COmanage is a PHP-based open source (Apache 2 license) person registry designed to manage the identity lifecycle of Virtual Organisation (VO) participants. The project is hosted by Internet2, with primary funding to date via the US National Science Foundation.
Features
The VO participant life cycle typically begins with Enrolment Flows, which can be customised to meet the business processes of the VO. Typical enrolment patterns include invitation, self signup, and administrator- driven signup. As part of enrolment, attributes are collected from authoritative sources such as SAML assertions (e.g. ePPN, name, organisational affiliation) as well as from the Enrolee (user-asserted attributes such as preferred name or mobile phone). VO administrators can customise the attributes collected. Identifiers can be automatically assigned for new VO participants upon enrolment.
In order to facilitate management of larger VOs, COmanage supports delegated administration via a hierarchical model similar to LDAP OUs. Administrators can add roles and manage attributes for participants within their COU ("Collaborative Organizational Unit"). These roles can drive group memberships, which in turn can drive access to services. VO administrators may define Expiration Policies to automatically transition participants out of the VO based on various criteria, allowing for grace periods and other common termination patterns. Both human readable transaction history as well as database level point-in-time audit capabilities are provided.
Application or service integration primarily occurs via a plugin based provisioning infrastructure. Out of the box plugins include support for LDAP, a common application integration pattern, but custom plugins can be written as well. COmanage supports other types of plugins as well to facilitate various types of customisation. A REST API is also available.
COmanage supports various other identity management components. A typical deployment leverages the Shibboleth SP and EDS (though neither are required) for authentication services, and can be easily configured to work with Grouper to provide advanced group management capabilities. A proof-of-concept integration with OpenConext has also been successfully completed.
Supported standards
COmanage itself is standard agnostic. A typical deployment involves a SAML federation, but this is not a requirement and other authentication protocols can be leveraged as well or instead. LDAP is supported for provisioning. Experimental VOOT support has been implemented. Support for the evolving TIER APIs (formerly CIFER APIs) is planned.
User Interfaces and APIs
COmanage ships with a fully internationalised, customisable, web-based user interface. A native REST API is also available. Custom functionality can be added by writing PHP-based plugins.
Support for Virtual Organisations
COmanage was designed around VO requirements, with enrolment and hierarchical/delegated administration capabilities to support typical VO models.
Dependencies on other technologies
COmanage is based on the CakePHP framework, and runs via a web server, typically Apache. An RDBMS is required, typically PostgreSQL or MySQL.
Operational overview
High Availability is achieved by making the relevant components (web server, etc.) highly available.
COmanage can be deployed in either single tenant or multi-tenant model.
Expected level of support
On-going maintenance will be funded by the Internet2 TIER initiative for the next several years. New feature development is currently funded from various sources, including grants and deployment specific funding.
The AARC requirements supported by the tool are:
- User and Service Provider friendliness