Overview and High-Level Design

This document provides a high-level description of an infrastructure to support user provisioning for inter-campus applications within the University of California. Other documents will provide greater detail about components of this infrastructure, within the context of this overview.

For the purposes of this document, user provisioning is defined as the processes, both human and automated, that authorize (and de-authorize) people to use application systems, where those application systems require information about their users at times other than when those users are actively using the system. This is distinguished from application systems that use a "pure" single sign-on infrastructure (e.g., the current UCTrust), authorizing anyone with a defined set of attributes that are provided at the start of a session.

The infrastructure described in this document will support the exchange of identity information from campus Identity and Access Management (IAM) systems to application systems; it does not cover the entire set of provisioning processes. The Roles and Responsibilities section below identifies those other provisioning processes.

Principles and Assumptions

  • Campus identity and access management systems are authoritative for information about the members of their respective communities.
  • The existing UCTrust agreements, policies, processes, and technology should be leveraged as much as possible.
  • The design and implementation must make effective use of University resources. Where possible, implementations should be shared and/or reused.

High-Level Design

