Project rename, New site, New info
As of June 2012, the former OSIdM4HE Initiative is now known as the CIFER Project (yes, much easier to pronounce, we think so too). CIFER stands for Community Identity Framework for Education and Research.
Prospectus: On June 18 2012 the CIFER Project published a Prospectus describing project motivations, plans, and structures, inviting new participation and investment. Check it out at ciferproject.org .
(This section has now-historical material about the initiative from May 2011 to January 2012.)
Summary: Participants from a number of organizations have been collaborating on creating a coherent set of open-source Identity and Access Management (IAM) software packages to meet the needs of Higher Education and Research. In the development phase the initiative is called "Open Source Identity Management for Higher Education", OSIdM4HE (while seeking a better name). The activity arose in response to concerns raised by many institutions that current products, both open-source and commercial, are not meeting their IAM needs effectively and affordably. Technical analysis has identified requirements in a number of functional areas, and an assessment of some candidate open-source products. The group has also developed proposals for organizational and funding structures to support development and integration projects. Input is now being sought from the community in various forums regarding next steps.
The team's working materials can be found in the OSIdM4HE Team space.
For more information contact firstname.lastname@example.org
Initial Report, August 2011
If you've followed the research and higher-education (R&HE) IT scene in recent years you know that there is a lot of concern about the state of institutional Identity and Access Management (IAM) systems. IAM services are increasingly recognized as key to institutional security and efficiency, but building comprehensive systems from either commercial or open-source offerings is complicated and expensive. Many new requirements are creating pressure on currently deployed systems:
- new populations, new institutional relationships
- more applications requiring enterprise access management, with greater risks
- outsourcing, cloud services integration
- federated authentication, social identities, support for multi-institutional research collaborations
- assurance, identity lifecycle management, compliance, access certification
- enterprise-scale IAM enablement: service orientation, workflow, event-driven, notification, reporting, user self-service, etc.
- and many more ...
Many open-source software packages are widely used, but generally these are just parts of the overall system: CAS, Shibboleth, simpleSAMLphp, Grouper, Kerberos, OpenLDAP, etc. Other packages are promising but not yet ready: OpenRegistry is one example. Kuali Identity Management (KIM) covers many aspects of the IAM space but most of its services are not yet ready to extend beyond the needs of Kuali applications.
Commercial products are widely deployed in R&HE, but some popular ones have changed their spots recently, making many sites unhappy. These products are usually expensive, and are often monolithic, hard to integrate with homegrown or open-source components.
Conversations among R&HE IAM managers and architects in many venues have made it clear that lots of institutions need to take action soon, and that their requirements are very similar. At the same time, in the Kuali Rice project drivers have been identified from both new Kuali applications and those deploying Rice as institutional infrastructure to scale up KIM to meet enterprise IAM needs. These threads of interest came together at the joint Jasig / InCommon ACAMP meetings in Denver in May 2011, where a core group met to think big about how to address these issues. There was agreement that there is a real opportunity here; there is a lot of work to do and problems to overcome; and success is most likely if the resources of a number of organizations can be harnessed.
A workshop was organized in Chicago August 9-10 2011 to bring together more key players to further explore the problem space and build consensus on a path forward. 15 people attended, representing the Kuali Foundation, Internet2/InCommon, Jasig, and several universities.
This group first divided the IAM space into functional areas, identifying gaps and overlaps in the current HE open-source product scene. It then zeroed in on three key elements – identity registries, provisioning, and access management. Subgroups were chartered to dive deeply into the requirements in each of these areas, to create recommendations to align current efforts and propose initiatives to fill existing gaps. A fourth subgroup was chartered with developing the organizational and branding structure for the initiative.
Progress Report, October 2011
After an additional six weeks of work since our initial report, we are now getting a better sense of the scope of the proposed work, the opportunities and difficulties it faces, and what we need to do to attract investment and create stable long-lasting structures. The team remains convinced that this important work needs to be done, that it is feasible to do it given the likely resources and existing products and projects; and that many organizations in higher education and research will be able to benefit from it, and will be interested in investing in it.
We have opened theOSIdM4HE "team" space on the Internet2 wiki for public viewing.
This space has all the working materials from the various subteams. Like any project our working space may be a bit messy and insider-y but we hope those interested will get a better view into what we're thinking about by browsing these pages. We're hoping to open this space to more active participation soon; stay tuned.
Work has happened primarily in the four subteams: Strategy&Organization, Registries, Provisioning, and Access Management. Here are brief reports on that work:
Strategy and Organization Team: The subteam worked both on organizing the current initiative work and on proposed organizational structures and marketing materials for the envisioned projects. See in particular the "Proposed Org Structure" and
"Cooperation Agreement" draft documents on that page. This subteam continues to work on enhancing these materials and plans for engaging potential stakeholders.
Registries Team : A set of requirements was gathered and several potential starting projects/products were compared against that set. All had pluses and minuses; there is no obvious favorite. Subteam members continue to work on assessing the work it would take for their projects to meet the requirements, so potential investors can guage the needed resources.
Provisioning and Integration Team : Architectural principles and goals of provisioning services were developed, and a report on relationships with existing projects and industry standards has been produced. The subteam continues to work on fleshing out a proposed project.
Access Management Team : The subteam looked at the existing widely-used open-source access management products in HE, KIM and Grouper, and has recommended approaches for integration and future development.
Progress Report, January 2012
The work of the OSIdM4HE Initiative continues, including technical analysis, organization and planning, and outreach. New participants have joined the discussion. The group is working hard to "make it real" by developing concrete proposals targeted at organizational decision makers that can lead to significant resource commitments early in 2012.
For the full report, see Progress Report January 2012 .
The following people have been participating in the Initiative work.
- Tom Barton - University of Chicago / Internet2
- Eric Westfall - Indiana University / Kuali Rice
- Benn Oshrin - Internet2 / UC Berkeley / Jasig
- RL "Bob" Morgan - University of Washington / Internet2
- Chris Hyzer - University of Pennsylvania / Internet2
- Tom Zeller - Unicon / Internet2
- Renee Shuey - Penn State University
- Scott Gibson - University of Maryland / Kuali Rice
- Norm Wright - USC / Kuali Student
- Aaron Neal - Indiana University / Kuali KPME
- Jacob Farmer - Indiana University
- Rob Carter - Duke University
- Keith Hazelton - University of Wisconsin-Madison / Internet2
- Jimmy Vuccolo - Penn State University
- Hampton Sublett - University of California, Davis / Kuali Rice / UCTrust
- Dedra Chamberlin - University of California, Berkeley
- Bill Thompson - Unicon / Jasig
Frequently anticipated questions
Q: Is the initiative accepting new participants? Do I need to make some sort of commitment?
A: Yes, we are interested in new participants from higher-ed (and partners) who are actively engaged in IAM projects or deployments and who share our vision and goals. Contact email@example.com if you are interested.
Q: Is this initiative trying to start a new open-source organization, and/or a new "brand", to compete with one or more of Kuali, Jasig, SAKAI, Internet2, InCommon, etc?
A: Regarding the brand: if there is to be a coordinated open-source IAM suite, it will need a label of some kind to identify it distinct from its component parts (and it won't be "OSIdM4HE"). Whether that is a new brand or an extension of an existing one is to be determined. Regarding the organization: at this time we are focusing on a vehicle for coordination among existing projects and organizations to ensure they can work together, not creating a new organization. The message is clear from the R&HE community that people would like to see existing development organizations work together better, rather than make new ones.