Kuali Identity Management: Introduction and Implementation Options Jasig - Spring 2010 Wednesday, March 10, :30 am

2 Kuali Identity Management: Introduction and Implementation Options Eric Westfall Indiana University Dan Seibert University of California, San Diego

Integrating KIM with other IdM products Implementing Kuali Identity Management at your Institution

4 What is KIM? A module of Kuali Rice Common Interface and Service Layer Integrated Reference Implementation Set of User Interfaces KIM is not just “Identity Management”, it’s also “Access Management”

5 What KIM is Not A Full-Fledged Identity Management System Provisioning Hooks to update other systems Duplication Management An Identity Aggregator An Authentication Implementation

Why Did We Create KIM?

7 Motivations Expansion of Kuali Common Identity Management API Consistent Authorization Implementation

8 What we did not want KF S KC KS IDM

9 What we did want KF S KC KS KI M

10 Design Considerations Existence of Other IdM Solutions Legacy/Existing Implementations Replaceable Services Separation of Concerns Service Bus Maintenance GUIs

KIM Terminology

12 KIM Terminology Namespace Entity Principal Principal ID Principal Name Person Entity Type

13 KIM Terminology Group Role Qualifier Permission / Permission Template Responsibility / Responsibility Template

14 Namespace Prevent Naming Conflicts Allow for Permissions to be Segmented Examples: KR-KNS KR-WRKFLW KFS-SYS KFS-AP KC-SYS

15 Entity Principal Principal ID Principal Name Entity Type Names Addresses Phone Numbers Addresses

16 Group Namespace Group Type Attributes

17 Role Namespace Role Type Qualifiers Role Type Services Delegations Primary Secondary

18 Permission / Permission Template Permission Template Permission Permission Details Permission Type Service Assigned to Roles

19 Responsibility / Responsibility Template Responsibility Template Review Resolve Exception Responsibility Responsibility Details Responsibility Type Service Assigned to Roles

KIM Services

21 Components Service Interface API Reference Implementation Functional Maintenance User Interfaces

22 KIM Core Services Identity Service Group Service Role Service Permission Service Responsibility Service “Authentication” Service

23 Other KIM Services Identity Management Service Role Management Service Person Service Identity Archive Service “Update” Services

24 KIM Service Architecture

25 Remember… The primary goal of KIM was to build a service-oriented abstraction layer for Identity and Access Management Integration with other IDM services was acknowledged, expected, and designed for!

26 KIM Integration Rice Databas e Identit y Servic e Responsibili ty Service Permissio n Service Group Servic e Role Servic e KIM Service Layer Reference Implementations OpenRegistry ?

Integrating KIM with other IdM products Implementing Kuali Identity Management at your Institution

28 KIM Integration Integration with various Identity Management Systems

29 with CAS – Authentication system for Single Sign On (SSO) Two ways to integrate: 1.CAS Server 2.Rice Client Application Integration with Rice Client application will be the most likely integration scenario

30 CAS – Server Integration Implement a custom CAS AuthenticationHandler which interfaces with the KIM services or database Kuali already provides such an implementation in it’s Subversion repository kuali-cas project

31 CAS – Rice Client Integration Integrate the CAS client with: 1.Kuali Rice Standalone Server 2.A Kuali Rice client application KIM provides an “ AuthenticationService ” which is used to inform the Rice framework about the authenticated principal Default implementation simply reads REMOTE_USER Sufficient for CAS integration

32 CAS – Setup Simply configure the standard CAS servlet filters in your web.xml as you would normally AuthenticationFilter Cas20ProxyReceivingTicketValidationFilter HttpServletRequestWrapperFilter The usernames entered into the CAS login must match the principal names in your KIM implementation

33 with Microsoft Active Directory provides “LDAP-like” directory services among other network services We will concentrate on groups defined in ADS and how they can be integrated with the KIM GroupService This particular usage has been implemented at Indiana University

34 ADS – KIM Group Requirements Should be able to use ADS groups in addition to the out-of-the-box KIM group store Groups must have a unique ID Groups are also uniquely identified by a combination of Namespace and Name Group membership can be nested

35 ADS Group Integration – Implementation ADS groups are assigned a namespace of “ADS” which allows the GroupService to determine how to load the Group ADS groups have an ID assigned to them consisting of “ADS” and the group name i.e. ADS:MyAdsGroupName

36 ADS Group Integration – GroupService Override the GroupService so that it loads groups from both ADS (via LDAP) and the KIM database IF - id starts with “ADS” or namespace equals “ADS”, query ADS ELSE - delegate to reference implementation Various operations need to be customized including operations to load GroupInfo objects as well as checking Group membership Also customize the Group Lookup screen so that it can search for Groups in ADS

37 with Recall… Earlier we stated that KIM is NOT an identity aggregator Well, Microsoft Identity Lifecycle Manager (ILM) is! Current branding of this tool is Forefront Identity Manager Indiana University has used this tool as part of our Kuali Identity Management implementation Essentially synchronizes identities from multiple sources into our KIM database

38 Microsoft Identity Lifecycle Management

39 with Intra-campus Web SSO Federated Access to a Rice application KIM as an Identity Provider (IdP) Using Shibboleth Attributes for KIM authorization

40 with Federated Authentication Shibboleth Login Process

41 with Federated Authentication Protecting a Rice application as a Service Provider (SP) A web server and openssl must be available first Install Shibboleth Configure the web server Override KIM Authentication Service Start the Shibboleth daemon, shibd

42 with KIM as an Identity Provider Prerequisites: SSL certificate, source of SAML Metadata Install Shibboleth IdP Load SAML Metadata Configure KIM as the User Authentication Mechanism

43 with KIM as user Authentication Mechanism Define Login Handler to match AuthenticationService Impl Ex: Remote User for reference AuthenticationServiceImpl Username/Password for LDAP Impl

44 with Authorization Attributes Shibboleth Attributes as KIM Authorization Identify Attribute Sources Define Policies for Attribute Handling, for SPs Define New Business Processes Define New Policies

45 with Federated Authentication

46 with Collaborative development of KIM/Grouper Adaptors Chris Hyzer, University of Pennsylvania Differences between KIM and Grouper How they might work together

47 with Differences between KIM and Grouper

48 with Adapter Overview Custom Implementation of KIM Services using Grouper Client API GroupService GroupUpdateService IdentityService

49 with Installation grouperClient.jar grouperKimConnector.jar grouper.client.properties Override kimGroupService

50 Integrating KIM with LDAP UofA LDAP Integration Approach (UCDavis, SJDC also have implementations) Using CAS to connect to LDAP

51 KIM with LDAP (UofA example) UA netid is used for authentication Identity information is available in UA’s Enterprise Directory Service (EDS) Connect to EDS using Spring LDAP and overriding the KIM IdentityService KIM ParameterService provides map between KIM and LDAP attributes In order to use the KIM GUI’s properly, the UIDocumentService is also overridden

52 Integrating KIM with LDAP Configure CAS to connect to LDAP