Addressing Business Processes: Customer Needs and Choosing the First Applications

Jack Suess, CIO, UMBC [email protected] http://umbc.edu/~jack/

Copyright Jack Suess 2003. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

Base CAMP - February 5-7, 2003 2

What I Will Discuss

– The business factors driving this initiative

– The directory development team and process

– Development and deployment of new applications using the directory service

– Creation of a single sign on web authenticator

– Future directory plans at UMBC

– Applying the lessons learned - how to jumpstart a directory project

– Questions


UMBC Institutional Profile

• University of Maryland, Baltimore County.

– Established 1966. Enrollment is 11,500

– Carnegie designation of Research/Extensive

– Centralized administration and IT services with strong faculty governance structure

– Heavy IT emphasis, about 25% of students in IT related majors.

– Locally developed SIS and HR systems but now implementing Peoplesoft.


Business Factors UMBC Needed to Address - Fall 1999

– Finishing up with Y2K.

– UMBC decided we would begin discussions to replace our SIS, HR and Finance systems.

– UMBC started two online graduate programs and began planning for a third program. We needed to add more web-based self-service applications, especially account generation.


Business Factors - Continued - Fall 1999

– We had successfully deployed our web portal, myUMBC, and were getting requests to extend it to alumni, parents, and prospective students.

– Fall 1999, we saw WebCT usage plateau; discussions with faculty pointed at need to make it “easier” to use course tools.

• Eliminate faculty handling of student account problems

• Make it easier to “enroll” students

• Eliminate the need to know HTML


Business Requirements

– Applications needed 7x24 access

– The indecision over our SIS/HR plans made using those systems directly a mistake.

– We needed to reduce transactions on our overloaded administrative systems.

– We had reorganized support services and made our Helpdesk the focal point. We needed to empower them with ability to manage basic account functions.

– To support alumni we needed to expand authentication services beyond solely using Kerberos


Why Deploy an Enterprise Directory

• Hype - Directories were hot technologies in 1999, though not necessarily mature.

• UMBC has a large Unix infrastructure and significant Unix development experience

• We didn’t want the complexity or cost associated with using a DBMS

• We wanted to solve this in a way that would allow us to collaborate with other schools.


Getting Started - January 2000

– I2 was beginning to focus on the problem of middleware; I saw this as an opportunity for UMBC to be engaged in I2.

– I2 was soliciting schools to participate in an Early Adopters program and UMBC applied.

– I was the initial project sponsor for middleware at UMBC.

– In January 2000 we created our middleware project team


Directory Project Team Created - January 2000

– Worked closely with Internet2 Middleware group

– A technical lead was identified and the project team created.

• Members represented all areas of IT

• I needed to get the team understanding what was meant by directory services

• Sharp differences on team over what directory platform to use

• I2 middleware group was very helpful in framing issues for consideration


Directory Development - Engaging Non-IT Staff

– I met privately with our Vice Provost for Academic Affairs and CFO to discuss the project and get their support

– I worked through our IT Steering committee and discussed the project in terms of the business factors, not technology.

– In hindsight we should have done a better job broadly communicating this to the campus.


Selecting a Directory Product

– This became contentious - we looked at NDS, AD, Innosoft, iPlanet and Oracle

– Our process looked at initial cost, cost per entry, API, scalability, and availability.

– We had concerns about directory products tied too closely to network LAN products.

– iPlanet had the best product but cost was a concern. Opportunity struck - we purchased Innosoft - iPlanet then bought the company and transitioned customers over to iPlanet :-)


Defining Data Access Strategy

– We initially focused on data needed for whitepages and account management.

– We negotiated read access to SIS and HR.

– Updates to demographic data would be done through our portal, myUMBC.

– Where duplicate data exists in HR/SIS we used most recent entry as “current”

– Broad IT support was critical here; we needed input from our analysts and DBAs to fully understand what data was needed and get database triggers defined.


Defining Data Update Strategy

– Goal for account generation was that a PT student could register that day and get an account within 30 minutes.

– We discussed merits of real-time, near real-time, and batch updates of directory.

• Realtime - triggers between DBMS tables

• Near realtime - triggers generate a changelog queue

• Batch - extract and update periodically

– Selected near realtime to meet our goal for account generation but lessen dependencies
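
Added example (not from the original slides, and written in Python rather than the perl the team used): the near-realtime option, where database triggers only append to a changelog queue and a separate poller applies the queued changes to the directory. The table and column names, the sample record and the dict standing in for LDAP are assumptions.

```python
import sqlite3

SCHEMA = """
CREATE TABLE person (campus_id TEXT PRIMARY KEY, name TEXT, status TEXT);
CREATE TABLE changelog (seq INTEGER PRIMARY KEY AUTOINCREMENT,
                        campus_id TEXT, op TEXT);  -- op is kept for audit only
CREATE TRIGGER person_ins AFTER INSERT ON person BEGIN
  INSERT INTO changelog (campus_id, op) VALUES (NEW.campus_id, 'upsert'); END;
CREATE TRIGGER person_upd AFTER UPDATE ON person BEGIN
  INSERT INTO changelog (campus_id, op) VALUES (NEW.campus_id, 'upsert'); END;
CREATE TRIGGER person_del AFTER DELETE ON person BEGIN
  INSERT INTO changelog (campus_id, op) VALUES (OLD.campus_id, 'delete'); END;
"""

def build_source():
    """Constructed stand-in for an SIS/HR table; schema is an assumption."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def drain(db, directory, last_seq=0):
    """Apply changes queued after last_seq to `directory` (a dict standing in
    for LDAP). The queue carries only keys and the current row is re-read, so
    replaying old entries is harmless. Returns the last sequence applied."""
    rows = db.execute("SELECT seq, campus_id FROM changelog "
                      "WHERE seq > ? ORDER BY seq", (last_seq,)).fetchall()
    for seq, campus_id in rows:
        row = db.execute("SELECT name, status FROM person WHERE campus_id = ?",
                         (campus_id,)).fetchone()
        if row is None:
            directory.pop(campus_id, None)      # source row gone: deprovision
        else:
            directory[campus_id] = {"cn": row[0], "status": row[1]}
        last_seq = seq
    return last_seq

if __name__ == "__main__":
    db, ldap = build_source(), {}
    db.execute("INSERT INTO person VALUES ('AB12345', 'Pat Student', 'applicant')")
    db.execute("UPDATE person SET status = 'enrolled' WHERE campus_id = 'AB12345'")
    mark = drain(db, ldap)      # the source writes never waited on the directory
    print(mark, ldap)
    db.execute("DELETE FROM person WHERE campus_id = 'AB12345'")
    print(drain(db, ldap, mark), ldap)
```

The poll interval sets the provisioning delay, and a directory outage only lets the queue grow instead of failing the source transaction.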


UMBC Directory Architecture

[Architecture diagram. Labels that survive: SIS (HP MPE); SIS Mirror; HR System; User Input; Oracle DB; Metadirectory Processes (perl); LDAP Directory (iPlanet 4.1x); two Replica boxes; Public LDAP (Whitepages) (SunOne DS5); Authentication Service (MIT K5); Directory Management Applications; Outgoing Connectors (perl); To Consumers: Radius, WebAuth, PeopleSoft, etc.; UNIX Systems, Win2K Labs, AFS; Email Clients; Email Routing.]


Directory Development Team - March 2000

• 1 full-time directory architect

• 1 directory programmer (.75)

• PT access to an Oracle DBA (<.25)

• PT access to SIS and HR analysts (<.25)

• Allocated $75,000 in startup funding


Development and Deployment - Phase 1

– Phase 1 – Generate new web-based account management system, go live August 2000

– Decided to load all students in SIS who have ever applied to UMBC to date, ~275000. This was a mistake; we should have limited it to active members only.

– Challenge was how to provide different levels of access to the directory without complex ACLs and grant this access to other web services.

– We created a service we call webauth, which is similar to Shibboleth’s pubcookie.


Development of Webauth

– Goal was to provide a web-based single sign on (WebISO) that can authenticate across any web-based application.

• In summer 2000, nothing had been released that did this. We modeled our approach on Kerberos and each web service has a unique service ticket

• Created apache module

• Created Java and Perl interfaces

– Available upon request but I would strongly suggest you consider I2’s Pubcookie.


UMBC Directory Applications - Webadmin

• Created Webadmin, a web-based tool for accessing the directory, released 8/2000

– Allows delegation of control over different functions to groups or people based on roles and needs. Helpdesk group can now reset passwords and quotas.

– Self-service - students can now select username and password, create email aliases, and forward mail without coming onto campus

– Mistake - the user interface could have been better


Delegating Authority - Fall 2000

Goal - Let Helpdesk immediately handle basic account tasks on behalf of users without root access

– Store user preferences in LDAP as attributes, wrote LDAP interface to Unix systems

– Users must use Webadmin to update account

– Helpdesk can reset passwords, quota, set forwarding address, and Unix preferences.

– Fall 2000, delegation horror story. Student working Helpdesk stole class project from another student


Directory Based Updates

[Architecture diagram. Labels that survive: SIS (HP MPE); SIS Mirror; HR System; User Input; Oracle DB; Metadirectory Processes (perl); LDAP Directory (iPlanet 4.1x); two Replica boxes; Public LDAP (Whitepages) (SunOne DS5); Authentication Service (MIT K5); Directory Management Applications; Outgoing Connectors (perl); To Consumers: Radius, WebAuth, PeopleSoft, etc.; UNIX Systems, Win2K Labs, AFS; Email Clients; Email Routing; CMS (Blackboard 5); Helpdesk (Remedy); UNIX Accounts (NIS); Windows (Active Directory); Student Admin. Email Table.]


Extending Webauth to 3rd Parties - Spring 2002

– Spring 2002 - provided linkage to one-card vendor (DieBold/JSA) for eCommerce. We provide a link from our portal to our JSA.

– We provided JSA with a webauth service ticket for their server and webauth client code to request validated campus-id when presenting a webauth cookie.

– I’d love to do this with other 3rd Parties such as Sallie Mae Solutions
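
Added example (not UMBC's webauth code): a sketch of the Kerberos-style arrangement described here and on the Development of Webauth slide, in which each web service holds its own credential and must present it together with the user's cookie to get back a validated campus-id. The slides do not give the message layout, so the HMAC request format, the class and function names, and the sample ids are all assumptions; transport over TLS is assumed.

```python
import hashlib
import hmac
import secrets
import time

def sign_request(service_key, service, cookie):
    """Client code run by the service: prove possession of its own credential."""
    msg = service.encode() + b"\x00" + cookie.encode()
    return hmac.new(service_key, msg, hashlib.sha256).hexdigest()

class WebAuthServer:
    """Hypothetical central authenticator; a sketch, not UMBC's webauth."""
    def __init__(self, session_ttl=3600):
        self.service_keys = {}   # service name -> that service's unique secret
        self.sessions = {}       # opaque cookie -> (campus_id, expiry time)
        self.session_ttl = session_ttl

    def register_service(self, name):
        """Issue a credential to one web service, e.g. a third-party vendor."""
        self.service_keys[name] = secrets.token_bytes(32)
        return self.service_keys[name]

    def revoke_service(self, name):
        """Cut off one service without touching users or other services."""
        self.service_keys.pop(name, None)

    def login(self, campus_id, now=None):
        """Called once primary authentication has succeeded; returns the cookie."""
        now = time.time() if now is None else now
        cookie = secrets.token_urlsafe(32)
        self.sessions[cookie] = (campus_id, now + self.session_ttl)
        return cookie

    def validate(self, service, cookie, proof, now=None):
        """Release the campus-id only to a registered service holding its key."""
        now = time.time() if now is None else now
        key = self.service_keys.get(service)
        if key is None:
            return None
        expected = sign_request(key, service, cookie)
        if not hmac.compare_digest(expected, proof):
            return None
        campus_id, expiry = self.sessions.get(cookie, (None, 0))
        if campus_id is None or expiry <= now:
            self.sessions.pop(cookie, None)   # drop expired sessions
            return None
        return campus_id
```

Because the cookie is opaque, a third party learns nothing from it until the server validates the request, and revoking one service's credential leaves every other service working.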


Blackboard Course Auto-Enroll - Summer 2002

– Added course containers to LDAP that track enrollments to courses (add/drop)

– Wrote a Java servlet for Blackboard that is updated by LDAP connector

– Fall 2002 students are auto-registered into their Blackboard course.

– We use course containers for other services like limiting lab access to students in particular courses, mailing lists, etc.


VPN Access

• Fall 2002 Goal - Rollout VPN services in fall to secure wireless and provide remote access to administrative applications

• Driven through LDAP group membership

– Due to limitations in the VPN, users can only be in one group, so we had to be creative in how we defined groups to meet needs of different users.

– Most users are automatically defined into a group but some people have to be managed manually


Short Term Plans AY 2002-2003

• The following are project proposals under consideration

– Peoplesoft 8.0 integration with LDAP

– Automated account deletion/deactivation

– OS/X Netinfo and Novell 6 integration

– Shibboleth

– Alumni access

– PKI


Shibboleth

• Shibboleth provides inter-institutional authorization service where the person controls what information is released to whom.

• We will be demonstrating this to our USM library directors in the fall as a possible solution for inter-campus (USM) access to library databases.

• We hope to have webauth working with Shibboleth sometime this fall


Results

– After Kerberos and DNS, the directory service has been our most reliable service, at least 99.99% uptime.

– These self-service applications have revamped the way we support users and the services we provide.

– Automated Blackboard connections were well received by faculty.

– Using a directory allowed us to utilize our institutional data in an academic context. The staff that did this would never be able to directly access and update our legacy SIS tables.


Lessons Learned

1. CIO leadership is important

2. Building support for the project inside and outside of IT is critical

3. This will be a new service that must be continually supported.

4. Managing expectations is important

5. The benefits exceed the costs

6. Don’t reinvent the wheel


NMI-EDIT Consortium

• Funded out of the NSF Middleware Initiative (NMI)

• Enterprise and Desktop Integration Technologies Consortium

– Internet2 – primary on grant and research

– EDUCAUSE – primary on outreach

– Southeastern Universities Research Association (SURA) – primary on NMI Integration Testbed

• Higher-ed, government, corporate, research, and international participation


NMI-EDIT: Goals

• Much as at the network layer, create a ubiquitous common, persistent and robust core middleware infrastructure for the R&E community

• In support of inter-institutional and inter-realm collaborations, provide tools and services (e.g. registries, bridge PKI components, root directories) as required


NMI-EDIT: Core Middleware Scope

• Identity and Identifiers – namespaces, identifier crosswalks, real world levels of assurance

• Authentication – campus technologies and policies, inter-realm interoperability via PKI, Kerberos

• Directories – enterprise directory services architectures and tools, standard object classes, inter-realm and registry services

• Authorization – permissions and access controls, delegation, privacy management

• Integration Activities – common management tools, use of virtual, federated and hierarchical organizations


Enterprise Middleware Educational Opportunities

• NMI-EDIT Workshops

• Pre-conference Seminars and track sessions at EDUCAUSE Regional Meetings

• Campus Architectural Middleware Planning Workshops

– Base CAMP, Tempe AZ, 4-7 February 2003

• CIO and Technical staff

• Getting started topics

• http://www.educause.edu/conference/nmi/camp031/

– Advanced CAMP – July 2003

• Highly technical

• Research topics


On-line Resources Available

• Introductory Documents

– Sample Middleware Business Case and corresponding Writer’s Guide

– Identifiers, Authentication, and Directories: Best Practices for Higher Education

– Identifier Mapping Templates and Campus Examples

– And more….

• See resources page of www.nmi-edit.org


Websites and Email Lists

• Websites

– middleware.internet2.edu - middleware research activities

– www.nsf-middleware.org – NSF Middleware Initiative Site

– www.nmi-edit.org – introduction to middleware and implementation assistance

• Middleware discussion/announcement lists

– [email protected] – Internet2 and NMI-EDIT announcements of events and resources

– [email protected] – Discussion topics related to middleware

– NMI lists (see Participation page on www.nsf-middleware.org) – NMI project announcements, discussion, and information

• For more information, contact Ann West [email protected]


Questions and Discussion
