Provisioning scenarios in identity federations

v1.0, final

Summary

Supplying applications and services with information related to a user account within a federation is called provisioning. Deprovisioning is the opposite process. In identity federations, (de)provisioning is not trivial, as it involves cross-domain identity communication. Moreover, although identity information can mostly be provided during authentication, some applications need to be provisioned before the user logs in. Examples of such applications are the dynamic group management services that are common in e-Science. The fact that standardised support for provisioning is far from ideal for federated environments makes it even harder to implement. This report gives a state-of-the-art analysis of provisioning products and standards and of the still-ongoing federated provisioning debate. It classifies different types of applications and different types of provisioning scenarios in order to arrive at a framework that helps when selecting a strategy for dealing with federated provisioning. The results are validated by exploring (at a suitable level of