ID Management with UCS@school at Marburg Schools

When you hear Marburg, you probably first think of its nationally known Philipps University or of the production site of the biotechnology company BioNTech. Probably less well known to most outsiders is the city's role as a school authority. In this function, the university city is responsible for 23 schools of all types – from elementary school to vocational school. The approximately 11,500 students and 1,100 teachers are accommodated in the schools' more than 800 classrooms.

Currently, 15 employees of the “Media Center” department manage the school IT with its 4,700 end devices, 80 server systems, 500 access points and 80 switches. Despite the schools' good equipment, the disadvantages of the schools' individual IT solutions and the limits of their respective networks became more and more visible over time, and the desire for a central identity management (IDM) grew.

In this article, we would like to explain in more detail how exactly we proceeded in Marburg to organize a central provision of school IT at our schools. We will also write about the cooperation with Univention and the system house Linet, which supported us in the operational implementation, and describe which problems arose and which solutions we found. For this, we will take you on a short journey back in time to pre-pandemic times, to the day when we took the first decisive step towards a central IDM with UCS@school from Univention.

Initial Situation: Two Networks and One Problem

Our motivation to fundamentally restructure the IT in the Marburg schools and to provide a sustainable and user-friendly authentication basis stemmed primarily from the fact that the IT for the education sector had previously been divided into an educational network and an administrative network. While the administrative network was run by the Hessian Center for Data Processing (HZD) and used MS Office, the educational network relied on various providers and the open source software LibreOffice.

This resulted in the fundamental problem of the dual network structure: managing 23 schools with 46 networks became a daily challenge for our IT specialists. Many documents could only be opened with Microsoft Office and not with LibreOffice – a real problem for end users on the clients in the educational network. However, this was not due to the functionality of the individual software solutions, but to their incompatibility with each other.

[Figure: IT structure of the Marburg schools]

Instead of continuing to struggle with this error-prone dual network structure, we decided to work with Univention. They supported us through workshops, conceptual design, project management and support to bring the individual networks together in one large system and to adequately map the reality of schools in IT – including the use of IT by secretaries, janitors, support staff and other people in the administrative and educational context. After all, school is not a closed microcosm.

On the contrary: School is a central, open and overarching place of learning that is becoming increasingly digital. Reason enough to tackle the transformation to contemporary and user-oriented IT in Marburg’s schools.

Requirements: Out of Shadow IT, into Change

Once we had identified the exact deficits of our previous IT, we worked together to draw up a concept of what we required from the new IT solution:

  • Connecting the Marburg schools to the fiber-optic network
  • Unification of networks and users in a system that has a modern structure and covers the needs of our users
  • Shorter support times by dissolving user systems that lacked domain administration and the networks that were in part still outdated
  • Faster and more frequent provision of services
  • Physical merging of networks and their logical separation
  • More flexible and faster response to unexpected changes (e.g. pandemic)
  • More time for on-site support in schools
  • Overcoming shadow IT and mapping the “reality” of school needs
  • And our main goal: building a sustainable and more user-friendly authentication base for users with centralized management of all devices via mobile device management (MDM)

Project Launch: In the Beginning was the Login

Within an overarching network with an increasing number of services and users, the question of authentication is essential. We knew that we had to deal with almost 13,000 user-specific logins, which required a high degree of automation. This is usually achieved by accessing the teacher and student database (LUSD) via the HZD. For the LUSD, you can choose between two products that have been approved by the ministry: we chose UCS@school from Univention because the open source solution presented itself as more flexible and modular than the competition.

Additional first steps on the way to a central IDM at the Marburg schools were the acquisition of central server resources, including an introduction to virtualization. Based on the school network scenario documentation from Univention, we developed a network concept and added the selection of a new domain and certificate organization to our to-do list. The initial setup went smoothly. Within a short time, we had the four basic components of the new system up and running: a UCS Primary node and a Backup node, as well as two Replica nodes for monitoring and the LDAP connector for future systems.

Decision for Univention: The Central Feature

While there are many different reasons for using UCS@school, the LUSD import was decisive for us in Marburg. The central feature is the GPG-encrypted import of student identities in the form of a CSV file. The import is implemented as a repository specially developed for us by Univention, which turned out to be a satisfactory process for us despite the few attempts it took to configure the correct keys. As a school authority, we nevertheless hope that the LUSD import will be even better documented and thus move closer to the (very well documented) core product UCS. This is a challenge with customer-specific solutions such as the LUSD import, which Univention is currently addressing through a neat solution in UCS 5 (German-language article).
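To make concrete what an import of this kind has to do before a single account is created, here is an added Python sketch written for this article; it is not Univention's LUSD import or the UCS@school import tool. It decrypts a GPG-encrypted export with the local `gpg` binary, parses the semicolon-separated CSV, rejects rows with missing fields, unknown schools, malformed class names or duplicate source identifiers, and derives unique usernames and LDAP DNs for the rows that pass. The column names (`record_uid`, `firstname`, `lastname`, `school`, `classes`, `birthday`), the school short names, the container layout under the placeholder base `dc=example,dc=org` and the sample rows are all assumptions constructed for the example.

```python
"""GPG-encrypted CSV identity import with master-data checks (illustrative).

Added example for this article; not Univention's LUSD import or the
UCS@school import tool. Column names, school short names, the DN layout
and the sample rows are constructed assumptions."""
import csv
import io
import re
import string
import subprocess
import unicodedata
from dataclasses import dataclass, field

REQUIRED = ("record_uid", "firstname", "lastname", "school", "classes")
KNOWN_SCHOOLS = {"gym01", "gs02", "bs03"}          # assumed school short names
CLASS_RE = re.compile(r"^[0-9]{1,2}[A-Za-z]?$")    # e.g. "7a", "11", "12b"
BASE_DN = "dc=example,dc=org"                      # placeholder LDAP base
UMLAUTS = str.maketrans({"ä": "ae", "ö": "oe", "ü": "ue", "ß": "ss"})

def decrypt_export(path: str) -> bytes:
    """Decrypt with the local gpg binary; the key must be in the service account's
    keyring. Not called by run_demo(), which passes plaintext bytes to parse_export()."""
    proc = subprocess.run(["gpg", "--batch", "--quiet", "--decrypt", path],
                          check=True, capture_output=True)
    return proc.stdout

def make_username(firstname: str, lastname: str) -> str:
    """First initial + last name, ASCII only, German umlauts transliterated."""
    raw = (firstname[:1] + lastname).lower().translate(UMLAUTS)
    raw = unicodedata.normalize("NFKD", raw)
    return "".join(ch for ch in raw if ch in string.ascii_lowercase)[:20]

@dataclass
class ImportResult:
    users: list = field(default_factory=list)
    errors: list = field(default_factory=list)

def parse_export(data: bytes) -> ImportResult:
    """Validate every row; a bad row is reported and skipped, never imported."""
    reader = csv.DictReader(io.StringIO(data.decode("utf-8")), delimiter=";")
    result, seen_uids, used_names = ImportResult(), set(), set()
    for lineno, row in enumerate(reader, start=2):   # line 1 is the header
        row = {k: (v or "").strip() for k, v in row.items()}
        missing = [c for c in REQUIRED if not row.get(c)]
        if missing:
            result.errors.append(f"line {lineno}: missing {', '.join(missing)}")
            continue
        if row["school"] not in KNOWN_SCHOOLS:
            result.errors.append(f"line {lineno}: unknown school {row['school']!r}")
            continue
        classes = [c for c in row["classes"].split(",") if c]
        bad = [c for c in classes if not CLASS_RE.match(c)]
        if bad:
            result.errors.append(f"line {lineno}: invalid class name(s) {bad}")
            continue
        if row["record_uid"] in seen_uids:
            result.errors.append(f"line {lineno}: duplicate record_uid {row['record_uid']}")
            continue
        seen_uids.add(row["record_uid"])
        # The stable source id keeps re-imports from re-creating accounts;
        # the username still has to be unique within the directory.
        base = make_username(row["firstname"], row["lastname"])
        username, n = base, 1
        while username in used_names:
            n += 1
            username = f"{base}{n}"
        used_names.add(username)
        result.users.append({
            "record_uid": row["record_uid"],
            "username": username,
            "school": row["school"],
            "classes": [f"{row['school']}-{c}" for c in classes],
            "dn": f"uid={username},cn=schueler,cn=users,ou={row['school']},{BASE_DN}",
        })
    return result

# Constructed sample export (the plaintext decrypt_export() would return).
SAMPLE_CSV = """record_uid;firstname;lastname;school;classes;birthday
1001;Anna;Müller;gym01;7a;2011-03-04
1002;Anna;Mueller;gym01;7b;2011-05-06
1003;Ben;Schulz;;5c;2013-01-01
1004;Lea;Fischer;xyz99;9a;2009-07-08
1001;Anna;Müller;gym01;7a;2011-03-04
1005;Tom;Weber;bs03;11,12b;2007-02-02
1006;Mia;Koch;gs02;4 a;2014-09-09
""".encode("utf-8")

def run_demo() -> ImportResult:
    result = parse_export(SAMPLE_CSV)
    for user in result.users:
        print("import", user["dn"], user["classes"])
    for err in result.errors:
        print("skip  ", err)
    return result

if __name__ == "__main__":
    run_demo()
```

Rejecting rather than repairing bad rows is deliberate: an automated import that silently guesses at a school or a class name creates wrong group memberships that are hard to track down later, so the error list goes back to the data owner instead.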

Other benefits we see in using UCS@school for our schools and teachers:

  • Centralized management of accounts, schools, classes, networks and permissions, as well as connectivity to third-party solutions such as file sharing, office or e-mail programs, teaching and learning software and other educational applications
  • Secure use of private smartphones and tablets (BYOD)
  • Focus on ID management in the educational environment and an intelligent rights concept for access to digital learning platforms, IT services and digital media

Pandemic: New Priorities and Initial Achievements

With the pandemic, our goal changed. Previously, we had primarily wanted to establish a domain spanning the school authority's network. The priorities shifted, and the new goal was to equip our schools with the cloud office offering Microsoft 365, the messenger from Heinekingmedia, and devices such as iPads from Apple. As a result, we had to meet a new challenge: making our LDAP directory securely available to external service providers such as Microsoft.

Our solution was to work with the Braunschweig system house Linet to add a reverse proxy, which was also essential for setting up the UCS Microsoft 365 Connector. We were very satisfied with the connector. It is very well documented and its setup is only more difficult in the multi-tenant environment, which we opted for due to its better separability. Things are different in the single-tenant environment: Here, setting up the UCS Microsoft 365 Connector is self-explanatory.

In the end, we were able to achieve initial success despite the sudden corona-related changes. Both LDAP and SAML authentication with the MS 365 Connector worked, even in multi-tenant environments. In addition, the organization, which was initially offered at a pilot school and has been in productive use at all Marburg schools since summer 2022, was successfully connected.

The basic setups went very quickly and were completed within a few days. More time-consuming than the setup was the familiarization with the new systems from Microsoft, Heinekingmedia and Univention (possible edge-case tests, limitations and integration with each other). In our pilot school, it finally became clear that our previously identified and served user groups had to be supplemented by the user group of parents. This revealed the importance of master data quality for automated systems. However, since there is so far no clear and secure data source for the new user group of parents, it is not included in our central IDM until such a source is developed.

Connecting the Teacher Service Devices: The Unlikely Event Occurs

Yet another year of pandemic caused unexpected twists and turns: teacher service devices were announced, resulting in a change in device management. If possible, teachers should be able to use the devices everywhere and for all work-related purposes. We had already found a reliable solution for the iPads with the JAMF MDM, but the administration of Windows devices was no longer up to date and required an adequate alternative. We found this alternative in the MDM Microsoft Intune (Microsoft Endpoint Manager), which was available to us through the purchase of Microsoft's cloud office offering.

With user synchronization already set up in the tenants, we thought we had reached our destination, but rejoiced too soon: Microsoft did not support SAML authentication for the Windows login in Azure AD. This meant that the use of the Microsoft 365 Connector had to be paused, even though it had worked perfectly for online services and logins. To solve this issue, our IT team developed a promising concept that will be implemented productively in the next few months. Until then, the teacher accounts will be managed separately from UCS@school due to the lack of compatibility between the MS 365 Connector and the MDM Microsoft Intune.

Conclusion & Outlook: The Devil is in the Details

Looking back at the progress of the project so far, it can be said that the UCS ecosystem with its numerous apps provides a very good basis for individual customizations and requirements. Our Univention instances continue to run reliably in the scenarios used and, as we expected at the beginning, convince with their flexibility and modularity. Despite our positive experience and our well-founded decision in favor of the open source solution, I would like to briefly summarize some of the challenges we encountered.

First of all, the familiarization with completely new systems such as UCS@school should not be underestimated. This proved to be more time-consuming than expected and cannot be avoided even with a well thought-out project plan. After all, as important as project plans may be, they do not provide universal protection. The Corona pandemic and the associated connection of teacher devices and the development of mobile working taught us that even events that are considered “very unlikely” can occur.

LDAP turned out to be a versatile, widely used and well-supported authentication base during the course of the project, but it was also technically very complex and difficult to extend. Equally challenging was the implementation of Microsoft 365 in the multi-tenant environment (multiplication of setup steps within the system, connection of ADs). In this case, it should be carefully considered beforehand whether a single-tenant environment might be an option.

One thing is certain, however: if you have good contacts and colleagues, good documentation, good ideas and a good ecosystem, the digital transformation in schools can succeed in the long term, as our positive practical experience shows. In the future, we would like to build on past success and provide more user feedback in the event of incorrect credentials, migrate the school networks, use RADIUS Auth for the WLAN, manage Windows devices via MDM, and configure server and network devices via Ansible.

Oliver Weigelt

Oliver Weigelt is a technician at the Marburg City Media Center.

Nico Anastasio

Nico Anastasio is head of the Marburg City Media Center.
