Federation and Cloud Services
for the K12 Community
Quilt/InCommon K12 Pilot Project Summary
Two Cases: Illinois and Nebraska
What is Envisioned, Experiences, and Challenges
Bernie Acs {[email protected]}, Jim Peterson {[email protected]}, Jason Radford {[email protected]}
Scott Isaacson {[email protected]}, Mike Danahy {[email protected]}
Illinois Shared Learning Environment
The One-Slide Summary
Create, Find, Map, Use, and Visualize Data Linked to Content
and Standards enabling Personalized Learning and Career
Preparedness for All Illinois Learners (P-K12 & Life-Long).
Diagram: Local School District (Collect, Assemble, & Propagate) → Ed-Fi Data Model (Data Store, Services, Application Program Interface (API)) → Illinois Shared Learning Environment – ISLE (Search & Registry, Index for Content, Content Producers/Consumers, Content Brokers, Learning Maps & Learning Content, Applications and Dashboards, Dynamic Cloud Infrastructure: Apps, DB, Compute; GOMB) → Partner Institutions / Data Centers.
Participating LEA: 2 SLC Pilot, 35 RttT-3, ~20% of Illinois Students (with RttT-3 SD, ~840 to go).
Partners: ISLE Grant DCEO -> NCSA/UIUC; ISLE-IGA: NCSA/UIUC -> NIU, SIU, & IC.
Students, Educators, Parents, Researchers, Schools, Institutions and Agencies empowered by the Middleware infrastructure and Dynamic Self-Service Procurement Cloud Platform Services:
• Learning Maps • Applications • Dashboards • Portal Integration
• Databases • Collaboration Tools • Development Incubator
• Advanced Analytics • Shared Data Services • Enterprise Services
SLC (Service Agreement): ISBE/LEA
RttT-3 Grant : ISBE/LEA
RttT-Early Childhood : ISBE/LEA
Pathways/STEM LE : ISBE/DCEO
Diagram (repeated from the previous slide): ISLE, K12 School Districts, Partners, & Data Centers; Learning Maps, Assessments, & Learning Content; Applications and Dashboards; Dynamic Cloud Infrastructure (Apps, DB, Compute).
Nebraska K12/P20W Pilot
Four Slide Summary
Diagram: Nebraska K-12 Federation with District Integration (IdP Proxy, Authentication & Authorization); Learning Object Repository; SIS DB; Ed-Fi ODS with ETL; Compute; Metrics; Basic Services (VM Hosting, Learning Management Systems); Ed-Fi Dashboards; Self-service Portal with Auto-provision & De-provision; Internet2 (K.C. GigaPop).
Courtesy of Tom Rolfes, Nebraska Office of the CIO
• Network Nebraska-Education CURRENT Partners (261)
– 223 public school districts
– 16 Educational Service Units
– 10 public colleges
– 7 nonpublic colleges
– 2 tribal colleges
– 3 nonpublic schools
– 1 public library
• Network Nebraska-Education POTENTIAL Partners (460+)
– 28 public school districts
– 1 Educational Service Unit
– 7 nonpublic colleges
– 159 nonpublic schools
– 269 public libraries
Courtesy of Tom Rolfes, Nebraska Office of the CIO
K12 to P20
Vision Resources
• Compelling case for effective utilization of resources
– Might call this zero system administration.
– http://www.azed.gov/aelas/files/2013/10/aelas-business-case-v1.5.pdf
• Jack’s story is the vision of interoperability through standards
– http://www.setda.org/wp-content/uploads/2013/11/Data-to-Information.pdf
• Data Quality Campaign infographic vision on using data
– http://www2.dataqualitycampaign.org/files/Data-Rich%20Year%20Infographic.pdf
• Visionary Resources: A little on the techie side
– Learning Registry http://www.learningregistry.org
– Advanced Distributed Learning: http://www.adlnet.gov/
– SCORM http://scorm.com/scorm-explained/
– IMS Global: http://www.imsglobal.org/
– SETDA : http://www.setda.org
Illinois Shared Learning Environment
Exploring the Learning Map Concept:
A Revolutionary Catalyst for the K12 Community and Pedagogy
What is a Learning Map?
1.) Visual Representation of a Series of Learning Objectives & Assessment of Mastery
Diagram: a path of numbered nodes 1, 2, 3, …, N, each pairing Learning Objective #k with Assessment Measures #k; a node may split into sub-paths (2a/2b, 3a/3b).
• The visualization may be non-linear with branches and junctions having alternative paths.
Diagram: a Branch Node opens multiple path options; a Junction Node is where multiple paths converge.
How Does a Learning Map Work?
2.) Coded Alignment of Objectives and Measures enables Content to be Linked to a Map!
Diagram: Objectives are Aligned and Coded with Linked Learning Modules; Measures are Aligned and Coded with Linked Assessment Bank Items; map nodes 1 … N each carry Content Aligned and Coded with Objectives.
User Interface Options (Hover Over & Zoom Into); Actions (Clicks, Pop-up Options).
Content Aligned and Coded with Objectives Empowers:
• Learners to explore skill proficiency tasks
• Mentors to find, create, and share
• Measures of effectiveness can be quantified by community experience and qualitative analysis of use.
Link Content Aligned by Codes (Tagging)
Create, Find, Use, and Share – Experience Pooling of Objective Modules & Assessment Items
• Maps may be Presented using Interactive-Visual-Objects (Map Nodes) for each location marker along the path it shows
Why are Learning Maps Centrally Important?
3.) Learning Map Perspectives (or Views) of Learners’ Progression using Data in Alignment with Codified Objectives, Measures, & Content, with variability in number of Learners & Time Scale
Learner Perspective:
• Where am I and what tasks are to do
• Find, create, use, and share content
• Peer & mentor collaboration
• Personalize pathway potential
• How do my peers compare with me
• Measures of effectiveness can be quantified by community experience with qualitative analytics capacity.
Educator Perspective:
• All Educators are also Learners
• Find, create, use, and share content
• Professional Development Support
• Virtual Professional Peer Groups
• How do my peers compare with me
• Measures of effectiveness can be quantified by community experience with qualitative analytics capacity.
Apply Learner & Educator Perspectives of Progress along the learning map pathways.
Perspectives: Role & Aggregation
The Learning Map Concept may be Presented using Role-Based-Visual-Objects integrated with API Driven Dynamic-Data-Aggregation for a Variety of Role Perspectives: Workgroup, Guardian, Building, Institutional, Real-Time, Future, and State & Local Education Authority Perspectives.
How can the Learning Map Concepts be Implemented?
Diagram: Map Nodes 1 … N with Objectives, Measures, & Content are fed by Learner Data through:
• Identity Access Management Services (IDP/Proxy Hybrid: IAM)
• Data Services (Authoritative Source systems, ETL to SIF ZIS, and automated propagation to other data models)
What is Required to Implement Learning Map Concepts?
• Parents & Guardians
• Learner Progression & Achievement Data
• Mentors & Interest Groups
• Learning Content Repositories
• Learning Registry Network of Nodes
• Content Archives, Libraries, and Museums
• Application Services: Multi-tenant Portal for School Districts
• LEA Curriculum Workgroups & Standards
• SEA Curriculum Guidance & Standards
Three Essential Pillars of Support:
A K12 Federation Model for the Core Centralized Services & Operations: Data, Identity, & Presentation
Illinois Shared Learning Environment
The Platform’s Three Pillars of Support: Data, Identity, & Application
The Core-Central K12 Federation Services
• IlliniCloud is a non-profit organization providing services primarily for K12 school districts all over the state of Illinois. Acting as a K12 federation operator and service provider, the IlliniCloud is establishing three foundational service dimensions for the K12 community:
• Data Services
• Identity Services
• Application Services
What Are The Three Service Pillars?
• Minimal threshold of Adoption: The implementation is focused on mitigating integration requirements for K12 school districts’ adoption of services, with little to no modification of existing practices and procedures.
Diagram: End-User Facing Interfaces and Backend Interfaces & Services, each serving Tenants (School Districts).
Illinois Shared Learning Environment
The Platform’s First Pillar of Support: Data Services
How Does The Data Service Work?
Diagram: Raw Source System Data Matrices (Source 1 … Source N) → Collection → Operational Data Store → Assemble → Intermediate Data Model(s) (Any Data Model) → Produce → Data Product Propagation (Reports, Analytics).
How Does the Data Validation Service Work?
Flow (District/LEA → IlliniCloud):
1. Data Entry: Teacher/Staff Data and Student Information are submitted.
2. Data is collected in the ODS, where the Data Validation Rules Engine runs to check for errors.
3. ERRORS: if the data is rejected, an error message is generated to the user; the user corrects the data and resubmits.
4. NO ERRORS: valid data is moved to the Data Marts and stored in the Longitudinal Data Warehouse, which feeds REAL TIME REPORTS.
5. Data can now be analyzed – longitudinal data analysis can be performed: analyze the data in a spreadsheet, prepare a report, create a presentation. Better Research Leads to Better Decisions.
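A worked model of the validation step above, added here as an example and not IlliniCloud's or Ed-Fi's code: records land in the ODS, every rule runs, rejected rows go back to the submitter with an error message, and only clean rows move on to the Data Mart. The rules, field names, reference data (`KNOWN_SCHOOLS`, `AS_OF`) and the sample submission are constructed for the example.

```python
"""Constructed Data Validation Rules Engine: collect, run every rule, reject or pass to the Data Mart."""
from datetime import date

AS_OF = date(2014, 3, 1)                 # constructed "today" so the batch result is reproducible
KNOWN_SCHOOLS = {"SCH-001", "SCH-002"}  # constructed stand-in for the authoritative school list
VALID_GRADES = {"K"} | {str(g) for g in range(1, 13)}
REQUIRED = ("student_id", "school_id", "grade", "enrollment_date")


def rule_required(rec):
    return [f"missing required field '{f}'" for f in REQUIRED if not rec.get(f)]


def rule_school_exists(rec):
    sid = rec.get("school_id")
    return [] if not sid or sid in KNOWN_SCHOOLS else [f"unknown school_id '{sid}'"]


def rule_grade(rec):
    g = rec.get("grade")
    return [] if not g or g in VALID_GRADES else [f"grade '{g}' is not K-12"]


def rule_enrollment_date(rec):
    raw = rec.get("enrollment_date")
    if not raw:
        return []  # absence is already reported by rule_required
    try:
        d = date.fromisoformat(raw)
    except ValueError:
        return [f"enrollment_date '{raw}' is not ISO yyyy-mm-dd"]
    return [f"enrollment_date {raw} is in the future"] if d > AS_OF else []


RULES = [rule_required, rule_school_exists, rule_grade, rule_enrollment_date]


def validate_batch(records):
    """Return (data_mart_rows, rejections); a rejection carries the row number and every message found."""
    accepted, rejected, seen = [], [], set()
    for row, rec in enumerate(records):
        errors = [msg for rule in RULES for msg in rule(rec)]
        sid = rec.get("student_id")
        if sid:
            if sid in seen:  # batch-level rule: the same student submitted twice
                errors.append(f"duplicate student_id '{sid}' in this submission")
            seen.add(sid)
        if errors:
            rejected.append({"row": row, "student_id": sid, "errors": errors})
        else:
            accepted.append(rec)
    return accepted, rejected


SAMPLE_SUBMISSION = [  # constructed district upload: one clean row, four that should bounce
    {"student_id": "S-100", "school_id": "SCH-001", "grade": "8", "enrollment_date": "2013-08-20"},
    {"student_id": "S-101", "school_id": "SCH-999", "grade": "8", "enrollment_date": "2013-08-20"},
    {"student_id": "S-102", "school_id": "SCH-002", "grade": "13", "enrollment_date": "2014-09-01"},
    {"student_id": "", "school_id": "SCH-002", "grade": "K", "enrollment_date": "08/20/2013"},
    {"student_id": "S-100", "school_id": "SCH-001", "grade": "8", "enrollment_date": "2013-08-20"},
]

if __name__ == "__main__":
    marts, bounced = validate_batch(SAMPLE_SUBMISSION)
    print(f"{len(marts)} row(s) to Data Mart, {len(bounced)} returned to submitter")
    for r in bounced:
        print(f"row {r['row']} ({r['student_id'] or '<no id>'}): " + "; ".join(r["errors"]))
```

Every rule reports all of its findings rather than stopping at the first, so the submitter gets one complete error message per row and corrects it in a single resubmission instead of discovering problems one at a time.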
How Does Data Service Propagation Work for Apps?
Diagram: School District ZIS (Source 1 … Source N) → SIF/ZIS Integration API → Ingest, Data Validation and Assembly → Relational Data Store (Any DM; Reports, Analytics) with Ed-Fi API → Object Data Store with inBloom API → Data Propagation for Alternative Data Models → Service Providers (SP).
SIF 2.5 for each local district site implicitly enables use of Application Programmatic Interfaces (API).
How Can Data Service Propagation Work for State Reporting?
Diagram: School District Authoritative Source Systems (SIS, FS, TR) → Automate Data Set → Data Set Assembly and Propagation → Propagate to Illinois State Board of Education Data Mart(s); Manage Error Resolution.
Illinois Shared Learning Environment
The Platform’s Second Pillar of Support: Identity Services
What is the Federated Identity Service?
Diagram: 3rd Party Service Providers & Other Federations (InCommon, Google 4 Edu, Other Service Providers; Workforce Development Users/Orgs) connect through the Proxy (School / Non-School) to Federated School District Users/Orgs, with Trust established over SAML 2.0 and OAuth.
Districts (1 .. N) using Active Directory, Districts (1 .. N) using eDirectory, and Districts (1 .. N) using LDAP/Kerberos each Trust the Proxy IDP/SP, which reaches them through a Native Directory Interface with Read-Only Query Functionality. The Central Service holds School District Metadata and Non-School District Metadata and also supports OAuth and OpenID.
Authentication Delegation to Authoritative Source
Diagram: SPs registered in the InCommon Federation Metadata (“Cloud Provider”: Google EDU, InC Net+ Apps) and K12 Federation Service Providers are SSO Enabled through the K12 IDP, which publishes and subscribes federation metadata; an IDP that is not federated does not forward to the Federated IdM.
How Does the Federated Identity Service Work?
Diagram: External Federations & Service Providers ↔ K12 Federation IDP Proxy (Metadata) ↔ K12 Org 1 … K12 Org N, each with an Authoritative Directory Source (AD | LDAP | Kerberos | eDirectory) and Local Service Providers, some SSO Enabled and some Not SSO Enabled; Custom ISLE Applications and Custom District Applications are SPs.
School Districts have preexisting directories and business procedures that govern practices & processing.
Centralized IdM (SAML2) provides local directory mapping and profiles for federated service uses.
How Do Attribute/Value Assertions & Web SSO Sessions Work?
1. Browser accesses a Protected App Resource at the SP.
2. The SP sends a request to the K12 IDP. If there is no session, the IDP prompts for Fed-Login; otherwise it goes to step 4.
3. The IDP collects eduPersonPrincipalName and manages the Delegated Authentication Challenge/Response with the K12 Federation IDP Proxy, which collects & assembles eduPersonAffiliation and manages computing the eduPersonEntitlements that are needed for the SP.
4. Response: if there is a session, the IDP processes attribute assertions for the SP.
5./6. IDP Attribute Resolvers & Filters: eduPersonPrincipalName, eduPersonAffiliation, eduPersonOrgDN, eduPersonEntitlement *(Agreed).
7./8. SP Attributes Needed & Parsing: eduPersonPrincipalName, eduPersonAffiliation, eduPersonOrgDN, eduPersonEntitlement *(Agreed); the user has now navigated to the SP resource.
Advanced Configuration: IDP/P + SP in the iTrust Federation Registry.
** May Have Distinct “Entitlements” for Individual Applications/Resources
How Does the IDP use Tenant User’s Profile?
1. Browser accesses a Protected App Resource (SP) and is redirected to the IDP/Proxy LOGIN Service, which takes: 1. UserName, 2. PassWord, 3. OrgDN.
2. The K12 Federation IDP Proxy delegates authentication to the Tenant’s Authoritative Directory, which returns: 1. OrganizationDN, 2. EPPN, 3. Affiliation, 4. SP/Entitlement.
3. The Tenant(s) Authoritative User Session Profile populates the Tenant User Profile Table, read by the Shibboleth/IDP DBMS-connected AttributeResolver (Just-In-Time Provisioning OR Verification/Validation of an Existing profile):
<dc:Column columnName="given_name" attributeID="givenName" />
<dc:Column columnName="surname" attributeID="sn" />
<dc:Column columnName="edu_person_nickname" attributeID="eduPersonNickName" />
<dc:Column columnName="mail" attributeID="mail" />
<dc:Column columnName="organization_name" attributeID="organizationName" />
<dc:Column columnName="home_organization_type" attributeID="homeOrganizationType" />
<dc:Column columnName="edu_person_affiliation" attributeID="eduPersonAffiliationList" />
<dc:Column columnName="edu_person_primary_affiliation" attributeID="eduPersonPrimaryAffiliation" />
<dc:Column columnName="edu_person_scoped_affiliation" attributeID="eduPersonScopedAffiliation" />
<dc:Column columnName="edu_person_org_dn" attributeID="eduPersonOrgDN" />
<dc:Column columnName="edu_person_org_unit_dn" attributeID="eduPersonOrgUnitDNList" />
<dc:Column columnName="edu_person_primary_org_unit_dn" attributeID="eduPersonPrimaryOrgUnitDN" />
<dc:Column columnName="uid" attributeID="uid" />
<dc:Column columnName="edu_person_principal_name" attributeID="eduPersonPrincipalName" />
<dc:Column columnName="edu_person_targeted_id" attributeID="eduPersonTargetedID" />
<dc:Column columnName="edu_person_unique_id" attributeID="eduPersonUniqueID" />
<dc:Column columnName="edu_person_assurance" attributeID="eduPersonAssurance" />
<dc:Column columnName="edu_person_principal_name_prior" attributeID="eduPersonPrincipalNamePrior" />
<dc:Column columnName="edu_person_entitlement" attributeID="eduPersonEntitlement" />
<dc:Column columnName="member_of" attributeID="memberOfList" />
Shibboleth/IDP AttributeFilters for SP/SP Groups: using the attribute/value pairs available, propagate authorized assertions to the SP:
* given_name, * surname, edu_person_nickname, * mail, * organization_name, * home_organization_type,
edu_person_affiliation, edu_person_primary_affiliation, edu_person_scoped_affiliation,
edu_person_org_dn, edu_person_org_unit_dn, edu_person_primary_org_unit_dn,
* uid, edu_person_principal_name, edu_person_targeted_id, edu_person_unique_id, edu_person_assurance,
edu_person_principal_name_prior, edu_person_entitlement, * member_of
How does eduPersonEntitlement Look Up-Close?
IDP Attribute Resolvers & Filters:
• eduPersonPrincipalName [email protected]
• eduPersonAffiliation Faculty, Staff, …, Library Walk-in
• eduPersonOrgDN dc=district, dc=ext
• eduPersonEntitlement *(Agreed) Any String as a UR(N,I,L)
Privilege Groups of Interest – SP Attributes Required Values When Group Member: this needs fine-grain privilege mapping to align to some collection of cohort declarations the user is a member of in the authoritative source system of reference.
Because the login user has relative “memberOf” attributes associated, the “eduPersonEntitlement” attribute value(s) to assert are, for example:
http://ApplicationName.ext/role/ILDATA_Building_Adminstrator,
http://ApplicationName.ext/role/ILDATA_Sheridan_Announcement..,
http://ApplicationName.ext/role/ILDATA_Sheridan_Attendence
What is the “User Profile”?
Flowchart (IlliniCloud IAM Service):
1. App Login or Registration. Is User AuthN? If not, the user is an Anonymous User with No Session.
2. Is External AuthN? An External Identity Provider (OAuth: Google, Facebook, MSN, Yahoo, & Others) may authenticate a Known Person. With a Personal Profile the user is a Registered Public User (Session Okay); otherwise, if the user is registering, the User’s Personal Preferences are recorded in the IAM Identity-Repo (2a/2b).
3. Is Fed-Realm? For a School District user, AuthN is delegated to the District (3a). With an OrgDN Profile the user is a Registered Realm User (Session Okay); otherwise the User’s IDP Registration is automated into the IAM Identity-Repo (3b).
4. Is Managing Profile? A Known User with a persistent Profile & Session may manage that profile (4a/4b/4c).
Illinois Shared Learning Environment
The Platform’s Third Pillar of Support: Application Services
Multiple Tenant Portal and Application Launcher
Who Will Use the Application Service?
CASE 1: Non-Authenticated Users, Anonymous – an Unknown User may see only informational content.
CASE 2: A Federated IDP Other Than the IC IDP/P Authenticates the User and implicitly claims identity authority for the user’s logical session – a Known User with No Affiliation & Organization Domain may use public Applications.
CASE 3: Authenticated by the IC IDP/P, which implies a defined Domain and Affiliation with Authorities expressed in Entitlements – a Known User with Affiliation assigned may use the organization’s informational content, services, and applications.
Diagram: Presentation Service, Data Service, and Identity Service underpin the LEA Tenant Visual Workspace.
What is the Application Service, a “Portal”?
1.) Web Browser Based Visual Presentation & Workspace, much like the graphical user interface provided by a computer’s operating system (Windows, Macintosh, Tablets, & Smart-phones).
Header: * Optional: May include Active Controls
Buttons & Menus (Horizontal or Vertical Button-Bar: Button #1 … Button #N; Button, Icon, Symbol; Input):
• Clickable Actions or Pop-up
• May Take Input
• May be Grouped Visually or Functionally
• Can be Combined with Visual Theme and Preferences
• May be Located Anywhere
Portlet Workspace: Background Visual Attributes are generally user definable and persisted as Preferences.
Portlets (e.g. Portlet #1 Floating Window, Portlet #2 Window w/no Controls, Portlet #3 Minimized Window, Portlet #N Invisible Win/Service):
• Optional Visual Window
• May Contain Buttons, Input/Forms, Any Media Content
• May be an Application or a Service
• May be Resized or Static: Full Screen (WrkSpc), Floating Window, Minimized (Visible), Layered
• May be a Remote Service or a Local Service
• May Support Any Media
• Shares Session Attributes: User/Role, Organization, Access Rules, Authorizations
Portlet Attributes are generally user definable and persisted as Preferences (for each portlet) including size (min, max, full) & relative workspace location and window state.
Footer: * Optional: May include Active Controls
Portal Leverages SSO Service. The Portal is the outer visual wrapper and user interface:
• Manages User Identity for primary SSO/Sessions
• Shares Session State with Gadgets & Portlets
How Does the “Portal” Work for Users?
Diagram: Login; Tab Bar for anonymous users (Info Page, ISLE Apps, Illinois Open Education Resource Search); Tab Bar after login (ISLE Apps, Illinois Open Education Resource Search, My Page, District Apps, Educator Dashboard).
Multi-Tenancy Application Launcher: Individual school districts are “tenants”.
Anonymous & Non-District Authenticated Users: Public Apps & Informational Page(s), Resource Search.
Each tenant must be able to customize the appearance & content of the portal for its own needs. Users who log into the portal get the appropriate experience for the tenant (district) to which they are connected. Customization examples include logo, colors, header/footer text, navigation (tabs), and content (portlets). Tenants, moreover, not only need to manage these items, they also need to “manage the managers”: they must be able to grant or deny access to these management functions with regard to their own staff.
How Does the “Portal” Login Process Work?
Multi-Tenancy Global Login (IDP/Proxy): “Get User & Organization”
An Anonymous User invokes the Login action; the IDP/Proxy then determines tenancy for authentication and determines role privileges:
A.) Input eduPersonPrincipalName – UserID: Login Name[@domainName.ext]. The Login Name populates the “OrgDN” list (Domain Name List); if more than one, force a choice.
B.) Derive: eduPersonOrgDN(/OrgUnitDN)
C.) Compute: eduPersonAffiliation – one or more of faculty, student, staff, alum, member, affiliate, employee, library-walk-in. Typical “Affiliation” List for Login Name:
• if “Educator” then “faculty,member,employee”
• if “Staff Employee” then “staff,member,employee”
• if “Student” then “student, member”
• if “Parent/Guardian” then “affiliate”
• if “Externally AuthN” then “library-walk-in”
Multi-Tenancy Global Login (IDP/Proxy): “Delegate Authentication as Required” (Authentication Service Action)
D.) Compute: eduPersonEntitlement
https://uportal.illinicloud.org/role/tenancy-manager
https://uportal.illinicloud.org/role/isle-app-manager
https://uportal.illinicloud.org/role/portal-admin
https://uportal.illinicloud.org/role/portal-educator
https://uportal.illinicloud.org/role/portal-student
Diagram: after login, a Teacher’s Tab Bar shows Isle Apps, District Apps, EC/PK Apps, My Page, Illinois Open Education Resource Search, and the Educator Dashboard.
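A runnable model, added here as an example and not ISLE/IlliniCloud code, of the login steps A–D above together with the Web SSO session check described under “How Do Attribute/Value Assertions & Web SSO Sessions Work?” and the memberOf-to-entitlement mapping from “How does eduPersonEntitlement Look Up-Close?”. The tenant registry, tenant directories, group-to-entitlement rules, per-SP release policy and user accounts are all constructed; the affiliation table is the one on the slide, and the entitlement URIs reuse the uportal role strings listed above.

```python
"""Constructed IDP/Proxy: resolve tenancy, delegate AuthN, compute attributes, release per SP policy."""
import hmac
import secrets

# Step A/B: constructed tenant registry, login domain -> eduPersonOrgDN.
TENANTS = {"unit5.org": "dc=unit5,dc=ext", "district2.ext": "dc=district2,dc=ext"}

# Constructed authoritative directories keyed by OrgDN: uid -> (password, user type, memberOf groups).
DIRECTORIES = {
    "dc=unit5,dc=ext": {
        "jdoe": ("pw-jdoe", "Educator", ["ILDATA_Building_Administrator"]),
        "astudent": ("pw-stu", "Student", []),
    },
    "dc=district2,dc=ext": {"jdoe": ("pw-other", "Staff Employee", [])},
}

# Step C: typical affiliation list per login-name type (the slide's table).
AFFILIATION_RULES = {
    "Educator": ["faculty", "member", "employee"],
    "Staff Employee": ["staff", "member", "employee"],
    "Student": ["student", "member"],
    "Parent/Guardian": ["affiliate"],
    "Externally AuthN": ["library-walk-in"],
}

# Step D: constructed mappings from directory group / affiliation to entitlement URIs.
GROUP_ENTITLEMENTS = {"ILDATA_Building_Administrator": "https://uportal.illinicloud.org/role/portal-admin"}
AFFILIATION_ENTITLEMENTS = {
    "faculty": "https://uportal.illinicloud.org/role/portal-educator",
    "student": "https://uportal.illinicloud.org/role/portal-student",
}

# Attribute filter: constructed per-SP set of agreed attributes; anything not listed is never released.
SP_POLICY = {
    "https://dashboard.example/sp": {"eduPersonPrincipalName", "eduPersonAffiliation",
                                     "eduPersonOrgDN", "eduPersonEntitlement"},
    "https://public-app.example/sp": {"eduPersonAffiliation"},
}

SESSIONS = {}  # session id -> resolved attributes (the IDP's Web SSO session store)


class AmbiguousTenancy(Exception):
    """More than one tenant knows this login name: the login page must force a choice."""


class AuthenticationFailed(Exception):
    """Unknown login name or rejected credentials; one message for both avoids account enumeration."""


def resolve_tenancy(login, chosen_domain=None):
    """Steps A and B: 'name[@domain]' -> (uid, domain, OrgDN)."""
    uid, _, domain = login.partition("@")
    candidates = [domain] if domain else list(TENANTS)  # no domain given: every tenant is a candidate
    candidates = [d for d in candidates if d in TENANTS and uid in DIRECTORIES[TENANTS[d]]]
    if chosen_domain is not None:
        candidates = [d for d in candidates if d == chosen_domain]
    if not candidates:
        raise AuthenticationFailed("login rejected")
    if len(candidates) > 1:
        raise AmbiguousTenancy(sorted(candidates))
    return uid, candidates[0], TENANTS[candidates[0]]


def authenticate(login, password, chosen_domain=None):
    """Delegate the credential check to the tenant directory, then compute steps C and D."""
    uid, domain, org_dn = resolve_tenancy(login, chosen_domain)
    stored_pw, user_type, groups = DIRECTORIES[org_dn][uid]
    # Constant-time compare stands in for the directory's own bind; the proxy stores no passwords.
    if not hmac.compare_digest(stored_pw.encode(), password.encode()):
        raise AuthenticationFailed("login rejected")
    affiliation = list(AFFILIATION_RULES[user_type])
    entitlements = {GROUP_ENTITLEMENTS[g] for g in groups if g in GROUP_ENTITLEMENTS}
    entitlements |= {AFFILIATION_ENTITLEMENTS[a] for a in affiliation if a in AFFILIATION_ENTITLEMENTS}
    attrs = {
        "eduPersonPrincipalName": f"{uid}@{domain}",
        "eduPersonOrgDN": org_dn,
        "eduPersonAffiliation": affiliation,
        "eduPersonEntitlement": sorted(entitlements),
        "mail": f"{uid}@{domain}",  # resolved, but released only if an SP policy names it
    }
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = attrs
    return sid


def sso_request(sp_entity_id, session_id=None):
    """Web SSO steps 2-4: no session -> prompt federated login; otherwise release filtered assertions."""
    attrs = SESSIONS.get(session_id)
    if attrs is None:
        return {"action": "prompt-fed-login"}
    allowed = SP_POLICY.get(sp_entity_id, set())  # unregistered SP: empty assertion
    return {"action": "assert", "attributes": {k: v for k, v in attrs.items() if k in allowed}}
```

Two behaviours are worth noticing: a login name without a domain that exists in two tenant directories raises `AmbiguousTenancy` instead of guessing (the “force a choice” rule in step A), and the release filter is applied per SP at assertion time, so the same session yields a full attribute set to the dashboard SP and only the affiliation to the public app.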
General Purpose Login Process
User’s “Tenant & Role” are Manifested as a Result of Login
Tenant Portal-Manager Controls:
• Visual Attribute Customizations
• User Role Based Content Customizations
Diagram: role-specific Tab Bars, each with Illinois Open Education Resource Search – Teacher: Isle Apps, District Apps, EC/PK Apps, My Page, Educator Dashboard; Staff: Isle Apps, Tenant Apps, Office Apps, My Page; Administrator: Isle Apps, District Apps, Admin Tools, My Page; Student: Isle Apps, Grade 8 Apps, Office Apps, My Page.
Illinois Shared Learning Environment
Three Pillars of Support Married With Application Programmatic Interfaces:
Offer Significant Potential for LEAs* to Realize the Promise Envisioned for the ISLE Platform Operated as a K12 Federation for K12 by K12!
* Local Educational Authority
Diagram (illiniCloud Services, inBloom Services, inCommon Services, Application Providers):
• School Districts SD001, SD002, SD …, SDNNN each run a Local System → SIF_2.5 → EDFI ODS; an SD-Managed Data-Store holds the Person Roles Org SD, SD Staff, SD Edu, and Edu Kid.
• illiniCloud IAM Integration and an API Service carry Data, Roles & Identity to the inBloom Operator API Service, and Auth[N/Z] to the Federated IAM Service.
• inBloom Services: Provider Registration, Application Registry, inBloom Applications Directory (App/Key), inBloom Application Providers.
• inCommon Services: inCommon Federation (Fed 2, Metadata Aggregator), Federated Services, Net+ and Affiliate Services, Auth[N/Z] and Identity for inCommon Services and Applications.
• Third Party Application Providers register through both.
How Does the iBMLSS Define a Tenant from the Top-Level?
inBloom Model Local Service Stack (iBMLSS) components: sidp, LDAP, lz, admin, api, portal, dashboard, databrowser.
1. SLC Operator: Tenant Admin Management creates a New LDAP Entry.
2. Create Tenant-Adm (LDAP Entry).
3. Tenant #1 Service Owner.
How the iBMLSS Works with SimpleIDP & DataStore Services?
Diagram: sidp, iBMLSS LDAP, lz, admin, api; Tenant User #1 goes through the Validation & Approval Process, which creates the Logical Data Store/LZ and designates the AuthN Service.
https://github.com/inbloom/secure-data-service/blob/master/sli/simple-idp/src/main/java/org/slc/sli/sandbox/idp/service/UserService.java
How Does the iBMLSS LDAP Service Work with SimpleIDP Service?
Diagram: sidp, iBMLSS LDAP, lz, admin, api; Tenant User #1 → Validation & Approval Process → Create Logical LandingZone → Designate AuthN Service.
https://demo-1-sidp.demo.inbloom.org/simple-idp?realm=SLC-LDAP1
How Does the iBMLSS Work with API User Roles & Dir-Groups?
Diagram: sidp, iBMLSS LDAP, lz, admin, api; Directory Groups Map To Fixed-Role Privileges (Manual), LDAP to SAML.
Questions & Comments