Implementing Kuali Identity Management at your Institution Jasig Spring 2010 Wednesday, March 10, 2010 8 am


Page 1

Implementing Kuali Identity Management at your Institution

Jasig Spring 2010, Wednesday, March 10, 2010, 8 am

Page 2

Implementing Kuali Identity Management at your Institution

Eric Westfall

Indiana University

[email protected]

Dan Seibert

University of California, San Diego

[email protected]

Page 3

Integrating KIM with other IdM products

Page 4

KIM Integration

Integration with various Identity Management Systems

Page 5

Integrating KIM with CAS

<Insert CAS slides here>

Page 6

Integrating KIM with LDAP

• LDAP Integration Efforts
  • University of Arizona
  • San Joaquin Delta College
  • UC Davis
• Using CAS to connect to LDAP

Page 7

KIM with LDAP (UofA example)

• UA netid is used for authentication
• Identity information is available in UA's Enterprise Directory Service (EDS)
• Connect to EDS using Spring LDAP and override the KIM IdentityService
• KIM ParameterService provides the map between KIM and LDAP attributes
• In order to use the KIM GUIs properly, the UIDocumentService is also overridden
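The EDS lookup behind such an IdentityService override, as an added example written for this page (not UA's or Rice's code). It assumes Spring LDAP 2.x on Java 8; the class, its Principal type and the contents of the KIM-to-LDAP attribute map are assumptions, the map standing in for what the KIM ParameterService would provide.

```java
import java.util.List;
import java.util.Map;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import org.springframework.ldap.core.AttributesMapper;
import org.springframework.ldap.core.LdapTemplate;
import org.springframework.ldap.filter.EqualsFilter;

/** Resolves a KIM principal from EDS. Class, Principal type and map contents are hypothetical. */
public class EdsPrincipalLookup {
    /** Simplified stand-in for the principal data a KIM IdentityService override returns. */
    public static final class Principal {
        public final String principalName, firstName, lastName, emailAddress;
        Principal(String p, String f, String l, String e) { principalName = p; firstName = f; lastName = l; emailAddress = e; }
    }

    private final LdapTemplate ldapTemplate;
    private final String searchBase;
    /** KIM attribute name -> EDS attribute name, as the KIM ParameterService would supply it. */
    private final Map<String, String> kimToLdap;

    public EdsPrincipalLookup(LdapTemplate ldapTemplate, String searchBase, Map<String, String> kimToLdap) {
        this.ldapTemplate = ldapTemplate; this.searchBase = searchBase; this.kimToLdap = kimToLdap;
    }

    public Principal findByPrincipalName(String netid) {
        if (netid == null || netid.trim().isEmpty()) return null;
        // EqualsFilter encodes the value, so a netid containing '*', '(' or ')' cannot widen
        // or rewrite the search (unescaped string concatenation here is LDAP filter injection).
        String filter = new EqualsFilter(ldapAttr("principalName"), netid.trim()).encode();
        AttributesMapper<Principal> toPrincipal = attrs -> new Principal(
            value(attrs, "principalName"), value(attrs, "firstName"),
            value(attrs, "lastName"), value(attrs, "emailAddress"));
        List<Principal> hits = ldapTemplate.search(searchBase, filter, toPrincipal);
        // Exactly one entry must match; zero or several is reported as "unknown", never guessed.
        return hits.size() == 1 ? hits.get(0) : null;
    }

    /** A missing mapping is a configuration error, not a silent null. */
    private String ldapAttr(String kimAttr) {
        String ldapName = kimToLdap.get(kimAttr);
        if (ldapName == null) throw new IllegalStateException("no EDS mapping for KIM attribute " + kimAttr);
        return ldapName;
    }
    private String value(Attributes attrs, String kimAttr) throws NamingException {
        Attribute a = attrs.get(ldapAttr(kimAttr));
        return a == null ? null : (String) a.get();   // optional EDS attributes may be absent
    }
}
```

The IdentityService override would call findByPrincipalName from its principal-by-name method and translate the returned Principal into KIM's own principal and entity objects.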

Page 8

Integrating KIM with LDAP

Configure CAS to connect to LDAP

Page 9

• Intra-campus Web SSO
• Federated Access to a Rice application
• KIM as an Identity Provider (IdP)
• Using Shibboleth Attributes for KIM authorization

Page 10

with Federated Authentication

Shibboleth Login Process

Page 11

with Federated Authentication

Protecting a Rice application as a Service Provider (SP)

• A web server and openssl must be available first
• Add Shibboleth filters to the web server.
• Metadata defines the attributes to be passed between the Identity Provider and Service Provider.
• Override KIM Authentication Service
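The last step, the Authentication Service override, as an added example written for this page (not Rice's reference implementation). It assumes the Rice 1.x interface shape, a single String getPrincipalName(HttpServletRequest) method; the class name, the trusted-scope check and the eppn-to-netid mapping are assumptions of this example.

```java
import java.util.Set;
import javax.servlet.http.HttpServletRequest;

/**
 * Reads the Shibboleth-asserted eppn and turns it into a KIM principal name.
 * Assumes the Rice 1.x AuthenticationService shape (getPrincipalName(HttpServletRequest));
 * class name, trusted-scope check and netid mapping are assumptions for this example.
 */
public class ShibbolethAuthenticationService /* implements the KIM AuthenticationService interface */ {
    /** Header the SP AttributeRule exports eppn into when header export is in use. */
    private static final String EPPN_HEADER = "REMOTE_USER";
    /** Scopes whose IdP is trusted to assert KIM users (constructed, e.g. "example.edu"). */
    private final Set<String> trustedScopes;
    private final boolean allowHeaderFallback;

    public ShibbolethAuthenticationService(Set<String> trustedScopes, boolean allowHeaderFallback) {
        this.trustedScopes = trustedScopes;
        this.allowHeaderFallback = allowHeaderFallback;
    }

    public String getPrincipalName(HttpServletRequest request) {
        // Prefer the container-supplied remote user: the Shibboleth module sets it on the
        // server side, so a browser cannot forge it the way it can forge a request header.
        String eppn = request.getRemoteUser();
        if (isBlank(eppn) && allowHeaderFallback) {
            // Header export is only safe when the SP strips client-supplied copies of the
            // header on every request; otherwise leave allowHeaderFallback off.
            eppn = request.getHeader(EPPN_HEADER);
        }
        return isBlank(eppn) ? null : toPrincipalName(eppn.trim());
    }

    /**
     * eppn is scoped, e.g. jdoe@example.edu. Only scopes listed as trusted are accepted and
     * the unscoped part becomes the KIM principal name; any other scope yields null, so two
     * IdPs cannot both claim the same netid.
     */
    String toPrincipalName(String eppn) {
        int at = eppn.lastIndexOf('@');
        if (at <= 0 || at == eppn.length() - 1) return null;   // malformed: no user or no scope
        String netid = eppn.substring(0, at);
        String scope = eppn.substring(at + 1).toLowerCase();
        return trustedScopes.contains(scope) ? netid : null;
    }

    private static boolean isBlank(String s) { return s == null || s.trim().isEmpty(); }
}
```

A null return means "not authenticated" to Rice, which is the right outcome for a missing, malformed or untrusted assertion.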

Page 12

with Federated Authentication

Metadata Example:

<AttributeRule
    Name="urn:mace:dir:attribute-def:eduPersonPrincipalName"
    Header="REMOTE_USER"
    Alias="eppn">
  <AnySite>
    <AnyValue/>
  </AnySite>
</AttributeRule>

Page 13

KIM as an Identity Provider

• Prerequisites: SSL certificate, source of SAML Metadata
• Install Shibboleth IdP
• Load SAML Metadata
• Configure KIM as the User Authentication Mechanism
• Implement kimAuthenticationService to authenticate the user and provide the appropriate attributes.

Page 14

KIM as User Authentication Mechanism

• Define Login Handler to match AuthenticationService
  Ex: Remote User for reference AuthenticationService
      Username/Password for LDAP Implementation
• Provide service endpoint for AuthenticationServiceImpl

Page 15

with Authorization Attributes

Using Shibboleth Attributes for KIM Authorization

• Identify Attribute Sources
• Define Policies for Attribute Handling, for SPs
• Define New Business Processes
• Define New Policies

Page 16

with Federated Authentication

Page 17

KIM / Grouper Collaboration

Page 18

Adapter Overview

Custom Implementation of KIM Services using Grouper Client API
• GroupService
• GroupUpdateService
• IdentityService

Page 19

Installation

• grouperClient.jar
• grouperKimConnector.jar
• grouper.client.properties
• Override kimGroupService, kimIdentityService

https://spaces.internet2.edu/display/GrouperWG/Grouper+integration+with+Kuali+Rice
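What the overridden kimGroupService does for a single membership question, as an added example written for this page (not the grouperKimConnector's code). The class, method and stem names are assumptions; the GcHasMember call chain is the Grouper client API as I know it, so check it against the grouperClient.jar you deploy.

```java
import edu.internet2.middleware.grouperClient.api.GcHasMember;
import edu.internet2.middleware.grouperClient.ws.beans.WsHasMemberResult;
import edu.internet2.middleware.grouperClient.ws.beans.WsHasMemberResults;

/**
 * One method of a GroupService override that answers KIM membership questions from Grouper
 * through the Grouper client (endpoint and credentials come from grouper.client.properties).
 * Class, method and stem names are hypothetical; verify the GcHasMember chain against your jar.
 */
public class GrouperGroupService {
    /** Grouper folder under which KIM groups live, e.g. "kuali" (constructed example value). */
    private final String groupStem;

    public GrouperGroupService(String groupStem) { this.groupStem = groupStem; }

    /** KIM names a group by namespace + name, Grouper by a path: KR-WKFLW:Admins -> kuali:KR-WKFLW:Admins. */
    String grouperGroupName(String namespaceCode, String groupName) {
        return groupStem + ":" + namespaceCode + ":" + groupName;
    }

    /**
     * True only when Grouper explicitly reports IS_MEMBER. Unknown group, unknown subject,
     * transport failure or an unexpected result count all fail closed: an authorization
     * source must never default to "yes".
     */
    public boolean isMemberOfGroup(String principalId, String namespaceCode, String groupName) {
        if (principalId == null || principalId.isEmpty()) return false;
        try {
            WsHasMemberResults results = new GcHasMember()
                .assignGroupName(grouperGroupName(namespaceCode, groupName))
                .addSubjectId(principalId)   // assumes the KIM principalId is the Grouper subject id
                .execute();
            WsHasMemberResult[] perSubject = results.getResults();
            if (perSubject == null || perSubject.length != 1) return false;
            return "IS_MEMBER".equals(perSubject[0].getResultMetadata().getResultCode());
        } catch (RuntimeException e) {   // the client reports WS failures as unchecked exceptions
            return false;                // fail closed; log the exception in a real deployment
        }
    }
}
```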

Page 20