concept of higher ed IdM suite
what's in the box and what's next to the box
how do we get to the box - what do we need
next steps - diagram architecture, documentation?
do we care about packaging that much?
differences - but if we can make interfaces standard, we can make progress
important thing - standards around each one of the boxes
inventory of the boxes that are missing
fill in boxes w/no OSS equivalent to what Oracle or Sun provided
how to connect the pieces - interfaces defined - provisioning to directories or authentication systems
define what an abstract authentication system is
components that those interfaces connect to - what are they?
need end to end vision of what the components are
high level - need to demonstrate - unique aspects around higher ed the market has never addressed
influence some of the commercial products to support some of higher ed's standard interfaces
lack of vendor support for heterogeneous environment
open, not necessarily open source - open interfaces that are documented
immediate plans - Sun customers -
Mn State Colleges - Oracle bought Sun just after selection - they have four years on their contract - many have a 2 to 5 year window
One place has a 2 month window - switch to Oracle or turn it off
Directory server - they couldn't migrate that fast
Sun identity manager - provisioning engine - need to move away from
Have to switch to Oracle Sun directory server
not necessarily enough to just have open interfaces, you want the favorable software licensing terms of open source
any solutions can be considered, commercial and open source
SPML potentially can be the connectors
missing piece - no way of shipping information between provisioning components
these things haven't been standardized
time horizon - two years? probably not enough
What's going on now that could solve pieces of this problem
We have the middleware model, at least most of the high level components
Gap analysis
Short term, interim solution based on open source - nothing for provisioning/deprovisioning
Underlying LDAP information model - most people have more complicated information in their registry - information model, LDAP won't be enough
Evaluate the information model
We don't know what the problems are
We haven't tried to put the end-to-end suite together
Open metadir
OpenRegistry
Grouper
biggest gap is in the provisioning space
timing - people are paying attention to the issue because of Oracle/Sun
Opportunities we can leverage now -
What Sun components are replaceable by other products
Whether commercial or open source - rethinking of your architecture approach - most people have been running their IdM infrastructure for 10 years - opportunity to review those choices
Framework for how it ought to work
How you ought to be thinking about IdM issues
List of components - all institutions can provide and compare
Multiple approaches that can run concurrent - technical plumbing, issues and decisions
Defined layers so you can pull out and fix just parts
Framework for how they're going to do things
Easier to share components
Common vision of where we ought to be heading
Framework won't connect systems - you need a protocol for that
Grouper - looking at groups - you can share if you're only doing that - but most provisioning is much more complex - going to require another level of complexity, and those things don't exist
SPML - can get around LDAP - next level is going to be semantic web stuff
Are we prepared as a community to take on that work?
Can tackle it in layers
High level framework - reference architecture - interfaces - technical protocol specifications
reference implementations that exercise the interfaces
Time horizon - better for people who have 3 years, 2 to 5 years
Higher Ed community not big enough?
Draw a line in the sand - anyone who has to have it solved by a certain date
Of those people - who will realistically not just go to Microsoft ILM
Monetary question - you can budget and fund it because there is a monetary driver
Is it on CIO's radar screen? Top 5 in the ECAR report. But not necessarily the Oracle/Sun problem
IAM issue, and resourcing/funding issue, leaning away from open source
don't let a good crisis go to waste
Oracle is going to present there are no alternatives - we want to create alternatives
Oracle is selling it as a suite - but really what are the boxes?
registry, directory, authn services, provisioning
worried about LDAP
registry is the mainframe - how to attack that problem
where are our pain points
Shibboleth - pretty mature project - why pay money for something else
can you make that same argument for the other boxes?
core missing piece is provisioning engine
intelligence lies at end points of the network - how do you transfer - but if a segment is missing
1. Sun/Oracle, what to do
2. What are the pieces out there, and reasons why to choose it?
2 goes to the reference framework
long term - to be competitive - you need to have a good understanding of the boxes, the suite, enough of a concept so that there can be commercial support - try to get that commercial support
define boxes
make sure that there can be solutions that either institutions or commercial providers can offer
such a low profile budget wise - IT doesn't get much attention - Oracle going gangbusters, Microsoft coming in - can't sell open source solutions
because this is diverse and complex - unless we can make it more manageable so it can be supported
Some name recognition in management for Kuali, etc. But they're all about having Oracle do everything
Higher education differentiators that are built into this suite
Who is using it? Apple is using OpenLDAP
component stream - combine components into a framework - packaging of the model
open identity solutions gained traction through marketing
Some entrepreneur will see the value in offering support package for the open source IdM stack
pick a date
get people in the room who are committed
sales force for IdM
on the web, on the net version of IdM
SaaS for IdM
jump ahead of the market
never be able to win that conversation with our CIO
how to build it as a web service
figure out a way to build it - have some revenue model on the other end
IdM as a service
needs to be the same across multiple schools if we are to attract commercial support
Schools who really need support may not be the ones represented here
Commercial affiliates - how to take a system and integrate it into what customer has
Having hard numbers on savings
1. software registry with functions and supportability
2. group to deal with Sun/Oracle problem
3. standards group - provisioning, registries
Jens
1. marketing
2. what are the boxes
survey
inventory - what the pieces are
gap analysis
3. connecting the boxes
framework
reference architecture
protocols
4. what do we need to do
projects
lightweight projects people can work together on over the next six months
what is the functionality that goes with the boxes
HTTPS - JBoss - SAML - policy engine
Identity manager - need to support SPML
how does it take data in?
define to a lower level what the functionality of each box is
that being in the framework can help when something like Oracle/Sun happens
look at services catalog for IAM
WebSSO CAS and Shib - kind of the same, but different
options - need to understand the components
something that more fits your campus needs
come up with a high level architecture
Jack is on MS Higher Ed Advisory group
many of us will have to run a MS directory product
if you could move in a direction favorable to us, you can make inroads into higher ed
not in lieu of the OSS, but another option
follow-up
tomorrow morning - forming working groups
please think about what you and your institution can do
streams - technical, managerial, coordination, marketing