[midPoint] Use in higher education?

Richard Frovarp richard.frovarp at ndsu.edu
Thu Feb 18 23:15:33 CET 2016


I am evaluating open source IAM solutions for use at my institution. We 
are currently running a custom-engineered solution that, while it 
handles most of what we want, only a couple of us are familiar with. 
I'm hoping to get more capability, and better ease of use, by switching 
to an open source solution.

We have around 40,000 active accounts, plus several thousand more for 
another institution that we provide some IAM services for.

Our current solution has evolved over the 20+ years since we first 
started doing IDM. We tie pretty much everything we can into IAM. We are 
doing the standard O365, Google Apps, and AD, plus of course our LMS. 
We're also pushing data to the library system, the clinic, the gym, and 
the system that lets students check out bikes for 30 minutes at a time 
on campus and in town. That last one also has to pull card data from the 
card system. Going the other way we provision printing allocation to the 
card system each semester. I have vendors that need flat files via scp 
or SFTP, or via web services. I have connectors running in Java, Perl, 
PowerShell, and Go. The current solution relies on sending JSON messages 
via RabbitMQ, which works very well. If RabbitMQ is down, the changes 
are attempted to be pushed at a later time. If the end points are down, 
they just check in with RabbitMQ at a later point. I also have some 
services such as Office 365, that when it is provisioned, it triggers a 
modify in AD, and in Java which uses Graph after a DirSync is run. The 
Java then pushes off new messages that are run in PowerShell against 
mailboxes.

My question is how much of my need can be met by midPoint? I understand 
that it is a provisioning engine, which is what I'm after. Our self 
service needs are unique enough that this functionality would remain a 
separate system.

How painful is it to have a large number of attributes on a user? I see 
in the demo how a couple were added. To start tracking everything, I'm 
going to need a lot more. As noted in the comparison, academia doesn't 
have clean organizational units.

Is there any sensible way to store something like course registrations 
in the system? I'm guessing that I'll still need to manage that 
separately for the systems that need that information and/or to make 
decisions off of that information.

It's not immediately obvious to me how hard it is to write a connector 
that operates asynchronously. The RabbitMQ model works quite well for 
us, and it would be quickest and easiest to move those over as is 
until time permits new options to be developed. For some of them doing 
PowerShell, there might not be good other options anyway.

How does it handle username changes? The connectors would need to know 
what the old username was, and what the new one will be so they can find 
and update the username in the remote system.

We also need to keep track of training / terms of service usage that 
needs to be renewed. This then drives access to other systems. I'm 
guessing that we could implement that via assignments with expiration 
dates that are then used as dependencies for other services?

Thank you in advance for any information that is provided. It looks like 
a good product, it's just that higher education presents some very 
unique challenges.

Thanks,

Richard


