MACE-Dir: Attributes, Schema and Information Models for Education and Research
InCommon Virtual Working Groups, May 21, 2013
Keith Hazelton, MACE-Dir Chair, UW-Madison
Jon Saperia, InCommon User Identifiers Chair, Harvard U
Mark Scheible, InCommon/Quilt Federation Pilots, MCNC
• Introduction to MACE-Dir
• The Evolution of eduPerson: New Draft Out for Review
  – New identifiers to solve a long-standing set of problems
  – Keeping track of changes to eduPersonPrincipalName values
• Crafting a Schema for K-12 Use
• System for Cross-domain Identity Management (SCIM)
  – A new model for identity data provisioning and integration
• Exploring Curricular Data Needs
• Elsewhere in Schema-Land
  – An Online Schema and Attribute Registry out of the NSTIC pilots
• New draft out for review: eduPerson (201305 Draft 08)
• Another new attribute
  – eduPersonPrincipalNamePrior (ePPNP)
  – Helps in situations where a user's ePPN value has changed
  – Important when Relying Parties are using ePPN for authorization purposes (as in .htaccess files)
• Continued international discussions on uses of existing attributes
  – For example, in the last two weeks, a lively thread on eduPersonEntitlement
  – One example: a way to signal "This user should receive access per the terms of the contract mapped to this entitlement value (URI)"
• In practice, a small number of attributes do a lot of service
  – Identifiers (where needed)
  – Affiliations (scoped, generally)
  – Group memberships
  – Entitlements
• Tendency to use "cooked" attributes (affiliations, groups, entitlements) rather than ask for a large set of atomic facts from which to compute an allow/deny decision
• Example: A learning management system (LMS) controlling access to course materials
  – Roster information via isMemberOf (vs eduCourseMember)
  – "Ticket" to use a particular e-text via an entitlement URI
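The two relying-party behaviours described on these slides, the ePPN-to-ePPNP fallback for an ePPN-keyed access list and the LMS decision driven by isMemberOf and eduPersonEntitlement, as one added example. It is not code from the slides or from any SP product; every user, scope, group name and entitlement URI in it is constructed for illustration. The security-relevant detail the slides leave implicit is the scope check: an IdP may only be allowed to assert prior names in scopes it owns, otherwise a prior-name attribute becomes a way to claim another institution's access-list entry.

```python
"""Relying-party authorization from eduPerson attributes.

Added example; not code from the MACE-Dir slides or from any SP product.
It shows two things the slides describe: keeping an ePPN-keyed access list
working after a principal is renamed, by consulting
eduPersonPrincipalNamePrior (ePPNP), and an LMS allow/deny decision made from
"cooked" attributes (isMemberOf, eduPersonEntitlement) instead of atomic
facts. All users, scopes, group names and entitlement URIs are constructed.
"""

# Attribute names as the SP's attribute map presents them after SAML decoding.
EPPN = "eduPersonPrincipalName"
EPPN_PRIOR = "eduPersonPrincipalNamePrior"
IS_MEMBER_OF = "isMemberOf"
ENTITLEMENT = "eduPersonEntitlement"


def scope_of(value):
    """Return the scope (text after the last '@') of a scoped value, else None."""
    _, sep, scope = value.rpartition("@")
    return scope if sep else None


def trusted_values(attrs, name, allowed_scopes):
    """Yield values of a scoped attribute whose scope the asserting IdP may
    use. An IdP must not be able to claim a prior name in another
    institution's scope, so values outside allowed_scopes are dropped."""
    for value in attrs.get(name, []):
        if scope_of(value) in allowed_scopes:
            yield value


def resolve_acl_user(attrs, acl_users, allowed_scopes):
    """Map the asserted principal onto an entry of an ePPN-keyed access list
    (the 'Require user' lines of an .htaccess file, say). The current ePPN is
    tried first; otherwise a scope-checked ePPNP value lets a renamed user
    keep access. Returns the matching ACL entry or None."""
    for value in trusted_values(attrs, EPPN, allowed_scopes):
        if value in acl_users:
            return value
    for value in trusted_values(attrs, EPPN_PRIOR, allowed_scopes):
        if value in acl_users:
            return value
    return None


def lms_decision(attrs, course_group, etext_entitlement):
    """LMS access decision from cooked attributes: course roster membership
    via isMemberOf, licence for a particular e-text via an entitlement URI.
    Returns (allow_course, allow_etext)."""
    groups = set(attrs.get(IS_MEMBER_OF, []))
    entitlements = set(attrs.get(ENTITLEMENT, []))
    allow_course = course_group in groups
    allow_etext = allow_course and etext_entitlement in entitlements
    return allow_course, allow_etext


# --- constructed sample data ---------------------------------------------
ACL_USERS = {"jdoe@example.edu", "asmith@partner.edu"}  # e.g. .htaccess Require user
ALLOWED_SCOPES = {"example.edu"}   # scopes this IdP's metadata authorises it to assert
COURSE_GROUP = "urn:mace:example.edu:group:cs101:students"
ETEXT_ENTITLEMENT = "urn:mace:example.edu:entitlement:etext:cs101"

# jdoe was renamed to jane.doe; the IdP asserts the old name in ePPNP.
RENAMED_USER = {
    EPPN: ["jane.doe@example.edu"],
    EPPN_PRIOR: ["jdoe@example.edu"],
    IS_MEMBER_OF: [COURSE_GROUP],
    ENTITLEMENT: [ETEXT_ENTITLEMENT],
}

# The same IdP (mis)asserting a prior name in a scope it does not own.
SPOOFED_USER = {
    EPPN: ["mallory@example.edu"],
    EPPN_PRIOR: ["asmith@partner.edu"],
    IS_MEMBER_OF: [COURSE_GROUP],
}

if __name__ == "__main__":
    print(resolve_acl_user(RENAMED_USER, ACL_USERS, ALLOWED_SCOPES))   # jdoe@example.edu
    print(resolve_acl_user(SPOOFED_USER, ACL_USERS, ALLOWED_SCOPES))   # None
    print(lms_decision(RENAMED_USER, COURSE_GROUP, ETEXT_ENTITLEMENT))  # (True, True)
    print(lms_decision(SPOOFED_USER, COURSE_GROUP, ETEXT_ENTITLEMENT))  # (True, False)
```

Two practical notes. Once a prior-name match succeeds, the SP should rewrite the access-list entry to the new ePPN rather than rely on ePPNP indefinitely; the attribute is there to bridge the rename, not to be a permanent alias. The scope check is the same rule the Shibboleth SP applies to other scoped attributes by matching value scopes against the IdP's metadata, and ePPNP only gets that protection if it is mapped as a scoped attribute.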
• The North Carolina Education Cloud (NCEdCloud), funded under Race to the Top (RttT)
  – Foundational project is an IAM "Managed Service"
    • Covers ALL K-12 students, teachers & staff, parents, guests
    • Single username/password for access to cloud services
    • Led by the Friday Institute at NC State University
    • MCNC has been providing IAM consulting resources for two years
  – Developed an architecture document describing what was needed
  – RFP process completed, contract awarded to Identity Automation
  – Service consists of data integration of sources, building and maintaining a Person Registry, a Directory environment, and Federated Identity Management for roughly 3 million identities
  – Provisioning of cloud service accounts
• K-12/Community College Pilot using federated identities
  – Part of the InCommon/Quilt project to extend FIM to K12, CC, etc.
• Why a separate K12 Schema?
• K12 has additional challenges/requirements
  – K12 students are minors
    • Special/additional regulations apply (e.g. COPPA, CIPA)
    • Students cannot authorize attribute release (parent involvement?)
  – Delivery of online services/content may be age- or grade-based
  – Granularity of K12 organizational structure may be finer than in higher education
  – IT staffing and skill sets in K12 are frequently not focused on IAM/SAML
  – 13-year relationship with moves between schools/districts
  – Parents could easily have a longer relationship (multiple children)
  – 1:1 student/client device is rare (particularly in primary grades)
• Existing schema (e.g. eduPerson) are not sufficient
• Attributes we know or suspect will be needed
  – Grade level
  – Over/Under 13 (for COPPA)
  – School Identifier
  – School District
  – School Region (in some states)
  – Parent or Guardian "link" (connecting parent to student)
  – Parent or Guardian consent (to release attributes)
• Schema development work plan
  – Mailing list, conference calls (under the auspices of MACE-Dir)
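How the attributes on this list fit together on the release side, as an added example that is not from the slides or from NCEdCloud: the guardian link and guardian consent gate what an under-13 student's IdP releases to a given service, and the service receives a derived over/under-13 flag rather than the date of birth it is computed from. Record layouts, attribute names, entity IDs and the people in the records are all assumptions constructed for illustration.

```python
"""K-12 attribute release gated by age and guardian consent.

Added example, not from the slides or from NCEdCloud. It models the
release-side rule the K-12 attribute list implies: a minor cannot
authorise release, so a linked parent/guardian's recorded consent for the
requesting service gates what goes out, and the service receives an
over/under-13 flag derived from date of birth rather than the date of birth
itself. Record layouts, attribute names, entity IDs and people are all
assumptions constructed for illustration.
"""
from datetime import date

COPPA_AGE = 13
PRESENTATION_DATE = date(2013, 5, 21)          # "today" for the sample run
NEVER_RELEASED = {"dob", "guardians"}          # internal only, whatever the policy
DEFAULT_RELEASE = {"grade", "school", "district", "region", "under13"}  # 13+ students
ETEXT_SP = "https://etext.example.org/sp"      # hypothetical SP entityID

# Constructed person-registry records.
STUDENTS = {
    "s1001": {"dob": date(2001, 5, 22), "grade": 6, "school": "NC-042-0007",
              "district": "NC-042", "region": "Piedmont", "guardians": ["g2001"]},
    "s1002": {"dob": date(2000, 5, 21), "grade": 7, "school": "NC-042-0007",
              "district": "NC-042", "region": "Piedmont", "guardians": ["g2001"]},
    "s1003": {"dob": date(2000, 2, 29), "grade": 7, "school": "NC-042-0009",
              "district": "NC-042", "region": "Piedmont", "guardians": []},
}
# Guardian link plus per-service consent: which attributes may go to which SP.
GUARDIANS = {
    "g2001": {"consents": {ETEXT_SP: {"grade", "school"}}},
}


def under_13(dob, today):
    """True while the student has not yet had a 13th birthday on `today`.
    Someone born on 29 February has that birthday on 1 March in a common year."""
    try:
        thirteenth = dob.replace(year=dob.year + COPPA_AGE)
    except ValueError:
        thirteenth = dob.replace(year=dob.year + COPPA_AGE, month=3, day=1)
    return today < thirteenth


def consented_attributes(student, sp_entity_id):
    """Union of what every linked guardian has consented to release to this SP."""
    allowed = set()
    for gid in student["guardians"]:
        allowed |= GUARDIANS.get(gid, {}).get("consents", {}).get(sp_entity_id, set())
    return allowed


def release(student_id, sp_entity_id, requested, today):
    """Attributes to release to sp_entity_id for the student, as a dict.
    Under 13: only the derived age flag plus guardian-consented attributes.
    13 and over: the default set. DOB and guardian links never leave."""
    student = STUDENTS[student_id]
    visible = {k: v for k, v in student.items() if k not in NEVER_RELEASED}
    visible["under13"] = under_13(student["dob"], today)
    if visible["under13"]:
        allowed = consented_attributes(student, sp_entity_id) | {"under13"}
    else:
        allowed = DEFAULT_RELEASE
    return {k: visible[k] for k in requested if k in allowed and k in visible}


if __name__ == "__main__":
    wanted = ["grade", "school", "district", "dob", "under13"]
    for sid in STUDENTS:
        print(sid, release(sid, ETEXT_SP, wanted, PRESENTATION_DATE))
```

The flag is released even when nothing else is, on the assumption that a service subject to COPPA needs it to apply its own restrictions; a deployment could equally require consent for that too. A requested attribute the policy does not allow is silently omitted rather than refused, which is how SAML attribute release generally behaves.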
• SCIM is coming to higher education via two paths
• Grouper has SCIM support on its latest roadmap
• CIFER (Community Identity Framework for Education and Research)
  – Open source IAM initiative under the auspices of Internet2, Kuali and Apereo (Jasig/Sakai)
  – Recommending SCIM as a core API for identity data provisioning and integration across the IAM infrastructure
  – Developing SCIM schema extensions to cover the CIFER identity registry data model
• MACE-Dir will host review and comment discussions as requested
• An online Schema and Attribute Registry now at version 1.0
• An early NSTIC pilot deliverable from the Internet2 Scalable Privacy project
  – NSTIC: National Strategy for Trusted Identities in Cyberspace
• Higher education has thought longer and harder about schema and attributes than government and industry
• The registry as a way to demonstrate prior art and show patterns of use
  – Includes eduPerson, SCHAC, OpenID Connect, OpenSocial, …
  – Each attribute is associated with an attribute class (identifier, name, entitlement, profile) to facilitate cross-schema comparisons
Thank you!
For more information, please visit www.internet2.edu