User Provisioning Project
Presented to ITLC September 28, 2010
David Walker, ITAG Co-Chair
Information and Educational Technology, UC Davis
Mary Doyle, ITAG ITLC Liaison
Information Technology Services, UC Santa Cruz
Project Team
Arlene Allen, UCSB
Dede Bruno, UCOP
Mary Doyle, UCSC
Max Garrick, UCI
David Walker, UCD
Albert Wu, UCLA
Overview
• The Charge from ITLC
• What UCTrust Does Currently
• What We Are Proposing
• High-Level Design
• Proposal for Provisioning
• Resource Assumptions
• Current Status
• Discussion
The Charge from ITLC
1. ITAG should recommend a specific middleware platform/approach to evaluate and pilot
2. ITAG should consider various projects/initiatives that could serve as a pilot for the approach
3. ITAG should present thoughts/observations relating to resources required to complete a successful pilot.
What UCTrust Does Now
A Service Provider (SP) specifies the identity attributes it requires.
Identity Providers (IdP) configure their Attribute Release Policies (ARP) for the SP.
At the start of a session, the SP requests attributes from the IdP for the current user. The IdP returns requested attributes that are allowed by the ARP.
What Are We Proposing, and How Does it Differ?
UCTrust federates authentication and identity information during a session.
Many applications need information about their users at other times (e.g., Connexxus, SumTotal).
We propose extending UCTrust to exchange identity information when the user is not online.
This was a pain point for SumTotal and Connexxus, among other UC-wide projects.
Proposal for User Provisioning
A Service Provider (SP) specifies the identity attributes it requires and the people it requires those attributes for.
Identity Providers (IdP) configure their Attribute Release Policies (ARP) for the SP. The IdP also defines the group of its community members required by the SP.
At a time determined by the SP, the SP requests all attributes allowed by the ARP.
Four Types of Requests
Snapshot: All identity information for all people.
Subscription: Identity information will be transmitted to the application as add, delete, and update transactions on an event-driven basis.
Change Log: All add, delete, and update transactions that have been generated since the last Snapshot, Subscription, or Change Log.
SSO Event: The existing Shibboleth access type.
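The release model in the two preceding slides (an ARP that limits what the SP receives, a group that limits whom it receives it for, and Snapshot/Subscription/Change Log requests) as an added toy model; this is not code from the project or the deck, and every person, attribute, policy and group below is constructed sample data:

```python
"""Toy model of the proposal: one IdP releases attributes to one SP under the
IdP's Attribute Release Policy (ARP), scoped to the group the IdP defined for
that SP. All data here is constructed; attribute names are hypothetical."""

# Constructed identity store; 'dob' stands in for an attribute the SP should not get.
PEOPLE = {
    "u1": {"uid": "u1", "displayName": "Ada", "mail": "ada@example.edu", "dob": "1990-01-01"},
    "u2": {"uid": "u2", "displayName": "Bob", "mail": "bob@example.edu", "dob": "1991-02-02"},
    "u3": {"uid": "u3", "displayName": "Cy", "mail": "cy@example.edu", "dob": "1992-03-03"},
}
SP_REQUIRES = {"uid", "displayName", "mail", "dob"}  # SP asks for more than it needs
ARP = {"uid", "displayName", "mail"}                 # IdP's ARP for this SP withholds dob
SP_GROUP = {"u1", "u2"}                              # community members this SP is entitled to


def release(person, arp=ARP, requested=SP_REQUIRES):
    """Release only attributes the SP requested AND the ARP allows (least privilege)."""
    return {k: v for k, v in person.items() if k in requested and k in arp}


def snapshot(people=PEOPLE, group=SP_GROUP):
    """Snapshot request: released attributes for everyone in the SP's group, nobody else."""
    return {uid: release(people[uid]) for uid in sorted(group) if uid in people}


class ChangeLog:
    """Per-SP add/update/delete transactions. record() yields what a Subscription
    would push immediately; since_last() serves a Change Log request."""

    def __init__(self, people=PEOPLE, group=SP_GROUP):
        self.people, self.group, self.events, self.cursor = dict(people), set(group), [], 0

    def record(self, uid, updated=None, in_group=True):
        """Translate an IdP-side change into an SP-visible transaction, or None."""
        was_member, self.group = uid in self.group, self.group - {uid}
        if in_group and updated is not None:
            self.people[uid], op = updated, "update" if was_member else "add"
            self.group.add(uid)
        elif was_member:
            op = "delete"  # left the SP's group (or left the IdP entirely)
        else:
            return None  # changes to non-members are invisible to this SP
        attrs = release(self.people[uid]) if op != "delete" else None
        self.events.append((len(self.events) + 1, op, uid, attrs))
        return self.events[-1]

    def since_last(self):
        """Change Log request: only transactions generated since the previous request."""
        new, self.cursor = self.events[self.cursor:], len(self.events)
        return new
```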
High-Level Design
Proposed Project Phases and Tasks
Phase 1 Detailed Planning – 8 weeks
1.1 Staffing/Recruiting
1.2 Develop Detailed Project Plan
1.3 Develop Detailed Architecture
Phase 2 Design, Build, Test – Approximately one year
2.1 Technology evaluation and selection
2.2 Develop Communications Plan
2.3 Design and Implement Common IAM Interface
2.4 Prepare Product Documentation
2.5 Test, QA
2.6 Release Product
2.7 Pilot Deployment
Phases and Tasks, continued
Phase 3 Deployment (~9 months, done by each UC location)
3.1 Implement Group Manager (Grouper)
3.2 Implement eduPersonTargetedID
3.3 Campus policy, procedure, relationships for brokering requests
3.4 Integrate Common IAM Interface with local IAM (Snapshot)
3.5 Integrate Common IAM with local IAM (Subscription and Change Log)
Resource Assumptions - Roles
Role Staffing (mostly fractions of time TBD)
Project Management 1
Outreach/Change Management 1
Technical Architect/Lead 1
Software Development 3
Technical Writer/Logistics 1
Total 7
Campus Deployment Resource (per campus)
Each campus will likely require between 1 and 3 FTE during Phase 3 to complete deployment. The number of FTE required will depend on the specific configuration of each campus’s identity management infrastructure.
Potential Pilot Projects
• Addition of UCSB to UCLA Administrative Services
• ServiceNow.com (if UC-wide Agreement in place)
Current Status
The high level design has been vetted with the IT Architecture Group and the UCTrust Work Group.
The proposal is now presented for ITLC consideration and direction to move forward (or not).
Assuming approval, the next phase of the project will commence in early 2011.
Discussion
• Questions/comments?
• Is ITLC ready to endorse moving forward with the proposed project?