3.9 Identity Management Project Team

Local Education Authorities (LEAs) across the globe are dealing with the issues of managing users across a rapidly increasing number of applications. Many of these applications within the educational enterprise interface directly with learners, parents, and teachers. Each new application requires digital identity and profile data for operational purposes. A significant burden is placed on individual users to manage and secure their login credentials across applications. In many instances, users end up having to remember many user names and passwords and deal with profile information that is not consistent or up to date across the various applications that they access.

There is a great need to provide a standards-based solution for identity management and role-based security within the education industry. While many standards have been developed to solve this problem, there is no common profile within education that suppliers and end users can adopt. The SIFA has been solving issues of interoperability like this for many years. Educational applications built to support the SIF standard can also benefit from a set of profiles developed by SIFA that are targeted at solving the needs of sharing and using digital identities within an educational enterprise.

3.9.1 IdMApplication

A software application or system for which access is controlled through the identity management system.

SIF_Events are reported for this object.

IdMApplication
Figure 3.9.1-1: IdMApplication IdMApplication RefId Name URI DefaultFunction FunctionList DefaultIdentityProvider IdentityProviderList StartDate EndDate SIF_Metadata SIF_ExtendedElements
 Element/@AttributeCharCEDS Id/URLDescriptionType
 IdMApplication 

A software application or system for which access is controlled through the identity management system.

 
 
@
key
RefIdM

GUID that uniquely identifies an instance of this object.

 
RefIdType
 NameM

A short name for the application

 
xs:token
 URIM

The URI of the application.

 
xs:anyURI
 DefaultFunctionM

A short description of the default or main function of the application.

 
xs:token
 FunctionListO

A list of short descriptions of other functions the application performs.

 
FunctionListType
 DefaultIdentityProviderM

The RefID of the application that is used as the Identity Provider (i.e., authentication provider) for the framework.

 
IdRefType
 IdentityProviderListO

If the application can use multiple Identity Providers (authentication providers) to authenticate the user, for example Google directory service, LDAP, AD, etc., there could be multiple such providers in this list.

 
IdentityProviderListType
 StartDateO

Start date of the association of this application to the Identity Provider application.

 
xs:date
 EndDateO

End date of the association of this application to the Identity Provider application.

 
xs:date
 SIF_MetadataO
 SIF_MetadataType
 SIF_ExtendedElementsO
 SIF_ExtendedElementsType
Table 3.9.1-1: IdMApplication
{ "IdMApplication": { "RefId": "FE1078BA3261545A31905937B265CE01", "Name": "myApplication", "URI": "http://myApplication.com", "DefaultFunction": "Student Information", "DefaultIdentityProvider": "DE1078BA3261545A31905937B265CE47", "StartDate": "2001-09-05" } }
<IdMApplication RefId="FE1078BA3261545A31905937B265CE01"> <Name>myApplication</Name> <URI>http://myApplication.com</URI> <DefaultFunction>Student Information</DefaultFunction> <DefaultIdentityProvider>DE1078BA3261545A31905937B265CE47</DefaultIdentityProvider> <StartDate>2001-09-05</StartDate> </IdMApplication>
Example 3.9.1-1: IdMApplication

3.9.2 IdMAuthentication

This object establishes an authentication map between the Organization-User and the Identity Provider (IDP) LoginId. The profile will be used primarily to provision/deprovision users from the SIS/HR systems to the IDP.

SIF_Events are reported for this object.

IdMAuthentication
Figure 3.9.2-1: IdMAuthentication IdMAuthentication RefId UserOrganizationAssociationRefId ApplicationRefId IdentityProviderLoginId IdentityProviderType Codeset AuthoritativeSourceId StartDate EndDate SIF_Metadata SIF_ExtendedElements
 Element/@AttributeCharCEDS Id/URLDescriptionType
 IdMAuthentication 

This object establishes an authentication map between the Organization-User and the Identity Provider (IDP) LoginId. The profile will be used primarily to provision/deprovision users from the SIS/HR systems to the IDP.

 
 
@
key
RefIdM

GUID that uniquely identifies an instance of this object.

 
RefIdType
 UserOrganizationAssociationRefIdM

The RefId for the UserOrganizationAssociation SIF object if the authentication returns “true”.

 
IdRefType
 ApplicationRefIdM

RefId of the Identity Provider application.

 
IdRefType
 IdentityProviderLoginIdM

The login for the Organization-User within the Identity Provider application.

 
xs:token
 IdentityProviderTypeO

An enumeration that defines how the authentication can be performed and exchanged.

 
xs:token
@CodesetO

A unique indicator (usually a URL) that points to the codeset used.

 
xs:token
 AuthoritativeSourceIdO

The RefID of the Authoritative Application creating this association.

 
IdRefType
 StartDateO

Start date of the association of this authentication instance to the Identity Provider application.

 
xs:date
 EndDateO

End date of the association of this authentication instance to the Identity Provider application.

 
xs:date
 SIF_MetadataO
 SIF_MetadataType
 SIF_ExtendedElementsO
 SIF_ExtendedElementsType
Table 3.9.2-1: IdMAuthentication
{ "IdMAuthentication": { "RefId": "FE1078BA3261545A31905937B265CE01", "UserOrganizationAssociationRefId": "AC3078BA3261545A31905937B265CE02", "ApplicationRefId": "AC3089BA3261545A31905937B265CE02", "IdentityProviderLoginId": "myId", "StartDate": "2001-09-05" } }
<IdMAuthentication RefId="FE1078BA3261545A31905937B265CE01"> <UserOrganizationAssociationRefId>AC3078BA3261545A31905937B265CE02</UserOrganizationAssociationRefId> <ApplicationRefId>AC3089BA3261545A31905937B265CE02</ApplicationRefId> <IdentityProviderLoginId>myId</IdentityProviderLoginId> <StartDate>2001-09-05</StartDate> </IdMAuthentication>
Example 3.9.2-1: IdMAuthentication

3.9.3 IdMAuthorization

This object establishes a role/permission map between the Organization-User and the downstream applications’ roles and permissions. This will be used primarily to provision/deprovision users from the SIS/HR systems to other applications.

SIF_Events are reported for this object.

IdMAuthorization
Figure 3.9.3-1: IdMAuthorization IdMAuthorization RefId UserOrganizationAssociationRefId ApplicationRefId ApplicationFunction AuthoritativeSourceId StartDate EndDate SIF_Metadata SIF_ExtendedElements
 Element/@AttributeCharCEDS Id/URLDescriptionType
 IdMAuthorization 

This object establishes a role/permission map between the Organization-User and the downstream applications’ roles and permissions. This will be used primarily to provision/deprovision users from the SIS/HR systems to other applications.

 
 
@
key
RefIdM

GUID that uniquely identifies an instance of this object.

 
RefIdType
 UserOrganizationAssociationRefIdM

The RefId for the SIF UserOrganizationAssociation object which defines the Organization-User to be authorized.

 
IdRefType
 ApplicationRefIdM

RefId of the Identity Provider application.

 
IdRefType
 ApplicationFunctionO

The role for the OrganizationUser to be assigned for the target application. The consuming application must be able to honor such role.

 
xs:token
 AuthoritativeSourceIdO

The RefID of the Authoritative Application creating this association.

 
IdRefType
 StartDateO

Start date of the association of this authorization instance to the Identity Provider application.

 
xs:date
 EndDateO

End date of the association of this authorization instance to the Identity Provider application.

 
xs:date
 SIF_MetadataO
 SIF_MetadataType
 SIF_ExtendedElementsO
 SIF_ExtendedElementsType
Table 3.9.3-1: IdMAuthorization
{ "IdMAuthorization": { "RefId": "FE1078BA3261545A31905937B265CE01", "UserOrganizationAssociationRefId": "AC3078BA3261545A31905937B265CE02", "ApplicationRefId": "AC3089BA3261545A31905937B265CE02", "StartDate": "2001-09-05" } }
<IdMAuthorization RefId="FE1078BA3261545A31905937B265CE01"> <UserOrganizationAssociationRefId>AC3078BA3261545A31905937B265CE02</UserOrganizationAssociationRefId> <ApplicationRefId>AC3089BA3261545A31905937B265CE02</ApplicationRefId> <StartDate>2001-09-05</StartDate> </IdMAuthorization>
Example 3.9.3-1: IdMAuthorization

3.9.4 UserOrganizationAssociation

This object associates a user of computer software applications to an organization.

SIF_Events are reported for this object.

UserOrganizationAssociation
Figure 3.9.4-1: UserOrganizationAssociation UserOrganizationAssociation RefId PersonRefId OrganizationRefId SIF_Object AssociationType AuthoritativeSourceId StartDate EndDate SIF_Metadata SIF_ExtendedElements
 Element/@AttributeCharCEDS Id/URLDescriptionType
 UserOrganizationAssociation 

This object associates a user of computer software applications to an organization.

 
 
@
key
RefIdM

GUID that uniquely identifies an instance of this object.

 
RefIdType
 PersonRefIdO
 UserOrganizationAssociationPersonRefIdType
 OrganizationRefIdM

RefId of the organization.

 
IdRefType
@SIF_ObjectM

The name of the SIF object that is being referenced by the payload of this element.

 
 
 AssociationTypeM

The type of association. For example, if the user is a member of the organization then the type would be Member.

 
xs:token
 AuthoritativeSourceIdO

The RefID of the Authoritative Application creating this association

 
RefIdType
 StartDateO

Start date of the association.

 
xs:date
 EndDateO

End date of the association.

 
xs:date
 SIF_MetadataO
 SIF_MetadataType
 SIF_ExtendedElementsO
 SIF_ExtendedElementsType
Table 3.9.4-1: UserOrganizationAssociation
{ "UserOrganizationAssociation": { "RefId": "FE1078BA3261545A31905937B265CE01", "PersonRefId": { "SIF_Object": "StaffPersonal", "value": "AE1078BA3261545A31905937B265CE01" }, "OrganizationRefId": { "SIF_Object": "SchoolInfo", "value": "BE1078BA3261545A31905937B265CE01" }, "AssociationType": "Associate Member", "StartDate": "2001-09-05" } }
<UserOrganizationAssociation RefId="FE1078BA3261545A31905937B265CE01"> <PersonRefId SIF_Object="StaffPersonal">AE1078BA3261545A31905937B265CE01</PersonRefId> <OrganizationRefId SIF_Object="SchoolInfo">BE1078BA3261545A31905937B265CE01</OrganizationRefId> <AssociationType>Associate Member</AssociationType> <StartDate>2001-09-05</StartDate> </UserOrganizationAssociation>
Example 3.9.4-1: UserOrganizationAssociation

Valid XHTML 1.0 Transitional