Registries work stream

- Support identity data workflow: Load, Validate, Normalize, Standardize, Reconcile (Identity Match)
- Standardized APIs for registry to consumer system provisioning
- Change-log and event-driven endpoints for provisioning and integration
- Interfaces to support self-service identity data management
- Delegated admin of identity workflow: Merge/split identities, early onboarding, audit & reporting
- Allow choice of databases
- Scale from small to large deployments
- Support HA and DR deployments
- Provide monitoring hooks

Provisioning and Integration work stream

- RESTful APIs for Registry-to-Consumer system (de-)provisioning
  - event-driven push style
  - consumer-initiated pull
    - per user id
  - bulk provisioning
  - SCIM binding (defined SCIM schema extension for the CIFER registry-to-consumer data model: users, groups, entitlements)
- Event-driven notification endpoint provided by Registry (JMS, XMPP)
- Configurable Diff-based provisioning engine
  - E.g., consumers request all user/group changes
    - that have occurred since their last request
    - that have occurred since a given point in time
    - that have occurred since a given change log rowId
- Configurable flat-file (re)generation utility
  - configurable population filter
  - configurable selection of data fields
- Support for data routing, transformation and connectors per standard enterprise integration patterns
- Provide monitoring hooks

Authentication work stream

- Multi-factor AuthN integrated into packages commonly used by CIFER-adopting institutions (namely Shib and CAS)
- Social2SAML so that SAML-protected web apps and relying parties have the option of serving populations who authenticate via a social IdP of their choice
- Account lifecycle management: From identity proofing through credential issuance to password management and Identity Assurance Profile support
  - Account claim/activation process
  - Password sync
- Self-service account linking (associate multiple log-in credentials with a single person identity)
- Authentication to native mobile apps
- Support for delegation scenarios (avoiding the impersonation model via technologies like SAML Enhanced Client or Proxy)
- Process authentication (how can services authenticate for, say, access to protected APIs?)
- Provisioning of account information into other systems (RADIUS, cloud services…)
- Provide monitoring hooks

Access Management work stream

- Management services for group, role and privilege-based access control
- Management services for creation and deployment of authorization policies and permissions
- Standardized representations for permissions and their atoms (Subjects, Actions, Resources, Limits)
- APIs for access management services
- UIs for access management services
- Monitoring hooks

Identity Console work stream

- Self-service UI for identity-related actions
- Access request administration
- Password strength and reset policy configuration
- Admin UI for monitoring, configuring IAM services and flows
  - cross-function log and audit tools