User Provisioning Project Presented to ITLC September 28, 2010 David Walker, ITAG Co-Chair Information and Educational Technology, UC Davis Mary Doyle, ITAG ITLC Liaison Information Technology Services, UC Santa Cruz




Project Team

Arlene Allen, UCSB

Dede Bruno, UCOP

Mary Doyle, UCSC

Max Garrick, UCI

David Walker, UCD

Albert Wu, UCLA


Overview

• The Charge from ITLC

• What UCTrust Does Currently

• What We Are Proposing

• High-Level Design

• Proposal for Provisioning

• Resource Assumptions

• Current Status

• Discussion


The Charge from ITLC

1. ITAG should recommend a specific middleware platform/approach to evaluate and pilot

2. ITAG should consider various projects/initiatives that could serve as a pilot for the approach

3. ITAG should present thoughts/observations relating to resources required to complete a successful pilot.


What UCTrust Does Now

A Service Provider (SP) specifies the identity attributes it requires.

Identity Providers (IdP) configure their Attribute Release Policies (ARP) for the SP.

At the start of a session, the SP requests attributes from the IdP for the current user. The IdP returns requested attributes that are allowed by the ARP.


What Are We Proposing, and How Does it Differ?

UCTrust federates authentication and identity information during a session.

Many applications need information about their users at other times (e.g., Connexxus, SumTotal).

We propose extending UCTrust to exchange identity information when the user is not online.

This was a pain point for SumTotal and Connexxus, among other UC-wide projects.


Proposal for User Provisioning

A Service Provider (SP) specifies the identity attributes it requires and the people it requires those attributes for.

Identity Providers (IdP) configure their Attribute Release Policies (ARP) for the SP. The IdP also defines the group of its community members required by the SP.

At a time determined by the SP, the SP requests all attributes allowed by the ARP.


Four Types of Requests

Snapshot: All identity information for all people (as scoped by the SP's ARP and the IdP's group definition).

Subscription: Identity information is transmitted to the application as add, delete, and update transactions on an event-driven basis.

Change Log: All add, delete, and update transactions that have been generated since the last Snapshot, Subscription, or Change Log.

SSO Event: The existing Shibboleth access type.
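The attribute-release flow on the "What UCTrust Does Now" slide and the four request types above are easier to reason about as code. The following is an added illustration, not UCTrust, Shibboleth or Grouper code: one IdP, a constructed directory, two hypothetical SPs, and an assumed HMAC-based derivation for the SP-specific persistent identifier (eduPersonTargetedID). It shows the properties a practitioner would want checked: the ARP, not the SP's request, is the ceiling on what is released on every path (SSO Event, Snapshot, Subscription, Change Log); group membership, not mere existence in the directory, decides whether an SP sees an add, update, or delete; a delete event carries no attributes; a bad change-log cursor forces a fresh Snapshot rather than silently returning a partial log.

```python
"""Toy model of UCTrust attribute release (SSO Event) extended with the three
offline request types in the proposal: Snapshot, Subscription and Change Log.

Added example, not UCTrust, Shibboleth or Grouper code. The directory, the SP
names, the attribute names other than the eduPerson ones, and the HMAC-based
targetedID derivation are assumptions made for this illustration.
"""
import hashlib
import hmac
from typing import Callable, Dict, List, Optional, Set, Tuple

Record = Dict[str, str]
Event = Tuple[int, str, str, Record]  # (seq, add|update|delete, targetedID, attrs)
RawChange = Tuple[int, str, Optional[Record], Optional[Record]]  # (seq, uid, before, after)

# Constructed campus identity store. ssn_last4 stands in for anything an SP
# must never receive, no matter what it asks for.
DIRECTORY: Dict[str, Record] = {
    "u1001": {"displayName": "Ana Lopez", "mail": "ana@example.edu",
              "eduPersonAffiliation": "staff", "ssn_last4": "1234"},
    "u1002": {"displayName": "Bo Chen", "mail": "bo@example.edu",
              "eduPersonAffiliation": "student", "ssn_last4": "5678"},
    "u1003": {"displayName": "Cy Dube", "mail": "cy@example.edu",
              "eduPersonAffiliation": "staff", "ssn_last4": "9012"},
}
IDP_SECRET = b"constructed-idp-secret"  # a real IdP keeps this in its key store


def targeted_id(sp: str, user_id: str) -> str:
    """Persistent, opaque, SP-specific identifier in the eduPersonTargetedID
    spirit. Assumed derivation: HMAC over the SP/user pair, so two SPs cannot
    join their user lists and the value survives a change of mail or name."""
    return hmac.new(IDP_SECRET, f"{sp}!{user_id}".encode(), hashlib.sha256).hexdigest()[:32]


class IdentityProvider:
    def __init__(self) -> None:
        self.release: Dict[str, Set[str]] = {}                 # requested AND allowed by ARP
        self.group: Dict[str, Callable[[Record], bool]] = {}   # who each SP may see
        self.log: List[RawChange] = []
        self.subscribers: Dict[str, Callable[[Event], None]] = {}

    def register_sp(self, sp: str, requested: Set[str], allowed: Set[str],
                    member: Callable[[Record], bool]) -> None:
        """SP states what it needs; the IdP's ARP (allowed) caps it."""
        self.release[sp] = set(requested) & set(allowed)
        self.group[sp] = member

    def _filter(self, sp: str, rec: Record) -> Record:
        return {k: v for k, v in rec.items() if k in self.release[sp]}

    # 1. SSO Event: the existing Shibboleth access type, at session start.
    def sso_event(self, sp: str, user_id: str) -> Record:
        attrs = self._filter(sp, DIRECTORY[user_id])
        attrs["eduPersonTargetedID"] = targeted_id(sp, user_id)
        return attrs

    # 2. Snapshot: everyone in the SP's group, plus the log position to resume from.
    def snapshot(self, sp: str) -> Tuple[int, Dict[str, Record]]:
        people = {targeted_id(sp, uid): self.sso_event(sp, uid)
                  for uid, rec in DIRECTORY.items() if self.group[sp](rec)}
        return len(self.log), people

    # 3. Subscription: the SP is pushed add/update/delete events as they happen.
    def subscribe(self, sp: str, callback: Callable[[Event], None]) -> None:
        self.subscribers[sp] = callback

    # 4. Change Log: everything since the cursor returned by the last request.
    def change_log(self, sp: str, since: int) -> Tuple[int, List[Event]]:
        if since < 0 or since > len(self.log):
            raise ValueError("unknown cursor; take a fresh Snapshot")
        events = [e for e in (self._sp_view(sp, raw) for raw in self.log[since:]) if e]
        return len(self.log), events

    def apply_change(self, user_id: str, new_rec: Optional[Record]) -> int:
        """Campus IAM reports a change; new_rec=None means the person was removed."""
        before = DIRECTORY.get(user_id)
        if new_rec is None:
            DIRECTORY.pop(user_id, None)
        else:
            DIRECTORY[user_id] = dict(new_rec)
        raw: RawChange = (len(self.log) + 1, user_id, before,
                          None if new_rec is None else dict(new_rec))
        self.log.append(raw)
        for sp, cb in self.subscribers.items():
            ev = self._sp_view(sp, raw)
            if ev:
                cb(ev)
        return raw[0]

    def _sp_view(self, sp: str, raw: RawChange) -> Optional[Event]:
        """What this SP is entitled to learn from a raw directory change: group
        membership decides add vs update vs delete, the ARP decides the
        attributes, and a delete carries no attributes at all."""
        seq, uid, before, after = raw
        was = before is not None and self.group[sp](before)
        now = after is not None and self.group[sp](after)
        tid = targeted_id(sp, uid)
        if now:
            return (seq, "add" if not was else "update", tid, self._filter(sp, after))
        if was:
            return (seq, "delete", tid, {})
        return None  # never in scope for this SP: nothing to tell it
```

A typical SP session is `cursor, people = idp.snapshot("sp")` once, then `cursor, events = idp.change_log("sp", cursor)` on its own schedule, or `idp.subscribe("sp", handler)` for push. Note that a person who merely stops matching the SP's group (e.g., a staff member becoming a student) produces a delete for that SP even though the directory entry still exists; that is the case a naive "diff the directory" implementation gets wrong.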


High-Level Design

Proposed Project Phases and Tasks

Phase 1 Detailed Planning – 8 weeks

1.1 Staffing/Recruiting

1.2 Develop Detailed Project Plan

1.3 Develop Detailed Architecture

Phase 2 Design, Build, Test – Approximately one year

2.1 Technology evaluation and selection

2.2 Develop Communications Plan

2.3 Design and Implement Common IAM Interface

2.4 Prepare Product Documentation

2.5 Test, QA

2.6 Release Product

2.7 Pilot Deployment

Phases and Tasks, continued

Phase 3 Deployment (~ 9 months done by each UC location)

3.1 Implement Group Manager (Grouper)

3.2 Implement eduPersonTargetedID

3.3 Campus policy, procedure, relationships for brokering requests

3.4 Integrate Common IAM Interface with local IAM (Snapshot)

3.5 Integrate Common IAM with local IAM (Subscription and Change Log)


Resource Assumptions - Roles

Role                          Staffing (mostly fractions of time, TBD)
Project Management            1
Outreach/Change Management    1
Technical Architect/Lead      1
Software Development          3
Technical Writer/Logistics    1
Total                         7

Campus Deployment Resource (per campus)

Each campus will likely require between 1 and 3 FTE during Phase 3 to complete deployment. The number of FTE required will depend on the specific configuration of each campus's identity management infrastructure.


Potential Pilot Projects

• Addition of UCSB to UCLA Administrative Services

• ServiceNow.com (if UC-wide Agreement in place)


Current Status

The high level design has been vetted with the IT Architecture Group and the UCTrust Work Group.

The proposal is now presented for ITLC consideration and direction to move forward (or not).

Assuming approval, the next phase of the project will commence in early 2011.


Discussion

• Questions/comments?

• Is ITLC ready to endorse moving forward with the proposed project?