October 15, 2010
GoogleApps@USF
From Development to Deployment & Beyond
Eric Pierce
Identity Management Architect
#E10_SESS128
About Me
– Started at USF in 1996
– Help Desk
– System Administrator
• Student Email
• Student Unix Accounts/Webpages
• Student Blogs
– Identity Management Architect
• Identity Reconciliation
• Provisioning
• Authentication & Authorization
University of South Florida
• 47,000+ students
• 4 Campuses
– Tampa
– St. Petersburg
– Lakeland
– Sarasota/Manatee
• Medical School & research
facilities in Tampa
#E10_SESS128
Student Email pre-GoogleApps
• Difficult to maintain
– Cobbled together over a number of years
– Assortment of Commercial & OSS technologies
•
•
•
•
CommuniGate
SquirrelMail
AMaViS
SpamAssassin
• Fighting spam was a losing battle
– 6 servers dedicated to spam/virus scanning
– Long delays & constant tweaking required
#E10_SESS128
Student Email pre-GoogleApps
• Students wanted:
–
–
–
–
More space
Less spam
Calendaring & collaboration tools
More reliability
• I wanted:
– More reliability
– Geographic redundancy
– To spend less time fighting spam or fixing hardware issues
#E10_SESS128
Upgrade or Outsource?
• Price
– About $1 million over 3 years to keep it ‘in-house’
– Fully redundant storage for 70K+ mail users is expensive
– So is commercial spam/virus scanning
• Features
– No single package compares to GoogleApps or Live@edu
– Even with multiple applications, many features are not available
• Resources
– IT resources required to develop new features and/or upgrades
– More admin time required for maintenance and trouble-shooting
#E10_SESS128
Get the students involved!
• Student Government
– Improving Email was a top priority during a ‘Town-Hall’ meeting with the CIO
– Helped generate ‘buzz’ about the switch
– Promoted GoogleApps to the students
• Create Pilot Groups
– We selected 300 volunteers to evaluate GoogleApps & Live@edu
– I stayed in contact with that group throughout the rollout period
– Pick students from across campuses/colleges/departments
• Limited-release beta testing
– The pilot group could send invitations to 5 other students
– Those students could send invitations to 3 more
#E10_SESS128
Implementation
o
o
o
o
o
o
Scope – Students and Affiliates only
Project Initiated – October 2007
Student testing began – November 2007
Selection completed – December 2007
Released to students – February 2008
Legacy mail system shutdown – June 2008
#E10_SESS128
Identity Management
GoogleApps was a major component in our IdM plan
–
–
–
–
Web Single SignOn (Jasig CAS)
Automated account provisioning
Unified Acceptable Use policy
Increased password strength requirements
•
•
•
•
•
8 character minimum
Regular-Expression tests
Cracklib scoring
Windows Password Complexity requirements
6-month password expiration
#E10_SESS128
Account Provisioning
• Utilized the PHP client to work with our existing account
management application
• Up & running in an afternoon
• Fully integrated with our account manager in a few days
Lesson Learned
Use the Java or Python client
o PHP client is not updated often (at all?)
o Many new API features are not available in the PHP client
#E10_SESS128
On-Demand Account Creation
The announcement was in the middle of a semester, so a
single move wasn’t feasible
– An outage during the migration was unacceptable
– Users were able to move when they were ready
– A ‘cleanup’ after the semester ended moved all remaining accounts
#E10_SESS128
#E10_SESS128
#E10_SESS128
#E10_SESS128
Password-Syncing
• All web-based access is done through SSO
• IMAP clients and mobile access use the password stored at
Google
• We sync passwords - most schools don’t
– Most schools have students set their Google password separately
– Some enforce the separation and keep students from setting them to
the same value
– Lots of discussion of this on the Internet2 IdM list
• http://listserv.educause.edu/cgi-bin/wa.exe?A0=IDM
#E10_SESS128
Mail Migration
• Mail Migration was semi-automated:
– GoogleApps account created automatically
– Username added to the migration DB
– Daily process:
• Changed legacy IMAP password
• Created the migration CSV file
• Emailed CSV to the admin group
– Admin (usually me) logged into the GA admin page and
started the migration process
#E10_SESS128
Promotion
•
•
•
•
•
Student Government special event
Multiple mass emails to all students
Multiple articles in the Oracle
New Student Orientation brochure
Announcement in Blackboard Portal
Lesson Learned
Google has help with planning the rollout
http://deployment.googleapps.com/Home/resources-user-adoption
#E10_SESS128
Results
Where has 2+ years of GoogleApps taken us?
#E10_SESS128
Student Reaction
• Students love the new system
– 70x storage increase
– Docs & Calendar have been widely utilized
– Several classes use Sites for assignments and portfolios
• Biggest complaints?
– Not USF-branded enough
– Missing features from ‘regular’ Google accounts
– Some faculty felt like “second-class citizens”
#E10_SESS128
Cost-Savings
• Outsourcing Email != fewer jobs
–
–
–
–
The university gets more results from the same number of jobs
Mail administration time has dropped from 2 FTE to .1 FTE
Both mail admins have moved to Identity Management
Most of the work involved with GoogleApps is now IdM-related
• Retired or repurposed 12 servers & 2 storage arrays
• HUGE savings over upgrading legacy system
– Hardware/software upgrades: $300,000/yr
– Additional Personnel requirements: $60,000/yr
#E10_SESS128
Help Desk
• We expected a major impact to the help desk, but the
traffic level has stayed roughly the same
– Many more applications to cover, but students are more familiar
with Google tools
– Help desk staff training is quicker & easier
Lesson Learned
Have regular Q&A sessions with Help Desk staff
o Better answers for your customers
o Fewer support tickets for you
#E10_SESS128
Campus Integration
• Directory Synchronization
– LDAP -> GoogleApps
– Contact entries are created for all non-GA accounts
• Group Synchronization
– Slow for very large groups
– We don’t use them effectively yet
Lesson Learned
Find group applications BEFORE planning groups
o Emergency notification
o College/department announcements
o Class-based access for docs or sites
#E10_SESS128
Staff & Faculty
• Exchange is still our ‘official’ mail system for faculty/staff
– Except in St. Petersburg
• Faculty/staff can opt-in and forward their mail to Google
• Exchange Integration has been a challenge
– Email is easy
– Calendars are harder
Lesson Learned
Having multiple Email environments is difficult
o If there is any way to move everyone to GoogleApps at one
time, go for it
#E10_SESS128
Where do we go from here?
• Google Calendar
– USF Calendar of Events
– Athletic practice & game schedules
– Class schedules
• Blackboard Integration
– Bboogle project (Calendar & Docs)
– Gtalk links & status display
#E10_SESS128
New Google Tools
• New GoogleApps Infrastructure
– GA accounts can be used with almost all Google tools
– Only for ‘early adopters’ right now
• Two-factor Authentication
– iPhone/Android app or text messages authenticate user
in addition to their password
– Can’t be used with SSO logins yet
#E10_SESS128
Questions?
Thank you for attending
Eric Pierce
[email protected]
#E10_SESS128