Document Status

This brick is due for a review. New options, such as groups event notifications via AWS, are missing.

Description

Groups integration allows applications to reference and use groups data mastered in the UW groups service.

Status Table

The following table categorizes related technologies according to their current lifecycle status.

Emerging (Trends to watch)

  Software: none

  Protocols:

  • SCIM 2.0
  • OpenID Connect (et al.)

  Technical Services:

  • Windows Azure Shared Access Signature
  • UWWI Windows Azure Active Directory (AAD)

Strategic (Future)

  Software: none

  Protocols: none

  Technical Services: none

Tactical (Limited support)

  Software:

  • Kuali Rice KIM
  • Windows Identity Foundation (WIF)
  • WIF Extension for the SAML 2.0 Protocol CTP

  Protocols:

  • WS-Federation (memberOf claim via Passive Requestor Profile)
  • WS-Trust

  Technical Services:

  • Group Data Import Service (tegea)
  • UWWI Active Directory Federation Service (ADFS)
  • Amazon Web Services (SQS/SNS)

Baseline (Full support)

  Software:

  • Shibboleth Service Provider (isMemberOf and eduPersonEntitlement attributes)

  Protocols:

  • SAML 2.0 (Web Browser SSO Profile)
  • Groups REST API
  • LDAPv3 (group objects in Active Directory)
  • Windows integration

  Technical Services:

  • Groups Web Service (GWS)
  • UWWI Active Directory

Containment (Reduced support)

  Software:

  • mod_gws
  • Apache ActiveMQ (client)

  Protocols:

  • LDAPv3 (memberOf attribute on user objects in Active Directory)
  • LDAPv3 (GDS)
  • Advanced Message Queuing Protocol (AMQP)

  Technical Services:

  • Groups Directory Service (GDS)
  • UW-IT Message Bus (Apache ActiveMQ)

Retirement (Scheduled for retirement)

  Software:

  • mod_uwa
  • son of ldapcom (ldapcom.dll)

  Protocols:

  • SAML 1.1
  • LDAPv3 (Active Directory without SSL)

  Technical Services: none

Note: Refer to the IAM Brick Reference for complete descriptions of the six status designations and common lifecycle patterns.

Comments

  • Emerging
    1. System for Cloud Identity Management (SCIM) 2.0 provides a standard way to represent users and groups. This IETF standard has not been evaluated for strategic fit.
    2. OpenID Connect or other social identity protocols may allow cloud applications to integrate with groups. They have not been evaluated for strategic fit for this purpose.
    3. UWWI Windows Azure Active Directory (AAD) may allow applications to integrate with groups data. It has not been evaluated for strategic fit.
    4. If Azure Service Bus is used to provide access to groups data, Shared Access Signature could be used (recommended over the previous emerging trend, Access Control Service).
  • Strategic
    1. No technologies have been evaluated for the strategic designation.
  • Tactical
    1. Kuali Rice KIM (Kuali Identity Management) supports groups integration with Kuali applications. Support is limited to development teams working on Kuali applications.
    2. Windows Identity Foundation (WIF), WS-Federation, WS-Trust, and UWWI ADFS are under "tactical" status due to their adoption within strategic projects in UW-IT (e.g. Office 365, Dynamics CRM). These technologies may emerge as baseline options if demand and strategic differentiation from other baseline technologies warrant additional investment and support.
    3. WIF Extension for the SAML 2.0 Protocol CTP software will remain as a tactical technology until its replacement or retirement status is known. It has proved semi-useful for at least one strategic customer project.
    4. Group Data Import Service (tegea) is used tactically to import and reconcile institutional groups based on master data feeds from other institutional systems of record.
    5. Amazon Web Services (AWS) Simple Queue Service and/or Simple Notification Service have been used tactically within the UW groups service for event messaging. They may replace and expand the contained uses of Apache ActiveMQ.
  • Baseline
    1. Windows integration is baseline status because it is a de facto standard solution for integrating applications that rely on the Microsoft Windows platform to reference Active Directory groups.
    2. Shibboleth Service Provider (SP) software is baseline status because it is based on industry standards and is the software recommended and used the most within the InCommon community for identity federation, including the standard isMemberOf and eduPersonEntitlement attributes for asserting group membership.
    3. SAML 2.0 (Web Browser SSO Profile) protocol is baseline status because it is a widely deployed industry standard and is the protocol recommended within the InCommon federation.
    4. Groups REST API is baseline status because it aligns with the de facto standard of RESTful resource oriented architecture at the UW. It is the only baseline option for full "CRUD" (read/write) operations on groups data.
    5. LDAPv3 is a baseline protocol for integrating with group objects in UWWI Active Directory.
  • Containment
    1. mod_gws is under containment status because it duplicates functionality provided by Shibboleth SP software. Support is limited. Further investment must be justified by differentiation against current baseline technologies.
    2. Group event messaging based on Apache ActiveMQ and the AMQP protocol is under containment status. Use is limited to clients in UW-IT Computing Infrastructure, and will be retired. AWS SNS/SQS may emerge as event messaging for groups.
    3. LDAPv3 access to the memberOf attribute on user objects in Active Directory is under containment due to design constraints and related information security risks.
    4. LDAPv3 integration with the Groups Directory Service is under containment status due to duplicated effort, design constraints, feature limitations, complexity, lack of versioning, and limited consulting support.
  • Retirement
    1. mod_uwa is under retirement status, but the end-of-life date is unknown. Use has been limited, with only a few customers outside of UW-IT. Shibboleth SP software (mod_shib) offers equivalent access control capabilities.
    2. The son of ldapcom (ldapcom.dll) is under retirement status. It is no longer supported, like its predecessor.
    3. SAML 1.1 protocol is deprecated and unsupported. The end-of-life date for protocol support is unknown.
    4. LDAPv3 integration via Active Directory without SSL is deprecated. The end-of-life date for this option is unknown.

See Also

Last Review Date

April 1, 2013