COmanage Working Group at 2012 SMM

23-April-2012
Arlington, VA

http://events.internet2.edu/2012/spring-mm/agenda.cfm?go=session&id=10002314&event=1036

Agenda

Highlight of recent activities
Demos
- COmanage registry and enrollment flows
- COmanage / Grouper integration (almost)
COmanage Roadmap

DISCUSSION

Heather Flanagan, Project Coordinator and Working Group Chair of the COmanage project, introduced the team involved in COmanage development:

- Benn Oshrin, Internet2
- Scott Koranda, University of Wisconsin, and LIGO
- Marie Huynh, University of Wisconsin, and LIGO

Overview of COmanage

- COmanage is a platform designed for virtual organizations (VOs)
- To provide a way for VOs to collaborate and handle identity and access control
- And to provide a way for the VOs to take advantage of federated identity where possible

- Major difference between VOs and campuses: campuses generally have ERP systems to provide identity information
- VOs generally do not have ERP systems
- So VOs need to get a handle on many identity-related questions
- VOs develop their own business processes; much info is often handled via emails and spreadsheets
- The COmanage team has been talking to VOs about their business processes
- Using a Requirements Assessment: https://spaces.at.internet2.edu/display/COmanage/CO+Requirements+Assessment

Demo of the COmanage v. 0.5 Code

The code is available in the SVN repository: http://anonsvn.internet2.edu/svn/comanage/

Flow diagram related to enrollment processes. https://spaces.at.internet2.edu/display/COmanage/Registry+Enrollment
- Concept of a self sign-up
- there is account linking (if someone's affiliation is changing or has changed)
- There are permission and config checks
- the term "petition" is used for an enrollment request

Demonstration showed:
- Log in
- Defining a new enrollment flow, giving it a name

- Configuring the enrollment flow
- Adding attributes that will be collected for a new member of the VO
- Configuring how attributes will show on the petition screen (labels, etc)
- Specifying whether attributes (e.g. name, preferred name, organizational identity data) are required or optional
- There are "stock" attribute bundles, but you can add others according to your needs (e.g. %FTE)

- Creating a petition to add a new member (Heather)
- Configurable so different people can execute different enrollment flows
- There is the concept of organizational identity versus collaborative organization (CO) identity
- In the future, much of the petition info may be filled by a SAML assertion
- Can specify when the membership in the VO ends
- There is an approve or deny process for the petition
- Heather gets approved
- Heather gets added to a group
- Heather logs in

- Demo also showed deprovisioning

Additional Info:

- Petition can be used as historical doc. to see how person was enrolled
- After approval, there will be step where you can add your own data, such as mobile phone #
- If you try to enroll someone who is already known, the UI will pre-fill their info for you

Grouper / COmanage Integration

- Scott Koranda has been working on Grouper / COmanage integration for the LIGO project
- This integration is not ready for 0.5 release, will be in next release.
- Scott demonstrated a bootstrapped process
- In Grouper, define a stem called comanage_datastore
- using the CakePHP framework
- schema in MySQL will be used
- Define an administrator
- Administrator group called COmanage-Admin gets created
- Can see that COmanage-Admin group in Grouper

- Can manage attributes and permissions in the Grouper Lite UI

Scott:
- Looking forward to leveraging this work
- For a scientific VO like LIGO, which does much collaboration with astronomers and astrophysicists all over the world, this will dramatically alter how efficiently we can collaborate internally and externally
- what used to take 3 or 4 weeks will now take a few clicks

======

Plans Moving Forward

The COmanage roadmap can be seen at https://bugs.internet2.edu/jira/browse/CO?selectedTab=com.atlassian.jira.plugin.system.project%3Aroadmap-panel

Roadmap highlights:

- Finish the COmanage/Grouper integration
- LDAP provisioning
- COmanage 0.7 -- work more on enrollment and different possible petitions
- COmanage 0.8 -- Kerberos provisioning?
- COmanage 0.9 -- notifications and reporting
- COmanage 1.0 -- audit trails, CO person integration, making sure the UI scales to at least 1000 people

The team hopes to release COmanage 1.0 around the Internet2 Fall Member Meeting in Oct. 2012

======

Q: When will you be pulling organization data from SAML assertions?

A: Could be in the COmanage 1.0 release. LIGO has a use case for this.

======

Q: If you define an extended attribute, how can you use it?

A: You can export it from the registry, could then use it as you see fit.

=====

Also of interest from Spring Member Meeting, slides from the "Collaboration is Happening" Session: http://www.internet2.edu/presentations/spring12/20120424-flanagan-collab.pdf

LINKS:

COmanage website: http://www.internet2.edu/comanage/

COmanage wiki: https://spaces.at.internet2.edu/display/COmanage/Home
