June 10-15, 2012 Growing Community; Growing Possibilities Open Source Person Registries- You want ‘em we got ‘em! Dedra Chamberlin, UCSF/UC Berkeley Eric Westfall, Indiana University


Post on 25-Dec-2015


Page 1: Open Source Person Registries - You want ‘em we got ‘em!

June 10-15, 2012
Growing Community; Growing Possibilities

Dedra Chamberlin, UCSF/UC Berkeley
Eric Westfall, Indiana University

Page 2: What is CIFER?

2012 Jasig Sakai Conference

An agile, best-of-breed, community governed, comprehensive IAM solution for higher education

Page 3: CIFER Objectives

• Build upon existing open source IAM projects
• Create a comprehensive, modular IAM stack
• Implement open, standards-based architecture
• Reduce ops costs (TCO) through improved integration, automation, QA
• Focus on needs, challenges distinctive to HE
• Avoid vendor lock-in
• Do so by pooling community resources

Page 4: CIFER Workstreams

Page 5: What is a Registry?

Central repository of key information about entities belonging to an organization

Page 6: IAM in university environments

Page 7: What is a Registry?

• Consumer of data – SOR integration
• Reconciler of data – ID match and reconciliation
• Producer of data – Global unique ID
• Organizer of data – standard representation of person profile data
• Provider of data – integration with downstream systems/apps
• Other key functions:
  ◦ Administration – merges, data integrity, reporting
  ◦ Identity lifecycle management

Page 8: Where Are We Now?

Why are we involved and what do we need?

Page 9: The UC Story

• UC Berkeley and UCSF have merged IAM oversight and strategy
• Both have IAM systems which need significant re-vamping and both need a person registry
• Other UC schools also looking at IAM replacements
• The UC system is moving to a common SOR for HR data (PeopleSoft in the cloud)
• Great opportunity for exploring common person registry solutions

Page 10: UCB Registry

• Homegrown “sync code” handles ID match and basic provisioning
• All integration from SORs is via nightly pull from EDW views
• Person data stored in LDAP (currently Oracle DSEE), no “person registry”

Page 11: Current UCB Architecture

Page 12: Problems UCB would like to solve

• Replace sync code with something more sustainable in the long run – community development and support model
• Opportunity to re-evaluate ID match data
• Opportunity to introduce real-time integration with SORs (and hence downstream customers)
• More integration options for downstream customers

Page 13: UCSF Registry

• Homegrown, mainframe-based Individual Identifier System (IID) handles ID Match and Person data repo
• Creates one global identifier for all Systems of Record upon account creation
• Issues many regular batch feeds to downstream systems
• Feeds Enterprise Directory Service (OpenDJ), which in turn feeds other downstream customers

Page 14: Current UCSF Architecture

Page 15: Problems UCSF would like to solve

• Mainframe retiring in about 3 years
• Replace IID with something more sustainable in the long run – community development and support model
• Opportunity to introduce real-time integration with SORs (and hence downstream customers)
• More integration options for downstream customers

Page 16: Next Gen Architecture UCB/UCSF

Page 17: Next Steps

• Work with CIFER Registry workstream to develop registry solutions that can become part of community supported higher ed suite
• Immediate future – decide on ID match solution and hopefully develop new ID match tools in partnership with Kuali
• Near term – begin deploying a new Registry solution (Jasig’s Open Registry or Penn State’s Central Person Registry)
• Medium term – establish standard outbound integration options for the new registry

Page 18: The Kuali Story

Page 19: Kuali Identity Management

• Shared IAM Services
  ◦ Focus on identity functionality for the purpose of this discussion
• Used by many Kuali projects
  ◦ but is general enough to be used outside of Kuali apps
• Provides access to identity data through APIs
• Database-backed reference implementation
• Authoritative source for its consumers
• An “integration platform” for IAM within Kuali

Page 20: KIM Integration Patterns

• There are a couple of predominant integration patterns for identity in KIM today
  ◦ Provisioning into the KIM database from SORs
  ◦ Integration with LDAP (or institution-specific identity stores) via KIM APIs
• Furthermore, there are two architectural deployment models for KIM
  ◦ Bundled
  ◦ Standalone

Page 21: Bundling KIM in an Application

[Diagram labels: Kuali Coeus, KIM, LDAP, Database, Provisioning]

Either provisioning into database from systems of record, or integration of KIM with directory or similar service

Page 22: Standalone KIM in the Enterprise

[Diagram labels: KIM, LDAP, Database, Provisioning, Kuali Coeus, Kuali OLE, Some Application, Some Other Application]

Either provisioning into database from systems of record, or integration of KIM with directory or similar service

Page 23: Why is Kuali involved in CIFER?

• Kuali is continuing to build out HR and Student System functionality
• These are traditionally Systems of Record for identity
• ID Match is critical
• Institutions can implement only the pieces of Kuali that they want
  ◦ This means applications like Kuali Student or KPME could be paired with things like PeopleSoft, Banner, Workday, SAP, etc.

Page 24: Continuing to Evolve

• We need to continue to evolve our architecture for identity and access management within Kuali
• We have at least 10 major items on our project roadmap related to IAM
• Working with others in various communities on a shared project like CIFER just makes sense
• Identity registries and ID match are our initial area of focus because they are important when dealing with multiple identity sources

Page 25: The CIFER Registry Group

What are we talking about, what have we done, and what are we going to do?

Page 26: Identity Registry Group

• Objective of the Group
  ◦ Catalog requirements for identity registries
  ◦ Develop a plan to identify current gaps
  ◦ Evaluate available identity registry and ID match solutions
  ◦ Develop, document, and exercise standard APIs for interacting with identity registries
• Involved Partners
  ◦ UC Berkeley, UCSF, Brown, U. Washington, Internet2, Indiana, Kuali, SFU, PSU, Open Registry, Rutgers, others
• What are we looking at?
  ◦ A central, single authority Registry
  ◦ Identity Match functionality
  ◦ Working closely with the Provisioning side of CIFER


Page 28: What’s Been Done?

• Identity Registry Functional Model
• Core Requirements Evaluation
• ID Match
  ◦ Strawman design for ID match system
  ◦ Evaluation of OpenEMPI
• Evaluations of three different Open Source Identity Registry solutions
  ◦ OpenRegistry
  ◦ Penn State’s Central Person Registry (CPR)
  ◦ Kuali Identity Management (KIM)

Page 29: Where are we now?

• For identity match
  ◦ Evaluated OpenEMPI and will decide within a month to use or explore other options (integrations, self-written)
• For Registry
  ◦ Evaluated OpenRegistry and CPR
  ◦ Both fairly well-developed, team feels both are viable candidates
• What about KIM?

Page 30: What’s next?

• Next Steps
  ◦ Potential ID Match “task force”
  ◦ Continued evaluation of registry solutions
  ◦ Work on shared APIs from SORs into a registry
  ◦ APIs for downstream provisioning
• Other Potential Goals
  ◦ Try and get OR out of incubation status
  ◦ Work with PSU to fully “open-source” CPR
  ◦ Increase active community involvement
• Other Initiatives
  ◦ Kuali is doing an evaluation of mapping KIM APIs to CPR
  ◦ UC is doing architectural evaluations
  ◦ Both of these groups are eager to move things forward!

Page 31: What’s Needed?

• Your Input
  ◦ We need your input on the integration points
    ▪ SORs to Registry
    ▪ Development of shared APIs
• Your Experiences
  ◦ Have you tackled similar problems in the past?
  ◦ Have experience with implementation of an identity registry or ID match solution?
• Your Help!
  ◦ If your campus has registry needs, consider getting involved by investing into this effort!

Page 32: More information

• Possible future IAM Online
• Registries team wiki:
  ◦ https://spaces.internet2.edu/x/BJ2KAQ
• Future Home Page (work-in-progress!):
  ◦ http://www.ciferproject.org
• Send email to [email protected] if you are interested in finding out more info or getting involved in any of the workstreams!

Page 33: Questions?

For more information contact: [email protected]