Details
Dates
Mon 4/3/23
-
Tue 12/31/24
Acct/Dept
Enterprise Applications
Service
Project and Change Management Office / Information Technology Project Request
Type
PCMO Evaluated / Large DoIT Project / Division of IT Project
Classification
Project (20-230 Hours Effort)
Created
Thu 1/12/23 8:14 AM
Modified
Mon 4/22/24 8:27 AM
Divisional VP SupportDoes your divisional VP support this request?
No
Executive Sponsor DivisionThe executive sponsor's campus division.
Information Technology
Is there a mandated or requirement driving this request?Please indicate whether or not this request is mandated or required. If it’s mandated or required, you will be asked to attach supporting documentation.
No mandate or hard requirement driving this request
Project UrgencyIndicate if there is a mandate or requirement driving this request.
Not mandated or required
Project Resources & Effort
DoIT Departments InvolvedAny Division of IT departments that will be involved in this project.
ESYS (Enterprise Systems)
ISEC (Information Security)
Description
There are many third-party applications that authenticate via the campus Shibboleth authentication platform. As part of that authentication, some of those applications are sent an LDAP attribute called 'mail' that contains an email address. This address uses either the csuchico.edu domain or the mail.csuchico.edu domain, depending on logic in Account Center that tries to determine the correct primary affiliation (employees get csuchico.edu and students get mail.csuchico.edu). Applications use this attribute to identify the email address for the user, but some applications also use this attribute to determine the primary identifier (username) for that user.
This project is to migrate all applications to use an attribute that provides an email address with the csuchico.edu domain as part of our efforts to remove the mail.csuchico.edu domain from our applications.
Proposed milestones:
- Create a new attribute in OpenLDAP called 'email' (or whatever is decided). Use Account Center to populate that attribute with the @csuchico.edu email address for all accounts.
- Using the Shibboleth configuration files to create a list of applications that are currently being sent the existing 'mail' attribute. Identify owners and technical contacts for each of these applications.
- Work with each application owner to migrate their application to the new 'email' attribute. There are three possible situations that may need to be dealt with as part of this process:
- - The application does not rely on the 'mail' attribute as the primary identifier. This means that using the different attribute will simply update the email address of the application's user record. This is the easiest option.
- - The application relies on the email address as the primary identifier. Using the different attribute will result in a duplicate account getting created, but for this particular application there is no harm in that (since there's no history associated with the account). Updating the attribute will require a clean up effort to remove the old mail.csuchico.edu accounts, but should otherwise have minimal impact.
- - The application relies on the email address as the primary identifier and it is important to retain the existing accounts as they are so that user data is not lost. For these applications, we will need to coordinate with the vendor to develop a process for updating the usernames to the csuchico.edu domain at the same time that we switch to the new attribute. This will ensure that existing user data is retained.
- Once all applications that use the existing 'mail' attribute have been migrated to the new 'email' attribute, that attribute can be removed and this project will be complete.
Note: the learning management ecosystem will be a challenging component of this migration, since all applications that are integrated with either Canvas or Blackboard will need to be updated at the same time to avoid losing user data. It may be a good idea to wait to do this part until after Blackboard is no longer in use, but this may also hold up other post-migration projects so it may not be possible.