From fragmented systems to unified control
Mitigating Errors in the User Life Cycle with Reporting
Vives University successfully migrated to and unified their identity management and governance with midPoint, achieving automation, compliance, and effective system management.
Challenge: Hogeschool Zuid-West-Vlaanderen (KATHO) and the Katholieke Hogeschool Brugge-Oostende (KHBO), which merged to form Vives University, were relying on complex in-house bash scripts and SQL databases. A flexible IGA platform that could be integrated easily was needed.
Process: The IT team adopted midPoint to manage user lifecycle, reporting, and data validation, while developing their own connectors for necessary system integration.
Outcome: MidPoint manages the staff and students in a complex organizational structure, with ongoing integration and feature exploration to enhance the university’s internal efficiency.
About Vives

Vives University of Applied Sciences
Vives is one of the largest universities in Flanders, Belgium. The university was created by the merger of KATHO and KHBO. It offers contemporary and competence-oriented higher education, innovative practice-oriented research, and social services to answer the societal challenges of today and tomorrow. Vives offers more than twenty graduate and thirty bachelor’s programs. Its IT team administers 20,000 active identities (e.g., students and faculty); alumni identities do not need to be administered.
The Objective: The newly established Vives University needed to migrate and unify identity management and governance with an IGA system that would guarantee a smooth migration, introduce automation, and overall modernize the identity management and governance processes.
The Challenge: Before the merger, KATHO and KHBO were relying on complex in-house bash scripts and SQL databases. Integrating these two environments would have been almost impossible without a flexible IGA platform that could be integrated easily into their existing infrastructure.
The Process: The IT team decided to adopt midPoint because of its open source nature and integration possibilities. The university wanted to automate and streamline all account provisioning and the routines that run between the connected systems. Furthermore, they needed to incorporate midPoint into their existing infrastructure, which was possible thanks to midPoint’s connector mechanism.
MidPoint is now an orchestrator in this process, and it has been integrated with Student Information, HR, and other systems. The data gets pulled from these systems and stored in midPoint. MidPoint then creates and manages user accounts across different systems and resources, such as AD, SQL tables, and CSV files. The entire process is fully automated and works seamlessly with the information from the source systems. Since the IT team has expertise in connector development, they were able to craft custom connectors for certain specialized software used by the university that sped up the entire integration process.
User Lifecycle: One of the objectives of the university was to manage the user lifecycle through midPoint. For student identities, the account creation process is now quite fast and straightforward. When a new student enrolls in the university, their account is created immediately through the student administration process and picked up by midPoint. This means that within five minutes, the student is able to access the organization’s systems and resources. The user lifecycle for students is tied to their enrollment and end date, which means that when the student’s enrollment period ends, the account is deactivated or terminated automatically by midPoint.
For staff, a unique account name has to be requested from a central organization within the association of universities, a process that can take up to 24 hours to complete in the HR system. For new staff members, midPoint therefore generates a temporary account name and email address as soon as they are registered in the HR system; once the real account name is received, the rest of the provisioning process is completed. The association has agreements in place to create a unique account name for employees who are also students, in which case two separate accounts are created. An external system handles activation codes and password changes; midPoint receives the resulting status and the new password and provisions the password to the target systems.
The IT team uses Velocity templates to send activation codes to new users so they can activate their accounts, and midPoint’s notification feature to send users a confirmation when they change their password.
Reporting and Data Validation: In addition to these user-facing notifications, midPoint also generates reports for internal use, specifically for the HR department. The reports provide a summary of accounts that will be terminated within the next three weeks, which can help the HR department stay on top of contract renewals and avoid any oversights or lapses.
The university has integrated all their HR data into midPoint, but sometimes the data is incorrect. For example, HR may mistakenly enter an end date that lies a year in the past for an employee, which should not trigger an immediate account deletion in midPoint.
To address this, the university uses midPoint’s delayed delete function. When an employee is no longer on the payroll, their account is disabled but kept in the system for three months before it is permanently deleted. This gives HR the chance to correct any mistakes and to confirm that the account should in fact be deleted.
The university also uses reporting in midPoint to monitor the system and ensure that the data is correct. They have weekly reports that are sent to managers and other stakeholders in the organization. These reports provide an overview of the status of the system and highlight any potential issues, such as incorrect data and inconsistencies.
The reports are primarily used for custom control reporting, but they also provide information to other people in the university. The reports are periodic and are used to see the status of the system and to identify any potential issues that need to be addressed. If wrong data is identified, a report is created so that the responsible person can take action to mitigate the issue.
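To make the delayed-delete rule and the two reports described above concrete, here is an added Python model of the logic (example code, not midPoint’s own implementation or Vives’ configuration): an HR feed is reconciled against accounts, an expired contract disables rather than deletes, deletion happens only after the three-month grace period, a corrected end date re-enables the account, and two report functions list contracts ending within three weeks and end dates that look backdated. The `BACKDATE_TOLERANCE` threshold and the sample feed are assumptions constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta

GRACE_PERIOD = timedelta(days=90)       # disabled accounts are kept three months before deletion
REPORT_HORIZON = timedelta(days=21)     # HR report covers contracts ending within three weeks
BACKDATE_TOLERANCE = timedelta(days=7)  # assumption: an older past end date on a live account is suspect

@dataclass
class HrRecord:                          # one row of the HR feed
    username: str
    end_date: date | None = None         # None = open-ended contract
@dataclass
class Account:                           # what the IGA system knows about the target account
    enabled: bool = True
    disabled_since: date | None = None

def reconcile(accounts: dict[str, Account], feed: list[HrRecord], today: date) -> dict[str, str]:
    """One delayed-delete run over the HR feed; returns the action taken per account."""
    actions, by_user = {}, {r.username: r for r in feed}
    for name, acc in list(accounts.items()):
        rec = by_user.get(name)
        employed = rec is not None and (rec.end_date is None or rec.end_date >= today)
        if employed and not acc.enabled:      # HR corrected the end date within the grace period
            acc.enabled, acc.disabled_since = True, None
            actions[name] = "re-enable"
        elif employed:
            actions[name] = "keep"
        elif acc.enabled:                     # off payroll: disable first, never delete outright
            acc.enabled, acc.disabled_since = False, today
            actions[name] = "disable"
        elif today - acc.disabled_since >= GRACE_PERIOD:
            del accounts[name]                # grace period elapsed: permanent deletion
            actions[name] = "delete"
        else:
            actions[name] = "disabled"        # still inside the grace period
    return actions

def termination_report(feed: list[HrRecord], today: date) -> list[str]:
    """Usernames whose contract ends within the next three weeks (the report sent to HR)."""
    return sorted(r.username for r in feed
                  if r.end_date and today <= r.end_date <= today + REPORT_HORIZON)

def data_quality_report(accounts: dict[str, Account], feed: list[HrRecord], today: date) -> list[str]:
    """Enabled accounts whose feed end date lies well in the past: likely HR entry errors."""
    return sorted(r.username for r in feed if r.end_date and r.end_date < today - BACKDATE_TOLERANCE
                  and r.username in accounts and accounts[r.username].enabled)
# Constructed sample feed (not real Vives data): carol's end date was typed a year in the past
TODAY = date(2024, 3, 1)
SAMPLE_FEED = [HrRecord("alice"), HrRecord("bob", date(2024, 3, 15)), HrRecord("carol", date(2023, 3, 1))]
```

Running `reconcile` daily with `SAMPLE_FEED` disables carol on the first run, re-enables her if HR removes the bad end date before the grace period ends, and deletes the account only on day 90.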
Resources: The university appreciates the open community that has been built around midPoint. They have contributed to translating midPoint into Dutch and often get involved in answering questions on the community mailing list. Evolveum offers extensive resources including technical documentation, a book, and video tutorials to help institutions utilize the platform. The university found the library of connectors with open code to be particularly valuable, greatly simplifying the integration process with their existing infrastructure.
Davy Priem, IT Architecture and Security Coordinator at Vives:
“We value other open aspects Evolveum provides, such as technical documentation. The library of connectors with open code is super cool. You can plug in whatever you want.”
The Outcome: The process from deployment to production took the university roughly a year. They continue integrating midPoint with other systems using existing connectors and developing new ones. MidPoint is used in a complex organizational structure to manage identity and access for all staff and students. By integrating various systems and processes, midPoint streamlines account provisioning and management while ensuring compliance with organizational policies and standards. MidPoint can handle these complex processes and integrate with external organizations to ensure that staff accounts are created properly.
The delayed delete and reporting functions in midPoint have helped the university manage their identity system more effectively. Delayed delete ensures that accounts are not deleted prematurely, while reporting helps them identify and address issues before they have an impact on the system.
The university continues to explore the many features midPoint provides and to assess which of them could be used next to improve the user experience and the effectiveness of the IT team. The organization appreciates the open code, as they can test a specific feature and learn about it before deciding on its deployment. Moreover, this can be done without navigating the packaged service offerings, with their service-tier and licensing reviews, that are standard with non-open alternatives.
The Future Plans: At the moment, only the IT staff have access to midPoint. The university might look into extending midPoint to end users in the future. This could be especially handy because of self-service features such as access requests, which would improve the end user experience and take the burden off the IT staff. The organization is also working on a self-service portal that could integrate selected midPoint features through the REST API.
The motivation for building the self-service platform is to give users, such as professors, a more efficient and user-friendly interface for making requests related to exams and account review. The self-service portal will be a layer on top of midPoint, since many other systems also need to be accessed. The portal will also allow users to request various assets, such as software licenses, hardware equipment, and other resources they need to perform their job functions. This may include a feature where teachers can create or request a bundle of resources that they need for a particular class or project.