
User Provisioning Project Presented to ITLC September 28, 2010

Presenters: David Walker, ITAG Co-Chair, Information and Educational Technology, UC Davis; Mary Doyle, ITAG ITLC Liaison, Information Technology Services, UC Santa Cruz.
Project Team: Arlene Allen, UCSB; Dede Bruno, UCOP; Mary Doyle, UCSC


Presentation Transcript


  1. User Provisioning Project, Presented to ITLC, September 28, 2010
     David Walker, ITAG Co-Chair, Information and Educational Technology, UC Davis
     Mary Doyle, ITAG ITLC Liaison, Information Technology Services, UC Santa Cruz

  2. Project Team
     • Arlene Allen, UCSB
     • Dede Bruno, UCOP
     • Mary Doyle, UCSC
     • Max Garrick, UCI
     • David Walker, UCD
     • Albert Wu, UCLA

  3. Overview
     • The Charge from ITLC
     • What UCTrust Does Currently
     • What We Are Proposing
     • High-Level Design Proposal for Provisioning
     • Resource Assumptions
     • Current Status
     • Discussion

  4. The Charge from ITLC
     • ITAG should recommend a specific middleware platform/approach to evaluate and pilot.
     • ITAG should consider various projects/initiatives that could serve as a pilot for the approach.
     • ITAG should present thoughts/observations relating to resources required to complete a successful pilot.

  5. What UCTrust Does Now
     • A Service Provider (SP) specifies the identity attributes it requires.
     • Identity Providers (IdP) configure their Attribute Release Policies (ARP) for the SP.
     • At the start of a session, the SP requests attributes from the IdP for the current user. The IdP returns the requested attributes that are allowed by the ARP.

  6. What Are We Proposing, and How Does It Differ?
     • UCTrust federates authentication and identity information during a session.
     • Many applications need information about their users at other times (e.g., Connexxus, SumTotal).
     • We propose extending UCTrust to exchange identity information when the user is not online.
     • This was a pain point for SumTotal and Connexxus, among other UC-wide projects.

  7. Proposal for User Provisioning
     • A Service Provider (SP) specifies the identity attributes it requires and the people it requires those attributes for.
     • Identity Providers (IdP) configure their Attribute Release Policies (ARP) for the SP. The IdP also defines the group of its community members required by the SP.
     • At a time determined by the SP, the SP requests all attributes allowed by the ARP.

  8. Four Types of Requests
     • Snapshot
       • All identity information for all people.
     • Subscription
       • Identity information will be transmitted to the application as add, delete, and update transactions on an event-driven basis.
     • Change Log
       • All add, delete, and update transactions that have been generated since the last Snapshot, Subscription, or Change Log.
     • SSO Event
       • The existing Shibboleth access type.
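Slides 5, 7 and 8 describe one mechanism: the IdP applies the SP's Attribute Release Policy to a defined member group and answers Snapshot, Change Log and Subscription requests. The toy model below is an added illustration, not code from the UCTrust project; the SP name, attribute names and people are constructed, and the "ssn" attribute exists only to show that an attribute outside the ARP is never released by any of the three request types.

```python
# Added toy model of the proposed provisioning exchange (not UCTrust code).
# All names (learning-sp, alice, bob, carol, attribute names) are constructed.
from dataclasses import dataclass, field

@dataclass
class IdP:
    people: dict                                     # uid -> {attr: value}
    arp: dict                                        # sp -> attrs it may get
    groups: dict                                     # sp -> uids it requires
    log: list = field(default_factory=list)          # (seq, op, uid, attrs, sps)
    subscribers: dict = field(default_factory=dict)  # sp -> callback(txn)

    def _filter(self, sp, attrs):
        """Apply the SP's ARP: drop every attribute it is not allowed to see."""
        if attrs is None:                            # delete carries no attrs
            return None
        return {k: v for k, v in attrs.items() if k in self.arp[sp]}

    def snapshot(self, sp):
        """Snapshot: all allowed attributes for every person in the SP's group."""
        return {u: self._filter(sp, self.people[u]) for u in sorted(self.groups[sp])}

    def change_log(self, sp, since):
        """Change Log: add/update/delete transactions after sequence 'since'
        that concern the SP's group, each filtered through the ARP."""
        return [(seq, op, uid, self._filter(sp, attrs))
                for seq, op, uid, attrs, sps in self.log if seq > since and sp in sps]

    def apply(self, op, uid, attrs=None):
        """A local IAM event: record it and push it to Subscription holders."""
        if op == "delete":
            self.people.pop(uid)
        else:
            self.people[uid] = {**self.people.get(uid, {}), **attrs}
        sps = {sp for sp, g in self.groups.items() if uid in g}   # affected SPs
        seq = len(self.log) + 1
        self.log.append((seq, op, uid, None if op == "delete" else dict(self.people[uid]), sps))
        for sp in sps:                               # event-driven delivery
            if sp in self.subscribers:
                self.subscribers[sp]((seq, op, uid, self._filter(sp, self.log[-1][3])))
        if op == "delete":
            for g in self.groups.values():
                g.discard(uid)
        return seq

def demo():
    idp = IdP(people={"alice": {"displayName": "Alice", "mail": "a@x", "ssn": "000"},
                      "bob": {"displayName": "Bob", "mail": "b@x", "ssn": "111"}},
              arp={"learning-sp": {"displayName", "mail"}},
              groups={"learning-sp": {"alice", "bob"}})
    events = []
    idp.subscribers["learning-sp"] = events.append   # Subscription
    snap = idp.snapshot("learning-sp")               # Snapshot
    last = len(idp.log)                              # SP's last sync point
    idp.apply("update", "alice", {"mail": "alice@x"})
    idp.groups["learning-sp"].add("carol")
    idp.apply("add", "carol", {"displayName": "Carol", "mail": "c@x", "ssn": "222"})
    idp.apply("delete", "bob")
    return snap, idp.change_log("learning-sp", last), events   # Change Log
```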

  9. High-Level Design

  10. Proposed Project Phases and Tasks
     Phase 1: Detailed Planning (8 weeks)
       1.1 Staffing/Recruiting
       1.2 Develop Detailed Project Plan
       1.3 Develop Detailed Architecture
     Phase 2: Design, Build, Test (approximately one year)
       2.1 Technology evaluation and selection
       2.2 Develop Communications Plan
       2.3 Design and Implement Common IAM Interface
       2.4 Prepare Product Documentation
       2.5 Test, QA
       2.6 Release Product
       2.7 Pilot Deployment

  11. Phases and Tasks, continued
     Phase 3: Deployment (~9 months, done by each UC location)
       3.1 Implement Group Manager (Grouper)
       3.2 Implement eduPersonTargetedID
       3.3 Campus policy, procedure, relationships for brokering requests
       3.4 Integrate Common IAM Interface with local IAM (Snapshot)
       3.5 Integrate Common IAM Interface with local IAM (Subscription and Change Log)

  12. Resource Assumptions - Roles
     Campus Deployment Resource (per campus): Each campus will likely require between 1 and 3 FTE during Phase 3 to complete deployment. The number of FTE required will depend on the specific configuration of each campus's identity management infrastructure.

  13. Potential Pilot Projects
     • Addition of UCSB to UCLA Administrative Services
     • ServiceNow.com (if UC-wide agreement in place)

  14. Current Status
     • The high-level design has been vetted with the IT Architecture Group and the UCTrust Work Group.
     • The proposal is now presented for ITLC consideration and direction to move forward (or not).
     • Assuming approval, the next phase of the project will commence in early 2011.

  15. Discussion
     • Questions/comments?
     • Is ITLC ready to endorse moving forward with the proposed project?