MACE-Dir: Attributes, Schema and Information Models for Education and Research InCommon Virtual Working Groups, May 21, 2013 Keith Hazelton MACE-Dir Chair,

Presentation transcript:

Slide 1: MACE-Dir: Attributes, Schema and Information Models for Education and Research
InCommon Virtual Working Groups, May 21, 2013
Keith Hazelton, MACE-Dir Chair, UW-Madison
Jon Saperia, InCommon User Identifiers Chair, Harvard U
Mark Scheible, InCommon/Quilt Federation Pilots, MCNC

Slide 2: Overview (11/11/2015, © 2012 Internet2)
- Introduction to MACE-Dir
- The Evolution of eduPerson: new draft out for review
  – New identifiers to solve a long-standing set of problems
  – Keeping track of changes to eduPersonPrincipalName values
- Crafting a Schema for K-12 Use
- System for Cross-Realm Identity Management (SCIM)
  – A new model for identity data provisioning and integration
- Exploring Curricular Data Needs
- Elsewhere in Schema-Land
  – An online Schema and Attribute Registry out of the NSTIC pilots

Slide 3: Introduction to MACE-Dir
- Formed back when LDAP was The New Thing on campuses
- Responding to a need for a common core set of identity attributes in higher education identity and access management
- Published the first version of the eduPerson specification in early 2001
  – The LDAP Recipe released at the same time (h/t Michael Gettes)
- Any time you visit an InCommon relying party using campus login to Shibboleth, your institution is using eduPerson
- Over the years also published specifications for
  – isMemberOf
  – eduCourse

Slide 4: The Evolution of eduPerson
- New draft out for review: eduPerson (Draft 08)
- New attributes…
- Jon Saperia of Harvard University led an InCommon group on User Identifiers
- MACE-Dir hosted the User Identifier conference calls
- The group ended up advocating the inclusion of three new identifier-class attributes in eduPerson

Slide 5: User Identifier Issues
- Inconsistent use of existing attributes for:
  – ePPN: too often used as a mail attribute; used to show the identity domain, which can be incompatible with an address
  – Mail: need for a stable user identifier
- Overloading the mail attribute
  – Used as an identifier to applications
  – Used to display identity to users
  – Other administrative uses

Slide 6: Using institutionalUserMailAddress
- Use when a user identifier is required as an institutional address
  – Not a recommended practice to use an address as an identifier
- Once assigned, MUST NOT be reassigned
- Domain is treated as an administrative domain under control of the identity system that created the ID
- User must be reachable via this address

Slide 7: Using eduPersonUniqueID
- Long-lived, non-reassignable
- Scoped, and the ID portion must be unique within the issuing identity system
- Part to the right of the @ MUST be the same administrative domain as the identity system that created the ID
- SHOULD NOT be treated as an address
- Example:
  – eduPersonUniqueId: 28c5353b-8bb

Slide 8: Using institutionalUserMailAddressPrior
- Allows association of previous addresses used with a principal
- MUST NOT include any currently valid institutionalUserMailAddress value
- There is no ordering to the list of entries
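The rules on slides 6 to 8 are easy to state and easy to get wrong in a provisioning pipeline. The following is an added example, not code from the presentation or from any MACE-Dir deliverable: a checker for the three new attributes over an LDAP-style entry, plus a minting routine that enforces non-reassignment by keeping every value ever issued. The domain example.edu, the attribute values and the UUID-based local part are all constructed assumptions.

```python
import re
import uuid

# Hypothetical administrative domain of the issuing identity system (constructed).
ISSUING_DOMAIN = "example.edu"
SCOPED_RE = re.compile(r"^[^@\s]+@([^@\s]+)$")


def scope_of(value):
    """Return the part right of '@' (lower-cased), or None if unscoped."""
    m = SCOPED_RE.match(value)
    return m.group(1).lower() if m else None


def check_identifiers(entry, issuing_domain=ISSUING_DOMAIN):
    """Return the rule violations in one LDAP-style entry (attribute -> list of
    values), applying the rules the slides state for the three new attributes."""
    problems = []
    mail = entry.get("institutionalUserMailAddress", [])
    prior = entry.get("institutionalUserMailAddressPrior", [])
    # institutionalUserMailAddress: the domain is the issuing system's
    # administrative domain, not an arbitrary mailbox the user happens to own.
    for v in mail:
        if scope_of(v) != issuing_domain:
            problems.append(f"institutionalUserMailAddress outside {issuing_domain}: {v}")
    # institutionalUserMailAddressPrior MUST NOT repeat a currently valid address.
    for v in prior:
        if v in mail:
            problems.append(f"prior address is still current: {v}")
    # eduPersonUniqueId: scoped, and the part right of '@' MUST be the
    # administrative domain of the identity system that created it.
    for v in entry.get("eduPersonUniqueId", []):
        if scope_of(v) != issuing_domain:
            problems.append(f"eduPersonUniqueId not scoped to {issuing_domain}: {v}")
    return problems


def issue_unique_id(used_ids, issuing_domain=ISSUING_DOMAIN):
    """Mint a new eduPersonUniqueId. used_ids is the set of every value ever
    issued and must be kept permanently, so that a value is never reassigned.
    The opaque random UUID local part is a constructed choice, not mandated."""
    while True:
        candidate = f"{uuid.uuid4().hex}@{issuing_domain}"
        if candidate not in used_ids:
            used_ids.add(candidate)
            return candidate


# Constructed sample entry that follows all three rules.
GOOD_ENTRY = {
    "institutionalUserMailAddress": ["jdoe@example.edu"],
    "institutionalUserMailAddressPrior": ["jsmith@example.edu"],
    "eduPersonUniqueId": ["a1b2c3d4e5f6@example.edu"],
}
```

An entry whose prior list still carries the current address, or whose eduPersonUniqueId is scoped to a sub-domain of the issuer, is reported with one problem per rule broken.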

Slide 9: The Evolution of eduPerson
- New draft out for review: eduPerson (Draft 08)
- Another new attribute
  – eduPersonPrincipalNamePrior (ePPNP)
  – Helps in situations where a user’s ePPN value has changed
  – Important when Relying Parties are using ePPN for authorization purposes (as in .htaccess files)
- Continued international discussions on uses of existing attributes
  – For example, in the last two weeks a lively thread on eduPersonEntitlement
  – One example: a way to signal “This user should receive access per the terms of the contract mapped to this entitlement value (URI)”

Slide 10: The Evolution of eduPerson
- In practice, a small number of attributes do a lot of service
  – Identifiers (where needed)
  – Affiliations (scoped, generally)
  – Group memberships
  – Entitlements
- Tendency to use “cooked” attributes (affiliations, groups, entitlements) rather than ask for a large set of atomic facts from which to compute an allow/deny decision
- Example: A learning management system (LMS) controlling access to course materials
  – Roster information via isMemberOf (vs. eduCourseMember)
  – “Ticket” to use a particular e-text via an entitlement URI
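Slides 9 and 10 together describe the relying-party side: allow/deny decisions driven by cooked attributes, with ePPN-based user lists breaking when a user's ePPN changes. This added example (not code from the presentation or from any LMS) shows an LMS-style decision function over a released attribute set. The attribute names are eduPerson's; the resource names, group DN, entitlement URI and user values are constructed, and the fallback to eduPersonPrincipalNamePrior relies on that value being asserted by the IdP rather than supplied by the user.

```python
# Constructed attribute set as an SP would see it after IdP release; the
# eduPerson attribute names are real, every value is invented.
SAMPLE_ATTRS = {
    "eduPersonPrincipalName": ["jdoe2@example.edu"],
    "eduPersonPrincipalNamePrior": ["jdoe@example.edu"],   # ePPN was changed
    "eduPersonScopedAffiliation": ["student@example.edu"],
    "isMemberOf": ["cn=chem205-s2013,ou=courses,dc=example,dc=edu"],
    "eduPersonEntitlement": ["urn:example:etext:chem205-s2013"],  # hypothetical URI
}

# Constructed LMS policy: each resource needs one "cooked" attribute value,
# except the .htaccess-style user list, which names ePPNs directly.
POLICY = {
    "chem205/notes": {"isMemberOf": "cn=chem205-s2013,ou=courses,dc=example,dc=edu"},
    "chem205/etext": {"eduPersonEntitlement": "urn:example:etext:chem205-s2013"},
    "chem205/ta-area": {"require_user": {"prof@example.edu", "jdoe@example.edu"}},
}


def decide(attrs, resource, policy=POLICY):
    """Return (allowed, reason). Group and entitlement checks are plain
    membership tests on the released values; the user-list check falls back
    to the IdP-asserted eduPersonPrincipalNamePrior so a renamed user keeps
    access, and the stale list entry is reported so it can be migrated."""
    rule = policy.get(resource)
    if rule is None:
        return False, "no policy for resource"
    if "require_user" in rule:
        eppn = attrs.get("eduPersonPrincipalName", [None])[0]
        if eppn in rule["require_user"]:
            return True, "ePPN listed"
        for old in attrs.get("eduPersonPrincipalNamePrior", []):
            if old in rule["require_user"]:
                return True, f"ePPNPrior {old} listed; migrate entry to {eppn}"
        return False, "ePPN not listed"
    (attr, needed), = rule.items()        # exactly one cooked attribute per rule
    if needed in attrs.get(attr, []):
        return True, f"{attr} matched"
    return False, f"{attr} lacks {needed}"
```

Logging the migration reason is what lets the operator of a .htaccess-style list find and replace stale ePPNs instead of relying on the prior value indefinitely.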

Slide 11: Crafting a Schema for K-12 Use
- The North Carolina Education Cloud (NCEdCloud) - RttT
  – Foundational project is an IAM “Managed Service”
  – Covers ALL K-12 students, teachers & staff, parents, guests
  – Single username/password for access to cloud services
  – Led by the Friday Institute at NC State University
- MCNC has been providing IAM consulting resources for two years
  – Developed an architecture document describing what was needed
  – RFP process completed, contract awarded to Identity Automation
  – Service consists of data integration of sources, building and maintaining a Person Registry, a directory environment, and Federated Identity Management for roughly 3 million identities
  – Provisioning of cloud service accounts
- K-12/Community College Pilot using federated identities
  – Part of InCommon/Quilt project to extend FIM to K12, CC, etc.

Slide 12: K12 Schema Development
- Why a separate K12 schema? K12 has additional challenges/requirements
  – K12 students are minors: special/additional regulations apply (e.g. COPPA, CIPA); students cannot authorize attribute release (parent involvement?)
  – Delivery of online services/content may be age- or grade-based
  – Granularity of K12 organizational structure may be finer than HE
  – IT staffing and skillsets in K12 frequently not focused on IAM/SAML
  – 13-year relationship with moves between schools/districts
  – Parents could easily have a longer relationship (multiple children)
  – 1:1 student/client device is rare (particularly in primary grades)

Slide 13: K12 Schema Development
- Existing schema (e.g. eduPerson) are not sufficient
- Attributes we know or suspect will be needed
  – Grade level
  – Over/Under 13 (for COPPA)
  – School Identifier
  – School District
  – School Region (in some states)
  – Parent or Guardian “link” (connecting parent to student)
  – Parent or Guardian consent (to release attributes)
- Schema development work plan
  – Mailing list, conference calls (under the auspices of MACE-Dir)

Slide 14: System for Cross-Realm Identity Management (SCIM)
- A new API and schema for identity data provisioning and integration
- Came from a vendor consortium; now transferred to an IETF working group
- Provisioning and integration is a different beast than Web SSO access control
- Think cloud providers, SaaS
  – They may need a persistent service-specific set of user accounts and identity data
  – Perhaps driving a need for the sharing of a richer set of attributes from our campus IAM systems
- SCIM defines a standard mechanism for schema extension (like auxiliary object classes in LDAP)

Slide 15: System for Cross-Realm Identity Management (SCIM)
- SCIM is coming to higher education via two paths
- Grouper has SCIM support on its latest roadmap
- CIFER (Community Identity Framework for Education and Research)
  – Open source IAM initiative under the auspices of Internet2, Kuali and Apereo (Jasig/Sakai)
  – Recommending SCIM as a core API for identity data provisioning and integration across the IAM infrastructure
  – Developing SCIM schema extensions to cover the CIFER identity registry data model
- MACE-Dir will host review and comment discussions as requested
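Slides 14 and 15 rest on SCIM's schema-extension mechanism, which the speaker likens to LDAP auxiliary object classes. This added example (not from the presentation, CIFER or Grouper) builds a SCIM User resource that carries campus attributes in an extension and validates the extension rule: extension attributes are only acceptable under a URN that is declared in "schemas", never loose at the top level. The core User URN is the one from RFC 7643 (SCIM 2.0, finalised after this talk); the eduPerson extension URN, its attribute list and the sample user are constructed assumptions.

```python
import json

SCIM_CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"  # RFC 7643 core User
# Hypothetical extension carrying campus attributes; not a registered schema.
EDU_EXT = "urn:example:params:scim:schemas:extension:eduPerson:1.0:User"

# Attributes each schema may carry (constructed subsets, enough for the example).
ALLOWED = {
    SCIM_CORE_USER: {"id", "externalId", "meta", "userName", "name", "emails", "active"},
    EDU_EXT: {"eduPersonPrincipalName", "eduPersonUniqueId", "isMemberOf"},
}

# Constructed SCIM resource as a campus IAM system might push it to a SaaS provider.
SAMPLE_USER = json.dumps({
    "schemas": [SCIM_CORE_USER, EDU_EXT],
    "userName": "jdoe@example.edu",
    "name": {"givenName": "Jane", "familyName": "Doe"},
    "active": True,
    EDU_EXT: {
        "eduPersonPrincipalName": "jdoe@example.edu",
        "eduPersonUniqueId": "a1b2c3d4e5f6@example.edu",
        "isMemberOf": ["cn=chem205-s2013,ou=courses,dc=example,dc=edu"],
    },
})


def validate_scim_user(text):
    """Return validation errors for a SCIM User JSON document.
    As with an LDAP auxiliary objectClass, an extension's attributes are only
    valid once the extension URN is declared in "schemas", and they live
    under that URN rather than at the top level of the resource."""
    doc = json.loads(text)
    errors = []
    schemas = doc.get("schemas", [])
    if SCIM_CORE_USER not in schemas:
        errors.append("core User schema not declared")
    if "userName" not in doc:
        errors.append("userName is required")
    for key, value in doc.items():
        if key == "schemas":
            continue
        if key.startswith("urn:"):                      # an extension block
            if key not in schemas:
                errors.append(f"extension {key} used but not declared")
            elif key in ALLOWED:
                for attr in sorted(set(value) - ALLOWED[key]):
                    errors.append(f"{attr} not defined by {key}")
        elif key not in ALLOWED[SCIM_CORE_USER]:
            errors.append(f"{key} is not a core attribute; put it in an extension")
    return errors
```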

Slide 16: Exploring Curricular Data Needs
- New collaboration being launched by Penn State and the University of Wisconsin-Madison
- MACE-Dir will provide a venue for the collaboration
  – As it did for InCommon User Identifiers
- Provisioning to an LMS is one use case
- But many other uses are made of curricular data, including mash-ups with location information and academic organizational structure
  – Planning your course schedule: can you get from Chem 205 to Art History 101?
  – UW-Madison evolved a set of Enterprise Business Objects (EBOs) for curricular data
  – Collaborative exploration of requirements and potential solutions

Slide 17: Elsewhere in Schema-Land
- An online Schema and Attribute Registry, now at version 1.0
- An early NSTIC pilot deliverable from the Internet2 Scalable Privacy project
  – NSTIC: National Strategy for Trusted Identities in Cyberspace
- Higher education has thought longer and harder about schema and attributes than government and industry
- The registry as a way to demonstrate prior art and show patterns of use
  – Includes eduPerson, SCHAC, OpenID Connect, Open Social, …
  – Each attribute is associated with an attribute class (identifier, name, entitlement, profile) to facilitate cross-schema comparisons

Slide 18: Your Input: Other Topics Needing Attention

Slide 19: To Participate in the Work
- MACE-Dir mailing list
  – Subscribe at
- InCommon User Identifiers: via review of the eduPerson draft
  – Subscriber comments to
  – Non-subscriber comments to
- K-12 Schema work
  – Subscribe at
- SCIM
  – Subscribe at
- Other questions:

Slide 20: MACE-DIR: ATTRIBUTES, SCHEMA AND INFORMATION MODELS FOR EDUCATION AND RESEARCH
May 21, 2013, InCommon Virtual Working Groups
Thank you! For more information, please visit