Introduction

2011-01-10
2013-04-23
  • sascha benjamin cohen

    Welcome to the ilios 2 curriculum management project forum! Over the next few weeks, we here at ilios central will be populating the project site with up to date information and files for the project.

    If you have particular questions or interests that are not addressed moving forward, please do not hesitate to contact us, and get involved.

    As a new product with a new vision to the management of health profession curricular data, ilios 2 is very much a living work in progress. We look forward to growing with the community, and finding effective and innovative ways of addressing the needs and desires of the users and their supported populations.

     
  • sascha benjamin cohen

    Vaquero, that's great to hear. We are planning on releasing our first beta code here at the end of this week, end of day Friday 1/21. You should be able to download the code deployment any time after that (as well as the draft user guide).

    Looking forward to hearing more from your testing at that point!

     
  • Abid Abbasi

    Abid Abbasi - 2011-05-04

    Hi Sascha,

    I am an Oracle Identity and Access Management (IDM) consultant working with Vaquero Cooper and University of Colorado Denver in assessing the feasibility of integrating ILIOS 2.0 application with Oracle IDM suite of products such as web based SSO and Federation services for authentication as well as provisioning of users from a central IDM repository into ILIOS database for authorization and entitlements. I have a few questions below:

    (1) Has any university integrated ILIOS with a 3rd party SSO solution such as Oracle Access Manager (OAM), CA Netegrity, IBM Tivoli Access, SUN Access, or RSA Access web based SSO solutions? If yes, do you have any case study or shed light on how to best approach this?

    (2) We looked at the PHP code and it seems like a user supplied username and password once validated, the code will return e-mail id of the user to the Dashboard. The quickest non-Shibboleth way of integrating with Oracle OAM solution would be to delegate the authentication of ILIOS to OAM who can supply authenticated user's e-mail in an HTTP header. We would also run an agent on the Apache server that will talk to OAM backend server. Do you see anything wrong with this approach? I know the downside is that every time you release a newer version, we will have to do this integration all over again. Is there a way for you to develop another authentication module that will allow ILIOS to delegate user authentication to another non-Shibboleth type SSO solution?

    (3) For the above approach, we will auto-populate ILIOS user roles and user identities using Oracle's Identity Manager (OIM) provisioning product. Do you have any examples of other ILIOS campuses taking a similar approach and can share a case study?

    (4) I have not found any documentation on how to setup ILIOS with Shibboleth. Can you point me to it? Normally, Shibboleth needs to publish its endpoint URLs (login url, forwarding url, service provider or identity provider information and certificates) in a metadata XML type file that can be loaded by another Identity Provider (IDP) or Service Provider (SP) who will also distribute this for ILIOS to load this. How do I get information on Shibboleth setup and setting this up?

    (5) Relating to Shibboleth, it allows users to be provisioned on the fly (out of band) as well as allow it to share user profile attributes from the IDP. Is ILIOS capable of federating this level of dynamic user provisioning on the fly? Where can I find the right documentation. This approach will save us opening the source code for SSO integration as well as save the hassle to provision users from backend OIM product.

    (6) Is there some high level diagrams or authentication flows in documentation that can be shared?

    (7) Who else could be our point of contact from ILIOS for this type of information.

    Thank you.

    Best regards,

    Abid Abbasi
    Arisant IDM Consultant working with University of Colorado Denver and School of Medicine

     
  • sascha benjamin cohen

    Abid,

    I'll try my best to answer your questions below. For a little context, you should know that Ilios 2 is very new, and very young: our first out-the-gate beta code was only released in the final week of January of this year. Our immediate need is to have Ilios running here on the UCSF campus, and to address the needs of the professional schools here. As we progress, we are looking forward to seeing and helping other institutions adopt Ilios, and to adapt it to their needs as well. But we are still very early on in the game.

    Our hope and expectation is that by providing an Open Source solution to the community, Ilios will allow for customization within the many various environments and situations found in the medical and health professions educational community, and will foster some real collaboration in developing modules and enhancements that can be shared back to the community at large.

    1) Has any university integrated ILIOS with a 3rd party SSO solution such as Oracle Access Manager (OAM), CA Netegrity, IBM Tivoli Access, SUN Access, or RSA Access web based SSO solutions? If yes, do you have any case study or shed light on how to best approach this?

    No. As mentioned above, Ilios 2 is barely 3 months old and still being piloted in beta. We have provided the shibboleth integration with the initial code release since this is both the implementation here at UCSF, and the most common implementation to date with other interested parties. I am as yet unaware of any institution taking on a different SSO solution with Ilios.

    (2) We looked at the PHP code and it seems like a user supplied username and password once validated, the code will return e-mail id of the user to the Dashboard. The quickest non-Shibboleth way of integrating with Oracle OAM solution would be to delegate the authentication of ILIOS to OAM who can supply authenticated user's e-mail in an HTTP header. We would also run an agent on the Apache server that will talk to OAM backend server. Do you see anything wrong with this approach? I know the downside is that every time you release a newer version, we will have to do this integration all over again. Is there a way for you to develop another authentication module that will allow ILIOS to delegate user authentication to another non-Shibboleth type SSO solution?

    That sounds like a great approach, and I wouldn't foresee any serious issues. Your proposal should work pretty neatly as a solution for OAM.

    As a FOSS application, Ilios is built on the premise of a collaborative community, as both users and contributors. Since UCSF and the schools we have been working with so far are all shibboleth institutions, there has been no call for internal development of a non-shib authentication module. But it would be fantastic if you folks were to build such a code module, and provide it back to the community--I can certainly see the utility of such an addition. We are extremely limited in our resources, and while I'd like to be able to address these sorts of needs internally, we are relying on the community and people like you to contribute when and where possible to help make Ilios an effective tool for all of our institutions.


    (3) For the above approach, we will auto-populate ILIOS user roles and user identities using Oracle's Identity Manager (OIM) provisioning product. Do you have any examples of other ILIOS campuses taking a similar approach and can share a case study?

    As I mention above, you would be the first campus I know of using Oracle tools or similar with Ilios. At UCSF, we are in the process of implementing a feed from the campus enterprise directory (EDS), but we are in the early stages of implementation. I would be very interested in hearing more about your experience should you choose to go this route.

    (4) I have not found any documentation on how to setup ILIOS with Shibboleth. Can you point me to it? Normally, Shibboleth needs to publish its endpoint URLs (login url, forwarding url, service provider or identity provider information and certificates) in a metadata XML type file that can be loaded by another Identity Provider (IDP) or Service Provider (SP) who will also distribute this for ILIOS to load this. How do I get information on Shibboleth setup and setting this up?

    The basic info is in the readme file with the current code release. Ilios currently depends on a shibboleth deployment, but if the shib conf file is set as described, and the header is returning the email as described, then an existing shibboleth implementation should be able to register Ilios and provide it AuthN as a 'shibbolized' application.

    We are hoping to have more robust documentation in

    For further info on shibboleth, I would say https://wiki.shibboleth.net/confluence/display/SHIB2/Configuration is the best place to start (but I assume you already know that).

    (5) Relating to Shibboleth, it allows users to be provisioned on the fly (out of band) as well as allow it to share user profile attributes from the IDP. Is ILIOS capable of federating this level of dynamic user provisioning on the fly? Where can I find the right documentation. This approach will save us opening the source code for SSO integration as well as save the hassle to provision users from backend OIM product.

    While we haven't done this, I'll reiterate: all Ilios is expecting is the (shibbolized) email returned in the header. If your shib conf file is configured and the header returns the email as described in the readme installation notes, then Ilios should not really care how IdP is handled.

    (6) Is there some high level diagrams or authentication flows in documentation that can be shared?

    For authentication, not at the moment.

    (7) Who else could be our point of contact from ILIOS for this type of information.

    As of right now, I am the best point of contact. Please don't hesitate to ping me for further info.

    I hope this helps to answer your questions; please feel free to contact me directly if you would like to discuss more.

    Sascha Benjamin Cohen
    Project Director - Ilios 2 Initiative
    sascha.cohen@ucsf.edu

    415.704.4521 mobile
    http://curriculum.ucsf.edu
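
The header-based delegation discussed in questions (2) and (5), as an added example that is not part of the original thread and is not Ilios code: the application resolves the agent-supplied e-mail to a local account and denies on anything unexpected. The header name `X-SSO-Email`, the function `resolveSsoUser` and the user table are hypothetical, and it assumes the web-server agent removes any client-supplied copy of the header before the request reaches PHP.

```php
<?php
// Added example; not Ilios code. Header name, user table and function
// names are hypothetical.

const SSO_EMAIL_KEY = 'HTTP_X_SSO_EMAIL'; // assumed: agent sends "X-SSO-Email"

/**
 * Return the local user id for the SSO-asserted e-mail, or null to deny.
 * Fails closed on a missing, duplicated, malformed or unknown value.
 */
function resolveSsoUser(array $server, array $usersByEmail): ?int
{
    if (!isset($server[SSO_EMAIL_KEY]) || !is_string($server[SSO_EMAIL_KEY])) {
        return null; // header absent: the request did not pass through the agent
    }
    $raw = trim($server[SSO_EMAIL_KEY]);

    // Repeated request headers are typically merged into one comma-separated
    // value by the web server; more than one value means something other
    // than the agent also set the header.
    if ($raw === '' || strpbrk($raw, ", \t\r\n") !== false) {
        return null;
    }
    if (filter_var($raw, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    $email = strtolower($raw);

    // Authorization stays local: only accounts that were already provisioned
    // (for example by an identity-management feed) may log in.
    return $usersByEmail[$email] ?? null;
}

// Constructed sample data: one provisioned account and five request shapes.
$users = ['jane.doe@example.edu' => 17];
$requests = [
    'valid'      => [SSO_EMAIL_KEY => 'Jane.Doe@example.edu'],
    'missing'    => [],
    'duplicated' => [SSO_EMAIL_KEY => 'a.user@example.edu, jane.doe@example.edu'],
    'malformed'  => [SSO_EMAIL_KEY => 'not-an-email'],
    'unknown'    => [SSO_EMAIL_KEY => 'guest@example.edu'],
];
foreach ($requests as $label => $server) {
    $id = resolveSsoUser($server, $users);
    printf("%-10s -> %s\n", $label, $id === null ? 'deny' : "user #$id");
}
```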

     
  • Chris Andrews

    Chris Andrews - 2012-06-07

    Sascha,
    What is your editing setup that you use?  I've been analyzing the code using eclipse helios and looking for a slightly easier way to understand and update the ajax UI within the application.  Can you make any recommendations on this?

    Thanks,
    Chris

     
  • sascha benjamin cohen

    Hi Chris,

    I am copying below some of the general info my development team has collected to date on their preferred IDE setup and toolset. If you would like more, or if this doesn't quite get you what you need viz. information, just let me know and I'll connect you with one of our programmers.

    ime, my daily tool / application usage has evolved into the following:

    Firefox Plugins

    Firebug – Firebug, IMO, is the best thing out there; i've totally blocked out what it was like to develop Javascript in those days before Firebug existed.. horrific. One thing super annoying that has started occurring since the FF4-FB1.7 pair started existing is that Javascript files are cached, even if they change on the server; this has forced me to start deleting my local cache via the FF preference panel each time i do a new deploy to the dev machine.
    Web Developer toolbar for Firefox. Essential for dissecting a web page. (You can also avoid the above Firebug's caching problem by disabling cache in the Web Developer toolbar, see here.)

    A decent IDE
    NetBeans – I used to be an Eclipse kinda guy; but Eclipse's Navigator for Javascript suck-diddly-ucks for namespace-d code. (Don't get me wrong: NetBeans sucks for a number of other things, but other things that i run into with less frequency than the basic 'writing any code') - Loki
    Zend Studio - Eclipse-based IDE. Commercial Software, so get your employer to pay for it. Superb debugging- and refactoring tools.
    PDT - free, eclipse-based IDE.

    Diff Viewer/Merge tools
    Araxis Merge.
    Beyond Compare - Great tool for diffing whole directory structures. Integrates nicely with TortoiseSVN/GIT. Commercial product. Windows only.

    HTTP Proxy
    Charles - A HTTP(S) web debugging proxy application. Commercial software ($50/license). Great for reviewing raw HTTP requests/responses in AJAXy webapps.
    Fiddler2 - a free web debugger. Windows-only

    PHP Debugger
    The choices are either the Zend Debugger or XDebug. Both work and are available free-of-charge, however Zend Debugger seems to be the more robust/mature tool

     
