Implementing Kuali Identity Management at your Institution Jasig Spring 2010 Wednesday, March 10,...
Implementing Kuali Identity Management at your Institution
Jasig Spring 2010, Wednesday, March 10, 2010, 8 am

Eric Westfall, Indiana University
Dan Seibert, University of California, San Diego

Integrating KIM with other IdM products

KIM Integration
Integration with various Identity Management Systems
Integrating KIM with CAS
<Insert CAS slides here>
Integrating KIM with LDAP
• LDAP Integration Efforts
• University of Arizona
• San Joaquin Delta College
• UC Davis
• Using CAS to connect to LDAP
KIM with LDAP (UofA example)
• UA NetID is used for authentication
• Identity information is available in UA's Enterprise Directory Service (EDS)
• Connect to EDS using Spring LDAP and overriding the KIM IdentityService
• KIM ParameterService provides the map between KIM and LDAP attributes
• In order to use the KIM GUIs properly, the UIDocumentService is also overridden
Integrating KIM with LDAP
Configure CAS to connect to LDAP
Integrating KIM with Shibboleth
• Intra-campus Web SSO
• Federated Access to a Rice application
• KIM as an Identity Provider (IdP)
• Using Shibboleth Attributes for KIM authorization
Integrating KIM with Shibboleth: Federated Authentication
Shibboleth Login Process
Integrating KIM with Shibboleth: Federated Authentication
Protecting a Rice application as a Service Provider (SP)
• A web server and openssl must be available first
• Add Shibboleth filters to the web server
• Metadata defines the attributes to be passed between the Identity Provider and Service Provider
• Override KIM Authentication Service
Integrating KIM with Shibboleth: Federated Authentication
Metadata Example:
    <AttributeRule
        Name="urn:mace:dir:attribute-def:eduPersonPrincipalName"
        Header="REMOTE_USER"
        Alias="eppn">
      <AnySite>
        <AnyValue/>
      </AnySite>
    </AttributeRule>
Integrating KIM with Shibboleth
KIM as an Identity Provider
• Prerequisites: SSL certificate, source of SAML Metadata
• Install Shibboleth IdP
• Load SAML Metadata
• Configure KIM as the User Authentication Mechanism
• Implement kimAuthenticationService to authenticate the user and provide the appropriate attributes
Integrating KIM with Shibboleth
KIM as User Authentication Mechanism
• Define Login Handler to match AuthenticationService
  Ex: Remote User for the reference AuthenticationService
      Username/Password for the LDAP implementation
• Provide service endpoint for AuthenticationServiceImpl
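One shape the "Override KIM Authentication Service" step from the SP slide and the "Remote User" login handler above can take, as an added example that is not part of this presentation or of Kuali Rice: it consumes the eppn that the AttributeRule maps into REMOTE_USER, and because that rule accepts any site and any value, the override itself checks the eppn scope before treating the local part as a KIM principal name. It assumes the Rice 1.x interface org.kuali.rice.kim.service.AuthenticationService with a single getPrincipalName(HttpServletRequest) method, a javax.servlet container, and a deployment-specific campus scope (the placeholder "example.edu" stands in for it).

```java
import javax.servlet.http.HttpServletRequest;

// Added example, not Kuali Rice code. Assumes the Rice 1.x interface
// org.kuali.rice.kim.service.AuthenticationService, whose single method is
// String getPrincipalName(HttpServletRequest).
public class ShibbolethAuthenticationServiceImpl
        implements org.kuali.rice.kim.service.AuthenticationService {

    // Header named in the AttributeRule for eduPersonPrincipalName.
    private static final String EPPN_HEADER = "REMOTE_USER";

    // Scope this SP accepts; the campus scope is a deployment-specific value
    // (e.g. the placeholder "example.edu").
    private final String trustedScope;

    public ShibbolethAuthenticationServiceImpl(String trustedScope) {
        this.trustedScope = trustedScope.toLowerCase();
    }

    @Override
    public String getPrincipalName(HttpServletRequest request) {
        // Prefer the container's remote user (set when the web server passes
        // REMOTE_USER through to the servlet container); fall back to the header
        // the AttributeRule exports. Both are trustworthy only because the
        // Shibboleth filter in the web server sets them, so the web server must
        // drop any copy of the header that arrives from the client.
        String eppn = request.getRemoteUser();
        if (eppn == null || eppn.trim().isEmpty()) {
            eppn = request.getHeader(EPPN_HEADER);
        }
        // null tells Rice that nobody is authenticated; never guess a user.
        return principalNameFromEppn(eppn);
    }

    // eppn has the form user@scope. Accept only the trusted scope and return
    // the local part as the KIM principal name; a foreign, malformed or
    // missing eppn yields null so it can never map to a local principal.
    String principalNameFromEppn(String eppn) {
        if (eppn == null) {
            return null;
        }
        String value = eppn.trim();
        int at = value.indexOf('@');
        if (at <= 0 || at != value.lastIndexOf('@') || at == value.length() - 1) {
            return null;
        }
        String scope = value.substring(at + 1).toLowerCase();
        return scope.equals(trustedScope) ? value.substring(0, at) : null;
    }
}
```

With this in place, "jdoe@example.edu" yields the principal name "jdoe", while "jdoe@other.edu" or a bare "jdoe" yields null and the request proceeds unauthenticated.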
Integrating KIM with Shibboleth: Authorization Attributes
Using Shibboleth Attributes for KIM Authorization
• Identify Attribute Sources
• Define Policies for Attribute Handling, for SPs
• Define New Business Processes
• Define New Policies
Integrating KIM with Shibboleth: Federated Authentication

Integrating KIM with Grouper
KIM / Grouper Collaboration
Integrating KIM with Grouper
Adapter Overview
Custom Implementation of KIM Services using the Grouper Client API
• GroupService
• GroupUpdateService
• IdentityService
Integrating KIM with Grouper
Installation
• grouperClient.jar
• grouperKimConnector.jar
• grouper.client.properties
• Override kimGroupService, kimIdentityService
https://spaces.internet2.edu/display/GrouperWG/Grouper+integration+with+Kuali+Rice