Development of IMPROV: A Provisioning Solution at UNC-Chapel Hill
DESCRIPTION
When implementing a Provisioning solution for UNC-Chapel Hill, we found there was very little available in the Open Source ecosystem that addressed this Identity Management problem space. Thus we set about writing our own solution, in the hope that we would then be able to contribute it back to the community. We have nearly completed the first phase of the outcome, a system we call IMPROV (Identity Management Provisioning). It consists of an SPML-based router mechanism that interacts with individual Services that provide our login identifiers, the Onyen and the UNC Guest ID. We intend future phases to include De-provisioning for these identifiers, and Provisioning/De-provisioning for other services such as Heelmail (our Microsoft Live@EDU implementation) and Exchange. In this session, we plan to communicate the status of the project, discuss the architecture of IMPROV, and find others who would like to contribute to making this an Open Source project.
TRANSCRIPT
June 10-15, 2012
Growing Community; Growing Possibilities
Celeste Copeland, UNC-Chapel Hill
• Several years ago, did an RFP for a Provisioning solution
  ◦ Already have a home-grown Person Store
• UNC, like many others, bought Sun IDM
  ◦ Then Oracle came along…
• Left us with a few options
  ◦ Re-do RFP – seemed like a waste
  ◦ Go ahead and implement Sun IDM without knowing the future of the product
  ◦ Wait and see what Oracle would choose to do
  ◦ Grow our own
  ◦ Grow our own AND try to make it Open Source
2012 Jasig Sakai Conference 2
• OASIS Standard, currently v2.0
• OASIS Provisioning Services TC
  ◦ Karsten Huneycutt
• XML-based
• Core: listTargets, add, lookup, modify, delete
• Others: batch, bulk, search, suspend, update
• Custom: better error codes, Challenge-Response
• Onyen service
• UNC Guest ID service
• Resource correlation service
• SPML router service
  ◦ Not actually a service, but a single join point around the "create" method of all services that calls a set of scripts to check eligibility for services
  ◦ Eligibility is determined by consulting with the resource correlation service before routing any request to the backend services
  ◦ After any successful add/delete/modify, the service will update the correlation service with any necessary changes
  ◦ This is an initial implementation for our phase one project; may switch to Grouper for eligibility
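The following is an added example, not code from IMPROV or the SPML Toolkit, that ties the two slides above together: it serialises and parses the core SPML v2 requests (listTargets, add, lookup, modify, delete) and puts a router in front of the backend services in the shape the architecture slide describes. One eligibility join point wraps every service's "add", consults a resource-correlation store before routing, and a successful add/modify/delete is recorded back into that store. The target names (onyen, guestid), the eligibility rule, the use of the psoID as the person key across all targets, and the choice of customError for an eligibility refusal are all assumptions made for the example; the only real identifiers used are the SPML v2 namespace and its standard error code names.

```python
"""Toy SPML v2 router modelled on the IMPROV design (added example, not
project code). Targets, the eligibility rule and all identifiers are constructed."""
import xml.etree.ElementTree as ET

SPML_NS = "urn:oasis:names:tc:SPML:2:0"      # SPML v2 core namespace
NS = "{" + SPML_NS + "}"                     # ElementTree's Clark notation prefix
CORE_OPS = ("listTargets", "add", "lookup", "modify", "delete")


def build_request(op, target_id=None, psoid=None, attrs=None):
    """Serialise a core request; the <data> payload is target-specific."""
    req = ET.Element(NS + op + "Request")
    if target_id:
        req.set("targetID", target_id)
    if psoid:
        ET.SubElement(req, NS + "psoID", ID=psoid)
    if attrs:
        data = ET.SubElement(req, NS + "data")
        for key, val in attrs.items():
            ET.SubElement(data, key).text = val
    return ET.tostring(req, encoding="unicode")


def build_response(op, status, error=None):
    resp = ET.Element(NS + op + "Response", status=status)
    if error:
        resp.set("error", error)
    return ET.tostring(resp, encoding="unicode")


def response_status(xml_text):
    """Return (status, error) from a response document; used by callers and tests."""
    root = ET.fromstring(xml_text)
    return root.get("status"), root.get("error")


def parse_request(xml_text):
    """Return (op, targetID, psoID, attrs); anything outside the core set is refused."""
    root = ET.fromstring(xml_text)
    if not root.tag.startswith(NS) or not root.tag.endswith("Request"):
        raise ValueError("malformedRequest")
    op = root.tag[len(NS):-len("Request")]
    if op not in CORE_OPS:
        raise ValueError("unsupportedOperation")
    pso = root.find(NS + "psoID")
    data = root.find(NS + "data")
    attrs = {child.tag: child.text for child in data} if data is not None else {}
    return op, root.get("targetID"), (pso.get("ID") if pso is not None else None), attrs


class IdentifierService:
    """Backend owning one identifier namespace (Onyen, Guest ID, ...). Only business
    logic lives here; the SPML plumbing is the router's job. Methods return an SPML
    error code on failure and None on success. The psoID is assumed to be the
    person's key, so one person holds at most one account per target."""
    def __init__(self):
        self.accounts = {}

    def add(self, psoid, attrs):
        if psoid in self.accounts:
            return "alreadyExists"
        self.accounts[psoid] = dict(attrs)

    def lookup(self, psoid, attrs):
        return None if psoid in self.accounts else "noSuchIdentifier"

    def modify(self, psoid, attrs):
        if psoid not in self.accounts:
            return "noSuchIdentifier"
        self.accounts[psoid].update(attrs)

    def delete(self, psoid, attrs):
        return None if self.accounts.pop(psoid, None) is not None else "noSuchIdentifier"


class CorrelationService:
    """Records which person holds which target and runs per-target eligibility scripts."""
    def __init__(self):
        self.holdings = {}   # person -> set of targetIDs currently held
        self.scripts = {}    # targetID -> callable(person, held_targets) -> bool

    def is_eligible(self, person, target):
        check = self.scripts.get(target, lambda person, held: True)
        return check(person, self.holdings.get(person, set()))

    def record(self, op, person, target):
        held = self.holdings.setdefault(person, set())
        if op == "add":
            held.add(target)
        elif op == "delete":
            held.discard(target)


class Router:
    """Single SPML endpoint in front of all services: the eligibility join point."""
    def __init__(self, correlation):
        self.correlation = correlation
        self.services = {}   # targetID -> IdentifierService

    def route(self, xml_text):
        try:
            op, target, psoid, attrs = parse_request(xml_text)
        except ET.ParseError:
            return build_response("", "failure", "malformedRequest")
        except ValueError as exc:
            return build_response("", "failure", str(exc))
        if op == "listTargets":
            resp = ET.Element(NS + "listTargetsResponse", status="success")
            for target_id in self.services:
                ET.SubElement(resp, NS + "target", targetID=target_id)
            return ET.tostring(resp, encoding="unicode")
        service = self.services.get(target)
        if service is None:
            return build_response(op, "failure", "customError")   # unknown target (assumed code)
        # Join point: consult the correlation service before any "create" is routed.
        if op == "add" and not self.correlation.is_eligible(psoid, target):
            return build_response(op, "failure", "customError")   # eligibility refused
        error = getattr(service, op)(psoid, attrs)
        if error:
            return build_response(op, "failure", error)
        if op in ("add", "modify", "delete"):
            self.correlation.record(op, psoid, target)   # keep correlation in sync
        return build_response(op, "success")
```

A script registered in `CorrelationService.scripts` stands in for the eligibility scripts the slide mentions; for instance `lambda person, held: "onyen" not in held` on the guestid target refuses a Guest ID to anyone who already holds an Onyen, and the refusal happens before the backend ever sees the request.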
• Available under LGPL license
  http://code.google.com/p/spml-toolkit/downloads/list
• SPML Router 1.0.0
• Resource Correlation Service 1.0.0
• UNC Prop Service 1.0.0
  ◦ Simple example service
  ◦ Shows how the focus on the service implementation side is almost exclusively on the business logic rather than the SPML plumbing
• SPML Toolkit 2.0.0
  ◦ Java library that contains everything needed to write an SPML service or client
• De-provisioning of Onyens, Guest IDs, etc.
• More services: Exchange, Live@EDU/MS 365
• Workflow
• Grouper
• Contact: [email protected]
• Contact: [email protected]