Email message to EDUCAUSE IdM list, to be forwarded and repurposed as needed for other audiences:
Subject: Collaboration on open-source IAM software
Folks on the EDUCAUSE IdM list may have heard rumors about discussions regarding ambitious plans for building out new capabilities in open-source IAM products for higher education and research. Discussions have indeed been happening; those of us involved figure that now is a good time to let the community know what's going on and what we intend to happen next.
This note is the short version. For more of the story go to https://spaces.at.internet2.edu/display/OSIdM4HE/Home .
There are several motivations that led to these discussions: (1) new requirements on campus IAM systems, including new populations, cloud integration, assurance, compliance, privacy, federation, etc.; (2) dissatisfaction of many campuses with current commercial IAM products; (3) the fact that popular open-source IAM software does not form a coherent IAM suite; (4) new requirements on Kuali Rice, from the major Kuali applications and other sources, motivating more "enterprise" capabilities for the Kuali Identity Management (KIM) component of Rice. Regular readers of the EDUCAUSE IdM list will be familiar with many of these drivers.
A small group met at the colocated Jasig / InCommon ACAMP meetings in Denver in May 2011 and determined that there was interest from several organizations in working together. The next step was a workshop last week in Chicago to further build consensus and analyze the problem space. 15 people, representing the Kuali Foundation, Internet2/InCommon, Jasig, and several universities, met for two days.
This group first divided the IAM space into functional areas, identifying gaps and overlaps in the current HE open-source product scene. Subgroups were chartered to dive deeply into the requirements in several of these areas and to create recommendations to align current efforts and propose initiatives to fill existing gaps. Another subgroup was chartered with developing the organizational structure needed to oversee the initiative. Charged to report back by mid-September, these subgroups will create well-defined proposals to submit to constituent organizations and universities for resourcing.
We know that many people are likely to be interested in this activity, and want to follow it more closely or even participate. But for now, it remains invitation-only while the core group plans the next steps. Also please note that at this time it is just a planning activity; progress on actually building things is subject to investment decisions from many players.
If you have questions you can contact the group at osidm4he-info@internet2.edu . Discussion on the EDUCAUSE IdM list is fine.
OSIdM4HE wiki page:
OSIdM4HE activity
Summary: Participants from a number of organizations have been collaborating on creating a coherent set of open-source Identity and Access Management (IAM) software packages to meet the needs of Higher Education and Research. The activity arose in response to concerns raised by many institutions that current products, both open-source and commercial, are not meeting their IAM needs effectively and affordably. A recent workshop resulted in a clearer understanding of the current state of affairs and commitments from all participants to work intensively to develop proposals for well-defined, fundable projects and collaboration vehicles. Next-phase reports are due by mid-September 2011. For now the activity remains invitation-only.
The longer story:
If you've followed the research and higher-education (R&HE) IT scene in recent years you know that there is a lot of concern about the state of institutional Identity and Access Management (IAM) systems. IAM services are increasingly recognized as key to institutional security and efficiency, but building comprehensive systems from either commercial or open-source offerings is complicated and expensive. Many new requirements are creating pressure on currently deployed systems:
- new populations, new institutional relationships
- more applications requiring enterprise access management, with greater risks
- outsourcing, cloud services integration
- federated authentication, social identities, support for multi-institutional research collaborations
- assurance, identity lifecycle management, compliance, access certification
- enterprise-scale IAM enablement: service orientation, workflow, event-driven, notification, reporting, user self-service, etc.
- and many more ...
Many open-source software packages are widely used, but generally these are just parts of the overall system: CAS, Shibboleth, simpleSAMLphp, Grouper, Kerberos, OpenLDAP, etc. Other packages are promising but not yet ready: OpenRegistry is one example. Kuali Identity Management (KIM) covers many aspects of the IAM space but most of its services are not yet ready to extend beyond the needs of Kuali applications.
Commercial products are widely deployed in R&HE, but some popular ones have changed their spots recently, making many sites unhappy. These products are usually expensive, and are often monolithic, hard to integrate with homegrown or open-source services.
Conversations among R&HE IAM managers and architects in many venues have made it clear that lots of institutions need to take action soon, and that their requirements are very similar. At the same time, in the Kuali Rice project drivers have been identified from both new Kuali applications and those deploying Rice as institutional infrastructure to scale up KIM to meet enterprise IAM needs. These threads of interest came together at the joint Jasig / InCommon ACAMP meetings in Denver in May 2011, where a core group met to think big about how to address these issues. There was agreement that there is a real opportunity here; there is a lot of work to do and problems to overcome; and success is most likely if the resources of a number of organizations can be harnessed.
A workshop was organized in Chicago August 9-10 2011 to bring together more key players to further explore the problem space and build consensus on a path forward. 15 people attended, representing the Kuali Foundation, Internet2/InCommon, Jasig, and several universities.
This group first divided the IAM space into functional areas, identifying gaps and overlaps in the current HE open-source product scene. It then zeroed in on three key elements – identity registries, provisioning, and access management. Subgroups were chartered to dive deeply into the requirements in each of these areas, to create recommendations to align current efforts and propose initiatives to fill existing gaps. A fourth subgroup was chartered with developing the organizational and branding structure for the initiative. Charged to report back by mid-September, these subgroups will create well-defined proposals to submit to constituent organizations and universities for resourcing.
Currently this activity is invitation-only while in the planning stage. We're hopeful that the projects will move forward and that a large community will want to participate.
If you want more information contact osidm4he-info@internet2.edu .