Releases

This page contains information about completed and upcoming releases of IAM program deliverables, including delivery dates, status updates, and contact information.

Harvard's IAM program team is committed to Agile methodology not only at the level of development, testing, and deployment, but also in larger-scale organizational planning. Under this framework, development, testing, and rollout are structured under two-week sprints, with major objectives addressed within overarching program increments (PIs) of twelve weeks each (six sprints). Within each individual program increment, the sixth sprint is dedicated to hardening, innovation, and planning (HIP), and includes demonstrations for the external product owners receiving deliverables under the PI in question. See below for a summary of the objectives under IAM's current program increment, as well as sprint-by-sprint summaries of objectives and deliverables completed.

Looking for a top-level view? Please consult the latest IAM program dashboard for an overview of deliverables and timelines broken down by the 11 primary program streams identified under our overarching three-year program plan.

Current Program Increment

The current IAM program increment, PI-10, is made up of six two-week sprints running from March 29, 2017 to June 20, 2017.

Upcoming Releases

Get further details on upcoming IAM program releases below.

 

Completed Releases and Sprint Summaries

Get sprint summaries and further details on completed IAM program releases below.

2017

4/9/17 - HarvardKey Self-service 3.6.3

HarvardKey Self-service 3.6.3, released on April 9, 2017, updates the address in the footer of emails generated from the system; saves provided login names in lowercase to prevent any issues with other systems; and adds logic to better support Duo device management based on the user's Duo status.

4/9/17 - HarvardKey Authentication 3.5.2

HarvardKey Authentication 3.5.2, released on April 9, 2017, includes back-end changes regarding the processing of Duo enrollments.

3/12/17 - HarvardKey Authentication 3.5.1

HarvardKey Authentication 3.5.1, released on March 12, 2017, includes an enhancement so that users can sign in to Duo multifactor authentication when they are using Dragon NaturallySpeaking software. It also includes a fix to remove dependencies on the Aurora database, so that if that database goes down it doesn't affect Authentication, and it fixes minor display issues on the HarvardKey login page.

3/9/17 - IIQ 3.1.10

IdentityIQ Release 3.1.10 includes the following minor changes:

  • Adds provisioning support for a soon-to-be-added Library Borrower for Schlesinger Library.
  • Expands support of User Principal Names within the new domain hks19.harvard.edu.

Known Issues

  • No known issues have been raised for IIQ 3.1.10

2/2/17 - IIQ 3.1.9

IdentityIQ 3.1.9, released on February 2, 2017, includes enhancements to notifications, as well as performance & bug fixes. 

New

  • Set up a scheduled process to prune the event logs (TEAMX-989)
  • Enabled internal event auditing on several custom workflows. (TEAMX-1070)

Enhanced

  • Simplified the notifications sent to users when entering the Grace period in an effort to reduce confusion. (TEAMX-575, TEAMX-1137)
  • Made several configuration changes aimed at providing a uniform licensing model for SharePoint and Exchange Online, and introduced new communities to facilitate future functionality for the Graduate schools. (TEAMX-941, TEAMX-1088)

Bug Fixes

  • Implemented vendor-recommended bug fix for identified vulnerability. (TEAMX-1084)
  • Removed unused/deprecated code and account links (TEAMX-927, TEAMX-983)

Known Gaps and Remediation Steps

  • None

 

1/12/17 - AuthZProxy to the Cloud

CHG0017171

1/10/17 - Communities Phases

CHG0017176, CHG0017183 (1/11/17)

1/10/17 - IdP 3.3

CHG0017170

2016

12/21/16 - XML Import Update

CHG0016571 - Include new data point for CFA.

12/20/16 - IIQ 3.1.8 Hotfix 1

This hotfix addresses a performance issue with the recently-added duplicate identity handling functionality.

12/15/16 - View Update

Placeholder for Green Ocean Utility View Update

12/15/16 - IIQ 3.1.8

This release facilitates the automated deprovisioning of accounts once an identity has been flagged as a duplicate in the Identity Registry.

12/14/16 - HarvardKey 3.5.0

This release of HarvardKey Self-Service and Authentication includes the following enhancements:

HarvardKey Authentication:

  • Gracefully handle accounts that have been locked out on the Duo side

HarvardKey Self-Service: 

  • Two-step Verification:
    • Send notification after adding or removing a device
    • Improvements to on-screen success notification
  • Accessibility Enhancement: Remove background transparency from all pages.
  • Account Claiming: Open claiming to any Harvard ID Holder

12/10/16 - AUTHLDAP Node Rebuild

CHG0016706 - Perform maintenance on existing node

11/22/16 - Add Domain to ADFS

Add Physics domain to whitelist

11/17/16 - HarvardKey 3.4.0

CHG0016902 and CHG0016903 - Introduce international phone number support and extended IE browser support.

11/14/16 - Waveset Juniper

  • Disables the FASMail Active Directory connector in Waveset as part of the FASMail decommissioning process. See CHG0016831

11/9/16 - IIQ 3.1.7

This release is further described under CHG0016772.

11/9/16 - MIDAS 3.5.1

Described further under CHG0016842, MIDAS 3.5.1 adds a new library code to support borrowers and enhances the resolution of duplicate identities within the registry.

11/5/16 - HUIDA Schema Migration

CHG0016570 - As we continue to improve and remediate security, this maintenance release migrates a schema.

11/3/16 - HarvardKey 3.3.0 (Self-Service)

This change is further described under CHG0016773.

11/2/16 - Update IAMUTILITY View

CHG0016820 - Add new data point to our utility view

10/27/16 - HarvardKey 3.3.0 (Authentication)

Further described under CHG0016771, this release updates text on the 'account locked' page.

10/27/16 - FIM Deployment for FASMAIL

Described under CHG0016742, this change supports the future retirement of FASMAIL and the continuation of uninterrupted O365 services.

10/26/16 - IdP Customer On-boarding

This change is further described in ServiceNow under CHG0016767.

10/25/16 - AD Maintenance

Performing back-end maintenance on Active Directory servers

10/24/16 - Imports: Update Student Status Codes

This change is fully described under CHG0016730 and updates the list of available student codes.

10/20/16 - Update Role for Card Eligibility

This production release, CHG0016731, updates rules for ID card eligibility.

10/20/16 - HarvardKey 3.2

Bi-weekly release of Self-service described under CHG0016728

10/20/16 - IdP 3.2.1

Update expiring certificate for an SP described under CHG0016727.

10/17/16 - PIN Clean-up Script

Further described under CHG0016693, this maintenance release is for a clean-up script and does not affect users.

10/17/16 - IdP On-boarding and Config Updates

This change is further described under CHG0016674 and includes on-boarding new customer(s) and a configuration change to remove a dependency on a partner directory (HMS) for authentication.

10/11/16 - IdentityAPI

CHG0016584 includes on-boarding a new stakeholder, fixing a logging issue, and refining the match score.

10/4/16 - PIN Database Maintenance

This change is further described under CHG0016504 and updates back-end infrastructure for PIN.

9/29/16 - IdP 3.1

This release provides a friendly look-and-feel for user error messaging and user error pages.

9/28/16 - IIQ 3.1.6

This release includes general security enhancements and bug fixes, specifically around notifications and provisioning of email addresses.  

9/27/16 - XID Database Maintenance

This change is further described under CHG0016503 and updates the back-end infrastructure for our XID credential.

9/22/16 - HarvardKey 3.1

This is a standard monthly HarvardKey release (CHG0016519) and further enhances the process for managing two-step verification within the HarvardKey self-service application.  It also includes security enhancements.  

9/21/16 - MIDAS 3.5

This release of MIDAS (CHG0016449) enhances identity resolution.

9/20/16 - Phonebook Database Migration

This change is further described under CHG0016502 and updates the back-end for our public phonebook.

9/19/16 - IAMUTILITY View Update

This maintenance update adds a new population to the utility view and is described further under CHG0016505.

9/13/16 - SilverPop Schema Migration

Described in further detail under CHG0016450, this underlying maintenance release enhances its schema.

9/12/16 - Two-Step Maintenance

This change is described in further detail under CHG0016451.

9/10/16 - HarvardKey 3.0

This release introduces a streamlined process for enrollment in two-step verification within the HarvardKey system and allows for two-step verification device management.

6/15/16 - MIDAS 3.4

This MIDAS release, described further under CHG0015818, enhances the "Library Special Borrower" role.

6/9/16 - SHA-2 EV Certificates

Update authentication services to use extended validation (EV) certificate bundle.  This release is further described under CHG0015396.

6/2/16 - Role API v. 2.6

This is the initial release of 'role' methods as part of Identity API and is further described under CHG0015745.

5/24/16 - MIDAS 3.3.1

This update of MIDAS contains some minor bug fixes and is further described under CHG0015682.  No new functionality is included in this release.

5/19/16 - Provisioning Target Updates

In this release, we will update the KeyStore configuration of our provisioning services.  This release is further described under CHG0015584.

5/17/16 - XML Import: Prime Role Calculation for SU

This release addresses a bug with role calculation such that a prime role should not be recalculated when adding a summer class.  This release is further described under CHG0015631.

5/4/16 - MIDAS 3.3

This release of MIDAS fixes some minor bugs and enhances identity resolution.

4/26/16 - LoginName Batch Server

A follow-up production feature release for Identity API 2.5, this will allow API operations in batch mode. More details about this change can be found under CHG0015300.

4/25/16 - Update Default OU

Further described in CHG0015300, this release changes the default OU name for 'Quarantine.'

4/23/16 - Database Patching (Production Environment)

Install the latest patch set from Oracle.

4/21/16 - MIDAS Cutover

Back-end changes to point to an upgraded application server.  No new MIDAS functionality is being released.  More details can be found under CHG0015397.

4/19/16 - IdP

This very minor release to production will enhance the text of error messages for applications that are protected using the IdP protocol.

4/19/16 - HarvardKey 2.4

This release will contain the next set of features and bug fixes for HarvardKey Self-service and Authentication services.

4/19/16 - HarvardKey Self-Service 2.4

This release will contain the next set of features and bug fixes for HarvardKey Self-service and Authentication services.

4/15/16 - Identity API v. 2.5

This release supports adding and updating email addresses in the identity registry via the API.  More information can be found under ServiceNow CHG0015299.

4/14/16 - HLDAP Upgrade

Back-end maintenance to upgrade underlying service from 1.3.3.1 to 1.3.4.0.  This change is described in more detail under CHG0015323.

4/12/16 - Database Patching (Stage Environment)

Install the latest patch set from Oracle.

4/11/16 - Waveset Updates

Back-end configuration maintenance further described at ServiceNow ticket CHG0015234.

4/11/16 - IIQ 3.1.4

More information regarding this release can be found under ServiceNow ticket CHG0015238.

3/24/16 - HarvardKey 2.3

This release will contain the next set of features and bug fixes for HarvardKey Self-service and Authentication services.

3/24/16 - Updates to IdP SPs

Additions and updates to the attributes and metadata of 2 IdP authentication service providers.

3/23/16 - Eligibility for Pending Students

Allows for students in 'pending' status at HSPH to be eligible to claim a HarvardKey. This change is described in further detail under CHG0015175.

3/21/16 - Kerberos Hot Fix

Quick fix for provisioning to Kerberos during infrastructure maintenance

3/17/16 - IIQ 3.1.3

Refining provisioning of @g.harvard.edu accounts as well as some minor bug fixes.  This release is described in greater detail in ServiceNow ticket CHG0015107.

3/15/16 - Database Rationalization

Migrate ACTIVEDIR from Oracle 10g to 11 (IAM*). This release is described in greater detail in ServiceNow ticket CHG0015105.

3/15/16 - HarvardKey Eligibility

Prepare for supporting users in additional departments and schools (HBS and HBP) to claim their HarvardKeys. This release is described in greater detail in ServiceNow ticket CHG0015106.

3/10/16 - FIM Code Improvements

Updates for provisioning via FIM specific to Source of Authority and UPN transformation.  This release is described in greater detail in ServiceNow ticket CHG0015033.

3/9/16 - Windows DNS Service to Infoblox

This release is described in greater detail in ServiceNow ticket CHG0014983.

3/8/16 - UNIVAD Cleanup

Remove unused OU structures from UNIVAD. There is no ServiceNow ticket associated with this release.

3/7/16 - Database Code Table Update to Add HMS QUAD Information

This release is described in greater detail in ServiceNow ticket CHG0015054.

3/3/16 - IIQ 3.1.2

Release of IdentityIQ 3.1.2. This release is described in greater detail in ServiceNow ticket CHG0014557.

3/1/16 - Add Brainstorm SSO to ADFS

Configure production ADFS to allow single sign-on to Brainstorm - QuickHelp for O365. Add claims rule to prod ADFS. This release is described in greater detail in ServiceNow ticket CHG0014996.

2/25/16 - App Admin 2.0

Release of App Admin 2.0. This release is described in greater detail in ServiceNow tickets CHG0014924 and CHG0014813.

2/24/16 - Data Cleanup

Assorted data cleanup activities. This release is described in greater detail in ServiceNow ticket INC01619179.

2/23/16 - HarvardKey Authentication & Self-Service

Authentication and self-service improvements to HarvardKey, including recovery verification.

2/17/16 - Summary: PI-5, Sprint 4

A summary of objectives completed during the fourth sprint of Program Increment 5, which ended Feb. 17, 2016, follows.

HarvardKey Team:

  • Stabilization release for HarvardKey self-service, including fixes for:
    • 500 errors for some login name recovery situations
    • Google opt-in issues for some DCE students
    • UI text inconsistencies
    • Soft authentication enhancement

Green Ocean Team:

  • Deployed new POI expiration notification report
  • Deployed ID card eligibility change request
  • Deployed ability to view new Delegate Student Account Payer role in MIDAS

Team Sparkles:

  • Provisioned replacement infrastructure for ADFS 3.0
  • Cleaned up groups in UNIVAD
  • Documentation for workstations and utility scripts

2/16/16 - HarvardKey Self-Service Hotfixes

Implementation of several hotfixes in HarvardKey self-service.

2/9/16 - Repoint Services

Repoint HarvardKey and SailPoint IIQ services to an improved HLDAP stack. This release is described in greater detail in ServiceNow ticket CHG0014797.

2/8/16 - Community Grace Period Change

Change grace period for FAS and GSAS degree-seeking student communities. This release is further elaborated upon in ServiceNow ticket CHG0014811.

2/3/16 - MIDAS 3.2

Release of MIDAS 3.2. This release is described in greater detail in ServiceNow ticket CHG0014623, and after deployment, public release notes will be available at http://iam.harvard.edu/resources/hr-resources/midas-release-notes.

2/3/16 - Summary: PI-5, Sprint 3

A summary of objectives completed during the third sprint of Program Increment 5, which ended Feb. 3, 2016, follows.

HarvardKey Team:

  • Ongoing stabilization work leading up to HarvardKey production release Feb. 8

Green Ocean Team:

  • MIDAS 3.2, released to production Feb. 3; includes refined features to support HarvardKey, stronger security of authorized POI roles, enhanced messaging, and fixes for screen display issues
  • Enhancements to Identity API, including source of client updates and allowing for multiple versions

Team Sparkles:

  • Optimization of AD group policies
  • Enhanced password criteria and service account security best practices
  • Proactive preparation for user support as part of HarvardKey 100% plan

2/2/16 - Adjust Duo Service Settings

Policy change to default configuration for Duo multifactor authentication. This release is described further in ServiceNow ticket CHG0014757.

2/2/16 - IdM Account Change

Change to IAM account. This release is described in greater detail in ServiceNow ticket CHG0014767.

2/1/16 - Add IIQ Community

Add an IIQ community for FAS degree students with status of "withdrawn". This release is further described in ServiceNow ticket CHG0014766.

1/19/16-1/23/16 - Staging Database Refresh

Database refresh for the stage environment. No impact to production environments is expected.

1/20/16 - Summary: PI-5, Sprint 2

A summary of objectives completed during the second sprint of Program Increment 5, which ended Jan. 20, 2016, follows.

HarvardKey Team:

  • Deployed ability for DCE students to activate optional services (after claiming a Google account) via the account management screen
  • On the login screen under the HarvardKey tab, deployed acceptance of either HarvardKey login name or HUID in the login name field
  • Deployed the ability for users to synchronize their HarvardKey password with all applications and services associated with their HarvardKey
  • Enabled suppression of some attributes released during IdP assertion

Green Ocean Team:

  • Created an enhanced HarvardKey claim report
  • Completed development for MIDAS enhancements to be included in version 3.2
  • Developed improved match response for the Identity API

Team Sparkles:

  • Implemented "recycle bin" feature to protect against accidental deletion of directory objects
  • Continued Active Directory work
  • Continued internal reporting on accounts

1/14/16 - SHA-2 Certificate Update

Install SHA-2 certificate for Auth-LDAP. This release is described in greater detail in ServiceNow ticket CHG0014380.

1/12/16 - Preferred Email Modification

CDWS to allow "preferred email" indicator to be carried forward. This release is described in greater detail in ServiceNow ticket CHG0014556.

1/11/16 - HarvardKey Authentication Enhancements

Authentication enhancements to HarvardKey, including CAS 3.0 support and default tab adjustments.

1/6/16 - HarvardKey Self-Service

Add functionality to HarvardKey self-service, including Google opt-in and password re-sync.

2015

12/16/15 - Summary: PI-5, Sprint 1

A summary of objectives completed during the first sprint of Program Increment 5, which ended Dec. 16, 2015, follows.

Green Ocean Team:

  • Developed request from HR to enhance MIDAS AppAdmin application
  • Added DCE students' personal email to DCE imports, facilitating those users' ability to claim a HarvardKey
  • Began work to decommission unsupported database instances
  • Completed a number of enhancements to MIDAS to assist the Service Desk in supporting HarvardKey stabilization issues

HarvardKey Team:

  • Deployed production hotfix to update HarvardKey password restrictions
  • Added communities to production environment, enabling HLS, HMS, and HDSM users to claim HarvardKey beginning Dec. 3
  • Worked on Google opt-in capability to allow users to activate available optional services after claiming a HarvardKey

Team Sparkles:

  • Ramping up new team and laying groundwork for next sprint
  • Finalized retirement of Quest Password Manager
  • General work on credentials

Cloud Team:

  • Continued replacement of SHA-1 certificates with SHA-2 for IAM applications
  • Deploy Healthcheck code to HLDAP
  • Oracle 11.2.0.4 upgrade

IDM Team:

  • Integrate @G opt-in workflow with IIQ
  • Fix and test Kerberos/Homedir aggregation partitioning

12/14/15 - Update Password Restrictions

Updates to password restrictions. This release is described in greater detail in ServiceNow ticket CHG0014409.

12/10/15 - SHA-2 Certificates

Install SHA-2 certificates for AuthLDAP and HU-LDAP.

12/3/15 - HarvardKey HMS Rollout

Rollout of HarvardKey to users in Harvard Law School, Harvard Medical School, and Harvard School of Dental Medicine.

11/24/15 - Communities Additions

Additions and amendments to communities, including:

  • (CHG0014273) IIQ 3.1: new communities, new refresh policy, Kerberos change
  • (CHG0014272) Community database scripts: HUIT incoming and FAS staff community breakout
  • (CHG0014274) Update to HarvardKey authentication and self-service: Allow more communities to be eligible to claim, remove "1009" error, and fix logging level for MFA.

11/23/15 - Name Capitalization

Convert cases of names from all upper to mixed case. This release is described in greater detail in ServiceNow ticket CHG0014270.

11/12/15 - HarvardKey 2.0

This HarvardKey release will allow for self-service claiming for FAS, CADM, GSE, GSD, HDS, HSPH, SEAS, and RAD in anticipation of the Nov. 12 launch. Faculty, staff, and students within these communities will be able to claim a HarvardKey and use it as an authentication credential. This release is elaborated upon in greater detail in ServiceNow ticket CHG0014026.

11/11/15 - IIQ 3.1 & Waveset

Turn on new provisioning capabilities in SailPoint IIQ and turn off provisioning people in Waveset. Includes redirecting PRM to HarvardKey. This release is described in greater detail in ServiceNow ticket CHG0014154.

11/9/15 - MIDAS 3.1

IAM capabilities to support new roles in MIDAS 3.1. Part of FAS, CADM, GSE, GSD, HDS, HSPH, SEAS, RAD use of HarvardKey, FAS provisioning through IIQ instead of Waveset and use of new sponsored affiliation roles. This release is described in greater detail in ServiceNow ticket CHG0014159.

11/6/15 - Program Increment 4 Summary

The fourth IAM program increment was made up of 10 two-week sprints running from June 3, 2015 to Nov. 6, 2015. Core objectives for this PI were as follows:

Each objective below is followed by its acceptance criteria and its feature(s):
1. Support Alumni rollout
At the end of PI, all Alumni data has migrated to production IdDB and we are ready to go live with HarvardKey.
  1. Implement Alumni claim status report
  2. Support integration testing and data migration
2. Replace FAS account management and provisioning
At the end of PI, demonstrate FAS users' ability to claim accounts and use identities provisioned through SailPoint IIQ.
  1. ServiceNow modifications to have access to Alumni and sponsored affiliates
  2. Calculate and tag cubes with FAS-related communities
  3. All FAS targets can be provisioned, and existing reports and email notifications supported, via IIQ
  4. Data cleanup of existing sponsored accounts and migration of data to IdDB
  5. Enable Service Desk to add/remove entitlements for FAS users
  6. Identify administration utility to perform identity resolution
  7. Remaining required functionality to enable FAS/CA to claim, manage, recover and authenticate in HarvardKey
  8. MIDAS features to support POI sponsored affiliates and onboarding of students/employees
  9. Modify IIQ to support addition of School IT support role(s) with limited capabilities
  10. Notifications related to the expiration of roles and accounts
3. Enable two-step verification
At the end of PI, users with HarvardKey can choose to enable two-step verification.
  1. Application registration update
  2. Key application update
  3. Enable self-enrollment
  4. Integrate Duo with CAS server
4. Invest in platform improvements and migrate production application environments to the cloud
At the end of PI, all listed applications are in the cloud (in all environments), providing enhanced functionality and cost savings.
  1. SailPoint IIQ
  2. Phonebook
  3. PIN/CAS/IdP
  4. Public LDAP
  5. AuthProxy
  6. FindPerson
  7. Connections
5. Externally-driven commitments
At the end of PI, features delivered to partners.
  1. Configure and implement secure SSN vault
  2. Implementation of HMS identity work
  3. Enhancements to PIN/CAS attribute release

11/4/15 - Summary: PI-4, Sprint 10

A summary of objectives completed during the tenth sprint of Program Increment 4, which ended November 4, 2015, follows.

All Teams

  • Support for deployment of HarvardKey 2.0 on Nov. 12, 2015

11/3/15 - Community End Dates

Update view in IIQ to include community end dates. This release is further elaborated upon in ServiceNow ticket CHG0014126.

11/3/15 - AppAdmin 1.3

IAM capabilities to support new roles in MIDAS 3.1. Part of FAS, CADM, GSE, GSD, HDS, HSPH, SEAS, RAD use of HarvardKey, FAS provisioning through IIQ instead of Waveset, and use of new sponsored affiliation roles. This release is further elaborated upon in ServiceNow ticket CHG0014125.

11/2/15 - Email Verification Database Change

Provide database change in IAM identity registry that will allow for reporting on HarvardKey recovery email verification status. This release is further elaborated upon in ServiceNow ticket CHG0014124.

10/21/15 - Summary: PI-4, Sprint 9

A summary of objectives completed during the ninth sprint of Program Increment 4, which ended October 21, 2015, follows.

HarvardKey Team

  • Finalized two-step verification functionality for Nov. 12 HarvardKey release
  • Deployed changes to password creation based on discussions with Information Security

Cloud Team

  • Completed security vulnerability scan of MIDAS
  • SHA-2 certificates deployed for additional IAM services

Green Ocean Team

  • Deployed fix for HBS email import duplication
  • Deployed ability to allow preferred email indicator to be carried forward
  • Additional work for MIDAS November release on notifications for authorizers and authorizer admins

10/20/15 - Update Imports Code

Update imports code for SIS and HBS. This release is further elaborated upon in ServiceNow ticket CHG0013966.

10/19/15 - Update SAN Certificates

Update SAN certificates for production domains. This release is elaborated upon in ServiceNow ticket CHG0013945.

10/19/15 - Remove Domain Controller

Remove domain controller DC200 from service. This release is further elaborated upon in ServiceNow ticket CHG0013940.

10/19/15 - SHA-2 for Identity & Onboard API

Install SHA-2 certificate for the Identity and Onboard API.

10/15/15 - NetScaler Swap

Replace NetScaler load balancers on loan with fully-licensed NetScalers. This release is further elaborated upon in ServiceNow ticket CHG0013772.

10/15/15 - MIDAS SHA-2 Certificate

Install SHA-2 certificate for MIDAS.

10/14/15 - RDS Patch

Patch RDS instances in the production environment.

10/7/15 - Summary: PI-4, Sprint 8

A summary of objectives completed during the eighth sprint of Program Increment 4, which ended October 7, 2015, follows.

Overall: More than 6,000 HarvardKey credentials claimed

9/23/15 - Summary: PI-4, Sprint 7

A summary of objectives completed during the seventh sprint of Program Increment 4, which ended September 23, 2015, follows.

All teams:

  • Support for Alumni rollout of HarvardKey.

9/22/15 - HarvardKey Alumni Rollout

Alumni rollout of HarvardKey, including global UI change to PIN System login screens. This release is elaborated upon in ServiceNow ticket CHG0013530.

9/17/15 - PIN Self-Service Updates to Support HarvardKey

Updates to PIN self-service in order to support HarvardKey. This release is described in greater detail in ServiceNow ticket CHG0013597.

9/17/15 - MIDAS 3.0

Release of MIDAS 3.0. This release is elaborated upon in ServiceNow ticket CHG0013529.

9/16/15 - Modify DCE XML Import Code

Modify DCE XML import code to remove degree check. This release is further elaborated upon in ServiceNow ticket CHG0013681.

9/16/15 - IdP Updates to Support HarvardKey

Updates to IdP in order to support HarvardKey. This release is described in greater detail in ServiceNow ticket CHG0013596.

9/15/15 - Add Recovery Email & Claim Status to IIQ View

Add primary and alternate recovery emails, as well as HarvardKey claim status, at the Person level in IIQ view. This release is elaborated upon in ServiceNow ticket CHG0013393.

9/15/15 - Standardize Recovery Tables

Assure that HarvardKey recovery email tables are functioning according to accepted IAM standards. This release is elaborated upon in ServiceNow ticket CHG0013395.

9/14/15 - IIQ 3.0.1

Release of SailPoint IIQ 3.0.1. This release is elaborated upon in ServiceNow ticket CHG0013528.

9/10/15 - Establish Claim Status Daily Report

Establish daily reports and metrics on Alumni HarvardKey accounts claimed. This release is further described in ServiceNow ticket CHG0013568.

9/9/15 - Add Official Email to IDMRW/IDMRW2

Add email addresses tagged as official to login name table in IDMRW/IDMRW2 in order to better support HarvardKey login name claims. This release is described in greater detail in ServiceNow ticket CHG0013567.

9/9/15 - Summary: PI-4, Sprint 6

A summary of objectives completed during the sixth sprint of Program Increment 4, which ended September 9, 2015, follows.

IDM Team:

  • Work on HLDAP for HarvardKey go-live
  • Configuration work on SailPoint IIQ to support efficient processing of large quantities of updates

Cloud Team:

  • Configuration for HarvardKey pre-production environment
  • Further refinement and testing of HLDAP for HarvardKey go-live

HarvardKey Team:

  • Final security and regression testing of HarvardKey application
  • Developed MFA enrollment capability for end users within HarvardKey

Green Ocean Team:

  • Finalized reporting options for HarvardKey claiming
  • Finished development of MIDAS 3.0 functionality for September 17 release

9/8/15 - IDMFEED Modifications

Modify IDMFEED as required by OAKProd change. This release is described in greater detail in ServiceNow ticket CHG0013569.

9/8/15 - Update XID UI Text

Update UI text in XID application to reflect migration from PIN to HarvardKey. This release is described in greater detail in ServiceNow ticket CHG0013552.

9/3/15 - HUIDs in IDMRW

Resolve issue with missing HUIDs in IDMRW due to incorrect PNG status. This release is described in greater detail in ServiceNow ticket CHG0013566.

9/2/15 - Modification of CNL List

Modify CNL list to exclude some school and stat codes. This release is described in more detail in ServiceNow ticket CHG0013565.

8/26/15 - Summary: PI-4, Sprint 5

A summary of objectives completed during the fifth sprint of Program Increment 4, which ended August 26, 2015, follows.

IDM Team:

  • Implemented critical fix to not provision mobile phone number to University AD
  • Continued work on FAS Communities for provisioning

Cloud Team:

  • Enhanced monitoring of PIN/CAS/IdP (after migration)
  • Streamlined New Relic configuration
  • Worked with my.harvard on final data streams for go-live

Green Ocean Team:

  • Developed additional MIDAS 3.0 functionality
  • Developed Communities to support FAS population

HarvardKey Team:

  • Completed final enhancements of HarvardKey application to support Alumni group; deployed to stage

8/24/15 - ServiceNow to Have Access to Alumni Data

Enable access to appropriate Alumni data for HUIT Support Services in ServiceNow, so that staff can support Alumni helpdesk functions. This release is further described in ServiceNow ticket CHG0013396.

8/12/15 - Summary: PI-4, Sprint 4

A summary of objectives completed during the fourth sprint of Program Increment 4, which ended August 12, 2015, follows.

IdM Team:

  • Realignment of Waveset to support my.harvard data flows
  • Update for mobile phone number in directory

Green Ocean Team:

  • Continued work on Midas 3.0 release
  • Work to support FAS migration to SailPoint IdentityIQ
  • Identity API deployed to production
  • ServiceNow DB View to support Alumni

Cloud Team:

  • Completed PIN/CAS cloud migration
  • Completed IdP cloud migration
  • Completed App Portal cloud migration

HarvardKey Team:

  • Addressed findings of accessibility and end-user testing within HarvardKey self-service application
  • Support PIN/CAS and IdP migrations

8/10/15 - Migrate Alumni HUIDs (Person Details)

Migrate known Alumni HUIDs so that Alumni can import their data into IdDB. This release is further described in ServiceNow ticket CHG0013332.

8/10/15 - Migrate IdP to the Cloud

Migrate the Harvard identity provider (IdP) to the cloud. This release is elaborated upon in ServiceNow ticket CHG0012745.

8/3/15 - MIDAS 2.6 Hotfix

Deploy MIDAS 2.6 hotfix and restart MIDAS WebLogic domain. This release is elaborated upon in ServiceNow ticket CHG0013241.

7/30/15 - SHA-2 Certificate for PIN

The March SHA-2 deployment was reverted due to customer technical difficulties; however, we are now ready to implement SHA-2 for PIN. For reference, the old change tickets are CHG0011726 and CHG0011728.

7/30/15 - UC Kerberos Change in AD

Change in UC AD pertaining to Kerberos.

7/29/15 - Summary: PI-4, Sprint 3

A summary of objectives completed during the third sprint of Program Increment 4, which ended July 29, 2015, follows.

HarvardKey Team

  • Incorporated modifications to the HarvardKey application user interface based on Perkins accessibility findings
  • Blocked PIN authentication and self-manage for HarvardKey holders

Green Ocean Team

  • Deployed enhancement to MIDAS (2.6) to production to support Alumni requirements
  • Supported data migration of Alumni records to identity registry

IdM Team

  • Stabilization period for IIQ migration to the cloud
  • Development of Auth LDAP IIQ connector to support attribute release

Cloud Team

  • Support Harvard Phone project by providing pilot user access to Harvard LDAP
  • Network preparations to support PIN/CAS migration to the cloud

7/29/15 - UC AD Update

Update UC from AD 2003 to AD 2008.

7/28/15 - UC Provisioning Change

Update to remove a file connector that is no longer needed.

7/21/15 - MIDAS 2.6 Release

This release adds new Alumni-specific functionality to MIDAS because, in the near future, the IAM identity registry (IdDB) will begin receiving data for all living Alumni. The release is described in further detail in ServiceNow ticket CHG0013094.

7/16/15 - Remove Java

Remove an unused instance of Java. This release is described in greater detail in ServiceNow ticket CHG0013070.

7/15/15 - Summary: PI-4, Sprint 2

A summary of objectives completed during the second sprint of Program Increment 4, which ended July 15, 2015, follows.

HarvardKey Team

  • Added additional attributes to PIN/CAS and SAML (for eCommons and Alumni)
  • Connections from HarvardKey to IdDB built for claim elements (login name, recovery info, claimed status)
  • Deployed enhanced HarvardKey application and authentication to stage environment to enable Alumni testing

IDM Team

  • SailPoint IIQ migrated to the cloud
  • Multiple connectors for FAS deployment (IIQ to HomeDir, FASLDAP, FASAD)

Green Ocean Team

  • Added HarvardKey claim attributes to IdDB and SailPoint IIQ view
  • Support integration testing and data migration for the Alumni team

Cloud Team

  • Phonebook migrated to the cloud
  • Various fixes for Harvard LDAP
  • Extended Harvard LDAP schema to support attribute release work

7/14/15 - Migrate SailPoint IIQ to the Cloud

Migrate IAM's instance of SailPoint IdentityIQ (IIQ) to the cloud. This release is further elaborated upon in ServiceNow release CHG0012605.

7/13/15 - Restart LDAP Machines

Restart two LDAP machines to install VMTools. This release is described in detail in ServiceNow ticket INC01335034.

7/8/15 - Migrate Phonebook to AWS

Migrate the Phonebook application to Amazon Web Services. This release is described in greater detail in ServiceNow ticket CHG0012993.

6/29/15 - HarvardKey Claim Database Attributes

Add HarvardKey claim status attributes to the IAM identity registry to enable assessment of the status of HarvardKey accounts claimed. This release is described in detail in ServiceNow ticket CHG0012984.

6/17/15 - Summary: PI-4, Sprint 1

A summary of objectives completed during the first sprint of Program Increment 4, which ended June 17, follows.

Green Ocean Team

  • New version of IAM API deployed to stage
  • Began work on POI sponsored affiliations in MIDAS

HarvardKey Team

  • Built eligibility functionality for HarvardKey
  • Support for PIN/CAS/IdP cloud migration

IDM Team

  • IIQ infrastructure
  • Work on Kerberos connector

Cloud Team

  • Security testing for PIN/CAS
  • Documentation of SailPoint IIQ architecture

6/13/15 - General Patching

General patching. These activities are more fully described in ServiceNow tickets INC01178701 and CHG0012588.

6/12/15 - SSL Certificate Expiring

Act on expiring SSL certificate for specified Harvard domain. Please contact the IDM team directly for more specific information.

6/12/15 - Migrate HL View to IAMUTILITY

Move external clients to the IAMUTILITY schema so that Directory Services can go to a single location for all data view clients. This release is elaborated upon in ServiceNow ticket CHG0012851.

6/10/15 - Remove CSS Entries

Remove entries from the content switch that are no longer used in order to reduce monthly billing amount. This release is described in more detail in ServiceNow ticket CHG0012590.

6/4/15 - Program Increment 3 Summary

The third IAM program increment, PI-3, was made up of six two-week sprints running from March 12 to June 3, 2015. Key achievements for this PI, listed by objective, follow. You can also download the PI-3 demo slide deck here.

Objective 1

Complete Alumni development, final integrations: authentication integration, MIDAS development, UX changes.
Demonstrations:
New version of HarvardKey application, with responsive design and accessible feedback mechanisms. MIDAS application views of Alumni data (varying details based on role of MIDAS user).
Benefits:

  • All Alumni can use HarvardKey to access the new ACE community
  • HarvardKey provides greater levels of security assurance (compliance with password policies), as well as greater ease of use and accessibility for end users
  • Support staff from AAD and HUIT have tools to support Alumni users

Objective 2

Replace FAS account management and provisioning: reconfigure database and Sailpoint IIQ configurations (Cube and Communities), continued HarvardKey work.
Demonstration:
Not applicable.
Benefits:

  • Incremental progress toward overall goals

Objective 3

Externally-driven program commitments: changes to SailPoint IdentityIQ to comply with audit findings, report for HR on MIDAS users
Demonstration:
Not applicable.
Benefits:

  • Compliance with audit findings
  • Progress in HR collaboration on MIDAS

Objective 4

Platform investment, migrate applications to the cloud: concentrated effort to migrate all lower environments of applications in order to generate cost savings
Demonstration:
Not applicable.
Benefits:

  • Cost savings achieved

Objective 5

Proof of concept for multifactor authentication: enable two-step verification as part of HarvardKey.
Demonstration:
Setup of Duo MFA app on an iPhone and subsequent use of multifactor authentication as part of the HarvardKey login process.
Benefits:

  • HarvardKey users get additional protection by adding an additional factor of authentication — something you know (your password) plus something you have (your smartphone with one-time authentication code)
  • Flexible implementation allows users to opt in as desired
  • Easy setup for smartphones, as well as an option for those without smartphones

PI-3 Objectives, Acceptance Criteria, and Features

The original objectives, acceptance criteria, and features for PI-3 are listed below for reference.

Objective and Acceptance Criteria Feature(s)
1. Complete Alumni development: final integrations, prepare for rollout
At the end of PI, all functionality for Alumni users is complete.
  1. Integrate Alumni with AuthN application
  2. Support management of alumni identities in MIDAS
  3. Implement user experience changes recommended by vendor
  4. Meet business transition, rollout, and training needs
2. Replace FAS account management and provisioning
At the end of PI, demonstrate FAS users' ability to claim accounts and use identities provisioned through IIQ.
  1. Move sponsored account creation out of Waveset
  2. Enable FAS users to claim a HarvardKey (claim, manage, and authenticate)
  3. Change databases/feeds to support FAS
  4. Reconfigure Cube and Community logic in IIQ
  5. Data analysis (all schools) to find collisions and prevent creation of future duplicates
  6. Preliminary requirements work for group management
3. Meet externally-driven program commitments
At the end of PI, all program commitments have been met.
  1. Comply with OCG mandate to improve security of SSN data
  2. Implement changes per IIQ audit outcomes
  3. New report for HR on MIDAS users
  4. POI update and integration
4. Invest in platform improvements and migrate applications to the cloud
At the end of PI, all listed applications are in the cloud, providing enhanced functionality and cost savings.
  1. SailPoint IIQ
  2. Phonebook
  3. PIN/CAS/IdP
  4. Public LDAP
  5. AuthProxy
  6. FindPerson
  7. Connections
5. Multifactor authentication and HarvardKey
At the end of PI, have conducted a proof of concept for a vended MFA solution.
  1. Set up proof-of-concept implementation of two-step verification as part of HarvardKey
Additional Commitments:
  • Capture HMS functional and technical requirements in order to plan HMS implementation project

6/3/15 - Remove Filter for Attribute 7

Remove the filter for Attribute 7. This release is further elaborated upon in ServiceNow ticket CHG0012728.

6/2/15 - Support FAS Sponsored Affiliation POI Roles

Support FAS sponsored affiliation POI roles and remove prior SPAC table. This release is further elaborated upon in ServiceNow ticket CHG0012736.

6/1/15 - PeopleSoft Department Code File (Fix Imports)

Correct issue in which some imports erroneously give .OK.log file. This release is described in greater detail in ServiceNow ticket CHG0012751.

5/26/15 - General Patching

These releases are further elaborated upon in ServiceNow tickets CHG0012586 and CHG0012589.

5/26/15 - Suppress 'AP' Student Status in Exports

Suppress "AP" student status in exports. This release is further elaborated upon in ServiceNow ticket CHG0012665.

5/20/15 - Summary: PI-3, Sprint 5

A summary of objectives completed during the fifth sprint of Program Increment 3, which ended May 20, follows.

Green Ocean Team

  • Alumni performance testing
  • MIDAS updates for new population/functionality

HarvardKey & PIN Team

  • Support HarvardKey with PIN/CAS-registered applications
  • Prepare HarvardKey app for PI-3 demo

Cloud Team

  • Phonebook to stage
  • Migrate Crypter application to VPC
  • Automatic provisioning and logging for AuthZProxy application

IDM Team

  • Data aggregation work in SailPoint Identity IQ
  • Dionysus and AD naming changes deployed to production

5/19-5/21/15 - General Patching

General server patching. This release is described further in the following ServiceNow tickets: INC01178701, CHG0012584, CHG0012586, CHG0012587, CHG0012589.

5/18/15 - Decommission LDAPDB in Prod

This release is elaborated upon in ServiceNow ticket CHG0012664.

5/7/15 - Halt IDM-AD Connectors for Monthly Patching

Suspension of several IDM-AD connectors while regularly scheduled patching is performed on the Windows servers. This release is further described in ServiceNow ticket CHG0012521.

5/6/15 - Summary: PI-3, Sprint 4

A summary of objectives completed during the fourth sprint of Program Increment 3, which ended May 6, follows.

Cloud Team

  • Prepared PIN/CAS and IdP for regression testing in P-1

IDM Team

  • Deployed Dionysus and AD naming changes

Green Ocean Team

  • Configured AWS CloudWatch logging for Identity API
  • Developed new MIDAS user roles with permissions to view and/or edit Alumni data

PIN Team

  • Added user interface functionality to the HarvardKey application based on Isobar's UX designs and internal work, including adding links, changing text, building FAQs, and adding selection choices

4/22/15 - Summary: PI-3, Sprint 3

A summary of objectives completed during the third sprint of Program Increment 3, which ended April 22, follows.

During Sprint 4, the IAM team undertook a significant push to migrate applications and services to the cloud in order to decommission 13 on-premise servers and realize significant cost savings. Resources from all the scrum teams were diverted to this effort during the sprint. In addition, the teams accomplished the following:

Green Ocean Team

  • Four enhancement requests from customers were deployed to production
  • Work progressed on integrating the two different Identity APIs used by SIS and Alumni

Cloud/DevOps Team

  • PIN/CAS, Phonebook, and IdP deployed to cloud dev/QA environments
  • Public LDAP and AuthzProxy deployed to cloud stage environments

IDM Team

  • SailPoint IIQ deployed and tested in cloud QA environment
  • Work on IIQ Cube refactoring ready for deployment to cloud QA environment

PIN Team

  • Refinement of HarvardKey application based on UX designs
  • Development of passphrase (simple and long) option for HarvardKey, per policy revisions

4/15/15 - IDDBSync New VPC

Deploy IDDBSync in the new VPC.

4/15/15 - Benefits Group DB View

Replace a query running against a remedy server that will be decommissioned. This release is outlined in ServiceNow ticket CHG0012270.

4/14/15 - Views for Campus Notification Email Lists

Create views in IAMUTILITY schema of IAM* database instances to provide email lists for Campus Notifications. This release is outlined in ServiceNow ticket CHG0012267.

4/14/15 - ITSM DB View

Remedy defects in the existing ITSM DB view and move the existing V_Directory_Internal view to different schema. This release is outlined in ServiceNow ticket CHG0012292.

4/8/15 - Summary: PI-3, Sprint 2

A summary of objectives completed during the second sprint of Program Increment 3, which ended April 2, follows.

PIN Team

  • Created dev instance for CAS in the cloud
  • Created the ability to allow passphrase when creating a password in HarvardKey application

IDM Team

  • IIQ release v1.0.20 (last on-premise deployment)
  • Regression testing of IIQ release v.2.0.0 (cloud migration)

Cloud Team

  • SHA-2 certificates and ELB SecurityPolicy deployed for all AWS environments
  • Preparation for AuthZProxy migration

Green Ocean Team

  • Testing automation framework for MIDAS
  • Enhanced MIDAS to allow viewing of Alumni and new sponsored POI roles

4/8/15 - PACS: Update Summer School Clearances

Addresses the FAS Clearance expiration for summer students at midnight the day their role expires. This fix will make the clearance (FAS_AY1 and FAS_AY2) expire at the same time the credential expiration was changed to. Further details on this release in ServiceNow ticket CHG0012200.

4/7/15 - Exclude Alumni Name/Address from Existing XML Exports

Ensure that, in certain cases, the new alumni name types are excluded from exposure to XML exports. Further details on this release in ServiceNow ticket CHG0012199.

4/6/15 - Harvard OTD & ExactTarget Service Providers

Adds additional attributes to be released in a SAML assertion; modifies service provider metadata; adds or modifies new service providers. Further details on this release in ServiceNow ticket CHG0012201.

3/31/15 - Disable WINS Service on Old FAS Server

Full information on this release can be found in ticket CHG0012037.

3/24-3/26/15 - FAS Domain Controller Relocation

These releases cover physical relocation of two FAS domain controllers from 10X to Summer:

  • CHG0012035: FAS-ADC4 at 9 a.m. on March 24
  • CHG0012036: FAS-ADC2 at 9 a.m. on March 26

3/25/15 - Summary: PI-3, Sprint 1

A summary of objectives completed during the first sprint of Program Increment 3, which ended March 25, follows.

Green Ocean Team:

  • Migrated IDMRW write applications to Oracle 11G
  • Created matching algorithm for the IAM Identity API in order to enhance person-matching details in FindPerson

Cloud & DevOps Team:

  • AWS logs now being delivered to Splunk in all environments in order to enable troubleshooting for developers and testers
  • Refining H-LDAP architecture in the cloud based on new requirements for SailPoint IIQ

IDM Team:

  • IIQ Communities Database Deployment adds alumni role attributes and H-LDAP/Alumni-related community tags to our authoritative data source
  • Preparatory work for v1.0.20 release

PIN Team:

  • Enhanced HarvardKey "Forgotten Password" functionality
  • Implemented Healthcheck for HarvardKey

3/20/15 - 3/21/15 - Database Consolidation/Write App Migration

This project entails movement of the applications that write to the IDMRW schema. The movement will be from the old IdDB Oracle 10g instance to the IAMDB Oracle 11g instance. The reasons for this move include:

  • Removal of old IAM databases ITIS10G, LDAPDB, and IdDB that run on Oracle 10g.
  • Simplification of database structure to remove multiple streams between databases.
  • Provide one consolidated database for IAM applications on premise while replicating that database to the cloud.

3/17/15 - SHA-2 Certificates & SSL Protocol Updates

  • SHA-2 certificates for major applications: PIN/CAS/IdP and all other IAM services
  • SSL protocol updates

3/13/15 - IIQ Communities Database Deployment

Friday, March 13, beginning at 5 p.m.: IIQ Communities Database Deployment (CHG0011916) is scheduled for after-hours Friday. We will be adding alumni role attributes and HLDAP/Alumni-related community tags to our authoritative data source. The recurring 15-minute task for processing change records will be paused. Approximately 100,000 accounts were affected in our stage environment under this release; we expect a similar number in production, since stage was recently refreshed from production. While we do not expect any outage as a result of this release, there will be a delay in provisioning any updates from IdDB to UNIVAD. However, since this release has intentionally been scheduled to take place on a Friday evening, we anticipate that the system will have ample time to catch up before the beginning of the work week.

3/11/15 - Program Increment 2 Summary

The second IAM program increment, PI-2, was made up of six two-week sprints running from Dec. 3, 2014 to Mar. 11, 2015. Key achievements for this PI, listed by objective, follow. You can also download the PI-2 demo slide deck here.

Objective 1

Advance Alumni release: data migration, account management.
Demonstration:
Use of IAM API to migrate Alumni data into IdDB; registration of an alumni user with HarvardKey; management of HarvardKey by alumni user
Benefits:

  • Person’s identity remains constant throughout the lifecycle of affiliation with Harvard
  • IAM APIs provide near real-time data transfer
  • Use of recovery emails negates confusing (and often forgotten) security questions

Objective 2

Meet externally-driven program commitments.
Demonstration:
Not applicable
Benefits:

  • FAS Google Apps using updated API settings
  • Maintained InCommon Bronze certification by implementing updated algorithm
  • PIN3 service decommissioned, providing better service and cost savings

Objective 3

Aggressively invest in platform improvements to speed future developments.
Demonstration:
Not applicable
Benefits:

  • Database rationalization – co-location of all schemas in one on-premise database and one external database in the cloud (with redundancy across multiple regions) to consolidate and streamline functionality

Objective 4

Replace FAS account management and provisioning.
Demonstration:
Account management actions — password change and reset
Benefits:

  • Design to integrate Sponsored Affiliates into MIDAS POI functionality provides increased functionality

Other Accomplishments During PI-2

  • Extensive requirements gathering on HMS provisioning

PI-2 Objectives, Acceptance Criteria, and Features

The original objectives, acceptance criteria, and features for PI-2 are listed below for reference.

Objective and Acceptance Criteria Feature(s)
1. Advance Alumni release: data migration, account management
At the end of PI, data migration into IIQ and account management for Alumni is viable.
  1. Deploy Identity APIs
  2. Develop credential capturing functionality (re-register)
  3. Alumni provisioning into Harvard LDAP
2. Meet externally-driven program commitments
At the end of PI, all program commitments have been met.
  1. Support Cloud Services for FAS Google Apps
  2. Respond to findings within IIQ audit
  3. Update algorithm to maintain InCommon Bronze certification
  4. Decommission PIN3 service
3. Aggressively invest in platform improvements to speed future development
At the end of PI, platforms are improved and stabilized.
  1. Database rationalization
  2. PIN/IIQ to the cloud
4. Replace FAS account management and provisioning
At the end of PI, demonstrate account management and sponsored account functionality for FAS.
  1. Account management, self-service, and support desk
  2. Replace connectors to FAS targets and develop cube in IIQ
  3. Re-create sponsored account functionality
Additional Commitments:
  • Capture HMS functional and technical requirements in order to plan HMS implementation project

3/10/15 - Kivuto Launch

Launch of new authentication customer Kivuto.

3/5/15 - Exports Scripts (DB Consolidation)

As part of database rationalization, make Exports scripts point to IAMDB.IDMRW in production.

3/4/15 - LDAP Loader (DB Consolidation)

As part of database rationalization, make LDAP loader point to IAMDB.IDMRW in production.

2/25/15 - Summary: PI-2, Sprint 5

A summary of objectives completed during the fifth sprint of Program Increment 2, which ended Feb. 25, follows.

PIN Team:

  • Continued work on Account Management application for Alumni
  • Attributes added for release in SAML assertion

IDM Team:

  • Created framework for automated unit testing for SailPoint IIQ
  • Released Waveset Google API changes to production

Green Ocean Team:

  • In QA: New LDAP related-communities tags (support for SailPoint IIQ)
  • In QA: Event logging for Identity API

Cloud Team:

  • Deployed H-LDAP in production with health check embedded
  • ACLs created for IAMDB in production

2/19/15 - Google Connector for Waveset

The Identity and Access Management team is scheduled to deploy changes into production (CHG0011785) for Waveset beginning at 7 p.m. Thursday, February 19, with work anticipated to last until 10 p.m. No impact to user or account administration is expected, though the Waveset application may be unavailable during this period.

Waveset currently provisions @google and @g accounts using a Google API that will be deprecated as of April 15, 2015. Thursday’s deployment will replace this outdated API with the current version.

2/18/15 - GSE Database View

This release updates an existing database view related to GSE.

2/18/15 - IAMUTILITY Image View

  • Verify new view in IAMPROD in IAMUTILITY schema with same view name and same structure
  • Verify list of accounts created (ticket) and grants copied to new schema view

2/18/15 - LDAP Loader and Exports Scripts

As part of database rationalization, this release will make exports scripts and LDAP loader point to IAMDB.IDMRW in prod.

2/17/15 - Add Attributes for Release in SAML Assertion

This IDPEXP release will add three additional attributes to be released in a SAML assertion.

2/11/15 - Summary: PI-2, Sprint 4

A summary of objectives completed during the fourth sprint of Program Increment 3, which ended Feb. 11, follows.

Green Ocean Team:

  • Worked on migration of all IdDB.IDMRW write applications to IAMDB.IDMRW Stage
  • Deployed to production: Stream from IDDB.IDMRW to IAMDB.IDMRW and removal of stream from IDDB.IDMRW to ITIS10.IDMRW
  • Worked on business logic for Alumni Identity API

PIN Team:

  • Continued work on Account Management application for Alumni
  • Added attributes for release in SAML assertion

IDM Team:

  • Waveset Google API in preparation for changes from Google
  • Development complete, QA & regression testing started for provisioning Alumni data to Harvard LDAP

Cloud & DevOps Team:

  • Harvard LDAP deployed to production
  • SHA-2 SSL for HLDAP (POC)

2/4/15 - Create Stream from IDDB.IDMRW to IAMDB.IDMRW

Create a stream to populate an IDMRW schema in IAMDB in Stage and Production. This schema and stream addition in stage and production should not affect anything except database table space sizes. These can be retrieved from IdDB, since IdDB has both IDMRW2 and IDMRW schemas present.

Acceptance Criteria:
Creation of streams and data populated in IAMDB.IDMRW in both stage and production.

2/4/15 - Remove ITS10 Stream

As part of database rationalization, the stream from IDDB.IDMRW to ITIS10.IDMRW will be removed and the ITIS10.IDMRW schema deleted.

1/30/15 to 1/31/15 - OS-Level and DB Patching

The OS will be patched on all of the SailPoint Production application servers. In addition, the OS on the SailPoint Production database server as well as the Oracle Database (IIQPRD) itself will be patched.

1/28/15 - Summary: PI-2, Sprint 3

A summary of objectives completed during the third sprint of Program Increment 2, which ended Jan. 28, follows.

IDM Team:

  • Changes to SailPoint IIQ to accommodate new HarvardKey-related schema
  • Development of Google connectors for FAS (next sprint QA)

PIN Team:

  • Continued development on the Alumni account management application
  • Added customer-requested attributes for release in SAML assertion

Green Ocean Team:

  • Alumni-specific business logic added to Identity API
  • Engineering automated integration testing

Cloud and DevOps Team:

  • Rebuild of QA and stage stacks for H-LDAP in new cloud VPC
  • Security scan done of H-LDAP (in preparation for move to prod)
  • Changes to H-LDAP to accommodate new HarvardKey-related schema

1/26/15 - Decommission PIN3 Servers

Decommission PIN3 servers after achieving our goal for all PIN3 webgates to be decommissioned by the end of January 2015.

1/12/15 to 1/16/15 - Refresh IDM Staging Data with Production

Stage environments unavailable.

Schemas: IDMRW, IDMRW2, IDCARDDATA, IOMGR, PACSDATA, HUIDA

Highlights:

  • Import/export schedule will be suspended in stage
  • Web applications and web services will not be able to connect to the back-end stage database
  • LDAP in stage will not be affected
  • Snapshot of production data will be taken on Monday, Jan. 12
  • Load of production data to stage will occur between Tuesday and Wednesday, Jan. 13-14
  • To reset our exports in stage so they function as expected, we will be generating zero-day files, currently planned for Thursday, Jan. 15

1/15/15 - Summary: PI-2, Sprint 2

A summary of objectives completed during the second sprint of Program Increment 2, which ended Jan. 14, follows. Note that this sprint was extended (from an end date of Dec. 17 to Jan. 14) due to Harvard's winter recess.

PIN Team:

  • Reconfigured IDP to use the SHA-2 algorithm (maintaining Harvard's InCommon Bronze certification)
  • Progress on account management, including work to read new Alumni data from IdDB

IDM Team:

  • Work on Google connectors and H-LDAP configuration in IIQ
  • Investigation into Waveset performance issues

Cloud/DevOps Team:

  • Set up CloudWatch and change log in H-LDAP; schema applied
  • Created ACLs on IAMDB and wrote application
  • Proof-of-concept work on several IAM applications regarding migration to cloud

Green Ocean Team:

  • Completed DB rationalization work in dev environment
  • Continued work on Identity APIs – applying further logic and enhancements

1/14/15 - AD-API 2.0

  • Create Identifier, if needed, should allow for relaxed attribute entry (last 4 digits of user SSN is no longer required)
  • Match response should block IDs with Last Name of "Duplicate Of"
  • Match response should block IDs beginning with zero

1/6/15 - Reconfigure IdP to Use SHA-2 Algorithm

Reconfigure the Harvard IdP to use SHA-2 algorithm in order to maintain InCommon Bronze certification.
Note: Hard deadline is Jan. 15, 2015 for production.

Acceptance Criteria:

  • IdP reconfigured in PROD environment

2014

12/18/14 - Summary: PI-2, Sprint 1

A summary of objectives completed during the first sprint of Program Increment 2, which ended December 18, follows.

IDM Team:

  • Started work on changes required by revisions to Google API
  • Continued tuning work on IdentityIQ and preparing for new groups functionality

Green Ocean Team:

  • Alumni data model deployed to production
  • Continued enhancements to API for sharing

PIN Team:

  • Continued work on Account Management application
  • Assistance for PIN3 migration
  • Configured PIN for authentication against data model changes

Cloud/DevOps Team:

  • Hardening of Harvard LDAP
  • Preliminary exploration for moving SailPoint to Cloud

12/3/14 - Program Increment 1 Summary

The first IAM program increment, PI-1, was made up of six two-week sprints running from Sept. 10 to Dec. 3, 2014. Key achievements for this PI, listed by objective, follow. You can also download the PI-1 demo slide deck here.

Objective 1

Implement data model to support migration of HMS and Alumni.
Demonstration:
Migrate Alumni data into IdDB
Benefits:

  • Person’s identity remains constant throughout the lifecycle of affiliation with Harvard
  • Expanded common person data model provides new options for internal service providers to expand access to resources for Alumni

Objective 2

Develop data migration methods.
Demonstration:
Provision O365 for HMS and import Alumni data via Identity API
Benefits:

  • Enable provisioning of HMS users to Office 365
  • Enable provisioning of Alumni users for authentication and access to resources

Objective 3

Prepare to enable the development of account management (note: this objective was revised slightly after the start of PI-1).
Demonstration:
SailPoint aggregating user data from multiple sources and self-service process for claiming a new account that integrates with SailPoint/IIQ
Benefits:

  • Self-service user onboarding for account creation, able to be deployed flexibly by Schools and departments
  • Unified process for employees, students, and POIs that will be consistent across Harvard, resulting in less user confusion and improved Service Desk support

Objective 4

Network design to support cloud migration (note: this was originally a feature under Objective 2).
Demonstration:
Presentation on LDAP
Benefits:

  • New LDAP provides the ability to house all credentials for Alumni and other schools

Other Accomplishments During PI-1

  • Deployed FindPerson API for SIS Wave 0
  • Deployed new Connections API and ‘Facebook Printing’ capability for HLS
  • Deployed new PeopleSoft import for all Schools per Provost’s request

PI-1 Objectives, Acceptance Criteria, and Features

The original objectives, acceptance criteria, and features for PI-1 are listed below for reference.

Objective and Acceptance Criteria / Feature(s)

1. Implement data model to support migration of HMS and Alumni
   Acceptance criteria: At the end of PI, demonstrate the migration of a single record into IdDB from each of these sources.
   Features:
     1. Data model needed for Alumni
     2. Data model needed for HMS
     3. Move IdDB to the cloud

2. Develop migration methods
   Acceptance criteria: At the end of PI, start migrating records for Alumni via a reusable process, and build an interim O365 migration method for HMS.
   Features:
     4. New LDAP in the cloud to support migrations
     5. API definition (Identity Service) needed for Alumni
     6. Intermediary bridge solution for HMS O365 migration

3. Prepare sufficiently to enable claiming/provisioning in PI-2
   Acceptance criteria: At the end of PI, be able to have staged all requirements to implement provisioning by the end of PI-2.
   Features:
     8. Claim app supports use cases
     9. IIQ API to set username, password, and immediate provisioning

4. Implement credential management (password reset, credential recovery) in IIQ
   Acceptance criteria: At the end of PI, IIQ-provisioned users will be able to manage credentials using IIQ.
   Features:
     11. Enable University AD users to change passwords via IIQ

Additional Commitments:
  • Prepare to support O365 migration for University
  • Prerequisite for Alumni and HMS IIQ connectors
  • Stabilize IIQ foundation release
  • Complete development for new requirements for InCommon Bronze self-certification (October)
  • Complete integration testing for PeopleSoft import changes
  • Deploy ID API stabilization release to support SIS/support SIS integration testing

11/20/14 - Summary: PI-1, Sprint 5

A summary of objectives completed during the fifth sprint of Program Increment 1, which ends November 20, follows.

Green Ocean Team:

  • Integration testing completed for PeopleSoft
  • New schema created for testing of IDMRW/IDMRW2

IDM Team:

  • Continued implementation of Harvard LDAP (formerly known as Cloud LDAP)
  • Stopped provisioning to Postini from Waveset
  • Addressing SailPoint IdentityIQ audit findings

PIN Team:

  • Continued work on the Account Management application
  • Deployed enhancement to PIN/CAS for InCommon Bronze certification

Topaz Team:

  • FIM work in P-1 environment (throttling, QA)
  • IdDB sync logs ready for DevOps

11/6/14 - Waveset Stabilization Release

Waveset Stabilization Release CHG0011148 has been approved for 11/06/14, starting at 6:30 p.m. and ending no later than 10:30 p.m. All customer-facing servers are cycled individually, so no downtime is expected.
 
After reviewing the results of testing performed in lower environments, Waveset product owner Ken Schwartz has signed off on the results and authorized a deployment to production. The deployment will be performed by Erin Rankin and Michael Trenc, with assistance of other individuals as required.
 
Business Drivers:
(1) Modify UPN logic
(2, 3) Fix identified bugs
(4) Switch from Postini to Google Vault
 
Scope

  1. Update UPN black list to include two additional domains: sdac.harvard.edu and hmc.harvard.edu
  2. Prevent creation of user names greater than 20 characters
  3. Address random assignment of UPN to unrelated account
  4. Disable Postini 

Please feel free to contact Ken Schwartz with any questions or concerns. Additional notifications will be posted as needed.

11/5/14 - Summary: PI-1, Sprint 4

A summary of objectives completed during the fourth sprint of Program Increment 1, which ends November 5, follows.

Green Ocean Team:

  • Work on processing changes needed for new PeopleSoft data import
  • Continued development for APIs for Alumni project, including producing a developer’s guide

IDM Team:

  • IIQ Build 19 into production (enhancements, bug fixes and some future positioning work); detailed on the IAM Knowledge Base wiki (PIN-protected)
  • Configured SailPoint IIQ to connect to Cloud LDAP

PIN Team:

  • Installed final elements to support InCommon Bronze certification in both CAS and IdP
  • Continued work on account management application (including both claiming and credentials)
  • Cloud LDAP deployed

Topaz Team:

  • Requirements documented for O365 support and provisioning
  • Deployed IdDB sync to prod

11/4/14 - IIQ Stabilization Release

A stabilization release for SailPoint IIQ (CHG0011150) has been approved for 11/4/14, starting at 6:30 p.m. and ending no later than 10:30 p.m. All customer-facing servers are cycled individually, so no downtime is expected.
 
After reviewing the results of testing performed in lower environments, IIQ Product Owner Ken Schwartz has signed off on those results and authorized a deployment to production. The deployment will be performed by Erin Rankin and Michael Trenc, with assistance of other individuals as required.
 
A recap of information is located on the IAM Knowledgebase wiki (password-protected) at https://wiki.harvard.edu/confluence/display/IAM/SailPoint+19.
 
Please feel free to contact Ken Schwartz with any questions or concerns. Additional notifications will be posted as needed.

10/23/14 - PI-1 Midway Report

At the midway point of the IAM program's Program Increment 1 (October 22, 2014), we are pleased to announce completion of the following program objectives. Please contact IAM Community Program Manager Gretchen Grozier with questions or for more details, and watch this space for further updates on items deployed during the remainder of PI-1.

Green Ocean Team:

  • Data model for Alumni moved to stage (P-1)
  • APIs under development
  • Finalized functional specification document for Alumni data import

Topaz Team:

  • FIM deployed to production
  • HMS Bridge moved to stage (P-1)

PIN Team:

  • LDAP moved to the cloud with IdDB (continuing testing)
  • Continued development of account management

IDM Team:

  • SailPoint IIQ stabilization work continuing
  • Completed Office 365 migration tool support

10/8/2014 — Summary: PI-1, Sprint 1

A summary of objectives completed during the first sprint of Program Increment 1, which ends October 8, follows.

Green Ocean Team:

  • Data model for Alumni finalized
  • Preliminary functional requirements for APIs (person/role/address) created

Topaz Team:

  • Further requirements gathering for HMS
  • IdDB sync infrastructure defined

PIN Team:

  • Work on claim app base rules continued
  • Proof of concept (POC) of claim app and IIQ integration
  • Created POC instance of IdDB in the cloud

IDM Team:

  • SailPoint IIQ stabilization release work completed
  • Community membership structure created

10/2/2014 - Print-Ready Connections View

Additional functionality was added to the Connections internal directory to enable a "print-ready" view of search results.

8/16/14 - SailPoint IdentityIQ Foundation

Update — 8/18/14:

This weekend, the IAM team successfully deployed the foundation release for our SailPoint IdentityIQ provisioning project. This release represents the first step toward providing common integration across the many identity stores across the University, and specifically manages the migration of provisioning of the University Active Directory (AD) using IdentityIQ. This is a major milestone for the program – the core provisioning infrastructure is now live! The initial provisioning run completed with a success rate of more than 99.9%, and has successfully performed more than 7000 updates. Our next steps include supporting the SIS production go-live and provisioning all Office 365 consumers.

8/14/14:

The SailPoint IdentityIQ foundation release will take place the weekend of Aug. 16, 2014. The scope of this release includes migrating provisioning of the University Active Directory (AD) from HUIT’s Oracle Waveset instance to a new enterprise provisioning solution, SailPoint IdentityIQ. This release is a major milestone for the program: full production deployment of the data infrastructure for the SailPoint system, a provisioning connector, and administrative user access to the IdentityIQ console for IAM and Support Services staff. Please note that in this phase, no change is visible to end users – this release is a back-end platform change to lay the foundation for expanded provisioning in the coming year.

During the transition from Waveset to the new SailPoint tools, the provisioning of updates and new accounts will be paused. Active Directory will not be impacted, and users and applications will be able to use AD with no interruption in service. Once the cutover is completed on Saturday, processing will resume, and systems should be in a normal state for the start of the business day on Monday, August 18. We will send further communication once release activities are concluded, or in the event of an incident. In the event of an urgent need, you can reach Jane Hill personally at any time during the weekend at the numbers below.

For more information about the SailPoint IdentityIQ foundation release, please contact Jane Hill, director of IAM product management (jane_hill@harvard.edu; 617.496.4539 office; 617.599.7617 mobile), or Gretchen Grozier, IAM community program manager (gretchen_grozier@harvard.edu; 617.495.4644 office).

8/15/14: Find Person (Stage)

IAM's Find Person service offering will go live in a stage environment Aug. 15, 2014, and any Harvard unit that currently creates identities is invited to pilot integrating the features into their applications. Work with Harvard’s next-generation Student Information Service (SIS) is already underway as that project moves forward toward its projected initial launch in Academic Year 2015-16.

Find Person makes searching for existing records easier and more accurate, as well as returning better information about potential matching records. It searches the entire main identity database – rather than just IDGen, as with prior functionality – revealing more potential matches and significantly decreasing the possibility of creating a duplicate record. If no potential duplicates are found, Find Person enables creation of a new unique identifier – either a HUID, UUID, or University Active Directory ID (ADID).

This initial version of Find Person includes the ability to find by essential person info (last name, first name, and either the date of birth or the last four digits of a Social Security number), the existing name and birthdate used by IDGen, or a complete Social Security number with conditional birth month and day values. Email and gender will be added by the end of August, and future releases will include fuzzy matching of names (e.g., returning a record for “John Harvard” when searching for “Jon Harvard”).

The service itself is implemented with a RESTful HTTP-based API, so that it can be easily integrated into applications and other services built in any language. Units that are interested in piloting the new Find Person functionality should contact Masha Shoykhet at masha_shoykhet@harvard.edu for more information.

7/9/14 - POI to IDGen

Beginning July 9, 2014, all Persons of Interest (POIs) new to Harvard will be issued Harvard ID (HUID) numbers using the IDGen system. IDGen has a built-in matching algorithm that greatly reduces the incidence of duplicates, while the previous method of issuing POI-specific Harvard ID numbers that begin with a leading zero lacked a programmatic check for potential identity matches. While this may seem on the surface to be a minor change, this adjustment to how HUIDs are assigned to contractors, vendors, tenants of Harvard-owned property, and other sponsored Harvard affiliates is a significant development in the IAM program's ongoing effort to simplify user experience while increasing Harvard's overall security posture. 

For those in POI roles, moving to IDGen assignment of HUIDs means that, because they are given permanent ID numbers from the outset, these individuals will never need to worry about transitioning from one number to another when switching roles or moving to permanent positions. For those working in ID Services functions, the switch eliminates the need to maintain lists of available leading-zero numbers or make time-consuming efforts to manually search for duplicate IDs when on-boarding new POIs. MIDAS will perform an IDGen number lookup for each new POI, as well as attempt to match the new POI’s basic personal information against an existing identity database, thereby significantly reducing the issuance of duplicate IDs. (For the sake of avoiding unnecessary disruption to current affiliates, it will continue to be possible to extend dates for existing POI roles already issued a leading-zero Harvard ID number, but this policy will be revisited at a future date.)

5/13/14 - PIN Reference Site Migration

The PIN Reference help site will move from its location at reference.pin.harvard.edu to its new home at reference.iam.harvard.edu on May 13, 2014.

The links circled in red in the screenshots below will redirect users to the corresponding section on the new reference site:

  • FAQ
  • Help
  • Developer Resources
  • About Us
  • How to Create a Strong PIN
  • About Internet Security
  • Privacy
  • What is a Login Type?
  • What is a Login ID?
  • What is a PIN/Password?
  • New User? Forgot your PIN/Password?


Content has remained largely the same, but may now appear under different headings and/or sections. Therefore, we encourage you to check that your applications do not have any embedded links to the current PIN Reference site. If they do, you should replace those links with URLs beginning with http://reference.iam.harvard.edu.

Note: PIN authentication and self-service will NOT be affected during this release.

4/7/14 - Connections (Internal Online Directory)

Update - the following stabilization releases are scheduled for the week of April 7, 2014:

  • Incremental data update deployed Monday, April 7 (5 p.m.)

  • Stabilization release for the web application scheduled Tuesday, April 8 (8 p.m.)

Initial release of the new Connections internal directory was completed on March 25, 2014, at 8 p.m.

Production deployment of the software and hardware upgrade to HU-LDAP will take place Tuesday, March 18; at approximately 6 p.m., the production service name will be pointed to the new back-end environment to cut over to the new virtual hardware and DS389 software. This timing has been selected to coincide with student spring break, when usage rates are somewhat lower. IAM partners are strongly encouraged to monitor the progress of the release via email and perform health checks on any relying applications immediately after the cutover. Participation in pre-release validation by partners has been happening for several months. Nevertheless, to mitigate the risk of customers encountering unexpected issues after the cutover, we have made arrangements to have the legacy HU-LDAP environment available on a different host name for a limited time.  

The IAM team is excited to complete this first major release in our Directory Services project stream, eliminating a long-standing risk to a key HUIT and Harvard Community service resulting from an aging environment. If you have any questions about the project or release, please contact Jane Hill at jane_hill@harvard.edu, 617-599-7617, or 6-4539.

3/13/14 - HU-LDAP Upgrade

Update - 3/13/14:

Additional information pertaining to the production release:

  1. For customers who wish to switch to the new 389 DS server before we flip DNS, we recommend adding the following entry to your hosts file, which avoids both the need to modify applications and certificate errors before and during the transition:
    128.103.69.62 hu-ldap.harvard.edu
    You can then remove this entry at any time after the release.

  2. While users may encounter small blips, this release does NOT call for an outage and the system is NOT anticipated to go down.

  3. A significant amount of pre-work will be completed before 6 p.m. With this in mind, we expect that the release will take about an hour and those responsible for health-checking customer applications should plan to do so at approximately 7 p.m.
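
One way to audit the temporary hosts-file override from item 1 once the DNS flip has happened, as an added example that is not part of the original release notes. The function names, the sample hosts text, and the 192.0.2.10 address are constructed for illustration; the caller supplies the DNS answer from a direct resolver query, because lookups on the overridden host itself honor the hosts file.

```python
import ipaddress

# Constructed sample hosts file; only the hu-ldap line comes from the release notes.
SAMPLE_HOSTS = """\
127.0.0.1      localhost
::1            localhost ip6-localhost
# temporary override for the HU-LDAP cutover
128.103.69.62  hu-ldap.harvard.edu   # remove after release
10.0.0.5       app01.example.internal app01
not-an-ip      broken.example.internal
"""


def _norm_name(name):
    """Hostnames are case-insensitive; a trailing root dot is equivalent."""
    return name.lower().rstrip(".")


def parse_hosts(text):
    """Return {hostname: [addresses in file order]}, skipping malformed lines."""
    pins = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()  # drop full-line and inline comments
        if len(fields) < 2:
            continue
        try:
            addr = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue  # first field is not an IP address: ignore the line
        for name in fields[1:]:  # canonical name plus any aliases
            pins.setdefault(_norm_name(name), []).append(addr)
    return pins


def audit_override(hosts_text, hostname, dns_addresses):
    """Classify the hosts-file state for one name against the real DNS answer.

    Returns (state, pinned_address) where state is:
      "none"      - no override; the host follows DNS
      "redundant" - override equals DNS; the flip is done and the entry can go
      "active"    - override differs from DNS; the host is bypassing DNS
      "conflict"  - the name is pinned to more than one address
    """
    pinned = parse_hosts(hosts_text).get(_norm_name(hostname), [])
    if not pinned:
        return ("none", None)
    if len(set(pinned)) > 1:
        return ("conflict", pinned[0])
    dns = {str(ipaddress.ip_address(a)) for a in dns_addresses}
    if pinned[0] in dns:
        return ("redundant", pinned[0])
    return ("active", pinned[0])


if __name__ == "__main__":
    # Before the flip DNS still returns the legacy address (constructed value).
    print(audit_override(SAMPLE_HOSTS, "hu-ldap.harvard.edu", ["192.0.2.10"]))
    # After the flip DNS returns the new server, so the entry is redundant.
    print(audit_override(SAMPLE_HOSTS, "hu-ldap.harvard.edu", ["128.103.69.62"]))
```

An "active" result long after the release date marks a host that would keep using the pinned address even if the service later moved again.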

Update — 3/11/14:

LDAP customers have been notified that the HU-LDAP production release will take place Tuesday, March 18 at 6 p.m.

A conference bridge at 866-890-3820 will open at 5:45 p.m. and remain open until at least 8 p.m. for customers to report any issues. The bridge password is 221 841 33. Issues should also be emailed to ithelp@harvard.edu and directory_services@harvard.edu. Please provide the name of a point person for the team assigned to perform health checks of customer applications after release completion.

Update — 2/10/14:

LDAP customers have been invited to connect to and run queries against production HU-LDAP in preparation for production release scheduled for March.

Update — 12/24/13:

LDAP customers have been invited to test again following additional work performed on the indexes Dec. 23 resulting in improved query performance.

Update — 12/23/13:

LDAP customers have been notified that

  • they can resume testing efforts in stage
  • they should test connectivity to production instances, as ACLs in production environment have been completed
  • release schedule is modified, with AuthLDAP now scheduled for release Jan. 9 and HU-LDAP to follow the week of Jan. 13 pending additional validation in stage

Update — 12/19/13:

LDAP customers have been notified that both instances of stage LDAP (Auth and HU) will be unavailable for testing while the development team works through issues identified during earlier testing.

Update — 12/16/13:

LDAP customers have been notified to resume testing following the previous week's redeployment to stage, which rendered both HU-LDAP and AuthLDAP stage unavailable on 12/12 and 12/13.

Update — 12/13/13:

HU-LDAP stage came up mid-morning and was available for testing. 

Update — 12/11/13:

Stage HU-LDAP and AuthLDAP environments were down for maintenance. An email notice was sent to the ldap-user mailing list notifying them of an outage for the entire day in order to address the issues in the previous update.

Update — 12/10/13:

Some LDAP users have reported issues with a small number of queries. ServiceNow tickets have been opened and are being worked by our group. 

Update — 12/05/13:

Anyone using the new AuthLDAP test instance should note that the password policy has not yet been loaded. The impact on testing is that password lock-out will not take place; password changes/resets will not take effect; and password phase enforcement is not yet in place.

Update — 12/04/13:

The DNS flip has been completed for HU-LDAP.  All current stage customers are asked to begin testing. An email from Directory Services with instructions will be sent out shortly. All LDAP customers that responded with their server details should already have received a request to telnet to the new HU-LDAP test instance at 128.103.69.52. Any connectivity issues are being tracked in ServiceNow. 

Update — 12/2/13 :

The new AuthLDAP test instance is currently available for customer testing.

The new HU-LDAP test instance is currently being tested by the IAM team. Customers will be invited to test by the end of this week.

11/22/13:

Dear LDAP customers and stakeholders:

IAM is in the process of rolling out an important infrastructure upgrade of our LDAP environment. Migration to the new servers will be taking place in P-1 (stage) in December, with the production migration after the holidays. This upgrade includes migrating to a 389 directory server from the old Sun Directory Server product. More technical information on the 389 directory server can be found here. We will hold a meeting on Nov. 12, 2013, at which we will provide a more detailed update about our plans for LDAP in upcoming months. 

In preparation for the migration, we need information about your servers that currently connect or will connect to HU-LDAP and/or AuthLDAP; this enables us to update the ACLs to ensure access. We are sending this message to our full user list to ensure we reach everyone. However, please coordinate within your team to send one spreadsheet in response to this request for information for each user account that is used to log in to HU-LDAP. Please download this spreadsheet template, rename it accordingly, and return to Directory Services at directory_services@harvard.edu no later than November 15, 2013. 

The cutover to the new servers will be accomplished via a DNS flip on a set date, and it is very important that all teams have tested their use of HU-LDAP in Stage. With this in mind, please proceed as follows:

1)     Provide the current ACL information, even if there is no change from your existing environment

2)     Test connectivity to the new servers (instructions will be provided at a later date)

3)     Confirm that you can query the new instances with your current query software (confirm compatibility with DS389)

As always, you can write to ithelp@harvard.edu with any questions, or open a request with our team through ServiceNow. Please watch this space for additional information as the project moves forward.  

Reminder: The stage HU-LDAP hostname is hu-ldap-test.harvard.edu on port 636.

1/16/14 - AuthLDAP

AuthLDAP Stabilization Period Status Update — 2/10/14: 

The release was a success. Actual release activities unfolded as planned in the time allotted on 1/16/14.  Subsequently, there have been no incidents related to the AuthLDAP instances. 

Update — 1/6/14:

Two releases related to authentication services are planned for this week and next. Please note that these upgrades do not require PIN-registered applications to make any changes. 

  • Tuesday, Jan. 7, after 8 p.m.: As previously announced, login options for one-way federation will be added to the PIN system.
  • Thursday, Jan. 16: Upgrade of the back-end LDAP used by PIN and XID starts. The release will not cause any interruptions to authentication for end users, but PIN and XID self-service will be offline for several hours so that password data can be copied to the new instances.

More detail about the releases is as follows:

  • Authentication LDAP will be moved to new virtual hardware, and the outdated Oracle (Sun) directory server software will be replaced with a version of OpenLDAP (389 Directory Server).
  • All PIN-based authentication services are being tested by the IAM team; there is no need to test your web applications.
  • Cutover to the new production instances will take place off-hours:
    • New production environments will be validated before service hostnames are changed to point to new services
    • Any unexpected failures of the new system can be addressed quickly by reverting to the legacy environment
    • Conference bridges will be open during the release events to ensure communication and immediate response to any incidents reported by stakeholders or customers. Bridge information will be published on the day of release.

For more information, or to report any questions or concerns, please contact Jane Hill at jane_hill@harvard.edu.

1/6/14:

The AuthLDAP release previously scheduled for this week has been rescheduled to Thursday, Jan. 16 to allow additional time for testing and validation. This effort has taken longer than expected due to the complexity of the environment and related setup. One-way federation will be released Tuesday, Jan. 7, as originally announced.

  • Note that this LDAP release will not cause any interruption to authentication by PIN system end users
  • PIN and XID self-service will be offline for several hours so that password data can be copied to the new instances
  • Actual cutover to the new production instances (a DNS change) will take place off-hours
  • Release scope includes a hardware upgrade and replacement of the Oracle (Sun) directory server software with a version of OpenLDAP (DS389)

The HU-LDAP upgrade release is also being rescheduled; a revised date will be announced later this week.

For more information, or to report any questions or concerns, please contact Jane Hill at jane_hill@harvard.edu.

1/7/14 - PIN2 Authentication: One-Way Federation

One-Way Federation (OWF) is an enhancement to Harvard's PIN2 authentication system. OWF allows users to choose a type of login ID when logging into PIN-protected applications instead of forcing the use of a HUID/password pair.

Learn more about OWF, including a case study and FAQs, in the Getting Started with One-Way Federation guide.