Week notes (2017-12-04 – 2017-12-08)

I thought I'd try this weeknotes thing. I guess if I can remember my history, I won't be doomed to repeat it. Plus, it might be cathartic.


Monday started with unpacking after I was moved office over the weekend. The department has recently restructured our Infrastructure Services group, and wants to put team members in newly formed teams in adjacent offices. Our team (the Identity and Access Management team) is now spread a bit further apart, but at least is no longer in the attic with doorways to duck through.

I also read some of my new book on Kubernetes. My line manager has been enthusing about Docker, so I'm getting to grips with that too. As we investigate IdM solutions, it's handy being able to get a containerised version up and running quickly to prod.


While cycling in on Tuesday, I had a Stagecoach bus driver straddle two lanes as he overtook when I was in the left-hand lane. There was no reason the driver couldn't have overtaken entirely in the right-hand lane, as there was no traffic up ahead. When I caught up with the bus at the Cutteslowe Roundabout and asked the driver to give more space, he said he had given me three foot, which was "plenty" and that he straddled the lanes so he could pull back in. Told Stagecoach about it, cc'd Cyclox.

At work, there was more reading of the book and prodding IdMs (mainly WSO2's Identity Server). I think by this point I also had a single-node Kubernetes cluster running in a VM, courtesy of minikube. Looking neat so far. Hoping that it'd provide a good way to build a test IAM landscape to play with.

Also provided a bit of support to a comms person who wanted something changed in OxPoints, our organisational and physical estate linked open dataset.


Today was the last day for our IdM Core Project project manager. There was eating of cake from Patisserie Valerie.

Team meeting. As the basis of our web SSO solution (Webauth) reaches end of life, it looks like the migration project is beginning to splutter into life as far as project management is concerned. Migration could be as simple as having Shibboleth talk directly to our Kerberos infrastructure, communicating well, and hand-holding current services off the old WebKDC, so it might seem odd to encapsulate it in a project.

In prodding WSO2's Identity Server, I'm reaffirming my feeling that it and its ilk still don't fit the gap we have around identity data management and related processes/workflows/lifecycles.

Had an encouraging conversation with another IAM team member about how our IdM Core project should have gone, with more playing and experimentation, and a more agile approach to the whole project. This doesn't mean that we should have forgone requirements analysis and baselining, but that once we reached a certain point we should have been confident enough to start trying something out and putting it in front of users to say "would something like this work for you?". One or both of us also had reservations about another (open-source) IdM product we'd been looking at, but I don't think I can adequately express them here.


Work-from-home day, but I came in for a meeting anyway.

At a bit of a loss for things to do. Installed MidPoint. Read through the SCIM documentation and specifications, trying to work out how it would fit with what we want. We're trying to distinguish between users (people) and accounts, and a lot of IdMs and related specifications (including SCIM) appear to conflate them.

Got given IT Services chocolate, featuring our strapline "Delivering innovative and responsive IT to the University of Oxford". Thought that there's too much risk aversion here, stifling both of those adjectives.


Met a colleague for coffee to discuss IdM and the project; encouraged.

Another meeting about implementation approach for the project (3b of 6). It's becoming increasingly clear that there are so many unspoken assumptions and preconceptions about what we {are,should be,plan to be} doing and the scope of each component. I've been arguing that we ought to develop an Identity Data Management application in-house, which we might later plug into an off-the-shelf IdM that does all the boring standard stuff. This has scared people, who think (rightly) that developing an IdM "from scratch" is a huge undertaking and reinventing the wheel. So instead we can either "hide it in the integration" between our upstream systems of record and the IdM, or call it something different and so be clearer about its scope, e.g. "profile management", "MDM for identities". Hiding it in the integration seems a bit devious, and means you've got to acquire an IdM up-front, which might be cart-before-horse (get the data sorted first, then start doing something with it). I need to write this up properly.


Calmer than last week. The useful bits (communication, building shared understanding) have been in the meetings.

Informal meetings with colleagues over coffee: 3