[KULRICE-6053] Add documentation on "Integrating KIM with other IDM services" to the KIM technical docs Created: 09/Sep/09  Updated: 16/Jan/15

Status: Open
Project: Kuali Rice Development
Component/s: Documentation
Affects Version/s: None
Fix Version/s: Backlog

Type: Improvement Priority: Major
Reporter: Eric Westfall Assignee: Unassigned
Resolution: Unresolved Votes: 0
Labels: Old
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Rely
is relied upon by KULRICE-6163 Include in KIM documentation informat... Closed
Similar issues:
KULRICE-6693Add documentation on CallbackServiceExporter to the technical documentation for KIM
KULRICE-4494Integrate Document Search security with KIM
KULRICE-4667Evaluate remote KIM services: analysis & decision
KULRICE-1405Review Authentication Proposal with the technical integration committee
KULRICE-4666Evaluate "remote" KIM services
KULRICE-2983Update thin client integration model so that it provides for proper connection to KIM services
KULRICE-6075Technical Guide: Review & Update KIM Chapter
KULRICE-5339Finish integration with presentation controller/authorizer/AttributeSecurity checking KIM
KULRICE-2221Add Methods to IdentityManagementService to indicate editability of various components
KULRICE-6827Loss of useful javadocs on KIM services
Rice Module:
KIM

 Description   

This is currently a pretty big hole in our existing KIM technical docs that we need to fill. There are various strategies here, including but not limited to:

1) Straight overriding of the different KIM services
2) Population of the KIM database tables via some sort of ETL process
3) A hybrid of these two

It would probably be good to include examples of this If we could show integrating with LDAP that would be really super. Also showing how to integrate with authentication services would also be good (like CAS, Shiboleth, etc.). A general example of how to override services is probably also in order. We already have descriptions in there of the different services, but we should discuss the fact that it should be possible to override the services individually since they should be independent (from a database perspective) of each other.



 Comments   
Comment by Eric Westfall [ 09/Sep/09 ]

I included Jonathan, Ailish and Mike as watchers on this in case they have any additional thoughts on what this documentation should include. Mike and Innovativ are working on a session entitled "Implementing KIM at your Institution" for Kuali Days 8 which I think will share a lot of the same content with what this documentation should include so we may be able to collaborate some here.

Comment by Jonathan Keller [ 10/Sep/09 ]

I'll ask Curtis Bray over here if he would be willing to share the code they've written to integrate with our local LDAP server. I know they've mapped the services so the internal tables are not being loaded.

Comment by Jonathan Keller [ 10/Sep/09 ]

Identity is probably the easiest one with group a close second. However, I don't think you can fully replace the role service. There are too many dynamic roles which look at workflow/KNS/KFS data. So, that brings in the various approaches to use an external role system.

1) Override the RoleService - check the role - if not in the KIM tables, check the external system (or vice-versa)
2) Map application/derived KIM roles to external roles and use the KimRoleTypeService model to perform the access to the external services.

And, the Permission and Responsibility services are probably too specific to KFS to be worth implementing against an external datasource.

Comment by Eric Westfall [ 10/Sep/09 ]

Thanks, that's all great feedback. I think you are correct on the services which are most likely to be overridden. I think the concept of keeping the role service untouched but using KimRoleTypeServices to plug into other authz sources is probably the best model. There may be cases at some institutions though where they may want to aggregate multiple authz systems by overriding the role service, though that seems like that will probably be an uncommon case to me.

One other thing I'm struggling with a bit on this is how service overrides of things like the IdentityService affect the GUIs. I know we've got the UIDocumentService that attempts to separate that out, do we think that overrides to this service may need to be made in this case? The UI stuff maps directly to the business object impls if I recall correctly. So, in Curtis' case, if he has completely replaced the IdentityService implementation with LDAP, what affect does that have on the Person document? Or is he just not using it?

I know there are ways to turn off certain pieces of the Person document GUI, so I think its also imperative as part of this that we document how that is done as well (I believe it's a specific permission).

Comment by Jonathan Keller [ 10/Sep/09 ]

The UI document service really does not do a very good job of splitting it out. It should have been written against the KIM service APIs for data retrieval and updates. But, since the needed APIs did not exist at the time, it uses the implementation classes directly
...
ok - just finished reading your comment
...
Yes, replacing the UI Document Service would be absolutely required to use the KIM person UI if you replace the identity service. However, I think some of the feeling was that while the inquiries still needed to work, the document itself would probably not be used as that external system would already have an interface. In UCD's case, the person document will not be used. It's a read-only view of our LDAP information.

As for turning off parts of the document, I don't know about those.

Comment by Eric Westfall [ 29/Oct/09 ]

We should also include in this a section on the identity archive service and which services you would need to override (i.e. kimIdentityService vs. kimIdentityDelegateService).

Comment by Jessica Coltrin (Inactive) [ 10/Jan/12 ]

setting to 2.1 since this is new information and not going to happen for 2.0

Comment by Matt Sargent [ 30/Jan/12 ]

follow-up with our rSmart friends on this one...

Comment by Jessica Coltrin (Inactive) [ 30/Jan/12 ]

According to Leo, Tony has some on integration with cas and Shibboleth

Generated at Sun Apr 05 22:14:43 CDT 2020 using JIRA 6.1.5#6160-sha1:a61a0fc278117a0da0ec9b89167b8f29b6afdab2.