Illinois Shared Learning Environment The One-Slide Summary


Page 1: Illinois Shared Learning Environment The One-Slide Summary

Illinois Shared Learning Environment

The One-Slide Summary

Page 2: Illinois Shared Learning Environment The One-Slide Summary

Create, Find, Map, Use, and Visualize Data Linked to Content and Standards enabling Personalized Learning and Career Preparedness for All Illinois Learners (P-K12 & Life-Long).

Local School District

Collect, Assemble, & Propagate

Ed-FI Data Model

Partner Institutions Data Centers

GOMB

Learning Maps & Learning Content

Applications and Dashboards

Dynamic Cloud Infrastructure

Apps

Partners:

ISLE Grant $12M: DCEO -> NCSA/UIUC

ISLE-IGA: NCSA/UIUC -> NIU, SIU, & IC

Participating LEA: 2 SLC Pilot, 35 RttT-3

~ 20% of Illinois Students with RttT-3 SD, ~840 to go.

DB

Compute

ED-FI Data Model Data Store

Services

Students, Educators, Parents, Researchers, Schools, Institutions and Agencies empowered by the Middleware infrastructure and Dynamic Self-Service Procurement Cloud Platform Services:

* Learning Maps
* Applications
* Dashboards
* Portal Integration
* Databases
* Collaboration Tools
* Development Incubator
* Advanced Analytics
* Shared Data Services
* Enterprise Services

Application Program Interface (API)

Illinois Shared Learning Environment – ISLE

Search & Registry Index for Content

Consumers, Producers, Content Brokers

SLC (Service Agreement): ISBE/LEA

RttT-3 Grant $43M: ISBE/LEA

RttT-Early Childhood $34M: ISBE/LEA

Pathways/STEM LE $10M: ISBE/DCEO

Page 3: Illinois Shared Learning Environment The One-Slide Summary

Create, Find, Map, Use, and Visualize Data Linked to Content and Standards enabling Personalized Learning and Career Preparedness for All Illinois Learners (P-K12 & Life-Long).

Learning Maps & Learning Content

Applications and Dashboards

Dynamic Cloud Infrastructure

Apps

DB

Compute

Students, Educators, Parents, Researchers, Schools, Institutions and Agencies empowered by the Middleware infrastructure and Dynamic Self-Service Procurement Cloud Platform Services:

* Learning Maps
* Applications
* Dashboards
* Portal Integration
* Databases
* Collaboration Tools
* Development Incubator
* Advanced Analytics
* Shared Data Services
* Enterprise Services

Partner Institutions Data Centers

Partners:

ISLE K12 School Districts, Partners, & Data Centers

Page 4: Illinois Shared Learning Environment The One-Slide Summary

Illinois Shared Learning Environment

The Platform’s Three Pillars of Support: Data, Identity, & Presentation

The Core-Central K12 Federation Services

Page 5: Illinois Shared Learning Environment The One-Slide Summary

• IlliniCloud is a non-profit organization providing services primarily for K12 school districts all over the state of Illinois. Acting as a K12 federation operator and service provider, the IlliniCloud is establishing three foundational service dimensions for the K12 community:

• Data Services
• Identity Services
• Presentation Services

• Minimal threshold of Adoption: The implementation is focused on mitigating integration requirements so that K12 school districts can adopt services with little to no modification of existing practices and procedures.

What Are The Three Service Pillars?

End-User Facing Interfaces: Tenants (School Districts)

Backend Interfaces & Services: Tenants (School Districts)

Page 6: Illinois Shared Learning Environment The One-Slide Summary

The Platform’s First Pillar of Support: Data Services

Illinois Shared Learning Environment

Page 7: Illinois Shared Learning Environment The One-Slide Summary

Operational Data Store

Raw Source System Data Matrices

Intermediate Data Model(s)

Data Product Propagation

Source 1

Source …

Source N

Any Data Model

Reports

Analytics

Collection Assemble Produce

How Does The Data Service Work?

Page 8: Illinois Shared Learning Environment The One-Slide Summary

District/LEA

How Does the Data Validation Service Work?

Data is collected in the ODS, where the Data Validation Rules Engine runs to check for errors

If the data is rejected, an error message is generated to the user

Teacher/Staff Data

Valid data is moved to the Data Marts

Better Research Leads to Better Decisions

Analyze the data in a spreadsheet

Prepare a report

Create a presentation

Data can now be analyzed – longitudinal data analysis can be performed

Student Information

Data is Stored in the Longitudinal Data Warehouse

IlliniCloud

User corrects data and resubmits

NO ERRORS

REAL TIME REPORTS

ERRORS

Data Entry

Page 9: Illinois Shared Learning Environment The One-Slide Summary

Ingest Data Validation and Assembly

SIF 2.5 for each local district site.

Implicitly enables use of Application Programmatic Interfaces (API)

School District ZIS

Source 1

Source …

Source N

Any DM

Reports

Analytics

Relational Data Store

Object Data Store

Ed FI API

InBloom API

Data Propagation for Alternative Data Models

How Does Data Service Propagation Work for Apps?

SIF/ZIS Integration API

SP

SP

SP

SP

SP

SP

Page 10: Illinois Shared Learning Environment The One-Slide Summary

The Platform’s Second Pillar of Support: Identity Services

Illinois Shared Learning Environment

Page 11: Illinois Shared Learning Environment The One-Slide Summary

3rd Party Service Providers & Other Federations

Districts (1 .. N) using Active Directory

Districts (1 .. N) using eDirectory

Districts (1 .. N) using LDAP/Kerberos

Trust

Trust

Proxy IDP/SP

School District

Metadata

Non-School District

Metadata

inCommon Google 4 Edu Other Service Providers

Read-Only Query Functionality

Workforce Development Users/Orgs

Federated Central Service

School District Users/Orgs

SAML 2.0, OAuth, OpenID

Native Directory Interface

Trust

Trust

Trust

What is the Federated Identity Service?

Authentication Delegation to Authoritative Source

Trust

Page 12: Illinois Shared Learning Environment The One-Slide Summary

SP

SP

SP

SP

IDP

Does not Forward to Federated Idm “Cloud Provider”

Google EDU

InC Net+

Apps

InCommon Federation

Metadata

IDP

K12 Federation IDP Proxy

Metadata

Publish / Subscribe

SP

SP

K12 Federation Service Providers

K12Org 1

Directory

SP

SP

Authoritative Directory Source

K12Org …

K12Org N

AD | LDAP | Kerberos | eDirectory

SSO Enabled

Not SSO Enabled

K12 Organization Local Service Providers

School Districts have preexisting directories and business procedures that govern practices & processing

SSO Enabled

Centralized Idm (SAML2) provides local directory mapping and profiles for federated service uses

Custom ISLE Applications

How Does the Federated Identity Service Work?

External Federations & Service Providers

SP Custom District Applications

Page 13: Illinois Shared Learning Environment The One-Slide Summary

How Do Attribute/Value Assertions & Web SSO Sessions Work?

IDP

K12 Federation IDP Proxy

Request

If No Session then Prompt Fed-Login, else goto 4

Collects: eduPersonPrincipalName

Manages the Delegated Authentication Challenge/Response

Collects & Assembles: eduPersonAffiliation

Manages computing eduPersonEntitlements that are needed for SP.

Browser Accesses Protected App Resource

1

2

Advanced Configuration: IDP/P + SP

iTrust Federation Registry

03

4

Response

IDP Attribute Resolvers & Filters:
• eduPersonPrincipalName
• eduPersonAffiliation
• eduPersonOrgDN
• eduPersonEntitlement *(Agreed)

If Session then Process Attribute Assertions for SP

SP

User has Navigated here

SP Attributes Needed & Parsing:
• eduPersonPrincipalName
• eduPersonAffiliation
• eduPersonOrgDN
• eduPersonEntitlement *(Agreed)

5

7 8

6

** May Have Distinct “Entitlements” for Individual Applications/Resources

Page 14: Illinois Shared Learning Environment The One-Slide Summary

“eduPersonEntitlement” Attribute value(s) to assert:
http://ApplicationName.ext/role/ILDATA_Building_Adminstrator,
http://ApplicationName.ext/role/ILDATA_Sheridan_Announcement..,
http://ApplicationName.ext/role/ILDATA_Sheridan_Attendence

How does eduPersonEntitlement Look Up-Close?

IDP Attribute Resolvers & Filters:
• eduPersonPrincipalName [email protected]
• eduPersonAffiliation Faculty, Staff, …, Library Walk-in
• eduPersonOrgDN dc=district, dc=ext
• eduPersonEntitlement *(Agreed) Any String as a UR(N,I,L)

Privilege Groups Of Interest

SP Attributes Required Values When Group Member: Needs fine-grained privilege mapping to align to some collection of cohort declarations the user is a member of in the authoritative source system of reference.

Because the Login User Has Relative: “memberOf” Attributes Associated

Page 15: Illinois Shared Learning Environment The One-Slide Summary

The Platform’s Third Pillar of Support: Presentation Services

Illinois Shared Learning Environment

Page 16: Illinois Shared Learning Environment The One-Slide Summary

Presentation Service

Data Identity

Unknown User may see only informational content

CASE 2: Federated IDP Other Than IC IDP/P Authenticates User and implicitly claims identity authority for a user’s logical session.

Known User with Affiliation assigned may use organization’s informational content, services, and applications

Known User, No Affiliation & Organization Domain, may use public Applications

CASE 1: Non-Authenticated Users, Anonymous

CASE 3: Authenticated by IC IDP/P implies defined Domain and Affiliation with Authorities expressed in Entitlements

LEA Tenant

Who Will Use the Presentation Service?

Page 17: Illinois Shared Learning Environment The One-Slide Summary

Visual Workspace:

What is the Presentation Service, a “Portal” ?

1.) Web Browser Based Visual Presentation & Workspace Much like the graphical user interface provided by a computer’s operating system (Windows, Macintosh, Tablets, & Smart-phones).

Horizontal (Button – Bar) S #1 S #2 S #... S #N Input:

Vertical (Button – Bar)

Button # 1 Button # 2 Button #... Button #N

Input:

Header: * Optional: May include Active Controls

Footer: * Optional: May include Active Controls

Button

Icon

Symbol

Buttons & Menus
• Clickable Actions or Pop-up
• May Take Input
• May be Grouped
  • Visually
  • Functionally
• Can be Combined with
  • Visual Theme
  • Preferences
• May be Located Anywhere

Portlet # 1 Floating Window

Portlet Workspace

Portlet #2 Window w/no Controls

Portlet Workspace

Portlet # 3 : Minimized Window

Portlet # .. : Minimized Window

Portlet # N: Invisible Win/Service

Background Visual Attributes are generally user definable and persisted as Preferences

Portlet Attributes: are generally user definable and persisted as Preferences (for each portlet) including size (min, max, full) & relative workspace location and window state.

Portlets
• Optional Visual Window
• May Contain
  • Buttons
  • Input/Forms
  • Any Media Content
• May be an Application
• May be a Service
• May be Resized or Static
  • Full Screen (WrkSpc)
  • Floating Window
  • Minimized (Visible)
  • Layered
• May be Remote Service
• May be Local Service
• May Support Any Media
• Shares Session Attributes
  • User/Role
  • Organization
  • Access Rules
  • Authorizations

Portal is the outer visual wrapper and user interface
• Manages User Identity for primary SSO/Sessions
• Shares Session State with Gadgets & Portlets

Portal Leverages SSO Service

Page 18: Illinois Shared Learning Environment The One-Slide Summary

How Does the “Portal” Work for Users?

Login:

Tab Bar InfoPage

ISLEApps

Illinois Open Education

Resource Search

[email protected]

Tab Bar ISLEApps

Illinois Open Education

Resource Search

MyPage

DistrictApps

EducatorDashboard

[email protected]

Multi-Tenancy Application Launcher: Individual school districts are “tenants”

Anonymous & Non-District Authenticated Users: Public Apps & Informational Page(s)

Each tenant must be able to customize the appearance & content of the portal for its own needs. Users who log into the portal get the appropriate experience for the tenant (district) to which they are connected.

Customization examples include logo, colors, header/footer text, navigation (tabs), and content (portlets). Tenants, moreover, not only need to manage these items, they also need to “manage the managers”: they must be able to grant or deny access to these management functions with regard to their own staff.


Page 19: Illinois Shared Learning Environment The One-Slide Summary

How Does the “Portal” Login Process Work?

Multi-Tenancy Global Login (IDP/Proxy): “Get User & Organization”

A.) Input eduPersonPrincipalName

UserID: MyLoginID @ Domain Name List . 123

Login Name[@domainName.ext]

Populates “OrgDN” List for Login Name; if more than one, force a choice.

B.) Derive: eduPersonOrgDN(/OrgUnitDN)

C.) Compute: eduPersonAffiliation

faculty, student, staff, alum, member, affiliate, employee, library-walk-in

Typical “Affiliation” List for Login Name
• If “Educator” then “faculty,member,employee”
• If “Staff Employee” then “staff,member,employee”
• If “Student” then “student, member”
• If “Parent/Guardian” then “Affiliate”
• If “Externally AuthN” then “library-walk-in”

Login:

Tab Bar TenantInfo

ISLEApps

Illinois Open Education Resource

Search

Anonymous User Invokes Login Action

Authentication Service Action

Multi-Tenancy Global Login (IDP/Proxy): “Delegate Authentication as Required”

D.) Compute: eduPersonEntitlement

https://uportal.illinicloud.org/role/tenancy-manager

https://uportal.illinicloud.org/role/isle-app-manager

https://uportal.illinicloud.org/role/portal-admin

https://uportal.illinicloud.org/role/portal-educator

https://uportal.illinicloud.org/role/portal-student
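
Login steps A through D on this slide, written out as an added example in Python; it is not code from the slides or from IlliniCloud. The directory records, the example domains and the category-to-role mapping are assumptions, since the slides list the role URIs but not who receives them.

```python
import re

DIRECTORY = [  # (uid, domain, OrgDN, category), all constructed sample records
    ("jdoe", "district1.example", "dc=district1,dc=example", "Educator"),
    ("jdoe", "district2.example", "dc=district2,dc=example", "Parent/Guardian"),
    ("asmith", "district1.example", "dc=district1,dc=example", "Student"),
]
AFFILIATION = {  # the slide's typical affiliation list
    "Educator": ["faculty", "member", "employee"],
    "Staff Employee": ["staff", "member", "employee"],
    "Student": ["student", "member"],
    "Parent/Guardian": ["affiliate"],
}
ROLE_BASE = "https://uportal.illinicloud.org/role/"
# Assumed mapping: the slides list the role URIs, not who receives them.
ROLE = {"Educator": "portal-educator", "Student": "portal-student"}
LOGIN_RE = re.compile(r"([a-z0-9._-]{1,64})(?:@([a-z0-9.-]{1,253}))?")

class ChoiceRequired(Exception):
    """Step A found several OrgDNs; the user must pick one."""
    def __init__(self, org_dns):
        super().__init__("choose an organization")
        self.org_dns = org_dns

def assemble(login, chosen_org=None, external=False):
    m = LOGIN_RE.fullmatch(login.strip().lower())  # A: Login Name[@domain]
    if not m:
        raise ValueError("malformed login name")
    uid, domain = m.groups()
    if external:  # authenticated elsewhere: no OrgDN, no role privileges
        if domain is None:
            raise ValueError("external login needs a domain")
        return {"eduPersonPrincipalName": f"{uid}@{domain}",
                "eduPersonAffiliation": ["library-walk-in"],
                "eduPersonEntitlement": []}
    hits = [r for r in DIRECTORY
            if r[0] == uid and domain in (None, r[1])]
    if chosen_org is not None:  # accept only an OrgDN the directory offered
        hits = [r for r in hits if r[2] == chosen_org]
    if not hits:
        raise LookupError("no matching account")
    if len(hits) > 1:
        raise ChoiceRequired(sorted(r[2] for r in hits))
    _, rec_domain, org_dn, category = hits[0]  # B: OrgDN from the directory
    role = ROLE.get(category)
    return {"eduPersonPrincipalName": f"{uid}@{rec_domain}",
            "eduPersonOrgDN": org_dn,
            "eduPersonAffiliation": list(AFFILIATION[category]),         # C
            "eduPersonEntitlement": [ROLE_BASE + role] if role else []}  # D
```

The OrgDN and entitlements are taken only from the directory record, so a login name or organization choice supplied by the user cannot place the session in a tenant the directory did not offer.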

1 Determine Tenancy for Authentication

2 Determine Role Privileges

Page 20: Illinois Shared Learning Environment The One-Slide Summary

[email protected]

Illinois Open Education

Resource Search

EducatorDashboard

TabBar

IsleApps

DistrictApps

EC/PK Apps

MyPage

TabBar

IsleApps

TenantApps

Office Apps

MyPage

[email protected]

Illinois Open Education

Resource Search

EducatorDashboard

TabBar

IsleApps

DistrictApps

AdminTools

MyPage

[email protected]

TabBar

IsleApps

Grade 8 Apps

Office Apps

MyPage

Student

Staff

Teacher

General Purpose Login Process

User’s “Tenant & Role” are Manifested as a Result of Login

Administrator

[email protected]

Tenant Portal-Manager Controls
• Visual Attribute Customizations
• User Role Based Content Customizations

Page 21: Illinois Shared Learning Environment The One-Slide Summary

Three Pillars of Support Married With Application Programmatic Interfaces:

Offer Significant Potential for LEAs to Realize the Promise Envisioned for the ISLE

Platform Operated as a K12 Federation for K12 by K12!

Illinois Shared Learning Environment

Page 22: Illinois Shared Learning Environment The One-Slide Summary

illiniCloud Services Application Providers

inCommon Services

inBloom Services

inBloom Application Providers

Provider Registration

Application Registry

SD001

SD002

SD …

SDNNN

inBloom Data, Roles and Identity

inCommon Data, Roles and Identity

Federated IAM Service

inCommon Services and Applications

inCommon Federation

Fed2Fed

Person Roles

Net+ and Affiliate Services

Auth[N/Z]

Auth[N/Z]

Data-Store

Org SD

SD Staff

SD Edu

Edu Kid

inBloom Data, Roles and Identity

IAM Integration

API Service

inBloom Applications

Data, Role & Id

Directory

App/Key

ODS

SIF_2.5 to EDFI

Local System to SIF_2.5

SD001

SD002

SD …

SDNNN

inBloom Operator

API Service

Auth[N/Z]

Data, Role & Id

Roles & Id

Federated Services

MD Agrgtr

Application Providers

Third Party Application Providers

Custom Vendor Integration

Page 23: Illinois Shared Learning Environment The One-Slide Summary
Page 24: Illinois Shared Learning Environment The One-Slide Summary

Questions & Comments