Friday, 16 September 2011
4-6pm EDT, 3-5pm CDT, 2-4pm MDT, 1-3pm PDT
Dial-in and Adobe Connect information to be provided
Because there is a lot to cover, relatively limited time, and quite a few people on the call, it is important that we adhere closely to the agenda in terms of both timeline and content.
- Reports from the subgroups
  - Registries - 20 min
  - Provisioning - 20 min
  - Access Management - 20 min
- Update from Strategy and Organization subgroup
- Discussion of participation and coordination framework - 30 min
- Process to get framework drafted and delivered, and preparation for handling responses - 20 min
- Review of next steps and plan for communication to the community - 10 min
Registries team:
Summarized across documents that the team produced. Follow-on to the discussion in Chicago. Documentation includes a functional model and a list of requirements on the deliverables page (brought in by various participants, not prioritized, not compared to gaps, not ready for RFP or RFI, but consolidated across the list of participants).
(note to me - Get deliverables page, requirements section)
Columns for each of the projects, self-assessed, greens/yellows/reds for each of the 3 projects on the list of requirements.
KIM is deficient in the emerging space. The other two are more full-featured in that aspect. State of the projects varies.
- Open Registry has been around for a while but is not in production yet (Rutgers will do so soon).
- Penn State's will be in deployment soon - it is a local development, is fresh, but was not developed with shared use (lots of institutions using it) in mind.
- KIM was not developed with an enterprise registry in mind; not yet assessed on what it would take to get it there. Maybe the team will do that assessment next?
No recommendation yet - work not to the point where team could do that. The 3 not assessed to that level yet. Could be quite a bit of work to do that? Good that there is a good amount of general consistency across the 3.
Hampton question: Could the matching engine be decoupled? Would that increase the value to our larger higher ed environments?
Renee answer - Penn State: they’re using dataflux which is 3rd-party … address info across various countries. Is de-coupled from central person registry. But their registry calls/apis cut across (check on this wording)? So haven’t looked into more full decoupling. This is just one identity management function within the registry and there are others.
Ben(?) - ?
Bob: modular strategies would be good as each institution might want to use some but not all pieces, different ones per institution.
Ben(?): set of institutions that are doing ERP sites and matching going on in external systems. But the matching algorithm is some sort of plug-in in many instances.
Hampton question: Can we at this point eliminate any one of them?
Bob: not yet. Still want to compare on extensible data model, even if not using the rest of Penn State code - still may be things to cherry-pick in each on the table (or others).
Bill: They are compatible architecturally, so it is conceivable that we could take pieces of each into the best solution, correct?
Bob: yes, but haven’t looked at all, for example, licensing terms. Agreed to continue on for next 6 months and see where each is at that point.
Hampton: additional research to look at these options might be worth it, to figure out if a collection of functionality could be brought together.
Provisioning team (Rob):
(Note to me: get the notes file and agenda content that Rob pointed everyone to on the website)
Rob: Met a few times, once weekly by phone; consolidated scope and questions, and architecture within the IDM stack and how a provisioning mechanism (future) would be structured. 3-layer diagrams: provisioning is the layer between registries and the consuming systems that depend on the identity system maintained in the registry. Provisioning - input layer, middle layer, beneath that the interface between the provisioning engine and external apps.
Try to coalesce the discussion - not as far along as provisioning team - agree to 9 things:
- 1 convinced provisioning is critical
- 2 scope provisioning so that goal = consistency, process of live with centralized and decentralized having similar info and changes happening primarily in centralized and mirrored out into decentralized. maintenance of consistency. Not thinking in terms of synchronization, with implicit expectation that the data is the same in centralized and decentralized. Might not be (data transforms) Synching is one method. May not be the only one. Not direct copy, so think in terms of maintaining consistency.
- 3 scoped beyond just people info. Is also about groups, roles, privileges,
- 4 minimize latency is an expectation - (maybe not real time) Make it as close to immediate as possible. Could make the consistency fragile (temporary data inconsistencies) - so must be ways of resolving the inconsistencies. Will be an important process. This is more like a full synch.
- 5 (see tomzero link?) have to deal with different target systems and source systems
- committed to standardization on input and output parts of the systems
- see his notes file and agenda content on the web, which he referred us to for the others ...
We’re probably thinking the remaining work is more than 1 person’s work, 6 months of work for a few people, to determine the interface to the provisioning engine and registry and/or other. Pluggable logic mechanisms for doing business logic in the provisioning engine.
Output standards, talked about 3: xaml change notification, skim, fpml(?). …..
talked about commercial environment, oracle’s IDM but doesn’t expose the open source well, (then talked about another one - I missed that)
Didn’t talk about other open implementations
Bob question: viable candidates in the other open implementations?
Rob: not assessed but likely answer is yes
Keith: question that our group would define right now is on the candidate work list. Critical is the interfaces between provisioning and registry. If ldap(x?) does this, then it would be a strong one.
Keith: both groups feel the interface between registry and provisioning is important ... is there an action item re this?
Access Management (Jacob)
Jacob: fairly short update. Not as far along, resource constraints. More detailed review of the AM alternatives, will have that in about 10 days.
Renee: What are you taking a look at?
Jacob: 2-3: KIM, Grouper, OpenAM? Putting together a few institutional use cases to then create the evaluation matrix (what they will assess).
Jacob?: something akin to the grouper api, if we agree on a common interface between products, then we could take the products out of scope.
Keith?: Is AM the provisioning of groups, roles, privileges, and how they will be provisioned?
Tom: policy enforcement happens (open am) single sign-on, etc.. Or upstream, managing the info that should feed policy enforcement (grouper)
Tom?: AM needs to be well integrated with provisioning engine … what kinds of events are going to be included in the enterprise AM …
(this should be follow on discussion coming up in internet2 conference in Raleigh - :-) )
Bob: This may be the most complicated space of all of them. Modelling policy and policy goals, etc., and there are a couple good products out there already being used, whereas there aren’t already good registry or provisioning services.
?: so integration and pluggability with others would be important. harmonize. that could be hard problem - don’t know yet.
Bill: Talk more about Open AM?
A (several): OpenAM is part of the ForgeRock suite - one of the Sun/IDM pieces? Thin model, registry not provisioning? Doing person mgmt in your HR system? Talk with some campus who worked with Aegis to find out what the experience was. UC Davis (Hampton) could talk about that later/offline.
Strategy and Organization management (Bill)
Purpose: come up with organizational structure that allows contributions & maintains continuity
Overview: coordination model: loosely coupled coalition of existing orgs (Kuali, Jasig, Internet2, etc.) with multiple workstreams, and parties involved with various of them (not all parties interested in same modules)
OSIAM4HI group - Coordination agreement (vision, strategy, reference arch) coordination committee with a caretaker per workstream & contributing members - see his diagram in the slides - MOU, goals, objectives, timeline per workstream
Committees: help to write reference architecture and interoperability standards, help resolve potential conflicts, communication to the general public on effort and status, marketing
Module team per workstream: discrete set of IAM functionality, resources, roles, and responsibilities being contributed
Primary caretakers: ongoing sustainment of the code base, may be beyond the original contributing members. Established non-profit entities. MOU documents the process, e.g. integration testing, in addition to IP, resources, contribution matrix
Next steps: coordination committee helping to flesh out the language of the agreements that everyone would sign
Ken: How difficult is it to get these agreements through an institution review process (in our experience)?
Discussion about how this is similar to current Kuali agreement, internet2/apache license agreement, etc..
Ken: cost of this administration model - any idea what the size of this will be? Contribution to the management of this from each of the partners?
Hampton: haven’t attempted to quantify this yet, but have put that on the caretaker’s organization - have the group to continue to flesh that out
Ken: recreate bitnet structure as an alternative?
Keith: group was mandated to use a federated model so they didn’t go into /compare this. Can imagine having to rationalize a new org.
?: is like outsourcing the management, not really a new model
Ken: asking existing parties if they want to take on this committee role (Kuali?, Jasig?, Internet2?) Did we knock on these doors to ask?
Bob: Haven’t sized this to get to this point, so no, we haven’t asked.
Bill: E.g., Rice model is really lean, though is taking on additional responsibilities. Additional questions to answer on this one, though.
Hampton: Ideal time to bring to the group to get these conversations going.
Norm: have you considered using (pessc?) - service contract agency sort-of.
Bob: a possibility, hasn't been a lot there but could be discussed
Ken: a few of us will be at the I2 meeting in a few weeks and people from these other orgs will be there. Don’t know if we are ready to take it to that level in discussion yet?
Hampton: we haven’t talked about timing yet. But Bill’s materials were constructed with these kinds of things in mind. Constructive feedback on these materials with that in mind would be good.
Discussion between Bob and ?: lightweight modules easy to integrate
(Authentication is a workstream in AM? What are the others?)
Last agenda item:
?: in the past -- had a wiki page, cover email, do we need a different way of communicating now?
Hampton: good progress, getting close to forming a picture of what direction we are moving in. But may be premature to bring out to potential parties yet. May be better for the teams to continue on a little longer to have a better idea of which of these teams / modules will go on? Hampton & others: Shy away from solicitation at this point, not necessarily from communication. Not ready to formulate the ask yet.
Ken: Nothing more will be ready for discussion at I2 in Raleigh then?
Keith?: No particular asks ready, but discussion ok.
Ken: Can someone facilitate that at I2? And how about at Educause 2 weeks later?
Keith?: Should we organize a meeting to plan that? I2 & Educause?
Hampton: Is it reasonable for the prior communication team to put that together?
Keith?: any volunteers for drafting the communication and then we review? (Bob did a great job of this last time.)
Bob: What Bill put together is exactly what we would need to start that discussion and communication, so supplement the vision material that is there, the public page, etc..
(Where is the public page?)
?: Would Norm be willing to help Bob?
Bill: tremendous work going on.
Hampton: thanks all for this work, Steve for tech support, Candace for notes
Attendees: Bill Yock, Bob Morgan, Hampton Sublett, Steve Olshansky, Jimmy Vuccolo, Jacob, Benno, Steve Carmody, Tom Zeller, Eric Westfall, Rob Carter, Aaron Neal, Renee Shuey, Scott Gibson, Norm, Candace, Keith, Ken Klingenstein, Tom Barton, Dedra