How InCommon Academy is Supporting IAM Infrastructure Modernization at Illinois State University
By Amber Rasche - Senior Communications Specialist, Internet2
Majeed Abu-Qulbain, Senior Enterprise Architect at Illinois State University, is an alumnus of the InCommon Academy’s Collaboration Success Program and Trusted Access Platform training. In this Q&A, Majeed discusses how InCommon Academy is supporting his team’s efforts to standardize and streamline identity and access management (IAM), ultimately to solve challenges and better serve their university community.
Did you know? Grouper School kicked off this week, but registration is still open for our fall 2021 workshops on COmanage, Shibboleth, and midPoint.
Tell us about your role at Illinois State University and what led you to enroll in the InCommon Academy.
In my role as a senior enterprise architect at Illinois State University, I work across operational and leadership teams to help develop, validate, and communicate future state architectures. My focus is especially in the domains of infrastructure, IAM, and DevOps.
A team of us from the university’s Office of Technology Solutions signed up for the 2020-21 InCommon Collaboration Success Program. Our goal was to develop future state architectures to replace the underlying technologies that currently support the university’s identity management and web-based SSO processes.
Training-wise, we initially focused on Shibboleth and midPoint. However, after seeing many great examples of Grouper use cases during midPoint training, we decided to dive into Grouper School too. We wanted to better understand how we might leverage Grouper’s capabilities in our future state IAM architecture—and whether it would be best to start with Grouper now or add it in a later phase.
What specific IAM challenges was your team facing at the time?
There were three main IAM needs we were focused on, for which Grouper, in particular, came to light as a much-needed solution.
The first was addressing fragmented group management processes. Initially, Grouper was viewed as the likely successor to our homegrown web-based LDAP group management tool. And ultimately we decided to use Grouper to manage groups in both of our directories—AD and LDAP—instead of only managing LDAP groups as the current tool does.
The second was reducing our number of point-to-point, custom IAM-related integrations. We needed a consolidated web-based tool for managing all ad hoc groups. We also wanted to have Grouper take over all management of automated institutional affiliations and roles that drive IAM provisioning, as well as specific application security groups and attribute-based entitlements.
Grouper allows us to move the management and administration of several of these IAM-related integrations from our integration development team to our dedicated IAM team, as Grouper delivers much of the logic these integrations require. We love our developers, have a great relationship with them, and depend on them for many self-service and other IAM components—but we believe Grouper will help reduce the amount of code they need to manage and give them some bandwidth back to focus on other important things.
The third was advancing our goals to standardize and streamline access management. While several applications and services leverage access control based on directory groups, many applications handle all of that internally, which leads to onboarding and offboarding inaccuracies. We believe that Grouper can be a huge help in centralizing a lot of this logic in a standard location where access—both role- and attribute-based—can be automated and audited in an efficient manner.
How has your experience and takeaways from Grouper School helped you address those IAM needs?
There were so many takeaways that it’s difficult to discuss all of them! Below are just a few examples of Grouper features that we learned about in training and are currently working to implement as part of our future IAM architecture:
- Loader jobs for several institutional affiliations, as well as application integrations from our source student and HR systems. More source systems are on the radar for the future.
- Composite groups or “Group Math” to handle many use cases, such as identifying primary affiliations and other application policy groups.
- Minimum retention thresholds for groups to help prevent accidental mass removals, whether due to system or data issues.
- “Recent Membership” functionality that allows us to add a buffer period so that, when a user is dropped from a group/access policy, there is a slight and configurable delay in that user’s actual loss of access (with appropriate overrides in place).
Other takeaways included DevOps deployment methods, right-sizing a Grouper deployment, and understanding the different configuration management methods Grouper supports. There were also several architectural takeaways that led us to use Grouper alongside midPoint, instead of using midPoint alone, for a more feature-rich and modernized IAM foundation that we can build on going forward.
Is there anything else you’d like to share about your experiences with the InCommon Academy and Grouper School?
Chris Hyzer and Chad Redman, who led the Grouper training workshops, are really great! Because they are Grouper developers, they know the product inside and out. And, beyond just discussing complex topics, they are able to quickly dive in and demonstrate them.
Both instructors take time to deep-dive into any questions students have, even when the questions get a bit “into the weeds.” They are also able to take questions and problems that students want to solve at their own institutions and discuss how they have already implemented solutions using Grouper—from general IAM challenges to specific Grouper deployment or upgrade issues.
Interested in experiencing the InCommon Academy first-hand? There’s still time to sign up for fall 2021 workshops on COmanage, Shibboleth, and midPoint.
- ICYMI: From Onboarding to Upskilling, InCommon Academy Can Meet Your Team’s IAM Training Needs
- Questions? Please visit our website for more details or email firstname.lastname@example.org.