The Wales IDAM Project
National Wales Identity Management Implementation
Learning Possibilities undertook a project to create the identity management component for the Wales HWB+ environment. There have been no ‘waves’ of implementation, because the aim is to achieve equality of access for all and to stimulate collaboration right from the start. The identity management component forms a layer on the infrastructure that bonds all areas of the HWB+ platform, providing unique usernames for students and teachers across Wales.
Identity Life Cycle
The identity life cycle starts at the school MIS/SIS, which is the authoritative source of identity. The component was integrated with a range of MIS/SIS products, including Capita SIMS, Arbor, Bromcom, iSAMS, SchoolBase and Civica REMS, to read the data. When a new user is added, or an existing user is updated, in the MIS/SIS, their account is automatically created or updated in the on-premises Active Directory, the user is assigned the appropriate groups, and the relevant SharePoint permissions follow. Users are synced to Azure AD and licensed according to their role and access (e.g. student). The identity management setup also allows teachers and students to be migrated between schools within Wales during term time and as part of the new-term rollover.
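The provisioning step described above, written out as an added PowerShell example. This is illustrative code and not the project's own implementation: it assumes the ActiveDirectory module, an MIS export with the columns shown (the rows are constructed sample data), and placeholder values for the OU path, UPN suffix and group names. The MIS identifier is stored in EmployeeID and is the only key used to match accounts, so a renamed or relocated user is updated in place rather than duplicated, and leavers are disabled rather than deleted.

```powershell
# Added example (not the project's code): create or update AD accounts from an MIS export.
# Assumptions: ActiveDirectory module available; OU, UPN suffix and group names are placeholders.
Import-Module ActiveDirectory

$UpnSuffix = 'example-school.wales'                               # placeholder
$TargetOu  = 'OU=Users,OU=ExampleSchool,DC=example,DC=local'     # placeholder

# Constructed sample of an MIS export. MisId is the MIS-side stable identifier.
$misExport = @'
MisId,GivenName,Surname,Role,Status,ClassGroup
S10001,Rhian,Evans,Student,Active,Class-7A
T20001,Gareth,Jones,Teacher,Active,
S10002,Dafydd,Hughes,Student,Left,Class-9B
'@ | ConvertFrom-Csv

function New-UniqueSamAccountName {
    param([string]$GivenName, [string]$Surname)
    # Initial + surname, lower-cased and stripped to [a-z0-9]; append a counter until unique.
    $base = ($GivenName.Substring(0, 1) + $Surname).ToLower() -replace '[^a-z0-9]', ''
    $candidate = $base
    $i = 1
    while (Get-ADUser -Filter "SamAccountName -eq '$candidate'") {
        $candidate = "$base$i"
        $i++
    }
    return $candidate
}

function New-RandomInitialPassword {
    # 16 random alphanumeric characters; the user must change it at first logon.
    $chars = (48..57) + (65..90) + (97..122)
    $plain = -join (($chars | Get-Random -Count 16) | ForEach-Object { [char]$_ })
    return (ConvertTo-SecureString $plain -AsPlainText -Force)
}

foreach ($row in $misExport) {
    # Match on the MIS identifier (EmployeeID), never on the display name.
    $existing = Get-ADUser -Filter "EmployeeID -eq '$($row.MisId)'" -Properties EmployeeID

    if ($row.Status -eq 'Left') {
        # Leavers are disabled, not deleted: data stays recoverable and the identity cannot be reused.
        if ($existing) { Disable-ADAccount -Identity $existing }
        continue
    }

    if (-not $existing) {
        $sam = New-UniqueSamAccountName -GivenName $row.GivenName -Surname $row.Surname
        New-ADUser -Name "$($row.GivenName) $($row.Surname)" `
            -SamAccountName $sam `
            -UserPrincipalName "$sam@$UpnSuffix" `
            -GivenName $row.GivenName -Surname $row.Surname `
            -EmployeeID $row.MisId -Department $row.Role `
            -Path $TargetOu `
            -AccountPassword (New-RandomInitialPassword) `
            -ChangePasswordAtLogon $true -Enabled $true
        $existing = Get-ADUser -Identity $sam
    } else {
        # Existing account: update attributes in place so the username survives a rename or school move.
        Set-ADUser -Identity $existing -GivenName $row.GivenName -Surname $row.Surname -Department $row.Role
        Enable-ADAccount -Identity $existing
    }

    # Role group drives downstream licensing and SharePoint permissions (placeholder group names).
    Add-ADGroupMember -Identity "Role-$($row.Role)" -Members $existing
    if ($row.ClassGroup) {
        Add-ADGroupMember -Identity $row.ClassGroup -Members $existing
    }
}
```

The script is idempotent: running it again against the same export changes nothing, which is what a scheduled MIS synchronisation needs. Azure AD Connect (or whichever directory synchronisation is in use) then picks up the on-premises changes, and licence assignment keyed on the `Role-*` groups happens in the cloud.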
This identity management component is the foundation and integration point for all applications linking into SharePoint, Microsoft O365 and other applications, including the learning and collaboration platform (LP+4) and third-party educational tools that use secure single sign-on. AD FS (Active Directory Federation Services) is leveraged for SSO: a federation server farm services Active Directory client requests through SSO authentication, and the farm is load balanced. A federation server proxy exposes the core authentication services to the Internet by relaying requests and responses between Internet clients and the internal AD FS environment, so the federation servers themselves are never directly reachable from outside.
Integral to most environments is the ability to manage groups automatically for use with policies, delegation or simply mail distribution. Our solution allows groups to be managed both within individual schools and at a group/trust level, keeping them up to date automatically throughout the year or as part of the rollover to a new academic year. These groups can be based on class/subject data as well as the pupil/teacher core data, allowing a great deal of flexibility in the options available. In addition, we create a separate address book policy for each school so that users can only see the recipients that belong to their own school; this is known as GAL segmentation (or GAL segregation). SharePoint permissions are granted to the correct school and class members on their school and class sites.
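The two mechanisms in the paragraph above, group reconciliation at rollover and per-school GAL segmentation with address book policies, as an added PowerShell example. This is illustrative code, not the project's implementation: it assumes the ActiveDirectory module and an Exchange PowerShell session holding the Address Lists role, that each mailbox carries its school code in CustomAttribute1 (a placeholder choice; any filterable attribute would do), and that the school code, group names and class rosters are constructed placeholders.

```powershell
# Added example (not the project's code).
# Part 1: reconcile class group membership against the MIS roster for the new academic year.
Import-Module ActiveDirectory

# Constructed roster: desired members (SamAccountName) per class group after rollover.
$classRoster = @{
    'Class-8A' = @('revans', 'dhughes')   # last year's 7A, moved up
    'Class-9B' = @('gjones')
}

foreach ($group in $classRoster.Keys) {
    $desired = $classRoster[$group]
    $current = Get-ADGroupMember -Identity $group | Select-Object -ExpandProperty SamAccountName

    # Add who is missing, remove who has moved on; everything else is left untouched.
    $toAdd    = @($desired | Where-Object { $_ -notin $current })
    $toRemove = @($current | Where-Object { $_ -notin $desired })

    if ($toAdd.Count -gt 0)    { Add-ADGroupMember    -Identity $group -Members $toAdd }
    if ($toRemove.Count -gt 0) { Remove-ADGroupMember -Identity $group -Members $toRemove -Confirm:$false }
}

# Part 2: GAL segmentation. One address book policy per school, scoped by CustomAttribute1.
$School = 'SCH001'                                   # placeholder school code
$scope  = "(CustomAttribute1 -eq '$School')"         # OPATH recipient filter

# Address list, global address list and offline address book restricted to this school.
New-AddressList        -Name "AL-$School"  -RecipientFilter $scope
New-GlobalAddressList  -Name "GAL-$School" -RecipientFilter $scope
New-OfflineAddressBook -Name "OAB-$School" -AddressLists "AL-$School"

# An address book policy also needs a room list; scope it the same way.
New-AddressList -Name "Rooms-$School" `
    -RecipientFilter "((RecipientDisplayType -eq 'ConferenceRoomMailbox') -and $scope)"

# Bind the four lists into the policy for this school.
New-AddressBookPolicy -Name "ABP-$School" `
    -AddressLists       "AL-$School" `
    -GlobalAddressList  "GAL-$School" `
    -OfflineAddressBook "OAB-$School" `
    -RoomList           "Rooms-$School"

# Apply the policy to every mailbox of the school.
Get-Mailbox -Filter "CustomAttribute1 -eq '$School'" -ResultSize Unlimited |
    Set-Mailbox -AddressBookPolicy "ABP-$School"

# Check: list mailboxes tagged with this school that still have no policy (should be empty).
Get-Mailbox -Filter "CustomAttribute1 -eq '$School'" -ResultSize Unlimited |
    Where-Object { -not $_.AddressBookPolicy } |
    Select-Object DisplayName, CustomAttribute1, AddressBookPolicy
```

The reconciliation in part 1 is what makes rollover safe: a pupil who has left a class loses the group membership (and the SharePoint site access that depends on it) rather than accumulating permissions year on year. For part 2, the filter attribute must be populated by the provisioning step for every mailbox, since a mailbox with an empty CustomAttribute1 falls outside every school's policy; on on-premises Exchange the new lists are populated with Update-AddressList, Update-GlobalAddressList and Update-OfflineAddressBook, which are not needed (and do not exist) in Exchange Online.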