IAM: Building Community

One of our next big steps for the IAM project is to work on building an online community.  We have looked at a few hosted sites, ning.com and so on, but none of them met our requirements.  Because our project is all about identity, our most important requirement is that any solution we select must be able to authenticate with our Penn State credentials.  We also want something that is open, so that members of other universities can join the community.

Yesterday at our IAM TAG (Technical Architect Group) meeting we had a guest speaker, Cole Camplese.  Cole gave us a number of good ideas on how to build a community.  Right now we are looking at two software solutions, Elgg and Drupal plus its social networking modules.  Elgg looks interesting, but it does not look easy to integrate with WebAccess; however, I did not spend much time investigating that.  We do have Drupal up and are continuing to investigate it as well, and so far it is looking very interesting.  If anyone out there has other solutions that could meet our requirements, please comment on this post.

Day 5 of CAMP (Advanced CAMP)

Ah, the last day of CAMP.  It was a half day, and it was very busy with good topics.  The main focus of the morning was a wrap-up of CAMP in general.  We reviewed a couple of projects during some lightning talks.  One of interest to us was OpenRegistry.  OpenRegistry is an open source Identity Management System (IDMS): it provides a place for data about all of the people in your identity system, or in the terms we use in the IAM project, a Central Person Registry.  The presenter was Benn Oshrin from Rutgers.  We (Renee Shuey and I) talked to Benn and a couple of other schools about the whole concept of a person registry last year.  They, along with a few other schools, have gone off and done the design work for OpenRegistry.  As with any data store, the most important part will be the data model: how will you represent data about the individuals?

For a very long time now I have been involved in the Access Project, a.k.a. CACTUS.  CACTUS is close to being a person registry, but it's not very central.  When we started development of CACTUS, we spent a large amount of time working on the data model.  The only problem was that we tried to force-fit the existing data that lived on the mainframe into a relational database.  It came out somewhat OK in the end, but it's definitely not a central person registry.  Additions like billing for services, for example, really have nothing to do with the management of identity.

So, wrapping this up, we on the Central Person Registry team (Ed Hayes, Bob Walters and myself) are going to take a very detailed look at the work being done in the OpenRegistry space.

Was CAMP worth it?  You bet it was.  With the IAM project having started yesterday, CAMP gave us some really good ideas and updates on some important projects.

Day 4 of CAMP

Day four of CAMP was the first full day of Advanced CAMP.  Attendance at this session was much higher, since a large number of the major Internet2 players attended.  That day we learned about a number of the major projects that are underway.

I will start with Kuali.  The Kuali Foundation is a non-profit organization responsible for sustaining and evolving administrative software that meets the needs of all Carnegie Class institutions.  Here is a link to the project organization.  The part that we were interested in was KIM (Kuali Identity Management).  Some of its supported concepts include entities, groups, roles, responsibilities, and authentication.  All of the Kuali projects are written in Java and have GUI interfaces for maintaining data.  KIM supports permission assignments for roles and groups.  This will be another project that the Penn State IAM team will be looking at.

Next up were the uPortal folks.  Since I spent a large part of my life designing and implementing the Penn State Portal, I was really interested in hearing where things were at with uPortal.  Back in the day we looked at uPortal for Penn State, but like most efforts, it just was not really ready for us to use.  However, I was quite impressed with where things have ended up.  uPortal is still written in Java and supports JSR 168 portlets.  The platform supports authentication, user attributes, role-based access control, hosting and provisioning, and skinning.

Sakai was the next topic.  The presenter was Ray Davis from UCB.  Sakai is an LMS with pluggable modules.  It provides a framework that is Java-based, open source and very extensible via plug-ins; over 100 different applications and services can be plugged into it.  Sakai 2 was based on Tomcat and Spring.  The new version, Sakai 3, will use Apache Sling.

Day four had some other interesting lightning sessions that I may blog about later if I have time.  Right now, I wanted to put out some information about the major sessions.

Day 3 of CAMP

This was our last day of Basic CAMP.  It was a half-day session that wrapped up CAMP.  Once again, one of the most interesting parts was the lightning talks.  The first talk was from Chris Hyzer of the University of Pennsylvania.  His topic was Grouper attributes and privileges.  This was a very interesting one; at one point I was looking at Grouper for our groups solution.  At the time the software was at an early stage, so we just moved forward with what we have today using LDAP.  Things have really improved, in my opinion.  Grouper is about 5 years old, written in Java and can utilize multiple databases.  All of your groups and their membership reside in a database and are then provisioned to LDAP.  This is a very attractive solution compared to what we have today, where all of the groups exist only in LDAP.  This is one of the projects that the Penn State IAM team will be reviewing.
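To make the "membership lives in a database, LDAP is a provisioning target" model concrete, here is an added example (written for this page, not Grouper's code) of the reconciliation step such a provisioner runs: compare the registry's view of each group with what the directory currently holds and emit only the LDIF needed to close the gap.  The DIT layout (ou=groups / ou=people under dc=example,dc=edu), the use of groupOfNames, and the two membership tables are constructed assumptions.

```python
"""Reconcile group membership held in a registry database (the source of
truth) against what is currently provisioned in LDAP, and emit the LDIF that
brings the directory in line.  Added example of the database-to-LDAP
provisioning pattern described above; it is not Grouper's code.  The DIT
layout, the groupOfNames object class and all sample data are assumptions."""

GROUP_BASE = "ou=groups,dc=example,dc=edu"
PEOPLE_BASE = "ou=people,dc=example,dc=edu"

# Constructed sample: membership as the registry says it should be.
REGISTRY_GROUPS = {
    "iam-team": {"jdoe", "rshuey", "bwalters"},
    "ldap-admins": {"jdoe"},
    "new-group": {"ehayes"},
}

# Constructed sample: what a search of the directory currently returns.
LDAP_GROUPS = {
    "iam-team": {"jdoe", "rshuey", "olduser"},
    "ldap-admins": {"jdoe"},
    "stale-group": {"olduser"},
}

def member_dn(uid):
    return f"uid={uid},{PEOPLE_BASE}"

def group_dn(cn):
    return f"cn={cn},{GROUP_BASE}"

def plan_changes(desired, current):
    """Compare both views and return, per group, what must be added or deleted.
    A group that is absent from the registry, or would end up with no members,
    is scheduled for deletion because groupOfNames requires at least one member."""
    plan = {}
    for cn in sorted(set(desired) | set(current)):
        want, have = desired.get(cn, set()), current.get(cn, set())
        plan[cn] = {
            "add": sorted(want - have),
            "delete": sorted(have - want),
            "create": cn not in current and bool(want),
            "remove": cn in current and not want,
        }
    return plan

def to_ldif(plan):
    """Render the plan as LDIF suitable for ldapmodify.  Groups already in
    sync produce nothing, so repeated runs are idempotent."""
    out = []
    for cn, p in plan.items():
        dn = group_dn(cn)
        if p["remove"]:
            out += [f"dn: {dn}", "changetype: delete", ""]
        elif p["create"]:
            out += [f"dn: {dn}", "changetype: add", "objectClass: groupOfNames", f"cn: {cn}"]
            out += [f"member: {member_dn(u)}" for u in p["add"]] + [""]
        elif p["add"] or p["delete"]:
            out += [f"dn: {dn}", "changetype: modify"]
            if p["add"]:
                out += ["add: member"] + [f"member: {member_dn(u)}" for u in p["add"]] + ["-"]
            if p["delete"]:
                out += ["delete: member"] + [f"member: {member_dn(u)}" for u in p["delete"]] + ["-"]
            out.append("")
    return "\n".join(out)

if __name__ == "__main__":
    print(to_ldif(plan_changes(REGISTRY_GROUPS, LDAP_GROUPS)), end="")
```

The point of the diff step is that the directory never becomes the place where membership is edited: running the script twice against an already-synchronized directory produces empty LDIF, and a group that disappears from the registry is removed from LDAP rather than lingering as an orphan.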

Next up was Kent Frong, University of British Columbia, to talk about their IdM program.  UBC is a decentralized campus, and they have a major challenge with resources.  Hmm, I think I have heard that before.  They do not have fully dedicated personnel working on IdM.  They are striving to make IdM a more collaborative environment.  This is one of the goals of our IAM project too.

And finally we heard from Jim Beard, University of Oregon.  His topic was IdM implementation from the rear-view window.  Their school currently uses Identity Manager from Sun.  They had a very short timeline for their implementation phase.  Like any system, they have realized that the number of people looking at their administrative site has grown in ways they were not anticipating.  A lot of these schools use Banner for provisioning their accounts.  One of their main goals was to be able to communicate with their incoming students earlier than in the past; most of them have their accounts set up before they come to campus.  Jim touted auditability as a real big bonus of their IdM system.  Their security team has been pretty much hands-off during the entire implementation, but their advice was sought out at various stages.  Identity proofing for them is done through the registration process, and that data is used for the account-claiming process.  That information goes out to the students in a mailer.

I think I left Basic CAMP with a really good understanding of what's going on out there, which was one of the main reasons we went.  This is information that is going to help us (the Penn State IAM team) go forward with our design and implementation.

My iPhone Oracle Calendar Solution

So last week I was one of the lucky ones able to procure a new iPhone 3GS at the local AT&T store.  I am definitely impressed with its features, mainly since it's my first iPhone.  I set up my Gmail and Penn State IMAP, which was pretty easy to do.  Then I started looking at my options for syncing Oracle Calendar.  I surveyed what was out there: Synthesis and SyncJE.  Both of these products are pay-only, and I wanted a free solution.  I kept reading and came across a blog post from Google.  The full post, found here, discussed how to make your calendar available on your iPhone.  So all I needed to do was get my Oracle Calendar data into Google Calendar.  That seemed easy enough, since Oracle has an export feature.  I exported an iCalendar file using a date range of the previous 1 week to 1 month and loaded it into Google Calendar.  I noticed that most of my events were there, but not all of them: what was missing were the repeating events.  I ran into this problem in the past with the Portal and Oracle Calendar, and my solution at the time was to use the vCalendar format.  So I did that, and lo and behold, all of my events showed up in my calendar.  Then, to access them from my iPhone, I pointed Safari to google.com/calendar/gp and entered my credentials, and I was presented with a new interface to my calendar.  The only caveat I can see is that Google Calendar will only import at most 50 events at a time.  For me that does not seem to be an issue; since my calendar is pretty static, doing an upload when I need it is not an inconvenience.
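The two snags above, repeating events that an importer drops and a per-import cap of 50 events, can both be handled on the export side by expanding each RRULE into individual occurrences and splitting the file into batches.  The following is an added example written for this page (not Oracle's export code nor anything from Google); it assumes a plain export where DTSTART/DTEND are in basic format with an optional trailing Z and only handles FREQ=DAILY and FREQ=WEEKLY rules (with INTERVAL, COUNT or UNTIL), passing any other rule through untouched so no occurrence is silently lost.  The sample calendar at the bottom is constructed.

```python
"""Expand repeating events in an iCalendar (.ics) export into one VEVENT per
occurrence, then split the result into files of at most 50 events.  Added
example, not Oracle's or Google's code.  Assumes a plain export: DTSTART/DTEND
in basic format (YYYYMMDDTHHMMSS, optional trailing Z) and RRULE with
FREQ=DAILY or WEEKLY plus INTERVAL/COUNT/UNTIL; other rules are passed through
untouched so no occurrence is silently dropped."""
from datetime import datetime, timedelta
import re

BATCH_LIMIT = 50  # the per-import cap observed in the post

def unfold(text):
    """Join RFC 5545 folded lines (a continuation starts with a space or tab)."""
    return re.sub(r"\r?\n[ \t]", "", text).splitlines()

def split_events(lines):
    """Return (calendar_header_lines, [event_lines, ...])."""
    header, events, cur = [], [], None
    for line in lines:
        if line == "BEGIN:VEVENT":
            cur = []
        elif line == "END:VEVENT":
            events.append(cur)
            cur = None
        elif cur is not None:
            cur.append(line)
        elif line and line not in ("BEGIN:VCALENDAR", "END:VCALENDAR"):
            header.append(line)
    return header, events

def parse_dt(value):
    return datetime.strptime(value, "%Y%m%dT%H%M%SZ" if value.endswith("Z") else "%Y%m%dT%H%M%S")

def fmt_dt(dt, utc):
    return dt.strftime("%Y%m%dT%H%M%SZ" if utc else "%Y%m%dT%H%M%S")

def prop(event, name):
    """Value of the first property called `name`, ignoring parameters (DTSTART;TZID=...)."""
    for line in event:
        key, _, value = line.partition(":")
        if key.split(";")[0] == name:
            return value
    return None

def expand_event(event):
    """Return a list of single-occurrence VEVENTs for one (possibly repeating) VEVENT."""
    rrule = prop(event, "RRULE")
    if rrule is None:
        return [event]
    rule = dict(part.split("=", 1) for part in rrule.split(";"))
    step = {"DAILY": timedelta(days=1), "WEEKLY": timedelta(weeks=1)}.get(rule.get("FREQ"))
    if step is None:
        return [event]  # unsupported FREQ: keep the rule for the importer
    step *= int(rule.get("INTERVAL", 1))
    start = parse_dt(prop(event, "DTSTART"))
    utc = prop(event, "DTSTART").endswith("Z")
    duration = parse_dt(prop(event, "DTEND")) - start if prop(event, "DTEND") else timedelta(0)
    count = int(rule["COUNT"]) if "COUNT" in rule else None
    until = parse_dt(rule["UNTIL"]) if "UNTIL" in rule else None
    uid = prop(event, "UID") or "event"
    out, when = [], start
    while (count is None or len(out) < count) and (until is None or when <= until):
        if count is None and until is None and len(out) >= 1000:
            break  # unbounded rule: cap the expansion rather than loop forever
        inst = []
        for line in event:
            key = line.partition(":")[0].split(";")[0]
            if key == "RRULE":
                continue  # each instance is now a plain event
            if key == "DTSTART":
                line = "DTSTART:" + fmt_dt(when, utc)
            elif key == "DTEND":
                line = "DTEND:" + fmt_dt(when + duration, utc)
            elif key == "UID":
                line = f"UID:{uid}-{fmt_dt(when, utc)}"  # instances must not share a UID
            inst.append(line)
        out.append(inst)
        when += step
    return out

def expand_calendar(text):
    header, events = split_events(unfold(text))
    return header, [inst for ev in events for inst in expand_event(ev)]

def batches(header, events, limit=BATCH_LIMIT):
    """Yield complete VCALENDAR texts holding at most `limit` events each."""
    for i in range(0, len(events), limit):
        body = [l for ev in events[i:i + limit] for l in ("BEGIN:VEVENT", *ev, "END:VEVENT")]
        yield "\r\n".join(["BEGIN:VCALENDAR", *header, *body, "END:VCALENDAR"]) + "\r\n"

# Constructed sample export: one single event and one weekly event with 3 occurrences.
SAMPLE_ICS = "\r\n".join([
    "BEGIN:VCALENDAR", "VERSION:2.0", "PRODID:-//example//test//EN",
    "BEGIN:VEVENT", "UID:one@example.edu", "DTSTART:20090706T130000",
    "DTEND:20090706T140000", "SUMMARY:Single meeting", "END:VEVENT",
    "BEGIN:VEVENT", "UID:weekly@example.edu", "DTSTART:20090707T090000",
    "DTEND:20090707T100000", "RRULE:FREQ=WEEKLY;COUNT=3", "SUMMARY:IAM TAG meeting",
    "END:VEVENT", "END:VCALENDAR",
]) + "\r\n"

if __name__ == "__main__":
    hdr, evs = expand_calendar(SAMPLE_ICS)
    for n, cal in enumerate(batches(hdr, evs), 1):
        print(f"--- batch {n}: {cal.count('BEGIN:VEVENT')} events ---\n{cal}")
```

Each batch is a complete, stand-alone VCALENDAR, so the files can be imported one at a time; giving every expanded instance its own UID matters because an importer that de-duplicates on UID would otherwise keep only one of the occurrences.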

Day 2 of CAMP

The second day of CAMP was a full day.  We started the first session off with a presentation from Steve Carmody (Brown), Liz Salley (UMich Ann Arbor) and Caleb Racey (Newcastle University).  The topic was Describing the Solution Patterns and Real World Examples.  Liz is from Administrative Computing.  She talked a bit about Yahoo's Pattern Library.  When dealing with solution problems it is all about finding the vision for what the optimal solution will be.  It's pretty much an iterative process where you "toss" around the problems for a while and see which ones work and which ones do not.

                Analysis
Use Case                     Taxonomy
                Solution

The cycle runs Analysis -> Taxonomy -> Solution -> Use Case -> Analysis.

After that presentation we had another series of lightning talks.  The one that interested me the most was from Astrid Fingerhut (University of Chicago).  The topic was their Trusted Agent Program.  The problem is how to grant early access to digital resources to new faculty and staff, so that when they start on their first day they have all of the access necessary to do their job.  This is a pretty common problem in IAM and one that we have ourselves.  Their solution is to use what they call "Distributed Authorization", which in effect is delegated registration authorities.  They create temporary accounts for these people which last for up to one year before they receive their permanent accounts.  As soon as they appear in the payroll feed they gain full access.  They have to do a lot of training and hands-on work for this program.  This will be part of our IAM education program.  How we implement our solution to this problem is TBD.
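The sponsored-account lifecycle described in that talk is a small state machine, and the parts worth getting right are the ones that are easy to skip: the sponsorship window is capped by policy, the account is promoted only when the person actually shows up in the authoritative feed, and an account whose sponsor was wrong about the hire is cut off rather than left hanging.  The following is an added example written for this page and is not the University of Chicago's code; the field names, the 365-day limit, the matching rule (an exact match on an identifier the sponsor supplies and payroll also carries) and the access sets are all assumptions.

```python
"""Lifecycle for sponsored ("trusted agent") accounts: created by a delegated
registration authority before the person is in the payroll feed, expiring after
at most one year, and promoted to a permanent account the first time the person
appears in payroll.  Added example of the pattern described in the talk, not
the University of Chicago's code.  The match key, the 365-day cap, the access
sets and the sample data are assumptions."""
from dataclasses import dataclass, field
from datetime import date, timedelta

MAX_SPONSORED_DAYS = 365  # policy cap assumed from "up to one year"

@dataclass
class Account:
    uid: str
    match_key: str      # identifier the sponsor supplies and the payroll feed also carries
    sponsor: str        # the delegated RA who vouched for this person (kept for audit)
    created: date
    status: str = "sponsored"      # sponsored -> permanent, or sponsored -> expired
    expires: date = None
    access: set = field(default_factory=lambda: {"email", "wiki"})  # limited day-one access

    def __post_init__(self):
        if self.expires is None:
            self.expires = self.created + timedelta(days=MAX_SPONSORED_DAYS)

def sponsor_account(registry, uid, match_key, sponsor, today, days=MAX_SPONSORED_DAYS):
    """A delegated RA creates a temporary account.  The window is bounded by
    policy regardless of what the sponsor asks for."""
    if uid in registry:
        raise ValueError(f"{uid} already exists")
    if not 1 <= days <= MAX_SPONSORED_DAYS:
        raise ValueError("sponsorship window outside policy")
    acct = Account(uid, match_key, sponsor, today, expires=today + timedelta(days=days))
    registry[uid] = acct
    return acct

def reconcile(registry, payroll_feed, today):
    """Run against each payroll feed: promote sponsored accounts that now appear
    in payroll, expire sponsored accounts past their window.  Returns
    (promoted_uids, expired_uids) so the run can be logged."""
    in_payroll = {rec["match_key"] for rec in payroll_feed}
    promoted, expired = [], []
    for acct in registry.values():
        if acct.status != "sponsored":
            continue  # permanent and expired accounts are not touched here
        if acct.match_key in in_payroll:
            acct.status = "permanent"
            acct.expires = None
            acct.access |= {"payroll-self-service", "department-shares"}  # full access
            promoted.append(acct.uid)
        elif today > acct.expires:
            acct.status = "expired"
            acct.access = set()  # nothing lingers for someone who never reached payroll
            expired.append(acct.uid)
    return promoted, expired

if __name__ == "__main__":
    # Constructed sample run: two sponsored people, one of whom later appears in payroll.
    registry = {}
    sponsor_account(registry, "newfac1", "E1001", "dept-ra", date(2009, 7, 1))
    sponsor_account(registry, "newstaff2", "E1002", "dept-ra", date(2009, 7, 1), days=30)
    feed = [{"match_key": "E1001", "name": "New Faculty"}]  # constructed payroll feed
    print(reconcile(registry, feed, date(2009, 8, 15)))
    for acct in registry.values():
        print(acct.uid, acct.status, sorted(acct.access))
```

Keeping the sponsor on the record is what makes the program auditable: when a sponsored account is misused, the question "who vouched for this person?" has an answer.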

After lunch we had a session titled "Environment Scan - What tools work (and don't work)".  This was a pretty good session too.  The part that interested me the most was the presentation from Bob Baily about OpenLDAP.  Being a person who deals with LDAP daily, I was really anxious to hear what was being done with OpenLDAP.  Needless to say, there are a number of features that our current LDAP server does not support that OpenLDAP does.  The only problem is that we need to balance that with our size.  Bob's school has about 5000 people; he wasn't sure how it would scale to the size and complexity we need.

Our next session was on policy: what works and what doesn't.  Renee Shuey (Penn State), Liz Salley (UMich), and Andrea Bessing (Cornell) gave great overviews of what their schools are doing in the policy arena.  Here is a link to their presentations.

The final session for the day was a break out session where we were given an opportunity to meet with our peers and discuss some of the problems we are dealing with. 

Day 1 of CAMP

Our first day of middleware CAMP was a short one, only a half day.  Needless to say, that half day was a very good one.  Tom Dopirak (CMU) began the first session with a presentation on Access Management Building Blocks.  The abstract for the session was:

The CAMP program provides an approach to analyzing, designing, and implementing access management solutions. In this session, we will present an overview of the building blocks we'll be using in the workshop, define a few terms, and look at how these blocks can be used to help you address access management challenges.
As you can tell from the abstract, the bulk of the presentation focused on terminology that would be used throughout the rest of CAMP.  He did dive a little bit into the policy process at CMU, which is a multi-step one.  More information about it can be found here.

The next session was presented by Rob Carter (Duke) and Scott Fullerton (University of Wisconsin-Madison).  Its focus was on categorizing access management challenges.  They proposed a scheme for categorizing the various use cases that exist in the IAM realm.  The result of some of their work can be found here.  I found this a very interesting session, because our IAM group is starting to accumulate use cases, and at some point we will be going through the exercise of categorizing them and trying to determine the similarities that exist among them.  Oh yeah, at some point we will have a space set up so that use cases can be submitted to us.

The final session for the day was the lightning talks.  Each person had 5 minutes to present a topic and 5 minutes for questions.  The list of topics can be found here.  I presented a topic on Workflow at Penn State.  I gave an overview of the problem the Workflow project is solving and then talked about the IAM aspects (like roles).  It was lucky that I talk fast, or I would not have fit my presentation in.  A number of the other talks were really good too.  Jim Beard's talk about password challenges is pretty much what we are dealing with right now.  They are going down the path of a one-time-use password combined with challenge questions.  This is going to be a thorny problem for us (IAM and Penn State); right now our process for password resets needs some work.
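The one-time-use reset credential mentioned above is worth spelling out, because most of the security is in the bookkeeping rather than in the code itself: the code must be unguessable, short-lived, stored only as a hash, accepted exactly once, and withdrawn after a handful of wrong guesses.  The following is an added example written for this page, not Oregon's or Penn State's implementation; the 15-minute TTL, the five-attempt limit, the in-memory table and the injected clock are assumptions, and the challenge questions that gate issuing a code are assumed to be checked before `issue()` is called.

```python
"""One-time-use password-reset credential: generate a short-lived random code,
store only its hash, accept it exactly once, and invalidate it on use, expiry
or too many wrong guesses.  Added example of the approach the talk described,
not Oregon's or Penn State's code.  TTL, attempt limit and storage are assumed;
the challenge questions are assumed to have been verified before issue()."""
import hashlib
import hmac
import secrets
import time

RESET_TTL_SECONDS = 15 * 60  # assumed policy: a code is good for 15 minutes
MAX_ATTEMPTS = 5             # assumed policy: wrong guesses before the code is withdrawn

class ResetStore:
    """In-memory table keyed by username.  A deployment would persist rows,
    but the same invariants apply: hash only, one outstanding code per user."""

    def __init__(self, now=time.time):
        self._rows = {}
        self._now = now  # injectable clock so expiry can be tested deterministically

    @staticmethod
    def _digest(code):
        # The code carries ~192 bits of entropy, so a plain SHA-256 is adequate
        # here; a slow password hash is for low-entropy, user-chosen secrets.
        return hashlib.sha256(code.encode()).digest()

    def issue(self, username):
        """Create a fresh code for the user, replacing any outstanding one.
        Returns the plaintext to deliver out of band; only its hash is kept."""
        code = secrets.token_urlsafe(24)
        self._rows[username] = {
            "hash": self._digest(code),
            "expires": self._now() + RESET_TTL_SECONDS,
            "attempts": 0,
        }
        return code

    def redeem(self, username, code):
        """Return True exactly once for the correct, unexpired code.  The row is
        removed on success (one-time use), on expiry, and after MAX_ATTEMPTS
        failures so the code cannot be brute-forced within its lifetime."""
        row = self._rows.get(username)
        if row is None:
            return False
        if self._now() > row["expires"]:
            del self._rows[username]
            return False
        row["attempts"] += 1
        ok = hmac.compare_digest(row["hash"], self._digest(code))
        if ok or row["attempts"] >= MAX_ATTEMPTS:
            del self._rows[username]
        return ok

if __name__ == "__main__":
    store = ResetStore()
    code = store.issue("jdoe")          # deliver this via the out-of-band channel
    print("first use:", store.redeem("jdoe", code))   # True
    print("second use:", store.redeem("jdoe", code))  # False: already burned
```

Two details carry more weight than they look: `hmac.compare_digest` keeps the comparison constant-time, and counting attempts per outstanding code (rather than per request) means an attacker cannot reset the counter by re-requesting a code for the victim, because `issue()` replaces the row and the old code dies with it.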

EduCause & Internet2 Summer CAMP

So last week a number of us attended Summer CAMP in Philadelphia.  Hmm, your mind must be wondering about a camp in Philly.  Well, it was not that kind of camp.  CAMP stands for Campus Architecture and Middleware Planning.  The focus of CAMP this time was on all things Identity and Access Management, otherwise known as IAM.  To learn more about IAM, visit the current IAM home page.  CAMP was divided into two parts: the first two and a half days were called Basic CAMP, and the final day and a half was focused on advanced topics.  In the posts to follow, I plan on diving into some of the material that was presented at CAMP.  On a side note, our original plan was to get to Philadelphia by car, but we changed that around and took Amtrak out of Harrisburg.  Being the train nut that I am, that was the perfect way to arrive at and leave the city.

Has facebook gone to the dogs?

Interesting question, isn't it?  People use Facebook for different things: networking, dating, complaining, you name it.  Just yesterday my step-daughter Courtney sent me an invite for something called Dogbook.  Yes, it seems that within Facebook you can build a network for your pet, in this case my dog.  Oh yeah, it also includes cats.  So I gave it a try; we have three dogs, a min pin, a yorkie and a big question mark.  I set up a Dogbook for our min pin, Felony, Fel for short.  I was able to set up information about him and his favorite things to do, and then build a network of friends for him.  So what's the value?  I'm not sure yet.  I was able to find groups to join for other min pins, so there could be something there.  But right now, I am just not sold.  It definitely does show that social networking is exploding in directions I would never have guessed.  And yes, I do update Fel's status when he does something new.

newser rocks!

Like most of you out there in blog land, I read a lot of tech news and views from a variety of sources.  Some of my favorites are digg.com, lifehacker.com and slashdot.org.  Just recently I came across a post about a news aggregator site called newser.com.  newser was mentioned as being the future of online newspapers, and I agree.  Last night on Fox Business, I heard that the stock prices of most of the major newspapers are actually less than the price of the paper itself.  I receive the CDT at home, but with a site like newser, I could be convinced to cancel my subscription.