IAM Service Catalog version 1.1


Academic year: 2021


Table of Contents

Service Catalog – Introduction ... 1 

Service Model ... 2 

Service Category Detail ... 4 

Service Catalog List ... 7 

Service Catalog Detail ... 9 

Terminology ... 19 

Contact Information ... 23 

Service Catalog – Introduction

The purpose of this document is to identify the Identity and Access Management services that are under development or proposed for development. Additional services will be defined as the project matures.

The initial set of IAM services will be centered on the Central Person Registry and will include:

• Applications and systems access to the CPR information.
• Management services for maintaining:
  o Identities
  o Contact information
  o Affiliations
  o PSU IDs
  o Penn State Access Account user IDs
  o Sponsored Accounts
  o Identity Assurance Profiles
• Matching services (with the goal of minimizing duplicate identities in central systems).
• Address validation services.
• Batch interfaces for maintenance of the CPR data from other entities.
• Management services for assignment of affiliations from systems of records.

In the pages to follow, we provide a summary of the IAM services that are currently being developed, scheduled for development and/or under consideration. We've also included a detailed listing of the services.

Service Model

The following page provides a high level model of the IAM Services.

[Figure: IAM Service Model diagram (ServiceModelDiagram.vsd). Service categories shown: Sponsored Accounts, PSU ID, Contact & Identity Info, Identity Assurance Profile, Affiliation, Matching, Address Validation, Batch Interfaces. Message services: Get/Find, Add, Update, Delete. Actors: Service Provider, Registration Authority, IAM Systems of Record, Central Person Registry, Generalized Interface.]

This is a high level overview of the IAM services. December 3, 2010

Service Category Detail

The following pages provide a high level description of the IAM Services by Category.

Service Category / Category Description

Affiliation: This collection of services enables an authorized registration authority to add, delete, or update an affiliation type and modifier for a person. Registration authorities and authorized principals also have the capability to retrieve information about a person's internal affiliation (PSU affiliates) and external affiliations (e.g. affiliates from another university or federation, e.g. eduPerson).

Codeset: This collection of services retrieves information about an Integrated Business Information Systems (IBIS) or Student Information Systems (ISIS) codeset. These services are provided by the Generalized Interface and will be called by the Central Person Registry system.

Contact Info: The contact information about a person maintained in the Central Person Registry includes:
• Name
• Address (multiple addresses)
• E-mail
• Phone
• Photo (ID+)
This collection of services enables an authorized registration authority to add, delete, or update contact information for a person. Registration authorities and authorized principals also have the capability to retrieve contact information about a person. Interfaces to service providers will include messaging (e.g. an address has changed, etc.). Validation services are included that will take data elements as input and 1) standardize the content and 2) validate whether the address exists.
The next release of the Central Person Registry will include services that:
• provide for "blocking" and "un-blocking" a person from the registry (e.g. to block their wireless).
• provide for "enabling" and "disabling" a person in the registry (e.g. for authentication).
• include a collection of ID+ picture services that will obtain the photo via a) data view, b) web service or c) LDAP jpeg photo.
• provide the ability to flip address types of persons (e.g. summer, winter, fall, temporary, etc.).
• provide logging of email.

Departmental Identity: A future collection of services related to university organizational units. For example, Information Technology Services, Administrative Information Services, Outreach, World Campus, University Budget Office, etc.

IAP: This collection of services enables authorized principals to retrieve Identity Assurance Profiles for Penn State persons and persons external to Penn State. The next release of the Central Person Registry will include services that will update the Identity Assurance Profile level and retrieve data associated with a registration event.

Location: A future collection of services related to university locations. For example, Room 223 Computer

Matching: This collection of services will allow an authorized principal to locate persons within the Central Person Registry via various combinations of data.

PSUID: This collection of services enables a registration authority and authorized principals to assign a PSU ID to a person in the Central Person Registry, as well as to retrieve, delete and update the PSU ID for a person. The next release of the Central Person Registry will include services that will provide the ability to update CIDR with the PSU ID.

Registration Authority: The next release of the Central Person Registry will include services that will enable authorized principals to add, delete, suspend and retrieve data for registration authorities. In addition, services will be developed around the collection of registration and proofing data for a person.

Sponsored Account: The second release of IAM services will include services to enable authorized principals to add, delete, disable and retrieve data for sponsored accounts.

USERID: This collection of services enables an authorized principal to add, delete, update and retrieve information for a person's USER ID.

Service Catalog List

Note: An "F" next to the service name indicates a "Future" service (i.e. not part of the first release).

Service Category / Service Name

AFFILIATION
  Get Internal Affiliations
  Add Affiliation
  Update Affiliation
  Delete Affiliation
  Get User Affiliations F
  Get External Affiliations

CODESET
  Get ISIS Codeset
  Get IBIS Codeset

CONTACT INFO
  Update Person
  Update Address Type F
  Log Email F
  Unblock Person F
  Block Person F
  Disable Person F
  Get Phone
  Get Photo ID Plus F
  Set Primary Email Address
  Add Phone
  Add Address
  Validate Address
  Get Person Service
  Enable Person F
  Get Email
  Delete Address
  Add Name
  Delete Name
  Get Name
  Update Name
  Update Address
  Delete Email
  Add Person
  Update Email
  Delete Phone
  Get Address
  Update Phone
  Delete Person
  Add Email

DEPARTMENTAL
  Departmental Identity F

IAP
  Get Registration Events IAP F
  Update IAP F
  Get External Identity Assurance Profile
  Get PSU Identity Assurance Profile

LOCATION
  Location F

MATCHING
  Get Match Codes
  Find User

PSUID
  Get PSU ID
  Get PSU ID by SSN
  Update PSU ID F
  Delete PSU ID F
  Update CIDR PSU ID F
  Get Next PSU Id
  Add PSU ID

REGISTRATION AUTHORITY
  Add Registration Authority Agent F
  Suspend Registration Authority Agent F
  Get Registration Authority Status F
  Proof User F
  Register User F
  Delete Registration Authority Agent F

SPONSORED ACCOUNT
  Add Sponsored Account F
  Update Sponsored Account F
  Disable Sponsored Account F
  Enable Sponsored Account F

SSN
  Update CIDR SSN F

USERID
  Update UserID F
  Delete UserID F
  Get Userid
  Add Userid

Service Catalog - Detail

Each entry below gives the Service Name, Description, Requestor, Provider, Id, and Future / Dependent Service columns of the catalog table.

AFFILIATION Category:

Add Affiliation
Description: This service enables an authorized Registration Authority to add an affiliation (type and modifier) for a user. The calling parameters to the service specify the affiliation type and its associated modifier. If the type and modifier do not represent a valid affiliation, the service returns an error. If the user has no affiliation relationship, one is created. If an affiliation relationship exists and the current and new affiliations match, return success. If the affiliations do not match and the affiliation transition is valid, expire the current affiliation and create a new affiliation relationship. Otherwise return an exception. The service returns either an exception (reason the add didn't happen) or success.
Requestor: Registration Authority/Central Person Registry
Provider: Central Person Registry
Id: 6
Future / Dependent Service: No / No

Delete Affiliation
Description: This service enables an authorized Registration Authority to delete (archive) an affiliation for a user. The calling parameters to the service specify the affiliation type and affiliation modifier. If the user has the specified affiliation, it will be archived. The service returns either an exception (reason the remove didn't happen) or success.
Requestor: Registration Authority/Central Person Registry
Provider: Central Person Registry
Id: 9
Future / Dependent Service: No / No

Get External Affiliations
Description: This service enables all authorized principals to retrieve external affiliations, i.e. eduPerson, for a user. The service returns either an exception (reason the retrieve didn't happen) or success.
Requestor: Registration Authority/Central Person Registry/Ser
Provider: Central Person Registry
Id: 15
Future / Dependent Service: No / No

Get Internal Affiliations
Description: This service allows authorized principals to retrieve Penn State affiliations for a user. This service returns either an exception (reason the retrieve didn't happen) or success.
Requestor: Registration Authority/Central Person Registry/Ser
Provider: Central Person Registry
Id: 12
Future / Dependent Service: No / No

Get User Affiliations
Description: A service to be developed in the next release that will obtain all of the users that have a particular affiliation.
Requestor: to be determined
Provider: Central Person Registry
Id: 43
Future / Dependent Service: Yes / No

Update Affiliation
Description: This service enables an authorized Registration Authority to update an affiliation for a user. The calling parameters to the service specify the affiliation type and modifier. If the user has no affiliation relationship, one is created. If an affiliation relationship exists and the current and new affiliations match, return success. If the affiliations do not match and the affiliation transition is valid, expire the current affiliation and create a new affiliation relationship. Otherwise return an exception. The service returns either an exception (reason the update didn't happen) or success.
Requestor: Registration Authority/Central Person Registry
Provider: Central Person Registry
Id: 16
Future / Dependent Service: No / No

CODESET Category:
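The Add Affiliation and Update Affiliation entries above describe the same decision sequence (validate the type/modifier, create if none exists, succeed if unchanged, expire-and-create on a valid transition, otherwise raise). The following is an added example, not code from the catalog or from the Central Person Registry project, that walks through that sequence in Python, including the check that the caller is an authorized Registration Authority. The affiliation code table, the allowed-transition table and the sample date are constructed assumptions.

```python
"""Added example (not from the catalog): the Add/Update Affiliation decision
logic, with the caller authorization check. Code tables are constructed."""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Tuple

Affil = Tuple[str, str]  # (affiliation type, modifier)

# Constructed sample code table: (type, modifier) pairs that are valid.
VALID_AFFILIATIONS = {
    ("STUDENT", "UNDERGRAD"), ("STUDENT", "GRAD"),
    ("EMPLOYEE", "STAFF"), ("EMPLOYEE", "FACULTY"),
}
# Constructed sample transition table: (current, new) pairs the registry accepts.
VALID_TRANSITIONS = {
    (("STUDENT", "UNDERGRAD"), ("STUDENT", "GRAD")),
    (("STUDENT", "GRAD"), ("EMPLOYEE", "STAFF")),
    (("EMPLOYEE", "STAFF"), ("EMPLOYEE", "FACULTY")),
}
TODAY = date(2010, 12, 3)  # constructed sample date


class AffiliationException(Exception):
    """Carries the reason the add/update did not happen back to the caller."""


@dataclass
class AffiliationRelationship:
    affiliation: Affil
    start: date
    end: Optional[date] = None  # None means the relationship is still active


@dataclass
class Person:
    psu_id: str
    relationships: List[AffiliationRelationship] = field(default_factory=list)

    def current(self) -> Optional[AffiliationRelationship]:
        active = [r for r in self.relationships if r.end is None]
        return active[0] if active else None


def add_affiliation(person: Person, atype: str, modifier: str,
                    caller_is_registration_authority: bool,
                    today: date = TODAY) -> str:
    """Return "created", "success" or "transitioned"; raise otherwise."""
    # Only an authorized Registration Authority may change affiliations.
    if not caller_is_registration_authority:
        raise AffiliationException("caller is not an authorized Registration Authority")
    new = (atype, modifier)
    # The type and modifier must represent a valid affiliation.
    if new not in VALID_AFFILIATIONS:
        raise AffiliationException(f"invalid affiliation type/modifier {new}")
    cur = person.current()
    # No affiliation relationship yet: create one.
    if cur is None:
        person.relationships.append(AffiliationRelationship(new, today))
        return "created"
    # Existing relationship already matches the request.
    if cur.affiliation == new:
        return "success"
    # A different affiliation is only accepted on a valid transition: expire
    # (never delete) the current relationship and create the new one.
    if (cur.affiliation, new) in VALID_TRANSITIONS:
        cur.end = today
        person.relationships.append(AffiliationRelationship(new, today))
        return "transitioned"
    raise AffiliationException(f"transition {cur.affiliation} -> {new} is not valid")


def try_add(person: Person, atype: str, modifier: str,
            caller_is_registration_authority: bool, today: date = TODAY) -> str:
    """Service-style wrapper: the outcome string, or "exception: <reason>"."""
    try:
        return add_affiliation(person, atype, modifier,
                               caller_is_registration_authority, today)
    except AffiliationException as exc:
        return f"exception: {exc}"


if __name__ == "__main__":
    p = Person("PSU-ID-PLACEHOLDER")
    for request in [("STUDENT", "UNDERGRAD", True), ("STUDENT", "GRAD", True),
                    ("EMPLOYEE", "FACULTY", True), ("EMPLOYEE", "STAFF", False)]:
        print(request, "->", try_add(p, *request))
```

Expired relationships stay in the person's history with an end date, which is what the Terminology section means by affiliations never being deleted; the authorization check runs before any validation so an unauthorized caller learns nothing about the person's current affiliation from the error.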

Get IBIS Codeset
Description: Retrieves information about an IBIS Codeset code. Retrieves an IBIS codeset. The response size arrays are 1:?, indicating the returned array will be sized to fit the number of values in the codeset. This is available from the Generalized Interface at https://es.ais.psu.edu/gitools/controller?page=serviceInfo&lookupId=getIbisCodeset.
Requestor: Central Person Registry
Provider: Generalized Interface
Id: 71
Future / Dependent Service: No / Yes

Get ISIS Codeset
Description: Retrieves an ISIS codeset. The response size arrays are 1-?, indicating the returned array will be sized to fit the number of values in the codeset. This is available from the Generalized Interface at https://es.ais.psu.edu/gitools/controller?page=serviceInfo&lookupId=getIsisCodeset.
Requestor: Central Person Registry
Provider: Generalized Interface
Id: 72
Future / Dependent Service: No / Yes

CONTACT INFO Category:

Add Address
Description: This service will enable an authorized registration authority to add an address for a user. The calling parameters to the service will specify the address along with the address type. If the user already has an address of the type specified, it will be expired prior to the new address being added. In addition, since we are dealing with an address, it will cause new match codes to be generated and interfacing with service providers to let them know of the address change. The service will either return an exception (with the reason the add did not happen) or success.
Requestor: Registration Authority/Central Person Registry
Provider: Central Person Registry
Id: 1
Future / Dependent Service: No / No

Add Email
Description: This service will enable an authorized registration authority to add an e-mail address for a user. The calling parameters to the service will specify the e-mail address along with the e-mail address type. If the user already has an e-mail address of the type specified, it will be expired prior to the new e-mail address being added. The service will either return an exception (with the reason the add did not happen) or success.
Requestor: Registration Authority/Central Person Registry
Provider: Central Person Registry
Id: 10
Future / Dependent Service: No / No

Add Name
Description: This service will enable an authorized registration authority to add a name for a user. The calling parameters to the service will specify the name along with the name type. If the user already has a name of the type specified, it will be expired prior to the new name being added. The service will either return an exception (with the reason the add did not happen) or success.
Requestor: Registration Authority/Central Person Registry
Provider: Central Person Registry

Add Person
Description: This service will enable an authorized registration authority to add a person to the registry. The calling parameters to the service will specify a minimal amount of data necessary for matching. If the user already exists in the registry, an exception will be returned to the user to indicate that, along with the pertinent data. Otherwise, the user will be added to the registry and the service providers will be notified of the new person. The service will either return an exception (with the reason the add did not happen) or success.
Requestor: Registration Authority
Provider: Central Person Registry
Id: 30
Future / Dependent Service: No / No

Add Phone
Description: This service will enable an authorized registration authority to add a phone number for a user. The calling parameters to the service will specify the phone along with the phone type. If the user already has a phone of the type specified, it will be expired prior to the new phone being added. The service will either return an exception (with the reason the add did not happen) or success.
Requestor: Registration Authority/Central Person Registry
Provider: Central Person Registry
Id: 22
Future / Dependent Service: No / No

Block Person
Description: A service to be developed in the next release that will enable an authorized registration authority to block a person in the registry (for wireless).
Requestor: Registration Authority
Provider: Central Person Registry
Id: 47
Future / Dependent Service: Yes / No

Delete Address
Description: This service will enable an authorized registration authority to delete (archive) an address for a user. The calling parameters to this service will specify which address to archive. Since the address is used by service providers, they will be notified of the archival. The service will either return an exception (with the reason the archive did not happen) or success.
Requestor: Registration Authority/Central Person Registry
Provider: Central Person Registry
Id: 3
Future / Dependent Service: No / No

Delete Email
Description: This service will enable an authorized registration authority to delete (archive) an e-mail address for a user. The calling parameters to this service will specify which e-mail address to archive. Since the e-mail address is used by service providers, they will be notified of the archival. The service will either return an exception (with the reason the archive did not happen) or success.
Requestor: Registration Authority/Central Person Registry
Provider: Central Person Registry
Id: 11
Future / Dependent Service: No / No

Delete Name
Description: This service will enable an authorized registration authority to delete (archive) a name for a user. The calling parameters to this service will specify which name to archive. Since the name is used by service providers, they will be notified of the archival. The service will either return an exception (with the reason the archive did not happen) or success.
Requestor: Registration Authority/Central Person Registry
Provider: Central Person Registry
Id: 5
Future / Dependent Service: No / No

Delete Person
Description: This service will enable an authorized registration authority to delete a person from the registry. In the case of a delete, the user data will not be removed; it will be archived. However, data that exists on the various service providers could be deleted. That decision is up to the service provider. The service will either return an exception (with the reason the delete did not happen) or success.
Requestor: Registration Authority/Other authorized entity
Provider: Central Person Registry
Id: 32
Future / Dependent Service: No / No

Delete Phone
Description: This service will enable an authorized registration authority to delete (archive) a phone number for a user. The calling parameters to this service will specify which phone number type to archive. Since the phone number is used by service providers, they will be notified of the archival. The service will either return an exception (with the reason the archive did not happen) or success.
Requestor: Registration Authority/Central Person Registry
Provider: Central Person Registry
Id: 24
Future / Dependent Service: No / No

Disable Person
Description: A service to be developed in the next release that will enable an authorized registration authority to disable a person in the registry (for authentication).
Requestor: Registration Authority
Provider: Central Person Registry
Id: 46
Future / Dependent Service: Yes / No

Enable Person
Description: A service to be developed in the next release that will enable an authorized registration authority to enable a person in the registry (for authentication).
Requestor: Registration Authority
Provider: Central Person Registry
Id: 45
Future / Dependent Service: Yes / No

Get Address
Description: This service will enable an authorized agent to obtain address information for a user in the CPR. The service will either return an exception (with the reason the get did not happen) or success.
Requestor: Registration Authority/Central Person Registry
Provider: Central Person Registry
Id: 21
Future / Dependent Service: No / No

Get Email
Description: This service will enable an authorized agent to obtain e-mail address information for a user in the CPR. The service will either return an exception (with the reason the get did not happen) or success.
Requestor: Registration Authority/Central Person Registry
Provider: Central Person Registry
Id: 13
Future / Dependent Service: No / No

Get Name
Description: This service will enable an authorized agent to obtain name information for a user in the CPR. The service will either return an exception (with the reason the get did not happen) or success.
Requestor: Registration Authority/Central Person Registry
Provider: Central Person Registry
Id: 7
Future / Dependent Service: No / No

Get Person Service
Description: This service will enable an authorized registration authority to obtain information about a person in the CPR. The service will either return an exception (with the reason the get did not happen) or success.
Requestor: Registration Authority/Other authorized entity
Provider: Central Person Registry
Id: 33
Future / Dependent Service: No / No

Get Phone
Description: This service will enable an authorized agent to obtain phone information for a user in the CPR. The service will either return an exception (with the reason the get did not happen) or success.
Requestor: Registration Authority/Central Person Registry
Provider: Central Person Registry

Get Photo ID Plus
Description: A service to be developed in the next release; refers to a collection of services needed for the ID+ Photo: a) obtain the photo via a data view, b) obtain the photo via a service or c) obtain the photo via LDAP jpegPhoto.
Requestor: to be determined
Provider: Central Person Registry
Id: 44
Future / Dependent Service: Yes / No

Log Email
Description: A service to be developed in the next release, to be defined around logging of email.
Requestor: Registration Authority/Central Person Registry
Provider: Central Person Registry
Id: 49
Future / Dependent Service: Yes / No

Set Primary Email Address
Description: This service will enable an authorized registration authority to set an e-mail address as the primary address for a user. The calling parameters to the service will specify the e-mail address type. If the user already has a primary e-mail address specified, it will be unset as primary prior to the new e-mail address type being set as primary. The service will either return an exception (with the reason the set did not happen) or success.
Requestor: Registration Authority/Central Person Registry
Provider: Central Person Registry
Id: 75
Future / Dependent Service: No / No

Unblock Person
Description: A service to be developed in the next release that will enable an authorized registration authority to unblock a person in the registry (for wireless).
Requestor: Registration Authority
Provider: Central Person Registry
Id: 48
Future / Dependent Service: Yes / No

Update Address
Description: This service will enable an authorized registration authority to update an address for a user. The calling parameters to the service will specify the address along with the address type. Since an update is being performed, the existing address will be expired prior to adding the new address. In addition, since we are dealing with an address, it will cause new match codes to be generated and interfacing with service providers to let them know of the address change. The service will either return an exception (with the reason the update did not happen) or success.
Requestor: Registration Authority/Central Person Registry
Provider: Central Person Registry
Id: 20
Future / Dependent Service: No / No

Update Address Type
Description: A service to be developed in the next release that will provide the ability to flip address types of persons, e.g. summer address, winter address, temporary address, etc.
Requestor: Registration Authority/Central Person Registry
Provider: Central Person Registry
Id: 50
Future / Dependent Service: Yes / No

Update Email
Description: This service will enable an authorized registration authority to update an e-mail address for a user. The calling parameters to the service will specify the e-mail address along with the type. If the user already has an e-mail address of the type specified, it will be expired prior to the new e-mail address being added. The service will either return an exception (with the reason the update did not happen) or success.
Requestor: Registration Authority/Central Person Registry
Provider: Central Person Registry
Id: 14
Future / Dependent Service: No / No

Update Name
Description: This service will enable an authorized registration authority to update a name for a user. The calling parameters to the service will specify the name along with the name type. If the user already has a name of the type specified, it will be expired prior to the new name being added. The service will either return an exception (with the reason the update did not happen) or success.
Requestor: Registration Authority/Central Person Registry
Provider: Central Person Registry
Id: 8
Future / Dependent Service: No / No

Update Person
Description: This service will enable an authorized registration authority to update information about a person in the registry. The service will either return an exception (with the reason the update did not happen) or success.
Requestor: Registration Authority
Provider: Central Person Registry
Id: 31
Future / Dependent Service: No / No

Update Phone
Description: This service will enable an authorized registration authority to update a phone number for a user. The calling parameters to the service will specify the phone along with the phone type. If the user already has a phone of the type specified, it will be expired prior to the new phone being added. The service will either return an exception (with the reason the update did not happen) or success.
Requestor: Registration Authority/Central Person Registry
Provider: Central Person Registry
Id: 23
Future / Dependent Service: No / No

Validate Address
Description: This service will receive address data elements as input and perform two operations. The service will perform standardization of the address data elements and determine whether the address exists. The capability for testing whether an address exists will depend on the final selection of the address validation database. There will likely be three conditions for the existence of an address (found, not found and unknown). A status of unknown would result if the coverage of the address database does not include the country of the input address. The inputs and outputs of the service are also dependent on the final selection of address validation software.
Requestor: Central Person Registry, Registration Authorities
Provider: Central Person Registry
Id: 40
Future / Dependent Service: No / No

DEPARTMENTAL Category:

Departmental Identity
Description: A service to be developed in a future release related to linkage and university organizational units.
Requestor: Registration Authorities/Central Person Registry
Provider: Central Person Registry
Id: 51
Future / Dependent Service: Yes / No

IAP Category:

Get External Identity Assurance Profile
Description: This service enables authorized services to retrieve External Identity Assurance Profiles.
Requestor: Registration Authority/Central Person Registry/Ser
Provider: Central Person Registry
Id: 18
Future / Dependent Service: No / No

Get PSU Identity Assurance Profile
Description: This service enables authorized services to retrieve the PSU Identity Assurance Profile.
Requestor: Registration Authority/Central Person Registry/Ser
Provider: Central Person Registry
Id: 17
Future / Dependent Service: No / No
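The Validate Address entry above specifies two operations (standardize the elements, then decide whether the address exists) and a three-way outcome in which "unknown" is returned when the database does not cover the input country. The following is an added example, not code from the catalog or the project, that implements that shape in Python. Because the catalog leaves the address validation database unselected, the coverage table, reference addresses and suffix abbreviations here are constructed stand-ins.

```python
"""Added example (not from the catalog): Validate Address with standardization
followed by a found / not found / unknown decision. Reference data is
constructed; it stands in for the yet-to-be-selected validation database."""
import re
from dataclasses import dataclass
from typing import Dict

REQUIRED_ELEMENTS = ("street", "city", "state", "zip", "country")
# Constructed coverage: countries the stand-in address database covers.
COVERED_COUNTRIES = {"US"}
# Constructed reference addresses, keyed on standardized elements.
KNOWN_ADDRESSES = {
    ("123 MAIN ST", "STATE COLLEGE", "PA", "16801", "US"),
    ("1 OLD MAIN", "UNIVERSITY PARK", "PA", "16802", "US"),
}
# Constructed street-suffix abbreviations for the standardization step.
SUFFIXES = {"STREET": "ST", "AVENUE": "AVE", "ROAD": "RD", "DRIVE": "DR"}


@dataclass(frozen=True)
class ValidationResult:
    status: str                  # "found", "not found" or "unknown"
    standardized: Dict[str, str]


def standardize(elements: Dict[str, str]) -> Dict[str, str]:
    """Operation 1: normalize case, whitespace, suffixes and ZIP format."""
    missing = [k for k in REQUIRED_ELEMENTS if k not in elements]
    if missing:
        raise ValueError(f"missing address elements: {missing}")
    std = {k: " ".join(str(elements[k]).split()).upper() for k in REQUIRED_ELEMENTS}
    std["street"] = " ".join(SUFFIXES.get(w, w) for w in std["street"].split())
    # Keep the 5-digit ZIP only (ZIP+4 is reduced); anything else becomes "".
    digits = re.sub(r"\D", "", std["zip"])[:5]
    std["zip"] = digits if len(digits) == 5 else ""
    return std


def validate_address(elements: Dict[str, str]) -> ValidationResult:
    """Operation 2: decide found / not found / unknown on standardized data."""
    std = standardize(elements)
    # Unknown: the database's coverage does not include the input country.
    if std["country"] not in COVERED_COUNTRIES:
        return ValidationResult("unknown", std)
    key = (std["street"], std["city"], std["state"], std["zip"], std["country"])
    return ValidationResult("found" if key in KNOWN_ADDRESSES else "not found", std)


if __name__ == "__main__":
    sample = {"street": "123  Main Street", "city": "state college",
              "state": "pa", "zip": "16801-1234", "country": "us"}
    print(validate_address(sample))
```

Callers should treat "unknown" differently from "not found": the former says nothing about the address, so rejecting it outright would block every person whose country the database does not cover.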

Get Registration Events IAP
Description: A service to be developed in the next release that will get data associated with a registration event.
Requestor: Registration Authorities/Central Person Registry
Provider: Central Person Registry
Id: 52
Future / Dependent Service: Yes / No

Update IAP
Description: A service to be developed in the next release that will update the Identity Assurance Profile level.
Requestor: Registration Authorities/Central Person Registry
Provider: Central Person Registry
Id: 53
Future / Dependent Service: Yes / No

LOCATION Category:

Location
Description: A service to be developed in a future release related to linkage and physical locations.
Requestor: Registration Authorities/Central Person Registry
Provider: Central Person Registry
Id: 76
Future / Dependent Service: Yes / No

MATCHING Category:

Find User
Description: This service allows a requester to find a person within the CPR using various combinations of input data.
Requestor: Registration Authority/Central Person Registry
Provider: Central Person Repository
Id: 42
Future / Dependent Service: No / No

Get Match Codes
Description: Accepts up to ten name/value pairs and returns match codes for the DFI Blue Fusion server. The input for this service is an array of up to ten sub-arrays. Each sub-array consists of two elements: the name of a match code type, and the value for which a match code is needed. The possible names of match code types are: NAME, ADDR, CITY, STATE, ZIP. This is a Generalized Interface service at https://es.ais.psu.edu/gitools/controller?page=serviceInfo&lookupId=getMatchCodes.
Requestor: Central Person Registry
Provider: Generalized Interface
Id: 74
Future / Dependent Service: No / Yes

PSUID Category:

Add PSU ID
Description: This service will enable an authorized registration authority to request the assignment of a PSU ID to a person in the CPR. The service will either return an exception (with the reason the add did not happen) or success.
Requestor: Registration Authority/Central Person Registry
Provider: Central Person Registry
Id: 26
Future / Dependent Service: No / No

Delete PSU ID
Description: A service to be developed in the next release that will enable an authorized registration authority to delete the assignment of a PSU ID to a person in the CPR.
Requestor: Registration Authority/Central Person Registry
Provider: Central Person Registry
Id: 56
Future / Dependent Service: Yes / No
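The Get Match Codes entry above fixes an input contract: an array of at most ten sub-arrays, each holding a match code type name and a value, with the type drawn from NAME, ADDR, CITY, STATE and ZIP. The following is an added example, not code from the catalog or the Generalized Interface, showing how a caller such as the Central Person Registry can check a request against that contract before forwarding it. The match codes themselves are produced by the DFI Blue Fusion server behind the Generalized Interface and are not reproduced here; the error messages and the `request_status` wrapper are this example's own.

```python
"""Added example (not from the catalog): validation of a Get Match Codes
request against the documented input contract. Nothing here computes match
codes; it decides what is well-formed enough to forward."""
from typing import Any, List, Tuple

MATCH_CODE_TYPES = ("NAME", "ADDR", "CITY", "STATE", "ZIP")
MAX_PAIRS = 10


class MatchCodeRequestError(ValueError):
    """Raised with the reason a request does not meet the input contract."""


def validate_match_code_request(pairs: Any) -> List[Tuple[str, str]]:
    """Return normalized (TYPE, value) pairs or raise MatchCodeRequestError."""
    if not isinstance(pairs, (list, tuple)):
        raise MatchCodeRequestError("input must be an array of sub-arrays")
    if not pairs:
        raise MatchCodeRequestError("at least one name/value pair is required")
    if len(pairs) > MAX_PAIRS:
        raise MatchCodeRequestError(
            f"at most {MAX_PAIRS} pairs are allowed, got {len(pairs)}")
    normalized: List[Tuple[str, str]] = []
    for index, pair in enumerate(pairs):
        # Each sub-array is exactly [match code type name, value].
        if not isinstance(pair, (list, tuple)) or len(pair) != 2:
            raise MatchCodeRequestError(f"pair {index} must have exactly two elements")
        name, value = pair
        # Only the five documented type names are forwarded; anything else
        # (including other identifiers a caller might try to pass) is refused.
        if not isinstance(name, str) or name.strip().upper() not in MATCH_CODE_TYPES:
            raise MatchCodeRequestError(f"pair {index}: unknown match code type {name!r}")
        if not isinstance(value, str) or not value.strip():
            raise MatchCodeRequestError(f"pair {index}: value must be a non-empty string")
        normalized.append((name.strip().upper(), value.strip()))
    return normalized


def request_status(pairs: Any) -> str:
    """Convenience wrapper returning "ok" or "rejected: <reason>"."""
    try:
        validate_match_code_request(pairs)
        return "ok"
    except MatchCodeRequestError as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    print(validate_match_code_request([["name", "John Doe"], ["zip", " 16801 "]]))
    print(request_status([["SSN", "placeholder"]]))
```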

Get Next PSU Id
Description: This service will choose the next available Penn State Id number for assignment. The next id number is selected at random from a pool of unused Penn State id numbers. Random means that there should be no way to predict the value of the next Penn State id to be selected. The service will place the selected id number in a pending status temporarily so the number will not be reused. For the pilot deployment, available Penn State ids will begin with a letter.
Requestor: Central Person Registry/Registration Authority
Provider: Central Person Registry
Id: 41
Future / Dependent Service: No / No

Get PSU ID
Description: This service will enable an authorized agent to obtain PSU ID information for a user in the CPR. The service will either return an exception (with the reason the get did not happen) or success.
Requestor: Registration Authority/Central Person Registry
Provider: Central Person Registry
Id: 27
Future / Dependent Service: No / No

Get PSU ID by SSN
Description: This service will receive a SSN and will return the individual's PSU-ID. This is available from the Generalized Interface at https://es.ais.psu.edu/gitools/controller?page=serviceInfo&lookupId=getPSUIDBySsn.
Requestor: Central Person Registry
Provider: Generalized Interface
Id: 73
Future / Dependent Service: No / Yes

Update CIDR PSU ID
Description: A service to be developed in the next release that will provide the ability to update CIDR with the PSU ID.
Requestor: Central Person Registry
Provider: Central Person Registry
Id: 57
Future / Dependent Service: Yes / No

Update PSU ID
Description: A service to be developed in the next release that will enable an authorized registration authority to request the assignment of a PSU ID to a person in the CPR.
Requestor: Registration Authority/Central Person Registry
Provider: Central Person Registry
Id: 55
Future / Dependent Service: Yes / No

REGISTRATION AUTHORITY Category:

Add Registration Authority Agent
Description: A service to be developed in the next release that will add a Registration Authority Agent.
Requestor: Registration Authority/Central Person Registry
Provider: Central Person Registry
Id: 61
Future / Dependent Service: Yes / No

Delete Registration Authority Agent
Description: A service to be developed in the next release that will delete a Registration Authority agent.
Requestor: Registration Authority/Central Person Registry
Provider: Central Person Registry
Id: 63
Future / Dependent Service: Yes / No

Get Registration Authority Status
Description: A service to be developed in the next release that will return the status of a Registration Authority.
Requestor: Registration Authority/Central Person Registry
Provider: Central Person Registry
Id: 62
Future / Dependent Service: Yes / No

Proof User
Description: A service to be developed in the next release that will collect and store proofing data from a user (e.g. existing user, password reset, lost password, etc.).
Requestor: Central Person Registry
Provider: Central Person Registry
Id: 60
Future / Dependent Service: Yes / No

Register User
Description: A service to be developed in the next release that will collect and store registration data from a user (for the purpose of establishing behind the scenes LOA/IAP).
Requestor: Central Person Registry
Provider: Central Person Registry
Id: 59
Future / Dependent Service: Yes / No

Suspend Registration Authority Agent
Description: A service to be developed in the next release that will suspend a Registration Authority agent.
Requestor: Registration Authority/Central Person Registry
Provider: Central Person Registry
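The Get Next PSU Id entry above states three properties: the next id is chosen so that it cannot be predicted, the chosen id is held in a pending status so it is not handed out twice, and pilot ids begin with a letter. The following is an added example, not code from the catalog or the Central Person Registry, that implements those properties in Python. The pool contents, the id format, the pending time-to-live and the `try_get_next` helper are constructed assumptions.

```python
"""Added example (not from the catalog): an unpredictable, non-reusing
Get Next PSU Id stand-in. Pool size, id format and the pending TTL are
constructed assumptions."""
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

PENDING_TTL_SECONDS = 300.0  # assumption: how long a selected id stays pending


def pilot_pool(prefix: str = "A", count: int = 1000) -> Set[str]:
    """Constructed pilot pool: ids begin with a letter, e.g. A000123."""
    return {f"{prefix}{n:06d}" for n in range(1, count + 1)}


@dataclass
class PsuIdPool:
    unused: Set[str]
    pending: Dict[str, float] = field(default_factory=dict)  # id -> expiry time
    assigned: Set[str] = field(default_factory=set)

    def _expire_pending(self, now: float) -> None:
        # A pending id whose hold lapsed without confirmation becomes available
        # again; it was never removed from `unused`, so dropping the hold suffices.
        for psu_id, expires in list(self.pending.items()):
            if expires <= now:
                del self.pending[psu_id]

    def get_next_psu_id(self, now: float) -> str:
        """Select an unused id unpredictably and hold it pending."""
        self._expire_pending(now)
        available = sorted(self.unused - set(self.pending))
        if not available:
            raise LookupError("no unused PSU ids remain")
        # secrets.choice draws from the OS CSPRNG. random.choice is seeded
        # from observable state and its stream is reconstructible, which the
        # "no way to predict the next id" requirement rules out.
        chosen = secrets.choice(available)
        self.pending[chosen] = now + PENDING_TTL_SECONDS
        return chosen

    def confirm_assignment(self, psu_id: str, now: float) -> None:
        """Move a pending id to assigned once the person record is committed."""
        self._expire_pending(now)
        if psu_id not in self.pending:
            raise LookupError(f"{psu_id} is not pending (hold expired or never issued)")
        del self.pending[psu_id]
        self.unused.remove(psu_id)
        self.assigned.add(psu_id)


def try_get_next(pool: PsuIdPool, now: float) -> Optional[str]:
    """Service-style wrapper: the selected id, or None when the pool is exhausted."""
    try:
        return pool.get_next_psu_id(now)
    except LookupError:
        return None


if __name__ == "__main__":
    pool = PsuIdPool(unused=pilot_pool("A", 3))
    first = pool.get_next_psu_id(now=0.0)
    print("selected", first, "pending until", pool.pending[first])
    pool.confirm_assignment(first, now=1.0)
    print("assigned", sorted(pool.assigned), "remaining", sorted(pool.unused))
```

The `now` parameter is passed in rather than read from the clock so the expiry behaviour is testable; a production service would pass the current time and persist the pending holds so that a restart does not release them early.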

SPONSORED ACCOUNT Category:

Add Sponsored Account
Description: A service to be developed in the next release that will allow an authorized user to add a Sponsored Account.
Requestor: Registration Authority/Central Person Registry
Provider: Central Person Registry
Id: 65
Future / Dependent Service: Yes / No

Disable Sponsored Account
Description: A service to be developed in the next release that will allow an authorized user to disable a Sponsored Account.
Requestor: Registration Authority/Central Person Registry
Provider: Central Person Registry
Id: 67
Future / Dependent Service: Yes / No

Enable Sponsored Account
Description: A service to be developed in the next release that will allow an authorized user to enable a Sponsored Account.
Requestor: Registration Authority/Central Person Registry
Provider: Central Person Registry
Id: 68
Future / Dependent Service: Yes / No

Update Sponsored Account
Description: A service to be developed in the next release that will allow an authorized user to update a Sponsored Account.
Requestor: Registration Authority/Central Person Registry
Provider: Central Person Registry
Id: 66
Future / Dependent Service: Yes / No

SSN Category:

Update CIDR SSN
Description: A service to be developed in the next release that will provide the ability to update CIDR with SSN.
Requestor: Central Person Registry
Provider: Central Person Registry
Id: 58
Future / Dependent Service: Yes / No

USERID Category:

Add Userid
Description: This service will enable an authorized registration authority to add a network id to a user. The calling parameters to the service will specify the person identifier. The service will either return an exception (with the reason the add did not happen) or success.
Requestor: Registration Authority/Central Person Registry
Provider: Central Person Registry
Id: 28
Future / Dependent Service: No / No

Delete UserID
Description: A service to be developed in the next release that will allow an authorized user to delete the list of all user ids associated with a person id number.
Requestor: Registration Authority/Central Person Registry
Provider: Central Person Registry
Id: 70
Future / Dependent Service: Yes / No

Get Userid
Description: This service will enable an authorized agent to obtain userid information for a user in the CPR. The service will either return an exception (with the reason the get did not happen) or success.
Requestor: Registration Authority/Central Person Registry
Provider: Central Person Registry
Id: 29
Future / Dependent Service: No / No

Update UserID
Description: A service to be developed in the next release that will allow an authorized user to update the list of all user ids associated with a person id number.
Requestor: Registration Authority/Central Person Registry
Provider: Central Person Registry
Id: 69
Future / Dependent Service: Yes / No

(19)

Terminology

Affiliation
  Affiliation is the combination of one's relationship with Penn State (which may allow access to electronic services) and some form of trusted (may not be Penn State) identity. At Penn State, affiliations are not roles; they are never deleted. One may have zero, one or many active relationships. Zero occurs if all relationships have been deactivated; the affiliation is active if one has one or more active relationships. When the affiliation is active, there is a single "dominant" relationship.

Identity and Access Management
  Identity Management is multidisciplinary and covers multiple dimensions:
  Penn State: The alignment of University business processes, policies, and technologies that manage identities to support the delivery of a rich and diverse array of online services for faculty, staff, and students.
  Administrative: An administrative process coupled with a technological solution that validates the identity of individuals and allows owners of data, applications, and systems to either maintain centrally or distribute responsibility for granting access to their respective resources to anyone participating within the IAM framework.
  Technical: Identity management systems (identification, implementation, administration and termination of identities with access to information systems, buildings and data within an organization).
  Legal: Such as legislation for data protection.
  Police: For instance, dealing with identity theft.
  Social: Dealing with issues such as privacy.
  Security: Elements such as access control.
  See the IAM Final Report and Recommendations for concepts, goals and strategic recommendations related to Penn State's IAM initiatives.
  For example: At Penn State, a cohesive IAM strategy and [...] services.

Level of Assurance (LOA)
  The degree of confidence in the vetting and proofing processes used to establish the identity of the individual to whom the credential is issued. Levels of Assurance also consider the degree of confidence that the individual who uses the credential is the individual to whom the credential was issued. See "Assurance Levels" for related information.

Access Account (Penn State)
  A Penn State Access Account is a user ID and password that enables Penn State students, faculty, and staff to use the full range of the University's Internet services, on or off campus, at computer labs or on personal computers. Once a user's Access Account is active, it provides authentication (user ID/password), an entry in Penn State's Directory Services, e-mail service and file storage space known as Penn State Access Storage Space (PASS). These entitlements are associated with a full Access Account. Slim Access Accounts may also be issued, which provide only for authentication and an entry in Directory Services. Penn State Personal Web space may also be obtained by taking and passing a short quiz (upon successful completion of the quiz, Web space is created within one's PASS folder). Currently the Kerberos realm name for Access Accounts is dce.psu.edu.
  For example: xyz5000 (a sample user ID) plus a password equals an Access Account.

Registration Authority
  A University entity that has the authority to verify user information and issue credentials.
  For example: Penn State World Campus is a Registration Authority for World Campus students.

Identity Provider
  Commonly referred to as IdP, it is the originating location for a user. For InCommon, an IdP is a campus or other organization that operates and manages an identity management system and offers information about members to other InCommon participants.
  For example: Information Technology Services (ITS) is an IdP for Penn State (Penn State's IdP is established as Penn State University).

Affiliate
  A person who has some connection to the University.
  For example: a student, faculty or staff member, vendor, spouse, alumnus, donor, guest, etc.

Central Person Registry
  A centralized person registry is a single data store that combines and consolidates identity information currently stored in separate and non-integrated sources throughout the University. In its simplest form, a person registry is a data store of user information.
  For example:
    Central ID Repository (CIDR)
    Friends of Penn State (FPS)
    Central Accounts Coordination Tracking of User Services (CACTUS)
    Integrated Student Information System (ISIS)
    Integrated Business Information System (IBIS)
    Many others

Service Provider
  A Service Provider is a Penn State University entity that makes online resources available to users based in part on information about them that it receives from the Central Person Registry.
  For example: the ANGEL course management system, Penn State email, Admissions applications, etc.

PSU ID
  A Penn State Identification Number or PSU ID is assigned to individuals and is to be used as the primary identifier in Penn State's administrative and academic systems. The PSU ID is a nine digit number, beginning with 9, in the following format: 9-XXXX-XXXX. The PSU ID is unique to the individual and is a lifetime assignment used for multiple and changing relationships with Penn State. For more information on the application and use of the PSU ID, see Policy AD19.
  For example: A PSU ID is issued to anyone enrolling in Penn State academic offerings, including credit and non-credit instruction, that are recorded in the Integrated Student Information System (ISIS).
  For example: All Penn State employees, including wage payroll, are issued a PSU ID at the time of employment.

User ID and Password (Penn State)
  Your user ID is the "public" part of your Access Account. This is the part you should share with others so that they know where to send you electronic mail. Your user ID is usually your initials followed by a 1- to 3-digit number such as xyz101. The letters are lowercase.
  Your password, on the other hand, should be kept private. Your password is the "key" that lets you open electronic doors. Guard your password just as you guard your bank card PIN. Don't write it down or make it easy for someone to "crack." Don't share your password with others, as they would then have the opportunity to read your email, see your grades, obtain your transcript, and forge email and news postings from you.

Identity Assurance Profile (IAP)
  A set of data, associated with an individual, that reflects the degree of confidence in the vetting and proofing processes used to establish the identity of the individual to whom the credential is issued at a given point in time. See "Assurance Levels" and "Levels of Assurance" for related information.
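The Add Userid and Get Userid entries in the USERID category describe a single contract (a person identifier goes in; either success or an exception carrying the reason comes back), and the PSU ID entry above fixes the identifier format those calls take. The following Python sketch is an added example and not code from the IAM project or this catalog: the in-memory registry, the set of authorized callers, the exception reasons, the check order and the loose user-ID pattern are all assumptions, and every identifier in it is a constructed sample.

```python
"""Added example, not the IAM project's own code: the "Add Userid" / "Get Userid"
contract (success, or an exception carrying the reason) over a stand-in for the
Central Person Registry.  Registry layout, caller list, reasons and the user-ID
pattern are assumptions; all identifiers below are constructed samples."""
import re
from dataclasses import dataclass, field

# Assumed loose user ID shape: lowercase letters then digits.  The catalog says
# "usually" initials plus a 1- to 3-digit number (xyz101) but also shows xyz5000,
# so the digit count is deliberately not pinned down here.
USERID_RE = re.compile(r"^[a-z]+[0-9]+$")


class ServiceError(Exception):
    """Raised instead of returning success; .reason states why the call did not happen."""

    def __init__(self, reason: str):
        super().__init__(reason)
        self.reason = reason


def normalize_psu_id(person_id: str) -> str:
    """Accept 9XXXXXXXX or 9-XXXX-XXXX and return the hyphenated PSU ID form.

    The catalog defines a PSU ID as nine digits beginning with 9, written
    9-XXXX-XXXX; anything else is rejected with a reason.
    """
    digits = person_id.replace("-", "")
    if len(digits) != 9 or not digits.isdigit() or digits[0] != "9":
        raise ServiceError(f"malformed person identifier: {person_id!r}")
    return f"{digits[0]}-{digits[1:5]}-{digits[5:]}"


@dataclass
class Registry:
    """Hypothetical in-memory stand-in for the Central Person Registry."""

    authorized_ras: set = field(default_factory=set)       # callers allowed to add/get
    userids_by_person: dict = field(default_factory=dict)  # PSU ID -> [user ids]
    owner_of_userid: dict = field(default_factory=dict)    # user id -> PSU ID


def add_userid(registry: Registry, caller: str, person_id: str, userid: str) -> str:
    """Add a network id to the person identified by person_id.

    Returns "success" or raises ServiceError with the reason the add did not
    happen.  Checks run in the order a service would apply them: who is
    calling, whether the person identifier is well formed, whether the user id
    is well formed, and whether it is already taken (one owner per user id).
    """
    if caller not in registry.authorized_ras:
        raise ServiceError(f"caller {caller!r} is not an authorized registration authority")
    psu_id = normalize_psu_id(person_id)
    if not USERID_RE.fullmatch(userid):
        raise ServiceError(f"malformed user id: {userid!r}")
    owner = registry.owner_of_userid.get(userid)
    if owner is not None:
        who = "this person" if owner == psu_id else "another person"
        raise ServiceError(f"user id {userid!r} is already assigned to {who}")
    registry.owner_of_userid[userid] = psu_id
    registry.userids_by_person.setdefault(psu_id, []).append(userid)
    return "success"


def get_userids(registry: Registry, caller: str, person_id: str) -> list:
    """Return the user ids held for a person, or raise ServiceError with a reason."""
    if caller not in registry.authorized_ras:
        raise ServiceError(f"caller {caller!r} is not an authorized agent")
    return list(registry.userids_by_person.get(normalize_psu_id(person_id), []))


def demo() -> dict:
    """Constructed walk-through; returns each call's outcome keyed by scenario."""
    reg = Registry(authorized_ras={"world-campus-ra"})
    out = {"ok": add_userid(reg, "world-campus-ra", "912345678", "xyz101")}
    attempts = {
        "unauthorized": ("unknown-caller", "9-1234-5678", "abc102"),
        "bad_psu_id": ("world-campus-ra", "8-1234-5678", "abc102"),
        "bad_userid": ("world-campus-ra", "9-1234-5678", "XYZ101"),
        "duplicate": ("world-campus-ra", "9-8765-4321", "xyz101"),
    }
    for label, args in attempts.items():
        try:
            out[label] = add_userid(reg, *args)
        except ServiceError as err:
            out[label] = err.reason
    out["userids"] = get_userids(reg, "world-campus-ra", "9-1234-5678")
    return out


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario}: {outcome}")
```

The point of the design is that every refusal carries a reason a caller can act on, while the authorization check comes first so that an unauthorized caller learns nothing about which PSU IDs or user ids exist.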

Contact and Community Information

E-Mail: [email protected]
Web Site: https://iam.psu.edu/
Follow "PennStateIAM" on: Delicious, Twitter, YouTube
