
Conference Dial-in Number: 1 (605) 475-4333
Participant Access Code: 133352
Date/Time: Tuesday, May 4th at Noon Pacific time

Topics for the first conference call

  1. What existing federated identity services are you using or looking at using?
    1. What specific populations of users require federation?
  2. What are your federated identity needs for your Kuali applications at your campus?
  3. Have you already done some work with Kuali applications and/or KIM to provide federated identity?
  4. What are the typical challenges institutions might expect to face in terms of federating access to their Kuali-based systems?
  5. What possible enhancements or improvements could be made to KIM (or elsewhere) to better support federation?

Suggested reading prior to meeting (starting @ slide 37)

On Apr 12, 2010, at 2:09 PM, Westfall, Eric Curtis wrote:

The topic of federated identity came up in the Rice collaboration meeting today. Recently, Dan Seibert (from UCSD) and myself did a presentation on KIM and integrating it with other software at JA-SIG. There is some content in there related to integration with Shibboleth and federated identity which may be of interest. Here is a direct link to the download:

What existing federated identity services are you using or looking at using?

UC Davis: Tom Poage, David Walker, Curtis Bray

  • ANR - Handful of UC campuses
  • Sympa - Listserv for campus
  • UC Ready - Business continuity planning for UC campuses
  • AYSO - UCOP self-service payroll/benefits site
  • LMS - Employee training management system (external vendor)
  • Connexus - Travel booking (external vendor)

UWash - Jim Thompson

  • Most identity services based on Kerb and PubCookie

UCSB - Arlene Allen

  • Ditto for UCs

Dan Seibert - UCSD

  • UCTrust and collaborative effort with UCI
    • Online AP for academic reviews. Possibly using KSB. Both campuses use Shib.

UCR - Andrew Tristan

  • Also UCTrust - support same apps

UCOP - Dee Dee Truno

  • Listening in

Tim Carroll - U Illinois

  • Kuali workflow pilot
  • Homegrown web SSO - want to replace in coming years
    • Looking to Shib as one of options

Renee Shuey - Penn State

  • Exploring Kuali
    • Looking at Coeus
    • Kuali Student has been mentioned as a possible replacement for current student system
  • Fed since 2002 - dozen service providers (First production Shib application)

Eric Westfall - Indiana U

  • Interested in what Rice can do to make federation easier.
  • Part of Incommon
    • Provide identity through CAS
  • Not used in current Enterprise apps at IU

Steve Carmody - Brown U

  • Shib to access variety of outsourced services (athletic ticketing, ADP, etc.)
  • Replacing homegrown SSO with Shib as campus SSO
  • Eval KR (particularly KEW/KIM for simple local workflow based apps)
  • Run MACE Grouper SW - Looking at KIM/Grouper
  • Run MIT Coeus -> Moving to KC in the future -> Poster child of federation use case (PI's collaborating on proposal)

Ron Splittgerber - ColoState

  • Coeus - Incommon Silver to access Biocontainment (looking at LOA 3)

Eric: Does UC federation just within UC or with other members?

  • David: UCTrust basically maps onto what InCommon Silver will represent. UCTrust is the UC sub-set of InCommon to

Thoughts around Kuali and Federation

  • How do users from federated sources make their way into KIM?
    • TomP: Back-channeling tons of users that may never use system may create 'identity leakage'. Need to identify populations that would need to be provisioned out of band.
  • Who gets to decide which users are shared?
    • Business processes and procedures to determine correct populations
  • Does SP hold on to all identity and permissions?

  • Within large university system, hosting school may accept dynamic provisioning given their other business processes
  • Identities have scope in a federated world - how would KIM support scoped identities?
    • Eric: Scoping KIM principals could help support federation
    • Curtis: KNS screens could show 'scope' information so the user knew where identity came from
    • David: Source/Destination of document might need to select which KEW instance processes the document

  • Beyond identity, what about permissions?
    • Curtis: If enough comes along through attributes, permissions could be dynamically assigned within KIM

  • Growing number of use cases about how to represent permissions
    • Focused around librarians
    • What are the LDAP/SAML mappings?
    • Only been ad-hoc efforts before today, but realize it's worth coming up with a common effort

  • Could KIM prescribe attributes that IdP would provide to KIM enabled SP?
    • Steve: No documented standard or best practice - fair amount of flexibility.
      • Wire vs. system storage should be separated
      • Delegated vs. SP managed

  • Are Trust relationships built into Shib?
    • Steve:
      • Shib handles 'on the wire' trust
      • Business trust (e.g. grants management at Brown have trust in grants management at UC Davis to delegate permission management to them?)

Next Steps

Eric: Follow up with Derk @ Viatech RE: USC KIM/Shib implementation
Eric: Reach out to functional users of Kuali Apps to gauge interest in helping to define use cases
Eric/Curtis: Scoping identity within KIM - Work on design ideas
Steve: Send note to Keith to look at sharing Internet2 space for collaborative use case collection
Curtis: Schedule another call when there is progress to report
