Federation and Cloud Services

for the K12 Communityfor the K12 Community

Quilt/InCommon K12 Pilot Project Summary

Two Cases: Illinois and Nebraska

What is Envisioned, Experiences, and Challenges

Bernie Acs {acs1@illinois.edu}, Jim Peterson {jim@illinicloud.org}, Jason Radford {jradford@illinicloud.org}

Scott Isaacson {sisaacson@esucc.org}, Mike Danahy {mdanahy@esu2.org}

Illinois Shared Learning

EnvironmentEnvironment

The One-Slide Summary

Create, Find, Map, Use, and Visualize Data Linked to Content

and Standards enabling Personalized Learning and Career

Preparedness for All Illinois Learners (P-K12 & Life-Long).

Local School District

Collect,

Assemble,

& Propagate

Partner InstitutionsData CentersParticipating LEA:

2 SLC Pilot

35 RttT-3

~ 20% of Illinois Students

ED-FI Data Model

Data Store

Services

Application

Program

Interface

( API )

Illinois Shared Learning Environment – ISLE

Search & Registry

Index for Content

ConsumersProducers Content

Brokers

& Propagate

Ed-FI Data Model

GOMB

Learning Maps & Learning Content Ap

plic

atio

ns a

nd

Dash

bo

ard

s

Dyn

am

ic C

lou

d I

nfr

astr

uctu

re

Apps

Partners:

ISLE Grant DCEO -> NCSA/UIUC

ISLE-IGA: NCSA/UIUC -> NIU,SIU, & IC

~ 20% of Illinois Students

with RttT-3 SD, ~840 to go.

DB

Compute

Students, Educators, Parents, Researchers, Schools, Institutions

and Agencies empowered by the Middleware infrastructure

and Dynamic Self-Service Procurement Cloud Platform Services:

*Learning Maps *Applications *Dashboards*Portal Integration

*Databases *Collaboration Tools *Development Incubator

*Advanced Analytics*Shared Data Services*Enterprise Services

SLC (Service Agreement): ISBE/LEA

RttT-3 Grant : ISBE/LEA

RttT-Early Childhood : ISBE/LEA

Pathways/STEM LE : ISBE/DCEO

Create, Find, Map, Use, and Visualize Data Linked to Content

and Standards enabling Personalized Learning and Career

Preparedness for All Illinois Learners (P-K12 & Life-Long).

Learning Maps, Assemssments, & Learning Content

Ap

plic

atio

ns a

nd

Dash

bo

ard

s

Dyn

am

ic C

lou

d I

nfr

astr

uctu

re

Partner InstitutionsData Centers

ISLEK12 School Districts,

Partners, & Data Centers

Ap

plic

atio

ns a

nd

Dash

bo

ard

s

Dyn

am

ic C

lou

d I

nfr

astr

uctu

re

Apps

DB

Compute

Students, Educators, Parents, Researchers, Schools, Institutions

and Agencies empowered by the Middleware infrastructure and

Dynamic Self-Service Procurement Cloud Platform Services:

*Learning Maps *Applications *Dashboards*Portal Integration

*Databases *Collaboration Tools *Development Incubator

*Advanced Analytics*Shared Data Services*Enterprise Services

Partners:

Nebraska K12/P20W Pilot

Four Slide Summary

Nebraska

K-12 Federation

Learning Object

Repository

SIS DB

Ed-Fi

ODS

ET

LE

TL

Compute

Metrics

Basic Services

VM Hosting

Learning Management

Systems

Auto-provision & De-

District

IntegrationIdP Proxy

Authentication & Authorization

Ed-Fi Dashboards

Self-service

Portal

Auto-provision & De-

provision

Internet2

(K.C. GigaPop)

Courtesy of Tom Rolfes, Nebraska Office of the CIO

• Network Nebraska-Education CURRENT Partners (261)

– 223 public school districts

– 16 Educational Service Units

• Network Nebraska-Education POTENTIAL Partners (460+)

– 28 public school districts

– 1 Educational Service UnitUnits

– 10 public colleges

– 7 nonpublic colleges

– 2 tribal colleges

– 3 nonpublic schools

– 1 public library

Unit

– 7 nonpublic colleges

– 159 nonpublic schools

– 269 public libraries

Courtesy of Tom Rolfes, Nebraska Office of the CIO

K12 to P20

Vision Resources

• Compelling case for effective utilization of resources

– Might call this zero system administration.

– http://www.azed.gov/aelas/files/2013/10/aelas-business-case-v1.5.pdf

• Jack’s story is the vision of interoperability through standards– http://www.setda.org/wp-content/uploads/2013/11/Data-to-Information.pdf

• Data Quality Campaign infographic vision on using data • Data Quality Campaign infographic vision on using data – http://www2.dataqualitycampaign.org/files/Data-Rich%20Year%20Infographic.pdf

• Visionary Resources: A little on the techie side

– Learning Registry http://www.learningregistry.org

– Advanced Distributed Learning: http://www.adlnet.gov/

– SCORM http://scorm.com/scorm-explained/

– IMS Global: http://www.imsglobal.org/

– SETDA : http://www.setda.org

Illinois Shared Learning

EnvironmentEnvironment

Exploring the Learning Map Concept:

A Revolutionary Catalyst for the K12 Community and Pedagogy

What is a Learning Map?

1.) Visual Representation of a Series of Learning Objectives & Assessment of Mastery

1

Learning

Objective #1

Assessment

Measures #1

2

Learning

Objective #2

Assessment

Measures #2

N

Learning

Objective #N

Assessment

Measures #N

…

Learning

Objective #...

Assessment

Measures #...

3

Learning

Objective #3

Assessment

Measures #3

2b

2a

1

3b

3a

… N

• The visualization may be non-linear with branches and junctions having alternative paths.

Branch

Node

Junction

Node

multiple

Path

options

multiple

Paths

converge

2 3

How Does a Learning Map Work?

2.) Coded Alignment of Objectives and Measures enables Content to be Linked to a Map!

Objectives MeasuresLinked

Learning Modules

Aligned and Coded with

Linked

Assessment Bank Items

Aligned and Coded with

1 32 5 N…4

User Interface Options

(Hoover Over & Zoom Into)

Actions

(Clicks, Pop-up Options) Content

Aligned and Coded with

Objectives Empower:• Learners to explore proficiency tasks

• Mentors to find, create, and share

• Measures of effectiveness can be

quantified by community experience

and qualitative analysis of use.

Aligned and Coded with

Objectives Empower:• Learners to explore skill proficiency

• Mentors to find, create, and share

• Measures of effectiveness can be

quantified by community experience

and qualitative analysis of use.

Link Content Aligned by Codes (Tagging)

Create, Find, Use, and Shared–Experience Pooling

Objective Modules & Assessment Items

• Maps may be Presented using Interactive-Visual-Objects for each location marker along the path it shows

Map

Node

Why are Learning Maps Centrally Important?

3.) Learning Map Perspectives (or Views) of Learners Progression using Datain Alignment with Codified Objectives, Measures, & Content with variability in number of Learners & Time Scale

Objectives Measures

Learner Perspective • Where am I and what tasks are to do

• Find, create, use, and share content

• Peer & mentor collaboration

• Personalize pathway potential

Educator Perspective • All Educators are also Learners

• Find, create, use, and share content

• Professional Development Support

• Virtual Professional Peer Groups

1 32 5 N…4

Content

• Personalize pathway potential

• How do my peer compare with me

• Measures of effectiveness can be

quantified by community experience

with qualitative analytics capacity.

• Virtual Professional Peer Groups

• How do my peer compare with me

• Measures of effectiveness can be

quantified by community experience

with qualitative analytics capacity.

Apply Learner & Educator Perspectives of Progress

along the learning map pathways:

Perspectives: Role & Aggregation

The Learning Map Concept may be Presented using Role-Based-Visual-Objects

integrated with API Driven Dynamic-Data-Aggregation for a Variety of Role Perspectives

Workgroup Perspectives Workgroup Perspectives Guardian Perspectives Guardian Perspectives

Building PerspectivesBuilding Perspectives

Institutional Perspectives Institutional Perspectives

Real-Time PerspectivesReal-Time Perspectives

Future PerspectivesFuture Perspectives State & Local Education Authority PerspectivesState & Local Education Authority Perspectives

Map

Node

How can the Learning Map Concepts be Implemented ?

1 32 5 N…4

Content

Objectives MeasuresMap

Node

Learner Data

Identity Access

Management Services

(IDP/Proxy Hybrid: IAM)

Data Services (Authoritative Source systems, ETL

to SIF ZIS, and automated

propagation to other data

models).

What is Required to Implement Learning Map Concepts?

Parents &

Guardians

Parents &

Guardians

Learner

Progression & Achievement

Data

Learner

Progression & Achievement

Data

Mentors &

Interest Groups

Mentors &

Interest Groups

Learning Content

Repositories

Learning Content

RepositoriesLearning Registry

Network of Nodes

Learning Registry

Network of Nodes

Content Archives,

Libraries, and Museums

Content Archives,

Libraries, and Museums

Application Services

Multi-tenant Portal for

School Districts

LEA Curriculum

Workgroups &

Standards

LEA Curriculum

Workgroups &

Standards

SEA Curriculum

Guidance &

Standards

SEA Curriculum

Guidance &

Standards

Three Essential Pillars of Support:

A K12 Federation Model for the

Core Centralized Services & Operations:

Data, Identity, & Presentation

Illinois Shared Learning

EnvironmentEnvironment

The Platform’s Three Pillars of Support:

Data, Identity, & Appliction

The Core-Central K12 Federation Services

• IlliniCloud is a non-profit organization providing services for primarily for K12

school district all over the state of Illinois. Acting as a K12 federation operator and

service provider, the IlliniCloud is establishing three foundational service

dimensions for the K12 community:

• Data Services

• Identity Services

• Application Services

What Are The Three Service Pillars?

• Minimal threshold of Adoption: The implementation is focused on mitigating

integration requirements for K12 school districts adoption of services with little to

no modification of existing practices and procedures.

End-User Facing Interfaces

Tenants (School Districts)

Backend Interfaces & Services

Tenants (School Districts)

Illinois Shared Learning

Environment

The Platform’s First Pillar of Support:

Data Services

Environment

Operational

Data Store

Raw Source System Intermediate Data Product

Source 1

Source …

Source N

Any Data Model

Reports

Analytics

How Does The Data Service Work?

Raw Source System

Data Matrices

Intermediate

Data Model(s)

Data Product

Propagation

Collection Assemble Produce

District/LEAHow Does the Data Validation Service Work?

Data is collected in the ODS,

where the Data Validation

Rules Engine runs to check for

errors

Data is collected in the ODS,

where the Data Validation

Rules Engine runs to check for

errorsTeacher/Staff

Data

Student

Information

IlliniCloud

User corrects data and resubmits

NO ERRORS

ERRORS

Data Entry

28

If the data is rejected, an error message is generated to the user

Valid data is moved to

the Data Marts

Better Research

Leads to Better

Decisions

Analyze the data in

a spreadsheet

Prepare a report Create a

presentation

Data can now be

analyzed –longitudinal

data analysis can be

performedData is Stored in the

Longitudinal Data Warehouse

NO ERRORS

REAL TIME REPORTS

School District

ZIS

Source 1

Source …

Source N

Any DM

Reports

Analytics

Relational

Data Store

Ed FI API

How Does Data Service Propagation Work for Apps?

SIF/ZIS

Integration API

SP

SP

SP

SP

Ingest Data Validation

and Assembly

SIF 2.5 for each local district sites.

Implicitly enables use of

Application Programmatic Interfaces

(API)

Object

Data StoreInBloom API

Data Propagation

for

Alternative DataModels

SP

SP

SP

School District

Authoritative Source

Systems

SIS FS TR

Automate

Data Set

How Can Data Service Propagation Work for State Reporting?

Data Set

Assembly

and

Propagation

Illinois State

Board of

Education

Data Mart(s)

Propagate

Manage

Error

Resolution

Illinois Shared Learning

Environment

The Platform’s Second Pillar of Support:

Identity Services

Environment

3rd Party Service Providers & Other Federations

Proxy School Non-School

inCommon Google 4 EduOther Service

Providers

Workforce

Development

Users/Orgs

Federated

School District

Users/Orgs

SAML 2.0

OAuth

Trust

Trust

What is the Federated Identity Service?

Districts (1 .. N)

using

Active Directory

Districts (1 .. N)

using

eDirectory

Districts (1 .. N)

using

LDAP/Kerberos

Trust

Trust

Proxy

IDP/SP

School

District

Metadata

Non-School

District

Metadata

Read-Only

Query

Functionality

Central

Service

OAuth

OpenID

Native

Directory

Interface

Authentication Delegation to Authoritative Source

SP

SP

SPSP

IDP

Does not Forward

to Federated Idm

“Cloud Provider”

Google EDU

InC Net+

Apps

InCommon

Federation

Metadata

IDP

K12

Publish

Subscribe

SP

K12 Federation Service Providers

SSO Enabled

How Does the Federated Identity Service Work?

External Federations & Service Providers

K12

Federation

IDP Proxy

Metadata

SP

K12

Org 1

Directory

SP

SP

Authoritative

Directory Source

K12

Org …

K12

Org N

AD | LDAP | Kerberos | eDirectory

SSO Enabled

Not SSO Enabled

K12 Organization

Local Service Providers

School Districts have preexisting

directories and business procedures

that govern practices & processing

Centralized Idm (SAML2) provides local directory

mapping and profiles for federated service uses

Custom ISLE Applications

SP Custom District Applications

How Do Attribute/Value Assertions & Web SSO Sessions Work?

IDP

K12 Request

If No Session then

Prompt Fed-Login

else goto 4

Collects:

eduPersonPrincipleName

Manages the

Delegated Authentication

Challenge/Response

2

Advanced Configuration:

IDP/P + SPiTrust Federation Registry

03

SP

SP Attributes Needed & Parsing:

•eduPersonPrincipleName

•eduPersonAffiliation

•eduPersonOrgDN

•eduPersonEntitlement *(Agreed)

7 8

K12

Federation

IDP Proxy

RequestChallenge/Response

Collects & Assembles:

eduPersonAffiliation

Manages computing

eduPersonEtitlements

that are needed for SP.

Browser

Accesses

Protected

App Resource

1

4

Response

IDP Attribute Resolvers & Filters:

•eduPersonPrincipleName

•eduPersonAffiliation

•eduPersonOrgDN

•eduPersonEntitlement *(Agreed)

If Session then

Process Attribute

Assertions for SP

SPUser has

Navigated here

5 6

** May Have Distinct “Entitlements” for Individual Applications/Resources

How Does the IDP use Tenant User’s Profile?

Browser

Accesses

Protected

App Resource

(SP)

IDP

K12

Federation

IDP Proxy

Browser

Redirected to

IDP/Proxy

LOGIN Service

1. UserName

2. PassWord

3. OrgDN

Delegate

Authentication

Tenant’s

Authoritative

Directory

1. OrganizationDN

2. EPPN

3. Affiliation

4. SP/Entitlement

Tenant(s)

Authoritative

User Session

Profile

Populates

Tenant User

Profile Table

Shibboleth/IDP

DBMS Connected

AttributeResolver

Just-In-Time Provisioning OR Verification/Validation of Existing

<dc:Column columnName="given_name" attributeID="givenName" />

<dc:Column columnName="surname" attributeID="sn" />

<dc:Column columnName="edu_person_nickname" attributeID="eduPersonNickName" />

<dc:Column columnName="mail" attributeID="mail" />

<dc:Column columnName="organization_name" attributeID="organizationName" />

<dc:Column columnName="home_organization_type" attributeID="homeOrganizationType" />

<dc:Column columnName="edu_person_affiliation" attributeID="eduPersonAffiliationList" />

<dc:Column columnName="edu_person_primary_affiliation" attributeID="eduPersonPrimaryAffiliation" />

<dc:Column columnName="edu_person_scoped_affiliation" attributeID="eduPersonScopedAffiliation" />

<dc:Column columnName="edu_person_org_dn" attributeID="eduPersonOrgDN" />

<dc:Column columnName="edu_person_org_unit_dn" attributeID="eduPersonOrgUnitDNList" />

<dc:Column columnName="edu_person_primary_org_unit_dn" attributeID="eduPersonPrimaryOrgUnitDN" />

<dc:Column columnName="uid" attributeID="uid" />

<dc:Column columnName="edu_person_principal_name" attributeID="eduPersonPrincipalName" />

<dc:Column columnName="edu_person_targeted_id" attributeID="eduPersonTargetedID" />

<dc:Column columnName="edu_person_unique_id" attributeID="eduPersonUniqueID" />

<dc:Column columnName="edu_person_assurance" attributeID="eduPersonAssurance" />

<dc:Column columnName="edu_person_principal_name_prior" attributeID="eduPersonPrincipalNamePrior" />

<dc:Column columnName="edu_person_entitlement" attributeID="eduPersonEntitlement" />

<dc:Column columnName="member_of" attributeID="memberOfList" />

Shibboleth/IDP

AttributeFilters

SP/SP Groups

Using attribute/value

pairs available

propagate authorized

assertions to the SP

* given_name,

* surname,

edu_person_nickname,

* mail,

* organization_name,

* home_organization_type,

edu_person_affiliation,

edu_person_primary_affiliation,

edu_person_scoped_affiliation,

edu_person_org_dn,

edu_person_org_unit_dn,

edu_person_primary_org_unit_dn,

* uid,

edu_person_principal_name,

edu_person_targeted_id,

edu_person_unique_id,

edu_person_assurance,

edu_person_principal_name_prior,

edu_person_entitlement,

* member_of

How does eduPersonEntitlement Look Up-Close?

IDP Attribute Resolvers & Filters:

•eduPersonPrincipleName user@domain.ext

•eduPersonAffiliation Facualty, Staff, …, Library Walk-in

•eduPersonOrgDN dc=district, dc=ext

•eduPersonEntitlement *(Agreed) Any String as a UR(N,I,L)

Privilege Groups

Of Interest

SP Attributes Required Values When Group Member:

Needs fine grain privilege mapping to align to some

collection of cohort declarations the user is a member of in

the authoritative source system of reference.

“eduPersonEntitlement” Attribute value(s) to assert:http://ApplicationName.ext/role/ILDATA_Building_Adminstrator,

http://ApplicationName.ext/role/ILDATA_Sheridan_Announcement..,

http://ApplicationName.ext/role/ILDATA_Sheridan_Attendence

the authoritative source system of reference.

Because the Login User Has

Relative: “memberOf”

Attributes Associated

What is the “User Profile”?

IlliniCloud

IAM Service

App Login or Registration

External Identity Provider OAuthGoogle, Facebook, MSN, Yahoo, & Others

Known Person

Yes

Authenticate?Is External

Yes

Anonymous User

No Session

User’s Personal Preferences IDP Registration

Yes

School District

User’s IDP

Registration is

IAM

Identity-Repo

1

2

2a

2bPersonal Profile?Is User Registering?

No

Yes Yes

No No

Registered Public User

Session Okay

Registered Realm User

Session Okay

Yes

No

Anonymous User

No Session

No

No

Yes Yes

Registration is

automated

Identity-Repo

3

4

Is Fed-Realm

3a

4a4b

Is Managing Profile?

Is User AuthN? Fed-Realm? External AuthN?

Delegate AuthN

To District

Known

User, Profile

Persistent, &

Session4c

Has Profile

3bOrgDN Profile?

Yes

No

No No

Illinois Shared Learning

Environment

The Platform’s Third Pillar of Support:Application Services

Multiple Tenant Portal and Application Launcher

Environment

Presentation

Service

Unknown User

May see only

informational content

CASE 2: Federated IDP Other Than

IC IDP/P Authenticates User and

implicitly claims identity authority

for a user’s logical session.

Known User Known User

No Affiliation &

Organization Domain

may use public

Applications

CASE 1: Non-Authenticated Users, Anonymous

Who Will Use the Application Service?

Service

Data Identity

for a user’s logical session.

Known User with Affiliation

assigned may use

organizations informational

content, services, and

applications

CASE 3: Authenticated by IC IDP/P

implies defined Domain and Affiliation

with Authorities expressed in Entitlements

LEA Tenant

Visual Workspace:

What is the Application Service, a “Portal” ?

1.) Web Browser Based Visual Presentation & Workspace Much like the graphical user interface provided by a computer’s operating system (Windows, Macintosh, Tablets, & Smart-phones).

Header: * Optional: May include Active Controls

Buttons & Menus• Clickable Actions or Pop-up

• May Take Input

• May Grouped

• Visually

• Functionally

• Can be Combined with

• Visual Theme Portlet # 1 Floating Window

Portlet #2 Window w/no ControlsPortlet #2 Window w/no Controls

Portlet Workspace

Background Visual Attributes

are generally user definable

and persisted as Preferences

Portlets• Optional Visual Window

• May Contain

• Buttons

• Input/Forms

• Any Media Content

• May be an Application

• May be a Service

• May be Resized or Static

•Full Screen (WrkSpc)

Portal Leverages SSO Service

Horizontal (Button – Bar) S #1 S #2 S #... S #N Input:

Vertical

(Button – Bar)

Button # 1

Button # 2

Button #...

Button #N

Input: Footer: * Optional: May include Active Controls

Button

Icon

Symbol

• Visual Theme

• Preferences

• May be Locate Anywhere

Portlet # 1 Floating Window

Portlet WorkspacePortlet # 3 : Minimized Window

Portlet # .. : Minimized Window

Portlet # N: Invisible Win/Service

Portlet Attributes: are generally user definable and persisted as

Preferences (for each portlet) including size (min, max, full) &

relative workspace location and window state.

•Full Screen (WrkSpc)

• Floating Window

• Minimized (Visible)

• Layered

• May be Remote Service

• May be Local Service

• May be Support Any Media

• Shares Session Attributes

• User/Role

• Organization

• Access Rules

• Authorizations

Portal is the outer visual wrapper and user interface

• Manages User Identity for primary SSO/Sessions

• Shares Session State with Gadgets & Portlets

How Does the “Portal” Work for Users?

Login:

Tab Bar Info

Page

ISLE

Apps

Illinois Open

Education

Resource Search

Teacher@district87.org

Tab Bar ISLE

Apps

Illinois Open

Education

Resource Search

My

Page

District

Apps

Educator

Dashboard

Multi-Tenancy Application Launcher:

Individual school districts are “tenants”

Anonymous &Non-District Authenticated Users:

Public Apps & Informational Page(s)

Resource Search Resource Search

Teacher@unit5.org

Each tenant must be able to customize the appearance & content of the portal for its own needs. Users who log into

the portal get the appropriate experience for the tenant (district) to which they are connected.

Customization examples include logo, colors, header/footer text,

navigation (tabs), and content (portlets). Tenants, moreover, not

only need to manage these items, they also need to “manage

the managers” – they must be able to grant or deny access to

these management functions with regard to their own staff

Teacher@unit5.orgTeacher@unit5.org

Teacher@unit5.orgTeacher@unit5.org

Teacher@unit5.org

How Does the “Portal” Login Process Work?

Multi-Tenancy Global Login (IDP/Proxy):

“Get User & Organization”

A.) Input eduPersonPrincipleName

UserID: MyLoginID @ Domain Name List . 123

Login Name[@domainName.ext]

Populates “OrgDN” List

for Login Nameif more than one force a choice.

Login:

Tab Bar Tenant

Info

ISLE

Apps

Illinois Open

Education Resource

Search

Anonymous User Invokes Login Action

11

De

term

ine

Te

na

ncy

for

Au

the

nti

cati

on

if more than one force a choice.

B.) Derive: eduPersonOrgDN(/OrgUnitDN)

C.) Compute: eduPersonAffiliation

faculty

student

staff

alum

member

affiliate

employee

library-walk-in

Typical “Affiliation” List for Login

Name• if “Educator” then “faculty,member,employee”

•If “Staff Employee” then “staff,member,employee”

•If “Student” then “student, member”

•If “Parent/Gardian“ then “Affiliate”

•If “Externally AuthN then “library-walk-in”

Search

Authentication Service ActionMulti-Tenancy Global Login (IDP/Proxy):

“Delegate Authentication as Required”

D.) Compute: eduPersonEntitlement

https://uportal.illinicloud.org/role/tenancy -manager

https://uportal.illinicloud.org/role/isle-app -manager

https://uportal.illinicloud.org/role/portal-admin

https://uportal.illinicloud.org/role/portal-educator

https://uportal.illinicloud.org/role/portal-student

De

term

ine

Te

na

ncy

for

Au

the

nti

cati

on

22D

ete

rmin

e R

ole

Pri

vil

eg

es

Teacher@district87.org

Illinois Open

Education Educator

Dashboard

Tab

Bar

Isle

Apps

District

Apps

EC/PK

Apps

My

Page

Tea

che

r

General Purpose Login Process

User’s “Tenant & Role” are Manifested as a Result of Login

Tenant Portal-Manager Controls •Visual Attribute Customizations

•User Role Based Content Customizations

Education

Resource Search Dashboard

Tab

Bar

Isle

Apps

Tenant

Apps

Office

Apps

My

Page

Administrator@unit5.org

Illinois Open

Education

Resource Search

Educator

Dashboard

Tab

Bar

Isle

Apps

District

Apps

Admin

Tools

My

Page

Student@usd116.org

Tab

Bar

Isle

Apps

Grade 8

Apps

Office

Apps

My

PageStu

de

nt

Sta

ff

Tea

che

r

Ad

min

istr

ato

rStaff@illiniCloud.org

Illinois Shared Learning

EnvironmentThree Pillars of Support Married With

Application Programmatic Interfaces:

Offer Significant Potential for LEAs* to Realize the Promise Envisioned for the ISLE

Platform Operated as a K12 Federation for K12 by K12!

* Local Educational Authority

Environment

inBloom ServicesilliniCloud Services

Pro

vid

er

Re

gis

tra

tio

n

Application

Registry

Federated

SD001

SD002

inBloom

Data, Roles

and Identity

SD-Managed

Data-Store

Org SD

SD Staff

SD Edu

Edu KidinBloom

Data, Roles

and Identity

IAM

Integration

API

Service

to inBloomODS

SIF_2.5SIF_2.5

to

EDFI

Local System

to

SIF_2.5

SD001

SD002

SD …

SDNNN

Application ProvidersinCommon Services

inBloominBloom

Application

Providers

Pro

vid

er

Re

gis

tra

tio

n

Federated

IAM

Service

SD002

SD …

SDNNNinCommon

Data, Roles

and Identity

inCommon

Services and

Applications

inCommon

Federation

Federated

Services

Auth[N/Z]

Net+ and Affiliate

Services

Au

th[N

/Z]

Au

th[N

/Z]

inBloom

Applications

Directory

illiniCloud Services Application Providers

inBloom Services

inBloominBloom

Application

Providers

Pro

vid

er

Pro

vid

er

Re

gis

tra

tio

n

SD001

SD002

inBloom

Data, Roles

and Identity

Federated

Pe

rso

n R

ole

s

Data-Store

Org SD

SD Staff

SD Edu

Edu Kid

inBloom

Data, Roles

and Identity

API

ServiceData, Role & Id

ODS

SIF_2.5SIF_2.5

to

EDFI

Local System

to

SIF_2.5

SD001

SD002

SD …

SDNNN

inBloom OperatorinBloom Operator

API ServiceAPI Service

Au

th[N

/Z]

Da

ta,

Ro

le &

Id

Ro

les

& I

d

inCommon Services

Application

Registry

SD002

SD …

SDNNNinCommon

Data, Roles

and Identity

Federated

IAM

Service

inCommon

Services and

Applications

inCommon

Federation

Fe

d 2

Fe

d

Net+ and Affiliate

Services

Au

th[N

/Z]

Auth[N/Z] and Identity

IAM

Integration

IAM

Integration

inBloom

Applications

Directory

App/Key

Federated

Services

MD

Ag

rgtr

Application Providers

Third Party Third Party

Application

Providers

2

portal

lz

admin

api

dashboard

databrowser

Create Tenant-Adm

3

Tenant #1

Service Owner

How Does the iBMLSS Define a Tenant from the Top-Level?

inBloom Model

Local Service Stack

SLC Operator

Tenant Admin

Management New LDAP Entry

LDAP Entry

1

sidp

iBMLSS

LDAP

Good

Text ?

SN= ?

How the iBMLSS Works with SimpleIDP & DataStore Services?

sidp

iBMLSS

LDAP

lz

admin

api

https://github.com/inbloom/secure-data-service/blob/master/sli/simple-idp/src/main/java/org/slc/sli/sandbox/idp/service/UserService.java

Tenant User #1

lz

Email

Validation &

Approval

Process

Creates Logical

Data Store/LZ

Designate

AuthN Service

How Does the iBMLSS LDAP Service Work with SimpleIDP Service?

sidp

iBMLSS

LDAP

Tenant User #1

lz

admin

api

https://demo-1-sidp.demo.inbloom.org/simple-idp?realm=SLC-LDAP1

Email

Validation &

Approval

Process

Create Logical

LandingZone

Designate

AuthN Service

lz

How Does the iBMLSS Work with API User Roles & Dir-Groups?

sidp

iBMLSS

LDAP

lz

admin

api

Directory Groups Map

To Fixed-Role Privileges

(Manual )

LDAP

to

SAML

The image part with relationship ID rId2 was not found in the file.

Questions

& &

Comments

Bernie Acs {acs1@illinois.edu}, Jim Peterson {jim@illinicloud.org}, Jason Radford {jradford@illinicloud.org}

Scott Isaacson {sisaacson@esucc.org}, Mike Danahy {mdanahy@esu2.org}