1. User Provisioning Project
David Walker
Information and Educational Technology
University of California, Davis
ucdavis.edu

2. Overview What are we doing? What UCTrust does currently
Proposed addition to UCTrust's services
Current status

3. What Are We Doing?
UCTrust federates authentication and identity information during a session.
Many applications need information about their users at other times (e.g., Connexxus, SumTotal.
We are extending UCTrust to exchange identity information when the user is not online.
This was a pain point for SumTotal and Connexxus, among other UC-wide projects.

4. What UCTrust Does Now
A Service Provider (SP) specifies the identity attributes it requires.
Identity Providers (IdP) configure their Attribute Release Policies (ARP) for the SP.
At the start of a session, the SP requests attributes from the IdP for the current user. The IdP returns requested attributes that are allowed by the ARP.

5. Proposal for User Provisioning
A Service Provider (SP) specifies the identity attributes it requires and the people it requires those attributes for.
Identity Providers (IdP) configure their Attribute Release Policies (ARP) for the SP. The IdP also defines the group of its community members required by the SP.
At a time determined by the SP, the SP requests all attributes allowed by the ARP.

6. Four Types of Requests Snapshot Subscription Change Log SSO Event
All identity information for all people..
Subscription
Identity information will be transmitted to the application as add, delete, and update transactions on an event-driven basis.
Change Log
All add, delete, and update transactions that have been generated since the last Snapshot, Subscription, or Change Log.
SSO Event
The existing Shibboleth access type.

7. High-Level Design

8. Current Status
The design has been vetted with the IT Architecture Group and the UCTrust Work Group.
The project will be proposed to the ITLC on September 28
Assuming approval, project will commence in early 2011.