Kuali Rice Development / KULRICE-6053

Add documentation on "Integrating KIM with other IDM services" to the KIM technical docs

    Details

    • Type: Improvement
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: Backlog
    • Component/s: Documentation
    • Rice Module:
      KIM

      Description

      This is currently a pretty big hole in our existing KIM technical docs that we need to fill. There are various strategies here, including but not limited to:

      1) Straight overriding of the different KIM services
      2) Population of the KIM database tables via some sort of ETL process
      3) A hybrid of these two

      It would probably be good to include examples of this. If we could show integrating with LDAP, that would be really super. Also showing how to integrate with authentication services would also be good (like CAS, Shibboleth, etc.). A general example of how to override services is probably also in order. We already have descriptions in there of the different services, but we should discuss the fact that it should be possible to override the services individually since they should be independent (from a database perspective) of each other.

          Activity

          Eric Westfall added a comment -

          I included Jonathan, Ailish and Mike as watchers on this in case they have any additional thoughts on what this documentation should include. Mike and Innovativ are working on a session entitled "Implementing KIM at your Institution" for Kuali Days 8 which I think will share a lot of the same content with what this documentation should include so we may be able to collaborate some here.

          Jonathan Keller added a comment -

          I'll ask Curtis Bray over here if he would be willing to share the code they've written to integrate with our local LDAP server. I know they've mapped the services so the internal tables are not being loaded.

          Jonathan Keller added a comment -

          Identity is probably the easiest one with group a close second. However, I don't think you can fully replace the role service. There are too many dynamic roles which look at workflow/KNS/KFS data. So, that brings in the various approaches to use an external role system.

          1) Override the RoleService - check the role - if not in the KIM tables, check the external system (or vice-versa)
          2) Map application/derived KIM roles to external roles and use the KimRoleTypeService model to perform the access to the external services.

          And, the Permission and Responsibility services are probably too specific to KFS to be worth implementing against an external datasource.

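The first of the two approaches above, written out as an added example (not Rice's own code): a delegating role check that consults the KIM tables first and falls back to the external system only for roles KIM does not grant. `RoleCheck` and `ExternalRoleSource` are hypothetical stand-ins for the real KIM `RoleService` and the institution's directory client, and an external lookup failure denies rather than grants.

```java
import java.util.List;
import java.util.Map;
import java.util.logging.Logger;

/** Hypothetical stand-in for the KIM role-check API; the real Rice RoleService has more methods. */
interface RoleCheck {
    boolean principalHasRole(String principalId, List<String> roleIds, Map<String, String> qualification);
}

/** Hypothetical client for the external role source (e.g. LDAP group membership). */
interface ExternalRoleSource {
    boolean isMember(String principalId, String roleId) throws Exception; // throws if the directory is unreachable
}

/** Approach 1: KIM tables first, external system second; outages of the external source fail closed. */
public final class DelegatingRoleService implements RoleCheck {
    private static final Logger LOG = Logger.getLogger(DelegatingRoleService.class.getName());
    private final RoleCheck kim;              // stock KIM implementation, still backed by the KIM tables
    private final ExternalRoleSource external;

    public DelegatingRoleService(RoleCheck kim, ExternalRoleSource external) {
        this.kim = kim;
        this.external = external;
    }

    @Override
    public boolean principalHasRole(String principalId, List<String> roleIds, Map<String, String> qualification) {
        // Local KIM data (including dynamic/derived roles) is answered by KIM itself and wins outright.
        if (kim.principalHasRole(principalId, roleIds, qualification)) {
            return true;
        }
        try {
            for (String roleId : roleIds) {
                if (external.isMember(principalId, roleId)) {
                    // Every grant that came from outside KIM is logged so it can be audited separately.
                    LOG.info(() -> "role " + roleId + " for " + principalId + " granted by external source");
                    return true;
                }
            }
            return false;
        } catch (Exception e) {
            // Fail closed: an unreachable or misbehaving directory must never widen access.
            LOG.warning(() -> "external role lookup failed for " + principalId + ": " + e.getMessage());
            return false;
        }
    }
}
```

Reversing the order (external first, KIM second) is the "vice-versa" variant; the fail-closed catch is the part to keep in either ordering.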
          Eric Westfall added a comment - edited

          Thanks, that's all great feedback. I think you are correct on the services which are most likely to be overridden. I think the concept of keeping the role service untouched but using KimRoleTypeServices to plug into other authz sources is probably the best model. There may be cases at some institutions though where they may want to aggregate multiple authz systems by overriding the role service, though that seems like that will probably be an uncommon case to me.

          One other thing I'm struggling with a bit on this is how service overrides of things like the IdentityService affect the GUIs. I know we've got the UIDocumentService that attempts to separate that out; do we think that overrides to this service may need to be made in this case? The UI stuff maps directly to the business object impls if I recall correctly. So, in Curtis' case, if he has completely replaced the IdentityService implementation with LDAP, what effect does that have on the Person document? Or is he just not using it?

          I know there are ways to turn off certain pieces of the Person document GUI, so I think it's also imperative as part of this that we document how that is done as well (I believe it's a specific permission).

          Jonathan Keller added a comment -

          The UI document service really does not do a very good job of splitting it out. It should have been written against the KIM service APIs for data retrieval and updates. But, since the needed APIs did not exist at the time, it uses the implementation classes directly.
          ...
          ok - just finished reading your comment
          ...
          Yes, replacing the UI Document Service would be absolutely required to use the KIM person UI if you replace the identity service. However, I think some of the feeling was that while the inquiries still needed to work, the document itself would probably not be used as that external system would already have an interface. In UCD's case, the person document will not be used. It's a read-only view of our LDAP information.

          As for turning off parts of the document, I don't know about those.

          Eric Westfall added a comment -

          We should also include in this a section on the identity archive service and which services you would need to override (i.e. kimIdentityService vs. kimIdentityDelegateService).

          Jessica Coltrin (Inactive) added a comment -

          Setting to 2.1 since this is new information and not going to happen for 2.0.

          Matt Sargent added a comment -

          Follow up with our rSmart friends on this one...

          Jessica Coltrin (Inactive) added a comment -

          According to Leo, Tony has some on integration with CAS and Shibboleth.


            People

            • Assignee: Unassigned
            • Reporter: Eric Westfall
            • Votes: 0
            • Watchers: 3
