  1. Kuali Rice Roadmap
  2. KRRM-41

Research how Kuali Rice can better support Federated Identity Management Services

    Details

    • Type: Rice Research Item
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: None
    • Component/s: KIM
    • Labels:
      None
    • Rice Theme:
      Industry Standards
    • Priority Score:
      7
    • Priority - KFS:
      Medium
    • Priority - KC:
      Medium
    • Priority - KS:
      Low
    • Priority - Rice:
      Medium
    • Theme:
      Ease of Implementation
    • Application Impact:
      Low
    • Effort Estimate:
      Medium ~ 500 hrs

      Description

      Develop services and integration between KIM and other IdM solutions. Integration and/or federation with Shibboleth, InCommon, and other proprietary solutions.

            Activity

            cfairlie Cath Fairlie (Inactive) added a comment -

            We would like to see that the service definitions of Rice can support being implemented by other IDM solutions. But development of integration would be done by implementers and contributed back.

            cfairlie Cath Fairlie (Inactive) added a comment -

            Work on Rice (KIM) service contract to ensure support for IDM solutions is high.

            clbray Curtis Bray (Inactive) added a comment -

            There was some discussion around this topic back in May 2010. The collaboration workgroup never advanced, but if there is a business interest in this topic then it may be worthwhile to restart that collaboration workgroup.

            https://wiki.kuali.org/x/DwAoE

            ewestfal Eric Westfall added a comment - - edited

            It's still unclear to me exactly what enhancements Rice would need to make in order to better support federated identity, but here are some possible ideas for how we might scope this roadmap item:

            1) Add the ability to store an additional property on principals that qualify their principalID by a "system of origin" or something along those lines. This would help with the fact that principal ids are in a global namespace in KIM which can make it difficult to track interaction of users who are granted access to a system as part of a federated relationship.
            2) Add some out-of-the-box Shibboleth integration which understands certain "standard" attributes that might be sent in SAML from an identity provider.
            3) Attempt to come up with a standard set of Shibboleth attributes that KIM can understand related to authorizations/permission.
            4) Work on one or two specific use cases (i.e. researchers collaborating across multiple institutions with Kuali Coeus) and attempt to implement it in a test environment scenario to help us identify the challenges that might be inherent in such an integration.

            Those are some ideas. Any thoughts on specific scope we should focus on for this item?

            sagee Sandra Agee (Inactive) added a comment -

            Business Feature
            -Meet the needs to have universities collaborating not just between universities but also with the private industry.
            -Ability to offer single sign on
            -Ability to meet governmental authentication for higher level insurance identity requirements, LA2, and higher risk apps
            -Ability to meet InCommon Gold certificate based strategy requirements. i.e. BI Med projects
            -Ability to use login from "openid" to federal app
            -Identity Leverage

            High Level Business Scenarios

            Open id -to fed app
            Parents view bills/balances but no access to grades

            Identity Leverage
            Student identity...flow from class list to enterprise structure
            If a student is added in class receive automatic access to wikis, research, resources....
            If a student drops their privileges are revoked

            If student
            Student drops class

            Additional High level Scope

            Item number 3 is not necessarily in scope. Shibboleth may or may not be used/needed.

            Additional research is needed to determine path, tools...

            Additional Scop

            ewestfal Eric Westfall added a comment -

            Changing summary of this issue to better indicate that it's actually a research item into how Rice might be able to better support federated idm services. One other thing that was discussed was looking at one of the specific use cases for federation within the Kuali space. Federated Kuali Coeus instances was the obvious example that came up and that is probably the most logical one to pursue, seeing if we can get other members of the community who might be interested in that topic to participate in research and possible proof-of-concept.

            ewestfal Eric Westfall added a comment -

            Also, from Sandi's comment, it sounds like we should research levels of assurance as well as the various InCommon certifications (silver, gold, etc.) and if there is anything within Rice or Kuali in general we should be doing to help ourselves be more compliant with those. Additionally, looking at open ID and how that might fit into Kuali applications is also on the list.

            kymber Kymber Horn added a comment -

            Removing assignees that are no longer members of ARC. Current members of ARC will be asked to review and claim unassigned Roadmap items prior to our next voting cycle.


              People

              • Assignee:
                Unassigned
                Reporter:
                byock Bill Yock (Inactive)
              • Votes:
                1
                Watchers:
                2