Starting to flesh out the lesson
lpaglione committed Jun 3, 2019
1 parent 46534e8 commit 38aad7c
Showing 7 changed files with 122 additions and 18 deletions.
3 changes: 2 additions & 1 deletion README.md
@@ -20,7 +20,8 @@ Time | Section | Description
---- | ------- | -----------
  | [Setup](/episodes/setup.md) | Prepare for the lesson
00:00 | 1. [Identity Registries](/episodes/identityRegistries.md) | COmanage is an Identity Registry. Why do these exist?
00:10 | 2. [Registry Architecture](/episodes/architecture.md) | The registry position in an Identity and Access Management (IAM) architecture
00:10 | 2. [What is COmanage?](/episodes/whyCOmanage.md) | What does COmanage do & who uses it?
00:25 | 3. [Focus on Capabilities](/episodes/capabilities.md) | What capabilities should you consider for your registry?

_The actual schedule may vary slightly depending on the topics and exercises chosen by the instructor._
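Review bot: the rendered hunk has lost its +/- markers, so confirm that the `00:10 | 2. [Registry Architecture](/episodes/architecture.md)` row is the single deleted line: episodes/architecture.md is removed in this same commit, and if that row survives the README links to a missing file and shows two rows numbered "2." that both start at 00:10. The new row's description "What does COmanage do & who uses it?" also does not match the opening question of episodes/whyCOmanage.md ("Where does the Registry sit in an Identity and Access Management (IAM) architecture?"); align one with the other.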

17 changes: 0 additions & 17 deletions episodes/architecture.md

This file was deleted.

47 changes: 47 additions & 0 deletions episodes/capabilities.md
@@ -0,0 +1,47 @@
---
title: "Focus on Capabilities"
teaching: 15
exercises: 0
questions:
- "Question here"
objectives:
- "List the objectives"
keypoints:
- "List the key takeaways for the episode"
---

What capabilities should you consider as you select (or build) a registry for your higher education or research organization?

## Onboarding Capabilities

Onboarding is how the electronic identities for people come into the registry so they can be managed. There are two general categories of onboarding:

1. Enrollment directly into the person registry
2. Consumption from other systems of record (SOR)

COmanage provides flexible onboarding models to establish person accounts in your systems

## Match and Linking Capabilities

As you onboard individuals from potentially multiple processes, it will be important to match and link these records to establish a single record to represent each person. COmanage has a sophisticated matching and linking capability to help ensure clean records.

## Identifier Capabilities

In order to link information to other systems, or even keep records connected among your own systems, it will be important to uniquely identify people and other concepts using identifiers. COmanage helps ensure that the IDs that you use are unique.

## User Life Cycle Capabilities

It is common for individuals to have different roles and connections to your institution under different circumstances. COmanage helps you to establish and manage a record of these relationships.

## Provisioning Capabilities

Once you have a single record for each of your users, you can use this information to provision access to systems, services and resources. COmanage can handle simple provisioning when your needs are modest, but also integrates with tools like Grouper to handle more complicated provisioning needs.

## Web SSO Capabilities

... to be described ...

## Efficiency Capabilities

... API, Bulk operations, Search

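Review bot: the front matter still carries the template placeholders ("Question here", "List the objectives", "List the key takeaways for the episode"), which the lesson template renders at the top of the episode; fill them in before this is published. Two sections are stubs ("... to be described ...", "... API, Bulk operations, Search"), and the sentence under Onboarding Capabilities ("COmanage provides flexible onboarding models to establish person accounts in your systems") has no terminating period. Under User Life Cycle Capabilities and Provisioning Capabilities, consider also saying what happens when a role or relationship ends: the text covers establishing the record and granting access, but expiring records and removing provisioned access is the part of the life cycle that access reviews depend on.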
15 changes: 15 additions & 0 deletions episodes/identityRegistries.md
@@ -22,3 +22,18 @@ A key benefit to storing this information in a registry rather than a file, spre

Despite the usefulness of registries, there is no universal incumbent product that is used. For many years, each university wrote its own identity registry to satisfy its own local use cases; many universities still take this approach. More recently, some universities have been working together to create a "Registry for Higher Education and Research" (with mixed success.) There also are newer enterprise and open source efforts have been aimed at organizations of different sizes.

We'll talk about capabilities later... key tools:

* COmanage
* midPoint
* WSO2 Identity Server
* KeyCloak
* OpenIAM
* Apache Syncope
* OpenAM
* Microsoft AD
* Microsoft Identity Manager 2016
* NetIQ (Novell) Identity Manager
* IBM Tivoli Identity Manager
* Oracle Identity Manager
* ForgeRock Identity Platform
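Review bot: "There also are newer enterprise and open source efforts have been aimed at organizations of different sizes" is missing a relative pronoun; read "There are also newer enterprise and open source efforts that have been aimed at organizations of different sizes." The period in "(with mixed success.)" belongs outside the parenthesis. "We'll talk about capabilities later... key tools:" reads as an author's note rather than lesson text; replace it with a sentence that introduces the list. In the list, the product spells its name "Keycloak" (lowercase c), and "Microsoft AD" should be spelled out as Active Directory to match the other entries, which use full product names.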
58 changes: 58 additions & 0 deletions episodes/whyCOmanage.md
@@ -0,0 +1,58 @@
---
title: "What is COmanage?"
teaching: 15
exercises: 0
questions:
- "Question here"
objectives:
- "List the objectives"
keypoints:
- "List the key takeaways for the episode"
---

Where does the Registry sit in an Identity and Access Management (IAM) architecture?

## What COmanage does

COmanage is a key tool for several things:

* Enrolling individuals into your Identity and Access Management systems in diverse ways
* Combining information about a person that come from different sources into a single, comprehensive record
* Modeling your organization as broad "groups" and attaching this group information to the combined identity records
* Provisioning this information to other systems, either to use directly to manage access to systems or services, or to manage access via another tool like Midpoint or Grouper.

## Who uses COmanage?

COmanage is usually used by one of two audiences:

* Virtual Organizations (VOs) and groups that have straight-forward person enrollment and privileged setting needs.
This group usually can use COmanage directly to manage all aspects of enrolling individuals into their group using customized enrollment processes. In addition, because of the sophisticated ability to model organizations in COmanage, these VOs can usually can use this feature to provision access to systems and services without the need of another system.

* Organizations with multiple source systems, individuals that assume multiple relationships to the organization (for example, a student and an employee), and/or organizations with more complicated organizational structures.
This group usually has a more complicated time establishing a single record of information about an individual, either because the individual potentially has a more complicated relationship to the organization, or because individual relationships to the organization are complicated by temporal, location-based, or group management considerations.

## The architecture

Consider the things that you'd want to do with identities:

![Identity System Architecture](../fig/identitySysModel.png)

### Establish who you will include

Determine the internal Policy & Governance (decisions by your organization or group about who to include).

### Enroll these individuals

Using one or more enrollment models, register the included individuals so that you may provide identity and access management services to them. Enrollment processes may include using information from Source Systems (data sources that contain information about these individuals), enrollment flows (for example, through a digital or in-person interaction with the person), or other models.

### Enrich the information about these individual

It is often helpful to create a comprehensive set of information about an individual to make it easier to set up access to systems, services and resources based on rules. To build these information sets, you may include information from multiple source systems, or enrich the identity information with information from teams, programs.

### Model your organization and include the individuals where they belong

Your organization may be modeled by departments and centers, but it may also have temporary groups like a research project or event enrollment. Your groups may be related to how individuals interact with your organization, what their relationship is to your organization or how they will use your resources and services. In addition, it is rare for there to only be one lens by which to view these groups. COmanage can be used to describe basic information about your organization and enroll individuals into these groups.

### Provisioning

Sometimes having individuals in groups is all you need to provide the correct access to your systems, services and resources. Other times you will have more complicated or sophisticated needs, so a dedicated tool for group management and provisioning will be helpful. Either way COmanage's single view of an individual is an asset to any system using the information.
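Review bot: the episode's opening question ("Where does the Registry sit in an Identity and Access Management (IAM) architecture?") is the framing of the deleted architecture.md, while the README row for this episode reads "What does COmanage do & who uses it?"; pick one. The front matter placeholders are unfilled, as in capabilities.md. Wording: "information about a person that come from different sources" should be "comes"; "straight-forward person enrollment and privileged setting needs" presumably means "privilege-setting needs"; "these VOs can usually can use this feature" has a duplicated "can"; the heading "Enrich the information about these individual" should be "individuals"; "or enrich the identity information with information from teams, programs." stops mid-list. "Midpoint" here and "midPoint" in identityRegistries.md should use one spelling. The image path ../fig/identitySysModel.png resolves from episodes/ to the fig/identitySysModel.png added in this commit, so that reference is fine.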
Binary file added fig/identitySysModel.png
Binary file removed fig/infoFlow.png