Emerson David – University of California Davis David Elyea – San Joaquin Delta College Scott Gibson – University of Maryland Jeremy Hanson – Iowa State.

Slides:



Advertisements
Similar presentations
Service Manager for MSPs
Advertisements

Eric J. Oszakiewski MCTS: SharePoint Application Development SharePoint Configuration.
CASE STUDIES Indiana University University of California, Davis University of Maryland San Joaquin Delta College University of Arizona University of Washington.
Kuali Identity Management: Introduction and Implementation Options Jasig - Spring 2010 Wednesday, March 10, :30 am.
Introduction to Kuali Rice ITANA Screen2Screen: Kuali on Campus May 2009 Eric Westfall – Kuali Rice Project Manager.
Edoclite and Managing Client Engagements What is Edoclite? How is it used at IU? Development Process?
Kuali Rice at Indiana University Important Workflow Concepts Leveraged in Production Environments July 29-30, 2008 Eric Westfall.
© 2004, The Trustees of Indiana University 1 OneStart Workflow Basics Brian McGough, Manager, Systems Integration, UITS Ryan Kirkendall, Lead Developer.
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 7: Planning a DNS Strategy.
Integrating CRM On Demand with the E-Business Suite to Supercharge your Sales Team Presented by: Tom Connolly, Jason Lieberman Company: BizTech Session.
CASE STUDY: UNIVERSITY OF CALIFORNIA, DAVIS. UNIVERSITY OF CALIFORNIA, DAVIS Implemented Rice in October 2009 Integrated home-grown Faculty Merit.
LDS Account and the Java Stack. Disclaimer This is a training NOT a presentation. – Be prepared to learn and participate in labs Please ask questions.
Open source administration software for education software development simplified KRAD Kuali Application Development Framework.
Implementing Kuali Identity Management at your Institution Kuali Days VIII San Antonio Texas Pre-conference Workshop Monday, November 16, a.m. -
Introduction to Kuali Rice Presented at Internet2 April 2009 Eric Westfall – Kuali Rice Project Manager Bill Yock – Vice Chair, Kuali Rice Board of Directors.
Technical Overview of Kuali Rice UC Davis, Information & Educational Technology January 2009.
Electronically approve and create Suppliers in Oracle Financials using a combination of APEX and Oracle Workflow. NZOUG Conference 2010 Brad Sayer Team.
Kuali Rice Technical Overview February Components of Rice  KEWKuali Enterprise Workflow  KNSKuali Nervous System  KRADKuali Rapid Application.
Authorization Scenarios with Signet RL “Bob” Morgan University of Washington Internet2 Member Meeting, September 2004.
1 Kuali Identity Management Advanced CAMP: Identity Services Summit for Higher Ed Open / Community-Source Projects.
Kuali Rice at Indiana University Rice Setup Options July 29-30, 2008 Eric Westfall.
What is Architecture  Architecture is a subjective thing, a shared understanding of a system’s design by the expert developers on a project  In the.
Technical Overview for “Functionals” (Kuali-eze…It’s a Foreign Language!) Ailish Byrne, Indiana University Barbara Sutton, Cornell University.
Eric Westfall – Indiana University Jeremy Hanson – Iowa State University Building Applications with the KNS.
Rice Status Update University of California July 20, 2009 Eric Westfall – Kuali Rice Project Manager.
Uniting Cultures, Technology & Applications A Case Study University of New Hampshire.
Kuali Nervous System Aaron Godert, Cornell University Jonathan Keller, University of California, Davis.
RECALL THE MAIN COMPONENTS OF KIM Functional User Interfaces We just looked at these Reference Implementation We will talk about these later Service Interface.
Identity Management Access control / access management
Open source administration software for education software development simplified Kuali – IDM Requirements Summary Eric Westfall - Indiana University Matt.
INTEGRATION WITH OTHER IDM SOLUTIONS Remember… The primary goal of KIM was to build a service- oriented abstraction layer for Identity and Access Management.
Developing Applications for SSO Justen Stepka Authentisoft, LLC
Kuali Nervous System Aaron Godert, Cornell University Jonathan Keller, University of California, Davis.
Kuali Enterprise Workflow Presented at ITANA October 2009 Eric Westfall – Kuali Rice Project Manager.
KUALI IDENTITY MANAGEMENT Provides services for Identity and Access Management in Kuali Integrated Reference Implementations User Interfaces An “integration.
Module 5 Configuring Authentication. Module Overview Lesson 1: Understanding Classic SharePoint Authentication Providers Lesson 2: Understanding Federated.
Presentation. Recap A multi layer architecture powered by Spring Framework, ExtJS, Spring Security and Hibernate. Taken advantage of Spring’s multi layer.
UCLA Enterprise Directory Identity Management Infrastructure UC Enrollment Service Technical Conference October 16, 2007 Ying Ma
Building Applications with the KNS. The History of the KNS KFS spent a large amount of development time up front, using the best talent from each of the.
1 Schema Registries Steven Hughes, Lou Reich, Dan Crichton NASA 21 October 2015.
Database Design and Management CPTG /23/2015Chapter 12 of 38 Functions of a Database Store data Store data School: student records, class schedules,
Kuali Enterprise Workflow Kuali Days – November 2008 Scott Gibson, University of Maryland Bryan Hutchinson, Cornell University James Smith, University.
Empowering people-centric IT Unified device management Access and information protection Desktop Virtualization Hybrid Identity.
Kuali Identity Management Overview. Why did we write KIM? Common Interface for Kuali Applications Provide a Fully-Functional Product A Single API for:
Kuali Rice Evolving the Technology Framework for Kuali Applications Brian McGough (Indiana University) Aaron Godert (Cornell University) Warner Onstine.
Kuali Rice A basic overview…. Kuali Rice Mission First and foremost to provide a consistent development framework and common middleware layer for Kuali.
Capital Asset Management May 14, 2008 Today’s Presenters: Anna Jensen, Director of Auxiliary Accounting, Capital Asset Management, Accounts Receivable,
Kuali Rice at Indiana University From the System Owner Perspective July 29-30, 2008 Eric Westfall.
Implementing Kuali Identity Management at your Institution Jasig Spring 2010 Wednesday, March 10, am.
.  A multi layer architecture powered by Spring Framework, ExtJS, Spring Security and Hibernate.  Taken advantage of Spring’s multi layer injection.
Windows Role-Based Access Control Longhorn Update
Kuali Identity Management: Introduction and Implementation Options Jasig - Spring 2010 Wednesday, March 10, :30 am.
8th Sakai Conference4-7 December 2007 Newport Beach Integration: Users and Groups Mark J. Norton Nolaria Consulting.
Kuali Rice: General Overview Brian McGough Kuali Rice Project Manager Kuali Lead Architect Director, Enterprise Software, IU May 13, 2008.
Claims-Based Identity Solution Architect Briefing zoli.herczeg.ro Taken from David Chappel’s work at TechEd Berlin 2009.
Master Data Management & Microsoft Master Data Services Presented By: Jeff Prom Data Architect MCTS - Business Intelligence (2008), Admin (2008), Developer.
KEW Definitions Document Type The Document Type defines the routing definition and other properties for a set of documents. Each document is an instance.
KIM: Kuali Abstraction Layer for Identities, Groups, Roles, and Permissions.
ISC-ASTT PennGroups Central Authorization System (Grouper) June 2009.
Implementing Kuali Identity Management at your Institution Jasig Spring 2010 Wednesday, March 10, am.
Kuali Identity Management: Introduction and Implementation Options Jasig - Spring 2010 Wednesday, March 10, :30 am.
What’s new with Grouper 26-April-2010, Spring Member Meeting Chris Hyzer, Grouper developer.
CERN IT Department CH-1211 Genève 23 Switzerland t Single Sign On, Identity and Access management at CERN Alex Lossent Emmanuel Ormancey,
Introduction to Terra Dotta Applications Integration with Campus Data Systems for institutions beginning their software implementation.
Chart of Accounts Bill Overman, Indiana University.
October 2014 HYBRIS ARCHITECTURE & TECHNOLOGY 01 OVERVIEW.
Introducing OpenLMIS 13 December 2016.
CollegeSource Security Application &
Implementing Kuali Identity Management at Your Institution
Contract Management Software 100% Cloud-Based ContraxAware provides you with a deep set of easy to use contract management features.
Presentation transcript:

Emerson David – University of California Davis David Elyea – San Joaquin Delta College Scott Gibson – University of Maryland Jeremy Hanson – Iowa State University Eric Westfall – Indiana University IMPLEMENTING KUALI IDENTITY MANAGEMENT Pre-Conference Seminar

WELCOME! OUTLINE FOR TODAY’S SESSION… What is KIM? Terminology End-User Functionality and User Interface Services and Architecture Break Implementation Options Integration with other IAM Solutions Institutional Use Cases KIM in Rice 2.0

WHAT IS KIM? A module of Kuali Rice Services for Identity and Access Management Integrated Reference Implementation Maintenance User Interfaces An “integration platform” for IAM within Kuali Despite the name, KIM is not just Identity Management, it’s also Access Management!

WHAT KIM IS NOT KIM is NOT a full Identity and Access Management solution It does not provide built-in services for: Provisioning Duplicate identity reconciliation, merging, splitting Password management Authentication Can integrate with other solutions: CAS, Shibboleth, institution-specific, etc. Directory services Typically provided by 3 rd party LDAP solutions

MOTIVATIONS FOR THE CREATION OF KIM Expansion of Kuali Kuali Financial System Kuali Coeus Kuali Student Kuali OLE Kuali People Management More to come…! Kuali is continually expanding. Shared Identity API Shared Authorization API

WHAT WE DID NOT WANT KFSKC KS IDM

WHAT WE DID WANT KFSKC KS KIM

AUTHORIZATION AS A SERVICE Groups Perms Application Code Perms Application Code Who has access to what?

AUTHORIZATION AS A SERVICE Groups Perms Application Code Who has access to what? Kuali Identity Management

DESIGN CONSIDERATIONS Kuali applications need to be deployed in disparate environments throughout higher education Legacy and Pre-existing Implementations Existence of Other IdM Solutions Service independence Pluggable and Replaceable Services Service Bus integration Maintenance GUIs Workflow engine integration

KIM TERMINOLOGY Namespace Entity Principal Principal ID Principal Name Person Entity Type Group Role Qualifier Permission / Permission Template Responsibility / Responsibility Template

NAMESPACE Prevent Naming Conflicts Allow for Permissions to be Segmented Examples: KR-KNS KR-WRKFLW KFS-SYS KFS-AP KC-SYS

ENTITY Principal Principal ID Principal Name Entity Type Names Addresses Phone Numbers Addresses Affiliations

PERSON Person is a simplified representation of a Principal and it’s related Entity Includes only the “default” values for various entity attributes, including: Default name Default address Default phone number Default affiliation Etc. It exists to provide a more streamlined representation of the Entity and Principal data model for API clients to work with

GROUP Namespace Name Group Type Attributes Members Principals Nested groups Membership is effective dated

ROLE Namespace Name Role Type Members Principals Groups Nested roles Membership can be “qualified”

ROLE Permissions – granted to roles Responsibilities – assigned to roles Delegations Primary Secondary Role Type Services Derived roles Qualifier matching

PERMISSION / PERMISSION TEMPLATE Permission Template Permission Permission Details Permission Type Service Implement custom permission matching logic Assigned to Roles

RESPONSIBILITY / RESPONSIBILITY TEMPLATE Responsibility Template Review Resolve Exception Responsibility Responsibility Details Responsibility Actions Define workflow requests generated for responsibility Assigned to Roles

END-USER FUNCTIONALITY KIM provides various GUI screens which can be used for: Searching for identity data (groups, roles, permissions, etc.) Finding out more information about a particular piece of identity data Creating new identity data Editing existing data KIM maintenance functions provide integration with Kuali Enterprise Workflow for approval of changes Authorization to perform maintenance functions in KIM is also handled by KIM permissions Typically partitioned by namespace

USER INTERFACE – WE WILL LOOK AT Persons Groups Roles Permissions

PERSON LOOKUP

PERSON INQUIRY

PERSON INQUIRY - MEMBERSHIP

PERSON MAINTENANCE

GROUP LOOKUP

GROUP INQUIRY

GROUP MAINTENANCE

ROLE LOOKUP

ROLE INQUIRY – SIMPLE ROLE

ROLE INQUIRY – DERIVED ROLE

ROLE MAINTENANCE

PERMISSION LOOKUP

PERMISSION INQUIRY

PERMISSION MAINTENANCE

RECALL THE MAIN COMPONENTS OF KIM Functional User Interfaces We just looked at these Reference Implementation We will talk about these later Service Interface API Let’s take a look at the service architecture for Kuali Identity Management

MAIN KIM SERVICES Identity Service Group Service Role Service Permission Service Responsibility Service

IDENTITY SERVICE Responsible for Principals and Entities Principals have a “name” which is intended to be the user name they use to authenticate All principals are associated with an entity There can be different types of entities, including Person and System

IDENTITY SERVICE Numerous pieces of data can be stored about an entity including: names, affiliations, external ids, employment information, address, phone, , privacy preferences (FERPA), etc. Example Service Operations: Get principal by id Get principal by principal name Get entity info by id Get entity info by principal id Get entity privacy preferences

GROUP SERVICE All groups identified uniquely by id or namespace + name Supports nested groups Example Service Operations: Get group by id Get group by name Get groups for principal Is member of group Get member group ids

ROLE SERVICE Roles can have members that are principals, groups or even other roles All members assigned to a role will be granted any permissions or responsibilities that are associated with the role Role membership can optionally be qualified Example Service Operations: Get role by name Get role qualifiers for principal Get role members

PERMISSION SERVICE KIM has the concepts of Permission Templates and Permissions Permission Template represents some course-grained permission Use Screen, Initiate Document, Maintain Records, etc. A Permission is created from a template and has more specific information identified on it’s permission details for example “Initiate Document” of type “Transfer of Funds”

PERMISSION SERVICE Evaluation of permissions is handled by the permission service. KIM provides plug points for implementing custom logic for permission checking Example: permission checks based on hierarchical data This is referred to as a “PermissionTypeService” Example Service Operations: Is principal authorized by permission name with details Is principal authorized by permission template name with details Get assignees for permission Get authorized permissions for principal Get ids of roles that have given permission

RESPONSIBILITY SERVICE Provides integration of KIM with workflow engine via Responsibility Actions These define what actions the principal needs to take (i.e. approve, acknowledge, fyi) on workflow processes Responsibility details identify when these actions are applied during the routing process Responsibility Actions also provide delegation support (for both routing and permission delegation) Example Service Operations: Get responsibilities by name Get responsibility actions Get responsibility actions by responsibility template Does principal have responsibility

ADDITIONAL KIM SERVICES Type Services Authentication Service Identity Management Service Role Management Service Person Service Identity Archive Service

KIM “TYPES” AND TYPE SERVICES In KIM, certain pieces of data are “typed” Types can be used as an organizational tool Also used to customize behavior via “Type Services” Types can be associated with a service which KIM delegates to for certain operations Note that Kim Type Services are not part of the “public” API for KIM, but rather are used behind some of the reference service implementations

SUPPORT KIM TYPE SERVICES Supported Type Services include: KimRoleTypeService KimPermissionTypeService KimGroupTypeService KimResponsibilityTypeService KimDelegationTypeService Let’s look at a couple of these in more detail

ROLE TYPE SERVICES To customize Role behavior you can implement a custom “RoleTypeService” This can provide for the following features: Qualifier Matching Validation (through UI) Derived Roles Qualifier conversion for nested Roles

ROLE QUALIFIER MATCHING RoleService delegates to two API methods on RoleTypeService doesRoleQualifierMatchQualification doRoleQualifiersMatchQualification Takes a set of incoming qualifiers and compares them with qualifiers on each role membership Return true if they “match” These operations are essentially the same, except the second one allows for checking multiple Role Qualifiers at once

ROLE QUALIFIER MATCHING Default implementation just does a straight equality comparison of “incoming qualifiers” and “role member qualifiers” Can implement custom qualification matching logic by creating a custom RoleTypeService Examples: Hierarchy-based check Other comparisons that may need to interact with data or services external to KIM

ROLE DERIVATION As discussed previously, in some cases Role membership cannot be defined statically Typically used for situations where roles are defined in other systems external to KIM Examples: “All Users of the System” – derive the role based on the KIM principal table “All students” – derive the role based on information stored in an external Student Information System

ROLE DERIVATION RoleService delegates to three operations on RoleTypeService: isApplicationRoleType hasApplicationRole getRoleMembersFromApplicationRole Note that the term “application role” and “derived role” mean the same thing in this context isApplicationRoleType is used to determine if the type implements a derived role hasApplicationRole is used to check if a given principal has the derived role getRoleMembersFromApplicationRole is responsible for resolving all the derived members

PERMISSION TYPE SERVICE To customize Permission behavior you can implement a custom “PermissionTypeService” This can be used to implement custom matching logic for permission details getMatchingPermissions Default implementation just does a straight equality comparison of incoming details against a list of possible permission candidates, returning the ones that “match” Custom logic can be implemented here for things like hierarchy-based checks or checks against external systems

AUTHENTICATION SERVICE Extracts information on who the current authenticated principal is Typically from the HttpServletRequest Informs the application of the principal name that has authenticated Default implementation simply reads the “remote user” on the HTTP request

IDENTITY MANAGEMENT SERVICE Client-side façade that sits on top of most of the KIM services Identity Service Group Service Permission Service Responsibility Service Provides caching functionality

ROLE MANAGEMENT SERVICE Client-side façade for the KIM Role Service Provides caching functionality Separate from IdentityManagementService Performing authorization checks based on permissions is best practice Because of this, role membership should not be checked directly in most cases

PERSON SERVICE Provides an API for working with simplified Person data model Person data model includes Default entity data Principal data for the entity Implements caching functionality

IDENTITY ARCHIVE SERVICE Handles archiving of identity data to provide important attributes as backup in the case of identity removal Sits behind the main IdentityService This comes into play depending on an institution’s retention policy on identities Some applications may store references to principal ids for long periods of time If the backend of the identity service fails to resolve a particular principal id, it will be searched for in the identity archive

KIM SERVICE ARCHITECTURE

IMPLEMENTATION OPTIONS Out-of-the-box (no changes) Data feeds into KIM database Service Customization Hybrid of the Strategies above

OUT-OF-THE-BOX Use the delivered KIM service reference implementations Use the delivered KIM database tables Create Persons, Groups, Roles manually via the GUI May do an initial load of person data Mostly used when only a small number of identities are required Best used for small applications on a Kuali Rice infrastructure that’s not institution-wide

DATA FEEDS INTO KIM DATABASE Use the delivered KIM service reference implementations Use the delivered KIM database tables Use batch or external processes to periodically populate KIM database with identity data Allows for KIM identity data set to match that available at institution No need to maintain data separately Care must be taken to ensure data parity and prevent stale data

SERVICE CUSTOMIZATION Override or replace the reference implementations for the various KIM services Each of the services in KIM can be customized individually Example: LDAP integration Has implications on the KIM user interface screens

KIM SERVICES Authentication Service – might override Identity Service – likely to override Group Service – might override Permission Service – unlikely to override Role Service – unlikely to override Identity Archive Service – unlikely to override Both Permission and Role Service have an extra abstraction layer behind them that allows for customization without overriding

HYBRID SOLUTIONS In practice, many implementations will use a hybrid of these various options For example: Load entity and principal data periodically into KIM database, use reference IdentityService implementation Use standard out-of-the-box GroupService implementation (no external integration) Customize the IdentityArchiveService to read historical identity data from an external source Use reference Permission and Role services

CHOOSING THE OPTION THAT’S RIGHT FOR YOU! Might depend on: which external systems or data sources you want to integrate with KIM size of your KIM implementation (amount of data) performance considerations expected usage of the KIM GUI screens the role that KIM will play at your institution

DISCUSSION TOPIC Has anyone already worked on KIM implementations in the audience? If so, which approach did you take? What was your outcome?

INTEGRATION WITH OTHER IDM SOLUTIONS Remember… The primary goal of KIM was to build a service- oriented abstraction layer for Identity and Access Management Integration with other IDM services was acknowledged, expected, and designed for!

KIM INTEGRATION Integration with various Identity Management Components

KIM INTEGRATION Rice Database KIM Service Layer Reference Implementations

KIM INTEGRATION WITH CAS – Authentication system for Single Sign On (SSO) Two ways to integrate: CAS Server Rice Client Application Integration with Rice Client application will be the most likely integration scenario this is what we will focus on

CAS – RICE CLIENT INTEGRATION Integrate the CAS client with: Kuali Rice Standalone Server A Kuali Rice client application KIM provides an “AuthenticationService” which is used to inform the Rice framework about the authenticated principal Default implementation simply reads REMOTE_USER Sufficient for CAS integration

CAS – SETUP Simply configure the standard CAS servlet filters in your web.xml as you would normally AuthenticationFilter Cas20ProxyReceivingTicketValidationFilter HttpServletRequestWrapperFilter The usernames entered into the CAS login must match the principal names in your KIM implementation

KIM INTEGRATION WITH Microsoft Active Directory provides “LDAP-like” directory services among other network services You can integrate with this through LDAP (see next topic) Can also use this for groups This particular usage has been implemented at Indiana University We will look at it in detail during the case studies

INTEGRATING KIM WITH LDAP FOR IDENTITY LDAP Integration Efforts University of Arizona San Joaquin Delta College UC Davis Naval Post Graduate School Others… rSmart has worked with these various institutions to implement this integration

INTEGRATING KIM WITH LDAP FOR IDENTITY Will be included as a standard feature in a future version of Kuali Rice. Code exists in Rice 2.0, not fully tested for Beta1 Essentially involves customizing the IdentityService to load entity data from LDAP Will learn more details about how this works in the University of Arizona case study

KIM INTEGRATION WITH Intra-campus Web SSO Federated Access to a Rice application Using Shibboleth Attributes for KIM authorization

FEDERATED AUTHENTICATION Shibboleth Login Process

FEDERATED AUTHENTICATION Protecting a Rice application as a Service Provider (SP) A web server and openssl must be available first Add Shibboleth filters to the web server. Metadata defines the attributes to be passed between the Identity Provider and Service Provider. Override KIM Authentication Service

FEDERATED AUTHENTICATION Metadata Example: <AttributeRule Name=“urn:mace:dir:attribute-def:eduPersonPrincipalName” Header=“REMOTE_USER” Alias=“eppn”>

AUTHORIZATION ATTRIBUTES Using Shibboleth Attributes for KIM Authorization Entity Attributes Group Roles Permissions / Responsibilities

KIM INTEGRATION WITH In collaboration with Kuali Rice, the Internet2 Grouper team created a connector from the KIM GroupService to Grouper This connector was released and is available in Grouper 1.6 and later releases

ADAPTER OVERVIEW Custom Implementation of KIM Services using Grouper Client API GroupService GroupUpdateService IdentityService

INSTALLATION grouperClient.jar grouperKimConnector.jar grouper.client.properties Override kimGroupService and kimIdentityService

HOW TO OVERRIDE A KIM SERVICE <beans xmlns= ans …

KIM INTEGRATION WITH Recall… Earlier we stated that KIM is NOT an identity aggregator or provisioning tool However, Microsoft Forefront has this functionality Indiana University has used this tool as part of it’s Kuali Identity Management implementation Essentially synchronizes identities from multiple sources into our KIM database Will talk about this more in the IU case study

DISCUSSION TOPIC Is anyone looking to integrate KIM with services other than those we have discussed here?

CASE STUDIES Indiana University University of Maryland San Joaquin Delta College University of California, Davis University of Arizona University of Washington 88

CASE STUDY: INDIANA UNIVERSITY

INDIANA UNIVERSITY Implemented Rice in February 2011 Kuali Financial System - partial implementation – May 2010, full implementation December 2012 Kuali Coeus 3.0 implemented July 2011 Implementation of KIM includes a hybrid of data loading into KIM database tables and service overrides KIM provides the primary IAM services for many of our enterprise software applications 90

IDENTITY DATA Indiana University uses a tool from Microsoft called Identity Lifecycle Management (ILM) ILM aggregates identity data from various sources – HR, PeopleSoft, etc. It can then feed that data in close to real time to other systems At IU, Kuali Identity Management is one of those systems Built a web service that sits on top of KIM that implements CRUD operations for identity data 91

ILM-KIM ARCHITECTURE 92

PRINCIPAL ID AND PRINCIPAL NAME In KIM the Principal ID must be unique across the implementation At IU we are using our PeopleSoft “Employee ID” for both our principal and entity ids We are using the user’s “network id” for their principal name 93

HISTORICAL DATA IU has a large historical data set of users Many of these could have participated in workflow transactions as long as 8 years ago KIM has the “IdentityArchiveService” that can be used to retrieve historical entity data – A subset of the full entity data We pull this historical data into the designated KIM table from an external source when it is requested 94

GROUPS AND ACTIVE DIRECTORY IU has a large Microsoft Active Directory implementation Contains many, many groups that customers want to use for role assignment and routing We override the GroupService so that it pulls from both the KIM database and from ADS (via LDAP) We identify ADS groups by giving them an “ADS” namespace Generate group ID based on ADS group name 95

ADS – KIM GROUP REQUIREMENTS Should be able to use ADS groups in addition to the out-of-the-box KIM group store Groups must have a unique ID Groups are also uniquely identified by a combination of Namespace and Name Group membership can be nested

ADS GROUP INTEGRATION – IMPLEMENTATION ADS groups are assigned a namespace of “ADS” which allows the GroupService to determine how to load the Group ADS groups have an ID assigned to them consisting of “ADS” and the group name i.e. ADS:MyAdsGroupName

ADS GROUP INTEGRATION – GROUPSERVICE Override the GroupService so that it loads groups from both ADS (via LDAP) and the KIM database IF - id starts with “ADS” or namespace equals “ADS”, query ADS ELSE - delegate to reference implementation Various operations need to be customized including operations to load GroupInfo objects as well as checking Group membership Also customize the Group Lookup screen so that it can search for Groups in ADS

AUTHENTICATION Use a customized version of CAS Override the default AuthenticationService implementation Pulls authenticated principal name from our custom CAS filter which we use for Java applications 99

USER INTERFACES Person – isn’t used to maintain person data, but does permit role/group assignment Group – can be used to create and edit groups unless their namespace is “ADS” Accomplished using permissions Role –using out-of-the-box implementation 100

FUTURE PLANS Upgrade to Rice 2.0 – Q Kuali Financial System – full implementation – Q Roll out of a system to track “Data Manager” and “Data Steward” roles and implement related workflow processes Integrate KIM roles and permissions with our Decision Support and reporting environments Integrate Role assignment with our HR system at time of hire or position change Begin modeling more Roles at IU using KIM to facilitate authz and role-based routing 101

CASE STUDY: UNIVERSITY OF MARYLAND

UNIVERSITY OF MARYLAND Implemented Rice September 2010 Invested in multiple Kuali Projects Currently using eDoc Lite Rice currently in production

UMD KIM IMPLEMENTATION Implemented Institutional versions of Identity Service Single Sign On Used out of the box implementations of Group Service Role Service Permission Service Responsibility Service Customized some screens

UMD IDENTITY DATA SOURCE University Person System (UPS) In House Identity system Contains student and employee Bio- Demographic data Database backed system UID’s from LDAP fed into UPS nightly

UMD IDENTITY ARCHITECTURE: SIMPLIFIED Legacy UPS Web LDAP RICE

UMD DATA MAPPING KIMUMD principalIdUPS: ID principalNameLDAP: UID entityIdUPS: ID employeeIdUPS: ID Name, Address, Phone and mapped easily Only mapped primaryDepartmentCode in Employment Info UMD does not use multiple principals for an entity

UMD IMPLEMENTATION Created a custom module and included it in our Rice deployment Identity Service implementation connects directly to the UPS database uses JPA for persistence layer Mapped our Unit Hierarchy as a KNS Business Object for use as Role Qualifiers and in workflow routing

UMD INSTITUTIONAL DATA MODIFICATIONS Created system user kr in institutional identity systems Added kr to LDAP to reserve principal name, user cannot login Added kr to UPS system

UMD RICE DATA MODIFICATIONS Assigned Technical Administrator Role, WorkflowAdmin Group, and NotificationAdmin Group via database insert to initial administrators All other role and group assignments to be done via screens to maintain audit trail Removed principal admin from all roles and groups Increased initial sequence values to prevent conflicts Added UMD Roles, Permissions, and Responsibilities via database insert

UMD PERSON LOOKUP MODIFICATIONS Principal Name is our LDAP UID which is referred to as Directory ID Entity ID maps to our UPS ID and is referred to as UID Added dropdown control populated by our unit hierarchy for Primary Department Removed unnecessary fields

UMD PERSON LOOKUP MODIFICATIONS UMD Person LookupRice Person Lookup

UMD AUTHORIZATION: NAMESPACES UMD-RICE - for all additional Rice roles and permissions Aids in tracking and prevents future conflict UMD-EDOC-IRPA – for all our customers roles and permissions Clean separation allows easier permission configuration

UMD AUTHORIZATION: PERMISSIONS Further restrict access to Identity screens Created permission for viewing Admin tab on Rice portal and modified portal to call KIM Assign roles in our customers namespace

UMD AUTHORIZATION: ROLES Most roles were created for workflow routing Customers maintain role assignments through role maintenance screen Created exception handling role for base UMD document type

UMD TECHNICAL TIPS Created proxy service that called Rice Identity Service if user not found in UMD Service Allowed us to focus on identity without authorization Aided in debugging during development Write SQL as independent of sequence primary keys as possible Use subselects and currval Easier to apply to multiple environments

UMD REMAINING WORK AND AFTER THOUGHTS Map Affiliation Caused Person screens to be un-editable (for assigning roles) Would have implemented Identity Service in OJB/KNS instead of JPA

CASE STUDY: SAN JOAQUIN DELTA COLLEGE

SJDC IMPLEMENTATION – PRE JULY 2010 Implemented KFS in July 2009 with subset of accounts and end users Overrode IdentityService to pull all entity data from an employee only LDAP Required custom ‘actor’ roles nested inside delivered KFS roles due to small end user base

SJDC IMPLEMENTATION - CURRENT Full campus usage of KFS began in July 2010 One other Rice client app to connect a few legacy systems to KSB Multiple systems of record for identity data including dual LDAP systems

SJDC IMPLEMENTATION - CURRENT Implemented hybrid solution for KIM Bulk loaded data into KIM tables Entity edits performed by Tech staff using KIM GUI screens or SQL Custom Rice lookup connected to student system application to pull identity data for payments to students not yet in KIM tables

SJDC IMPLEMENTATION - FUTURE PLANS Currently Implementing Active Directory Will set up singular LDAP with students and employees Next step is to use Microsoft Forefront to provision identity data Integrate KIM with Forefront Continue to use KIM tables Disable entity edits via the KIM UI Eventually implement KPME and link Forefront for HR data

CASE STUDY: UNIVERSITY OF CALIFORNIA, DAVIS

UNIVERSITY OF CALIFORNIA, DAVIS Deployed Rice to production in October 2009 Integrated home-grown Faculty Merit & Promotion system in February 2010 Upgraded to Rice in August 2010 Integrated Kuali Financial System – phased implementation – August

UCD KIM IMPLEMENTATION UC Davis has a homegrown aggregation system that pushes identity data into LDAP Identity Service is integrated with LDAP Makes calls to LDAP Service library which returns DTOs representing objects in any of three directories “Parses” the DTOs to build Entity and Principal objects [ getEntityInfo(), getPrincipalInfo(), etc. ] Authentication is configured for CAS KIM is the system of record for Roles, Groups, Permissions, and Responsibilities 125

IDENTITY DATA MAPPING Entity ID : Universal User ID in LDAP Principal IDs User Account IDs from account provisioning system exposed in LDAP System generated Principal Names Kerberos Login IDs from account provisioning system exposed in LDAP User defined Principal Names can change over time, but Principal IDs do not

FUTURE PLANS Upgrade to Rice 2.x – 2012 Kuali Financial System – full implementation – 2012 Kuali Coeus – 2012 Integrate KIM with Sun Identity Manager / Sun Role Manager Identity Roles Groups (possibly leverage Grouper & Sun products) Permissions & Responsibilities (maybe) 127

CASE STUDY: THE UNIVERSITY OF ARIZONA

THE UNIVERSITY OF ARIZONA Working on a KFS implementation UA netid is used for authentication Identity information is available in UA’s Enterprise Directory Service (EDS) Connect to EDS using Spring LDAP and overriding the KIM IdentityService In order to use the KIM GUI’s properly, the UIDocumentService is also overridden

KIM WITH LDAP Identity information is available in UA’s Enterprise Directory Service (EDS) Uses Spring LDAP as an adapter layer between Spring and LDAP datasource Uses KIM ParameterService to map between KIM and LDAP attributes Implement / Override KIM IdentityService In order to use the KIM GUI’s properly, the UIDocumentService is also overridden

KIM WITH LDAP Setup Spring LDAP module <bean id=”contextSource” … <bean id=”authenticationSource” … <bean id=”springSecurityAuthenticationSource ” … <bean id=”ldapTemplate ” …

KIM WITH LDAP The Spring LDAP integration and Kuali Rice ParameterService are injected into the EdsPrincipalDaoImpl instance. <bean id=”edsPrincipalDao” class=”edu.arizona.kim.dataaccess.impl.EdsPrincipalDaoImpl”> The EdsPrincipalDaoImpl is an implementation of PrincipalDao which connects to EDS and maps the principal and entity information into KIM domain objects.

SPRING CONFIGURATION EXAMPLE …

FIELD MAPPING PARAMETER entityId=uaid; principalId=uaid; principalName=uid; givenName=sn; principals.active=eduPersonAffiliation; lastName=sn; firstName=givenName; employmentInformation.employeeStatus=uwRegid.*; employmentInformation.employeeId=uwEmployeeID; names.lastName=sn; names.firstName=uwPersonRegisteredFirstMiddle

VALUE MAPPING PARAMETER principals.active.Y=staff,faculty,employee; principals.active.N=student,alum,affiliate;

KIM WITH LDAP Rice ParameterService maps EDS attributes to KIM KIM ClassAttribute NameEDS Attribute Name KimPrincipalInfoprincipalIduaid KimPrincipalInfoentityIduaid KimPrincipalInfoprincipalNameuid KimEntityNameInfolastNamesn KimEntityNameInfofirstNamegivenName KimEntityEmployementInformationInfoemployeeId KimEntityEmployementInformationInfo employee …

KIM WITH LDAP Implement and Override KIM Services kimIdentityService getPrincipal() getPrincipalByPrincipalName() lookupEntities() getEntityDefaultInfo() … UiDocumentService loadEntityToPersonDoc() saveEntityPerson()

CASE STUDY: UNIVERSITY OF WASHINGTON

THE UNIVERSITY OF WASHINGTON Proof of Concept May 2010 Deployed Rice to production February 2011 Integration with.NET Completed a proof of concept Future plans for Rice, KFS, Kuali Student Existing Homegrown systems Several integration points

THE UNIVERSITY OF WASHINGTON LDAP integration KIM integration with home-grown system Hybrid solution Secure web services Source control and build process

THE UNIVERSITY OF WASHINGTON Kuali App Server Astra LDAP SAGE UW Security Handler UW Entity Service UW KIM Group Service UW KIM Role Service Business Users End Users UW Workflow Service SAGE Post Processor Devs Kuali Rice Portal UI End Users

LDAP INTEGRATION Spring LDAP & Spring Security Modules Encryption Configuration Spring System parameters Mapping

ROLES AND GROUPS INTEGRATION JAX-WS used to generate Java classes Roles Mapped directly to ASTRA roles using convention ASTRA “span of control” mapped to KIM qualifiers Groups Mapped to specific roles within ASTRA

WORKFLOW INTEGRATION SimpleDocumentService Routing calls (create, route, approve, etc) Post Processor Callbacks through web services Notification to external system Qualifiers REST Workflow Web Service

OUTCOME AND FUTURE PLANS Highly functional All major integration points completed Code contributions Team confidence What’s Next?

KIM IN RICE 2.0 Lots of back-end changes (same UI) IdentityMangementService and RoleManagementService removed These were mainly used for consolidation and caching Standard and update services combined ex: GroupService and GroupUpdateService Services more standardized Create and update methods New “find” methods using SQL-like criteria Passing and returning immutable objects

KIM IN RICE CACHING New Caching!! OSCache was outdated, dead Caching is now done on each service Using Spring 3.1 cache abstraction with Ehcache You can substitute your own caching library Caching should be safer because we only store immutable objects in cache

2.0 – MODULARIZATION/REFACTORINGS New kim-api module (split from old rice-api module) Standardized package names for api org.kuali.rice.kim.api.group org.kuali.rice.kim.api.identity org.kuali.rice.kim.api.role Etc Simplified class naming: KimGroup -> Group Simplified field names: kimEntityAddressId -> id kimEntityEmployeeStatusCode -> employeeStatusCode

NEW MODEL OBJECT DESIGN Using Immutable objects with a Builder pattern Only have one state Thread-safe Can be used without undesired modifications Construct these with the help of a builder inner class Safer, but also more boilerplate

KIM IN RICE 2.X AND BEYOND Improved XML import/export More closely align data with PESC standards Convert User-Interface to KRAD Newly designed screens with UI expert

QUESTIONS? Finding out more about Kuali Identity Management and Kuali Rice in general Join the mailing list –