1 MACE-Dir: Attributes, Schema and Information Models for Education and Research
InCommon Virtual Working Groups, May 21, 2013
Keith Hazelton, MACE-Dir Chair, UW-Madison
Jon Saperia, InCommon User Identifiers Chair, Harvard U
Mark Scheible, InCommon/Quilt Federation Pilots, MCNC

2 Overview
– Introduction to MACE-Dir
– The Evolution of eduPerson: New Draft Out for Review
  – New identifiers to solve a long-standing set of problems
  – Keeping track of changes to eduPersonPrincipalName values
– Crafting a Schema for K-12 Use
– System for Cross-domain Identity Management (SCIM)
  – A new model for identity data provisioning and integration
– Exploring Curricular Data Needs
– Elsewhere in Schema-Land
  – An online Schema and Attribute Registry out of the NSTIC pilots
11/11/2015, © 2012 Internet2

3 Introduction to MACE-Dir
– Formed back when LDAP was The New Thing on campuses
– Responding to a need for a common core set of identity attributes in higher education identity and access management
– Published the first version of the eduPerson specification in early 2001
  – The LDAP Recipe was released at the same time (h/t Michael Gettes)
– Any time you visit an InCommon relying party using campus login to Shibboleth, your institution is using eduPerson
– Over the years also published specifications for
  – isMemberOf
  – eduCourse

4 The Evolution of eduPerson
– New draft out for review: eduPerson (201305 Draft 08)
– New attributes…
– Jon Saperia of Harvard University led an InCommon group on User Identifiers
  – MACE-Dir hosted the User Identifier conference calls
  – The group ended up advocating the inclusion of three new identifier-class attributes in eduPerson

5 User Identifier Issues
– Inconsistent use of existing attributes:
  – ePPN (eduPersonPrincipalName)
    – Too often used as a mail attribute
    – Used to show the identity domain, which can be incompatible with the email address
  – mail
    – Need for a stable user identifier
    – Overloading of the mail attribute: used as an identifier to applications, used to display identity to users, other administrative uses

6 Using institutionalUserMailAddress
– Use when a user identifier is required in the form of an institutional email address
  – Using an email address as an identifier is not a recommended practice
– Once assigned, a value MUST NOT be reassigned
– The email domain is treated as an administrative domain under the control of the identity system that created the ID
– The user must be reachable via this email address

7 Using eduPersonUniqueId
– Long-lived, non-reassignable
– Scoped; the ID portion must be unique within the issuing identity system
– The part to the right of "@" MUST be the same administrative domain as the identity system that created the ID
– SHOULD NOT be treated as an email address
– Example:
  – eduPersonUniqueId: 28c5353b-8bb3-4984-a8bd-4169ba94c606@foo.edu

8 Using institutionalUserMailAddressPrior
– Allows association of previously used addresses with a principal
– MUST NOT include any currently valid institutionalUserMailAddress value
– There is no ordering to the list of entries
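The rules on slides 6, 7 and 8 are the kind of thing an identity system should enforce before it publishes an entry. The following is an added example, not code from the slides or from the eduPerson specification. It assumes the identity system keeps a registry of every ID portion and every mail address it has ever assigned, mapped to the subject that received it (that is what makes "never reassigned" checkable), and that the ID portion of eduPersonUniqueId is UUID-shaped as in the slide's example. Reachability of the mail address cannot be checked offline and is left out. The registry contents and the two sample entries are constructed.

```python
"""Checks for the identifier attributes proposed in eduPerson 201305 Draft 08.

Added example; the registry, issuer domain and sample entries are assumptions
made for illustration.
"""
import uuid

ISSUER_DOMAIN = "foo.edu"    # administrative domain of the issuing identity system

# Constructed registry of everything ever assigned; entries are never removed.
REGISTRY = {
    "unique_id": {"28c5353b-8bb3-4984-a8bd-4169ba94c606": "jdoe",
                  "7c9e6679-7425-40de-944b-e07fc1f90ae7": "asmith"},
    "mail": {"jane.doe@foo.edu": "jdoe", "jdoe@foo.edu": "jdoe",
             "asmith@foo.edu": "asmith"},
}


def split_scoped(value):
    """Split 'local@scope' into (local, scope lower-cased); None if malformed."""
    local, sep, scope = value.partition("@")
    if not sep or not local or not scope or "@" in scope:
        return None
    return local, scope.lower()


def check_unique_id(value, subject, registry=REGISTRY, issuer=ISSUER_DOMAIN):
    """Violations of the slide-7 rules for one eduPersonUniqueId value."""
    parts = split_scoped(value)
    if parts is None:
        return ["not of the form id@scope"]
    local, scope = parts
    problems = []
    if scope != issuer.lower():
        problems.append("scope %s is not the issuer's domain %s" % (scope, issuer))
    try:
        uuid.UUID(local)                      # assumed UUID shape of the ID portion
    except ValueError:
        problems.append("ID portion is not a UUID")
    owner = registry["unique_id"].get(local.lower())
    if owner is not None and owner != subject:
        problems.append("ID portion already issued to %s and is never reassigned" % owner)
    return problems


def check_mail_address(value, subject, registry=REGISTRY, issuer=ISSUER_DOMAIN):
    """Violations of the slide-6 rules for one institutionalUserMailAddress value."""
    parts = split_scoped(value)
    if parts is None:
        return ["not an address of the form local@domain"]
    _, domain = parts
    problems = []
    if domain != issuer.lower():
        problems.append("domain %s is not controlled by the issuing identity system" % domain)
    owner = registry["mail"].get(value.lower())
    if owner is not None and owner != subject:
        problems.append("address was assigned to %s and MUST NOT be reassigned" % owner)
    return problems


def check_prior_addresses(current, prior):
    """Prior addresses that are still current, which slide 8 forbids."""
    live = {a.lower() for a in current}
    return sorted(a for a in prior if a.lower() in live)


def validate_entry(entry, registry=REGISTRY, issuer=ISSUER_DOMAIN):
    """Map attribute name -> list of violations for one person entry (dict of lists)."""
    subject = entry["uid"]
    report = {}
    for value in entry.get("eduPersonUniqueId", []):
        found = check_unique_id(value, subject, registry, issuer)
        if found:
            report.setdefault("eduPersonUniqueId", []).extend(found)
    current = entry.get("institutionalUserMailAddress", [])
    for value in current:
        found = check_mail_address(value, subject, registry, issuer)
        if found:
            report.setdefault("institutionalUserMailAddress", []).extend(found)
    clash = check_prior_addresses(current, entry.get("institutionalUserMailAddressPrior", []))
    if clash:
        report["institutionalUserMailAddressPrior"] = ["still current: " + ", ".join(clash)]
    return report


# Constructed entries: one that passes, one that breaks a rule from each slide.
GOOD_ENTRY = {
    "uid": "jdoe",
    "eduPersonUniqueId": ["28c5353b-8bb3-4984-a8bd-4169ba94c606@foo.edu"],
    "institutionalUserMailAddress": ["jane.doe@foo.edu"],
    "institutionalUserMailAddressPrior": ["jdoe@foo.edu"],
}
BAD_ENTRY = {
    "uid": "bjones",
    "eduPersonUniqueId": ["bjones@mail.foo.edu"],                          # wrong scope, not a UUID
    "institutionalUserMailAddress": ["asmith@foo.edu", "bjones@foo.edu"],  # first belongs to asmith
    "institutionalUserMailAddressPrior": ["bjones@foo.edu"],               # still current
}

if __name__ == "__main__":
    print(validate_entry(GOOD_ENTRY))
    print(validate_entry(BAD_ENTRY))
```

The registry is the important design choice: "MUST NOT be reassigned" is only enforceable if the identity system remembers what it has already handed out, including for subjects that have since left.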

9 The Evolution of eduPerson
– New draft out for review: eduPerson (201305 Draft 08)
– Another new attribute: eduPersonPrincipalNamePrior (ePPNP)
  – Helps in situations where a user's ePPN value has changed
  – Important when Relying Parties are using ePPN for authorization purposes (as in .htaccess files)
– Continued international discussions on uses of existing attributes
  – For example, in the last two weeks, a lively thread on eduPersonEntitlement
  – One example: a way to signal "This user should receive access per the terms of the contract mapped to this entitlement value (URI)"

10 The Evolution of eduPerson
– In practice, a small number of attributes do a lot of service
  – Identifiers (where needed)
  – Affiliations (scoped, generally)
  – Group memberships
  – Entitlements
– Tendency to use "cooked" attributes (affiliations, groups, entitlements) rather than ask for a large set of atomic facts from which to compute an allow/deny decision
– Example: a learning management system (LMS) controlling access to course materials
  – Roster information via isMemberOf (vs. eduCourseMember)
  – "Ticket" to use a particular e-text via an entitlement URI
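What slides 9 and 10 describe on the relying-party side, as an added example that is not code from the slides or from any Shibboleth or Apache module: an ePPN-keyed access list that keeps working across a rename by consulting eduPersonPrincipalNamePrior, and the LMS decision made from the "cooked" attributes isMemberOf and eduPersonEntitlement. It assumes attributes arrive as a dict of lists (the shape an SP hands an application after mapping a SAML attribute statement), that the ACL is a set keyed on ePPN as an .htaccess Require line would be, and the group and entitlement URIs, the ACL and the sample user are made up. The scope check on prior values is an added precaution, not something the slides state.

```python
"""Relying-party authorization over ePPN, ePPNP, isMemberOf and entitlements.

Added example; ACL, group, entitlement and user below are constructed.
"""

# Hypothetical ACL written before jdoe was renamed to jane.doe.
ACL_BY_EPPN = {"jdoe@foo.edu"}
COURSE_GROUP = "urn:mace:foo.edu:groups:chem205:fall2013"     # hypothetical isMemberOf value
ETEXT_TICKET = "urn:mace:foo.edu:entitlement:etext:chem205"   # hypothetical entitlement URI

# Constructed attribute set for a user whose ePPN changed this term.
RENAMED_USER = {
    "eduPersonPrincipalName": ["jane.doe@foo.edu"],
    "eduPersonPrincipalNamePrior": ["jdoe@foo.edu", "jdoe@other.edu"],
    "isMemberOf": [COURSE_GROUP],
    "eduPersonEntitlement": [ETEXT_TICKET],
}


def scope_of(value):
    """The part after the last '@', lower-cased."""
    return value.rpartition("@")[2].lower()


def candidate_identifiers(attrs):
    """Current ePPN first, then prior values.

    Prior values are honoured only when they carry the same scope as the current
    ePPN: an IdP is authoritative for its own scope only, so a prior value in a
    foreign scope must not unlock an ACL entry (added check, not from the slides).
    """
    current = attrs.get("eduPersonPrincipalName", [])
    if len(current) != 1:           # ePPN is single-valued; refuse anything else
        return []
    scope = scope_of(current[0])
    priors = [p for p in attrs.get("eduPersonPrincipalNamePrior", [])
              if scope_of(p) == scope]
    return current + priors


def acl_decision(attrs, acl):
    """Return (allowed, matched_identifier, matched_on_prior_value)."""
    for position, ident in enumerate(candidate_identifiers(attrs)):
        if ident in acl:
            return True, ident, position > 0
    return False, None, False


def migrate_acl(acl, attrs):
    """Rewrite ACL entries that match a prior ePPN to the current value.

    The prior match is meant to be transitional: once seen, the ACL is rewritten
    so it names the current identifier instead of depending on ePPNP forever.
    """
    ids = candidate_identifiers(attrs)
    if not ids:
        return set(acl)
    current, priors = ids[0], set(ids[1:])
    migrated = {entry for entry in acl if entry not in priors}
    if priors & set(acl):
        migrated.add(current)
    return migrated


def course_access(attrs):
    """The LMS decision from slide 10: roster via isMemberOf, e-text via an entitlement."""
    groups = set(attrs.get("isMemberOf", []))
    entitlements = set(attrs.get("eduPersonEntitlement", []))
    enrolled = COURSE_GROUP in groups
    return {"course_materials": enrolled,
            "etext": enrolled and ETEXT_TICKET in entitlements}


if __name__ == "__main__":
    allowed, matched, stale = acl_decision(RENAMED_USER, ACL_BY_EPPN)
    print("admin page:", allowed, "matched", matched, "(via prior value)" if stale else "")
    print("migrated ACL:", migrate_acl(ACL_BY_EPPN, RENAMED_USER))
    print("LMS:", course_access(RENAMED_USER))
```

Note that the LMS never sees a roster or a contract; it sees a group name and an entitlement URI that the campus computed, which is exactly the "cooked attribute" pattern the slide describes.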

11 Crafting a Schema for K-12 Use
– The North Carolina Education Cloud (NCEdCloud), a Race to the Top (RttT) project
  – Foundational project is an IAM "Managed Service"
    – Covers ALL K-12 students, teachers and staff, parents, guests
    – Single username/password for access to cloud services
  – Led by the Friday Institute at NC State University
  – MCNC has been providing IAM consulting resources for two years
    – Developed an architecture document describing what was needed
    – RFP process completed, contract awarded to Identity Automation
  – Service consists of data integration of sources, building and maintaining a Person Registry, a directory environment, and federated identity management for roughly 3 million identities
  – Provisioning of cloud service accounts
– K-12/Community College pilot using federated identities
  – Part of the InCommon/Quilt project to extend FIM to K-12, community colleges, etc.

12 K12 Schema Development
– Why a separate K12 schema? K12 has additional challenges/requirements
  – K12 students are minors
    – Special/additional regulations apply (e.g. COPPA, CIPA)
    – Students cannot authorize attribute release (parent involvement?)
  – Delivery of online services/content may be age- or grade-based
  – Granularity of K12 organizational structure may be finer than in HE
  – IT staffing and skillsets in K12 are frequently not focused on IAM/SAML
  – 13-year relationship, with moves between schools/districts
  – Parents could easily have a longer relationship (multiple children)
  – 1:1 student/client device is rare (particularly in primary grades)

13 K12 Schema Development
– Existing schema (e.g. eduPerson) are not sufficient
– Attributes we know or suspect will be needed
  – Grade level
  – Over/under 13 (for COPPA)
  – School identifier
  – School district
  – School region (in some states)
  – Parent or guardian "link" (connecting parent to student)
  – Parent or guardian consent (to release attributes)
– Schema development work plan
  – Mailing list, conference calls (under the auspices of MACE-Dir)

14 System for Cross-domain Identity Management (SCIM)
– A new API and schema for identity data provisioning and integration
– Came from a vendor consortium; now transferred to an IETF working group
– Provisioning and integration is a different beast than Web SSO access control
– Think cloud providers, SaaS
  – They may need a persistent, service-specific set of user accounts and identity data
  – Perhaps driving a need for the sharing of a richer set of attributes from our campus IAM systems
– SCIM defines a standard mechanism for schema extension (like auxiliary object classes in LDAP)
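The schema-extension mechanism the slide compares to LDAP auxiliary object classes, as an added example that is not code from the slides or from any SCIM implementation: a campus identity-registry record is mapped to a SCIM User resource carrying an eduPerson-style extension, and the resource is checked for the consistency rule that every extension used must be declared in "schemas". The URNs for the core User resource and the enterprise extension are those of RFC 7643 (SCIM 2.0, published after this talk); the campus extension URN, its attribute set and the sample record are hypothetical.

```python
"""SCIM User resource with a campus schema extension, plus a consistency check.

Added example; the campus extension URN, attribute sets and record are assumptions.
"""
import json

CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
ENTERPRISE = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
CAMPUS = "urn:example:foo.edu:scim:schemas:extension:eduPerson:1.0"   # hypothetical

# Attributes each schema may carry in this example (a subset of the real core set).
ATTRIBUTES = {
    CORE_USER: {"userName", "displayName", "emails", "active"},
    ENTERPRISE: {"employeeNumber", "department"},
    CAMPUS: {"eduPersonPrincipalName", "eduPersonUniqueId",
             "isMemberOf", "eduPersonEntitlement"},
}
COMMON = {"schemas", "id", "externalId", "meta"}   # common attributes of every resource

# Constructed registry record for one person.
SAMPLE_PERSON = {
    "displayName": "Jane Doe",
    "mail": "jane.doe@foo.edu",
    "eduPersonPrincipalName": "jdoe@foo.edu",
    "eduPersonUniqueId": "28c5353b-8bb3-4984-a8bd-4169ba94c606@foo.edu",
    "isMemberOf": ["urn:mace:foo.edu:groups:chem205:fall2013"],
    "eduPersonEntitlement": ["urn:mace:foo.edu:entitlement:etext:chem205"],
}


def to_scim_user(person):
    """Build the SCIM User resource a campus provisioner would send to a SaaS SP."""
    return {
        "schemas": [CORE_USER, CAMPUS],
        # externalId is the SP's stable link back to the campus: the
        # non-reassignable eduPersonUniqueId, not the ePPN, which can change.
        "externalId": person["eduPersonUniqueId"],
        "userName": person["eduPersonPrincipalName"],
        "displayName": person["displayName"],
        "emails": [{"value": person["mail"], "primary": True}],
        "active": True,
        CAMPUS: {
            "eduPersonPrincipalName": person["eduPersonPrincipalName"],
            "eduPersonUniqueId": person["eduPersonUniqueId"],
            "isMemberOf": list(person["isMemberOf"]),
            "eduPersonEntitlement": list(person["eduPersonEntitlement"]),
        },
    }


def validate_scim_user(doc):
    """Return the list of consistency problems; [] means the resource is well formed."""
    problems = []
    schemas = doc.get("schemas", [])
    if CORE_USER not in schemas:
        problems.append("core User schema not declared in schemas")
    for key, value in doc.items():
        if key in COMMON:
            continue
        if key.startswith("urn:"):                      # an extension block
            if key not in schemas:
                problems.append("extension %s used but not declared" % key)
            allowed = ATTRIBUTES.get(key)
            if allowed is None:
                problems.append("unknown extension %s" % key)
                continue
            for attr in value:
                if attr not in allowed:
                    problems.append("%s is not an attribute of %s" % (attr, key))
        elif key not in ATTRIBUTES[CORE_USER]:
            problems.append("unknown core attribute %s" % key)
    for schema in schemas:
        if schema != CORE_USER and schema not in doc:
            problems.append("declared %s but carries no such extension block" % schema)
    return problems


def to_json(person):
    """Serialized form as sent on the wire (media type application/scim+json)."""
    return json.dumps(to_scim_user(person), indent=2, sort_keys=True)


if __name__ == "__main__":
    print(to_json(SAMPLE_PERSON))
    print("problems:", validate_scim_user(to_scim_user(SAMPLE_PERSON)))
```

Keying the provisioned account on eduPersonUniqueId rather than on ePPN is what lets the SP survive the rename case that eduPersonPrincipalNamePrior exists for: the SaaS account keeps its link to the campus record even when userName changes.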

15 System for Cross-domain Identity Management (SCIM)
– SCIM is coming to higher education via two paths
  – Grouper has SCIM support on its latest roadmap
  – CIFER (Community Identity Framework for Education and Research)
    – Open source IAM initiative under the auspices of Internet2, Kuali and Apereo (Jasig/Sakai)
    – Recommending SCIM as a core API for identity data provisioning and integration across the IAM infrastructure
    – Developing SCIM schema extensions to cover the CIFER identity registry data model
– MACE-Dir will host review and comment discussions as requested

16 Exploring Curricular Data Needs
– New collaboration being launched by Penn State and the University of Wisconsin-Madison
– MACE-Dir will provide a venue for the collaboration
  – As it did for InCommon User Identifiers
– Provisioning to the LMS is one use case
– But many other uses are made of curricular data, including mash-ups with location information and academic organizational structure
  – Planning your course schedule: can you get from Chem 205 to Art History 101?
  – UW-Madison evolved a set of Enterprise Business Objects (EBOs) for curricular data
  – Collaborative exploration of requirements and potential solutions

17 Elsewhere in Schema-Land
– An online Schema and Attribute Registry, now at version 1.0
– An early NSTIC pilot deliverable from the Internet2 Scalable Privacy project
  – NSTIC: National Strategy for Trusted Identities in Cyberspace
– Higher education has thought longer and harder about schema and attributes than government and industry
– The registry as a way to demonstrate prior art and show patterns of use
  – Includes eduPerson, SCHAC, OpenID Connect, OpenSocial, …
  – Each attribute is associated with an attribute class (identifier, name, entitlement, profile) to facilitate cross-schema comparisons

18 Your Input: Other Topics Needing Attention

19 To Participate in the Work
– MACE-Dir mailing list
  – Subscribe at https://lists.internet2.edu/sympa/subscribe/mace-dir
– InCommon User Identifiers: via review of the eduPerson draft
  – Subscriber comments to mace-dir@internet2.edu
  – Non-subscriber comments to i2mi-info@internet2.edu
– K-12 Schema work
  – Subscribe at https://lists.internet2.edu/sympa/subscribe/k12person
– SCIM
  – Subscribe at https://lists.internet2.edu/sympa/subscribe/cifer-prov
– Other questions: hazelton@wisc.edu

20 MACE-Dir: Attributes, Schema and Information Models for Education and Research
May 21, 2013, InCommon Virtual Working Groups
Thank you! For more information, please visit www.internet2.edu

