User-onboarding: creating a Bamboo Identity

Created by SM
Last updated: Nov 22, 2012Version comment

A "Bamboo Person" is someone who has established an identity in the Bamboo Ecosystem. A Bamboo Identity is needed for two kinds of activity enabled by Bamboo:

  1. Activity that requires proof of an entitlement to access content or services, e.g., only people associated with a CIC university may view page images associated with TCP texts; and,
  2. Activity that requires a user's identifier to track her contribution to scholarly effort, e.g., Professor Lee asserted that the token Αθήνα in this text refers to the city of Athens in Greece.

No one logs in to Bamboo, per se. Bamboo does not maintain username + password credentials. Instead, people log in using identities they have established elsewhere. 'Elsewhere' can be:

  1. Institutional identity providers, such as a university campus; and/or,
  2. Social media identity providers, such as Google.

Bamboo never has access to the username and password utilized to log into either of these types of identity providers: that information is only shared between the user and her campus or Social Media provider.

The two listed categories of identity providers imply different levels of confidence in the assertion that the person logging in is the person s/he claims to be. I can create an account at Google under the name "Harold Bloom"; but Yale University would be unlikely to issue me a login and faculty affiliation under that name unless I was actually the Sterling Professor of Humanities.

For Bamboo's purposes, it makes sense to believe Yale University if Yale says that the logged in user is Professor Bloom; however, we'd be more skeptical if Google made a similar assertion. This has important consequences when Bamboo makes authorization decisions. If Professor Bloom authenticated through Yale, we can be confident that we're authorized to extend the full set of Bamboo permissions that accrues to faculty members at Yale; if someone claiming to be Professor Bloom logged in at Google, we could not confidently offer those permissions.

The 'heavy lifting' of creating and storing Bamboo identities is done by software that runs on a central Bamboo Services Platform so that there is a master repository of identity data. This software is accessed via RESTful web services, and is secured by exchange of x509 certificates that restrict access to only applications authorized to operate on the identity data. The APIs of the services that come into play during creation of Bamboo identities are published on the Project Bamboo wiki; the current pre-release set of services demonstrated in the video linked below are available on the in-progress API pages for the PersonProfile, and Contact services.

What users – people who want to establish a Bamboo Identity – interact with is the Account Services website. This site is built atop Drupal, an open source content management platform, and uses a custom module to interact with the Bamboo Person, Profile and Contact services. 

Here's a diagram showing the participating applications or technologies in a Bamboo user-onboarding process:

For an early look at how these elements work together, we've prepared a webcast demonstrating how new Bamboo Person identities are created using UC Berkeley and Google as identity providers: