Versions Compared

Old Version 5

changes.mady.by.user Steven Maglio

Saved on

compared with

New Version 6

changes.mady.by.user Steven Maglio

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.


Page Properties


Project TitleCampus API Gateway
Target Release
Epic
Document Status
Status
titleDRAFT
Document Owner

Document Sign-Off
Subject Matter Expert(s)
Technical Expert(s)


...

  • An easy way to sign into the Developer Portal
    • Preferably you would be able to sign in using the Campus SSO solution
  • An easy way for Teams of Developers to manage Groups of Applications
  • An easy way to associate Applications with Campus IdM Service Accounts for use with OAuth Authentication
    • If possible, the ability to create a Campus IdM Service Account at the time of registering an Application
  • An easy way to pass in an Apigee Client ID to an attribute on a Campus IdM Service Account

Out of Scope

Assumptions

  • Campus IdM will support Application Accounts (Service Accounts).
    • Application Accounts (Service Accounts) Description from ETSC (UCSB isDesk):
      > 2018-05-25 10:06:09 - Laurie Branagan (Additional comments)
      > App accounts were created to allow for programmatic access to the
      > directory without embedding a person's credentials in the application. They
      > were not scoped to be used for authorization beyond access to the
      > directory. It's understood this utility is somewhat limited.
      > If what you're requesting is non-person entities in the directory - That
      > feature is on the roadmap document that the Identity Advisory Group drafted
      > last year. It has not been implemented.
  • We will eventually integrate Developer Portal logins with Campus SSO.

...

Ticket(s)TitleUser StoryStory GroupingPriorityNotes

Apigee Developer AccountAs an Application Developer, I would like to sign into the Developer Portal using an email address that is shared by a development team on campus (ends in @*.ucsb.edu)
Status
colourRed
titledeprecate

This is the way the system currently works. We would like to move away from this.

  • Currently the system has no way of sharing access to Applications between multiple logins. So, you need to create a "shared" login to be able to do that. We call these functional accounts.
  • These are used to register actual applications so they can be maintained by a team of people.
  • These accounts must be created using shared emails address with @*.ucsb.edu addresses.
  • The passwords for these are only usable in the Developer Portal. The password will not be stored anywhere or retrievable after creation.
  • It is a requirement that the person who created the password must store and share the password safely with their team.
  • There is a way to reset a password.

Apigee Application AccountAs an Application Developer, I would like to Register an Application with the account I logged in with.
Status
colourRed
titledeprecate

This is the way the system currently works. We would like to move away from this.

  • Applications are only visible to Developer Account which created them.
  • Applications can be created and deleted by the Developer Account through the Developer Portal at any time.
  • Currently when system creates an Application it also generates a unique client_id as the identifier.
  • All permissions to Apigee API's are granted based upon the internal client_id.
  • For OAuth to work the client_id will need to be set as attribute on a Service Account record in our Campus Id system.


As a Third Party Company that is implementing a project with a campus department, I would like to register an account with the Developer Portal.
Status
colourGreen
titlemust have


Campus Application Service AccountAs an Application Developer, I need the Campus to have the ability to create Service Accounts for my Applications. 
Status
colourGreen
titlemust have
  • They must have UCSB Net IDs and Passwords that can be Authenticated through OAuth
  • There will need to way to enter the Service Account UCSB Net ID for association.
  • When an Apigee Application is Created, the Apigee Client Id will need to be pushed into the Campus IdM's Service Account as an Attribute.
    • The Apigee Client Id attribute must be retrievable as an OAuth claim or "access token key/value pair".


As an Application Developer, I would like to create a UCSB Service Account with a UCSB Net ID and Password for my Application at the time of Registration.
Status
colourYellow
titlenice to have



As an Application Developer, I would like to sign in using my UCSB Net ID and password in order to do Proof of Concept work.
Status
colourGrey
titleapi account
Status
colourGreen
titlemust have

This is IS NOT the way the system currently works. But, it can be easily implemented. This IS an edge-case, not the main use case.

  • During account creation, the UcsbCampusId will be stored in Apigee as the foreign key.
  • These are intended for Developers to do Proof of Concept work and generally try things out.


As an Application Developer, I would like to Register an Application with a UCSB Net ID Service Account which will belong to currently logged in account.
Status
colourGrey
titleapi account
Status
colourGreen
titlemust have

This is NOT the way the system currently works. But, is needed in all scenarios.

  • There will need be a way add the Campus Service Account UCSB Net ID.
  • The ucsbNetId should be stored in Apigee as a custom attribute on the Application
  • The Campus IdM system should populate an apigeeClientId attribute on a Service Account record
    • If the Service Account already has an apigeeClientId associated with it, it should return an error. Campus IdM Service accounts should only be associated with on apigeeClientId.
    • If the UCSB Net ID given is not a Service Account it should throw an error.


As an Application Developer, I would like to sign into Developer Portal using a UCSB Net ID and Password that was created for a Campus Development Team.
Status
colourBlue
titleIDM Teams
Status
colourYellow
titlenice to have
This would require the Campus IdM Team to implement "Group/Team Accounts" that would have UCSB Net ID's and Passwords.


As an Application Developer, I would like to Register an Application with a UCSB Net ID Service Account which will belong to the Campus Developer Team.
Status
colourBlue
titleIDM Teams
Status
colourYellow
titlenice to have
This would require the Campus IdM Team to implement "Group/Team Accounts" that would have UCSB Net ID's and Passwords.


As an Application Developer, I would like to sign into the Developer Portal using my UCSB Net ID and Password.
Status
colourYellow
titleAPI TEAMS
Status
colourYellow
titlenice to have

This would require the Apigee Product Suite to implement a Teams functionality.





As an Application Developer, I would like to belong to one or more Development Teams.
Status
colourYellow
titleAPI TEAMS
Status
colourYellow
titlenice to have

This would require the Apigee Product Suite to implement a Teams functionality.





As an Application Developer, I would like to Register an Application with a UCSB Net ID Service Account with a Development Team.
Status
colourYellow
titleAPI TEAMS
Status
colourYellow
titlenice to have

This would require the Apigee Product Suite to implement a Teams functionality.









...

Simple SSO and Service Account Association (WebSequenceDiagram Link)


Campus IdM Team SSO and Service Account OAuth Association (WebSequenceDiagram Link)

...