Page Comparison

Page Properties

Project Title

Campus API Gateway

Target Release

Epic

Document Status

Status

title	DRAFT

Document Owner

Document Sign-Off

Subject Matter Expert(s)

Technical Expert(s)

...

An easy way to sign into the Developer Portal
- Preferably you would be able to sign in using the Campus SSO solution
- If possible, the ability to create a Campus IdM Team Account at the time of registration with the Developer Portal
An easy way for Teams of Developers to manage Groups of Applications
An easy way to associate API Gateway Applications with Campus IdM Service Accounts for use with OAuth Authentication
- If possible, the ability to create a Campus IdM Service Account at the time of registering an Application
- If possible, the ability to delete a Campus IdM Service Account at the time of Application removal
An easy way to pass in an Apigee Client ID to an attribute on a Campus IdM Service Account

Out of Scope

Assumptions

Campus IdM will support Application Accounts (Service Accounts).
- Application Accounts (Service Accounts) Description from UCSB isDesk (ETSC RITM0023638):
  2018-05-25 10:06:09 - Laurie Branagan (Additional comments) App accounts were created to allow for programmatic access to the directory without embedding a person's credentials in the application. They were not scoped to be used for authorization beyond access to the directory. It's understood this utility is somewhat limited. If what you're requesting is non-person entities in the directory - That feature is on the roadmap document that the Identity Advisory Group drafted last year. It has not been implemented.
We will eventually integrate Developer Portal logins with Campus SSO.

...

colour

Apigee would need to rearchitect their component model to have Teams.
A developer would belong to one or more Teams.

This would be the same as the Register Application (Campus Service Account) story above, but you would also designate the Team of ownership at the time of registration.

Ticket(s) Title User Story Priority Notes

Campus Service Accounts

As an Application Developer, I need the Campus to have the ability to create Service Accounts for my Applications.

Status


colour	Green
title	must have

Just noting that we would like for the Campus IdM System to support Service Accounts

They must have UCSB Net IDs and Passwords that can be Authenticated through OAuth
There will need to way to enter the Service Account UCSB Net ID for association.
When an Apigee Application is Created, the Apigee Client Id will need to be pushed into the Campus IdM's Service Account as an Attribute.
- The Apigee Client Id attribute must be retrievable as an OAuth claim or "access token key/value pair".

Register Application
(Campus Service Account)

As an Application Developer, I would like to Register an Application with a UCSB Net ID Service Account which will belong to currently logged in account.

Status


colour	Green
title	must have

This is needed in all scenarios.

There will need be a way add the Campus Service Account UCSB Net ID.
The ucsbNetId should be stored in Apigee as a custom attribute on the Application
The Campus IdM system should populate an apigeeClientId attribute on a Service Account record
- If the Service Account already has an apigeeClientId associated with it, it should return an error. Campus IdM Service accounts should only be associated with one apigeeClientId.
- If the UCSB Net ID given is not a Service Account it should throw an error.

Campus Service Account Creation in Developer Portal

As an Application Developer, I would like to manage UCSB Service Accounts that I create through the Developer Portal.

Status


colour	Yellow
title	nice to have

If Service Accounts can be created through the Developer Portal ...
- Creation
  - There should be a way to designate the ucsbNetId of the Service Account
  - There should be a way to designate the password of the Service Account
  - Apigee generates a client_id and client_secret for every application registered with it. It would be possible to use those values. But, those values are not human friendly.
    - It would be preferable to have human friendly names for looking through audit logs
- Deletion
  - When removing the application from there should be a way to remove the Service Account from the Campus IdM system at the same time.
    - This should be the default option.
- Updating
  - This should be handled by a Campus IdM solution ...
  - But, if it's more convenient within the Developer Portal then these values might be possible candidates for update:
    - Service Account Name (assuming ucsbCampusId is the unique identifier in Campus IdM, and apigeeClientId is the unique identifier in Apigee)
    - Service Account Password
    - Service Account Description
    - Service Account Url

SSO Enabled Individual Account Login
(Proof-of-Concept Work)

As an Application Developer, I would like to sign in using my UCSB Net ID and password in order to do Proof of Concept work.

Status


colour	Green
title	must have

This is an edge case, not the main use case.

During account creation, the UcsbCampusId will be stored in Apigee as the foreign key.
These are intended for Developers to do Proof of Concept work and generally try things out.

SSO Enabled Campus Team Accounts

Status


colour	Blue
title	IDM Teams

As an Application Developer, I need the Campus to have the ability to create Team Accounts for my Development Team

Status


colour	Green
title	must have

Just noting that we would like for the Campus IdM System to support Team Accounts

They must have UCSB Net IDs and Passwords that can be Authenticated through CAS (OAuth would work too)
These would be used as Apigee Developer Accounts

SSO Enabled Team Account Login

Status


colour	Blue
title	IDM Teams

As an Application Developer, I would like to sign in using my Teams UCSB Net ID and password in order to work on our Applications.

Status


colour	Green
title	must have

Same as the SSO Enabled Individual Account Login (Proof-of-Concept Work) story, but logging in using the Campus IdM Team Account.

SSO Enabled Register Application
(Campus Service Account)

Status


colour	Blue
title	IDM Teams

As an Application Developer, I would like to Register an Application with a UCSB Net ID Service Account which will belong to the Campus Developer Team.

Status


colour	Green
title	must have

Same as the Register Application (Campus Service Account) story, but associated with a Team instead of an Individual.

Individual Accounts

Status


colour	Yellow
title	APIgee TEAMS

As an Application Developer, I would like the Developer Portal to know what teams I belong to.

Status


colour	Grey
title	wish list

This would require the Apigee Product Suite to implement a Teams functionality.

Apigee would need to rearchitect their component model to have Teams.
A developer would belong to one or more Teams.

Apigee

Status


colour	Yellow
title	APIgee TEAMS

As an Application Developer, I would like to sign into the Developer Portal using my UCSB Net ID and Password.

Status


colour	Grey
title	wish list

This would require the Apigee Product Suite to implement a Teams functionality.

Status

Yellow

title APIgee TEAMS

Register Application
(Campus Service Account)

Status


colour	Yellow
title	APIgee TEAMS

As an Application Developer, I would like to Register an Application using a UCSB Service Account with a Development Team.

Status


colour	Grey
title	wish list

This would require the Apigee Product Suite to implement a Teams functionality.status

colour Yellow

title APIgee TEAMS

Third Party Company Account

As a Third Party Company, if a department requires I use the Campus API Gateway to retrieve data then I need to be able to create an account within the Developer Portal.

Status


colour	Green
title	must have

Ideally, the Third Party Company would be able to register a Team Account in Campus IdM. Then it's the same as the SSO Enabled Team Account Login story.

User Interaction, Design & Architecture

CAS Login and Account Creation Login w/ CAS (WebSequenceDiagram Link)

Simple SSO and Service Account Association App Registration and Creation (WebSequenceDiagram Link)

SSO through CAS Sequence Diagram (CAS Documentation Link)
Prerequisites
- Service Accounts have to be in CAS
Service Account

Image Removed

Campus IdM Team SSO and Service Account OAuth Association (WebSequenceDiagram Link)

Maybe

Image Removed

Simple SSO with Apigee Teams and Service Account Association (WebSequenceDiagram Link)

The Apigee Team claimed they have something like this in the Roadmap; but it really didn't sound right. Like they were talking about something that used the term "Group" but didn't have to do with grouping Developers together.
If we did this, the Campus API Team would have to develop it from the ground up; so it would probably never happen.

...

Image Added

Examples and References

Questions

Below is a list of questions to be addressed as a result of this requirements document:

...

Versions Compared

Old Version 8

New Version 9

Key

Out of Scope

Assumptions

User Interaction, Design & Architecture

Examples and References

Questions