Grand Canyon University (GCU), a private Christian college, has increased enrollment more than tenfold since 2003. Prior to 2010, GCU used a mix of manual processes and limited automation to provision and manage user accounts, resulting in more and more work for the IT department as the university has continued to grow. GCU adopted an identity management strategy based on Microsoft Forefront Identity Manager 2010, which, with help from Ensynch, a Microsoft Gold Certified Partner, the university now uses for managing identities, credentials, and identity-based access across more than a half-dozen applications. An integrated solution for identity management has resulted in faster account provisioning; enhanced security; improved access to employee information; a more satisfactory experience for students, faculty, and staff; and a significant reduction in IT workload.

Situation
Phoenix, Arizona–based Grand Canyon University (GCU) is a private, accredited Christian college. Founded in 1946 by the Baptist General Convention of Arizona, GCU offers online and campus-based bachelor-, master-, and doctoral-degree programs. The university is recognized as a leading provider of online education by sources that include Fortune Small Business magazine, Technology & Learning magazine, and the Online Education Database.
From its founding until 2003, GCU operated as a traditional nonprofit college. In 2004, private investors acquired GCU and converted it to a for-profit institution. Since then, the university has enhanced its senior management team, expanded its online platform and programs, and initiated a marketing and branding effort to further differentiate itself—part of an overall strategy to support profitable, sustainable growth while bringing value to students, employees, and investors. If enrollment figures are any indication, that strategy has been successful; GCU has increased enrollment from approximately 3,000 students at the end of 2003 to more than 41,500 students at the end of 2009.
Like most universities, GCU relies on several systems and applications to support the business of education. UltiPro, a cloud-based solution, supports human resources (HR). Microsoft Dynamics CRM is used to track potential students. GCU uses the Blackboard ANGEL learning management system for online classes, and it uses the CampusVue student information system to manage and deliver information on student data, degree programs, and academic records. Student and faculty email is hosted by Microsoft Live@edu, staff email is provided by Microsoft Exchange Server 2007, and GCU uses FM:Space to track space allocation at its facility and handle physical moves. Many of these applications rely on Active Directory Domain Services—a feature of the Windows Server 2008 R2 operating system—for authentication and access rights. The university maintains two Active Directory service forests: STAFF, which houses staff and faculty accounts, and STUDENT, which houses student accounts.
As GCU has grown, so has its need for a comprehensive identity management strategy. Prior to 2010, the provisioning, deprovisioning, and management of staff accounts were supported by manual processes. HR would enter new employee information in UltiPro, and then manually generate a trouble ticket for the IT department. In turn, IT staffers made the necessary adjustments in about a half-dozen different systems and applications by hand. As enrollment at the university has grown, so has the IT department’s identity management workload.
“We couldn’t keep up with the workload, even with two people devoted to such efforts,” says Dan Cotterman, Director of IT Infrastructure at GCU. “Processing requests from HR took up to a week, resulting in new hires sometimes showing up for work before their accounts were ready and presenting security risks with respect to terminations. In addition, because our global address list [GAL] only contained first name, last name, and email address, people had no easy way of determining someone else’s department, title, or office location. Of course, all of these manual processes sometimes resulted in duplication of effort and errors in data entry.”
Provisioning of student and faculty accounts was somewhat automated, albeit in a way that was difficult to support or extend. Information on new students flowed from Microsoft Dynamics CRM through Microsoft BizTalk Server 2009 into CampusVue. The IT department then used a custom tool called Accounts that was developed by a consultant to provision accounts in Live@edu, CampusVue, and the STUDENT Active Directory forest. The Accounts tool, which was based on PHP and ran on Apache, used a number of complex Perl scripts for import and export. It also provided web-based password reset capabilities for the STUDENT Active Directory forest and Live@edu.
“The Accounts tool was a custom application based on technologies we don’t typically use, which made it hard to maintain and virtually impossible to extend,” says Cotterman. “Our goal was to move toward a single, integrated solution for identity management—one capable of supporting all our identity management needs across students, faculty, and staff.”

Solution
Grand Canyon University adopted an identity management strategy based on Microsoft Forefront Identity Manager 2010, a comprehensive solution for managing identities, credentials, and identity-based access policies across heterogeneous environments. “We identified the leading vendors of identity management solutions—including Microsoft, Oracle, and CA Technologies—and evaluated their offerings in the context of our current technology stack and skill set,” says Cotterman. “Microsoft came out on top in all areas, including ease of implementation, ease of management, and costs. Identity management solutions from other vendors were 5 to 10 times more expensive and would have required additional training to augment our IT skill set.”
After selecting Forefront Identity Manager in January 2010, GCU set out to find a capable implementation partner. The university chose Ensynch, an Insight company and a Managed Microsoft Systems Integrator (SI) and Gold Certified Partner, for Identity and Security, which has multiple Microsoft Forefront Identity Manager MVPs on staff. “Ensynch did a great job,” says Cotterman. “One area where Ensynch really excelled was in helping us communicate with stakeholders across the business—for example, by helping us explain why we were asking for certain things and the benefits that stakeholders would receive.”

A Phased Approach to Implementation
To quickly begin delivering results, GCU decided on a phased approach to implementation. In phase one, which focused on improving identity management for staff, the university used Forefront Identity Manager to:
- Automate the application of changes to the university’s STAFF Active Directory forest and Microsoft Exchange Server 2007 infrastructure based on changes made by the HR department in UltiPro.
- Populate the GAL with information—such as department, title, supervisor, and office location—from FM:Space.
Work on phase one began in March 2010 and took just over four months. During the first four weeks, Ensynch led GCU through an infrastructure optimization assessment process, which helped uncover the real business drivers for the project and led to a roadmap on how to progress. The design phase that followed took five to six weeks, after which the project team spent approximately eight weeks building and testing the solution before deploying it in July 2010.
With phase one complete, GCU had successfully automated identity lifecycle management for staff. Phase two focused on expanding the use of Forefront Identity Manager to manage the identity lifecycle for students and faculty—including the orchestration of changes to user accounts in Microsoft Dynamics CRM, CampusVue, Live@edu, and the STUDENT Active Directory forest.
Although it could have implemented phase two using only Forefront Identity Manager, GCU decided to retain BizTalk Server as a solution component. Cotterman explains the logic behind that decision: “We were already familiar with a service bus approach based on BizTalk Server. We could have used Forefront Identity Manager to connect directly with all target systems, but it would have required having Ensynch build the necessary connectors. By using Forefront Identity Manager for policy enforcement and BizTalk Server for integration, we can bring additional systems and applications into the fold using existing IT skills.”
To meet the university’s needs, Ensynch extended Forefront Identity Manager by using an open-source, community-supported solution from CodePlex to provide enhanced reporting (see fimdpe.codeplex.com). Ensynch also implemented more granular role-based access control for applications than is supported out of the box, including access based on:
- Membership in a calculated set, such as all employees in the HR department.
Phase two also included deployment of Active Directory Federation Services 2.0—a downloadable feature for the Windows Server 2008 R2 operating system—to provide single sign on for UltiPro based on users’ domain credentials. “In the past, users in the HR department had to maintain a separate username and password for UltiPro,” says Cotterman. “Today, if a user is logged on to our domain, he or she can click on a link to our cloud-based HR solution and immediately start using it—without having to log on or maintain separate credentials.”
Cotterman sees Active Directory Federation Services as a tool that will quickly be expanded to support single sign on for other hosted or cloud-based solutions. “We rely on Coupa for requisition and procurement management, WingSpan for employee performance management, and Kronos for employee time-tracking—all of which are hosted in the cloud,” he says. “With Active Directory Federation Services, we’ll be able to easily deliver single sign on across all those cloud applications.”

Efficient Automation
Today, the university’s HR system is the authoritative source of information for staff and faculty data. Forefront Identity Manager picks up changes made in UltiPro on an hourly basis and determines what to do with them based on certain employee attributes. For example, staff and faculty get Active Directory credentials, and staff also get an Exchange Server account. Additionally, Forefront Identity Manager extracts information from FM:Space as space assignments or physical moves around the facility are made, using it to populate the university’s GAL. Self-service password reset is available for on-premises staff and is now the primary means of password reset for domain-joined systems.
“Hiring managers automatically receive an email with a new hire’s account information—including account name, email address, and temporary password,” says Cotterman. “Desktop support personnel are notified as soon as a new account is provisioned, allowing for faster setup of that user’s PCs.”

Architecture
GCU implemented Forefront Identity Manager on the Windows Server 2008 R2 Enterprise operating system. Forefront Identity Manager and BizTalk Server both use Microsoft SQL Server 2008 Enterprise database software running on Windows Server 2008 R2 Enterprise for data storage. The Forefront Identity Manager web portal, an out-of-the-box solution component, runs on Windows SharePoint Services 3.0.

Benefits
The university’s adoption of Forefront Identity Manager has yielded several benefits, including faster account provisioning, improved security, and more accurate and complete information in its GAL. These improvements are delivering an improved experience for students, faculty, and staff, who no longer need to wait for access to the university’s systems and applications. The new solution has also resulted in a significant reduction in IT workload—enabling GCU to reallocate two IT staffers to delivering new business value instead of maintaining user accounts. With help from Ensynch, the university has been able to realize all these benefits quickly and cost-effectively.
“We now have a comprehensive identity management strategy—supported by a single, integrated solution,” says Cotterman. “The entire account provisioning process is automated in a predictable, consistent manner, and we couldn’t be more pleased with the way everything is working. We’ve made a major leap forward in terms of IT maturity and are now much better positioned to support the needs of faculty, students, and staff.”

One-Hour Account Provisioning
GCU has greatly reduced the time to provision accounts for new hires, which took up to a week in the past. “Accounts for new hires are provisioned within one hour of that new employee being entered into our HR system,” says Cotterman. “Part of that time savings comes from helping HR optimize their processes; now that they know their actions drive the account provisioning process, they’re entering information on new hires more quickly—not just when they need to process the new hire’s first paycheck.”
Delegation of authority enables privileged HR and administrative personnel to use the Forefront Identity Manager web portal to enter new employees immediately, allowing urgent actions to be fulfilled even more quickly.

Increased Security
Deprovisioning of employee accounts is just as fast, which helps improve security for situations such as terminations. “Terminated employee accounts are also deprovisioned within an hour, and account access can be immediately blocked by HR through use of the Forefront Identity Manager web portal,” says Cotterman. “This improves security for all IT systems and line-of-business applications that use Active Directory Domain Services for authentication. A Forefront Identity Manager workflow handles the rest, including removal of user accounts from Microsoft Dynamics CRM and CampusVue.”

Improved Access to Employee Information
Account information in the university’s systems is now much more accurate. “Today, we have one source of the truth,” says Cotterman. “In the past, issues such as typos and misspellings or changes to an employee’s preferred name—such as William versus Bill—caused reconciliation issues a few times per month. Today, employees can change fields such as preferred name through the self-service portal, and those changes are automatically propagated to all affected systems.”
Employee information is also more complete and accessible. The university’s GAL now includes every employee’s title, department, department code, manager, and office location—all information that was difficult for people to look up in the past.

Reduced IT Effort
The integrated identity management solution is also helping GCU reduce its IT and help-desk workloads. “We’ve reduced the IT effort related to user account maintenance by about 320 hours per month—equivalent to two full-time IT employees,” says Cotterman. “Help-desk calls are also down because staff can now reset their own passwords, change preferred names, and so on.”
With employee attributes, such as specific departments, now included in the GAL, IT personnel are also more efficient at maintaining distribution lists. “In the past, distribution lists were maintained on a user-by-user basis,” explains Cotterman. “Today, those lists can be managed by using groups of employees, such as everyone in the Finance department.”
This IT time savings has enabled the reallocation of existing IT staffing budget to new projects. “The IT time savings we’re realizing with Forefront Identity Manager is like saving [U.S.]$150,000 per year, in that it enables me to reallocate two full-time resources to delivering new business value instead of maintaining user accounts,” Cotterman says.

Improved Experience for Students, Faculty, and Staff
Streamlined account provisioning is improving the user experience for staff, faculty, and students, who now have faster, easier access to all the IT resources they need—from their first day at GCU. “Staff are more productive because their accounts are ready on day one,” says Cotterman. “Our use of Active Directory Federation Services is also making staff more productive because they don’t need to maintain as many user names and passwords for the cloud-based solutions we use.”
Faculty and students are also benefiting from an improved experience. “In the past, although provisioning student and faculty accounts was somewhat automated, it could still take a few days,” says Cotterman. “Today, after a student is enrolled in a class, the necessary user accounts are automatically provisioned in all the right systems. New students receive an email with a temporary password and a link to our web portal, where they can set their own password, get a GCU email address, and, if necessary, return at a later time to reset the password.”

Cost-Effective, Rapid Results
With assistance from Ensynch, GCU was able to quickly and cost-effectively adopt an integrated strategy for identity lifecycle management. Each phase of the project took approximately four months to implement, at a cost of 10 to 20 percent of the amount that solutions from other vendors would have cost.
“Thanks to the guidance and assistance provided by Ensynch, our implementation of Forefront Identity Manager 2010 has been an unqualified success,” says Cotterman. “The largest effort on our part was working with the different departments within GCU to agree on and optimize the associated business processes. There was a little pushback in the beginning because the groups were all busy, but Ensynch did a great job helping us with the use cases and ultimately selling the benefits. All stakeholders are very pleased today, and the IT department has quickly gained additional credibility across the organization.”