Federation and Cloud Services

Transcription

1 Federation and Cloud Services for the K12 Community Quilt/InCommon K12 Pilot Project Summary Two Cases: Illinois and Nebraska What is Envisioned, Experiences, and Challenges Bernie Jim Peterson Jason Radford Scott Isaacson Mike

2 Illinois Shared Learning Environment The One-Slide Summary

3 Producers ED-FI Data Model Data Store Services Content Brokers Consumers Application Program Interface ( API ) Search & Registry Index for Content Illinois Shared Learning Environment ISLE SLC (Service Agreement): ISBE/LEA RttT-3 Grant : ISBE/LEA RttT-Early Childhood : ISBE/LEA Pathways/STEM LE : ISBE/DCEO GOMB ISLE Grant ISLE-IGA: Partners: DCEO -> NCSA/UIUC NCSA/UIUC -> NIU,SIU, & IC Partner Institutions Data Centers Create, Find, Map, Use, and Visualize Data Linked to Content and Standards enabling Personalized Learning and Career Preparedness for All Illinois Learners (P-K12 & Life-Long). Learning Maps & Learning Content Apps DB Compute Applications and Dashboards Collect, Assemble, & Propagate Ed-FI Data Model Participating LEA: 2 SLC Pilot 35 RttT-3 ~ 20% of Illinois Students with RttT-3 SD, ~840 to go. Dynamic Cloud Infrastructure Local School District Students, Educators, Parents, Researchers, Schools, Institutions and Agencies empowered by the Middleware infrastructure and Dynamic Self-Service Procurement Cloud Platform Services: *Learning Maps *Applications *Dashboards*Portal Integration *Databases *Collaboration Tools *Development Incubator *Advanced Analytics*Shared Data Services*Enterprise Services

4 ISLE K12 School Districts, Partners, & Data Centers Create, Find, Map, Use, and Visualize Data Linked to Content and Standards enabling Personalized Learning and Career Preparedness for All Illinois Learners (P-K12 & Life-Long). Learning Maps, Assemssments, & Learning Content Partner Institutions Data Centers Dynamic Cloud Infrastructure Apps DB Applications and Dashboards Compute Partners: Students, Educators, Parents, Researchers, Schools, Institutions and Agencies empowered by the Middleware infrastructure and Dynamic Self-Service Procurement Cloud Platform Services: *Learning Maps *Applications *Dashboards*Portal Integration *Databases *Collaboration Tools *Development Incubator *Advanced Analytics*Shared Data Services*Enterprise Services

5 Nebraska K12/P20W Pilot Four Slide Summary

6 Basic Services VM Hosting SIS DB ETL Nebraska K-12 Federation Learning Object Repository Ed-Fi ODS Compute Metrics Learning Management Systems Auto-provision & Deprovision Ed-Fi Dashboards District Integration Authentication & Authorization IdP Proxy Self-service Portal

7

8 Courtesy of Tom Rolfes, Nebraska Office of the CIO Internet2 (K.C. GigaPop)

9 Network Nebraska- Education CURRENT Partners (261) 223 public school districts 16 Educational Service Units 10 public colleges 7 nonpublic colleges 2 tribal colleges 3 nonpublic schools 1 public library Network Nebraska- Education POTENTIAL Partners (460+) 28 public school districts 1 Educational Service Unit 7 nonpublic colleges 159 nonpublic schools 269 public libraries Courtesy of Tom Rolfes, Nebraska Office of the CIO

10 K12 to P20 Vision Resources Compelling case for effective utilization of resources Might call this zero system administration. Jack s story is the vision of interoperability through standards Data Quality Campaign infographicvision on using data Visionary Resources: A little on the techie side Learning Registry Advanced Distributed Learning: SCORM IMS Global: SETDA :

11 Illinois Shared Learning Environment Exploring the Learning Map Concept: A Revolutionary Catalyst for the K12 Community and Pedagogy

12 What is a Learning Map? 1.) Visual Representation of a Series of Learning Objectives & Assessment of Mastery Learning Objective #1 Learning Objective #2 Learning Objective #3 Learning Objective #... Learning Objective #N N Assessment Measures #1 Assessment Measures #2 Assessment Measures #3 Assessment Measures #... Assessment Measures #N The visualization may be non-linear with branches and junctions having alternative paths. Branch Node 2a 3a Junction Node N multiple Path options 2b 3b multiple Paths converge

13 How Does a Learning Map Work? 2.) Coded Alignment of Objectives and Measures enables Content to be Linked to a Map! N Actions (Clicks, Pop-up Options) Content User Interface Options (Hoover Over & Zoom Into) Linked Learning Modules Aligned and Coded with Objectives Empower: Learners to explore proficiency tasks Mentors to find, create, and share Measures of effectiveness can be quantified by community experience and qualitative analysis of use. Objectives Map Node Measures Linked Assessment Bank Items Aligned and Coded with Objectives Empower: Learners to explore skill proficiency Mentors to find, create, and share Measures of effectiveness can be quantified by community experience and qualitative analysis of use. Link Content Aligned by Codes (Tagging) Create, Find, Use, and Shared Experience Pooling Objective Modules & Assessment Items Maps may be Presented using Interactive-Visual-Objects for each location marker along the path it shows

14 Why are Learning Maps Centrally Important? 3.) Learning Map Perspectives (or Views) of Learners Progression using Data in Alignment with Codified Objectives, Measures, & Content with variability in number of Learners & Time Scale N Learner Perspective Where am I and what tasks are to do Find, create, use, and share content Peer& mentor collaboration Personalize pathway potential How do my peer compare with me Measures of effectiveness can be quantified by community experience with qualitative analytics capacity. Objectives Content Map Node Measures Educator Perspective All Educators are also Learners Find, create, use, and share content Professional Development Support Virtual Professional Peer Groups How do my peer compare with me Measures of effectiveness can be quantified by community experience with qualitative analytics capacity. Guardian Perspectives The Learning Map Concept may be Presented using Role-Based-Visual-Objects integrated with API Driven Dynamic-Data-Aggregation for a Variety of Role Perspectives Apply Learner & Educator Perspectives of Progress along the learning map pathways: Workgroup Perspectives Real-Time Perspectives Future Perspectives Perspectives: Role & Aggregation State & Local Education Authority Perspectives Building Perspectives Institutional Perspectives

15 How can the Learning Map Concepts be Implemented? Content Objectives Map Node Learner Data Measures N

16 What is Required to Implement Learning Map Concepts? Parents & Guardians Learner Progression & Achievement Data Mentors & Interest Groups SEA Curriculum Guidance & Standards Learning Content Repositories Identity Access Management Services (IDP/Proxy Hybrid: IAM) Three Essential Pillars of Support: A K12 Federation Model for the Core Centralized Services & Operations: Data, Identity, & Presentation Application Services Multi-tenant Portal for School Districts Content Archives, Libraries, and Museums Data Services (Authoritative Source systems, ETL to SIF ZIS, and automated propagation to other data models). LEA Curriculum Workgroups & Standards Learning Registry Network of Nodes

17 Illinois Shared Learning Environment The Platform s Three Pillars of Support: Data, Identity, & Appliction The Core-Central K12 Federation Services

18 What Are The Three Service Pillars? IlliniCloudis a non-profit organization providing services for primarily for K12 school district all over the state of Illinois. Acting as a K12 federation operator and service provider, the IlliniCloudis establishing three foundational service dimensions for the K12 community: Data Services Identity Services Application Services Minimal threshold of Adoption: The implementation is focused on mitigating integration requirements for K12 school districts adoption of services with little to no modification of existing practices and procedures. Backend Interfaces & Services Tenants (School Districts) End-User Facing Interfaces Tenants (School Districts)

19 Illinois Shared Learning Environment The Platform s First Pillar of Support: Data Services

20 How Does The Data Service Work? Source 1 Source Source N Operational Data Store Any Data Model Reports Analytics Raw Source System Intermediate Data Product Data Matrices Data Model(s) Propagation Collection Assemble Produce

21 District/LEA Data Entry How Does the Data Validation Service Work? IlliniCloud Student Information User corrects data and resubmits If the data is rejected, an error message is generated to the user Teacher/Staff Data ERRORS Data is collected in the ODS, where the Data Validation Rules Engine runs to check for errors NO ERRORS Valid data is moved to the Data Marts Analyze the data in a spreadsheet Prepare a report Create a presentation Better Research Leads to Better Decisions REAL TIME REPORTS Data can now be analyzed longitudinal data analysis can be performed Data is Stored in the Longitudinal Data Warehouse 28

22 How Does Data Service Propagation Work for Apps? SP SP SIF/ZIS Integration API Any DM Source 1 Source Source N School District ZIS Reports Analytics Relational Data Store Ed FI API SP SP Object Data Store InBloom API SP SP Ingest Data Validation and Assembly SIF 2.5 for each local district sites. Data Propagation for Alternative DataModels Implicitly enables use of Application Programmatic Interfaces (API)

23 How Can Data Service Propagation Work for State Reporting? SIS FS TR School District Authoritative Source Systems Propagate Manage Error Resolution Illinois State Board of Education Data Mart(s) Automate Data Set Assembly and Propagation

24 Illinois Shared Learning Environment The Platform s Second Pillar of Support: Identity Services

25 What is the Federated Identity Service? incommon Google 4 Edu Other Service Providers School District Users/Orgs Trust 3 rd Party Service Providers & Other Federations Workforce Development Users/Orgs Federated Central Service School District Metadata Proxy IDP/SP Non-School District Metadata SAML 2.0 OAuth OpenID Read-Only Query Functionality Authentication Delegation to Authoritative Source Trust Native Directory Interface Districts (1.. N) using Active Directory Districts (1.. N) using edirectory Districts (1.. N) using LDAP/Kerberos

26 How Does the Federated Identity Service Work? InCommon Federation SP Metadata InC Net+ SP Google EDU IDP Does not Forward to Federated Idm Cloud Provider External Federations & Service Providers IDP K12 Federation IDP Proxy Publish Subscribe Metadata SP SP Apps SP SP K12 Federation Service Providers SSO Enabled Custom ISLE Applications Centralized Idm(SAML2) provides local directory mapping and profiles for federated service uses SP Custom District Applications K12 Org 1 K12 Org K12 Org N SP Not SSO Enabled K12 Organization Local Service Providers Directory Authoritative Directory Source AD LDAP Kerberos edirectory SP SSO Enabled School Districts have preexisting directories and business procedures that govern practices & processing

27 How Do Attribute/Value Assertions & Web SSO Sessions Work? If No Session then Prompt Fed-Login else goto4 Collects: edupersonprinciplename Manages the Delegated Authentication Challenge/Response If Session then Process Attribute Assertions for SP Collects & Assembles: edupersonaffiliation Manages computing edupersonetitlements that are needed for SP. 3 4 Advanced Configuration: IDP/P + SP itrust Federation Registry IDP K12 Federation IDP Proxy 0 Request Response SP Attributes Needed & Parsing: edupersonprinciplename edupersonaffiliation edupersonorgdn edupersonentitlement*(agreed) SP User has Navigated here IDP Attribute Resolvers & Filters: edupersonprinciplename edupersonaffiliation edupersonorgdn edupersonentitlement*(agreed) 7 8 Browser Accesses Protected App Resource ** May Have Distinct Entitlements for Individual Applications/Resources 1

28 How Does the IDP use Tenant User s Profile? Browser Redirected to IDP/Proxy LOGIN Service 1. UserName 2. PassWord 3. OrgDN Delegate Authentication Tenant s Authoritative Directory 1. OrganizationDN 2. EPPN 3. Affiliation 4. SP/Entitlement Browser Accesses Protected App Resource (SP) IDP K12 Federation IDP Proxy Shibboleth/IDP DBMS Connected AttributeResolver Tenant(s) Authoritative User Session Profile Populates Tenant User Profile Table Just-In-Time Provisioning OR Verification/Validation of Existing Shibboleth/IDP AttributeFilters SP/SP Groups Using attribute/value pairs available propagate authorized assertions to the SP * given_name, <dc:column columnname="given_name" attributeid="givenname" /> * surname, <dc:column columnname="surname" attributeid="sn" /> edu_person_nickname, <dc:column columnname="edu_person_nickname" attributeid="edupersonnickname" * /> mail, <dc:column columnname="mail" attributeid="mail" /> * organization_name, <dc:column columnname="organization_name" attributeid="organizationname" /> * home_organization_type, <dc:column columnname="home_organization_type" attributeid="homeorganizationtype" edu_person_affiliation, /> <dc:column columnname="edu_person_affiliation" attributeid="edupersonaffiliationlist" edu_person_primary_affiliation, /> <dc:column columnname="edu_person_primary_affiliation" attributeid="edupersonprimaryaffiliation" edu_person_scoped_affiliation, /> <dc:column columnname="edu_person_scoped_affiliation" attributeid="edupersonscopedaffiliation" edu_person_org_dn, /> <dc:column columnname="edu_person_org_dn" attributeid="edupersonorgdn" /> edu_person_org_unit_dn, <dc:column columnname="edu_person_org_unit_dn" attributeid="edupersonorgunitdnlist" edu_person_primary_org_unit_dn, /> <dc:column columnname="edu_person_primary_org_unit_dn" attributeid="edupersonprimaryorgunitdn" * uid, /> <dc:column columnname="uid" attributeid="uid" /> edu_person_principal_name, <dc:column columnname="edu_person_principal_name" attributeid="edupersonprincipalname" edu_person_targeted_id, /> <dc:column columnname="edu_person_targeted_id" attributeid="edupersontargetedid" edu_person_unique_id, /> <dc:column columnname="edu_person_unique_id" attributeid="edupersonuniqueid" /> edu_person_assurance, <dc:column columnname="edu_person_assurance" attributeid="edupersonassurance" /> edu_person_principal_name_prior, <dc:column columnname="edu_person_principal_name_prior" attributeid="edupersonprincipalnameprior" edu_person_entitlement, /> <dc:column columnname="edu_person_entitlement" attributeid="edupersonentitlement" * member_of /> <dc:column columnname="member_of" attributeid="memberoflist" />

29 How does edupersonentitlement Look Up-Close? Privilege Groups Of Interest IDP Attribute Resolvers & Filters: edupersonprinciplename edupersonaffiliation edupersonorgdn edupersonentitlement*(agreed) Facualty, Staff,, Library Walk-in dc=district, dc=ext Any String as a UR(N,I,L) SP Attributes Required Values When Group Member: Needs fine grain privilege mapping to align to some collection of cohort declarations the user is a member of in the authoritative source system of reference. edupersonentitlement Attribute value(s) to assert: Because the Login User Has Relative: memberof Attributes Associated

30 What is the User Profile? 1 IlliniCloud IAM Service Anonymous User No Session 2a User s Personal Preferences IDP Registration External Identity Provider OAuth Google, Facebook, MSN, Yahoo, & Others App Login or Registration Is External Authenticate? Known Person Yes Yes Is User Registering? Personal Profile? 2b School District User s IDP Registration is automated No No No Yes Yes Is Managing Profile? OrgDN Profile? Is Fed-Realm No No No No Is User AuthN? Fed-Realm? External AuthN? Yes No Yes IAM Identity-Repo 3a Has Profile 3b No Anonymous User No Session 4a Yes Registered Realm User Session Okay Yes Delegate AuthN To District 4b Yes Registered Public User Session Okay 4c Known User, Profile Persistent, & Session

31 Illinois Shared Learning Environment The Platform s Third Pillar of Support: Application Services Multiple Tenant Portal and Application Launcher

32 Who Will Use the Application Service? CASE 1: Non-Authenticated Users, Anonymous Unknown User May see only informational content Presentation Service Data Identity CASE 3: Authenticated by IC IDP/P implies defined Domain and Affiliation with Authorities expressed in Entitlements Known User No Affiliation & Organization Domain may use public Applications CASE 2: Federated IDP Other Than IC IDP/P Authenticates User and implicitly claims identity authority for a user s logical session. LEA Tenant Known User with Affiliation assigned may use organizations informational content, services, and applications

33 What is the Application Service, a Portal? 1.) Web Browser Based Visual Presentation & Workspace Much like the graphical user interface provided by a computer s operating system (Windows, Macintosh, Tablets, & Smart-phones). Portal Leverages SSO Service Buttons & Menus Clickable Actions or Pop-up May Take Input May Grouped Visually Functionally Can be Combined with Visual Theme Preferences May be Locate Anywhere Vertical (Button Bar) Button # 1 Button # 2 Button #... Button #N Input: Button Icon Symbol Header: * Optional: May include Active Controls Background Visual Attributes are generally user definable and persisted as Preferences Portlet# 1 Floating Window Portlet Workspace Visual Workspace: Footer: * Optional: May include Active Controls Portlet#2 Window w/no Controls Portlet Workspace Portlet# 3 : Minimized Window Portlet#.. : Minimized Window Portlet# N: Invisible Win/Service PortletAttributes: are generally user definable and persisted as Preferences (for each portlet) including size (min, max, full) & relative workspacelocationand window state. Portlets Optional Visual Window May Contain Buttons Input/Forms Any Media Content May be an Application May be a Service May be Resized or Static Full Screen (WrkSpc) Floating Window Minimized (Visible) Layered May be Remote Service May be Local Service May be Support Any Media Shares Session Attributes User/Role Organization Access Rules Authorizations Horizontal (Button Bar) S #1 S #2 S #... S #N Input: Portal is the outer visual wrapper and user interface Manages User Identity for primary SSO/Sessions Shares Session State with Gadgets & Portlets

34 How Does the Portal Work for Users? Anonymous &Non-District Authenticated Users: Public Apps & Informational Page(s) Login: Multi-Tenancy Application Launcher: Individual school districts are tenants ISLE Apps Info Page Tab Bar ISLE Apps District Apps My Page Tab Bar Illinois Open Education Resource Search Illinois Open Education Resource Search Educator Dashboard Each tenant must be able to customize the appearance & content of the portal for its own needs. Users who log into the portal get the appropriate experience for the tenant (district) to which they are connected. Customization examples include logo, colors, header/footer text, navigation(tabs), and content(portlets). Tenants, moreover, not only need to manage these items, they also need to manage the managers they must be able to grant or deny access to these management functions with regard to their own staff

35 How Does the Portal Login Process Work? Multi-Tenancy Global Login (IDP/Proxy): Get User & Organization Anonymous User Invokes Login Action A.) Input edupersonprinciplename 1 Login: UserID: Domain Name List. 123 Login Name [@domainname.ext] Populates OrgDN List for Login Name if more than one force a choice. Determine Tenancy for Authentication ISLE Apps Tenant Info Illinois Open Education Resource Search Tab Bar B.) Derive: edupersonorgdn(/orgunitdn) Authentication Service Action Multi-Tenancy Global Login (IDP/Proxy): Delegate Authentication as Required C.) Compute: edupersonaffiliation faculty student staff alum member affiliate employee library-walk-in Typical Affiliation List for Login Name if Educator then faculty,member,employee If Staff Employee then staff,member,employee If Student then student, member If Parent/Gardian then Affiliate If Externally AuthN then library-walk-in 2 Determine Role Privileges D.) Compute: edupersonentitlement

36 User s Tenant & Role are Manifested as a Result of Login General Purpose Login Process Tenant Portal-Manager Controls Visual Attribute Customizations User Role Based Content Customizations Teacher@district87.org Isle Apps District Apps EC/PK Apps My Page Tab Bar Teacher Illinois Open Education Resource Search Educator Dashboard Administrator@unit5.org Staff@illiniCloud.org Student Isle Apps Isle Apps Tenant Apps Office Apps Grade 8 Apps Office Apps My Page Tab Bar Student@usd116.org My Page Staff Tab Bar Administrator Isle Apps District Apps Illinois Open Education Resource Search Admin Tools My Page Educator Dashboard Tab Bar

37 Illinois Shared Learning Environment Three Pillars of Support Married With Application Programmatic Interfaces: Offer Significant Potential for LEAs* to Realize the Promise Envisioned for the ISLE Platform Operated as a K12 Federation for K12 by K12! * Local Educational Authority

38 illinicloud Services SD001 SIF_2.5 to EDFI inbloom Services SD-Managed Org SD SD002 SD ODS to inbloom Data-Store SD Staff SD Edu Application Registry SDNNN Local System to SIF_2.5 inbloom Data, Roles and Identity Edu Kid SD001 SD002 SD SDNNN inbloom Data, Roles and Identity Directory incommon Data, Roles and Identity Federated IAM Service Auth[N/Z] IAM Integration inbloom Applications API Service Auth[N/Z] Provider Registration incommon Services incommon Services and Applications Auth[N/Z] Net+ and Affiliate Services Federated Services incommon Federation Application Providers inbloom Application Providers

39 illinicloud Services SD001 SD002 SD SDNNN SD001 SD002 SD SDNNN ODS Local System to SIF_2.5 inbloom Data, Roles and Identity Directory incommon Data, Roles and Identity incommon Services SIF_2.5 to EDFI Person Roles MD Agrgtr Federated IAM Service Auth[N/Z] Roles & Id Data-Store Fed 2Fed Auth[N/Z] inbloom Operator Data, Role & Id API Service IAM Integration Org SD SD Staff SD Edu Edu Kid Data, Role & Id Auth[N/Z] App/Key inbloom Services Application Providers inbloom Application Providers inbloom Data, Roles and Identity inbloom Applications Provider Registration API Service Application Registry Application Providers incommon Services and Applications Federated Services Net+ and Affiliate Services incommon Federation Third Party Third Party Application Providers

40 How Does the ibmlss Define a Tenant from the Top-Level? Service Owner Create Tenant-Adm SLC Operator admin api 3 inbloom Model Local Service Stack dashboard databrowser lz 2 Tenant #1 portal Tenant Admin Management ibmlss LDAP sidp 1 New LDAP Entry LDAP Entry Good SN=? Text?

41 How the ibmlss Works with SimpleIDP& DataStore Services? ibmlss LDAP sidp Tenant User #1 admin api lz Validation & Approval Process Designate AuthN Service Creates Logical Data Store/LZ

42 How Does the ibmlss LDAP Service Work with SimpleIDP Service? ibmlss LDAP sidp Tenant User #1 admin api lz Validation & Approval Process Designate AuthN Service Create Logical LandingZone

43 How Does the ibmlsswork with API User Roles & Dir-Groups? ibmlss LDAP sidp admin api lz Directory Groups Map To Fixed-Role Privileges (Manual ) LDAP to SAML

44 The image part with relationship ID rid2 was not found in the file.

45 Questions & Comments Bernie Jim Peterson Jason Radford Scott Isaacson Mike