Background information
University Leiden Community Network
ULCN is a collection of ICT-related facilities for the University community. Every student, staff member and guest is given a ULCN account that provides them with access to the ICT facilities needed for their study or work, such as public workstations, Blackboard and the Digital Library. Users have just one account for access to all facilities.
Identity Management System
ULCN has developed into a full Identity Management System (IDMS). Identity Management is the term used for managing the rights and facilities (authorisations) available to an entity (a user or group) in a complex ICT infrastructure. A digital identity (an account) is created to manage these rights and facilities, which avoids the need to register local accounts in each application.
The central authentication mechanism is the heart of ULCN. It checks the user name and password entered when a user logs in to a ULCN-linked application. Once these details have been successfully verified, access to the application is permitted.
There are two important processes involved in Identity Management: registration and provisioning.
Registration
Registration of entities takes place in one or more source systems. ULCN has three source systems:
- ISIS for registering students
- SAP/HR for registering staff
- GMS for registering guests
Once a user has been registered in one of the source systems, a ULCN account is created. It is not possible to create a ULCN account outside the source systems. Changes to user information can only be made in the source systems and are passed on to ULCN via transactions.
Provisioning
Provisioning sends account details from ULCN to the applications so that the user is able to log in. Deprovisioning is the reverse process: access is automatically denied if, according to the rules, a user may no longer have access. ULCN is the link between the source systems and the relevant applications.
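As an added illustration (not ULCN's or Leiden University's own code), the registration, provisioning and deprovisioning flow described above modelled in Python. The entity types, application names, account ids and authorisation rules are constructed assumptions; what the model keeps is that an account can only originate from one of the three source systems and that each reconciliation revokes access as well as granting it.

```python
from dataclasses import dataclass, field
# Constructed authorisation rules: which applications each entity type may use.
RULES = {
    "student": {"workstations", "blackboard", "digital_library"},
    "staff":   {"workstations", "digital_library"},
    "guest":   {"workstations"},
}
SOURCE_TYPE = {"ISIS": "student", "SAP/HR": "staff", "GMS": "guest"}  # one type per source

@dataclass
class Vault:
    """Central identity store: an account exists only because a source system registered it."""
    identities: dict = field(default_factory=dict)   # account -> (source, entity type)
    provisioned: dict = field(default_factory=dict)  # application -> accounts given access

    def transaction(self, source, account, action):
        """Apply one change passed on by a source system ('register' or 'deregister')."""
        if source not in SOURCE_TYPE:
            raise ValueError(f"{source!r} is not a source system; it cannot create accounts")
        if action == "register":
            self.identities[account] = (source, SOURCE_TYPE[source])
        elif action == "deregister":
            self.identities.pop(account, None)
        else:
            raise ValueError(f"unknown action {action!r}")

    def reconcile(self):
        """Provision per the rules; return {app: (granted, revoked)} so revocations are visible."""
        target = {app: set() for apps in RULES.values() for app in apps}
        for account, (_, kind) in self.identities.items():
            for app in RULES[kind]:
                target[app].add(account)
        report = {}
        for app, wanted in target.items():
            current = self.provisioned.setdefault(app, set())
            granted, revoked = wanted - current, current - wanted
            if granted or revoked:
                report[app] = (granted, revoked)
            self.provisioned[app] = wanted   # deprovisioning: revoked accounts lose access here
        return report

def demo():
    """Constructed run: a student and a staff member register, then the staff member leaves."""
    v = Vault()
    v.transaction("ISIS", "s1234567", "register")
    v.transaction("SAP/HR", "jdevries", "register")
    first = v.reconcile()
    v.transaction("SAP/HR", "jdevries", "deregister")  # employment ends in SAP/HR
    return first, v.reconcile()
```

The second report shows only revocations for the departed staff member, which is the audit trail a deprovisioning check would look for.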
The technology used
Diagram of ULCN structure (pdf)
ULCN uses Novell software:
- The Meta Directory or Identity Vault, abbreviated to IDVault (a security box), is the central storage medium for the information on identities (students, staff and guests). In addition, ULCN has two sub-storage media (the MAIL TREE and the SERVICE TREE) where a selection of the details from the Meta Directory is stored.
- The Meta Directory Engine directs the different processes to synchronise the details between the Meta Directory and a linked application.
- The Identity Manager Drivers (abbreviated to IdM driver, formerly DirXML links) ensure the actual transfer of information.
Incoming information
The ISIS (via JDBC) and GMS (via NCP) source systems prepare changes directly (real-time) for the relevant IdM driver. SAP/HR (via iDoc) prepares the changes from one day during the following night (in batch form). The IdM driver checks at intervals of a minute for new changes, transforms these to XML and then applies relevant rules and policies. The transformed XML message then arrives at the Meta Directory Engine that stores the information in the Meta Directory. If appropriate, internal IdM drivers synchronise changes in the Meta Directory with two other directories (MAIL TREE and SERVICE TREE).
Outgoing information
There are three methods whereby outgoing applications link with ULCN:
- IdM driver. Most IdM drivers have been developed for linking with workplace environments and services. The IdM driver passes every change in ULCN directly (in real time) on to the relevant workplace environment: from ULCN to the outgoing workplace environment.
- LDAP link. An LDAP link works in reverse: the application asks ULCN for information. An example is Blackboard.
  - Many applications use the LDAP link for authentication: the application checks whether the user name and password entered appear in ULCN.
  - A small number of applications obtain information from ULCN (the SERVICE TREE). This does not take place in real time, but a few times a day.
- Radius link. A Radius link works in the same way as an LDAP link, but uses a different protocol for communication. An example is Eduroam.
History
ULCN (version 1)
- ULCN starts on 1 September 2000. All students receive a ULCN account that gives restricted access to a limited number of applications. Different scripts send information from ULCN to the applications.
- In 2001 and 2002 new applications are linked, including workplace environments for students.
- From 1 September 2002, staff are also given a ULCN account.
ULCN (version 2)
- At the end of 2003, a start is made on renewing the architecture. All scripts are replaced by stable (partly real-time) links. The processes are governed by the source systems (SAP/HR and ISIS) and it is no longer possible to change details manually in ULCN.
- At the end of 2004, ULCN (version 2) goes into production. Because of the robust environment, ULCN develops into a full Identity Management System (IDMS).
- More applications are connected to ULCN, such as the VUW workplace environment.
- In 2006 there is a need to register guests in a separate system. Up to this time, guest accounts were made via the source systems (SAP/HR or ISIS) or the application itself took care of access. The Guest Management System (GMS) went into production in mid-2008 and is ULCN’s third source system.
- In April 2009, ULCN connects to the SURF federation and federative Identity Management becomes possible. The ULCN account now also gives access to external applications, such as publications from publishing houses and other universities.
The future
- There is now ‘one account for everything’, but the user logs in separately to each application. There is no Single Sign On (SSO), although this will be resolved in time.
- It will also be possible in time to make applications simpler and more specific for a particular focus group. This can be achieved via Role-Based Access Control (RBAC). In RBAC the organisation defines particular roles, and different applications are linked to each role.
- The ISIS student information system will be replaced by PeopleSoft Campus Solutions, which will replace the link between ISIS and ULCN.
- The links with the workplace environments will be extended. This will give staff a single password for both their workplace and their ULCN account.