OSS Tools session

concept of higher ed IdM suite

what's in the box and what's next to the box

how do we get to the box - what do we need

next steps - diagram architecture, documentation?

do we care about packaging that much?

differences - but if we can make interfaces standard, we can make progress

important thing - standards around each one of the boxes

inventory of the boxes that are missing

fill in boxes w/no OSS equivalent to what Oracle or Sun provided

how to connect the pieces - interfaces defined - provisioning to directories or authentication systems

define what an abstract authentication system is

components that those interfaces connect to - what are they?

need end to end vision of what the components are

high level - need to demonstrate - unique aspects around higher ed the market has never addressed

influence some of the commercial products to support some of higher ed's standard interfaces

lack of vendor support for heterogeneous environment

open, not necessarily open source - open interfaces that are documented

immediate plans - Sun customers -

Mn State Colleges - Oracle bought Sun just after selection - they have four years on their contract - many have a 2 to 5 year window

One place has a 2 month window - switch to Oracle or turn it off

Directory server - they couldn't migrate that fast

Sun identity manager - provisioning engine - need to move away from

Have to switch to Oracle Sun directory server

not necessarily enough to just have open interfaces, you want the favorable software licensing terms of open source

any solutions can be considered, commercial and open source

SPML potentially can be the connectors

missing piece - no way of shipping information between provisioning components

these things haven't been standardized

time horizon - two years? probably not enough

What's going on now that could solve pieces of this problem

We have the middleware model, at least most of the high level components

Gap analysis

Short term, interim solution based on open source - nothing for provisioning/deprovisioning

Underlying LDAP information model - most people have more complicated information in their registry than LDAP can represent - as an information model, LDAP won't be enough

Evaluate the information model

We don't know what the problems are

We haven't tried to put the end-to-end suite together

Open metadir

biggest gap is in the provisioning space

timing - people are paying attention to the issue because of Oracle/Sun

Opportunities we can leverage now -

What Sun components are replaceable by other products

Whether commercial or open source - rethinking of your architecture approach - most people have been running their IdM infrastructure for 10 years - opportunity to review those choices

Framework for how it ought to work

How you ought to be thinking about IdM issues

List of components - all institutions can provide and compare

Multiple approaches that can run concurrent - technical plumbing, issues and decisions

Defined layers so you can pull out and fix just parts

Framework for how they're going to do things

Easier to share components

Common vision of where we ought to be heading

Framework won't connect systems - you need a protocol for that

Grouper - looking at groups - you can share if you're only doing that - but most provisioning is much more complex - going to require another level of complexity, and those things don't exist

SPML - can get around LDAP - next level is going to be semantic web stuff

Are we prepared as a community to take on that work?

Can tackle it in layers

High level framework - reference architecture - interfaces - technical protocol specifications

reference implementations that exercise the interfaces

Time horizon - better for people who have 3 years, 2 to 5 years

Higher Ed community not big enough?

Draw a line in the sand - anyone who has to have it solved by a certain date

Of those people - who will realistically not just go to Microsoft ILM

Monetary question - you can budget and fund it because there is a monetary driver

Is it on the CIO's radar screen? Top 5 in the ECAR report. But not necessarily the Oracle/Sun problem

IAM issue, and resourcing/funding issue, leaning away from open source

don't let a good crisis go to waste

Oracle is going to present there are no alternatives - we want to create alternatives

Oracle is selling it as a suite - but really what are the boxes?

registry, directory, authn services, provisioning

worried about LDAP

registry is the mainframe - how to attack that problem

where are our pain points

Shibboleth - pretty mature project - why pay money for something else

can you make that same argument for the other boxes?

core missing piece is provisioning engine

intelligence lies at the endpoints of the network - how do you transfer it - but what if a segment is missing

1. Sun/Oracle, what to do

2. What are the pieces out there, and reasons why to choose them?

2 goes to the reference framework

long term - to be competitive - you need to have a good understanding of the boxes, the suite, enough of a concept so that there can be commercial support - try to get that commercial support

define boxes

make sure that there can be solutions that either institutions or commercial providers can offer

such a low profile budget wise - IT doesn't get much attention - Oracle going gangbusters, Microsoft coming in - can't sell open source solutions

because this is diverse and complex - unless we can make it more manageable so it can be supported

Some name recognition in management for Kuali, etc. But they're all about having Oracle do everything

Higher education differentiators that are built into this suite

Who is using it? Apple is using OpenLDAP

component stream - combine components into a framework - packaging of the model

open identity solutions gained traction through marketing

Some entrepreneur will see the value in offering support package for the open source IdM stack

pick a date

get people in the room who are committed

sales force for IdM

on the web, on the net version of IdM

SaaS for IdM

jump ahead of the market

never be able to win that conversation with our CIO

how to build it as a web service

figure out a way to build it - have some revenue model on the other end

IdM as a service

needs to be the same across multiple schools if we are to attract commercial support

Schools who really need support may not be the ones represented here

Commercial affiliates - how to take a system and integrate it into what customer has

Having hard numbers on savings

1. software registry with functions and supportability

2. group to deal with Sun/Oracle problem

3. standards group - provisioning, registries


1. marketing

2. what are the boxes

    inventory - what the pieces are

    gap analysis

3. connecting the boxes

    reference architecture

4. what do we need to do

    lightweight projects people can work together on over the next six months

what is the functionality that goes with the boxes

https - JBoss - SAML - policy engine

Identity manager - need to support SPML

how does it take data in?

define to a lower level what the functionality of each box is

that being in the framework can help when something like Oracle/Sun happens

look at services catalog for IAM

WebSSO CAS and Shib - kind of the same, but different

options - need to understand the components

something that more fits your campus needs

come up with a high level architecture

Jack is on MS Higher Ed Advisory group

many of us will have to run a MS directory product

if you could move in a direction favorable to us, you can make inroads into higher ed

not in lieu of the OSS, but another option

tomorrow morning - forming working groups

please think about what you and your institution can do

streams - technical, managerial, coordination, marketing