DRAFT DRAFT DRAFT
TIER Registry and DATA and API workgroups have provided an the TIER Entity Registry - Identity Onboarding Flow Architecture during December 2017 and January of 2018. Additional decomposition and advice related to components of this flow are defined to assist institutions implementing TIER components and Identity Service Applications.
An architecture flow and event document for TIER ENTITY REGISTRY - Identity OnBoarding can be found at
The intent of this entry is to provide a guide at a high level for integrating flows for Credential management into the Onboarding process. It is intended to describe a pattern for institutions to use when building a Registry Onboarding process.
Institutions may elect to utilize existing Credential management components and UIs or to retool using Midpoint or other tools.
A simple manner to think about your identity system data flows can be considered in two fundamental flows, Identity Onboarding and Identity Provisioning and Authorization. Simply processes to get data into the ecosystem and processes to get data downstream or out to the applications relying on the access management services.
From workgroup input ( in progress:)
Individuals have multiple sets of credentials
What is our terminology for ‘username’, ‘NetID’ vs ‘credential sets’ vs ‘accounts’
Users may have multiple Accounts (whether or not the user has associated credentials associated with the account)
“NetID” is identifier associated with the institutionally-assigned main user account
Profile (the core digital identity for a person) then they have 1 or more additional accounts, some local, some external
User maintains some attributes of their own Profile: Preferred name, etc.
midPoint documentation uses “User” for what we’re calling “Profile”
“My policy maps a given Profile to (1 or more) Accounts”
Not all Profiles include a NetID. E.g. Student Applicants bring their own credentials. External identity encompasses federated and ‘social’ identities; ‘social’ scares concerns people
We commit to consistently using (possible edited versions) of these terms
Determine your Credential management control processes in your entity registry.
Other considerations for managing the IdMatch service.
Data that may be of interest to save related to user name and credential management
All strings case insensitive, all indexed
Identifiers
RegistryID or RID (either name) (TIER INSTITUTIONAL ID)
128 string
Req’d Uniq
Primary key component
Principal (username)
256 string
Req’d, Not uniq
Primary Key component
LinkedID or LID (either name)
128 string
Not Uniq, Not req'd
SOR ID
128 string
Not req’d, not uniq
Principal Resource Type TIER
64 String
Not Uniq – REQD – From Table of Values ( Person, Group, Application, Email Alias,…)
TIER FriendlyName
128 String
Not Uniq – REQD –
TIER Name (used with Person resource type)
honorificPrefix String 32
Givenname String 64
Middlename String 64
Familyname String 64
honorificSuffix String 32
Formatted String 256 (created by combining the 5 name part above in sequence shown)
These are not Not required, not unique,
TIER email value
Not unique, Not required
TIER phonenumber value
TIER phonenumber type
Not unique, Not required, Type required with number, (cell, landline),
Datecreated
Not unique,Required, datetimestamp
Dateinactivated
Not unique, Not required, datatimestamp
Endtimestamp
Not unique, Not required, datetimestamp
TIER Status (active, inactive, …others being defined)
Not unique, Required, String 16
This is used to track the lifecycle of an entity through a series of states.
TIER Updating Entity ID
Not unique, Required, string 256
TIER Updating SOR
Not unique, Required, string 128
TIER Protect
Not unique Required, Boolean (true, false)
There are more steps (1 thru 5 and 10 thru 11 from the identity onboarding flow architecture) to consider related to the Identity Onboarding, however since this document is focusing on the Credential Management Controller they are not covered here. The Registry Update Controller and the Groups Update Controller are treated in separate confluence documents.
You may also want to use visual panels to communicate related information, tips or things users need to be aware of. |
Related articles appear here based on the labels you select. Click to edit the macro and add or change labels.
|