August 11, 2014, 3:44 PM — The Educational Testing Service, a non-profit organization that provides academic assessment tests, says it has gained efficiencies by centralizing its identity and access management (IAM) for on-premises, cloud and hosted applications. But it had to cope with a few bumps in the road along the way, especially in extending IAM into the cloud.
ETS deployed Oracle Identity Management for its thousands of employees in order to be able to provision and de-provision applications quickly for single sign-on convenience that's a boon to both end users and the IT department staff. One advantage was "we went from days to minutes" when it came to granting access to applications, says Jim Moran, chief information security officer (CISO).
Though it took a number of years to roll out, the easier part of this vast single sign-on IAM deployment serving the employees. The harder part was extending it to the business and service providers that ETS relies upon, in particular cloud services such as Microsoft Office 365.
ETS has engaged Computer Sciences Corp. to host Oracle Identity Manager and other components for the basic infrastructure, according to Moran. ETS administers identity management for employees based on simple defined roles, such as what applications someone working in an ETC call center might need.
To expand the Oracle IAM support out to business partners, it's necessary to share some Oracle IAM components.
"Oracle provides 'Fedlets,' Java code you can give to your service providers," says Moran. Based on the SAML 2.0 standard, this software allows business partners to join in a federated fashion with ETS to share the appropriate applications and users without having to deploy a full-fledged identity management system. This has worked out well to do things such as link ETS with third-party web portals of partners that do things such as grading tests. But the 'Fedlet' arrangement does require work to set up, including maintaining a public-key infrastructure exchange for security, Moran saya. It means interaction between the companies to establish a significant level of trust.
The biggest bump in the road has been extending the ETS Oracle Identity Management deployment out into cloud-based services. In adopting Microsoft Office 365, for example, ETS found that Microsoft wouldn't allow Oracle agent software to be added to a Microsoft Office 365 server. The approach that ETS found would work to unite Oracle Identity Management with Microsoft Office 365 was to set up a separate server as an intermediate point.
"We now use a web-based server as a shim between Oracle and Microsoft," says Moran. There are various issues related to how well Oracle and Microsoft share IAM-related information for federation, but Moran says there are signs things are improving and moving in the right direction.
Ellen Messmer is senior editor at Network World, an IDG website, where she covers news and technology trends related to information security. Twitter: MessmerE. E-mail: firstname.lastname@example.org