US Federations Discussion

[Joseph Giroux <>]

Thanks, David.  That gets us much closer.  I'll look for this in the IdP documentation.  Do you know anybody who has done this?

We need a central IdP because in some cases students will not yet be - or no longer be - enrolled at a particular institution.  Yes, it is potentially a little confusing but for most services the student doesn't need a college affiliation (eg. application to college).  We want to streamline the user experience by providing it at the college.  However, for a few they will need college affiliation (e.g. assessment - but in this case they might not even find the service without first being logged in through a college.)

Staff are a different matter.  For services in their role as staff members (they might also be students) we will require college affiliation.

-Joseph

On 4/5/2010 2:03 PM, David Walker wrote:

" type="cite"> Joseph,

The Shibboleth IdP allows you to specify Java code to retrieve an attribute.  That code could check to see if the CCCID already exists locally and would invoke ProvideCCCID (presumably a web service) when needed.

Do you really need a central IdP, or could you just use campus IdPs?  It could be confusing to users, if they need to know which IdP to use for different services.

David

On Mon, 2010-04-05 at 13:06 -0700, Joseph Giroux wrote:

From a telephone conversation with David Walker (UC-Davis) last Friday I've sketched out a process flow for issuing a unique statewide ID number and passing it to a local IdP.  However, I have a couple of questions about how this would work in practice.  You'll see a simplified process flow below and then three questions.  I'd appreciate any help you can provide in either answering the questions or giving me the name of someone who might be able to answer them.  Ideally we'd like to locate someone who has done this previously.

Thanks for your consideration.
Joseph Giroux
California Community Colleges



Process Flow for updating local IdP with CCCID from central IdP

CCCID is a statewide user id number that is unique and persistent.  A Central IdP will have accounts for all statewide users (ie. all CCCIDs). College IdPs will only contain accounts for college users and may need to store the statewide CCCID for each. 

 

PreCondition: An account for the user has been established at the local college’s IdP but there is currently no associated CCCID.

 

1.      User logs into a college portal using his local college account.

2.      User selects a statewide web service link (WS1) that requires a CCCID

3.      WS1 receives User@College and so requests the user’s CCCID from College IdP.

4.      College IdP does not find a CCCID for User so invokes local process to obtain a CCCID (GetCCCID).

5.      The GetCCCID process calls a central web service (ProvideCCCID) passing some available user id info (Name, Birthdate, Zip, etc) that might be relevant for an ID match or account set up.

(Branch 1)

6.      ProvideCCCID assigns a CCCID (and creates an account on the Central IdP).  (This is simplified.  There will  need to be some additional interaction with the User to establish challenge questions or obtain additional information.)

7.      ProvideCCCID returns User’s CCCID to GetCCCID.

8.      GetCCCID populates the College1 IDP with the User’s CCCID and returns control to the local IdP.

9.      Local IdP forwards User’s CCCID to WS1.

10.  WS1 authorizes the User session.

 

Questions

1.      How do we make the IdP call GetCCCID when it doesn’t have a requested CCCID? 


2.      What is the nature of the GetCCCID process?  (a web service?  a java process within the IdP?)

3.      Who has already done something similar to this?