TRANSCRIPT
June 10-15, 2012
Growing Community; Growing Possibilities
Open Source Person Registries - You want ‘em we got ‘em!
Dedra Chamberlin, UCSF/UC Berkeley
Eric Westfall, Indiana University
2012 Jasig Sakai Conference 2
What is CIFER?
An agile, best-of-breed, community governed, comprehensive IAM solution for higher education
CIFER Objectives
Build upon existing open source IAM projects
Create a comprehensive, modular IAM stack
Implement open, standards-based architecture
Reduce ops costs (TCO) through improved integration, automation, QA
Focus on needs, challenges distinctive to HE
Avoid vendor lock-in
Do so by pooling community resources
CIFER Workstreams
What is a Registry?
Central repository of key information about entities belonging to an organization
IAM in university environments
What is a Registry?
Consumer of data – SOR integration
Reconciler of data – ID match and reconciliation
Producer of data – Global unique ID
Organizer of data – standard representation of person profile data
Provider of data – integration with downstream systems/apps
Other key functions:
◦ Administration – merges, data integrity, reporting
◦ Identity lifecycle management
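The registry functions listed on this slide (SOR consumer, ID-match reconciler, global ID producer, profile organizer, merge administration) as a constructed Python example added here; it is not code from CIFER, KIM, OpenRegistry or CPR, and the SOR names hr/sis, the record fields given/family/dob and the G-prefixed global ID format are assumptions. It shows the check a registry needs on the weaker name-plus-DOB match: an ambiguous or conflicting candidate is queued for an administrator rather than merged automatically.

```python
# Toy person registry: SOR ingestion, ID match, global ID issuance, review queue, merges.
# Constructed example, not CIFER/KIM/OpenRegistry/CPR code; fields given/family/dob assumed.
from dataclasses import dataclass, field
import itertools

def _key(rec):  # normalized name + date of birth: the weaker match attributes
    return (rec["given"].strip().lower(), rec["family"].strip().lower(), rec["dob"])

@dataclass
class Person:
    global_id: str
    sor_ids: dict = field(default_factory=dict)  # {"hr": "E1", "sis": "S1"}
    profile: dict = field(default_factory=dict)  # standard person representation

class Registry:
    def __init__(self):
        self._seq = itertools.count(1)
        self.people = {}        # global_id -> Person
        self.review_queue = []  # records an administrator must resolve by hand

    def _new(self, sor, sor_id, rec):
        p = Person(f"G{next(self._seq):06d}", {sor: sor_id}, dict(rec))
        self.people[p.global_id] = p
        return p.global_id

    def ingest(self, sor, sor_id, rec):
        # Strong match: the SOR identifier is already linked to a registry person.
        found = [p for p in self.people.values() if p.sor_ids.get(sor) == sor_id]
        if not found:  # weaker match on normalized name + DOB
            found = [p for p in self.people.values() if _key(p.profile) == _key(rec)]
        if len(found) > 1 or (found and found[0].sor_ids.get(sor, sor_id) != sor_id):
            # Ambiguous or conflicting: never auto-merge on weak attributes, queue for review.
            self.review_queue.append((sor, sor_id, rec, [p.global_id for p in found]))
            return None
        if not found:
            return self._new(sor, sor_id, rec)
        found[0].sor_ids[sor] = sor_id
        found[0].profile.update(rec)
        return found[0].global_id

    def resolve_as_new(self, item):
        """Administrator decision: the queued record really is a different person."""
        self.review_queue.remove(item)
        return self._new(*item[:3])

    def merge(self, keep_id, drop_id):
        """Administrator merge: fold drop_id into keep_id; keep_id's SOR links win on conflict."""
        keep, drop = self.people[keep_id], self.people.pop(drop_id)
        keep.sor_ids = {**drop.sor_ids, **keep.sor_ids}
        return keep_id
```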
Where Are We Now?
Why are we involved and what do we need?
The UC Story
UC Berkeley and UCSF have merged IAM oversight and strategy
Both have IAM systems which need significant re-vamping and both need a person registry
Other UC schools also looking at IAM replacements
The UC system is moving to a common SOR for HR data (PeopleSoft in the cloud)
Great opportunity for exploring common person registry solutions
UCB Registry
Homegrown “sync code” handles ID match and basic provisioning
All integration from SORs is via nightly pull from EDW views
Person data stored in LDAP (currently Oracle DSEE), no “person registry”
Current UCB Architecture
Problems UCB would like to solve
Replace sync code with something more sustainable in the long run – community development and support model
Opportunity to re-evaluate ID match data
Opportunity to introduce real-time integration with SORs (and hence downstream customers)
More integration options for downstream customers
UCSF Registry
Homegrown, mainframe-based Individual Identifier System (IID) handles ID Match and Person data repo
Creates one global identifier for all Systems of Record upon account creation
Issues many regular batch feeds to downstream systems
Feeds Enterprise Directory Service (OpenDJ), which in turn feeds other downstream customers
Current UCSF Architecture
Problems UCSF would like to solve
Mainframe retiring in about 3 years
Replace IID with something more sustainable in the long run – community development and support model
Opportunity to introduce real-time integration with SORs (and hence downstream customers)
More integration options for downstream customers
Next Gen Architecture UCB/UCSF
Next Steps
Work with CIFER Registry workstream to develop registry solutions that can become part of community supported higher ed suite
Immediate future – decide on ID match solution and hopefully develop new ID match tools in partnership with Kuali
Near term – begin deploying a new Registry solution (Jasig’s Open Registry or Penn State’s Central Person Registry)
Medium term – establish standard outbound integration options for the new registry
The Kuali Story
Kuali Identity Management
Shared IAM Services
◦ Focus on identity functionality for the purpose of this discussion
Used by many Kuali projects
◦ but is general enough to be used outside of Kuali apps
Provides access to identity data through APIs
Database-backed reference implementation
Authoritative source for its consumers
An “integration platform” for IAM within Kuali
KIM Integration Patterns
There are a couple of predominant integration patterns for identity in KIM today
◦ Provisioning into the KIM database from SORs
◦ Integration with LDAP (or institution-specific identity stores) via KIM APIs
Furthermore, there are two architectural deployment models for KIM
◦ Bundled
◦ Standalone
Bundling KIM in an Application
[Diagram: KIM bundled inside Kuali Coeus, with Provisioning from a Database and integration with LDAP]
Either provisioning into database from systems of record, or integration of KIM with directory or similar service
Standalone KIM in the Enterprise
[Diagram: a standalone KIM, with Provisioning from a Database and integration with LDAP, serving Kuali Coeus, Kuali OLE, Some Application and Some Other Application]
Either provisioning into database from systems of record, or integration of KIM with directory or similar service
Why is Kuali involved in CIFER?
Kuali is continuing to build out HR and Student System functionality
These are traditionally Systems of Record for identity
ID Match is critical
Institutions can implement only the pieces of Kuali that they want
◦ This means applications like Kuali Student or KPME could be paired with things like PeopleSoft, Banner, Workday, SAP, etc.
Continuing to Evolve
We need to continue to evolve our architecture for identity and access management within Kuali
We have at least 10 major items on our project roadmap related to IAM
Working with others in various communities on a shared project like CIFER just makes sense
Identity registries and ID match are our initial area of focus because they are important when dealing with multiple identity sources
The CIFER Registry Group
What are we talking about, what have we done, and what are we going to do?
Identity Registry Group
Objective of the Group
◦ Catalog requirements for identity registries
◦ Develop a plan to identify current gaps
◦ Evaluate available identity registry and ID match solutions
◦ Develop, document, and exercise standard APIs for interacting with identity registries
Involved Partners
◦ UC Berkeley, UCSF, Brown, U. Washington, Internet2, Indiana, Kuali, SFU, PSU, Open Registry, Rutgers, others
What are we looking at?
◦ A central, single authority Registry
◦ Identity Match functionality
◦ Working closely with the Provisioning side of CIFER
What’s Been Done?
Identity Registry Functional Model Core Requirements Evaluation ID Match
◦ Strawman design for ID match system
◦ Evaluation of OpenEMPI
Evaluations of three different Open Source Identity Registry solutions
◦ OpenRegistry
◦ Penn State’s Central Person Registry (CPR)
◦ Kuali Identity Management (KIM)
Where are we now?
For identity match
◦ Evaluated OpenEMPI and will decide w/in a month to use or explore other options (integrations, self-written)
For Registry
◦ Evaluated OpenRegistry and CPR
◦ Both fairly well-developed, team feels both are viable candidates
What about KIM?
What’s next?
Next Steps
◦ Potential ID Match “task force”
◦ Continued evaluation of registry solutions
◦ Work on shared APIs from SORs into a registry
◦ APIs for downstream provisioning
Other Potential Goals
◦ Try and get OR out of incubation status
◦ Work with PSU to fully “open-source” CPR
◦ Increase active community involvement
Other Initiatives
◦ Kuali is doing an evaluation of mapping KIM APIs to CPR
◦ UC is doing architectural evaluations
◦ Both of these groups are eager to move things forward!
What’s Needed?
Your Input
◦ We need your input on the integration points
SORs to Registry
Development of shared APIs
Your Experiences
◦ Have you tackled similar problems in the past?
◦ Have experience with implementation of an identity registry or ID match solution?
Your Help!
◦ If your campus has registry needs, consider getting involved by investing into this effort!
More information
Possible future IAM Online
Registries team wiki:
◦ https://spaces.internet2.edu/x/BJ2KAQ
Future Home Page (work-in-progress!):
◦ http://www.ciferproject.org
Send email to [email protected] if you are interested in finding out more info or getting involved in any of the workstreams!
Questions?
For more information contact: [email protected]