...

This glossary describes the functional components of the TIER TAP Reference Architecture.

Identity Sources

While not a part of the TIER TAP Architecture, identity sources provide person-related data into the TIER TAP architecture. This data likely includes the following types of information:

...

Identity source information flows into the TIER TAP architecture and allows TIER TAP to create the appropriate accounts, groupings and other data structures to enable rule-based provisioning and access control.

...

Student Information Systems, Human Resources Systems and other institutional data systems are frequent repositories of person-related information. These systems provide the TIER TAP architecture with information about the people they contain. In addition to basic demographic information, these systems contribute affiliation information that helps to form a complete picture of an individual’s relationship with the institution.

...

In addition to Campus Information Systems, many institutions provide a mechanism for people to self-register in order to access certain campus services. Visitors may self-register for wireless access, or prospects may self-register for a campus tour. This user-initiated process provides another registration path into the TIER TAP architecture.

Invitation Service

...

Entity Registry Components

The TIER TAP Entity Registry is principally responsible for supplying person-related information to the other TIER TAP architectural components. The Entity Registry has several key responsibilities:

  • Aggregate person information from multiple data sources,
  • De-duplicate information from multiple sources in order to present a single representation of a person and their various relationships to the institution, and
  • Standardize person information for consumption by downstream components in the TIER TAP architecture.


Within the Entity Registry, there are several components that work together to establish a structured repository of identity data. These components include:

...

This component provides the interface between identity sources and the rest of the TIER TAP architecture. The Person Registration and Update Service provides API and messaging interfaces for identity sources to register and update identity data within the Entity Registry.

...

The Master Person Store is the persistent storage repository for Entity Registry data. The Master Person Store contains demographic, affiliation, contact and account data relating to Entity Registry subjects. This data is accessible to other TIER TAP components through both messaging and API interfaces. Data within the Master Person Store is used to drive grouping, provisioning and attribute release to service providers.

The Master Person Store may be implemented as a standalone data repository that serves the TIER TAP architecture, but may also be implemented as an interface to an existing institutional Person Store (e.g. LDAP, AD or other institutional repository) that serves a similar purpose.

...

The Groups Data Store is the persistent store of information provided by the Groups Service. This component provides both API and messaging-based interfaces for other TIER TAP components to receive information about an identity subject’s group memberships.

...

The Provisioning Service component provides the TIER TAP architecture with a mechanism to take action to provision accounts and access either dynamically based on affiliation data changes, or manually based on a request and approval workflow. Likewise, the Provisioning Service works to dynamically deprovision services and remove access when data events occur that impact institutionally defined provisioning rules (e.g. employee termination).
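The dynamic path described above can be sketched as a reconciliation over affiliation data. This is an added example, not TIER TAP code; the rule table, service names and the `Person` structure are hypothetical, and the manual request-and-approval path is left out.

```python
from dataclasses import dataclass, field

# Hypothetical institutional provisioning rules: affiliation -> services granted.
RULES = {
    "employee": {"email", "hr-portal", "vpn"},
    "student": {"email", "lms"},
}

@dataclass
class Person:
    person_id: str
    affiliations: set = field(default_factory=set)
    provisioned: set = field(default_factory=set)  # services currently held

def entitled_services(person):
    """Union of the services granted by each current affiliation."""
    services = set()
    for affiliation in person.affiliations:
        # An affiliation with no rule grants nothing (default deny).
        services |= RULES.get(affiliation, set())
    return services

def reconcile(person):
    """Diff held services against entitlements; return (action, service) pairs."""
    target = entitled_services(person)
    # Removals are listed first so access is revoked before anything is granted.
    actions = [("deprovision", s) for s in sorted(person.provisioned - target)]
    actions += [("provision", s) for s in sorted(target - person.provisioned)]
    person.provisioned = target
    return actions

def on_affiliation_event(person, added=(), removed=()):
    """Apply an affiliation change from the registry, then reconcile access."""
    person.affiliations |= set(added)
    person.affiliations -= set(removed)
    return reconcile(person)

if __name__ == "__main__":
    # Constructed sample: a student employee whose employment is terminated.
    p = Person("p-0001")
    print(on_affiliation_event(p, added={"student", "employee"}))
    print(on_affiliation_event(p, removed={"employee"}))
```

Because entitlements are recomputed from all remaining affiliations, terminating the employee role removes `hr-portal` and `vpn` but keeps `email`, which the student affiliation still grants.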

...

Authentication and Federation Services provide a means to interface service providers with the TIER TAP architecture to perform single sign-on, federated authentication and authorization, and to deliver attribute information for consumption by applications.

...

The Attribute Resolver component translates between the internal data structures in the TIER TAP architecture and the attributes that are delivered to service providers. The Attribute Resolver maps specific internal data constructs to normalized attributes so that service providers do not need to be aware of the inner workings of the TIER TAP architecture to consume attribute information about the users who access their services.