Despite some challenges, the IT changeover in the Marburg schools was successful. With UCS@school, a reliable, future-proof and user-friendly solution for authentication was found that is particularly well suited thanks to its modularity and flexibility.
Users
- 23 schools
- 11,500 students
- 1,100 teachers
- 4,700 terminals, 80 server systems, 500 access points and 80 switches
- 12 IT employees
Requirements
- Unite networks and users in one system with a contemporary structure
- Shorten support runtimes
- Faster provision of new IT services
- Physical merger of networks (school network and administrative network)
- More flexible and faster response to sudden problems (e.g. corona pandemic)
- More time for on-site support in Marburg schools
- Overcoming shadow IT and meeting the individual needs of schools and students
- And our main goal: building a sustainable and more user-friendly authentication basis for users with central management of all end devices via mobile device management (MDM)
Solution
- Future-proof and user-friendly authentication based on UCS@school (one UCS Primary Directory Node, one Backup Directory Node, two Replica Directory Nodes for monitoring and one LDAP Connector for future systems)
- Management of end devices via Mobile Device Management (MDM) incl. Single Sign-on
- GPG-encrypted import of user data
- Import from the country directory service LUSD as a customer-specific repository
- Reverse proxy for LDAP directory and setup of UCS Microsoft 365 Connector
- Concept for collective authentications in the Windows login of Azure AD planned
Two networks and one problem
Before the Marburg Media Center decided to convert the school IT, it consisted of an administrative network (HZD, MS Office) and an educational network (various providers, LibreOffice). This dual network structure (two networks per school, i.e. a total of 46 networks in 23 schools) regularly caused problems for end users on clients in the educational network. Because the two environments were systemically incompatible, documents uploaded by the administration could usually only be opened, edited and shared with MS Office and not with the open source alternative LibreOffice.
To integrate the individual networks into one large system and to adequately represent schools with all their fields of activity, i.e. including secretaries, janitors and support staff, Marburg decided to collaborate with Univention. The goal of the project was to establish a future-proof authentication basis with central administration of all end devices via a central mobile device management (MDM) and manageable assignment to the cloud domain, using open source software, while maintaining the same level of performance.
In the beginning was the login
Within an interconnected network with an increasing number of services and users, the question of authentication is essential. A high degree of automation was required for the nearly 13,000 user-specific logins, which was to be achieved through UCS@school.
Central server resources were purchased to set up a central identity management (IDM) system, and virtualization was introduced. Based on the school network scenario documentation from Univention, the Marburg media center worked out a network concept. Within a short period of time, the following four basic components of the new system were set up: a UCS Primary Directory Node, a Backup Directory Node as well as two Replica Directory Nodes for monitoring and an LDAP Connector for future systems.
Despite the corona-related changes and challenges, the project implementation was very successful: both the LDAP authentication and the SAML authentication with the MS 365 Connector worked in the complex multi-tenant environments. Connecting the schul.cloud organizations was also a success. After an extensive test phase in a pilot school in summer 2022, the system is now offered in production in all Marburg schools and is being introduced gradually, school by school.
Challenges for the Marburg IT
One of the biggest challenges in the course of the project was unexpected changes that could not be taken into account in the detailed project plan. After all, the pandemic fundamentally shifted priorities in project implementation in Marburg. While originally the establishment of a school-network-wide domain had priority, the schools were now to be equipped first with the cloud office offering from Microsoft 365, the messenger schul.cloud from Heinekingmedia and devices such as iPads from Apple. This shift in priorities brought new requirements with it, as the LDAP directory now had to be made accessible to external service providers. The solution for Marburg IT was to set up a reverse proxy, which was also essential for the UCS Microsoft 365 Connector.
Further challenges arose from the familiarization with new systems such as UCS@school, the sudden need, due to the pandemic, to provide and connect teachers’ end devices, and the complex and difficult extensibility of the LDAP authentication base. It was also necessary to implement Microsoft 365 in a multi-tenant setup (multiplications, setup within the system, connection of ADs) instead of a single-tenant one.
Why Univention?
According to the IT managers in Marburg, the UCS ecosystem with its numerous apps offers a solid and flexible basis for individual adaptations and requirements for the IT environment for the schools. Univention’s open source solutions’ modularity and flexibility, as well as the ability to easily and automatically import user data from the LUSD state directory service, were of particular relevance in the decision-making process. The latter, as a GPG-encrypted student import – implemented by Univention as a customer-specific repository for Marburg – is an important feature for the conversion of the IT in the Marburg schools. Besides a good ecosystem, the efficient communication with Univention’s Professional Services Team and the well-developed documentation for UCS@school and UCS were decisive for the success of the project.
Conclusion
Further Planning in Marburg
In the future, the Marburg IT team would like to provide even more user feedback during data conversion and validation in the event of incorrect login data, e.g., accidentally set punctuation such as “&” or “-” in the first and last names. In addition, more school networks are to be migrated, RADIUS Auth used for the WLAN, Windows devices managed via MDM, and server and network devices configured via Ansible.