June 10-15, 2012 Growing Community; Growing Possibilities Dedra Chamberlin, UCSF/UC Berkeley Eric Westfall, Indiana University.

Presentation transcript:


An agile, best-of-breed, community-governed, comprehensive IAM solution for higher education

2012 Jasig Sakai Conference

• Build upon existing open source IAM projects
• Create a comprehensive, modular IAM stack
• Implement open, standards-based architecture
• Reduce ops costs (TCO) through improved integration, automation, QA
• Focus on needs, challenges distinctive to HE
• Avoid vendor lock-in
• Do so by pooling community resources


Central repository of key information about entities belonging to an organization


• Consumer of data – SOR integration
• Reconciler of data – ID match and reconciliation
• Producer of data – Global unique ID
• Organizer of data – standard representation of person profile data
• Provider of data – integration with downstream systems/apps
• Other key functions:
  ◦ Administration – merges, data integrity, reporting
  ◦ Identity lifecycle management

Why are we involved and what do we need?

• UC Berkeley and UCSF have merged IAM oversight and strategy
• Both have IAM systems which need significant revamping and both need a person registry
• Other UC schools also looking at IAM replacements
• The UC system is moving to a common SOR for HR data (PeopleSoft in the cloud)
• Great opportunity for exploring common person registry solutions

• Homegrown “sync code” handles ID match and basic provisioning
• All integration from SORs is via nightly pull from EDW views
• Person data stored in LDAP (currently Oracle DSEE), no “person registry”


• Replace sync code with something more sustainable in the long run – community development and support model
• Opportunity to re-evaluate ID match data
• Opportunity to introduce real-time integration with SORs (and hence downstream customers)
• More integration options for downstream customers

• Homegrown, mainframe-based Individual Identifier System (IID) handles ID Match and Person data repo
• Creates one global identifier for all Systems of Record upon account creation
• Issues many regular batch feeds to downstream systems
• Feeds Enterprise Directory Service (OpenDJ), which in turn feeds other downstream customers


• Mainframe retiring in about 3 years
• Replace IID with something more sustainable in the long run – community development and support model
• Opportunity to introduce real-time integration with SORs (and hence downstream customers)
• More integration options for downstream customers


• Work with CIFER Registry workstream to develop registry solutions that can become part of community supported higher ed suite
• Immediate future – decide on ID match solution and hopefully develop new ID match tools in partnership with Kuali
• Near term – begin deploying a new Registry solution (Jasig’s Open Registry or Penn State’s Central Person Registry)
• Medium term – establish standard outbound integration options for the new registry


• Shared IAM Services
  ◦ Focus on identity functionality for the purpose of this discussion
• Used by many Kuali projects
  ◦ but is general enough to be used outside of Kuali apps
• Provides access to identity data through APIs
• Database-backed reference implementation
• Authoritative source for its consumers
• An “integration platform” for IAM within Kuali

• There are a couple of predominant integration patterns for identity in KIM today
  ◦ Provisioning into the KIM database from SORs
  ◦ Integration with LDAP (or institution-specific identity stores) via KIM APIs
• Furthermore, there are two architectural deployment models for KIM
  ◦ Bundled
  ◦ Standalone

[Diagram: Kuali Coeus with KIM. Either provisioning into database from systems of record, or integration of KIM with directory or similar service. Labels: LDAP, Provisioning, Database.]

[Diagram: KIM with Kuali Coeus, Kuali OLE, Some Application, Some Other Application. Either provisioning into database from systems of record, or integration of KIM with directory or similar service. Labels: LDAP, Provisioning, Database.]

• Kuali is continuing to build out HR and Student System functionality
• These are traditionally Systems of Record for identity
• ID Match is critical
• Institutions can implement only the pieces of Kuali that they want
  ◦ This means applications like Kuali Student or KPME could be paired with things like PeopleSoft, Banner, Workday, SAP, etc.

• We need to continue to evolve our architecture for identity and access management within Kuali
• We have at least 10 major items on our project roadmap related to IAM
• Working with others in various communities on a shared project like CIFER just makes sense
• Identity registries and ID match are our initial area of focus because they are important when dealing with multiple identity sources

What are we talking about, what have we done, and what are we going to do?

• Objective of the Group
  ◦ Catalog requirements for identity registries
  ◦ Develop a plan to identify current gaps
  ◦ Evaluate available identity registry and ID match solutions
  ◦ Develop, document, and exercise standard APIs for interacting with identity registries
• Involved Partners
  ◦ UC Berkeley, UCSF, Brown, U. Washington, Internet2, Indiana, Kuali, SFU, PSU, Open Registry, Rutgers, others
• What are we looking at?
  ◦ A central, single authority Registry
  ◦ Identity Match functionality
  ◦ Working closely with the Provisioning side of CIFER


• Identity Registry Functional Model
• Core Requirements Evaluation
• ID Match
  ◦ Strawman design for ID match system
  ◦ Evaluation of OpenEMPI
• Evaluations of three different Open Source Identity Registry solutions
  ◦ OpenRegistry
  ◦ Penn State’s Central Person Registry (CPR)
  ◦ Kuali Identity Management (KIM)

• For identity match
  ◦ Evaluated OpenEMPI and will decide w/in a month to use or explore other options (integrations, self-written)
• For Registry
  ◦ Evaluated OpenRegistry and CPR
  ◦ Both fairly well-developed, team feels both are viable candidates
• What about KIM?

• Next Steps
  ◦ Potential ID Match “task force”
  ◦ Continued evaluation of registry solutions
  ◦ Work on shared APIs from SORs into a registry
  ◦ APIs for downstream provisioning
• Other Potential Goals
  ◦ Try and get OR out of incubation status
  ◦ Work with PSU to fully “open-source” CPR
  ◦ Increase active community involvement
• Other Initiatives
  ◦ Kuali is doing an evaluation of mapping KIM APIs to CPR
  ◦ UC is doing architectural evaluations
  ◦ Both of these groups are eager to move things forward!

• Your Input
  ◦ We need your input on the integration points
    • SORs to Registry
    • Development of shared APIs
• Your Experiences
  ◦ Have you tackled similar problems in the past?
  ◦ Have experience with implementation of an identity registry or ID match solution?
• Your Help!
  ◦ If your campus has registry needs, consider getting involved by investing into this effort!

• Possible future IAM Online
• Registries team wiki:
• Future Home Page (work-in-progress!):
• Send to if you are interested in finding out more info or getting involved in any of the

For more information contact: