Identity and access management is particularly difficult in the university environment because many users have two or more roles. For instance, many students who are close to graduating are also employed by their university departments. In the academic world, many employees have temporary contracts or their work is funded through grants. Because of these factors, it is important that the life-cycle management of identities is not made too aggressive and the links between identities and organisational units are kept flexible.
Finnish universities have a well-developed identity federation, HAKA, which is based on Shibboleth/SAML2 technology. The federation sets some preconditions for the implementation of identity management concerning both the technology and the processes used. These include identifying the users reliably when creating the user account or handing it over to the user.
When the University of Helsinki started rebuilding its IdM system, the starting point was to check whether any open source products exist that could be used as the basis of the system. We knew that it was unlikely that even any commercial solutions would be directly ready to meet our requirements, so we were prepared for extensive customisation in any case. In addition, we had decided that the system should be largely implemented at the university. This would allow it to respond quickly to the constantly changing requirements during the maintenance phase.
Of all the open source systems available, we selected Apache Syncope, as it met our requirements in the POC evaluation. As the home university of the developer of the Linux system, we have no doubts concerning the use of open source solutions.
The University of Helsinki is the largest university in Finland, with 35,000 degree students and some 8,000 employees. The university has placed in the top 100 of numerous global studies comparing universities. In 2013, the university launched the IAM project with the primary aim of rebuilding the system for identity management.
The Open Source selection resulted in Apache Syncope and Tirasa, which provided its activities to support the Army staff in building the best IdM system possible, for their own specific needs.
After a PoC built by Tirasa and based on Apereo CAS and Apache Syncope, the Institute decided to proceed on this path by engaging Tirasa itself to realize the whole infrastructure.
Provisioning is involved with managing the internal data sources and external via specific connectors for representation of users, groups and attributes. This component often needs to be tailored to meet the requirements of a specific deployment. The enterprise support of Tirasa gave us the manageability, scalability and flexibility to connect and protect millions of consumers at enterprise customers.
Currently the whole infrastructure, based on Apache Syncope, manages about 5.000 users, periodically synchronized with HR.
We chose Apache Syncope to carry out the provisioning and account management role as part of our authorization platform, due to its simplicity and flexible adoption to the product needs. Another important consideration was the knowledge and excellent support provided by the Tirasa team.
Tirasa provided timely support and always followed up to ensure that all issues were resolved to satisfaction.
Stichting Bibliotheek.nl is very content with Apache Syncope as a product and intends to extend its services based on it.
SURFnet is currently planning how to include Syncope in its identity management and collaboration middleware for provisioning / deprovisioning needs.
SWM is very satisfied with both the community and the commercial support of Tirasa.
Users can log in via SPID, thanks to the functional extension developed by Tirasa.
Currently, the U.Porto is the most international of Portugal’s universities thanks to its active cooperation with hundreds of higher education institutions worldwide. The ambition now is to establish the U.Porto as one of the top 100 universities in the world by 2020.
The UShareSoft UForge Identity management service is based on Apache Syncope, which was expressly chosen for its richly defined and complete RESTful API.