
KUALI IDENTITY MANAGEMENT

• Provides services for Identity and Access Management in Kuali

• Integrated Reference Implementations

• User Interfaces

• An “integration platform” for IAM within Kuali

THE INTEGRATION PLATFORM

• KIM defines service contracts and APIs for:

• Identities

• Groups

• Roles

• Permissions

• Responsibilities

KIM INTEGRATION

[Diagram: the KIM Service Layer exposes the Identity Service, Group Service, Role Service, Permission Service and Responsibility Service; behind it sit the Reference Implementations, backed by the Rice Database.]

MOTIVATIONS FOR THE CREATION OF KIM

• Expansion of Kuali

• Kuali Financial System

• Kuali Coeus

• Kuali Student

• Kuali OLE

• Kuali People Management (HR/Payroll)

• More to come…! Kuali is continually expanding.

• Shared Identity API

• Shared Authorization API

DESIGN REQUIREMENTS

• Kuali applications need to be deployed in disparate environments throughout higher education

• Legacy and Pre-existing Implementations

• Existence of Other IdM Solutions

• Service independence

• Pluggable and Replaceable Services

• Service Bus integration

• Maintenance GUIs

• Workflow engine integration

KIM AS AN IDENTITY REGISTRY

• KIM was originally designed to provide the standard IAM apis for Kuali

• It was not originally designed to be an authoritative identity registry

• As a result, not very many institutions have used it this way

• However, with the continued maturity of Kuali Student and KPME, we need to evolve!

VISION FOR IAM IN KUALI

• Since KIM is a shared service, we want to leverage this as much as possible.

• Include as much identity data as possible there.

• Leverage the management facilities provided therein

• Integrate with our source systems instead of provisioning into KIM, but still provide provisioning support

VALID KIM INTEGRATION MODELS

• Kuali Silo – single Kuali application implementation

• Enterprise Kuali – multiple Kuali and non-Kuali applications using the same KIM

• Half-n-Half – using Kuali for either Student or HR system, but not both

• Pure Kuali – using Kuali for both Student and HR systems

KUALI SILO

[Diagram: a single Kuali Coeus instance connected to KIM, which is backed by a database and an LDAP directory. Either provisioning into the database from systems of record, or integration of KIM with a directory or similar service.]

ENTERPRISE KUALI

[Diagram: Kuali Coeus, Kuali OLE, Some Application and Some Other Application all sharing one KIM, which is backed by a database and an LDAP directory. Either provisioning into the database from systems of record, or integration of KIM with a directory or similar service.]

HALF-N-HALF

[Diagram: Kuali HR, Kuali OLE, Some Application and Some Other Application sharing one KIM with its database; a separate SOR (Student System) provisions into KIM. HR data enters KIM through use of the provided management interfaces (which would include ID match and reconciliation). Student data is provisioned from the student system.]

PURE KUALI

[Diagram: Kuali HR, Kuali Student, Kuali OLE, Some Application and Some Other Application sharing one KIM with its database. Student and HR data enters KIM through use of the provided management interfaces (which would include ID match and reconciliation).]

EXAMPLE: IU KIM ARCHITECTURE


IDENTITY SERVICE

• For the purpose of the registry group, the Identity Service is our main area of interest

• KIM Identity Terminology

• Principals

• Entities

• Person

PRINCIPALS AND ENTITIES

• Principal

• Principal ID

• Principal Name

• Entity

• Entity Type

• Names

• Addresses

• Phone Numbers

• Email Addresses

• Affiliations

PERSON

• Person is a simplified representation of a Principal and its related Entity

• Includes only the “default” values for various entity attributes, including:

• Default name

• Default email address

• Default phone number

• Default affiliation

• Etc.

• It exists to provide a more streamlined representation of the Entity and Principal data model for API clients to work with
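The Person projection described on this slide, as an added example that is not KIM's own code: a Python sketch in which each entity attribute carries a `default` flag and `to_person` flattens a Principal plus its Entity into the default values (`Attr`, `Entity`, `Principal`, `Person`, `pick_default` and `to_person` are assumed names).

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sketch of the Person projection described on the slide; not KIM's own
# classes. Entity attributes carry a `default` flag, matching the deck's wording.

@dataclass(frozen=True)
class Attr:
    value: str
    default: bool = False
    active: bool = True

@dataclass
class Entity:
    entity_id: str
    entity_type: str
    names: List[Attr] = field(default_factory=list)
    emails: List[Attr] = field(default_factory=list)
    affiliations: List[Attr] = field(default_factory=list)

@dataclass(frozen=True)
class Principal:
    principal_id: str
    principal_name: str
    entity_id: str

@dataclass(frozen=True)
class Person:
    principal_id: str
    principal_name: str
    entity_id: str
    name: Optional[str]          # "default" name
    email: Optional[str]         # "default" email address
    affiliation: Optional[str]   # "default" affiliation

def pick_default(attrs: List[Attr]) -> Optional[str]:
    """Active attribute flagged default; failing that, the first active one; else None."""
    active = [a for a in attrs if a.active]
    for a in active:
        if a.default:
            return a.value
    return active[0].value if active else None

def to_person(principal: Principal, entity: Entity) -> Person:
    # Only flatten a principal together with the entity it is actually linked to.
    if principal.entity_id != entity.entity_id:
        raise ValueError("principal/entity mismatch")
    return Person(principal.principal_id, principal.principal_name, entity.entity_id,
                  pick_default(entity.names), pick_default(entity.emails),
                  pick_default(entity.affiliations))
```

An inactive attribute is skipped even when it is still flagged default, so a retired name never surfaces as the Person's display name.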

IDENTITY SERVICE

• Responsible for Principals and Entities

• Principals have a “name” which is intended to be the user name they use to authenticate

• All principals are associated with an entity

• There can be different types of entities, including Person and System

IDENTITY SERVICE

• Numerous pieces of data can be stored about an entity, including: names, affiliations, external ids, employment information, address, phone, email, privacy preferences (FERPA), etc.

• Example Service Operations:

• Get principal by id

• Get principal by principal name

• Get entity info by id

• Get entity info by principal id

• Get entity privacy preferences

PERSON SERVICE

• Provides an API for working with simplified Person data model

• Person data model includes

• Default entity data

• Principal data for the entity

• Implements caching functionality

IDENTITY ARCHIVE SERVICE

• Handles archiving of identity data to provide important attributes as backup in the case of identity removal

• Sits behind the main IdentityService

• This comes into play depending on an institution’s retention policy on identities

• Some applications may store references to principal ids for long periods of time

• If the backend of the identity service fails to resolve a particular principal id, it will be searched for in the identity archive
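The fallback path described on this slide, as an added example that is not KIM's own code: a Python sketch in which `IdentityService` resolves a principal id against its live backend first and consults `IdentityArchive` only on a miss, returning the archived record flagged as inactive (`PrincipalRecord`, `IdentityArchive`, `IdentityService` and the snapshot-on-resolve behaviour are assumptions).

```python
from dataclasses import dataclass, replace
from typing import Dict, Optional

# Constructed sketch of the lookup path on the slide; not KIM's own code. Assumption:
# the archive snapshots a principal whenever the live backend resolves it.

@dataclass(frozen=True)
class PrincipalRecord:
    principal_id: str
    principal_name: str
    entity_id: str
    active: bool = True      # False once the record is served from the archive
    archived: bool = False   # tells callers the identity no longer exists live

class IdentityArchive:
    """Backup of identity attributes, consulted only after the live store misses."""

    def __init__(self) -> None:
        self._records: Dict[str, PrincipalRecord] = {}

    def save(self, rec: PrincipalRecord) -> None:
        # Keep the earliest snapshot; later writes must not rewrite history.
        self._records.setdefault(rec.principal_id, rec)

    def lookup(self, principal_id: str) -> Optional[PrincipalRecord]:
        rec = self._records.get(principal_id)
        if rec is None:
            return None
        # Never hand back an archived identity as active: it resolves a historical
        # reference but must not satisfy an authorization check.
        return replace(rec, active=False, archived=True)

class IdentityService:
    def __init__(self, backend: Dict[str, PrincipalRecord], archive: IdentityArchive) -> None:
        self._backend = backend   # stands in for the live identity store
        self._archive = archive

    def get_principal(self, principal_id: str) -> Optional[PrincipalRecord]:
        rec = self._backend.get(principal_id)
        if rec is not None:
            self._archive.save(rec)   # snapshot on each successful live resolve
            return rec
        return self._archive.lookup(principal_id)   # fall back to the archive

    def remove_principal(self, principal_id: str) -> None:
        rec = self._backend.pop(principal_id, None)
        if rec is not None:
            self._archive.save(rec)   # retention policy decides how long it stays
```

Applications that hold principal ids for a long time can still render the removed identity, while the `archived` and `active` flags let authorization code refuse it.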

END-USER FUNCTIONALITY

• KIM provides various GUI screens which can be used for:

• Searching for identity data (groups, roles, permissions, etc.)

• Finding out more information about a particular piece of identity data

• Creating new identity data

• Editing existing data

• KIM maintenance functions provide integration with Kuali Enterprise Workflow for approval of changes

• Authorization to perform maintenance functions in KIM is also handled by KIM permissions

• Typically partitioned by namespace

USER INTERFACE – WE WILL LOOK AT

• Persons

• Groups

• Roles

• Permissions

PERSON LOOKUP

PERSON INQUIRY

PERSON INQUIRY - MEMBERSHIP