| Ticket(s) | Title | User Story | Priority | Notes |
|---|
| Identify End User | As a Client Developer, I need a way to provide the Resource Service with authenticated identity information about who is using my application. | | Status |
|---|
| colour | Green |
|---|
| title | must have |
|---|
|
| - Should need both Service Account
ucsbNetId and password, and the End User ucsbNetId and password. - OAuth call should go against Apigee OAuth endpoint.
- Apigee will pass through the call to Campus IdM
- The Campus IdM response will pass through back to the client
|
| Authenticate End User | As a Campus IdM Admin, I need authenticate the End User before the Resource Service can grant access. | | Status |
|---|
| colour | Green |
|---|
| title | must have |
|---|
|
| - Should use password grant.
- The End User Token will only be valid for particular amount of time. The Web Application will need to have a Session Timeout Period the same time period or less.
- For Staff Web Applications, Student Affairs requires our SSO Token lifespan to be a minimum of 10 9 hours.
|
| Verify End User in Resource Server (Service) | As a Resource Service Developer, I need a way to provide the Resource Service with authenticated identity information about who is using my resource. | | Status |
|---|
| colour | Green |
|---|
| title | must have |
|---|
|
| |
| Authorize End User & App in Resource Server (Service) | As a Resource Service Developer, I need to be able to lookup permissions and enforce access authorization. | | Status |
|---|
| colour | Green |
|---|
| title | must have |
|---|
|
| - For application specific permissions, the Authorization Provider should be determined by the Resource Service Developer. This can be something created solely by the developer for their needs or it can be a campus provided solution.
|
| Verify App in Resource Server (Service) | As a Resource Service Developer, I need to be able to provide the Resource service with authenticated identity information about the client application using my resource. | | Status |
|---|
| |
|---|
| colour | Yellow |
|---|
| title | nice to have |
|---|
|
| - The PingIdentity server will need to validate the
access_token given. - This should use the PingIdentity servers validate_bearer grant type.
- The response should include the Client Service Account
ucsbNetId. There does not seem to be a way to get the Client Service Account ucsbCampusId. Because of this, it is a requirement that ucsbNetId's for Service Accounts must be unique and non-changing.- They should be able to be reused. But the expectation is that if a service account changes names, it will need to have it's permissions reestablished in all downstream systems.
|