User Provisioning Project
Presented to ITLC, September 28, 2010
David Walker, ITAG Co-Chair, Information and Educational Technology, UC Davis
Mary Doyle, ITAG ITLC Liaison, Information Technology Services, UC Santa Cruz

Project Team
- Arlene Allen, UCSB
- Dede Bruno, UCOP
- Mary Doyle, UCSC
- Max Garrick, UCI
- David Walker, UCD
- Albert Wu, UCLA

Overview
- The Charge from ITLC
- What UCTrust Does Currently
- What We Are Proposing
- High-Level Design
- Proposal for Provisioning
- Resource Assumptions
- Current Status
- Discussion

The Charge from ITLC
1. ITAG should recommend a specific middleware platform/approach to evaluate and pilot.
2. ITAG should consider various projects/initiatives that could serve as a pilot for the approach.
3. ITAG should present thoughts/observations relating to the resources required to complete a successful pilot.

What UCTrust Does Now
- A Service Provider (SP) specifies the identity attributes it requires.
- Identity Providers (IdPs) configure their Attribute Release Policies (ARPs) for the SP.
- At the start of a session, the SP requests attributes from the IdP for the current user. The IdP returns the requested attributes that the ARP allows.

What Are We Proposing, and How Does it Differ?
- UCTrust federates authentication and identity information during a session.
- Many applications need information about their users at other times (e.g., Connexxus, SumTotal).
- We propose extending UCTrust to exchange identity information when the user is not online.
- This was a pain point for SumTotal and Connexxus, among other UC-wide projects.

Proposal for User Provisioning
- A Service Provider (SP) specifies the identity attributes it requires and the people it requires those attributes for.
- Identity Providers (IdPs) configure their Attribute Release Policies (ARPs) for the SP. The IdP also defines the group of its community members that the SP requires.
- At a time determined by the SP, the SP requests all attributes allowed by the ARP for the members of that group.

Four Types of Requests
- Snapshot: all identity information for all people.
- Subscription: identity information is transmitted to the application as add, delete, and update transactions on an event-driven basis.
- Change Log: all add, delete, and update transactions generated since the last Snapshot, Subscription, or Change Log.
- SSO Event: the existing Shibboleth access type.
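As an added example (not code from UCTrust, Shibboleth or the ITAG project), the following Python models the attribute-release flow from the "What UCTrust Does Now" slide and the three provisioning request types listed above on one toy IdP, so the interplay of the ARP and the SP's group can be seen concretely. The entityID, the eduPerson-style records, the ARP and the group rule are constructed; `IdP`, `Event`, `_translate` and `demo` are names chosen here. The part worth noticing is `_translate`: a directory update that only touches an attribute the ARP withholds produces no transaction for the SP, and a change that moves a person into or out of the SP's group surfaces as an add or a delete rather than an update, so the offline channel releases no more than the session channel does.

```python
"""Toy Identity Provider modelling UCTrust attribute release and the proposed
Snapshot, Subscription and Change Log request types next to the existing SSO
Event.  Added example, not UCTrust, Shibboleth or ITAG code; all entityIDs,
records and policies are constructed for illustration."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple

Record = Dict[str, str]
Tx = Tuple[str, str, Record]  # (add|update|delete, principal, released attributes)


@dataclass
class Event:            # one directory change; Change Log and Subscription derive from these
    seq: int
    principal: str
    before: Record      # {} for an add
    after: Record       # {} for a delete


class IdP:
    def __init__(self) -> None:
        self.directory: Dict[str, Record] = {}
        self.journal: List[Event] = []
        self.arp: Dict[str, Set[str]] = {}                    # SP entityID -> releasable attributes
        self.scope: Dict[str, Callable[[Record], bool]] = {}  # SP entityID -> "people the SP needs"
        self.subscribers: List[Tuple[str, Callable[[Tx], None]]] = []

    # Per-SP policy configured at the IdP: the ARP plus the group it applies to.
    def register_sp(self, sp: str, attributes: Set[str], in_scope: Callable[[Record], bool]) -> None:
        self.arp[sp] = set(attributes)
        self.scope[sp] = in_scope

    def _release(self, sp: str, record: Record) -> Record:
        # Fail closed: an SP without an ARP receives nothing, whatever the request type.
        return {k: v for k, v in record.items() if k in self.arp.get(sp, set())}

    def _in_scope(self, sp: str, record: Record) -> bool:
        return bool(record) and sp in self.scope and self.scope[sp](record)

    def _translate(self, sp: str, ev: Event) -> Optional[Tx]:
        """Turn a directory event into the transaction this SP is entitled to see."""
        was, now = self._in_scope(sp, ev.before), self._in_scope(sp, ev.after)
        if not was and not now:
            return None
        if was and not now:                      # left the SP's group, or was deleted
            return ("delete", ev.principal, {})
        if not was and now:                      # joined the SP's group, or was added
            return ("add", ev.principal, self._release(sp, ev.after))
        old, new = self._release(sp, ev.before), self._release(sp, ev.after)
        return None if old == new else ("update", ev.principal, new)   # withheld-only changes stay hidden

    # Directory maintenance: the source of the event stream.
    def write(self, principal: str, record: Record) -> None:
        before = self.directory.get(principal, {})
        self.directory[principal] = dict(record)
        self._emit(principal, before, dict(record))

    def delete(self, principal: str) -> None:
        self._emit(principal, self.directory.pop(principal), {})

    def _emit(self, principal: str, before: Record, after: Record) -> None:
        ev = Event(len(self.journal) + 1, principal, before, after)
        self.journal.append(ev)
        for sp, callback in self.subscribers:    # Subscription: pushed as events happen
            tx = self._translate(sp, ev)
            if tx is not None:
                callback(tx)

    # The four request types.
    def sso_event(self, sp: str, principal: str) -> Record:
        return self._release(sp, self.directory[principal])   # existing flow: one authenticated user

    def snapshot(self, sp: str) -> Tuple[int, Dict[str, Record]]:
        # Everyone in the SP's group, plus the journal mark to hand to the next Change Log.
        data = {p: self._release(sp, r) for p, r in self.directory.items() if self._in_scope(sp, r)}
        return len(self.journal), data

    def change_log(self, sp: str, since: int) -> Tuple[int, List[Tx]]:
        # Transactions generated after `since` (the mark from the last Snapshot or Change Log).
        txs = [tx for ev in self.journal if ev.seq > since and (tx := self._translate(sp, ev)) is not None]
        return len(self.journal), txs

    def subscribe(self, sp: str, callback: Callable[[Tx], None]) -> None:
        self.subscribers.append((sp, callback))


def demo() -> dict:
    """Walk one constructed SP through all four request types; returns what it observed."""
    idp = IdP()
    sp = "https://training.example.org/shibboleth"      # constructed entityID
    idp.register_sp(sp, {"eduPersonPrincipalName", "mail", "eduPersonAffiliation"},
                    in_scope=lambda r: r.get("eduPersonAffiliation") in {"staff", "faculty"})
    pushed: List[Tx] = []
    idp.subscribe(sp, pushed.append)
    idp.write("alice", {"eduPersonPrincipalName": "alice@example.edu", "mail": "alice@example.edu",
                        "eduPersonAffiliation": "staff", "employeeNumber": "1001"})
    idp.write("bob", {"eduPersonPrincipalName": "bob@example.edu", "mail": "bob@example.edu",
                      "eduPersonAffiliation": "student", "employeeNumber": "2002"})
    mark, snap = idp.snapshot(sp)                                                  # only alice
    idp.write("alice", {**idp.directory["alice"], "employeeNumber": "1999"})     # withheld attr: no tx
    idp.write("bob", {**idp.directory["bob"], "eduPersonAffiliation": "faculty"})  # joins group: add
    idp.delete("alice")                                                            # leaves: delete
    _, log = idp.change_log(sp, mark)
    return {"sso": idp.sso_event(sp, "bob"), "snapshot": snap, "change_log": log, "pushed": pushed}
```

Running `demo()` gives a Snapshot holding only alice, a Change Log of an add for bob followed by a delete for alice (alice's employeeNumber change never appears, because the ARP does not release that attribute), the same three transactions pushed to the Subscription callback, and an SSO Event for bob that carries the released attributes only. The SSO Event is modelled without the group check, since the existing session flow releases to whoever authenticates; whether a campus also wants the group to gate interactive logins is a policy decision the deck leaves to Phase 3.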

High-Level Design

Proposed Project Phases and Tasks
Phase 1: Detailed Planning (8 weeks)
  1.1 Staffing/Recruiting
  1.2 Develop Detailed Project Plan
  1.3 Develop Detailed Architecture
Phase 2: Design, Build, Test (approximately one year)
  2.1 Technology evaluation and selection
  2.2 Develop Communications Plan
  2.3 Design and Implement Common IAM Interface
  2.4 Prepare Product Documentation
  2.5 Test, QA
  2.6 Release Product
  2.7 Pilot Deployment

Phases and Tasks, continued
Phase 3: Deployment (approximately 9 months, done by each UC location)
  3.1 Implement Group Manager (Grouper)
  3.2 Implement eduPersonTargetedID
  3.3 Campus policy, procedure, and relationships for brokering requests
  3.4 Integrate Common IAM Interface with local IAM (Snapshot)
  3.5 Integrate Common IAM Interface with local IAM (Subscription and Change Log)

Resource Assumptions - Roles

Role                          Staffing (mostly fractions of time, TBD)
Project Management            1
Outreach/Change Management    1
Technical Architect/Lead      1
Software Development          3
Technical Writer/Logistics    1
Total                         7

Campus Deployment Resource (per campus): each campus will likely require between 1 and 3 FTE during Phase 3 to complete deployment. The number of FTE required will depend on the specific configuration of each campus's identity management infrastructure.

Potential Pilot Projects
- Addition of UCSB to UCLA Administrative Services
- ServiceNow.com (if a UC-wide agreement is in place)

Current Status
- The high-level design has been vetted with the IT Architecture Group and the UCTrust Work Group.
- The proposal is now presented for ITLC consideration and direction to move forward (or not).
- Assuming approval, the next phase of the project will commence in early 2011.

Discussion
- Questions/comments?
- Is ITLC ready to endorse moving forward with the proposed project?