As part of this effort, MTC has developed the following design for FIM as well as
pricing and planning information for FIM deployment. Key documents for this step
include:
• HACC FIM Design (HACC FIM Design.docx)
• HACC High-level FIM Plan (HACC FIM Plan.mpp)
• HACC FIM Cost Estimates (HACC FIM Costs.xlsx)
Solution Overview
The Identity Management system for HACC will consist of three key
components:
• Active Directory
• Forefront Identity Manager (FIM) 2010
• Self-Service Password Management (SSPR)
These three components will serve as the foundation for management of all user
accounts at HACC. Active Directory will serve as the source of truth for passwords. For
HACC systems that cannot authenticate directly to Active Directory, FIM will forward
password changes to those systems. Note that this is password synchronization rather
than a single sign-on: each password change is captured on the domain controllers and
pushed by FIM to every target, so each target system and the channel to it must be
protected to the same standard as Active Directory itself. Various additional systems
can be connected to FIM for synchronization and provisioning of account information
from authoritative sources such as SunGard Banner.
Connected Systems
FIM will connect to a number of key systems that were identified during
planning workshops. These systems include SunGard Banner, Active Directory and
Exchange 2010, Google Apps Gmail, and an LMS system (currently WebCT). Banner
will serve as the source of truth for key demographic information (for students, faculty,
and staff) as well as drive provisioning and deprovisioning of accounts in various
connected systems.
The following diagram provides a high level overview of the connections to the
FIM Synchronization Service.
Business Processes
While the exact logic for provisioning and deprovisioning of accounts will be
determined during final design workshops, we have included recommended base
processes based on our experience performing identity management projects at
community college systems similar to HACC. The processes for managing student and
employee accounts typically differ and as such they have been documented separately.
Student Account Lifecycle
Student account provisioning is based on whether the student is considered
active. When a student has been inactive for two consecutive semesters, access to the
various systems will be disabled; for example, the student will no longer be able to
log on to Windows lab computers or access Windows file services. After one additional
inactive semester (three in a row), the accounts will be deprovisioned (e.g. deleted from
Active Directory). The following diagram outlines this process.
Student provisioning flow (reconstructed from the diagram):
1. Start Student Provisioning.
2. Active Student? Yes: provision Active Directory account, provision Gmail
   account, provision LMS (WebCT?) account. No: continue to step 3.
3. Inactive for two semesters? Yes: disable Active Directory account, disable
   Gmail account, disable LMS access. No: Finish.
4. Inactive for three semesters? Yes: remove Active Directory account, remove
   Gmail account. No: Finish.
5. Finish.
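To make the student rule concrete, the following is an added example (not code from the HACC design or from FIM) that evaluates a student's enrollment history against the two- and three-semester thresholds above and returns the connector actions a sync run would apply. It assumes a term calendar named like "2010FA" in which every term, including summer, counts as a semester, and the enrollment data is constructed sample input; it also covers two cases the diagram does not show, a record with no enrollment at all and a registration for a future term.

```python
"""Student account lifecycle evaluator.

Added example for this design note; it is not HACC's or Microsoft's FIM code.
Assumptions not in the document: terms are named like "2010FA" and ordered by
TERM_ORDER; every term in the calendar (including summer) counts as a
semester; a student is active in a term when that term is in the student's
enrollment history. The enrollment data below is constructed sample input.
"""
from dataclasses import dataclass

# Hypothetical academic calendar, oldest first.
TERM_ORDER = ["2009FA", "2010SP", "2010SU", "2010FA", "2011SP", "2011SU", "2011FA"]

# Thresholds from the design: disable after two consecutive inactive
# semesters, deprovision after a third.
DISABLE_AFTER = 2
REMOVE_AFTER = 3


@dataclass(frozen=True)
class Decision:
    state: str            # "never_active" | "active" | "grace" | "disabled" | "removed"
    inactive_terms: int   # consecutive inactive terms ending at the current term
    actions: tuple        # connector actions to apply, in order


def consecutive_inactive_terms(enrolled, current_term):
    """Count terms with no enrollment, walking back from current_term."""
    idx = TERM_ORDER.index(current_term)   # ValueError for an unknown term
    count = 0
    for term in reversed(TERM_ORDER[: idx + 1]):
        if term in enrolled:
            break
        count += 1
    return count


def evaluate_student(enrolled, current_term):
    """Map a student's enrollment history to a lifecycle state and actions."""
    idx = TERM_ORDER.index(current_term)
    # Only terms at or before the current one count: a future registration is
    # not "active" yet, and must not be counted as a long absence either.
    history = {t for t in enrolled if t in TERM_ORDER and TERM_ORDER.index(t) <= idx}
    if not history:
        # Banner record with no enrollment so far: nothing to provision.
        return Decision("never_active", 0, ())
    inactive = consecutive_inactive_terms(history, current_term)
    if inactive == 0:
        return Decision("active", 0, ("provision_ad", "provision_gmail", "provision_lms"))
    if inactive >= REMOVE_AFTER:
        return Decision("removed", inactive, ("remove_ad", "remove_gmail"))
    if inactive >= DISABLE_AFTER:
        return Decision("disabled", inactive, ("disable_ad", "disable_gmail", "disable_lms"))
    # One inactive term: the design does not change access yet.
    return Decision("grace", inactive, ())


# Constructed sample input: enrollment history keyed by student id.
SAMPLE_ENROLLMENT = {
    "H00000001": {"2010FA", "2011SP", "2011SU"},   # currently enrolled
    "H00000002": {"2010FA"},                        # one term out
    "H00000003": {"2010SP", "2010SU"},              # two terms out -> disable
    "H00000004": {"2009FA"},                        # three+ terms out -> remove
    "H00000005": set(),                             # admitted, never enrolled
}


def run_cycle(enrollment, current_term):
    """Evaluate every student for one FIM run; returns {student_id: Decision}."""
    return {sid: evaluate_student(terms, current_term) for sid, terms in enrollment.items()}


if __name__ == "__main__":
    for sid, d in run_cycle(SAMPLE_ENROLLMENT, "2011SP").items():
        print(sid, d.state, d.inactive_terms, d.actions)
```

The evaluator is deliberately idempotent: a student already in the "removed" state keeps returning the remove actions, so the connector-side logic must treat a missing account as success rather than an error.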
Employee Account Lifecycle
Much like student account provisioning, employee account provisioning is based on
the status of the employee as determined by Human Resources (HR). In higher education
environments it is typically necessary to treat staff and faculty accounts separately
when deprovisioning access to systems. For staff accounts it is generally feasible, and
recommended, to remove access on the employee's termination date; faculty, however,
typically require extended access in order to complete grades and follow up with
students. The following diagram details these processes.
Employee provisioning flow (reconstructed from the diagram; the wiring of the
deprovisioning branches is not fully recoverable from the extracted text):
1. Start Employee Provisioning.
2. Provision Active Directory account, provision Exchange mailbox, provision
   Home Folder. Faculty? Yes: provision LMS access.
3. Active Employee? Yes: no further action until the next run.
4. Deprovisioning decision points shown in the diagram: Staff?; Inactive for
   90 days?; Inactive for one semester?; Inactive for two semesters?
5. Deprovisioning actions shown in the diagram: Disable Active Directory
   account; Disable LMS Access; Remove Active Directory account; Remove Home
   Folder.
6. Finish.
FIM Architecture
Microsoft Forefront Identity Manager (FIM) 2010 consists of three key
components:
• Synchronization Service
• FIM Portal (a web interface)
• FIM Service
The Synchronization Service is responsible for moving data between connected
systems and for keeping that data consistent across all of them. The FIM Portal
provides a web based user interface to the product through which synchronization
rules, workflows, and object management can be configured. For example, a web page
can be created to allow students to activate their Gmail account or to reset their
password. The FIM Service provides the web services interface that the Portal itself
uses and that applications can call to interact directly with the product.
The HACC FIM environment will consist of three FIM servers and a two node
SQL Server cluster. The FIM Portal and the FIM Service partition that serves end user
requests will be hosted on a two node load balanced cluster. This cluster will also host
the custom password management and object management web pages. The FIM
Synchronization Service and a separate FIM Service partition will be hosted on a single
backend FIM server. The following diagram provides a high level overview of the
topology:
Server Design
It is typically acceptable to virtualize FIM servers so long as sufficient hardware
resources are allocated to the virtual machines. The following table provides
recommended memory and CPU requirements for the servers identified in the previous
section. The FIM SQL databases are particularly I/O intensive and with this in mind it
is important to allocate fast storage for SQL.
Quantity   Purpose                     CPUs   Memory
2          FIM Portal/Password Reset   2      8 GB
1          FIM Sync Service            2      8 GB
2          SQL Cluster for FIM         4      16 GB
Key Provisioning Components
The FIM Synchronization Service depends on Management Agents (MAs) to
connect to the various systems for the provisioning and synchronization of user
information. FIM ships with management agents for common systems as well as an
extensible Application Programming Interface (API) for developing custom
management agents (XMAs).
For the HACC implementation, it is expected that the following management
agents will be required:
• Active Directory
• Oracle Database (the SunGard Banner database)
• Google Gmail (custom XMA)
• WebCT (database MA or a custom XMA)
In addition to the Management Agent infrastructure used for synchronization, FIM
supports the execution of custom workflows according to state changes for objects in
the FIM database.
In order to support the provisioning requirements outlined in this document, the
following workflow activities will be required:
• Username generator
• Home folder creation/deletion
• Home folder permissions management
• PowerShell command (e.g. for managing Exchange mailbox settings)
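The username generator is the workflow activity most likely to need care, because two new users in the same sync run can collide before either name has been exported to Active Directory. The following is an added example, not HACC's or Microsoft's workflow code (a real FIM activity is a .NET class, but the logic is the same), that builds a sAMAccountName from Banner first and last names. It assumes a first-initial-plus-last-name convention with a numeric suffix on collision, folds non-ASCII names to the characters Active Directory accepts, respects the 20-character sAMAccountName limit, and checks both the names already in AD and the names reserved earlier in the same run; the existing-name set is constructed sample data.

```python
"""Username generator for FIM provisioning.

Added example for this design; it is not HACC's or Microsoft's workflow code
(a FIM workflow activity would be a .NET class; the logic below is the same).
Assumptions not in the document: the naming convention is first initial plus
last name, with a numeric suffix on collision; uniqueness is checked against
sAMAccountName values already in Active Directory plus names reserved earlier
in the same sync run. The existing-name set below is constructed sample data.
"""
import re
import unicodedata

SAM_MAX_LEN = 20      # Active Directory sAMAccountName length limit
SUFFIX_RESERVE = 3    # characters kept free for a numeric suffix (2..999)


def normalize(part):
    """Fold a name component to ASCII a-z0-9: strip accents, spaces, punctuation."""
    folded = unicodedata.normalize("NFKD", part).encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z0-9]", "", folded.lower())


def candidates(first, last):
    """Yield usernames in preference order: base, base2, base3, ... base999."""
    f, l = normalize(first), normalize(last)
    if not l:
        raise ValueError("last name has no usable characters")
    base = (f[:1] + l)[: SAM_MAX_LEN - SUFFIX_RESERVE]
    yield base
    for n in range(2, 1000):
        yield f"{base}{n}"
    raise RuntimeError(f"no free username for base {base!r}")


def generate_username(first, last, existing, reserved):
    """Return the first candidate not in AD (existing) or reserved this run.

    `existing` is the set of sAMAccountNames from the AD connector space;
    `reserved` collects names handed out during this run so two new users
    processed before the next export cannot receive the same name.
    sAMAccountName comparison is case-insensitive, hence the lower().
    """
    taken = {name.lower() for name in existing} | reserved
    for cand in candidates(first, last):
        if cand not in taken:
            reserved.add(cand)
            return cand


# Constructed sample: what the AD connector space already contains.
EXISTING_SAM = {"jsmith", "jsmith2", "JSMITH3", "mgarcia", "aoneil"}

if __name__ == "__main__":
    reserved = set()
    for first, last in [("John", "Smith"), ("José", "García"), ("Anne-Marie", "O'Neil"),
                        ("Jane", "Wolfeschlegelsteinhausen"), ("John", "Smith")]:
        print(first, last, "->", generate_username(first, last, EXISTING_SAM, reserved))
```

Reserving three characters for the suffix keeps every candidate within the 20-character limit; when all 999 suffixes for a base are taken the generator raises rather than silently truncating, which is the behaviour you want surfaced as a workflow error.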
Password Management
HACC currently does not have a self-service password management
infrastructure in place. Additionally various HACC systems use separate passwords,
which leads to a significant number of helpdesk calls when the end users fail to
authenticate to individual systems.
Self Service Password Reset Architecture
As part of the scope of this project, a custom web based Self Service Password
Reset (SSPR) interface will be implemented that will allow users to register for
password reset (i.e., set security questions) and to reset their password at a later
date. The SSPR interface will implement the following behaviors:
• Users will be presented with a list of 15 security questions, from which they will
select five to answer;
• To reset a password, students will be required to answer two of their pre-selected
questions, chosen at random each time they request a reset;
• Answers to security questions will NOT be case sensitive;
• The password management web interface will maintain its own account
lockout: five invalid attempts (incorrect date of birth, incorrect security
question answers, etc.) within 10 minutes will lock the user out of the web
interface.
All of these details can be modified and confirmed during a final design review, prior to
FIM deployment.
The password management web interface will maintain user security questions,
answers, and audit trails in an independent database that will not be directly integrated
with FIM. Because those answers gate a password reset, the database must be protected
accordingly: answers stored as salted hashes rather than in clear text, access restricted
to the reset application, and every reset attempt written to the audit trail. The current
version of FIM provides integrated password management (e.g., reset and security
questions) only for users who access it from a domain-joined workstation with the FIM
client add-in installed.
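The behaviors listed in this section fit together as shown in the following added example, which is not HACC's or Microsoft's code: registration of five answers from a bank of 15, a challenge that picks two at random and remembers which two it issued (so a client cannot substitute the questions it prefers), case- and whitespace-insensitive comparison, answers stored as salted PBKDF2 hashes, and a lockout after five failures within ten minutes. The question bank, user ids, answers and the injectable clock are assumptions made for the example; the clock lets the lockout window be exercised without waiting.

```python
"""Self-service password reset (SSPR) question store.

Added example for this design, not HACC's or Microsoft's code. It shows the
behaviours listed in the design (pick 5 of 15, answer 2 chosen at random,
case-insensitive answers, 5 failures in 10 minutes lock the web interface)
with answers stored as salted PBKDF2 hashes rather than plain text. The
question bank, user ids and answers are constructed sample data; `clock` is
injected so the lockout window can be tested without waiting.
"""
import hashlib
import hmac
import os
import random
import time
from collections import defaultdict

QUESTION_BANK = [f"Sample security question {i}?" for i in range(1, 16)]  # 15 questions
REQUIRED_REGISTERED = 5   # questions a user must answer at registration
REQUIRED_TO_RESET = 2     # questions challenged at reset time
LOCKOUT_THRESHOLD = 5     # failed attempts ...
LOCKOUT_WINDOW = 10 * 60  # ... within this many seconds lock the interface
PBKDF2_ROUNDS = 100_000


def normalize_answer(answer):
    """Case-insensitive, whitespace-insensitive comparison form of an answer."""
    return " ".join(answer.casefold().split())


def hash_answer(answer, salt=None):
    """Return (salt, digest); a fresh random salt for each stored answer."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize_answer(answer).encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


class SSPRStore:
    def __init__(self, clock=time.time):
        self.registrations = {}            # user -> {question_idx: (salt, digest)}
        self.pending = {}                  # user -> set of question_idx issued at challenge
        self.failures = defaultdict(list)  # user -> timestamps of failed attempts
        self.clock = clock

    def register(self, user, answers):
        """answers: {question_idx: answer_text}; exactly 5 distinct bank questions."""
        if len(answers) != REQUIRED_REGISTERED:
            raise ValueError(f"exactly {REQUIRED_REGISTERED} questions required")
        if any(not 0 <= q < len(QUESTION_BANK) for q in answers):
            raise ValueError("question index outside the bank")
        if any(not normalize_answer(a) for a in answers.values()):
            raise ValueError("empty answer")
        self.registrations[user] = {q: hash_answer(a) for q, a in answers.items()}

    def is_locked(self, user):
        now = self.clock()
        recent = [t for t in self.failures[user] if now - t < LOCKOUT_WINDOW]
        self.failures[user] = recent   # drop attempts outside the window
        return len(recent) >= LOCKOUT_THRESHOLD

    def challenge(self, user):
        """Pick 2 of the user's 5 registered questions; the server remembers which."""
        if self.is_locked(user):
            raise PermissionError("password reset locked out")
        registered = sorted(self.registrations.get(user, {}))
        if not registered:
            raise LookupError("user not registered for SSPR")
        chosen = random.SystemRandom().sample(registered, REQUIRED_TO_RESET)
        self.pending[user] = set(chosen)
        return [(q, QUESTION_BANK[q]) for q in chosen]

    def verify(self, user, responses):
        """responses: {question_idx: answer}; must match the questions issued."""
        if self.is_locked(user):
            return False
        issued = self.pending.pop(user, None)        # one attempt per challenge
        stored = self.registrations.get(user, {})
        ok = issued is not None and set(responses) == issued
        for q, answer in responses.items():
            if q not in stored:
                ok = False
                continue
            salt, digest = stored[q]
            ok &= hmac.compare_digest(hash_answer(answer, salt)[1], digest)
        if ok:
            self.failures[user].clear()
        else:
            self.failures[user].append(self.clock())
        return ok


if __name__ == "__main__":
    store = SSPRStore()
    truth = {0: "Fluffy", 3: "Harrisburg", 5: "blue", 7: "Smith", 11: "Ford"}
    store.register("H00000001", truth)
    issued = store.challenge("H00000001")
    print("challenge:", issued)
    print("reset allowed:", store.verify("H00000001", {q: truth[q].upper() for q, _ in issued}))
```

Two details matter in practice: the server, not the browser, decides which two questions are asked, and a failed attempt is counted against the user even when the user id is unknown, so the lockout cannot be bypassed by probing different ids from the same form.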
Help Desk Password Reset Architecture
When a user engages the service desk for a password reset, the service desk
currently uses an outside process to verify the user's identity (via administrative access
in the campus portal). Once the user's identity has been verified, the account is flagged
for reactivation, unlocked, and its password is set to a random string to prevent
unauthorized access until the user reactivates the account. The user will be directed
to go through the account activation process again, including:
• Log in using the 9-digit Student ID and date of birth (six digits) as the password;
• Set security questions (answers are case insensitive);
• Reset the password by providing a new password and a confirmation of it
(the password must meet Active Directory password complexity requirements).
Because the Student ID and date of birth are low-entropy values that are often known to
others, this activation step should be treated as weak authentication: the lockout
described above is what limits guessing, and the reactivation flag should be cleared as
soon as activation completes.
Specific details and requirements for this function can be finalized during the design
validation prior to FIM deployment.
FIM Deployment Planning
MTC recommends that HACC initiate the project to design and deploy FIM
concurrently with the project to migrate from Novell GroupWise and NetWare to
Microsoft Exchange 2010 and Active Directory. If FIM design and planning occurs
before or alongside Exchange and Active Directory planning, FIM can be used to
create the new student accounts in the new Active Directory environment as it is
deployed.
We estimate that the design, development, testing and deployment of FIM will
take approximately 10 weeks. The following Gantt chart shows the key tasks and
project step flow.
Our plan and estimated duration assume that HACC will contract with a skilled
and experienced Microsoft FIM implementer for this project. We estimate that the
following consulting hours will be required for each phase of the FIM Deployment
Project.
FIM Deployment Phase    Services Hours
Design & Plan           40
Development             80
Test                    16
Deployment              40
Knowledge Transfer      24
Total                   200
FIM Deployment Costs
MTC estimates the following costs for the deployment of FIM at HACC.
FIM Total Costs
Licenses    $13,877
Hardware    $10,000
Services    $40,000
Total       $63,877
Additional cost estimate details and assumptions for HACC’s FIM deployment
are provided in a separate document, HACC FIM Costs.xlsx.
Summary
This document outlines a high level design and workflow for implementing an
identity management system (FIM) at Harrisburg Area Community College
(HACC). The scope of the initial identity management implementation will be limited
to the synchronization of data (user accounts and mailboxes for students and
employees) to key systems (e.g. SunGard Banner, Active Directory, Gmail, etc.). The
implementation will also provide a self-service password management
infrastructure and password synchronization, as well as a single point of authentication
for enterprise systems.