COmanage: Registry, Enrollment and Collaboration Management
By Heather Flanagan, Spherical Cow Consulting
A person's electronic identity is composed of a broad collection of information that describes that person and his or her roles and relationships in a given institution. Maintaining evolving information about a person, such as basic names and identifiers, group memberships, and affiliations, is a complicated endeavor. COmanage, one of the tools in the TIER toolbox, serves as a person registry that collects and stores that information for use by integrated services. COmanage, Grouper, and the Shibboleth IdP together make up the key components of the TIER application suite.
The original design for COmanage came out of a need for virtual organizations, in particular large research organizations, to have a richer set of identity management tools focused on their needs. As it turned out, their needs were remarkably similar to campus requirements, with complex enrollment processes, audit and reporting requirements, scalability needs, identifier management issues, group management issues, provisioning and application integration, and expiration and deprovisioning.
The primary purpose of COmanage is as a registry (a data store), not a provisioning engine. COmanage stores information in a database and can express that information via a plugin-based infrastructure that includes LDAP support out of the box; applications may then use that information to make access control decisions. COmanage, as originally designed, is not primarily intended to provision information directly to the applications.
[Figure: COmanage Registry in the federated environment]
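To make the registry-versus-provisioning distinction concrete, here is an added example (not COmanage project code, and not the project's documented LDAP schema) of an application that consumes registry data the registry has expressed into LDAP and makes its own access control decision from it. The LDIF is constructed sample data; the attribute names `eduPersonAffiliation` and `isMemberOf` and the registry-managed expiry attribute `coExpiry` are assumptions about what such an export might carry. The decision logic is deny-by-default and treats an expired identity as deprovisioned, which is the expiration-and-deprovisioning concern the text raises.

```python
"""Added example: an application reading registry-expressed LDAP data and
deciding access. Attribute names and the LDIF content are constructed
assumptions, not the COmanage project's own schema or code."""
from datetime import datetime, timezone

# Constructed sample LDIF standing in for entries a registry might export.
# 'coExpiry' is a hypothetical attribute for the identity's expiration date.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=org
uid: alice
eduPersonAffiliation: member
eduPersonAffiliation: faculty
isMemberOf: cn=wiki-editors,ou=groups,dc=example,dc=org
isMemberOf: cn=conference-admins,ou=groups,dc=example,dc=org

dn: uid=bob,ou=people,dc=example,dc=org
uid: bob
eduPersonAffiliation: member
isMemberOf: cn=wiki-editors,ou=groups,dc=example,dc=org
coExpiry: 2016-01-01T00:00:00Z

dn: uid=carol,ou=people,dc=example,dc=org
uid: carol
eduPersonAffiliation: affiliate
"""

WIKI_GROUP = "cn=wiki-editors,ou=groups,dc=example,dc=org"
# Fixed evaluation time so the decisions below are reproducible.
FIXED_NOW = datetime(2017, 6, 1, tzinfo=timezone.utc)


def parse_ldif(text):
    """Minimal LDIF parser returning {dn: {attribute: [values]}}.
    Handles only the subset used here: no base64 values, no continuations."""
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            key, _, value = line.partition(": ")
            attrs.setdefault(key, []).append(value)
        entries[attrs["dn"][0]] = attrs
    return entries


def find_by_uid(entries, uid):
    """Return the entry whose uid matches exactly, or None."""
    for attrs in entries.values():
        if attrs.get("uid") == [uid]:
            return attrs
    return None


def is_expired(attrs, now):
    """True when the registry-managed expiry date has passed."""
    exp = attrs.get("coExpiry")
    if not exp:
        return False
    when = datetime.strptime(exp[0], "%Y-%m-%dT%H:%M:%SZ")
    return when.replace(tzinfo=timezone.utc) <= now


def authorize(entries, uid, required_group, now=None):
    """Decide whether uid may use a service gated on a group membership.
    Returns (allowed, reason). Deny by default: an unknown identity, an
    expired identity, a missing 'member' affiliation, or a missing group
    membership all deny."""
    now = now or datetime.now(timezone.utc)
    attrs = find_by_uid(entries, uid)
    if attrs is None:
        return False, "unknown identity"
    if is_expired(attrs, now):
        return False, "identity expired (deprovisioned)"
    if "member" not in attrs.get("eduPersonAffiliation", []):
        return False, "no active member affiliation"
    if required_group not in attrs.get("isMemberOf", []):
        return False, "not in required group"
    return True, "ok"


def decide_all(uids=("alice", "bob", "carol", "dave")):
    """Evaluate the wiki-editor decision for several uids at FIXED_NOW."""
    entries = parse_ldif(SAMPLE_LDIF)
    return {uid: authorize(entries, uid, WIKI_GROUP, now=FIXED_NOW) for uid in uids}


if __name__ == "__main__":
    for uid, (allowed, reason) in decide_all().items():
        print(f"{uid}: {'ALLOW' if allowed else 'DENY'} ({reason})")
```

The application keeps the decision logic on its side: the registry only supplies the facts (affiliation, group membership, expiry), which is why a missing or stale expiry attribute must fail closed rather than open.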
COmanage version 2.0 was released in April 2017. This release involves changes to the data model that are incompatible with the 1.0.x version of the software. New features include:
- Organizational Identity Sources and Pipelines
- ORCID Integration
- Services and Service Portal, and Service Tokens
- Population-Specific Provisioning
- Identifier Validation
The COmanage Project is an effort by Internet2 and various partners to develop tools and resources that allow collaborative organizations to meet their objectives using key collaboration tools in a secure and effective framework. By leveraging external (federated) identity management services, authentication and authorization of group members are handled in a single, efficient process that feeds from each member's home organization into the various applications (such as wikis, calendaring, and conferencing) that are available to all participants.