Jasig — Spring 2010 Wednesday March 10 2010

Jasig - Spring 2010 Wednesday, March 10, 2010 8: 30 am Kuali Identity Management: Introduction and Implementation Options

Kuali Identity Management: Introduction and Implementation Options Eric Westfall Indiana University ewestfal@indiana. edu Dan Seibert University of California, San Diego dseibert@ucsd. edu 2

Implementing Kuali Identity Management at your Institution Integrating KIM with other Id. M products 3

What is KIM? • • • A module of Kuali Rice Common Interface and Service Layer Integrated Reference Implementation Set of User Interfaces KIM is not just “Identity Management”, it’s also “Access Management” 4

What KIM is Not • A Full-Fledged Identity Management System • Provisioning • Hooks to update other systems • Duplication Management • An Identity Aggregator • An Authentication Implementation 5

Why Did We Create KIM?

Motivations • Expansion of Kuali • Common Identity Management API • Consistent Authorization Implementation 7

What we did not want KF S IDM KC IDM KS 8

What we did want KF S KIM KC KS 9

Design Considerations • • • Existence of Other Id. M Solutions Legacy/Existing Implementations Replaceable Services Separation of Concerns Service Bus Maintenance GUIs 10

KIM Terminology

KIM Terminology • Namespace • Entity • Principal ID • Principal Name • Person • Entity Type 12

KIM Terminology • Group • Role • Qualifier • Permission / Permission Template • Responsibility / Responsibility Template 13

Namespace • Prevent Naming Conflicts • Allow for Permissions to be Segmented • Examples: • • • KR-KNS KR-WRKFLW KFS-SYS KFS-AP KC-SYS 14

Entity • Principal ID • Principal Name • • • Entity Type Names Addresses Phone Numbers Email Addresses 15

Group • Namespace • Group Type • Attributes 16

Role • • • Namespace Role Type Qualifiers Role Type Services Delegations • Primary • Secondary 17

Permission / Permission Template • • • Permission Template Permission Details Permission Type Service Assigned to Roles 18

Responsibility / Responsibility Template • Review • Resolve Exception • • Responsibility Details Responsibility Type Service Assigned to Roles 19

KIM Services

Components • Service Interface API • Reference Implementation • Functional Maintenance User Interfaces 21

KIM Core Services • • • Identity Service Group Service Role Service Permission Service Responsibility Service “Authentication” Service 22

Other KIM Services • • • Identity Management Service Role Management Service Person Service Identity Archive Service “Update” Services 23

KIM Service Architecture 24

Remember… • The primary goal of KIM was to build a service-oriented abstraction layer for Identity and Access Management • Integration with other IDM services was acknowledged, expected, and designed for! 25

KIM Integration KIM Service Layer Identity Servic e Group Servic e Role Servic e Permissio Responsibili n Service ty Service Reference Implementations Rice Databas e Open. Registry ? 26

Implementing Kuali Identity Management at your Institution Integrating KIM with other Id. M products

KIM Integration with various Identity Management Systems 28

with • • Intra-campus Web SSO Federated Access to a Rice application KIM as an Identity Provider (Id. P) Using Shibboleth Attributes for KIM authorization 29

with • • Intra-campus Web SSO Federated Access to a Rice application KIM as an Identity Provider (Id. P) Using Shibboleth Attributes for KIM authorization 30

with Federated Authentication Shibboleth Login Process 31

with Federated Authentication Protecting a Rice application as a Service Provider (SP) • A web server and openssl must be available first • Install Shibboleth • Configure the web server • Override KIM Authentication Service • Start the Shibboleth daemon, shibd 32

with KIM as an Identity Provider • Prerequisites: SSL certificate, source of SAML Metadata • Install Shibboleth Id. P • Load SAML Metadata • Configure KIM as the User Authentication Mechanism 33

with KIM as user Authentication Mechanism • Define Login Handler to match Authentication. Service Impl Ex: Remote User for reference Authentication. Service. Impl Username/Password for LDAP Impl 34

with • • Authorization Attributes Shibboleth Attributes as KIM Authorization Identify Attribute Sources Define Policies for Attribute Handling, for SPs Define New Business Processes Define New Policies 35

with Federated Authentication 36

with • Collaborative development of KIM/Grouper Adaptors Chris Hyzer, University of Pennsylvania • Differences between KIM and Grouper • How they might work together 37

with • Differences between KIM and Grouper 38

with Adapter Overview Custom Implementation of KIM Services using Grouper Client API • Group. Service • Group. Update. Service • Identity. Service 39

with • • Installation grouper. Client. jar grouper. Kim. Connector. jar grouper. client. properties Override kim. Group. Service 40

Integrating KIM with LDAP • Uof. A LDAP Integration Approach (UCDavis, SJDC also have implementations) • Using CAS to connect to LDAP 41

KIM with LDAP (Uof. A example) • UA netid is used for authentication • Identity information is available in UA’s Enterprise Directory Service (EDS) • Connect to EDS using Spring LDAP and overriding the KIM Identity. Service • KIM Parameter. Service provides map between KIM and LDAP attributes • In order to use the KIM GUI’s properly, the UIDocument. Service is also overridden 42

Integrating KIM with LDAP Configure CAS to connect to LDAP 43