Exported From Confluence, Fri, 29 Mar 2024
Wiki space for work on 2010 Advance CAMP Action Item:
Note: Discussion is underway on possibly creating a working group on provisioning. See Chad's email.
| Overview | |
|---|---|
| Deliverables/Goals | Implemented and adopted standard and software |
| Group Members | Tom Zeller, U. Memphis (lead); Keith Hazelton & Brad Schwoerer (U. Wisc); Steven Carmody (Brown); Jens Haeusser (UBC); Nate Klingenstein (Internet2); Jeremiah Adams (UC Boulder); Benn Oshrin (Internet2); Chad La Joie (Itumi) |
| Status | Work In Progress |
| Mailing List | <provision@internet2.edu> (subscribe command: `sub provision FirstName LastName`) |
Fortunately, the OASIS Provisioning Services TC (PSTC) has been restarted; its public mail list archive is linked here.

As of this writing, the nature of the SPML redevelopment has not been defined. However, there appears to be clear agreement on the need for a simple, adoptable standard, perhaps with the addition of "reasonable defaults" to the specification.

There is interest in standardizing the attributes used for provisioning, along the lines of inetOrgPerson and analogous to SAMLv2.

Provisioning across organizational boundaries appears to be a driver behind the desire for SPML enhancement. It would be good to define "federated provisioning".

Federated provisioning may mean "the provisioning of federation", "provisioning over a federated protocol", or a combination of the two: "the provisioning of federation over a federated protocol".
For reference, InCommon defines a federation as:

"A federation is an association of organizations that use a common set of attributes, practices and policies to exchange information about their users and resources in order to enable collaborations and transactions."
The provisioning of federation can be thought of as the provisioning of linkages between objects in a federation. These linkages may themselves define a federation.

Provisioning over a federated protocol would leverage a federation to maintain the trust relationship between a provisioning requester and a provisioned target.

[ This is a summary of a thread on the PSTC archives. ]

Use cases that will assist in the further development of SPML are desirable. Please send ideas to <provision@internet2.edu>, or submit them to the OASIS PSTC either as a member or via the comments mechanism. If you do not wish to participate in the PSTC, I (TomZ) will be happy to help your use case along.

Here is an example use case from JHUAPL.

These provisioning use cases may also be of interest to the OASIS SSTC regarding the Change Notify proposal for SAML.

Requests for use cases have been sent to grouper-dev, macc-paccman, and this AI's list, as well as out-of-band.
Use Case : Federated Group Provisioning
A resource accessed by members of a federation is not necessarily web based. Examples are file system locations or mail groups where authorization is provided by an LDAP directory, specifically by a group in an LDAP directory.

Assuming that identities for non-local members are maintained out-of-band, an LDAP authorization group may be composed of two groups: one consisting of local members and a second consisting of non-local members. Assume that the membership of the non-local authorization group is maintained by a federated partner, since the federated partner is authoritative for identities in its domain.

Access to a resource by members of a federation may then be provisioned by synchronizing a group between federated partners.

For federated partners using Grouper, this synchronization could take the form of provisioning a non-local group from a local group via a Grouper changelog consumer. Another form of synchronization may use the draft SAML Change Notify proposal.
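The reconciliation step this use case implies, as an added example that is not code from the original page, from Grouper, or from any SPML implementation: the partner publishes the membership it is authoritative for, and the local side computes the idempotent add/delete operations needed to bring the non-local subgroup in line, rendered as an LDIF modify record. The group DNs, member DNs, the partner's authoritative scope (its base DN) and the sample memberships are all constructed for the example. The one check a practitioner should not skip is that the partner may only populate the non-local group with identities inside its own namespace; a published entry for a local principal is rejected rather than written, so a partner feed cannot grant access through the local group's namespace.

```python
"""Reconcile a non-local LDAP authorization group against the membership
published by the federated partner that is authoritative for it.

Added example, not code from the original page, Grouper, or an SPML library.
All DNs, the partner scope and the sample memberships below are hypothetical.
"""
from __future__ import annotations

from dataclasses import dataclass

# Hypothetical names: the partner is authoritative only for DNs under its base.
PARTNER_SCOPE = ",dc=partner,dc=example"
LOCAL_GROUP_DN = "cn=wiki-editors-local,ou=groups,dc=local,dc=example"
REMOTE_GROUP_DN = "cn=wiki-editors-partner,ou=groups,dc=local,dc=example"

# Constructed sample data: what the directory holds now, and what the
# partner publishes (note the out-of-scope local admin DN in the feed).
CURRENT_REMOTE_MEMBERS = {
    "uid=alice,ou=people,dc=partner,dc=example",
    "uid=bob,ou=people,dc=partner,dc=example",
}
PUBLISHED_BY_PARTNER = {
    "uid=alice,ou=people,dc=partner,dc=example",
    "uid=carol,ou=people,dc=partner,dc=example",
    "uid=admin,ou=people,dc=local,dc=example",
}


@dataclass(frozen=True)
class Change:
    op: str      # "add" or "delete"
    member: str  # value of the group's member attribute (a DN)


def in_partner_scope(member_dn: str, scope: str) -> bool:
    """True only for DNs strictly below the partner's base DN.

    A real implementation should normalize DNs (case, whitespace) before
    comparing; plain string matching is used here to keep the example short.
    """
    return member_dn.endswith(scope) and len(member_dn) > len(scope)


def reconcile(current: set[str], published: set[str], scope: str) -> tuple[list[Change], list[str]]:
    """Return (changes, rejected): the operations that make `current` equal the
    in-scope part of `published`, and the out-of-scope DNs that were ignored.
    Running it again after applying the changes yields no changes (idempotent).
    """
    rejected = sorted(m for m in published if not in_partner_scope(m, scope))
    desired = {m for m in published if in_partner_scope(m, scope)}
    changes = [Change("add", m) for m in sorted(desired - current)]
    changes += [Change("delete", m) for m in sorted(current - desired)]
    return changes, rejected


def apply_changes(current: set[str], changes: list[Change]) -> set[str]:
    """Apply the computed operations to an in-memory copy of the membership."""
    result = set(current)
    for c in changes:
        if c.op == "add":
            result.add(c.member)
        elif c.op == "delete":
            result.discard(c.member)
        else:
            raise ValueError(f"unknown op {c.op!r}")
    return result


def to_ldif(group_dn: str, changes: list[Change], attr: str = "member") -> str:
    """Render the operations as one LDIF 'changetype: modify' record."""
    if not changes:
        return ""
    lines = [f"dn: {group_dn}", "changetype: modify"]
    for c in changes:
        lines += [f"{c.op}: {attr}", f"{attr}: {c.member}", "-"]
    return "\n".join(lines) + "\n"


def effective_members(local: set[str], remote: set[str]) -> set[str]:
    """The authorization group the resource consults is the union of both subgroups."""
    return local | remote


if __name__ == "__main__":
    changes, rejected = reconcile(CURRENT_REMOTE_MEMBERS, PUBLISHED_BY_PARTNER, PARTNER_SCOPE)
    print(to_ldif(REMOTE_GROUP_DN, changes))
    for dn in rejected:
        print(f"# rejected out-of-scope member from partner feed: {dn}")
```

The same diff-and-apply shape works whether the partner's membership arrives by a Grouper changelog consumer, a SAML change notification, or an SPML request; only the transport changes, and the scope check belongs on the receiving side regardless of transport.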
Use Case : Federated Privilege and Access Management Provisioning, XACML
...
Provisioning and federated provisioning emerged as topics of interest at ACAMP. It would be great if interested parties could collaborate on some sort of statement summarizing interest from higher-ed. For example, "we really need OSS supporting federated provisioning, and here's why ..."

Please feel free to use this space to collaborate.
...
A provisioning library implementation is a good thing. Perhaps we should contribute to OpenSPML or roll our own?
- Gather participants.
- Agree on deliverables, especially regarding federated provisioning standards.

- Glossary of provisioning terminology based on SPMLv2 - quick win?
- Survey of provisioning software currently in use via ACAMP or Educause - quick win?
- Classic provisioning software - by next I2MM or ACAMP?
- Federated provisioning software - ?

- As mentioned during ACAMP, initializing a provisioning glossary based on the SPMLv2 spec might be a good starting point. The graceful provisioning operations could be discussed, and hopefully we can agree on common terminology and technical examples for LDAP directory services such as Active Directory.
- Federated, just-in-time, and "classic" (in advance of usage) provisioning are different; we might further define and characterize these. Interest of participants will likely vary.
- Collaboration on "classic" provisioning software and tools is desirable. Correlate with the UNC-SPML AI.
Report :
There is a rather fortuitous interest in provisioning, especially federated provisioning, in the PSTC and SSTC as well as at I2.
Successes :
Roadblocks :
Deliverable/goal for final AI call in mid-November :
Beyond mid-November :