
Wednesday, December 4, 2013

Q and A with Arash Forouhari

(Update as of April 21, 2014: ESUP is no longer going live with Oracle's Identity Manager (OIM). Please read this blog post for the most up-to-date information.) 

Last week the Identity Management team agreed to move up their Oracle Identity Manager (OIM) deployment date to Spring, 2014. We sat down with the IdM project director, Arash Forouhari, to get a better idea of what this change in delivery date means for the University.

ESUP: It seems like there are a lot of terms surrounding identity management that may be used interchangeably, but really are different. Can you give quick definitions for Internet ID, OIM, and X.500?

Arash Forouhari (AF): Sure. Internet ID is a unique id created by an identity management system and assigned to each user provisioned in the system. An Internet ID is used to access applications, systems and resources. X.500 ID and Internet ID refer to the same thing but Internet ID is the University’s preferred term.

Oracle Identity Manager (OIM) is the University’s new identity management platform replacing X.500.

X.500 is the term used to refer to the University’s current identity management solution, which has been in production for the last 20 years. When OIM is in place, the University will discontinue using this term.

ESUP: What was the original implementation strategy and how is this new strategy different?

AF: The original strategy was to deploy (OIM) as part of ESUP go-live next fall and decommission X.500 (current IdM solution) at the same time. The new strategy is 4-5 months earlier than we had originally planned. Also, the new deployment model is a controlled, phased approach where the X.500 feeds and downstream systems are moved to OIM from X.500 one component at a time. This reduces risk and allows us to validate components individually.

ESUP: Why did you decide to start earlier?

AF: We changed our approach mainly to reduce the risks of going with a ‘big bang’ implementation. By deploying OIM earlier than ESUP, our team has the opportunity to identify and correct any issues.

ESUP: What are the challenges to launching early?

AF: The main challenge to launching early is keeping two IdM systems (OIM and X.500) in sync. Specifically, processing user data and account creations as applications are migrated from X.500 to OIM with applications that create user accounts in real-time.

ESUP: Will anything look different to the University community?

AF: No, the login screen will look the same. Late next summer the dirtools page (you will need to log in to see the page), where users go to perform Internet ID self service, will look different, but we will communicate those changes in advance.

ESUP: If a college or unit uses identity management data attributes to deliver appropriate content to their in-house computer applications, will they need to update those apps sooner than planned for ESUP?

AF: No. The data attributes consumed by applications are retrieved from our directory servers (LDAP) and the structure and the actual data values will not be changing. The only change will be OIM populating LDAP instead of X.500 which will be transparent to applications and users.
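The two answers above rest on one verifiable claim: downstream applications read attributes from LDAP, and the phased cut-over is safe only while the entries OIM writes match the entries X.500 wrote. The script below is an added example of how a migration team could check that, not tooling from ESUP or the University. It assumes each side can produce an LDIF export of the same user entries; the two exports embedded here are constructed sample data, and the attribute list (uid, cn, mail, eduPersonAffiliation) is an assumption about which attributes consumers depend on.

```python
"""Attribute-parity check between two LDIF exports of the same directory entries."""
import base64
from collections import defaultdict

# Constructed sample exports (not University data): the same two people as
# populated by the legacy system (OLD) and by the new provisioning system (NEW).
OLD_LDIF = """\
dn: uid=jdoe,ou=People,dc=example,dc=edu
uid: jdoe
cn: Jane Doe
mail: jdoe@example.edu
eduPersonAffiliation: staff
eduPersonAffiliation: employee

dn: uid=asmith,ou=People,dc=example,dc=edu
uid: asmith
cn: Alex Smith
mail: asmith@example.edu
eduPersonAffiliation: student
"""

NEW_LDIF = """\
dn: uid=jdoe,ou=People,dc=example,dc=edu
uid: jdoe
cn: Jane Doe
mail: jdoe@example.edu
eduPersonAffiliation: employee
eduPersonAffiliation: staff

dn: uid=asmith,ou=People,dc=example,dc=edu
uid: asmith
cn: Alex Smith
mail: a.smith@example.edu
"""

# Attributes the hypothetical downstream applications consume.
CHECKED_ATTRS = ["uid", "cn", "mail", "eduPersonAffiliation"]


def _unfold(text):
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Parse minimal LDIF into {dn: {attr: set(values)}}.

    Attribute names and DNs are lower-cased because LDAP treats them
    case-insensitively; multi-valued attributes become sets so value order
    between the two exports does not matter; '::' values are base64-decoded.
    """
    entries, record, dn = {}, defaultdict(set), None
    for line in _unfold(text) + [""]:  # sentinel flushes the last record
        if line.startswith("#"):
            continue
        if line == "":
            if dn is not None:
                entries[dn] = dict(record)
            record, dn = defaultdict(set), None
            continue
        name, _, value = line.partition(":")
        name = name.strip().lower()
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if name == "dn":
            dn = value.lower()
        else:
            record[name].add(value)
    return entries


def compare_entries(old, new, attrs):
    """Report entries missing on either side and per-attribute value differences."""
    report = {
        "missing_in_new": sorted(set(old) - set(new)),
        "extra_in_new": sorted(set(new) - set(old)),
        "differences": {},
    }
    for dn in sorted(set(old) & set(new)):
        diffs = {}
        for attr in attrs:
            old_values = sorted(old[dn].get(attr.lower(), set()))
            new_values = sorted(new[dn].get(attr.lower(), set()))
            if old_values != new_values:
                diffs[attr] = (old_values, new_values)
        if diffs:
            report["differences"][dn] = diffs
    return report


if __name__ == "__main__":
    result = compare_entries(parse_ldif(OLD_LDIF), parse_ldif(NEW_LDIF), CHECKED_ATTRS)
    for dn, diffs in result["differences"].items():
        for attr, (before, after) in diffs.items():
            print(f"{dn}: {attr} {before} -> {after}")
    print("missing in new:", result["missing_in_new"])
    print("extra in new:", result["extra_in_new"])
```

On the sample data the report flags one entry: the second user's mail value changed and their affiliation is absent from the new export, while the first user passes because multi-valued attributes are compared as sets rather than in emitted order. Run against real exports, an empty report for every checked attribute is the evidence that a downstream feed can be moved without consumers noticing.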

ESUP: A few months ago, you recorded a video about single sign on. Does any of the information in that video change as a result of this launch date change?

AF: No, this change doesn’t impact our single sign on platform or strategy.

ESUP: Great, thanks for your time, Arash! If you have questions about any of the new functionality coming as a result of ESUP, please let us know. Send us an email at esup@umn.edu.


  1. Can the single sign on approach include the Wellness Plan, and access to StayWell? That is a request that I receive very often! I am the Director of Human Resources with responsibility for Benefits, including the Wellness Plan.

  2. Stay Well is a third-party vendor, an outside company who contracts with the University to offer services. The University's new identity management system is designed to work in a "federated" environment where we can pass credentials and access along to third party systems, but only if that company uses our standard protocol, called shibboleth. We do that with Google today, for example. At this time we do not know when Stay Well will be able to make a "shibboleth" authentication option, but they know about this issue and would like to resolve it for the University community. We have let the business owners of the Stay Well relationship know about your concerns. While this is not, strictly speaking, in scope for ESUP, we are happy to get this question to the business owner.