8/12/2011 Conference Call Notes 4-5pm EDT
- Rob Carter, Duke University (convener)
- Keith Hazelton, University of Wisconsin, Internet2, Bamboo Project
- Tom Zeller, University of Memphis, Internet2, Unicon
- Lucas Rockwell, UCSF, UC System
- Rob: Duke University - convener (because Tom Barton didn't want
Keith to leave Chicago with two groups to convene
- Keith: Wisconsin and Internet2, but heavily involved in IAM needs
of the Bamboo Project, and willing to try out our ideas with
the Bamboo participants as that becomes possible.
- TomZ: Memphis, I2, Unicon – working with both the Grouper project
and the Shibboleth project, with strong interest in how SAML
may play in this space
- Lucas: UCSF and the wider University of California system, which is
looking for system-wide solutions in the IdM space now
- Agenda bash
- Rob: We have roughly one month to produce a report back to the larger
group from Chicago, so we'll need to make some quick progress in
framing up the problem we're presented with. To that end, the
first call's agenda includes discussion of goals for the next four
weeks (putatively, framing the scope of "provisioning" in this
context, refining a gap analysis within that scope, and developing a
high-level solution strategy for the space that we can advocate to the
wider Chicago group. We also need to consider organizational
matters, and look at setting some very short-term objective as AIs
for the next call (probably in a week).
- There was general agreement to the agenda as proposed.
- TomZ: will have to leave around 4:30 ET for another engagement.
- Rob: Should we take a few minutes to discuss the background from the
Chicago meeting, since Lucas wasn't able to be there (just to make
sure we're on the same page)?
- Lucas: would find it helpful
- Rob: Shall I take a stab at it, or would someone else like to?
- Keith: wanted to hear Rob's take on the meeting
- TomZ: Go for it.
- Rob: In overview: A bunch of us realized that lots of our institutions have
critical needs in the area traditionally addressed by commercial
products that call themselves "identity manager" solutions. Many of
us are either looking for solutions because we've reached the point of
needing better support in this area. Many others are shopping for
alternatives in the aftermath of the Sun/Oracle merger. Many schools
have done home-grown solutions in the space (mostly only
addressing their own most pressing needs) but have found little in the
way of shared open source alternatives. Meanwhile, some larger
open source projects (notably, the Kuali project) are reaching the
point in their lifecycle at which they need to address IdM issues
and are considering development in the space. Some of us agreed
that it might be worthwhile to get together and see if some cooperative
effort might be possible in this space, and if there might be some
points of convergence we could take advantage of.
In the discussion, we ended up identifying about eight high-level
components of an IdM stack that we felt were significant for higher
ed. After a prioritization exercise, we settled on three technical and
one organizational priority to try and address first, and formed sub-
groups to start considering each one in greater detail. The top three
technical priorities were:
- Registries. Our sense of this space was that it would
encompass the part of an IdM stack where source data
(probably coming in from multiple authoritative sources)
would be collected, stored, merged, deconflicted, potentially
used to synthesize additional identity data (roles, for
example). We pluralized the word in recognition of there
potentially being multiple registries – users, clearly ,but
possibly other types of identities, as well.
- Access Management. Our sense here was that this group
would think about how the identity information in the
registries gets translated into a form usable for making
access control decisions, and how systems that need to
make those decisions interact with the data in order to make
them consistently and quickly.
- Provisioning. This is our present group. In the Chicago
discussion, there were actually two distinct areas discussed;
provisioning and data presentation. The distinction
between them was largely the distinction between "push"
methodologies and "pull" methodologies – "provisioning"
was used as a proxy for the "push" methods – ways in which
data in the IdM (in the repositories) would be pushed out to
other systems (perhaps in the form of account creation,
perhaps in the form of data synchronization, or perhaps in
other forms). Data presentation was to some extent a proxy
for "directory services", although it frequently was discussed
as including things like query APIs. One of the questions
we will need to answer is whether our view of provisioning
will scope the "data presentation" portion of the space
in or out of view – it could easily be considered part of our
scope, or as a separate issue all to itself.
- Lucas: background was helpful – just to clarify – which of "push" or "pull"
are we saying is definitely in scope?
- Rob: I think "push" is automatically in scope for our discussions – if we
want to also discuss "pull", we can, but if we want to limit ourselves
to "push", it's probably OK for us to do so.
- Keith: Would hope that pull can be in-scope for us. SCIM has both push
and pull semantics defined for its approach. Also, is it in-scope to
discuss as part of provisioning how we get data into the
provisioning engine – whether we use hand crafted connectors for
each source system or somehow try to standardize an interface for
incorporating data into the engine?
- Rob: A good question – I could see two different questions, really – one
around whether the provisioning engine takes data only from
the registries (where it may have arrived from lots of other
source systems) or whether the provisioning engine takes data
from source systems as well, and one around whether the
input of data to registries is par tof the registry discussion or
part of the provisioning discussion. I could see it going either
way, logically, although I have a bias (coming from an OIM
background) for separating the two into provisioning (which
just covers the flow of data from the registry to other systems)
and reconciliation (which is Oracle's term for the loading of
data into the registry). The two can certainly be treated as a
single whole, though.
- Keith: Right - both are possible, and architecturally, it's just a box with
an "in" side and an "out" side.
- Lucas: Calling out the difference between the two is important and useful.
Provisioning (IMO) is more geared toward getting data from the
registry to subordinate systems, not necessary getting it back to the
sources. Data synchronization is perhaps another phrase for it.
- Keith: In the end, our goal is an open source IdM stack that works, so
the interaction between the registry and the provisioning engine is
critical – input to the provisioning engine has to be addressed from
one of the two sides (whether by the registry folks or by us). Getting
source data into the registry to begin with is another issue that's
- Rob: Agreed – regardless of anything else, the interface by which data
gets from the registries into provisioning tools/services is
critical, and needs to be negotiated between us and the
registry folks, no matter what. Depending on our and their
opinions, getting data into the registry could be construed as
just another kind of provisioning task (this time from a source
system into the registry).
- Keith: Right – the same tools could be reused there potentially, but what
we're really worried about at this point is the interface between
us (provisioning) and them (registries).
- Rob: Since Tom needs to leave soon – did you have any early thoughts to
add before you have to go?
- TomZ: A picture would be useful – even if really simple and really high
level – to describe what we're talking about. it should
include both push and pull mechanisms, and should mention
moving info around within the organization across the
different components. It should include provisioning within
the organization as well as across federations and into the
cloud. We can use the wiki to house some of this initial
documentation. In Cicago we talked about sending a message
to folks to describe what we're doing – ti would we worthwhile
to poll people outside the group about what they're doing in
this space – Surfnet is working on some stuff with a group in
Finland, UNC-CH did some work with SPML not too long ago,
some folks from the EU seemed interested in an approach
similar to what we're doing (an open source IdM "stack"). If
we put together a picture and distribute it, then we can use it
to poll and see who's interested in the space and who's doing
something already that's of interest to us.
- Rob: Definitely worthwhile to get a picture early on.
- Tomz: Niels from SurfNet has a good picture in this space – I can
find a link and forward it to the group. SCIM has some good
documentation of information flows as well
- Keith - the SCIM link should be out in email to the group – perhaps good to
go review the SCIM model and see where we think it might
fit or not fit in our use cases.
- TomZ: SCIM has gone a long way but has a few gaps left to address – its
primary gaps are probably in the area of handling merges of
identities (editor's note: I'm guessing this referred to what
we at Duke call "consolidations" – where one individual ends
up with two identities and needs to have them collapsed into
a single identity?) Also there is work toward developing a
concept of roles and entitlements in SCIM – Chris (editor's
note: Which Chris?) is advocating they consider both
roles and groups… Their strategy on and position around
entitlements isn't as clear yet… Perhaps we can provide them
clarifying use cases in some of these areas.
- Keith – That's definitely concrete, and worth some effort. It's not clear if
SCIM will catch on or not, but we can at least bet on it and
to give them good advice when we can. Perhaps take as a
a goal tracking the SCIM project and providing input on
the university / VO cases that drive needs for things like
merging and entitlements.
- Tom – would be nice to work out some use cases using different solution
models – saml, spml, and SCIM – to show how they each
might work. In the end, there might be more than one type of
box in the middle.
- Rob: definitely – we don't have to envision a one-size-fits-all
- Keith : Also something that we can discuss in the strategy group on the
- Tom had to leave the call at roughly this point…
- Rob: We should probably address some of the organizational questions
with our remaining time. So far, we've gone longer than I expected,
but the discussion has been fruitful.
- Keith: The extent of discussion on this first call suggests we have some
of the right people at the table, at least.
- Rob: Definitely – so discussing organizational trivia, do we:
(a) want a mailing list? - All: yes (Keith: archiving would be good too)
(b) want to use the same wiki page - All: yes (if we need ore pages
we can always create them
( c) Concalls weekly? - All: yes (given our short time frame)
(d) Concalls on this bridge at this time each week? All: yes
- Rob: Good enuf. we need to document AIs for the next call in a week,
then. How about:
+ *Rob: Take a first stab at drafting a picture of the overall
architectural diagram and how we fit in it.
Rob will use Graffle to produce a high level diagram*
+ *All: Review the documentation from the SCIM project, particularly
the SCIM scenarios documentation, and see where you think
there are gaps between our needs and the use cases/
scenarios SCIM is addresing.*
+ *Keith: Will send out URLs for the SCIM documentation and web
site for us to review*
+ *Rob: Will send out some other items for though before the next
At this point, we adjourned for one week, to return on the same conference bridge from 4pm - 5pm ET August 17th for a followup call. Expect emails during the week leading up to the next call.