Federation and Cloud Services
for the K12 Community
Quilt/InCommon K12 Pilot Project Summary
Two Cases: Illinois and Nebraska
What is Envisioned, Experiences, and Challenges
Bernie Acs{[email protected]}, Jim Peterson {[email protected]}, Jason Radford {[email protected]}
Illinois Shared Learning Environment
Create, Find, Map, Use, and Visualize Data Linked to Content and Standards enabling Personalized Learning and Career Preparedness for All Illinois Learners (P-K12 & Life-Long).

[Architecture diagram: Illinois Shared Learning Environment (ISLE)]
• Local School Districts: Collect, Assemble, & Propagate data into the Ed-Fi Data Model (Data Store Services, Application Program Interface (API)) hosted in Partner Institutions' Data Centers
• Participating LEAs: 2 SLC pilot districts, 35 RttT-3 districts, ~20% of Illinois Students (with RttT-3 school districts; ~840 to go)
• Search & Registry Index for Content; Content Producers, Consumers, and Brokers; Learning Maps, Assessments, & Learning Content
• Applications and Dashboards on a Dynamic Cloud Infrastructure (Apps, DB, Compute)
• Partners: ISLE Grant DCEO -> NCSA/UIUC; ISLE-IGA: NCSA/UIUC -> NIU, SIU, & IC; GOMB
• Agreements: SLC (Service Agreement): ISBE/LEA; RttT-3 Grant: ISBE/LEA; RttT-Early Childhood: ISBE/LEA
• Students, Educators, Parents, Researchers, Schools, Institutions and Agencies empowered by the Middleware infrastructure and Dynamic Self-Service Procurement Cloud Platform Services: *Learning Maps *Applications *Dashboards *Portal Integration *Databases *Collaboration Tools *Development Incubator *Advanced Analytics *Shared Data Services *Enterprise Services
Nebraska K12/P20W Pilot

[Architecture diagram: Nebraska K-12 Federation]
• Learning Object Repository
• SIS DB -> ETL -> Ed-Fi ODS -> Ed-Fi Dashboards
• Compute Metrics, Basic Services, VM Hosting, Learning Management Systems
• Auto-provision & De-provision; District Integration
• IdP Proxy: Authentication & Authorization
• Self-service Portal
• Internet2 (K.C. GigaPop)
• Network Nebraska-Education CURRENT Partners (261)
– 223 public school districts
– 16 Educational Service Units
– 10 public colleges
– 7 nonpublic colleges
– 2 tribal colleges
– 3 nonpublic schools
– 1 public library
• Network Nebraska-Education POTENTIAL Partners (460+)
– 28 public school districts
– 1 Educational Service Unit
– 7 nonpublic colleges
– 159 nonpublic schools
– 269 public libraries
K12 to P20
Vision Resources
• Compelling case for effective utilization of resources
– Might call this zero system administration.
– http://www.azed.gov/aelas/files/2013/10/aelas-business-case-v1.5.pdf
• Jack's story is the vision of interoperability through standards
– http://www.setda.org/wp-content/uploads/2013/11/Data-to-Information.pdf
• Data Quality Campaign infographic vision on using data
– http://www2.dataqualitycampaign.org/files/Data-Rich%20Year%20Infographic.pdf
• Visionary Resources: A little on the techie side
– Learning Registry: http://www.learningregistry.org
– Advanced Distributed Learning: http://www.adlnet.gov/
– SCORM: http://scorm.com/scorm-explained/
– IMS Global: http://www.imsglobal.org/
Illinois Shared Learning Environment
Exploring the Learning Map Concept: A Revolutionary Catalyst for
What is a Learning Map?
1.) Visual Representation of a Series of Learning Objectives & Assessment of Mastery
[Diagram: a sequence of map nodes 1, 2a/2b, 3a/3b, …, N, each pairing Learning Objective #k with Assessment Measures #k]
• The visualization may be non-linear with branches and junctions having alternative paths: a Branch Node opens multiple path options; a Junction Node is where multiple paths converge.
How Does a Learning Map Work?
2.) Coded Alignment of Objectives and Measures enables Content to be Linked to a Map!
[Diagram: map nodes 1 2 3 4 5 … N; Objectives and Measures are Aligned and Coded with Linked Learning Modules and Linked Assessment Bank Items]
• User Interface Options (Hover Over & Zoom Into); Actions (Clicks, Pop-up Options)
• Content Aligned and Coded with Objectives Empowers:
– Learners to explore skill proficiency tasks
– Mentors to find, create, and share
– Measures of effectiveness can be quantified by community experience and qualitative analysis of use.
• Link Content Aligned by Codes (Tagging): Create, Find, Use, and Shared-Experience Pooling of Objective Modules & Assessment Items
• Maps may be Presented using Interactive-Visual-Objects for each location marker (Map Node) along the path it shows
Why are Learning Maps Centrally Important?
3.) Learning Map Perspectives (or Views) of Learners' Progression using Data in Alignment with Codified Objectives, Measures, & Content, with variability in number of Learners & Time Scale
[Diagram: map nodes 1 2 3 4 5 … N with Objectives, Measures, and Content]
Learner Perspective
•Where am I and what tasks are to do
•Find, create, use, and share content
•Peer & mentor collaboration
•Personalize pathway potential
•How do my peers compare with me
Educator Perspective
•All Educators are also Learners
•Find, create, use, and share content
•Professional Development Support
•Virtual Professional Peer Groups
•Measures of effectiveness can be quantified by community experience with qualitative analytics capacity.
Apply Learner & Educator Perspectives of Progress along the learning map pathways:
Perspectives: Role & Aggregation
The Learning Map Concept may be Presented using Role-Based-Visual-Objects integrated with API Driven Dynamic-Data-Aggregation for a Variety of Role Perspectives: Workgroup, Guardian, Building, Institutional, Real-Time, Future, and State & Local Education Authority Perspectives (per Map Node).
How can the Learning Map Concepts be Implemented?
[Diagram: map nodes 1 2 3 4 5 … N with Objectives, Measures, and Content]
What is Required to Implement Learning Map Concepts?
• Identity Access Management Services (IDP/Proxy Hybrid: IAM)
• Data Services (Authoritative Source systems, ETL to SIF ZIS, and automated propagation to other data models)
• Application Services: Multi-tenant Portal for School Districts
• Learner Progression & Achievement Data
• Parents & Guardians; Mentors & Interest Groups
• Learning Content Repositories; Network of Nodes; Learning Registry; Content Archives, Libraries, and Museums
• LEA Curriculum Workgroups & Standards; SEA Curriculum Guidance & Standards
Three Essential Pillars of Support:
A K12 Federation Model for the Core Centralized Services & Operations
Illinois Shared Learning Environment
The Platform's Three Pillars of Support: Data, Identity, & Application
• IlliniCloud is a non-profit organization providing services primarily for K12 school districts all over the state of Illinois. Acting as a K12 federation operator and service provider, IlliniCloud is establishing three foundational service dimensions for the K12 community:
• Data Services
• Identity Services
• Application Services
What Are The Three Service Pillars?
• Minimal threshold of Adoption: The implementation is focused on minimizing the integration requirements for K12 school districts' adoption of services, with little to no modification of existing practices and procedures.
[Diagram: End-User Facing Interfaces; Tenants (School Districts); Backend Interfaces & Services]
Illinois Shared Learning Environment
The Platform's First Pillar of Support: Data Services
[Diagram: Raw Source Systems (Source 1 … Source N) -> Operational Data Store -> Intermediate Data Product(s) -> Any Data Model -> Reports, Analytics]
How Does The Data Service Work?
[Diagram: District/LEA Raw Source Systems -> Data Matrices -> Intermediate Data Model(s) -> Data Product Propagation]
How Does the Data Validation Service Work?
Data Entry (Teacher/Staff Data, Student Information) -> IlliniCloud
Data is collected in the ODS, where the Data Validation Rules Engine runs to check for errors.
• ERRORS: If the data is rejected, an error message is generated to the user; the user corrects the data and resubmits.
• NO ERRORS: Valid data is moved to the Data Marts and stored in the Longitudinal Data Warehouse.
Better Research Leads to Better Decisions: the data can now be analyzed (longitudinal data analysis can be performed) in a spreadsheet, a report, or a presentation.
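The validation step above, as an added illustration (this is not IlliniCloud/ISLE code): a small rules engine that runs every rule over every incoming record, sends clean records on toward the data mart, and returns every rejected record together with all of its error messages so the submitter can correct and resubmit in one pass rather than one error at a time. The field names, rule set, known-school list and sample records are constructed for the example.

```python
"""Toy Data Validation Rules Engine for an ODS -> Data Mart step.

Added example, not IlliniCloud/ISLE code.  Field names, rules, the known
school-id set and the sample feeds below are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Callable, Dict, List, Tuple

Record = Dict[str, object]


@dataclass
class Rule:
    """One validation rule: a predicate over a record plus the message the
    submitter sees when it fails."""
    name: str
    check: Callable[[Record], bool]
    message: str


@dataclass
class Rejection:
    record: Record
    errors: List[str] = field(default_factory=list)


def _iso_date(value: object) -> bool:
    """True only for a parseable YYYY-MM-DD string (None -> 'None' -> False)."""
    try:
        date.fromisoformat(str(value))
        return True
    except ValueError:
        return False


# Constructed reference data standing in for an authoritative school table.
KNOWN_SCHOOL_IDS = {"SCH-001", "SCH-002"}

STUDENT_RULES = [
    Rule("student_id_present", lambda r: bool(r.get("student_id")), "student_id is required"),
    Rule("school_known", lambda r: r.get("school_id") in KNOWN_SCHOOL_IDS,
         "school_id is not a known school"),
    Rule("grade_range", lambda r: isinstance(r.get("grade"), int) and -1 <= r["grade"] <= 12,
         "grade must be an integer from -1 (PK) to 12"),
    Rule("enrollment_date_iso", lambda r: _iso_date(r.get("enrollment_date")),
         "enrollment_date must be an ISO date (YYYY-MM-DD)"),
]

STAFF_RULES = [
    Rule("staff_id_present", lambda r: bool(r.get("staff_id")), "staff_id is required"),
    Rule("school_known", lambda r: r.get("school_id") in KNOWN_SCHOOL_IDS,
         "school_id is not a known school"),
    Rule("role_allowed", lambda r: r.get("role") in {"Educator", "Staff Employee", "Administrator"},
         "role must be Educator, Staff Employee or Administrator"),
]


def validate_batch(records: List[Record], rules: List[Rule]) -> Tuple[List[Record], List[Rejection]]:
    """Run every rule over every record.  Records with no errors are returned
    as the data-mart load; the rest come back with all their error messages."""
    valid: List[Record] = []
    rejected: List[Rejection] = []
    for rec in records:
        errors = [rule.message for rule in rules if not rule.check(rec)]
        if errors:
            rejected.append(Rejection(rec, errors))
        else:
            valid.append(rec)
    return valid, rejected


# Constructed sample feeds: one clean row per feed, the rest deliberately broken.
SAMPLE_STUDENTS: List[Record] = [
    {"student_id": "S-1001", "school_id": "SCH-001", "grade": 8, "enrollment_date": "2013-08-19"},
    {"student_id": "", "school_id": "SCH-001", "grade": 8, "enrollment_date": "2013-08-19"},
    {"student_id": "S-1003", "school_id": "SCH-999", "grade": 14, "enrollment_date": "19/08/2013"},
]
SAMPLE_STAFF: List[Record] = [
    {"staff_id": "T-200", "school_id": "SCH-002", "role": "Educator"},
    {"staff_id": "T-201", "school_id": "SCH-002", "role": "Janitor"},
]


def run_demo() -> Dict[str, object]:
    """Validate both feeds; return mart counts and (id, errors) per rejection."""
    s_valid, s_rej = validate_batch(SAMPLE_STUDENTS, STUDENT_RULES)
    t_valid, t_rej = validate_batch(SAMPLE_STAFF, STAFF_RULES)
    return {
        "students_to_mart": len(s_valid),
        "students_rejected": [(r.record.get("student_id"), r.errors) for r in s_rej],
        "staff_to_mart": len(t_valid),
        "staff_rejected": [(r.record.get("staff_id"), r.errors) for r in t_rej],
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

Collecting every failing rule per record, instead of stopping at the first one, is what makes the "correct and resubmit" loop tolerable for district staff; keeping the rule list as data also means a new state-reporting requirement is one added Rule, not a code change in the engine.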
How Does Data Service Propagation Work for Apps?
[Diagram: School District Authoritative Source Systems (SIS, FS, TR) -> School District ZIS (SIF 2.5 for each local district site) -> Ingest, Data Validation and Assembly -> Relational Data Store (Any Data Model) and Object Data Store -> Reports, Analytics; SIF/ZIS Integration API, Ed-Fi API, InBloom API; Data Propagation for Alternative Data Models out to service providers (SP)]
• Implicitly enables use of Application Programmatic Interfaces (API)
How Can Data Service Propagation Work for State Reporting?
[Diagram: Automated Data Set Assembly and Propagation -> Illinois State Board of Education Data Mart(s); Propagate; Manage Error Resolution]
Illinois Shared Learning Environment
The Platform's Second Pillar of Support: Identity Services
[Diagram: Federated School District Users/Orgs <- Trust -> Proxy <- Trust -> 3rd Party Service Providers & Other Federations (School and Non-School: inCommon, Google 4 Edu, Workforce Development, Other Service Providers), over SAML 2.0 and OAuth]
What is the Federated Identity Service?
[Diagram: Districts (1 .. N) using Active Directory, eDirectory, or LDAP/Kerberos <- Trust -> Proxy IDP/SP (School District Metadata, Non-School District Metadata) <- Trust -> Central Service; Read-Only Query Functionality against the Native Directory Interface; OAuth, OpenID]
• Authentication Delegation to Authoritative Source: the IDP delegates authentication to the district directory and does not forward it to a federated IdM "Cloud Provider" (Google EDU, InC Net+ Apps)
• InCommon Federation Metadata: the K12 IDP publishes, K12 Federation Service Providers (SP) subscribe; SSO Enabled
How Does the Federated Identity Service Work?
[Diagram: External Federations & Service Providers <- K12 Federation IDP Proxy (Metadata) -> K12 Org 1 … K12 Org N, each with an Authoritative Directory Source (AD | LDAP | Kerberos | eDirectory) and Local Service Providers, some SSO Enabled and some Not SSO Enabled; Custom ISLE Applications]
• School Districts have preexisting directories and business procedures that govern practices & processing. Centralized IdM (SAML2) provides local directory mapping and profiles for federated service uses.
How Do Attribute/Value Assertions & Web SSO Sessions Work?
1. Browser Accesses Protected App Resource (SP).
2. Request to the K12 Federation IDP Proxy: if no session, then prompt Fed-Login; else go to 4.
3. The IDP Proxy collects eduPersonPrincipalName and manages the Delegated Authentication Challenge/Response against the tenant directory; it collects & assembles eduPersonAffiliation and computes the eduPersonEntitlement values that are needed for the SP.
4. If Session, then process Attribute Assertions for the SP. IDP Attribute Resolvers & Filters:
• eduPersonPrincipalName
• eduPersonAffiliation
• eduPersonOrgDN
• eduPersonEntitlement *(Agreed)
5. User has navigated to the SP. 6. Response delivered to the SP. SP Attributes Needed & Parsing: the same four attributes.
7./8. Advanced Configuration: IDP/P + SP registered in the iTrust Federation Registry.
How Does the IDP use Tenant User's Profile?
[Flow: Browser Accesses Protected App Resource (SP) -> Browser Redirected to IDP/Proxy LOGIN Service (1. UserName 2. PassWord 3. OrgDN) -> Delegate Authentication to the Tenant's Authoritative Directory -> Tenant's Authoritative User Session Profile (1. OrganizationDN 2. EPPN 3. Affiliation 4. SP/Entitlement) populates the Tenant User Profile Table -> Shibboleth/IDP DBMS-Connected AttributeResolver (Just-In-Time Provisioning OR Verification/Validation of Existing)]
Column-to-attribute mappings from the Shibboleth IDP attribute-resolver configuration (dc:Column elements of a RelationalDatabase data connector over the Tenant User Profile Table):
    <!-- Each dc:Column maps one profile-table column to the attribute ID the resolver exposes -->
    <dc:Column columnName="given_name" attributeID="givenName" />
    <dc:Column columnName="surname" attributeID="sn" />
    <dc:Column columnName="edu_person_nickname" attributeID="eduPersonNickName" />
    <dc:Column columnName="mail" attributeID="mail" />
    <dc:Column columnName="organization_name" attributeID="organizationName" />
    <dc:Column columnName="home_organization_type" attributeID="homeOrganizationType" />
    <dc:Column columnName="edu_person_affiliation" attributeID="eduPersonAffiliationList" />
    <dc:Column columnName="edu_person_primary_affiliation" attributeID="eduPersonPrimaryAffiliation" />
    <dc:Column columnName="edu_person_scoped_affiliation" attributeID="eduPersonScopedAffiliation" />
    <dc:Column columnName="edu_person_org_dn" attributeID="eduPersonOrgDN" />
    <dc:Column columnName="edu_person_org_unit_dn" attributeID="eduPersonOrgUnitDNList" />
    <dc:Column columnName="edu_person_primary_org_unit_dn" attributeID="eduPersonPrimaryOrgUnitDN" />
    <dc:Column columnName="uid" attributeID="uid" />
    <dc:Column columnName="edu_person_principal_name" attributeID="eduPersonPrincipalName" />
    <dc:Column columnName="edu_person_targeted_id" attributeID="eduPersonTargetedID" />
    <dc:Column columnName="edu_person_unique_id" attributeID="eduPersonUniqueID" />
    <dc:Column columnName="edu_person_assurance" attributeID="eduPersonAssurance" />
    <dc:Column columnName="edu_person_principal_name_prior" attributeID="eduPersonPrincipalNamePrior" />
    <dc:Column columnName="edu_person_entitlement" attributeID="eduPersonEntitlement" />
    <dc:Column columnName="member_of" attributeID="memberOfList" />
Shibboleth/IDP AttributeFilters: for each SP or SP Group, using the attribute/value pairs available, propagate only the authorized assertions to the SP. Profile columns (attributes marked * on the original slide): * given_name, * surname, edu_person_nickname, * mail, * organization_name, * home_organization_type, edu_person_affiliation, edu_person_primary_affiliation, edu_person_scoped_affiliation, edu_person_org_dn, edu_person_org_unit_dn, edu_person_primary_org_unit_dn, * uid, edu_person_principal_name, edu_person_targeted_id, edu_person_unique_id, edu_person_assurance, edu_person_principal_name_prior, edu_person_entitlement, * member_of
How does eduPersonEntitlement Look Up-Close?
IDP Attribute Resolvers & Filters:
• eduPersonPrincipalName
• eduPersonAffiliation: Faculty, Staff, …, Library Walk-in
• eduPersonOrgDN: dc=district, dc=ext
• eduPersonEntitlement *(Agreed): Any String as a UR(N,I,L)
Privilege Groups Of Interest: SP Attributes Required Values When Group Member. Needs fine-grained privilege mapping to align to some collection of cohort declarations the user is a member of in the authoritative source system of reference.
"eduPersonEntitlement" Attribute value(s) to assert, because the Login User has the relevant "memberOf" entries in the authoritative source system of reference:
http://ApplicationName.ext/role/ILDATA_Building_Administrator,
http://ApplicationName.ext/role/ILDATA_Sheridan_Announcement,
..,
http://ApplicationName.ext/role/ILDATA_Sheridan_Attendance
What is the "User Profile"?
[Flowchart: IlliniCloud IAM Service with Identity-Repo; decision points as labelled on the slide]
1. App Login or Registration.
2. Is User AuthN? Is External AuthN? External Identity Provider via OAuth (Google, Facebook, MSN, Yahoo, & Others). 2a. Known Person? If yes: Registered Public User Session Okay; if no: Anonymous User, No Session. 2b. Is User Registering? Registration is automated; User's Personal Preferences are kept in the Identity-Repo.
3. Fed-Realm? 3a. Delegate AuthN To District (School District User's IDP). 3b. OrgDN Profile? If yes: Registered Realm User Session Okay; if no: Anonymous User, No Session.
4. Is Managing Profile? 4a. Has Profile? 4b. Personal Profile? 4c. Known User, Profile Persistent, & Session.
Illinois Shared Learning Environment
The Platform's Third Pillar of Support: Application Services
Multiple Tenant Portal and Application Launcher
Who Will Use the Application Service?
[Diagram: Presentation Service over Service, Data, and Identity]
CASE 1: Non-Authenticated Users, Anonymous. Unknown User may see only informational content.
CASE 2: Federated IDP Other Than IC IDP/P Authenticates User and implicitly claims identity authority for a user's logical session. Known User with No Affiliation & Organization Domain may use public Applications.
CASE 3: Authenticated by IC IDP/P implies defined Domain and Affiliation with Authorities expressed in Entitlements. Known User with Affiliation assigned may use the organization's informational content, services, and applications.
Visual Workspace:
What is the Application Service, a "Portal"?
1.) Web Browser Based Visual Presentation & Workspace
Much like the graphical user interface provided by a computer's operating system (Windows, Macintosh, Tablets, & Smart-phones).
Header and Footer:
* Optional: May include Active Controls (Buttons & Menus; Button, Icon, Symbol)
•Clickable Actions or Pop-up
•May Take Input
•May be Grouped Visually and/or Functionally
•Can be Combined with a Visual Theme and Preferences
•May be Located Anywhere
Horizontal (Button Bar): S #1 S #2 S #... S #N, Input; Vertical (Button Bar): Button #1 Button #2 Button #... Button #N, Input
Portlet Workspace: Background Visual Attributes are generally user definable and persisted as Preferences
Portlets (e.g. Portlet #1: Floating Window; Portlet #2: Window w/no Controls; Portlet #3: Minimized Window; Portlet #N: Invisible Win/Service)
•Optional Visual Window
•May Contain Buttons, Input/Forms, Any Media Content
•May be an Application or a Service
•May be Resized or Static
•Full Screen (WrkSpc), Floating Window, Minimized (Visible), Layered
•May be a Remote Service or a Local Service
•May Support Any Media
•Shares Session Attributes: User/Role, Organization, Access Rules, Authorizations
Portlet Attributes are generally user definable and persisted as Preferences (for each portlet), including size (min, max, full) & relative workspace location and window state.
Portal is the outer visual wrapper and user interface
•Portal Leverages SSO Service
•Manages User Identity for primary SSO/Sessions
How Does the "Portal" Work for Users?
[Screenshots: Login view: Tab Bar, Info Page, ISLE Apps, Illinois Open Education Resource Search. Logged-in view ([email protected]): Tab Bar, ISLE Apps, Illinois Open Education Resource Search, My Page, District Apps, Educator Dashboard]
Multi-Tenancy Application Launcher: Individual school districts are "tenants".
Anonymous & Non-District Authenticated Users: Public Apps & Informational Page(s)
Each tenant must be able to customize the appearance & content of the portal for its own needs. Users who log into the portal get the appropriate experience for the tenant (district) to which they are connected. Customization examples include logo, colors, header/footer text, navigation (tabs), and content (portlets). Tenants, moreover, not only need to manage these items, they also need to "manage the managers" – they must be able to grant or deny access to these management functions with regard to their own staff.
How Does the "Portal" Login Process Work?
Multi-Tenancy Global Login (IDP/Proxy): "Get User & Organization"
[Screenshot: Login: Tab Bar, Tenant Info, ISLE Apps, Illinois Open Education Resource Search. Anonymous User Invokes Login Action]
1 Determine Tenancy for Authentication
A.) Input: eduPersonPrincipalName
UserID: MyLoginID @ Domain Name List
Login Name [@domainName.ext] populates the "OrgDN" List for the Login Name; if more than one, force a choice.
B.) Derive: eduPersonOrgDN (/OrgUnitDN)
C.) Compute: eduPersonAffiliation
Typical "Affiliation" List for Login Name: faculty, student, staff, alum, member, affiliate, employee, library-walk-in
•if "Educator" then "faculty,member,employee"
•if "Staff Employee" then "staff,member,employee"
•if "Student" then "student,member"
•if "Parent/Guardian" then "affiliate"
•if "Externally AuthN" then "library-walk-in"
Authentication Service Action, Multi-Tenancy Global Login (IDP/Proxy): "Delegate Authentication as Required"
2 Determine Role Privileges
D.) Compute: eduPersonEntitlement
https://uportal.illinicloud.org/role/tenancy-manager
https://uportal.illinicloud.org/role/isle-app-manager
https://uportal.illinicloud.org/role/portal-admin
https://uportal.illinicloud.org/role/portal-educator
https://uportal.illinicloud.org/role/portal-student
[Screenshot: Teacher view after login ([email protected]): Illinois Open Education, Educator Dashboard, Tab Bar, Isle Apps, District Apps, EC/PK Apps, My Page]
General Purpose Login Process
User's "Tenant & Role" are Manifested as a Result of Login
Tenant Portal-Manager Controls
• Visual Attribute Customizations
• User Role Based Content Customizations
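The login steps A through D above, together with the eduPersonEntitlement mapping from "memberOf" groups shown on the earlier "Up-Close" slide and the per-SP attribute filter, as one added worked example. This is illustration code, not IlliniCloud/ISLE code and not Shibboleth configuration: the tenant registry, the directory records standing in for a read-only query of each district's AD/eDirectory/LDAP, the group-to-entitlement map and the SP release policy are all constructed; only the affiliation rules and the entitlement URI form come from the slides.

```python
"""Added example (not IlliniCloud/ISLE or Shibboleth code): login-time attribute
computation for a multi-tenant IDP/Proxy.  Tenancy from the login name (step A),
eduPersonOrgDN (B), eduPersonAffiliation (C), eduPersonEntitlement from directory
groups (D), then the per-SP release filter.  All tables below are constructed."""
from typing import Dict, List

# Constructed tenant registry: EPPN scope (the part after '@') -> eduPersonOrgDN.
TENANTS: Dict[str, str] = {
    "district-a.ext": "dc=district-a,dc=ext",
    "district-b.ext": "dc=district-b,dc=ext",
}

# Constructed stand-in for a read-only query of each tenant's authoritative
# directory (AD, eDirectory or LDAP/Kerberos), keyed by eduPersonPrincipalName.
DIRECTORY: Dict[str, dict] = {
    "jdoe@district-a.ext": {"kind": "Educator",
                            "memberOf": ["ILDATA_Building_Administrator", "ILDATA_Sheridan_Attendance"]},
    "jdoe@district-b.ext": {"kind": "Staff Employee",
                            "memberOf": ["ILDATA_Sheridan_Announcement", "Local_Printer_Users"]},
    "student1@district-b.ext": {"kind": "Student", "memberOf": []},
}

# Affiliation rules as given on the slide: directory 'kind' -> eduPersonAffiliation.
AFFILIATIONS: Dict[str, List[str]] = {
    "Educator": ["faculty", "member", "employee"],
    "Staff Employee": ["staff", "member", "employee"],
    "Student": ["student", "member"],
    "Parent/Guardian": ["affiliate"],
    "Externally AuthN": ["library-walk-in"],
}

# Constructed group -> entitlement map (URI form from the slide).  Only groups the
# SP has agreed on are listed, so any other directory group is never asserted.
ENTITLEMENT_BASE = "http://ApplicationName.ext/role/"
GROUP_ENTITLEMENTS: Dict[str, str] = {
    g: ENTITLEMENT_BASE + g
    for g in ("ILDATA_Building_Administrator", "ILDATA_Sheridan_Announcement", "ILDATA_Sheridan_Attendance")
}

# Constructed per-SP release policy (the attribute filter): entityID -> released attributes.
SP_RELEASE: Dict[str, List[str]] = {
    "https://dashboard.example.ext/shibboleth":
        ["eduPersonPrincipalName", "eduPersonAffiliation", "eduPersonOrgDN", "eduPersonEntitlement"],
    "https://public-app.example.ext/shibboleth": ["eduPersonAffiliation"],
}


class TenancyChoiceRequired(Exception):
    """A bare login name exists in more than one tenant: the user must choose."""


def tenancy_candidates(login_name: str) -> List[str]:
    """The 'OrgDN list' for a bare login name: every tenant that knows the name."""
    return [s for s in TENANTS if f"{login_name}@{s}" in DIRECTORY]


def determine_tenancy(login_name: str) -> str:
    """Step A: a scoped login (user@scope) names its tenant directly; a bare
    login resolves only when exactly one tenant knows it, else force a choice."""
    if "@" in login_name:
        scope = login_name.rsplit("@", 1)[1].lower()
        if scope not in TENANTS:
            raise KeyError(f"unknown tenant scope: {scope}")
        return scope
    matches = tenancy_candidates(login_name)
    if len(matches) == 1:
        return matches[0]
    raise TenancyChoiceRequired(matches)


def resolve_attributes(eppn: str, scope: str) -> Dict[str, object]:
    """Steps B-D: OrgDN from the tenant, affiliation from the directory record,
    entitlements from memberOf through the agreed map (unmapped groups dropped)."""
    entry = DIRECTORY.get(eppn)
    if entry is None:
        raise PermissionError("delegated authentication failed: unknown principal")
    return {
        "eduPersonPrincipalName": eppn,
        "eduPersonOrgDN": TENANTS[scope],
        "eduPersonAffiliation": AFFILIATIONS[entry["kind"]],
        "eduPersonEntitlement": sorted(GROUP_ENTITLEMENTS[g] for g in entry["memberOf"]
                                       if g in GROUP_ENTITLEMENTS),
    }


def assertion_for_sp(attrs: Dict[str, object], sp_entity_id: str) -> Dict[str, object]:
    """Attribute filter: release only what this SP is allowed; an unregistered SP gets nothing."""
    allowed = SP_RELEASE.get(sp_entity_id, [])
    return {k: v for k, v in attrs.items() if k in allowed}


def login(login_name: str, sp_entity_id: str) -> Dict[str, object]:
    """Whole flow: tenancy -> EPPN -> resolved attributes -> filtered assertion for the SP."""
    scope = determine_tenancy(login_name)
    eppn = login_name.lower() if "@" in login_name else f"{login_name}@{scope}"
    return assertion_for_sp(resolve_attributes(eppn, scope), sp_entity_id)


if __name__ == "__main__":
    print(login("jdoe@district-a.ext", "https://dashboard.example.ext/shibboleth"))
    print(login("student1", "https://public-app.example.ext/shibboleth"))
    try:
        login("jdoe", "https://dashboard.example.ext/shibboleth")
    except TenancyChoiceRequired as exc:
        print("force a choice among:", exc.args[0])
```

Two points the slides make are visible in the code: a raw directory group name never reaches an SP, only an agreed entitlement URI does (the "Local_Printer_Users" group is silently dropped), and the release filter is keyed by SP entityID, so the public application receives the affiliation list and nothing else, while an SP with no release policy receives an empty assertion.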
[Screenshots: role-specific portal views after login for Student, Staff, Teacher, and Administrator ([email protected]), with tab bars such as: Tab Bar, Isle Apps, Grade 8 Apps, Office Apps, My Page; Tab Bar, Isle Apps, Tenant Apps, Office Apps, My Page; Illinois Open Education Resource Search, Educator Dashboard, Tab Bar, Isle Apps, District Apps, My Page; Tab Bar, Isle Apps, District Apps, Admin Tools, My Page]
Illinois Shared Learning Environment
Three Pillars of Support Married With Application Programmatic Interfaces: Offer Significant Potential for LEAs* to Realize the Promise Envisioned for the ISLE Platform Operated as a K12 Federation for K12 by K12!
* Local Educational Authority
[Architecture diagram: inBloom Services, illiniCloud Services, inCommon Services, and Application Providers]
• School Districts (SD001, SD002, SD …, SDNNN): Local System -> SIF_2.5 -> SIF_2.5 to EDFI -> ODS; SD-Managed Data-Store (Org, SD Staff, SD Edu, Edu Kid) carrying inBloom Data, Roles and Identity
• illiniCloud Services: Integration API Service to inBloom; IAM Integration; Federated IAM Service; Federated Person Roles; Application Registry; Provider Registration
• inBloom Services: inBloom Operator API Service (Data, Role & Id; Auth[N/Z]); inBloom Applications Directory (App/Key); inBloom Application Providers
• inCommon Services: inCommon Federation Metadata Aggregator; Fed 2 Fed; Net+ and Affiliate Services (Auth[N/Z] and Identity); inCommon Services and Applications
• Third Party Application Providers: Federated Services, Auth[N/Z]
How Does the iBMLSS (inBloom Model Local Service Stack) Define a Tenant from the Top-Level?
[Diagram: components portal, lz, admin, api, dashboard, databrowser, sidp (SimpleIDP), LDAP]
1. SLC Operator: Tenant Admin Management; New LDAP Entry
2. Create Tenant-Adm (LDAP Entry)
3. Tenant #1 Service Owner
How the iBMLSS Works with SimpleIDP & DataStore Services?
[Diagram: sidp, iBMLSS LDAP, lz, admin, api; Tenant User #1; "Good Text? SN=?"]
https://github.com/inbloom/secure-data-service/blob/master/sli/simple-idp/src/main/java/org/slc/sli/sandbox/idp/service/UserService.java
• Email Validation & Approval Process
• Creates Logical Data Store/LZ (LandingZone)
• Designate AuthN Service
How Does the iBMLSS LDAP Service Work with SimpleIDP Service?
https://demo-1-sidp.demo.inbloom.org/simple-idp?realm=SLC-LDAP1
• Email Validation & Approval Process; Create Logical LandingZone; Designate AuthN Service
How Does the iBMLSS Work with API User Roles & Dir-Groups?
• Directory Groups Map To Fixed-Role Privileges (Manual)
• LDAP to SAML
Questions & Comments
Bernie Acs{[email protected]}, Jim Peterson {[email protected]}, Jason Radford {[email protected]}