TIER Adopter Profile: Lafayette College
Trust and Identity in Education and Research (TIER) is a community-driven effort and response to the need for a comprehensive suite of identity services tools and software, as well as consistent campus identity practices. In 2015, 49 colleges and universities made a three-year financial commitment for the TIER start-up. We checked in with one investor campus about their implementation experience.
- Lafayette is currently running all three TIER components: COmanage, Grouper and Shibboleth
- COmanage is addressing operational gaps in the identity management system
- Plans to lead a Consortium of Liberal Arts Colleges (CLAC) work group on Grouper
Lafayette College is a small liberal arts college in Easton, Penn., with a predominantly residential undergraduate student population. Like most institutions, identity and access management at Lafayette has to manage a complicated digital identity lifecycle for its students, faculty, staff, and short-term affiliates. The digital infrastructure department at Lafayette already has a custom identity management system (IdMS) that relies on web-based forms to help with onboarding faculty and staff. However, operational gaps related to affiliates, including requesting accounts, terminating access, and managing the overall digital identity lifecycle, became evident.
The human resources department commonly needs to authorize access for people who are not Lafayette employees, yet affiliates were onboarded with a procedure much like the one used to authorize account creation for employees. This required that sensitive personally identifiable information (PII) be added to Banner to generate a Banner ID number for the purpose of identity matching. There were two main deficiencies in this process: collecting this information wasn’t appropriate for an affiliate, and Lafayette’s custom IdMS required an explicit notification of termination in order to de-provision access. The procedure for affiliates recorded an end date prior to onboarding, but no process was in place to terminate access when that stored date arrived.
“The switch to COmanage closes the operational gap we had with respect to managing and tracking sponsored accounts, which are typically transiently affiliated with the College, independent of our custom IdMS that manages employees,” said Janemarie Duh, identity management systems architect at Lafayette. Typical use cases for Lafayette include the provisioning of a NetID and access for a consultant, for external reviewers of academic departments who are faculty members at peer institutions, and for people employed by an outsourced dining services company who need access to services.
COmanage serves as a person registry that collects and stores affiliate information for use by integrated services. It provisions to Lightweight Directory Access Protocol (LDAP) and sends notices to enrollees, allows expiration dates to be set on identity records, sends automated expiration notices, and makes it easy to handle requests for renewals. For Lafayette’s identity and access management team, COmanage delivers three key benefits:
- It ensures that each account sponsored by a Lafayette employee has a Banner ID number for the purpose of identity matching.
- It ensures that there is a known and tracked campus representative for each enrollee.
- It allows identity and access management to manage the entire identity lifecycle of affiliates.
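As an added illustration (not COmanage's or Lafayette's code), the lifecycle the post describes can be sketched in a few lines: a stored end date and a tracked sponsor on each record, reminders ahead of expiry, expiration-driven de-provisioning, renewal, and an audit that finds the very gap the old process left open. The record fields, the reminder schedule and the sample enrollees are hypothetical.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

REMINDER_DAYS = (30, 7)  # hypothetical: remind the sponsor 30 and 7 days before expiry


@dataclass
class Affiliate:
    netid: str
    sponsor: str          # campus employee accountable for this enrollee
    valid_through: date   # end date stored on the identity record at onboarding
    active: bool = True
    notices: list = field(default_factory=list)


def expiration_job(records, today):
    """Daily job: remind before expiry, de-provision after it.

    Returns the netids de-provisioned on this run. In a real deployment
    setting active=False would disable the LDAP entry and drop group memberships.
    """
    removed = []
    for rec in records:
        if not rec.active:
            continue
        days_left = (rec.valid_through - today).days
        if days_left < 0:
            rec.active = False
            removed.append(rec.netid)
        elif days_left in REMINDER_DAYS:
            rec.notices.append((today, rec.sponsor, days_left))
    return removed


def renew(rec, sponsor, new_end, today):
    """A renewal must name a current sponsor and move the end date into the future."""
    if new_end <= today:
        raise ValueError("renewal must extend the end date into the future")
    rec.sponsor, rec.valid_through, rec.active = sponsor, new_end, True


def stale_access(records, today):
    """Audit: accounts still active past their stored end date, i.e. the gap
    that existed when a date was recorded but nothing acted on it."""
    return [r.netid for r in records if r.active and r.valid_through < today]


# Constructed sample data: a consultant, an external reviewer, a dining contractor
TODAY = date(2018, 6, 1)
RECORDS = [
    Affiliate("consult01", "jdoe", TODAY + timedelta(days=30)),
    Affiliate("review02", "asmith", TODAY - timedelta(days=1)),
    Affiliate("dining03", "bjones", TODAY + timedelta(days=200)),
]
```

Running `stale_access` before the job reports the reviewer whose end date has passed but who is still active; after `expiration_job` runs that account is de-provisioned and the sponsor of the consultant receives the 30-day reminder.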
COmanage, Grouper and the Shibboleth IdP are the key components of the TIER software suite. The identity and access management team at Lafayette runs each of these software packages independently, but plans to migrate to the TIER versions, which are delivered with some pre-configuration in packaged containers.
“We recently started using Grouper to manage access policies based on reference groups and plan on deploying the Shibboleth IdP package in the next six to eight months,” said Bill Thompson, director of digital infrastructure. “The first steps will be to evaluate if the production release is a fit with our infrastructure. We are not doing Docker yet, but we may commit to deploying it in Docker in some way using the TIER component or in another way that fits our needs and contributing that work back to TIER.”
Lafayette has participated in the TIER Packaging and API Working Groups and contributed work to the Shibboleth default configuration survey and the TIER Grouper Deployment Guide. In order to generate more interest in TIER among their peers, the digital infrastructure department at Lafayette plans to lead a Consortium of Liberal Arts Colleges (CLAC) work group to show other member institutions how Grouper can help them with identity and access management (IAM) governance.
“It is important to keep in mind that TIER is not only a toolset but consists of practices, as well. For Lafayette, TIER practices, such as attribute release and supporting global research and scholarship, are important,” added Duh and Thompson. “We hope to interest a few schools enough that we can help guide them in installing and setting up Grouper using the TIER Grouper Deployment Guide.”
This blog post was written with the help of Janemarie Duh, identity management systems architect, and Bill Thompson, director of digital infrastructure, at Lafayette College.