Kuali Identity Management - Introduction And Implementation Options

2,929 views

Published on

A presentation including a quick introduction to the Kuali Identity Management module of Kuali Rice followed by a discussion on integrating KIM with various other pieces of software.

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
2,929
On SlideShare
0
From Embeds
0
Number of Embeds
25
Actions
Shares
0
Downloads
29
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide
  • Welcome. This session is “Implementing Kuali Identity Management at your Institution” and is a pre-conference workshop that runs for three hours. We’ll be covering quite a bit of ground this morning, looking at both technical and financial aspects. We will take a short break about halfway through the workshop.
  • The presenters are Eric Westfall from Indiana University and Dan Seibert from UC San Diego
  • Now, while KIM is partially a service layer, it does have a complex system for managing roles within an organization. Now so much in the provisioning of those roles, but in the checking the applicability of the roles in a given situation.
  • There are many different identity and role management systems out there. There are several commercial offerings and even more home-grown systems developed over the years. For the Kuali applications, and any applications developed on top of the Rice framework, it provides a layer of abstraction to insulate the application from needing to know the details of those systems. For KFS, this allows the implementation of the identity, group, and role definitions to be changed out without code changes on the part of the application. Prior to KIM, you would have to load the user table through a batch process, which would then need to be kept in sync as necessary. With the KIM service layer, you can leave the data in your system-of-record. KIM also provides a set of user interfaces. These are mainly useful when using the reference implementation although some aspects of the main person UI have been designed to work with external systems.
  • KIM’s default implementation is more of a data storage system than a provisioning system. It does not have any built-in code to scan other systems for identity/role information. Those hooks would have to be built by your institutions. One of the things that some other systems (like the proposed JA-SIG Open Registry and Microsoft’s Identity Lifecycle Management) provide tools for aggregating identity data from multiple sources (HR system, Student system, etc.).  So we may want to mention that KIM is not an identity aggregation system.
  • When Kuali started, we had a single focus: KFS. About two years in, the KRA component started and we realized that we had build an infrastructure upon which we could build multiple systems but that infrastructure was embedded in KFS. From that, the Rice project was created and extracted. User maintenance was part of rice, but not in a way which would be usable between multiple enterprise-level systems. About two years ago, members from the Kuali projects met to discuss what would be needed for the projects to be able to use the Rice framework as a core going forward. In addition, a number of the original institutions were indicating interest in implementing both KFS and KRA. From those discussions, it was decided that a unified identity/roles/permissions system would be needed to prevent every Kuali application from going their own way as well as to simplify the implementation of multiple Kuali applications within a single institution. These also have to do with Rice as a whole. A challenge we had within the KFS in early versions was that the authorization component was very loose. We hadn’t defined all the ways in which we would need to apply authorization. And, as such, it was done in a myriad of ways. KIM unified our permission checking in KFS.
  • When KIM was being designed, it was recognized that there were other entries in the market, many of which had been around for some time and had robust feature sets. We also knew that many institutions would not adopt a system which would require a change to their user maintenance infrastructure. So, KIM was defined as a set of services with fairly well delineated boundaries. This would allow institutions to use or override coherent portions of the system without having to understand the whole of KIM.
  • KIM consists of a set of service definitions, available over the Kuali Service Bus, or more generically through SOAP web service calls for non-Kuali applications. A default implementation using the capabilities of the Kuali Nervous system for data persistence and UIs.
  • Authentication Service Extremely simple client-only service. This service will never be remoted on the KSB. Just returns the principal name from the authentication system. Default works for most authentication systems that use the REMOTE_USER header. You may want to override this if you need to perform some translation on what your authentication method returns if it is not what you use in your identity system. Identity Service This service is responsible for nothing more than the lookup and retrieval of entity information. It’s unaware of any of the other services. All the other services use this one for retrieval of entity/principal information when needed. Group Service Role Service This one is not often used directly. All the checking within the application is done in terms of permissions. The permissions are then linked to roles which the permission service accesses. Permission Service This is the most heavily used service in the KNS. It’s API methods are centered around running authorization checks. Responsibility Service Used almost exclusively by the workflow engine for determination of routing.
  • Identity Management Service This service is a wrapper around the identity, group, permission, and responsibility services. It is intended to run locally within the Rice client application. It will access the other services off the Kuali Service Bus as needed. It provides caching of results locally to prevent expensive network access. It also has some API methods to purge portions of the cache as needed. Roles are not in this service mainly to enforce the nature of permission checks. (Previously, many “permission” checks were done by checking the user’s membership in a group (pre-KIM). This separation was made so that explicit role checks must be a conscious decision on the part of the developer. Role Management Service This service is to roles what the IdM service is to the other four services. Person Service The person service provides an abstraction and simplification of the KIM data model for use by the core KNS components. Most usage of person/entity data is covered by the data attributes on the person object. It takes the default information from the Entity/Principal and mostly flattens it into a simpler object. Within the KNS, in most cases, only the Person object is used. Identity Archive Service This optional service sits behind the identity service. It’s purpose is to archive a very limited subset of the most current data on each principal that it sees. If the user is ever removed from the identity management system completely, the data will be pulled from this service so that information like principal name, entity name, and email address can still be displayed on old document route logs.
  • Identity Management Service This service is a wrapper around the identity, group, permission, and responsibility services. It is intended to run locally within the Rice client application. It will access the other services off the Kuali Service Bus as needed. It provides caching of results locally to prevent expensive network access. It also has some API methods to purge portions of the cache as needed. Roles are not in this service mainly to enforce the nature of permission checks. (Previously, many “permission” checks were done by checking the user’s membership in a group (pre-KIM). This separation was made so that explicit role checks must be a conscious decision on the part of the developer. Role Management Service This service is to roles what the IdM service is to the other four services. Person Service The person service provides an abstraction and simplification of the KIM data model for use by the core KNS components. Most usage of person/entity data is covered by the data attributes on the person object. It takes the default information from the Entity/Principal and mostly flattens it into a simpler object. Within the KNS, in most cases, only the Person object is used. Identity Archive Service This optional service sits behind the identity service. It’s purpose is to archive a very limited subset of the most current data on each principal that it sees. If the user is ever removed from the identity management system completely, the data will be pulled from this service so that information like principal name, entity name, and email address can still be displayed on old document route logs.
  • Now, while KIM is partially a service layer, it does have a complex system for managing roles within an organization. Now so much in the provisioning of those roles, but in the checking the applicability of the roles in a given situation.
  • However, they are using multiple authentication mechanisms – native Active Directory, Shibboleth, and Central Authentication Service. In order to implement KIM, even in this relatively simple but non-Kuali case, custom connectors will have to be written to pull data from PeopleSoft. Additional work will need to be done on the Active Directory side. Fortunately, Indiana has already completed or is in the process of completing most of this work. Eric will talk about this in more detail when we get to the case studies near the end of the workshop.
  • It’s also possible to integrate Kim with your institutions LDAP server. A few institutions have already done this. Including UofA, SJDC, and UCDavis. Another approach would be to use CAS and configure CAS to connect to LDAP datasource Let’s take a closer look as UofA’s implementation
  • To ease their implementation, they chose to use the Spring LDAP module. Spring LDAP is an adapter layer between Spring and LDAP datasources. The LdapTemplate class encapsulates all the plumbing work involved in traditional LDAP programming In addition, they used the Kim parameter service to map between KIM and their EDS system. By using these tools, most of the work is a configuration task. Some programming is still required: To implement and override the KIM Identity service In addition, they still wanted to use the Rice UI screens to add and update principals in the system, so they also overrode the UIDocumentService. This service is a layer below, the services we’ve discussed so far.
  • Modifications to the edu/arizona/kfs/sys/spring-sys.xml Modify the spring config files to define the following beans
  • Modifications to the edu/arizona/kfs/sys/spring-sys.xml
  • Spring LDAP is an adapter layer between Spring and LDAP datasources. The LdapTemplate class encapsulates all the plumbing work involved in traditional LDAP programming Setup Spring LDAP Implement/Override
  • loadEntityToPersonDoc is used to populate the IdentityManagementPersonDocument when the page loads from “edit” or “create new”. Even though entity information is not being stored in the database, it still needs to be present on persons. saveEntityPerson is used to store the information and actually update the person. It needed to modified to take into consider the check for the “ Modify Entity” permission. Normally, even if the permission isn’t present, the document will try to save entity information. By checking for this permission, the desired behavior takes place which is entities
  • Shibboleth can be used a few different ways to provide authentication and authorization functionality across or within institution boundaries. It allows sites to make informed auth decisions for protecting online resources. Some ways that Shibboleth could be used with a Kuali Rice application are: …
  • This slide illustrates the flow of a typical federated logic process using Shibboleth. I won’t go into too much detail here, but the process involves: - User attempt to access a Shibboleth protected site. The user is re-directed to a service which determines where the user is from, and then redirects them again to their home institutions authentication service. Once the user is authenticated, they are redirected back to their original site, there login credentials are passed to the site along with the request. The site then knows that the user has authenticated with a trusted resource, and can access the credential attributes to make authorization decisions.
  • Shib filters: for apache: mod_shib, mod_proxy_ajp - forwards HTTP request from the web server to the servlet container (tomcat) Shib config file: shibboleth2.xml <RequestMap> <Session Initiator> <WAYF> <ERRORS> Config settings: set behavior of filter – Auth Type, require, Implement AuthenticationService to retrieve the Shibboleth attributes and authenticate the user. You may need to implement some logic =
  • Name is the attribute name as provided by the identity provider Header is the name of the HTTP header, that will carry the attribute value Alias is a more convenient shorter name to be used in Apache configuration (see below) It is also possible, by using proper <SiteRule> and <Value> elements to restrict attributes to some origins (identity providers) or values only.
  • A different scenario is to use your KIM module to authenticate users for other applications.
  • We are all here, as representatives of educational institutions and their commercial affiliates, to address common problems related to computing services in higher education. Several communities and consortiums have developed various open source solutions. Kuali Rice and Internet2’s Grouper are examples of these. An interesting progression now, is how to take some of these solutions and use them together to create something richer than each provides on its own. Recently, the Kuali Rice team and the Internet2 Grouper team met and collaborated on how to delegate from Kuali Rice to Internet2 Grouper. Specifically, Chris Hyzer of University of Pennsylvania worked with the Kuali Rice Team to develop adaptors that integrate the Rice KIM module with Grouper.
  • Rice offers pluggable service interfaces. Grouper provides a thin client for remote communication. This project implements the Rice group services to delegate to the Grouper client.
  • Installation of the KIM/Grouper Adaptors is relatively simple, if you already have a Kuali Rice application and Grouper installed. Copy jars to the rice applications library directory. kr-dev/WEB-INF/lib copy the properties file to webapp directory …/WEB-INF/classes Edit the properties file to set the WS connect string to the Grouper WS at your institution. Also customize the grouperKIMConnector settings - Override the kim group and Identity services
  • To override a KIM service, simply modify the appropriate spring config file to create a new bean with the ID, and class. Collaborative efforts are what make Internet2 and Kuali work. Within higher education, many of the problems we each face are similar, both technical and financial. Collaborative efforts such as these, are vital to providing enterprise level software solutions to our institutions.
  • Current branding of this tool is “Forefront Identity Manager”
  • Kuali Identity Management - Introduction And Implementation Options

    1. 1. Kuali Identity Management: Introduction and Implementation Options Jasig - Spring 2010 Wednesday, March 10, 2010 8:30 am
    2. 2. Kuali Identity Management: Introduction and Implementation Options <ul><li>Eric Westfall </li></ul><ul><li>Indiana University </li></ul><ul><li>[email_address] </li></ul><ul><li>Dan Seibert </li></ul><ul><li>University of California, San Diego </li></ul><ul><li>[email_address] </li></ul>
    3. 3. KIM Introduction Implementing Kuali Identity Management at your Institution
    4. 4. What is KIM? <ul><li>A module of Kuali Rice </li></ul><ul><li>Common Interface and Service Layer </li></ul><ul><li>Integrated Reference Implementation </li></ul><ul><li>Set of User Interfaces </li></ul><ul><li>KIM is not just “Identity Management”, it’s also “Access Management” </li></ul>
    5. 5. What KIM is Not <ul><li>A Full-Fledged Identity Management System </li></ul><ul><ul><li>Provisioning </li></ul></ul><ul><ul><li>Hooks to update other systems </li></ul></ul><ul><ul><li>Duplication Management </li></ul></ul><ul><li>An Identity Aggregator </li></ul><ul><li>An Authentication Implementation </li></ul>
    6. 6. Why Did We Create KIM?
    7. 7. Motivations <ul><li>Expansion of Kuali </li></ul><ul><li>Common Identity Management API </li></ul><ul><li>Consistent Authorization Implementation </li></ul>
    8. 8. What we did not want KFS KC KS IDM IDM IDM
    9. 9. What we did want KFS KC KS KIM
    10. 10. Design Considerations <ul><li>Existence of Other IdM Solutions </li></ul><ul><li>Legacy/Existing Implementations </li></ul><ul><li>Replaceable Services </li></ul><ul><li>Separation of Concerns </li></ul><ul><li>Service Bus </li></ul><ul><li>Maintenance GUIs </li></ul>
    11. 11. KIM Terminology
    12. 12. KIM Terminology <ul><li>Namespace </li></ul><ul><li>Entity </li></ul><ul><li>Principal </li></ul><ul><ul><li>Principal ID </li></ul></ul><ul><ul><li>Principal Name </li></ul></ul><ul><li>Person </li></ul><ul><li>Entity Type </li></ul>
    13. 13. KIM Terminology <ul><li>Group </li></ul><ul><li>Role </li></ul><ul><ul><li>Qualifier </li></ul></ul><ul><li>Permission / Permission Template </li></ul><ul><li>Responsibility / Responsibility Template </li></ul>
    14. 14. KIM Services
    15. 15. Components <ul><li>Service Interface API </li></ul><ul><li>Reference Implementation </li></ul><ul><li>Functional Maintenance User Interfaces </li></ul>
    16. 16. KIM Core Services <ul><li>Identity Service </li></ul><ul><li>Group Service </li></ul><ul><li>Role Service </li></ul><ul><li>Permission Service </li></ul><ul><li>Responsibility Service </li></ul><ul><li>“ Authentication” Service </li></ul>
    17. 17. Other KIM Services <ul><li>Identity Management Service </li></ul><ul><li>Role Management Service </li></ul><ul><li>Person Service </li></ul><ul><li>Identity Archive Service </li></ul><ul><li>“ Update” Services </li></ul>
    18. 18. KIM Service Architecture
    19. 19. Remember… <ul><li>The primary goal of KIM was to build a service-oriented abstraction layer for Identity and Access Management </li></ul><ul><li>Integration with other IDM services was acknowledged, expected, and designed for! </li></ul>
    20. 20. KIM Integration Rice Database Reference Implementations OpenRegistry? Identity Service Responsibility Service Permission Service Group Service Role Service KIM Service Layer
    21. 21. Integrating KIM with other IdM products <ul><li>Implementing Kuali Identity Management at your Institution </li></ul>
    22. 22. KIM Integration Integration with various Identity Management Systems
    23. 23. with <ul><li>CAS – Authentication system for Single Sign On (SSO) </li></ul><ul><li>Two ways to integrate: </li></ul><ul><ul><li>CAS Server </li></ul></ul><ul><ul><li>Rice Client Application </li></ul></ul><ul><li>Integration with Rice Client application will be the most likely integration scenario </li></ul>
    24. 24. CAS – Server Integration <ul><li>Implement a custom CAS AuthenticationHandler which interfaces with the KIM services or database </li></ul><ul><li>Kuali already provides such an implementation in it’s Subversion repository </li></ul><ul><li>kuali-cas project </li></ul>
    25. 25. CAS – Rice Client Integration <ul><li>Integrate the CAS client with: </li></ul><ul><ul><li>Kuali Rice Standalone Server </li></ul></ul><ul><ul><li>A Kuali Rice client application </li></ul></ul><ul><li>KIM provides an “ AuthenticationService ” which is used to inform the Rice framework about the authenticated principal </li></ul><ul><li>Default implementation simply reads REMOTE_USER </li></ul><ul><ul><li>Sufficient for CAS integration </li></ul></ul>
    26. 26. CAS – Setup <ul><li>Simply configure the standard CAS servlet filters in your web.xml as you would normally </li></ul><ul><ul><li>AuthenticationFilter </li></ul></ul><ul><ul><li>Cas20ProxyReceivingTicketValidationFilter </li></ul></ul><ul><ul><li>HttpServletRequestWrapperFilter </li></ul></ul><ul><li>The usernames entered into the CAS login must match the principal names in your KIM implementation </li></ul>
    27. 27. with <ul><li>Microsoft Active Directory provides “LDAP-like” directory services among other network services </li></ul><ul><li>We will concentrate on groups defined in ADS and how they can be integrated with the KIM GroupService </li></ul><ul><li>This particular usage has been implemented at Indiana University </li></ul>
    28. 28. ADS – KIM Group Requirements <ul><li>Should be able to use ADS groups in addition to the out-of-the-box KIM group store </li></ul><ul><li>Groups must have a unique ID </li></ul><ul><li>Groups are also uniquely identified by a combination of Namespace and Name </li></ul><ul><li>Group membership can be nested </li></ul>
    29. 29. ADS Group Integration – Implementation <ul><li>ADS groups are assigned a namespace of “ADS” which allows the GroupService to determine how to load the Group </li></ul><ul><li>ADS groups have an ID assigned to them consisting of “ADS” and the group name </li></ul><ul><ul><li>i.e. ADS:MyAdsGroupName </li></ul></ul>
    30. 30. ADS Group Integration – GroupService <ul><li>Override the GroupService so that it loads groups from both ADS (via LDAP) and the KIM database </li></ul><ul><ul><li>IF - id starts with “ADS” or namespace equals “ADS”, query ADS </li></ul></ul><ul><ul><li>ELSE - delegate to reference implementation </li></ul></ul><ul><li>Various operations need to be customized including operations to load GroupInfo objects as well as checking Group membership </li></ul><ul><li>Also customize the Group Lookup screen so that it can search for Groups in ADS </li></ul>
    31. 31. Integrating KIM with LDAP <ul><li>LDAP Integration Efforts </li></ul><ul><ul><li>University of Arizona </li></ul></ul><ul><ul><li>San Joaquin Delta College </li></ul></ul><ul><ul><li>UC Davis </li></ul></ul><ul><li>Using CAS to connect to LDAP </li></ul>
    32. 32. KIM with LDAP (UofA example) <ul><li>Identity information is available in UA’s Enterprise Directory Service (EDS) </li></ul><ul><li>Uses Spring LDAP as an adapter layer between Spring and LDAP datasource </li></ul><ul><li>Uses KIM ParameterService to map between KIM and LDAP attributes </li></ul><ul><li>Implement / Override KIM IdentityService </li></ul><ul><li>In order to use the KIM GUI’s properly, the UIDocumentService is also overridden </li></ul>
    33. 33. KIM with LDAP (UofA example) <ul><li>Setup Spring LDAP module </li></ul><ul><ul><li><bean id=”contextSource” … </li></ul></ul><ul><ul><li><bean id=”authenticationSource” … </li></ul></ul><ul><ul><li><bean id=”springSecurityAuthenticationSource ” … </li></ul></ul><ul><ul><li><bean id=”ldapTemplate ” … </li></ul></ul>
    34. 34. KIM with LDAP (UofA example) <ul><li>Rice ParameterService maps EDS attributes to KIM </li></ul>KIM Class Attribute Name EDS Attribute Name KimPrincipalInfo principalId uaid KimPrincipalInfo entityId uaid KimPrincipalInfo principalName uid KimEntityNameInfo lastName sn KimEntityNameInfo firstName givenName KimEntityEmployementInformationInfo employeeId employeeId KimEntityEmployementInformationInfo email employeeEmail …
    35. 35. KIM with LDAP (UofA example) <ul><li>The Spring LDAP integration and Kuali Rice ParameterService are injected into the EdsPrincipalDaoImpl instance. </li></ul><ul><li><bean id=”edsPrincipalDao” </li></ul><ul><li>class=”edu.arizona.kim. dataaccess.impl.EdsPrincipalDaoImpl” > </li></ul><ul><li><property name=”ldapTemplate” ref=”ldapTemplate ” /> </li></ul><ul><li><property name=”parameterService” ref=”parameterService” / > </li></ul><ul><li><property name=”kimConstants” ref=”azKimConstants ” /> </li></ul><ul><li></bean> </li></ul><ul><li>The EdsPrincipalDaoImpl is an implementation of PrincipalDao which </li></ul><ul><li>connects to EDS and maps the principal and entity information into KIM </li></ul><ul><li>domain objects. </li></ul>
    36. 36. KIM with LDAP (UofA example) <ul><li>Implement and Override KIM Services </li></ul><ul><li>kimIdentityService </li></ul><ul><ul><li>getPrincipal() </li></ul></ul><ul><ul><li>getPrincipalByPrincipalName() </li></ul></ul><ul><ul><li>lookupEntities() </li></ul></ul><ul><ul><li>GetEntityDefaultInfo() </li></ul></ul><ul><ul><li>… </li></ul></ul><ul><li>UiDocumentService </li></ul><ul><ul><li>loadEntityToPersonDoc() </li></ul></ul><ul><ul><li>saveEntityPerson() </li></ul></ul>
    37. 37. with <ul><li>Intra-campus Web SSO </li></ul><ul><li>Federated Access to a Rice application </li></ul><ul><li>KIM as an Identity Provider (IdP) </li></ul><ul><li>Using Shibboleth Attributes for KIM authorization </li></ul>
    38. 38. with Federated Authentication Shibboleth Login Process
    39. 39. with Federated Authentication <ul><li>Protecting a Rice application as a Service Provider (SP) </li></ul><ul><li>A web server and openssl must be available first </li></ul><ul><li>Add Shibboleth filters to the web server. </li></ul><ul><li>Metadata defines the attributes to be passed between the Identity Provider and Service Provider. </li></ul><ul><li>Override KIM Authentication Service </li></ul>
    40. 40. with Federated Authentication <ul><li>Metadata Example: </li></ul><ul><li><AttributeRule </li></ul><ul><li>Name=“urn:mace:dir:attribute-def:eduPersonPrincipalName” </li></ul><ul><li>Header=“REMOTE_USER” </li></ul><ul><li>Alias=“eppn”> </li></ul><ul><li><AnySite> </li></ul><ul><li> <AnyValue/> </li></ul><ul><li></AnySite> </li></ul><ul><li></AttributeRule> </li></ul>
    41. 41. with <ul><li>KIM as an Identity Provider </li></ul><ul><li>Prerequisites: SSL certificate, source of SAML Metadata </li></ul><ul><li>Install Shibboleth IdP </li></ul><ul><li>Load SAML Metadata </li></ul><ul><li>Configure KIM as the User Authentication Mechanism </li></ul><ul><li>Implement kimAuthenticationService to authenticate the user and provide the appropriate attributes. </li></ul>
    42. 42. with Authorization Attributes <ul><li>Using Shibboleth Attributes </li></ul><ul><li>for KIM Authorization </li></ul><ul><li>Entity Attributes </li></ul><ul><li>Group </li></ul><ul><li>Roles </li></ul><ul><li>Permissions / Responsibilities </li></ul>
    43. 43. with <ul><li>KIM / Grouper Collaboration </li></ul>
    44. 44. with <ul><li>Adapter Overview </li></ul><ul><li>Custom Implementation of KIM Services using Grouper Client API </li></ul><ul><ul><ul><li>GroupService </li></ul></ul></ul><ul><ul><ul><li>GroupUpdateService </li></ul></ul></ul><ul><ul><ul><li>IdentityService </li></ul></ul></ul>
    45. 45. with <ul><li>Installation </li></ul><ul><li>grouperClient.jar </li></ul><ul><li>grouperKimConnector.jar </li></ul><ul><li>grouper.client.properties </li></ul><ul><li>Override kimGroupService and kimIdentityService </li></ul>
    46. 46. with <ul><li>How to override a KIM service </li></ul><ul><li><beans xmlns=http://www.springframework.org/schema/beans </li></ul><ul><li>… </li></ul><ul><li><bean id=&quot; kimGroupService &quot; class=&quot; edu.internet2.middleware.grouperKimConnector.group.GrouperKimGroupServiceImpl &quot;/> </li></ul><ul><li></beans> </li></ul>
    47. 47. with <ul><li>Recall… </li></ul><ul><ul><li>Earlier we stated that KIM is NOT an identity aggregator </li></ul></ul><ul><ul><li>Well, Microsoft Identity Lifecycle Manager (ILM) is! </li></ul></ul><ul><li>Current branding of this tool is Forefront Identity Manager </li></ul><ul><li>Indiana University has used this tool as part of our Kuali Identity Management implementation </li></ul><ul><li>Essentially synchronizes identities from multiple sources into our KIM database </li></ul>
    48. 48. Microsoft Identity Lifecycle Management

    ×