3.9 Identity Management Project Team

Local Education Authorities (LEAs) across the globe are dealing with the issues of managing users across a rapidly increasing number of applications. Many of these applications within the educational enterprise interface directly with learners, parents, and teachers. Each new application requires digital identity and profile data for operational purposes. A significant burden is placed on individual users to manage and secure their login credentials across applications. In many instances, users end up having to remember many user names and passwords and deal with profile information that is not consistent or up to date across the various applications that they access.

There is a great need for a standards-based solution for identity management and role-based security within the education industry. While many standards have been developed to solve this problem, there is no common profile within education that suppliers and end users can adopt. The SIF Association (SIFA) has been solving interoperability issues like this for many years. Educational applications built to the SIF standard can also benefit from a set of profiles developed by SIFA that target the needs of sharing and using digital identities within an educational enterprise.

3.9.1 IdMApplication

A software application or system for which access is controlled through the identity management system.

SIF_Events are reported for this object.

Figure 3.9.1-1: IdMApplication (element tree: @RefId, Name, URI, DefaultFunction, FunctionList, DefaultIdentityProvider, IdentityProviderList, StartDate, EndDate, SIF_Metadata, SIF_ExtendedElements)
| Element/@Attribute | Char (M = mandatory, O = optional) | Description | Type |
|---|---|---|---|
| IdMApplication | | A software application or system for which access is controlled through the identity management system. | |
| @RefId (key) | M | GUID that uniquely identifies an instance of this object. | RefIdType |
| Name | M | A short name for the application. | xs:token |
| URI | M | The URI of the application. | xs:anyURI |
| DefaultFunction | M | A short description of the default or main function of the application. | xs:token |
| FunctionList | O | A list of short descriptions of other functions the application performs. | FunctionListType |
| DefaultIdentityProvider | M | RefId of the IdMApplication that acts as the Identity Provider (i.e., authentication provider) for this application. | IdRefType |
| IdentityProviderList | O | If the application can authenticate users through more than one Identity Provider (authentication provider), for example a Google directory service, LDAP or AD, those providers are listed here. | IdentityProviderListType |
| StartDate | O | Start date of the association of this application to the Identity Provider application. | xs:date |
| EndDate | O | End date of the association of this application to the Identity Provider application. | xs:date |
| SIF_Metadata | O | | SIF_MetadataType |
| SIF_ExtendedElements | O | | SIF_ExtendedElementsType |

Table 3.9.1-1: IdMApplication
JSON:

[ {
  "IdMApplication": {
    "RefId": "FE1078BA3261545A31905937B265CE01",
    "Name": "myApplication",
    "URI": "http://myApplication.com",
    "DefaultFunction": "Student Information",
    "DefaultIdentityProvider": "DE1078BA3261545A31905937B265CE47",
    "StartDate": "2001-09-05"
  }
} ]

XML:

<IdMApplication RefId="FE1078BA3261545A31905937B265CE01">
  <Name>myApplication</Name>
  <URI>http://myApplication.com</URI>
  <DefaultFunction>Student Information</DefaultFunction>
  <DefaultIdentityProvider>DE1078BA3261545A31905937B265CE47</DefaultIdentityProvider>
  <StartDate>2001-09-05</StartDate>
</IdMApplication>
Example 3.9.1-1: IdMApplication

3.9.2 IdMAuthentication

This object establishes an authentication map between the Organization-User and the Identity Provider (IDP) LoginId. The profile will be used primarily to provision/deprovision users from the SIS/HR systems to the IDP.

SIF_Events are reported for this object.

Figure 3.9.2-1: IdMAuthentication (element tree: @RefId, UserOrganizationAssociationRefId, ApplicationRefId, IdentityProviderLoginId, IdentityProviderType (@Codeset), AuthoritativeSourceId, StartDate, EndDate, SIF_Metadata, SIF_ExtendedElements)
| Element/@Attribute | Char (M = mandatory, O = optional) | Description | Type |
|---|---|---|---|
| IdMAuthentication | | This object establishes an authentication map between the Organization-User and the Identity Provider (IDP) LoginId. The profile is used primarily to provision/deprovision users from the SIS/HR systems to the IDP. | |
| @RefId (key) | M | GUID that uniquely identifies an instance of this object. | RefIdType |
| UserOrganizationAssociationRefId | M | RefId of the UserOrganizationAssociation object for the Organization-User who owns this login; a successful ("true") authentication of the IdentityProviderLoginId at the Identity Provider resolves to this Organization-User. | IdRefType |
| ApplicationRefId | M | RefId of the IdMApplication that acts as the Identity Provider for this login. | IdRefType |
| IdentityProviderLoginId | M | The login for the Organization-User within the Identity Provider application. | xs:token |
| IdentityProviderType | O | An enumeration that defines how the authentication can be performed and exchanged. | xs:token |
| IdentityProviderType/@Codeset | O | A unique indicator (usually a URL) that points to the codeset used for IdentityProviderType. | xs:token |
| AuthoritativeSourceId | O | RefId of the Authoritative Application creating this association. | IdRefType |
| StartDate | O | Start date of the association of this authentication instance to the Identity Provider application. | xs:date |
| EndDate | O | End date of the association of this authentication instance to the Identity Provider application. | xs:date |
| SIF_Metadata | O | | SIF_MetadataType |
| SIF_ExtendedElements | O | | SIF_ExtendedElementsType |

Table 3.9.2-1: IdMAuthentication
JSON:

[ {
  "IdMAuthentication": {
    "RefId": "FE1078BA3261545A31905937B265CE01",
    "UserOrganizationAssociationRefId": "AC3078BA3261545A31905937B265CE02",
    "ApplicationRefId": "AC3089BA3261545A31905937B265CE02",
    "IdentityProviderLoginId": "myId",
    "StartDate": "2001-09-05"
  }
} ]

XML:

<IdMAuthentication RefId="FE1078BA3261545A31905937B265CE01">
  <UserOrganizationAssociationRefId>AC3078BA3261545A31905937B265CE02</UserOrganizationAssociationRefId>
  <ApplicationRefId>AC3089BA3261545A31905937B265CE02</ApplicationRefId>
  <IdentityProviderLoginId>myId</IdentityProviderLoginId>
  <StartDate>2001-09-05</StartDate>
</IdMAuthentication>
Example 3.9.2-1: IdMAuthentication

3.9.3 IdMAuthorization

This object establishes a role/permission map between the Organization-User and the downstream applications’ roles and permissions. This will be used primarily to provision/deprovision users from the SIS/HR systems to other applications.

SIF_Events are reported for this object.

Figure 3.9.3-1: IdMAuthorization (element tree: @RefId, UserOrganizationAssociationRefId, ApplicationRefId, ApplicationFunction, AuthoritativeSourceId, StartDate, EndDate, SIF_Metadata, SIF_ExtendedElements)
| Element/@Attribute | Char (M = mandatory, O = optional) | Description | Type |
|---|---|---|---|
| IdMAuthorization | | This object establishes a role/permission map between the Organization-User and the downstream applications' roles and permissions. It is used primarily to provision/deprovision users from the SIS/HR systems to other applications. | |
| @RefId (key) | M | GUID that uniquely identifies an instance of this object. | RefIdType |
| UserOrganizationAssociationRefId | M | RefId of the SIF UserOrganizationAssociation object which defines the Organization-User to be authorized. | IdRefType |
| ApplicationRefId | M | RefId of the target application (an IdMApplication) in which the Organization-User is granted the role. | IdRefType |
| ApplicationFunction | O | The role to be assigned to the Organization-User in the target application. The consuming application must be able to honor that role. | xs:token |
| AuthoritativeSourceId | O | RefId of the Authoritative Application creating this association. | IdRefType |
| StartDate | O | Start date of the association of this authorization instance to the target application. | xs:date |
| EndDate | O | End date of the association of this authorization instance to the target application. | xs:date |
| SIF_Metadata | O | | SIF_MetadataType |
| SIF_ExtendedElements | O | | SIF_ExtendedElementsType |

Table 3.9.3-1: IdMAuthorization
JSON:

[ {
  "IdMAuthorization": {
    "RefId": "FE1078BA3261545A31905937B265CE01",
    "UserOrganizationAssociationRefId": "AC3078BA3261545A31905937B265CE02",
    "ApplicationRefId": "AC3089BA3261545A31905937B265CE02",
    "StartDate": "2001-09-05"
  }
} ]

XML:

<IdMAuthorization RefId="FE1078BA3261545A31905937B265CE01">
  <UserOrganizationAssociationRefId>AC3078BA3261545A31905937B265CE02</UserOrganizationAssociationRefId>
  <ApplicationRefId>AC3089BA3261545A31905937B265CE02</ApplicationRefId>
  <StartDate>2001-09-05</StartDate>
</IdMAuthorization>
Example 3.9.3-1: IdMAuthorization

3.9.4 UserOrganizationAssociation

This object associates a user of computer software applications to an organization.

SIF_Events are reported for this object.

Figure 3.9.4-1: UserOrganizationAssociation (element tree: @RefId, PersonRefId (@SIF_Object), OrganizationRefId (@SIF_Object), AssociationType, AuthoritativeSourceId, StartDate, EndDate, SIF_Metadata, SIF_ExtendedElements)
| Element/@Attribute | Char (M = mandatory, O = optional) | Description | Type |
|---|---|---|---|
| UserOrganizationAssociation | | This object associates a user of computer software applications to an organization. | |
| @RefId (key) | M | GUID that uniquely identifies an instance of this object. | RefIdType |
| PersonRefId | M | RefId of the person, or of any other SIF role object instance (e.g., student) for that person. | IdRefType |
| PersonRefId/@SIF_Object | M | The name of the SIF object that is being referenced by the payload of this element. | |
| OrganizationRefId | M | RefId of the organization. | IdRefType |
| OrganizationRefId/@SIF_Object | M | The name of the SIF object that is being referenced by the payload of this element. | |
| AssociationType | M | The type of association. For example, if the user is a member of the organization then the type is Member. | xs:token |
| AuthoritativeSourceId | O | RefId of the Authoritative Application creating this association. | RefIdType |
| StartDate | O | Start date of the association. | xs:date |
| EndDate | O | End date of the association. | xs:date |
| SIF_Metadata | O | | SIF_MetadataType |
| SIF_ExtendedElements | O | | SIF_ExtendedElementsType |

Table 3.9.4-1: UserOrganizationAssociation
JSON:

[ {
  "UserOrganizationAssociation": {
    "RefId": "FE1078BA3261545A31905937B265CE01",
    "PersonRefId": { "SIF_Object": "StaffPersonal", "value": "AE1078BA3261545A31905937B265CE01" },
    "OrganizationRefId": { "SIF_Object": "SchoolInfo", "value": "BE1078BA3261545A31905937B265CE01" },
    "AssociationType": "Associate Member",
    "StartDate": "2001-09-05"
  }
} ]

XML:

<UserOrganizationAssociation RefId="FE1078BA3261545A31905937B265CE01">
  <PersonRefId SIF_Object="StaffPersonal">AE1078BA3261545A31905937B265CE01</PersonRefId>
  <OrganizationRefId SIF_Object="SchoolInfo">BE1078BA3261545A31905937B265CE01</OrganizationRefId>
  <AssociationType>Associate Member</AssociationType>
  <StartDate>2001-09-05</StartDate>
</UserOrganizationAssociation>
Example 3.9.4-1: UserOrganizationAssociation
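The four objects in this section are the inputs to provisioning: UserOrganizationAssociation says who belongs to the organization, IdMAuthentication maps that Organization-User to a login at an Identity Provider, IdMAuthorization grants a role in a target application, and IdMApplication records which Identity Provider each application uses. The following Python module is an added example written for this page; it is not code from the SIF specification or the SIF Association. It loads the four object types from an XML payload, checks that every RefId has the 32-hexadecimal-character form seen in the page's examples and that every IdRefType value resolves to an object of the type the tables name, and then derives grant/revoke actions from the StartDate/EndDate windows of the association, the login and the grant together. The sample objects are constructed for the example; the `<Function>` child of FunctionList and the reading of a missing ApplicationFunction as the application's DefaultFunction are assumptions, since the page defines neither.

```python
import re
import xml.etree.ElementTree as ET
from datetime import date

REFID_RE = re.compile(r"^[0-9A-F]{32}$")  # RefIdType, as in the page's examples

# Constructed sample data, not from the specification. The <Function> child of
# FunctionList is an assumption; the page does not define FunctionListType.
SAMPLE_XML = """<SIF_Objects>
<IdMApplication RefId="DE1078BA3261545A31905937B265CE47"><Name>districtIdP</Name><URI>https://idp.example.test</URI>
 <DefaultFunction>Authentication</DefaultFunction><DefaultIdentityProvider>DE1078BA3261545A31905937B265CE47</DefaultIdentityProvider></IdMApplication>
<IdMApplication RefId="FE1078BA3261545A31905937B265CE01"><Name>myApplication</Name><URI>https://sis.example.test</URI><DefaultFunction>Student Information</DefaultFunction>
 <FunctionList><Function>Gradebook</Function><Function>Attendance</Function></FunctionList><DefaultIdentityProvider>DE1078BA3261545A31905937B265CE47</DefaultIdentityProvider></IdMApplication>
<UserOrganizationAssociation RefId="AC3078BA3261545A31905937B265CE02"><PersonRefId SIF_Object="StaffPersonal">AE1078BA3261545A31905937B265CE01</PersonRefId>
 <OrganizationRefId SIF_Object="SchoolInfo">BE1078BA3261545A31905937B265CE01</OrganizationRefId><AssociationType>Member</AssociationType><StartDate>2020-08-01</StartDate></UserOrganizationAssociation>
<UserOrganizationAssociation RefId="AC3078BA3261545A31905937B265CE03"><PersonRefId SIF_Object="StaffPersonal">AE1078BA3261545A31905937B265CE02</PersonRefId>
 <OrganizationRefId SIF_Object="SchoolInfo">BE1078BA3261545A31905937B265CE01</OrganizationRefId><AssociationType>Member</AssociationType><StartDate>2019-08-01</StartDate><EndDate>2024-06-30</EndDate></UserOrganizationAssociation>
<IdMAuthentication RefId="A1111111111111111111111111111111"><UserOrganizationAssociationRefId>AC3078BA3261545A31905937B265CE02</UserOrganizationAssociationRefId>
 <ApplicationRefId>DE1078BA3261545A31905937B265CE47</ApplicationRefId><IdentityProviderLoginId>jdoe</IdentityProviderLoginId><StartDate>2020-08-01</StartDate></IdMAuthentication>
<IdMAuthentication RefId="A2222222222222222222222222222222"><UserOrganizationAssociationRefId>AC3078BA3261545A31905937B265CE03</UserOrganizationAssociationRefId>
 <ApplicationRefId>DE1078BA3261545A31905937B265CE47</ApplicationRefId><IdentityProviderLoginId>rroe</IdentityProviderLoginId><StartDate>2019-08-01</StartDate></IdMAuthentication>
<IdMAuthorization RefId="B1111111111111111111111111111111"><UserOrganizationAssociationRefId>AC3078BA3261545A31905937B265CE02</UserOrganizationAssociationRefId>
 <ApplicationRefId>FE1078BA3261545A31905937B265CE01</ApplicationRefId><ApplicationFunction>Gradebook</ApplicationFunction><StartDate>2020-08-01</StartDate></IdMAuthorization>
<IdMAuthorization RefId="B2222222222222222222222222222222"><UserOrganizationAssociationRefId>AC3078BA3261545A31905937B265CE02</UserOrganizationAssociationRefId>
 <ApplicationRefId>FE1078BA3261545A31905937B265CE01</ApplicationRefId><ApplicationFunction>Admin</ApplicationFunction><StartDate>2020-08-01</StartDate></IdMAuthorization>
<IdMAuthorization RefId="B3333333333333333333333333333333"><UserOrganizationAssociationRefId>AC3078BA3261545A31905937B265CE03</UserOrganizationAssociationRefId>
 <ApplicationRefId>FE1078BA3261545A31905937B265CE01</ApplicationRefId><StartDate>2019-08-01</StartDate></IdMAuthorization>
<IdMAuthorization RefId="B4444444444444444444444444444444"><UserOrganizationAssociationRefId>AC3078BA3261545A31905937B265CE02</UserOrganizationAssociationRefId>
 <ApplicationRefId>00000000000000000000000000000000</ApplicationRefId><StartDate>2020-08-01</StartDate></IdMAuthorization>
</SIF_Objects>"""

def _text(el, tag):
    node = el.find(tag)
    return node.text.strip() if node is not None and node.text else None

def active(el, today):
    """True when today lies inside the element's StartDate/EndDate window (open-ended if absent)."""
    start, end = _text(el, "StartDate"), _text(el, "EndDate")
    return (not start or date.fromisoformat(start) <= today) and (not end or today <= date.fromisoformat(end))

def functions(app):
    """Roles an IdMApplication declares: its DefaultFunction plus the FunctionList entries."""
    return {_text(app, "DefaultFunction")} | {f.text.strip() for f in app.iter("Function")}

def load(xml_text):
    """Index objects by type and RefId; malformed or duplicate RefIds are reported and dropped."""
    objs = {k: {} for k in ("IdMApplication", "UserOrganizationAssociation", "IdMAuthentication", "IdMAuthorization")}
    errors = []
    for el in ET.fromstring(xml_text):
        ref = el.get("RefId", "")
        if el.tag in objs and REFID_RE.match(ref) and ref not in objs[el.tag]:
            objs[el.tag][ref] = el
        elif el.tag in objs:
            errors.append(f"{el.tag}: malformed or duplicate RefId {ref!r}")
    return objs, errors

def check_references(objs):
    """Every IdRefType value must resolve to an object of the type the tables name."""
    apps, uoas, errors = objs["IdMApplication"], objs["UserOrganizationAssociation"], []
    for ref, app in apps.items():
        if _text(app, "DefaultIdentityProvider") not in apps:
            errors.append(f"IdMApplication {ref}: DefaultIdentityProvider is not a known IdMApplication")
    for kind in ("IdMAuthentication", "IdMAuthorization"):
        for ref, el in objs[kind].items():
            for tag, pool in (("UserOrganizationAssociationRefId", uoas), ("ApplicationRefId", apps)):
                if _text(el, tag) not in pool:
                    errors.append(f"{kind} {ref}: dangling {tag}")
    return errors

def plan(objs, today):
    """Turn each IdMAuthorization into (action, login, application name, role).

    grant: association, grant and login at the application's IdP are all active and the role is declared.
    revoke: the association or the grant window has ended (deprovision, even if the grant has no EndDate).
    reject: the application does not declare the role.  no-login: no active IdMAuthentication at its IdP.
    A missing ApplicationFunction is read as the application's DefaultFunction (assumption of this example).
    """
    apps, uoas = objs["IdMApplication"], objs["UserOrganizationAssociation"]
    logins = {}  # (association RefId, IdP RefId) -> (IdentityProviderLoginId, login currently active?)
    for auth in objs["IdMAuthentication"].values():
        key = (_text(auth, "UserOrganizationAssociationRefId"), _text(auth, "ApplicationRefId"))
        logins[key] = (_text(auth, "IdentityProviderLoginId"), active(auth, today))
    actions = []
    for az in objs["IdMAuthorization"].values():
        uoa_ref = _text(az, "UserOrganizationAssociationRefId")
        uoa, app = uoas.get(uoa_ref), apps.get(_text(az, "ApplicationRefId"))
        if uoa is None or app is None:
            continue  # reported by check_references; a dangling grant is never provisioned
        role = _text(az, "ApplicationFunction") or _text(app, "DefaultFunction")
        login, login_ok = logins.get((uoa_ref, _text(app, "DefaultIdentityProvider")), (None, False))
        if not (active(uoa, today) and active(az, today)):
            action = "revoke"
        elif role not in functions(app):
            action = "reject"
        else:
            action = "grant" if login_ok else "no-login"
        actions.append((action, login, _text(app, "Name"), role))
    return sorted(actions, key=str)

def run(xml_text, today_iso):
    """Load, validate and plan in one call; today is given as an ISO date string."""
    objs, errors = load(xml_text)
    return errors + check_references(objs), plan(objs, date.fromisoformat(today_iso))

if __name__ == "__main__":
    print(*run(SAMPLE_XML, "2024-09-01"), sep="\n")
```

Two cases in the sample are the ones a provisioning pipeline most often gets wrong. The second staff member's IdMAuthorization carries no EndDate of its own, but the UserOrganizationAssociation it points to ended on 2024-06-30, so a run dated 2024-09-01 revokes the role: deprovisioning has to cascade from the association, not wait for every downstream object to be closed. The grant whose ApplicationRefId matches no IdMApplication is reported and skipped rather than provisioned, because a role name alone cannot say which system a dangling grant was meant for.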
