Outsourcing IAM in North Carolina
A Statewide IAM Managed Service for K-12
San Francisco, CA
November 14-15, 2013
Mark Scheible and Steve Thorpe, MCNC
“Managing Identity and Access in an Era of
Distributed Services” – CAMP 2013
From the NCEdCloud IAM Project…
Challenges (Problem Statement):
1. Too many accounts for current Services
2. Cumbersome manual process of updating account information
from NC Student System to disparate local systems and services
3. Need solid foundation for K-12 cloud solutions growth
• 2 years of learning, interviewing, planning (IAM
Architecture Plan – 250 pages)
RFP (long drawn out process)
Vendor Selection
• Face-to-Face Interviews & Proof of Concept
IAM Service Contract Awarded - April, 2013 to
Organizations involved
NCDPI - NCEdCloud Sponsor (RttT Funding)
Friday Institute - NCEdCloud Program Manager
MCNC - NCEdCloud Service Manager
Identity Automation - NCEdCloud IAM Service Manager
and Provider
Simple Goals
Provide all K-12 staff, students, parents and guests with
a single login to all NCEdCloud Target Applications
and Services as well as other cloud services that are
utilized by numerous LEAs.
Provide self-service capabilities to all end users and
delegated management tools to all LEA administrators.
Initial Scope:
Employees: ~250,000
Students: ~1.5 Million
LEAs (School Districts) – 115 (2,500 schools)
Charter Schools – 111+ (growing)
5 Target Applications Year 1
Future Scope:
Guardians: ~3 Million
Guests: Unknown
10 Target Applications per year
Core Components
Person Registry: a component of the core infrastructure that
provides an identity data warehouse for the NCEdCloud IAM
Service. This registry is responsible for matching, merging and
cleansing of data as it comes from the sources.
Central Directory: a component of the core infrastructure that
provides a directory service for the NCEdCloud IAM Service.
The Central Directory is the authoritative source for the
NCEdCloud Username and password. It is also the source of all
target system integrations whether by SAML, LDAP or direct
Core Services
My NCEdCloud - The interface for end users and
administrators that will provide self-service and
delegated administration capabilities
NCEdCloud SAML IdP - The service that will provide
sign-on capabilities to cloud systems that support the
SAML protocol and implementation
NCEdCloud Sync - The service responsible for
managing the lifecycle of accounts across ALL
systems (including the Target Applications) –
provision, update, deprovision
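Added example (not NCEdCloud or Identity Automation code): a minimal sketch of the provision / update / deprovision pass described for NCEdCloud Sync, treating the Central Directory as authoritative. The Account fields, function names and sample records are assumptions made for illustration.

```python
# Added illustration of one sync pass; not NCEdCloud or vendor code.
# All names, fields and records below are hypothetical.
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Account:
    uid: str            # assumed unique identifier issued by the directory
    name: str
    role: str           # "student", "employee", ...
    active: bool = True

def plan_sync(directory, target):
    """Diff directory entries (uid -> Account) against one target system."""
    actions = []
    for uid, src in directory.items():
        tgt = target.get(uid)
        if not src.active:
            # Person has left: revoke access if the target still grants it.
            if tgt is not None and tgt.active:
                actions.append(("deprovision", uid))
        elif tgt is None:
            actions.append(("provision", uid))
        elif tgt != src:
            actions.append(("update", uid))  # stale attributes or disabled
    # Target accounts the directory does not know are orphans.
    for uid, tgt in target.items():
        if uid not in directory and tgt.active:
            actions.append(("deprovision", uid))
    return sorted(actions)

def apply_plan(directory, target, actions):
    """Return the target state after the planned actions are applied."""
    result = dict(target)
    for action, uid in actions:
        if action == "deprovision":
            result[uid] = replace(result[uid], active=False)
        else:  # provision and update both copy the directory record
            result[uid] = directory[uid]
    return result

# Constructed sample data.
DIRECTORY = {a.uid: a for a in [
    Account("s1001", "Ana Diaz", "student"),
    Account("s1002", "Ben Cole", "student"),
    Account("e2002", "Dan Roy", "employee", active=False)]}
TARGET = {a.uid: a for a in [
    Account("s1002", "Benjamin Cole", "student"),  # stale name
    Account("e2002", "Dan Roy", "employee"),       # left, still enabled
    Account("x9999", "Old Test", "guest")]}        # orphan
```

Running plan_sync a second time on the result of apply_plan returns an empty list, so the pass is safe to repeat on a schedule.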
The NCEdCloud IAM infrastructure will be hosted
in Amazon's AWS environment. This service
provides unlimited scaling as well as a world-class
high availability platform (across three
east coast data centers)
Year 1 Target Services
By March 2014:
• Google Apps for Education
• Central Directory Local Replica (CDLR)
• Zscaler – cloud-hosted firewall, content filtering
• Follett Destiny
• Discovery Education
Assessment Phase - Completed April 30, 2013
Design Phase - Completed June 30, 2013
Build Phase - Completed July 31, 2013 (Development)
Test Phase - Completed November 8, 2013 (Test)
Deployment Phase (Production)
November 11, 2013 - March 31, 2013 for early adopters
Full Production
Available April 1, 2014 for remaining LEAs and Charters
The RFP Process
Procurement was a lengthy process with many state
procedural requirements
Funding came from RttT, but was administered by
NCDPI and overseen by the State IT Agency
Bottom Line – you NEED a champion (with influence)
The Data Sources – ALWAYS a challenge
Communication with the Vendor
Current Focus
LEA/Charter School Onboarding Process (for Early
Adopters) - Currently working with 10 EAs
Application Form (online)
Onboarding Checklist (Readiness Review)
Planning Session (In Person or Remote)
Creation of Governance Body (Oversight/Steering)
Plan for Integrating “Home Base” Applications
Pearson PowerSchool, OpenClass, SchoolNet
True North Logic (TNL) – Teacher assessment, PD
Future Opportunities
Federation of the NCEdCloud IdP
Regional Federation (NCTrust)
Use of NCEdCloud (K-12) student credentials to access
local Higher Education resources
Early College High School programs (piloting)
In State Admissions
Integration with CommIT?
NCEdCloud IAM Web Site
• Overview videos of the IAM Service
• Documents (slides, IAM Plan, Service Management
• ncedcloud.mcnc.org
Mark Scheible – mscheible@mcnc.org
Steve Thorpe – thorpe@mcnc.org
Sammie Carter (Friday Institute) –