[midPoint] Use in higher education?

Jason Everling jeverling at bshp.edu
Fri Feb 19 15:30:25 CET 2016


We have been using midPoint in production here at our school for about 6 months
now. For someone like myself, coming from having no knowledge of an IDM
system nor much of Java, I was able to get it deployed. I did, though, ask a
lot of questions through this mailing list, and everyone was very helpful.

"We are doing the standard O365, Google Apps, and AD, plus of course our
LMS." This is our exact setup right now, and we use PowerShell to connect to
the Graph API to assign the O365 licenses. There is a connector that can
do this, but since we already had it running I did not have the time to
re-write our process.

I just recently added another flat-file resource, and then a script on the
server sends the file to our campus alert system (Everbridge Mass
Notification) to update any changed records. I was doing this manually
before on my PC, and now it is automated, which is really nice, so I am sure
the others you need could be done: "vendors that need flat files via scp or
SFTP, or via web services."

We also have a separate self-service system, and I plan to keep it that way,
since midPoint is a provisioning system and it does that very well.

As for username changes, we do those manually at the request of the person
if they really need a different username; we do not change usernames just
because they got married unless it is an extreme circumstance and the
person really hates seeing that name. You can create a new custom attribute,
like we did, that maps from the username and stores the original; it would be
<weak> in midPoint terms.

We have about 15 additional attributes; I don't think that having more will
have any effect on the system. We also have the midPoint org structure
set up just like our LDAP org structure. Hopefully sometime soon we will
have another org structure in midPoint that will be used to map courses to
LDAP groups; we are currently trying to find the money to have this done for us,
since I do not have the time. We do have the person's courses, though, synced
to custom attributes in midPoint, which could then be used for many things.

Any other questions, just ask. As for the async connectors, one of the
devs would have to answer that, as we are using all the standard connectors.

Thanks!
JASON
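
As an added illustration of the weak mapping Jason describes (not configuration from his deployment or from the midPoint project), the fragments below declare a custom user extension attribute and an object-template mapping that copies the username into it with weak strength, so the value is written once and kept through later renames. The extension namespace, the attribute name `originalUsername`, the type name and the oid are placeholders chosen for this example.

```xml
<!-- 1) Schema extension (e.g. a .xsd file in midPoint's schema directory) declaring the
     custom attribute. Namespace, type name and attribute name are placeholders. -->
<xsd:schema elementFormDefault="qualified"
            targetNamespace="http://example.com/xml/ns/midpoint/extension"
            xmlns:xsd="http://www.w3.org/2001/XMLSchema"
            xmlns:a="http://prism.evolveum.com/xml/ns/public/annotation-3"
            xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
    <xsd:complexType name="UserExtensionType">
        <xsd:annotation>
            <xsd:appinfo>
                <a:extension ref="c:UserType"/>   <!-- attach this type to user objects -->
            </xsd:appinfo>
        </xsd:annotation>
        <xsd:sequence>
            <!-- single-valued, optional: the username as it was first assigned -->
            <xsd:element name="originalUsername" type="xsd:string"
                         minOccurs="0" maxOccurs="1"/>
        </xsd:sequence>
    </xsd:complexType>
</xsd:schema>

<!-- 2) Object template mapping: name -> extension/originalUsername.
     strength=weak means the mapping only fills the target while it has no value,
     so a later change of 'name' leaves originalUsername as it was. The oid below
     is a placeholder. -->
<objectTemplate xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
                xmlns:ext="http://example.com/xml/ns/midpoint/extension"
                oid="00000000-0000-0000-0000-000000000001">
    <name>User Template</name>
    <mapping>
        <name>keep-original-username</name>
        <strength>weak</strength>
        <source>
            <path>name</path>
        </source>
        <target>
            <path>extension/ext:originalUsername</path>
        </target>
    </mapping>
</objectTemplate>
```

Because the mapping is weak, connectors that need the pre-rename identifier can read `extension/originalUsername` rather than relying on the current `name`.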


On Thu, Feb 18, 2016 at 4:15 PM, Richard Frovarp <richard.frovarp at ndsu.edu>
wrote:

> I am evaluating open source IAM solutions for use at my institution. We
> are currently running a custom-engineered solution that, while it handles
> most of what we want, only a couple of us are familiar with. I'm hoping
> to get more capability, and better ease of use, by switching to an open
> source solution.
>
> We have around 40,000 active accounts, plus several thousand more for
> another institution that we provide some IAM services for.
>
> Our current solution has evolved over the 20+ years since we first started
> doing IDM. We tie pretty much everything we can into IAM. We are doing the
> standard O365, Google Apps, and AD, plus of course our LMS. We're also
> pushing data to the library system, the clinic, the gym, and the system
> that lets students check out bikes for 30 minutes at a time on campus and
> in town. That last one also has to pull card data from the card system.
> Going the other way, we provision printing allocation to the card system
> each semester. I have vendors that need flat files via scp or SFTP, or via
> web services. I have connectors running in Java, Perl, PowerShell, and Go.
> The current solution relies on sending JSON messages via RabbitMQ, which
> works very well. If RabbitMQ is down, the push of the changes is attempted
> again at a later time. If the end points are down, they just check in with
> RabbitMQ at a later point. I also have some services, such as Office 365,
> where provisioning triggers a modify in AD, and then Java code that
> uses Graph after a DirSync is run. The Java then pushes off new messages
> that are run in PowerShell against mailboxes.
>
> My question is how much of my need can be met by midPoint? I understand
> that it is a provisioning engine, which is what I'm after. Our self service
> needs are unique enough that this functionality would remain a separate
> system.
>
> How painful is it to have a large number of attributes on a user? I see in
> the demo how a couple were added. To start tracking everything, I'm going
> to need a lot more. As noted in the comparison, academia doesn't have clean
> organizational units.
>
> Is there any sensible way to store something like course registrations in
> the system? I'm guessing that I'll still need to manage that separately for
> the systems that need that information and/or to make decisions off of that
> information.
>
> It's not immediately obvious to me: how hard is it to write a connector
> that operates asynchronously? The RabbitMQ model works quite well for us,
> and it would be quickest and easiest to move those over as is until time
> permits new options to be developed. For some of them doing PowerShell,
> there might not be other good options anyway.
>
> How does it handle username changes? The connectors would need to know
> what the old username was, and what the new one will be so they can find
> and update the username in the remote system.
>
> We also need to keep track of training / terms of service usage that needs
> to be renewed. This then drives access to other systems. I'm guessing that
> we could implement that via assignments with expiration dates that are then
> used as dependencies for other services?
>
> Thank you in advance for any information that is provided. It looks like a
> good product, it's just that higher education presents some very unique
> challenges.
>
> Thanks,
>
> Richard
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
>
