SlideShare a Scribd company logo

SIF IDM Profile Introduction

Richard Tong
Richard Tong
Education
1 of 27
Download to read offline
SIF IDM 101: Identification Management Profile Introduction Hattie Leary Hattie.Leary@anoka.k12.mn.us Richard Tong rtong@amplify.com Vince Paredes vparedes@sifassociation.org Linda Marshall Linda.Marshall@nsip.EDU.AU
A Primer of the SIF IDM Profile  Background for a comprehensive IDM profile  The new solution  The use cases  Logical IDM model  IDM workflow best practice (Also covered in IDM 102)  Migration path from 2.0 (To-be-covered in IDM 102)  The real-world story and next steps (To-be-covered in IDM 102)  Appendix
Background for SIF IDM Profile Why do we need SIF Identity Management Profile?
User ID and password are needed for all kinds of web applications in education. SIF Enabled Educational Infrastructure needs to provide mechanism to seamless authenticate end users and grant authorization request. User ID and password from mobile clients into SIF Enabled Educational Infrastructure API and/or hosted applications need to be supported. APIs, Desktop or backend applications and Custom Apps (such as data ingestion engine, sync engine, ESB, Data Warehouse, administrative applications, collaboration tools, custom Apps, etc.) need to identify themselves and pass credentials from their end users for participating in the overall SIF Enabled Educational Infrastructure community. Where is identity needed?
Benefits of Identity Integration (Single Sign-On or Same Sign-On)  Reduced Administrative Costs  All user authentication information resides in SEA/LEA, which reduces the need to maintain, monitor and potentially synchronized multiple stores.  Reduces password-related user support requests.  Increased ease of use / adoption  Each user only has a single username and password which grants them seamless access to all of their current resources and SIF Enabled Educational Infrastructure resources.  Single Sign-On also saves users time, since each individual sign-on process can take 5 to 20 seconds to complete.  Enhanced Security  Password policies established for SEA/LEA network will also be in effect for SIF Enabled Educational Infrastructure.  Automatic provisioning and deprovisioning of users prevents unwarranted access.  Sending an authentication credential that is only valid for a single use can increase security for users who have access to sensitive data.
Beyond SSO  Before SSO can happen, how are Identifications in both IDP and SP provisioned and linked to ensure consistency?  How are authorization and entitlement information exchanged in either SSO enabled environment or even Same-sign-on environments?  We also need cross-app authorization,
Requirement for the SIF IDM Profile Solution  Provide a common logical data model for all participant applications  Provide a standard least-common-denominator data schema for compliant applications to exchange IDM related data  Expand on the current SIF 2.5 profiles  Align with CEDS (We already embed the new profile in CEDS 3.0 by working with the CEDS team)  Provide a best practice workflow framework to support the common use cases  Provide a migration path and real-world case studies to ease the adoption and transition
The SIF IDM Profile Solution Scope, Logical Model, Individual Entity Objects, and Recommended Workflow
Scope of SIF IDM Use Cases
Scope of SIF IDM Use Cases  Provisioning of Identity and Access across multiple connected systems  Provisioning of identity in a directory service provider  Provisioning or de-provisioning of identity in an existing system  on-demand (personal event driven)  Batch (at BOY, EOY, MOY, etc.)  Provisioning of identity and profile in a new system  Single-Sign-On among multiple education systems
IDM Logical Model 2013
SIF 2.7 IDM ProfileIdentificationManagementLogicalEntityModel StudentPersonal RefId Student_Id Personal_Attributes OrganizationUser RefId PersonId OrginalAssociationId AssociationType Org_Id StartDate EndDate AuthoritativeSourceId IDM_Authentication RefId OrgUserId IDP_Login_Id IDP_App_Id IDP_Type StartDate EndDate AuthoritativeSourceId IDM_Authorization RefId OrgUserId App_Id App_Function StartDate EndDate AuthoritativeSourceId StaffPersonal RefId Staff_Id Personal_Attributes StudentContactPersonal RefId StudentContact_Id Personal_Attributes SchoolInfo RefId Org_Attributes ParentOrgId IDM_Applications RefId App_Name App_URI App_Default_Function App_Function_List App_Default_IDP_Id App_IDP_List StartDate EndDate
From 2.7 to 3.1  2.7 Focus on backward compatibility. The OrganizationUser provides the key connection to studentpersonal, staffpersonal, and studentcontactpersonal as well as schoolinfo. It can be adopted immediately in 2.x environment.  3.1 Uses the new 3.0 PartyOrganizationAssociation object to replace OrganizationUser. Therefore it is more flexible.
IDM Entities * Note: We primarily use the 2.7 entity names in this section. For 3.1, the logic is the same, but the names and relationships are a little different to reflect the new entities.
OrganizationUser  This object is the link from the IDM data to the existing StudentPersonal, StaffPersonal, etc. in the current SIF model. This is directly corresponding to the CEDS 2.0 OrgPersonRole, which is an association of Person, Role and Organization.  The Ed-Fi model equivalents are Student/Staff/Parent.  For organization mapping, CEDS/Ed-Fi define them as Educational Organization/Programs.  The time dimension (StartDate (required field), EndDate (optional field)) would be the key aspect to identify the LifeCycle of the OrganizationUser. This object would become the key reference object for all identification propagation across systems.
Application  Application Profile – The application System(s) that participates in the overall integration App Ecosystem where SSO and coordinated Access Control are needed.  App_Name and App_URI are for navigation and display  App_Default_Function could be used for service invocation (for example, within an EcoSystem, there could be several applications that provide “chat” functions or even “IdP” functions)  App_Default_IDP point to the Application that authenticate the users for this app. For example, the “ParentDashboard” application might be using “DistrictLDAP” as its ID Provider.
Authentication  Authentication Profile – to establish authentication map between OrganizationUser and IDP’s LoginID. This profile will also be used to provision or deprovision user from SIS/HR to IDP (Identity Provider such as Active Directory, LDAP, or OpenID provider).  LoginID as defined in the IDP Directory of the SEA/LEA institutions.  IDP_App_ID - the IDP where this user is provisioned on (for example, staff might use one IDP called “StateStaffDirectory”, and parent might use another IDP service called “OpenIDProvider” to log in)  OrganizationUserID – A reference to the OrganizationUser  StartDate  EndDate
Authorization  Authorization Profile – to establish role/permission map between OrganizationUser and Downstream Application’s role and permission. This profile will primarily be used to provision or deprovision user from SIS/HR to one particular educational system.  OrganizationUserID reference the OrganizationUser (  App_ID – Reference to the target application where this OrganizationUser is provisioned. For example, Hattie Leary as a Staff in Anoka will be mapped to Administrator in Library Management System.  App_Function is the function that the application is providing for the OrganizationUser. For example, Hattie is using “Moodle” to serve “LMS” function for her.
OrganizationPartyAssociation (3.x)  This object is almost functional equivalent to the OrganizationUser in the 2.7 logical model. There are several subtle differences:  The OrganizationPartyAssociation does not have start/end date, so it can be used to trigger a scheduled provision event.  “OrganizationUser” has a field “OriginalAssociationId” which can be used to store the StateID, EmployeeID, StudentID or other non-GUID type keys, while OrganizationPartyAssociation does not. For implementation purpose, it is would be easier to control data quality when keys can be checked against existing database keys. Therefore, OrganizationUser object is better suited when backward compatibility is required.
Person (A 3.x concept, also connected to the 3.0 student object)  The objective for the person object is to establish the cross- domain longitudinal reference link to any personal information within the SIF framework. All personal and demographical information will be referred to this object. For identity management purpose, the information carried in the Person Profile should be consistent throughout the systems and first created from SIS/HR.  The reality is that a lot of the existing system does not share master data management (MDM) for person and it is recommended to have this person linkage to be optional rather than mandated to allow existing system adoption of the new IDM paradigm and allow continuous improvement.
Design highlight and consideration  Person vs. OrganizationUser  Person is longitudinally traceable and consistent.  OrganizationUser is more relevant in application identity and role-based access control context. OrganizationUser is conceptually equivalent to the union of StudentPersonal, StaffPersonal and StudentContactPersonal. In CEDS 3.0, OrganizationUser = OrgPersonRole  Authentication  SIF IDM data interchange does not really care that much about the specific authentication mechanism, as long as single-sign- on could be established.  Authorization  Similarly, SIF IDM data interchange does not enforce the RBAC mechanism in applications, as long as the authorization is honored.  Application  New 3.0 object that reflects the ecosystem reality
SIF IDM Service Workflow 2013
IDM Workflow Diagram IDM Workflow 1. OrganizationUser 2. (StudentPersonl, StaffPersonal, StudentContactPersonal) 3. Person ~ Optional 4. EducationalOrganization ~ Optional * Authentication 1. OrganizationUser 2. (StudentPersonl, StaffPersonal, StudentContactPersonal) 3. Person ~ Optional 4. EducationalOrganization ~ Optional * Authorization Target Applications (Portal, LMS, or other SSO Participants) App User Management (Person and Organization) App RBAC Service Identity Administration And Configuration Facility App Identity To Domain Provision and Synchronization Service Identity Federation Runtime Authoritative Sources (HR, SIS, SLDS) App Provisioning Source (Person and Organization) App Domain Access Control Identity Administration And Configuration Facility Source Identity To Domain Provision and Synchronization Service Application Registry (Optional application references populated through the Application Registration Service or Manual Entry) Application Profile Identity Provider (Owned by SEA/LEA Directory (eg. AD or LDAP or NDS ) LogOn ID Federated SSO (eg. ADFS or SiteMinder Or OpenSSO) 1. Application Registration (optional) 2. User Authentication Provisioning 3. User Authorization Provisioning 4. Run-time SSO 1 2 3 4 2 3
Appendix: CEDS Conceptual Mapping to the SIF IDM Profile (Source: CEDS)
Conceptual Model Organizations People Teaching, Learning, Assessment Roles Time
27 All can be represented as Roles Key Concept: OrgPersonRole

Recommended

SIF IDM Profile Usage Guide - Presentation at the 2014 annual conference
SIF IDM Profile Usage Guide - Presentation at the 2014 annual conferenceSIF IDM Profile Usage Guide - Presentation at the 2014 annual conference
SIF IDM Profile Usage Guide - Presentation at the 2014 annual conference
Richard Tong
 
IRJET- Enabling Identity-Based Integrity Auditing and Data Sharing with Sensi...
IRJET- Enabling Identity-Based Integrity Auditing and Data Sharing with Sensi...IRJET- Enabling Identity-Based Integrity Auditing and Data Sharing with Sensi...
IRJET- Enabling Identity-Based Integrity Auditing and Data Sharing with Sensi...
IRJET Journal
 
Large Scale User Provisioning with Hitachi ID Identity Manager
Large Scale User Provisioning with Hitachi ID Identity ManagerLarge Scale User Provisioning with Hitachi ID Identity Manager
Large Scale User Provisioning with Hitachi ID Identity Manager
Hitachi ID Systems, Inc.
 
Id m what-why-how presentationv2.0
Id m what-why-how presentationv2.0Id m what-why-how presentationv2.0
Id m what-why-how presentationv2.0
John Bernhard
 
#3 Wso2 masterclassitalia - wso2 Identity Server: must-have per gestire le id...
#3 Wso2 masterclassitalia - wso2 Identity Server: must-have per gestire le id...#3 Wso2 masterclassitalia - wso2 Identity Server: must-have per gestire le id...
#3 Wso2 masterclassitalia - wso2 Identity Server: must-have per gestire le id...
Profesia Srl, Lynx Group
 
Business Intelligence
Business Intelligence Business Intelligence
Business Intelligence
Athari_1996
 
Acc Updated Resume
Acc Updated ResumeAcc Updated Resume
Acc Updated Resume
MadhavaReddy Pandhiri
 
IDM Introduction
IDM IntroductionIDM Introduction
IDM Introduction
Aidy Tificate
 

Recommended

SIF IDM Profile Usage Guide - Presentation at the 2014 annual conference
SIF IDM Profile Usage Guide - Presentation at the 2014 annual conferenceSIF IDM Profile Usage Guide - Presentation at the 2014 annual conference
SIF IDM Profile Usage Guide - Presentation at the 2014 annual conference
Richard Tong
 
IRJET- Enabling Identity-Based Integrity Auditing and Data Sharing with Sensi...
IRJET- Enabling Identity-Based Integrity Auditing and Data Sharing with Sensi...IRJET- Enabling Identity-Based Integrity Auditing and Data Sharing with Sensi...
IRJET- Enabling Identity-Based Integrity Auditing and Data Sharing with Sensi...
IRJET Journal
 
Large Scale User Provisioning with Hitachi ID Identity Manager
Large Scale User Provisioning with Hitachi ID Identity ManagerLarge Scale User Provisioning with Hitachi ID Identity Manager
Large Scale User Provisioning with Hitachi ID Identity Manager
Hitachi ID Systems, Inc.
 
Id m what-why-how presentationv2.0
Id m what-why-how presentationv2.0Id m what-why-how presentationv2.0
Id m what-why-how presentationv2.0
John Bernhard
 
#3 Wso2 masterclassitalia - wso2 Identity Server: must-have per gestire le id...
#3 Wso2 masterclassitalia - wso2 Identity Server: must-have per gestire le id...#3 Wso2 masterclassitalia - wso2 Identity Server: must-have per gestire le id...
#3 Wso2 masterclassitalia - wso2 Identity Server: must-have per gestire le id...
Profesia Srl, Lynx Group
 
Business Intelligence
Business Intelligence Business Intelligence
Business Intelligence
Athari_1996
 
Acc Updated Resume
Acc Updated ResumeAcc Updated Resume
Acc Updated Resume
MadhavaReddy Pandhiri
 
IDM Introduction
IDM IntroductionIDM Introduction
IDM Introduction
Aidy Tificate
 
Active Directory Self-Service Suite Overview
Active Directory Self-Service Suite OverviewActive Directory Self-Service Suite Overview
Active Directory Self-Service Suite Overview
EmpowerID
 
A Proposed Security Model for Web Enabled Business Process Management System
A Proposed Security Model for Web Enabled Business Process Management SystemA Proposed Security Model for Web Enabled Business Process Management System
A Proposed Security Model for Web Enabled Business Process Management System
CSCJournals
 
Hitachi ID Identity Express™ - Corporate Edition
Hitachi ID Identity Express™ - Corporate EditionHitachi ID Identity Express™ - Corporate Edition
Hitachi ID Identity Express™ - Corporate Edition
Hitachi ID Systems, Inc.
 
Forefront Identity Manager 2010 (Av Rune Lystad)
Forefront Identity Manager 2010 (Av Rune Lystad)Forefront Identity Manager 2010 (Av Rune Lystad)
Forefront Identity Manager 2010 (Av Rune Lystad)
Microsoft Norge AS
 
Two Factor Authentication for Salesforce
Two Factor Authentication for SalesforceTwo Factor Authentication for Salesforce
Two Factor Authentication for Salesforce
ArrayShield Technologies Private Limited
 
Design Pattern for Oracle Identity Provisioning
Design Pattern for Oracle Identity ProvisioningDesign Pattern for Oracle Identity Provisioning
Design Pattern for Oracle Identity Provisioning
Mike Reams
 
CIS14: Creating a Federated Identity Service for Better SSO
CIS14: Creating a Federated Identity Service for Better SSOCIS14: Creating a Federated Identity Service for Better SSO
CIS14: Creating a Federated Identity Service for Better SSO
CloudIDSummit
 
External Search Match
External Search MatchExternal Search Match
External Search Match
Anoop Savio
 
project on Agile approach
project on Agile approachproject on Agile approach
project on Agile approach
Prachi desai
 
Idm Workshop
Idm WorkshopIdm Workshop
Idm Workshop
Mohamed Atef
 
How to Get More Out of Your Integration Systems
How to Get More Out of Your Integration SystemsHow to Get More Out of Your Integration Systems
How to Get More Out of Your Integration Systems
tibbr
 
Social intranet portal on share point for a global infrastructure company
Social intranet portal on share point for a global infrastructure companySocial intranet portal on share point for a global infrastructure company
Social intranet portal on share point for a global infrastructure company
Mike Taylor
 
Open am and_radiantone
Open am and_radiantoneOpen am and_radiantone
Open am and_radiantone
Jose R
 
Digital Library iPad Application for Referring Documents
Digital Library iPad Application for Referring DocumentsDigital Library iPad Application for Referring Documents
Digital Library iPad Application for Referring Documents
Softweb Solutions
 
Identity and Authentication in Office 2013 and Office 365 from Microsoft
Identity and Authentication in Office 2013 and Office 365 from MicrosoftIdentity and Authentication in Office 2013 and Office 365 from Microsoft
Identity and Authentication in Office 2013 and Office 365 from Microsoft
David J Rosenthal
 
CHATBOT FOR COLLEGE RELATED QUERIES | J4RV4I1008
CHATBOT FOR COLLEGE RELATED QUERIES | J4RV4I1008CHATBOT FOR COLLEGE RELATED QUERIES | J4RV4I1008
CHATBOT FOR COLLEGE RELATED QUERIES | J4RV4I1008
Journal For Research
 
International Refereed Journal of Engineering and Science (IRJES)
International Refereed Journal of Engineering and Science (IRJES) International Refereed Journal of Engineering and Science (IRJES)
International Refereed Journal of Engineering and Science (IRJES)
irjes
 
Securing Oracle Database 12c
Securing Oracle Database 12cSecuring Oracle Database 12c
Securing Oracle Database 12c
Inprise Group
 
Patterns and Antipatterns in Enterprise Security
Patterns and Antipatterns in Enterprise SecurityPatterns and Antipatterns in Enterprise Security
Patterns and Antipatterns in Enterprise Security
WSO2
 
Study on Use Case Model for Service Oriented Architecture Development
Study on Use Case Model for Service Oriented Architecture DevelopmentStudy on Use Case Model for Service Oriented Architecture Development
Study on Use Case Model for Service Oriented Architecture Development
ijwtiir
 
Introduzione a GAE - Alessandro Aglietti e Lorenzo Bugiani
Introduzione a GAE - Alessandro Aglietti e Lorenzo BugianiIntroduzione a GAE - Alessandro Aglietti e Lorenzo Bugiani
Introduzione a GAE - Alessandro Aglietti e Lorenzo Bugiani
firenze-gtug
 
Programming objects with android
Programming objects with androidProgramming objects with android
Programming objects with android
firenze-gtug
 

More Related Content

What's hot

A Proposed Security Model for Web Enabled Business Process Management System
A Proposed Security Model for Web Enabled Business Process Management SystemA Proposed Security Model for Web Enabled Business Process Management System
A Proposed Security Model for Web Enabled Business Process Management System
CSCJournals
 
Forefront Identity Manager 2010 (Av Rune Lystad)
Forefront Identity Manager 2010 (Av Rune Lystad)Forefront Identity Manager 2010 (Av Rune Lystad)
Forefront Identity Manager 2010 (Av Rune Lystad)
Microsoft Norge AS
 
Open am and_radiantone
Open am and_radiantoneOpen am and_radiantone
Open am and_radiantone
Jose R
 
Identity and Authentication in Office 2013 and Office 365 from Microsoft
Identity and Authentication in Office 2013 and Office 365 from MicrosoftIdentity and Authentication in Office 2013 and Office 365 from Microsoft
Identity and Authentication in Office 2013 and Office 365 from Microsoft
David J Rosenthal
 
Patterns and Antipatterns in Enterprise Security
Patterns and Antipatterns in Enterprise SecurityPatterns and Antipatterns in Enterprise Security
Patterns and Antipatterns in Enterprise Security
WSO2
 
Study on Use Case Model for Service Oriented Architecture Development
Study on Use Case Model for Service Oriented Architecture DevelopmentStudy on Use Case Model for Service Oriented Architecture Development
Study on Use Case Model for Service Oriented Architecture Development
ijwtiir
 

What's hot (20)

Active Directory Self-Service Suite Overview
Active Directory Self-Service Suite OverviewActive Directory Self-Service Suite Overview
Active Directory Self-Service Suite Overview
 
A Proposed Security Model for Web Enabled Business Process Management System
A Proposed Security Model for Web Enabled Business Process Management SystemA Proposed Security Model for Web Enabled Business Process Management System
A Proposed Security Model for Web Enabled Business Process Management System
 
Hitachi ID Identity Express™ - Corporate Edition
Hitachi ID Identity Express™ - Corporate EditionHitachi ID Identity Express™ - Corporate Edition
Hitachi ID Identity Express™ - Corporate Edition
 
Forefront Identity Manager 2010 (Av Rune Lystad)
Forefront Identity Manager 2010 (Av Rune Lystad)Forefront Identity Manager 2010 (Av Rune Lystad)
Forefront Identity Manager 2010 (Av Rune Lystad)
 
Two Factor Authentication for Salesforce
Two Factor Authentication for SalesforceTwo Factor Authentication for Salesforce
Two Factor Authentication for Salesforce
 
Design Pattern for Oracle Identity Provisioning
Design Pattern for Oracle Identity ProvisioningDesign Pattern for Oracle Identity Provisioning
Design Pattern for Oracle Identity Provisioning
 
CIS14: Creating a Federated Identity Service for Better SSO
CIS14: Creating a Federated Identity Service for Better SSOCIS14: Creating a Federated Identity Service for Better SSO
CIS14: Creating a Federated Identity Service for Better SSO
 
External Search Match
External Search MatchExternal Search Match
External Search Match
 
project on Agile approach
project on Agile approachproject on Agile approach
project on Agile approach
 
Idm Workshop
Idm WorkshopIdm Workshop
Idm Workshop
 
How to Get More Out of Your Integration Systems
How to Get More Out of Your Integration SystemsHow to Get More Out of Your Integration Systems
How to Get More Out of Your Integration Systems
 
Social intranet portal on share point for a global infrastructure company
Social intranet portal on share point for a global infrastructure companySocial intranet portal on share point for a global infrastructure company
Social intranet portal on share point for a global infrastructure company
 
Open am and_radiantone
Open am and_radiantoneOpen am and_radiantone
Open am and_radiantone
 
Digital Library iPad Application for Referring Documents
Digital Library iPad Application for Referring DocumentsDigital Library iPad Application for Referring Documents
Digital Library iPad Application for Referring Documents
 
Identity and Authentication in Office 2013 and Office 365 from Microsoft
Identity and Authentication in Office 2013 and Office 365 from MicrosoftIdentity and Authentication in Office 2013 and Office 365 from Microsoft
Identity and Authentication in Office 2013 and Office 365 from Microsoft
 
CHATBOT FOR COLLEGE RELATED QUERIES | J4RV4I1008
CHATBOT FOR COLLEGE RELATED QUERIES | J4RV4I1008CHATBOT FOR COLLEGE RELATED QUERIES | J4RV4I1008
CHATBOT FOR COLLEGE RELATED QUERIES | J4RV4I1008
 
International Refereed Journal of Engineering and Science (IRJES)
International Refereed Journal of Engineering and Science (IRJES) International Refereed Journal of Engineering and Science (IRJES)
International Refereed Journal of Engineering and Science (IRJES)
 
Securing Oracle Database 12c
Securing Oracle Database 12cSecuring Oracle Database 12c
Securing Oracle Database 12c
 
Patterns and Antipatterns in Enterprise Security
Patterns and Antipatterns in Enterprise SecurityPatterns and Antipatterns in Enterprise Security
Patterns and Antipatterns in Enterprise Security
 
Study on Use Case Model for Service Oriented Architecture Development
Study on Use Case Model for Service Oriented Architecture DevelopmentStudy on Use Case Model for Service Oriented Architecture Development
Study on Use Case Model for Service Oriented Architecture Development
 

Viewers also liked

Gae cloud computing_bar_camp_bologna
Gae cloud computing_bar_camp_bolognaGae cloud computing_bar_camp_bologna
Gae cloud computing_bar_camp_bologna
firenze-gtug
 
Aidilab - Android Firenze GTUG
Aidilab - Android Firenze GTUGAidilab - Android Firenze GTUG
Aidilab - Android Firenze GTUG
firenze-gtug
 
Firenze Gtug Kick Off QP
Firenze Gtug Kick Off QPFirenze Gtug Kick Off QP
Firenze Gtug Kick Off QP
firenze-gtug
 

Viewers also liked (9)

Introduzione a GAE - Alessandro Aglietti e Lorenzo Bugiani
Introduzione a GAE - Alessandro Aglietti e Lorenzo BugianiIntroduzione a GAE - Alessandro Aglietti e Lorenzo Bugiani
Introduzione a GAE - Alessandro Aglietti e Lorenzo Bugiani
 
Programming objects with android
Programming objects with androidProgramming objects with android
Programming objects with android
 
Gae cloud computing_bar_camp_bologna
Gae cloud computing_bar_camp_bolognaGae cloud computing_bar_camp_bologna
Gae cloud computing_bar_camp_bologna
 
Aidilab - Android Firenze GTUG
Aidilab - Android Firenze GTUGAidilab - Android Firenze GTUG
Aidilab - Android Firenze GTUG
 
Youtube broadcast live - Massimiliano D'Ambrosio
Youtube broadcast live - Massimiliano D'AmbrosioYoutube broadcast live - Massimiliano D'Ambrosio
Youtube broadcast live - Massimiliano D'Ambrosio
 
Html5 apps - GWT oriented
Html5 apps - GWT orientedHtml5 apps - GWT oriented
Html5 apps - GWT oriented
 
Intel ndk - a few Benchmarks
Intel ndk - a few BenchmarksIntel ndk - a few Benchmarks
Intel ndk - a few Benchmarks
 
Arduino - Massimiliano D'Ambrosio
Arduino - Massimiliano D'AmbrosioArduino - Massimiliano D'Ambrosio
Arduino - Massimiliano D'Ambrosio
 
Firenze Gtug Kick Off QP
Firenze Gtug Kick Off QPFirenze Gtug Kick Off QP
Firenze Gtug Kick Off QP
 

Similar to SIF IDM Profile Introduction

Campus Consortium EdTalks Featuring Clemson University
Campus Consortium EdTalks Featuring Clemson UniversityCampus Consortium EdTalks Featuring Clemson University
Campus Consortium EdTalks Featuring Clemson University
Campus Consortium
 
Shibboleth identity provider (idp) what it is, and why you should consider a ...
Shibboleth identity provider (idp) what it is, and why you should consider a ...Shibboleth identity provider (idp) what it is, and why you should consider a ...
Shibboleth identity provider (idp) what it is, and why you should consider a ...
Gluu
 
Integrating SIS’s with Salesforce: An Accidental Integrator’s Guide
Integrating SIS’s with Salesforce: An Accidental Integrator’s GuideIntegrating SIS’s with Salesforce: An Accidental Integrator’s Guide
Integrating SIS’s with Salesforce: An Accidental Integrator’s Guide
Salesforce.org
 
Security Framework for Multitenant Architecture
Security Framework for Multitenant ArchitectureSecurity Framework for Multitenant Architecture
Security Framework for Multitenant Architecture
DataWorks Summit
 
Directions Answer each question individual and respond with full .docx
Directions Answer each question individual and respond with full .docxDirections Answer each question individual and respond with full .docx
Directions Answer each question individual and respond with full .docx
mariona83
 
mainppt-210725060740.pdf
mainppt-210725060740.pdfmainppt-210725060740.pdf
mainppt-210725060740.pdf
STYLISHGAMER1
 

Similar to SIF IDM Profile Introduction (20)

Oracle Open World S308250  Securing Your People Soft Application Via Idm
Oracle Open World S308250  Securing Your People Soft Application Via IdmOracle Open World S308250  Securing Your People Soft Application Via Idm
Oracle Open World S308250  Securing Your People Soft Application Via Idm
 
Campus Consortium EdTalks Featuring Clemson University
Campus Consortium EdTalks Featuring Clemson UniversityCampus Consortium EdTalks Featuring Clemson University
Campus Consortium EdTalks Featuring Clemson University
 
Intelligence Driven Identity and Access Management
Intelligence Driven Identity and Access ManagementIntelligence Driven Identity and Access Management
Intelligence Driven Identity and Access Management
 
Azure AD Presentation - @ BITPro - Ajay
Azure AD Presentation - @ BITPro - AjayAzure AD Presentation - @ BITPro - Ajay
Azure AD Presentation - @ BITPro - Ajay
 
Sap basis and_security_administration
Sap basis and_security_administrationSap basis and_security_administration
Sap basis and_security_administration
 
Identity is key - Robin Gorris
Identity is key - Robin GorrisIdentity is key - Robin Gorris
Identity is key - Robin Gorris
 
Shibboleth identity provider (idp) what it is, and why you should consider a ...
Shibboleth identity provider (idp) what it is, and why you should consider a ...Shibboleth identity provider (idp) what it is, and why you should consider a ...
Shibboleth identity provider (idp) what it is, and why you should consider a ...
 
LTS Secure Identity Management
LTS Secure Identity ManagementLTS Secure Identity Management
LTS Secure Identity Management
 
IdM Reference Architecture
IdM Reference ArchitectureIdM Reference Architecture
IdM Reference Architecture
 
Integrating SIS’s with Salesforce: An Accidental Integrator’s Guide
Integrating SIS’s with Salesforce: An Accidental Integrator’s GuideIntegrating SIS’s with Salesforce: An Accidental Integrator’s Guide
Integrating SIS’s with Salesforce: An Accidental Integrator’s Guide
 
Security Framework for Multitenant Architecture
Security Framework for Multitenant ArchitectureSecurity Framework for Multitenant Architecture
Security Framework for Multitenant Architecture
 
TOP SAILPOINT INTERVIEW QUESTION
TOP SAILPOINT INTERVIEW QUESTIONTOP SAILPOINT INTERVIEW QUESTION
TOP SAILPOINT INTERVIEW QUESTION
 
Power BI Security Best Practices.pdf
Power BI Security Best Practices.pdfPower BI Security Best Practices.pdf
Power BI Security Best Practices.pdf
 
GDPR
GDPRGDPR
GDPR
 
Directions Answer each question individual and respond with full .docx
Directions Answer each question individual and respond with full .docxDirections Answer each question individual and respond with full .docx
Directions Answer each question individual and respond with full .docx
 
Identity Management
Identity ManagementIdentity Management
Identity Management
 
Saipraveen_Cirrculum_Vitae
Saipraveen_Cirrculum_VitaeSaipraveen_Cirrculum_Vitae
Saipraveen_Cirrculum_Vitae
 
User Manager
User ManagerUser Manager
User Manager
 
Implementing zero trust architecture in azure hybrid cloud
Implementing zero trust architecture in azure hybrid cloudImplementing zero trust architecture in azure hybrid cloud
Implementing zero trust architecture in azure hybrid cloud
 
mainppt-210725060740.pdf
mainppt-210725060740.pdfmainppt-210725060740.pdf
mainppt-210725060740.pdf
 

Recently uploaded

1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdf1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdf
QucHHunhnh
 
1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdf1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdf
QucHHunhnh
 
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
ZurliaSoop
 
Spellings Wk 3 English CAPS CARES Please Practise
Spellings Wk 3 English CAPS CARES Please PractiseSpellings Wk 3 English CAPS CARES Please Practise
Spellings Wk 3 English CAPS CARES Please Practise
AnaAcapella
 

Recently uploaded (20)

Sociology 101 Demonstration of Learning Exhibit
Sociology 101 Demonstration of Learning ExhibitSociology 101 Demonstration of Learning Exhibit
Sociology 101 Demonstration of Learning Exhibit
 
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
 
Basic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptxBasic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptx
 
2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptx
2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptx2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptx
2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptx
 
Mehran University Newsletter Vol-X, Issue-I, 2024
Mehran University Newsletter Vol-X, Issue-I, 2024Mehran University Newsletter Vol-X, Issue-I, 2024
Mehran University Newsletter Vol-X, Issue-I, 2024
 
Third Battle of Panipat detailed notes.pptx
Third Battle of Panipat detailed notes.pptxThird Battle of Panipat detailed notes.pptx
Third Battle of Panipat detailed notes.pptx
 
Spatium Project Simulation student brief
Spatium Project Simulation student briefSpatium Project Simulation student brief
Spatium Project Simulation student brief
 
Food safety_Challenges food safety laboratories_.pdf
Food safety_Challenges food safety laboratories_.pdfFood safety_Challenges food safety laboratories_.pdf
Food safety_Challenges food safety laboratories_.pdf
 
On National Teacher Day, meet the 2024-25 Kenan Fellows
On National Teacher Day, meet the 2024-25 Kenan FellowsOn National Teacher Day, meet the 2024-25 Kenan Fellows
On National Teacher Day, meet the 2024-25 Kenan Fellows
 
1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdf1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdf
 
1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdf1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdf
 
Understanding Accommodations and Modifications
Understanding Accommodations and ModificationsUnderstanding Accommodations and Modifications
Understanding Accommodations and Modifications
 
General Principles of Intellectual Property: Concepts of Intellectual Proper...
General Principles of Intellectual Property: Concepts of Intellectual Proper...General Principles of Intellectual Property: Concepts of Intellectual Proper...
General Principles of Intellectual Property: Concepts of Intellectual Proper...
 
Unit-V; Pricing (Pharma Marketing Management).pptx
Unit-V; Pricing (Pharma Marketing Management).pptxUnit-V; Pricing (Pharma Marketing Management).pptx
Unit-V; Pricing (Pharma Marketing Management).pptx
 
Unit-IV; Professional Sales Representative (PSR).pptx
Unit-IV; Professional Sales Representative (PSR).pptxUnit-IV; Professional Sales Representative (PSR).pptx
Unit-IV; Professional Sales Representative (PSR).pptx
 
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
 
How to Create and Manage Wizard in Odoo 17
How to Create and Manage Wizard in Odoo 17How to Create and Manage Wizard in Odoo 17
How to Create and Manage Wizard in Odoo 17
 
Magic bus Group work1and 2 (Team 3).pptx
Magic bus Group work1and 2 (Team 3).pptxMagic bus Group work1and 2 (Team 3).pptx
Magic bus Group work1and 2 (Team 3).pptx
 
SOC 101 Demonstration of Learning Presentation
SOC 101 Demonstration of Learning PresentationSOC 101 Demonstration of Learning Presentation
SOC 101 Demonstration of Learning Presentation
 
Spellings Wk 3 English CAPS CARES Please Practise
Spellings Wk 3 English CAPS CARES Please PractiseSpellings Wk 3 English CAPS CARES Please Practise
Spellings Wk 3 English CAPS CARES Please Practise
 

SIF IDM Profile Introduction

  • 1. SIF IDM 101: Identification Management Profile Introduction Hattie Leary Hattie.Leary@anoka.k12.mn.us Richard Tong rtong@amplify.com Vince Paredes vparedes@sifassociation.org Linda Marshall Linda.Marshall@nsip.EDU.AU
  • 2. A Primer of the SIF IDM Profile  Background for a comprehensive IDM profile  The new solution  The use cases  Logical IDM model  IDM workflow best practice (Also covered in IDM 102)  Migration path from 2.0 (To-be-covered in IDM 102)  The real-world story and next steps (To-be-covered in IDM 102)  Appendix
  • 3. Background for SIF IDM Profile Why do we need SIF Identity Management Profile?
  • 4. User ID and password are needed for all kinds of web applications in education. SIF Enabled Educational Infrastructure needs to provide mechanism to seamless authenticate end users and grant authorization request. User ID and password from mobile clients into SIF Enabled Educational Infrastructure API and/or hosted applications need to be supported. APIs, Desktop or backend applications and Custom Apps (such as data ingestion engine, sync engine, ESB, Data Warehouse, administrative applications, collaboration tools, custom Apps, etc.) need to identify themselves and pass credentials from their end users for participating in the overall SIF Enabled Educational Infrastructure community. Where is identity needed?
  • 5. Benefits of Identity Integration (Single Sign-On or Same Sign-On)  Reduced Administrative Costs  All user authentication information resides in SEA/LEA, which reduces the need to maintain, monitor and potentially synchronized multiple stores.  Reduces password-related user support requests.  Increased ease of use / adoption  Each user only has a single username and password which grants them seamless access to all of their current resources and SIF Enabled Educational Infrastructure resources.  Single Sign-On also saves users time, since each individual sign-on process can take 5 to 20 seconds to complete.  Enhanced Security  Password policies established for SEA/LEA network will also be in effect for SIF Enabled Educational Infrastructure.  Automatic provisioning and deprovisioning of users prevents unwarranted access.  Sending an authentication credential that is only valid for a single use can increase security for users who have access to sensitive data.
  • 6. Beyond SSO  Before SSO can happen, how are Identifications in both IDP and SP provisioned and linked to ensure consistency?  How are authorization and entitlement information exchanged in either SSO enabled environment or even Same-sign-on environments?  We also need cross-app authorization,
  • 7. Requirement for the SIF IDM Profile Solution  Provide a common logical data model for all participant applications  Provide a standard least-common-denominator data schema for compliant applications to exchange IDM related data  Expand on the current SIF 2.5 profiles  Align with CEDS (We already embed the new profile in CEDS 3.0 by working with the CEDS team)  Provide a best practice workflow framework to support the common use cases  Provide a migration path and real-world case studies to ease the adoption and transition
  • 8. The SIF IDM Profile Solution Scope, Logical Model, Individual Entity Objects, and Recommended Workflow
  • 9. Scope of SIF IDM Use Cases
  • 10. Scope of SIF IDM Use Cases  Provisioning of Identity and Access across multiple connected systems  Provisioning of identity in a directory service provider  Provisioning or de-provisioning of identity in an existing system  on-demand (personal event driven)  Batch (at BOY, EOY, MOY, etc.)  Provisioning of identity and profile in a new system  Single-Sign-On among multiple education systems
  • 12. SIF 2.7 IDM ProfileIdentificationManagementLogicalEntityModel StudentPersonal RefId Student_Id Personal_Attributes OrganizationUser RefId PersonId OrginalAssociationId AssociationType Org_Id StartDate EndDate AuthoritativeSourceId IDM_Authentication RefId OrgUserId IDP_Login_Id IDP_App_Id IDP_Type StartDate EndDate AuthoritativeSourceId IDM_Authorization RefId OrgUserId App_Id App_Function StartDate EndDate AuthoritativeSourceId StaffPersonal RefId Staff_Id Personal_Attributes StudentContactPersonal RefId StudentContact_Id Personal_Attributes SchoolInfo RefId Org_Attributes ParentOrgId IDM_Applications RefId App_Name App_URI App_Default_Function App_Function_List App_Default_IDP_Id App_IDP_List StartDate EndDate
  • 13.
  • 14. From 2.7 to 3.1  2.7 Focus on backward compatibility. The OrganizationUser provides the key connection to studentpersonal, staffpersonal, and studentcontactpersonal as well as schoolinfo. It can be adopted immediately in 2.x environment.  3.1 Uses the new 3.0 PartyOrganizationAssociation object to replace OrganizationUser. Therefore it is more flexible.
  • 15. IDM Entities * Note: We primarily use the 2.7 entity names in this section. For 3.1, the logic is the same, but the names and relationships are a little different to reflect the new entities.
  • 16. OrganizationUser  This object is the link from the IDM data to the existing StudentPersonal, StaffPersonal, etc. in the current SIF model. This is directly corresponding to the CEDS 2.0 OrgPersonRole, which is an association of Person, Role and Organization.  The Ed-Fi model equivalents are Student/Staff/Parent.  For organization mapping, CEDS/Ed-Fi define them as Educational Organization/Programs.  The time dimension (StartDate (required field), EndDate (optional field)) would be the key aspect to identify the LifeCycle of the OrganizationUser. This object would become the key reference object for all identification propagation across systems.
  • 17. Application  Application Profile – The application System(s) that participates in the overall integration App Ecosystem where SSO and coordinated Access Control are needed.  App_Name and App_URI are for navigation and display  App_Default_Function could be used for service invocation (for example, within an EcoSystem, there could be several applications that provide “chat” functions or even “IdP” functions)  App_Default_IDP point to the Application that authenticate the users for this app. For example, the “ParentDashboard” application might be using “DistrictLDAP” as its ID Provider.
  • 18. Authentication  Authentication Profile – to establish authentication map between OrganizationUser and IDP’s LoginID. This profile will also be used to provision or deprovision user from SIS/HR to IDP (Identity Provider such as Active Directory, LDAP, or OpenID provider).  LoginID as defined in the IDP Directory of the SEA/LEA institutions.  IDP_App_ID - the IDP where this user is provisioned on (for example, staff might use one IDP called “StateStaffDirectory”, and parent might use another IDP service called “OpenIDProvider” to log in)  OrganizationUserID – A reference to the OrganizationUser  StartDate  EndDate
  • 19. Authorization  Authorization Profile – to establish role/permission map between OrganizationUser and Downstream Application’s role and permission. This profile will primarily be used to provision or deprovision user from SIS/HR to one particular educational system.  OrganizationUserID reference the OrganizationUser (  App_ID – Reference to the target application where this OrganizationUser is provisioned. For example, Hattie Leary as a Staff in Anoka will be mapped to Administrator in Library Management System.  App_Function is the function that the application is providing for the OrganizationUser. For example, Hattie is using “Moodle” to serve “LMS” function for her.
  • 20. OrganizationPartyAssociation (3.x)  This object is almost functional equivalent to the OrganizationUser in the 2.7 logical model. There are several subtle differences:  The OrganizationPartyAssociation does not have start/end date, so it can be used to trigger a scheduled provision event.  “OrganizationUser” has a field “OriginalAssociationId” which can be used to store the StateID, EmployeeID, StudentID or other non-GUID type keys, while OrganizationPartyAssociation does not. For implementation purpose, it is would be easier to control data quality when keys can be checked against existing database keys. Therefore, OrganizationUser object is better suited when backward compatibility is required.
  • 21. Person (A 3.x concept, also connected to the 3.0 student object)  The objective for the person object is to establish the cross- domain longitudinal reference link to any personal information within the SIF framework. All personal and demographical information will be referred to this object. For identity management purpose, the information carried in the Person Profile should be consistent throughout the systems and first created from SIS/HR.  The reality is that a lot of the existing system does not share master data management (MDM) for person and it is recommended to have this person linkage to be optional rather than mandated to allow existing system adoption of the new IDM paradigm and allow continuous improvement.
  • 22. Design highlight and consideration  Person vs. OrganizationUser  Person is longitudinally traceable and consistent.  OrganizationUser is more relevant in application identity and role-based access control context. OrganizationUser is conceptually equivalent to the union of StudentPersonal, StaffPersonal and StudentContactPersonal. In CEDS 3.0, OrganizationUser = OrgPersonRole  Authentication  SIF IDM data interchange does not really care that much about the specific authentication mechanism, as long as single-sign- on could be established.  Authorization  Similarly, SIF IDM data interchange does not enforce the RBAC mechanism in applications, as long as the authorization is honored.  Application  New 3.0 object that reflects the ecosystem reality
  • 23. SIF IDM Service Workflow 2013
  • 24. IDM Workflow Diagram IDM Workflow 1. OrganizationUser 2. (StudentPersonl, StaffPersonal, StudentContactPersonal) 3. Person ~ Optional 4. EducationalOrganization ~ Optional * Authentication 1. OrganizationUser 2. (StudentPersonl, StaffPersonal, StudentContactPersonal) 3. Person ~ Optional 4. EducationalOrganization ~ Optional * Authorization Target Applications (Portal, LMS, or other SSO Participants) App User Management (Person and Organization) App RBAC Service Identity Administration And Configuration Facility App Identity To Domain Provision and Synchronization Service Identity Federation Runtime Authoritative Sources (HR, SIS, SLDS) App Provisioning Source (Person and Organization) App Domain Access Control Identity Administration And Configuration Facility Source Identity To Domain Provision and Synchronization Service Application Registry (Optional application references populated through the Application Registration Service or Manual Entry) Application Profile Identity Provider (Owned by SEA/LEA Directory (eg. AD or LDAP or NDS ) LogOn ID Federated SSO (eg. ADFS or SiteMinder Or OpenSSO) 1. Application Registration (optional) 2. User Authentication Provisioning 3. User Authorization Provisioning 4. Run-time SSO 1 2 3 4 2 3
  • 25. Appendix: CEDS Conceptual Mapping to the SIF IDM Profile (Source: CEDS)
  • 27. 27 All can be represented as Roles Key Concept: OrgPersonRole