Building an IAM Program at Portland State University Polling URL: ... PRESENTED BY: Ryan Bass, Associate CIO, Portland State University Jessica Coltrin, Associate Director, Portland State University © 2018 Internet2


Page 1

Building an IAM Program at Portland State University

Polling URL: ...

PRESENTED BY: Ryan Bass, Associate CIO, Portland State University
Jessica Coltrin, Associate Director, Portland State University

© 2018 Internet2

Page 2

Asking Questions

You have the option to ask questions via the URL above; you can also upvote your favorite questions.

Page 3

Building an Identity and Access Management (IAM) Program at Portland State University (PSU)

Agenda

About PSU

IAM Maturity

The Beginning of IAM at Portland State

IAM 2.0

2019 and beyond: Future Plans


Page 5

Audience

● CIOs
● Other leadership not focused on IAM?
● IAM leadership
● IAM developer/administrator
● Other

Page 6

About Portland State University

Page 7

Page 8

IAM Maturity

Page 9

Gartner ITScore for IAM Maturity

Poll:...

Page 10

Page 11

Page 12

The Beginning of IAM at Portland State

Page 13

PSU Gartner ITScore for IAM in 2000

Page 14

The Beginning

Page 15

Gartner ITScore for IAM in 2010

Page 16

2012

● The lingering Sun Identity Manager project team meetings become “IAM Operations”, which is recognized as a long-term IT coordination group. Membership includes IAM, Windows Server Team (Active Directory), Unix Team (LDAP & CAS), Banner ERP, and Helpdesk.
● “Affiliate” account process created - ERP integrated and paperless
● New Architecture and Integration Team with an IAM focus is created
● Sun Identity Manager
● In-house “Ragve” custom provisioning engine for LMS, etc.
● Sailpoint Identity IQ is selected to replace Sun Identity Manager

Page 17

Page 18

PSU Gartner ITScore for IAM in 2013

Page 19

Changing Landscape in 2013

● Oracle support for Sun Identity Manager is ending soon
● Project to migrate to SailPoint Identity IQ is underway
● PSU Single Sign-On adoption has grown rapidly - added to Banner ERP self-service
● Staff turnover creates opportunity for rebuilding IAM team

Page 20

Launching IAM 2.0 @ PSU in 2014

Large queue of lingering work to do:

● Complete migration from Sun Identity Manager to Sailpoint Identity IQ
● Take on operational responsibilities for custom provisioning tool
● Federated login with Shibboleth and InCommon
● Multi Factor Authentication
● Service account management
● Privileged account management

Architecture and Integration team becomes 100% IAM focused, and is renamed to the Identity and Access Management team

Hired new leadership

Page 21

Identity and Access Management 2.0 @ PSU

Page 22

Creating a Vision

First, look at what the rest of Higher Education is doing.
● Experience with Kuali community and Kuali Identity Management
● Awareness of InCommon and earlier phases of what became TIER (OSIdm4HE, CIFER)
● Research with Gartner & Educause
● Attended Internet2 Technology Exchange

Also look at prior work at PSU
● Some foundational work in architecture and integration, Sailpoint chosen
● PSU had already joined InCommon but wasn’t using it yet
● We had Active Directory, LDAP, and Google in place with SunIDM
● We had a custom system (ragve) built for D2L provisioning and other one-off provisioning

And institutional priorities and goals
● First area of focus was finishing the Sailpoint project
● Simplify the user experience and the support experience
● Applications coming on board requesting SSO via SAML2

Page 23

Vision for IAM

(architecture diagram; component labels as shown)

● Create Account (Banner, Destiny, etc.)
● Sailpoint IIQ for identity store & provisioning
● Google
● D2L, etc.
● AD
● LDAP
● Single Sign-On: CAS & Shibboleth
● Odin Account Manager for all account/access mgmt: password management, service account management, privileged account management, access requests
● Most PSU Applications
● ragve for custom apps Sailpoint wouldn’t support

Page 24

Strategy/Priorities

1) Manage Identities
2) Access Management
3) IAM Improvements

Page 25

Developer-Focused Implementation Methodology

… with the addition of:

● Strategic Operational Fixes over Project Work
● Small Iterations over Large Features

Page 26

Projects Completed To Date

1) Manage Identities
   - OAM 2.0 (Sailpoint project)
   - Definitions, Individual & Service
   - Service Accounts
   - Support/Re-architect ragve

2) Access Management
   - Access Management Strategy
   - Automated Offboarding

3) IAM Improvements
   - Shibboleth IdP
   - Implement MFA
   - MFA for ACH & SSO
   - Limited Lifetime Accounts
   - Sailpoint 7 Upgrade

Lessons Learned
● It takes time to build experienced resources. And it hurts when you lose them.
● Defining & establishing common meanings for terms like service account is important, and it takes more time than expected.
● Tie access to roles; we use the same account for a user with student and employee roles.
● Limit vendor solutions to what they do well. Write custom code instead of trying to modify vendor code.
● IAM Operations always takes up more time than you think it will.

Page 27

Milestones

2014
● Team reformed as a software development team that also handles operations
● Introduced JIRA/Confluence to document and collaborate
● Establishment of versioned releases & standard processes for development life cycle
● Establishment of IAM governance model, formalizing IAM-Ops, security rep
● Integration with Enterprise Application governance & high level IT Advisory Committee

2015
● OAM 2.0 with Sailpoint
● Added Additional Staff

2016
● Shibboleth, Duo, OAM Admin
● Documented IAM Architecture

Page 28

PSU Gartner ITScore for IAM in 2016

Page 29

Current Architecture

(architecture diagram; component labels as shown)

● Banner: SOR for all accounts (entry via application or HR)
● Sailpoint IIQ for identity store & provisioning
● Google
● D2L, Pebblepad, etc.
● AD
● LDAP
● Single Sign-On: CAS & Shibboleth (Shibboleth IdP 3)
● Duo
● Odin Account Manager for all account/access mgmt (custom Django web app): password management, service account management, high account management, access requests
● OAM Admin for backend administration (custom Django web app)
● Most PSU Applications
● ragve for custom apps Sailpoint wouldn’t support

Page 30

Projects In Progress

1) Access Management
   - OAM Access Requests (OAR)
   - Proxy Management in OAM
   - Research Access Improvements

2) Manage Identities
   - Affiliate Accounts Rewrite
   - Privileged Accounts

3) IAM Improvements
   - Lenel Provisioning in Ragve

Lessons Learned
● Switched Focus to Access Management
● Improvement projects like Affiliate Accounts always seem to take the backseat
● The organization has to be ready to embrace certain changes
● Vendor APIs are often not as ready or complete as you need
● Custom user-facing webapps shield complexity and allow for replacing components without impacting the user experience

Page 31

Page 32

PSU Gartner ITScore for IAM in 2018

We’re now almost to Level 4.

Still more work to do on EA architecture alignment.

Page 33

2019 and beyond: Future Plans

Page 34

Future Projects

IAM Improvements
- Incorporate TIER
- Identity First Design
- Application PIN Recovery
- AWS/Azure Accounts in OAM
- Orphan Management
- Search/Match in OAM
- Temp/Guest Accounts in OAM

Core Identity and Access Management features are in place; remaining work is improving and streamlining IAM.

Page 35

Incorporate TIER

Investigate the TIER deliverables and incorporate them into our IAM Program where appropriate.

● Move Shibboleth to provided Docker containers
● Implement Grouper with provided Docker containers
● Investigate COmanage/MidPoint as the identity store for low assurance accounts
● Investigate Shibboleth UI
● Look into the Banner/Ethos working group to streamline Banner integrations
● Follow the id match initiative as it evolves

Page 36

Identity First

Concept: The first time we collect identity information from a user, it should come through creating a record in the identity system. The identity system becomes the System of Record (SOR) for identity.

Principles

● Track users from their first touch point at the university through their last interaction.
● Different levels of assurance, different levels of access throughout the identity lifecycle.
● Visibility & automation around provisioning/deprovisioning of accounts & access.
● Flexibility, modularity, and shared ownership.
● Accounts are provisioned on an as-needed basis to additional systems.

Page 37

Identity Creation

(flow diagram; labels as shown)

● Prospects
● Applicants: Undergrad App (Banner), Talisma Grad App (CollegeNet)
● Employees: New Employee (Banner)
● Non-Credit: Destiny
● Students: Registration (Banner)
● Create Account (OAM)
● Login (Single Sign-On)

Page 38

Levels of Assurance

Level          Info Collected                      Validation                  Uses
1 - minimal    First, Last, External Email         Email exists                Prospects, temporary accounts, applicants, non-credit students
2 - matched    Contact info, SSN requested, etc.   Search/match                Admitted students
3 - verified*  n/a                                 Id document verification    Verified student, verified employee

● Each level builds upon the previous level, adding more assurance that the identity is valid.
● * Verified requires examination of an identity document, i.e. social security card, passport, driver’s license.
● Note: We’ll be looking into InCommon Identity Assurance Levels to see where/how they fit.
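An added example, not from the presentation, modelling this assurance ladder in Python: a record's level is the highest rung whose complete evidence chain is present, and account provisioning for a given use is gated on that use's minimum level. The evidence names and the use-to-level mapping are assumptions drawn from the table above.

```python
# Added example, not from the PSU presentation: a model of the three-level
# assurance ladder on the "Levels of Assurance" slide. The evidence names and
# the use-to-level mapping are assumptions made for this illustration.
from enum import IntEnum


class Assurance(IntEnum):
    NONE = 0
    MINIMAL = 1   # first, last, external email collected; email existence confirmed
    MATCHED = 2   # contact info collected; search/match against the SOR passed
    VERIFIED = 3  # identity document examined


# Evidence each level requires. Each level builds on the previous one, so a
# record cannot be VERIFIED without the MINIMAL and MATCHED evidence as well.
REQUIRED_EVIDENCE = {
    Assurance.MINIMAL: {"email_confirmed"},
    Assurance.MATCHED: {"email_confirmed", "search_match_passed"},
    Assurance.VERIFIED: {"email_confirmed", "search_match_passed", "id_document_checked"},
}

# Minimum level per use, following the slide's "Uses" column (assumed mapping).
MIN_LEVEL_FOR_USE = {
    "prospect": Assurance.MINIMAL,
    "temporary_account": Assurance.MINIMAL,
    "applicant": Assurance.MINIMAL,
    "non_credit_student": Assurance.MINIMAL,
    "admitted_student": Assurance.MATCHED,
    "verified_student": Assurance.VERIFIED,
    "employee": Assurance.VERIFIED,
}


def assurance_level(evidence: set) -> Assurance:
    """Highest level whose complete evidence chain is present. The ladder is
    walked from the bottom and stops at the first gap, so an ID check recorded
    without a prior search/match does not raise the record above MINIMAL."""
    level = Assurance.NONE
    for candidate in (Assurance.MINIMAL, Assurance.MATCHED, Assurance.VERIFIED):
        if not REQUIRED_EVIDENCE[candidate] <= evidence:
            break
        level = candidate
    return level


def may_provision(evidence: set, use: str) -> bool:
    """Identity-first gate: provision an account for a use only when the record's
    assurance meets that use's minimum level. Unknown uses are denied."""
    required = MIN_LEVEL_FOR_USE.get(use)
    return required is not None and assurance_level(evidence) >= required
```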

Page 39

PSU Gartner ITScore for IAM in 2020

Time for community collaboration

Page 40

Page 41

Building an IAM Program at Portland State University

PRESENTED BY: Jessica Coltrin, Associate Director, Portland State University
Ryan Bass, Associate CIO, Portland State University

Questions and Discussion

© 2018 Internet2