Office of Admin and Finance Image

Guidelines for Deploying Middleware Services

Introduction

The current implementations of new Customer Services Systems at several USM institutions present a unique opportunity to design a middleware infrastructure that serves both campus and inter-institutional needs. One of the core technologies encompassed in a middleware infrastructure is a common directory service.

A comprehensive infrastructure that enables network-based systems, services, and applications to function in a consistent way within the institution is a critical step towards insuring an environment that is simpler for users to access information resources and is easier to support. Among the immediate advantages for an institution are fewer user ID / password pairs (later Single SignOn), systems that function cooperatively, as well as potentially common processes for authorization to systems and resources.

This comprehensive infrastructure similarly can benefit the USM, by enabling applications, systems and services to be accessed in common ways as well as to establish a well defined set of tools and systems for reconciling identity, managing authorizations, and coordinating activities among USM institutions.

Potential benefits and applications

  • Library patron management

Currently, the Libraries must negotiate with and collect information from the databases maintained by each institution individually. As the PeopleSoft HR and SA applications are implemented at each institution, these applications will need to provide the required information to the library patron database.

In the long-term, campus and inter-institutional middleware services have the potential to significantly simplify this process by providing the needed patron identification services to the library system.

  • ID management for campus application services

As systems and services become more distributed, there is a need for a centrally supported identity management system. Such a system is used to establish a unique identity for each individual at an institution and to share that information with authorized systems and services, so as to establish a common identity that may be shared among disparate systems, services and applications.

  • Universities at Shady Grove

All USM institutions intend to offer classes at the Universities at Shady Grove. Potentially, students could enroll in classes at more than one USM institution. In such cases, immediate access to affiliation information would be very valuable.

  • Distance Education

At most USM institutions, electronic services are provided with a focus on students earning a degree. With the rise of distance education, it is expected that many more non-traditional learners will enroll in courses from one or more institutions for career or life-style enhancement and without the expectation of working toward a degree. Identifying and providing services for these peripatetic, ad hoc students will be facilitated by a middleware infrastructure that provides identification, authentication, and authorization services.

  • Other collaborative projects

One of the most frequently used services currently for a people identifier directory service is standard white pages directory information (email address, location, phone number). Currently, much of this is only kept current on individual campuses. A USM-wide white pages directory should be an early collaborative service.

Many licensed materials require authenticated access. While many licenses are institution-specific, it is envisioned that leveraged purchasing will increase. Thus, some USM-wide authentication service will likely be developed. In a similar vein, access to campus Intranets from a host outside of the campus domain is often arbitrated by a Proxy Service. Validating that an individual from another institution might be eligible for access to an Intranet could be another collaborative project supported in part by this directory service.

  • Encrypted email, Digital Signatures

Among the drivers for common directories is the ability to identify individuals. Equally important is the ability to identify with certainty that a particular document was created and/or approved by an individual whose identity can be verified. The directory is a necessary precursor to supporting a Public Key Infrastructure (PKI). In addition to supporting Digital Signatures, PKI also provides mechanisms for document encryption.

  • Other than people related information

It should be noted that most of the discussion in this document relates to information about people with affiliations with USM institutions. The LDAP technology can as easily support information about places and objects. For example, it would be possible to use the directory to hold course equivalency information, common vendor information, shared network resources, and more.

 

Architectural Phases

Phase I

Campus infrastructure - The build out of a middleware infrastructure must start at the individual institution. The source of any commonly accessible information must start with the information held by each institution. Even though the end-game is for a cooperative system wherein systems, information and other resources may be shared, there is significant value to each individual institution to construct its enterprise directory. Such a directory is the key piece of the infrastructure. The exercise of establishing the directory can help clarify numerous institutional processes and will likely raise a number of policy issues that will need to be addressed.

Phase II

System-wide identity reconciliation - In order to share systems, information and other resources among several participating organizations, there must be an ability to uniquely identity each individual across the participating organizations.

Phase III

Shibboleth Clubs, roles and PKI - The end-game in this effort is the creation of a cooperative collection of organizations that can share information and resources. Shibboleth provides a technical way to accomplish this. Among the features and capabilities that are desired is the ability to grant access to a shared resource (housed at a remote institution) based on the relationship of an individual to the home institution along with a negotiated relationship between the two organizations.