Project Spotlight

Northern Arizona U Cleans House, Boosts Performance with New Identity Management System

• By Leila Meyer
• 03/12/15

Northern Arizona University has recently replaced its aging identity management system that authenticates and authorizes 180,000 users of everything from e-mail to the ERP system, and in the process it has consolidated resources, brought its data into strict standards compliance and boosted processing speed.

Rising licensing costs for the university's legacy system led administrators to investigate new options. "Instead of playing ostrich, we decided to poke around and see what else was out there," said Summer Steddom, software systems engineer team lead for Information Technology Services at NAU.

Evaluating the Options

The IT team had three main requirements for a new system. First, it needed a change log that tracks every single change to the directory and supports querying. According to Steddom, a lot of systems don't offer that feature or don't have it implemented well. The second requirement was a strong command line interface to the back end. "We do a lot of programmatic work, with scripts for installation and reconfiguration. It can't be done via a Web page," said Steddom. The third requirement was that it had to fit within the university's cost structure.

As required by Arizona law, the university evaluated several options, including Oracle Unified Directory, 389 Directory Server and UnboundID. According to Steddom, 389 Directory Server was "pretty full-featured but didn't have all of the bells and whistles." Oracle Unified Directory did have all of the bells and whistles, "but it was a pain to do server administration and configuration of their product," said Steddom.

UnboundID became a real contender, and the team conducted a hands-on test of the system. It met NAU's list of requirements, and Steddom was impressed by its command line interface. While some identity management systems focus on a Web interface, "UnboundID went the other way and embraced the command line — and then they wrote up the Web page interface on top of that," said Steddom. "It was nice that the roots were really for the systems administrators for enterprise class administration, and its home is on the command line, not the Web page."

Steddom was so impressed by the hands-on test of UnboundID that she expected it to be very expensive. "But it didn't turn out to actually be that way. It was extremely competitive, so we were able to make the switch," she said.

Implementing UnboundID

UnboundID has its roots in the Sun Directory Server open source project, which was later acquired by Oracle. UnboundID started with the open source code of Sun Directory Server and then added to it and modified it. Since UnboundID grew out of the same source as NAU's previous identity management system (Oracle Directory Server Enterprise Edition), it "felt like home," said Steddom. "We understood what it was doing and how to work with it right out of the gate, so it didn't really feel so much like a new product so much as a tools enhancement or feature enhancement upgrade."

The implementation process involved migrating the university's data. An unintended benefit of the process was that UnboundID's migration tool checked the data for standards compliance, and the team discovered that NAU's data wasn't as compliant as they had previously thought. "We didn't realize how far out of compliance we were," said Steddom. "We thought we had done an amazing job in the past, and we really had a lot of holes poked in our ego there."

They used the migration tool as a checklist of compliance issues, and then they worked with the stakeholders who were the stewards of each of the pieces of data to bring them into compliance. The process took NAU's tiny IT team several months to complete simply because it took so long to coordinate all of the various stakeholders on campus to be standards compliant. As the data was cleaned up, Steddom's team imported it into the production system. If that process of bringing the data into compliance had not been necessary, Steddom thinks the implementation would have taken only a couple of weeks, even with such a small team. However, she's happy that they were able to bring their data into compliance and sees it as an unintended benefit of the implementation.

Results

Once the system went into production, Steddom's team launched a second project to figure out how they could streamline it. "We were able to get rid of about six instances of the directory in different clusters because we didn't need the old legacy-style highly available cluster," she said. "So we were able to get rid of some server hardware and we were able to consolidate several instances into a couple of larger instances."

The new system went live in September 2014, and Steddom is pleased with the results. "It was a lot less to support in terms of hardware, so a lot less memory, a lot smaller footprint, a lot less disk, and it's a lot faster," she said. "It's 10 times faster running the same business rules against the same data set configured the same way using fewer hardware resources. At first we thought we had something misconfigured, but no, in fact it is just that much faster."