
Page Properties

Project Title: Campus API Gateway
Target Release:
Epic:
Document Status: DRAFT
Document Owner:
Document Sign-Off:
Subject Matter Expert(s):
Technical Expert(s):

...

  • An easy way to sign into the Developer Portal
    • Preferably you would be able to sign in using the Campus SSO solution
    • If possible, the ability to create a Campus IdM Team Account at the time of registration with the Developer Portal
  • An easy way for Teams of Developers to manage Groups of Applications
  • An easy way to associate API Gateway Applications with Campus IdM Service Accounts for use with OAuth Authentication
    • If possible, the ability to create a Campus IdM Service Account at the time of registering an Application
    • If possible, the ability to delete a Campus IdM Service Account at the time of Application removal
  • An easy way to pass in an Apigee Client ID to an attribute on a Campus IdM Service Account

Out of Scope

Assumptions

  • Campus IdM will support Application Accounts (Service Accounts).
    • Application Accounts (Service Accounts) Description from UCSB isDesk (ETSC RITM0023638):
       2018-05-25 10:06:09 - Laurie Branagan (Additional comments) App accounts were created to allow for programmatic access to the directory without embedding a person's credentials in the application. They were not scoped to be used for authorization beyond access to the directory. It's understood this utility is somewhat limited. If what you're requesting is non-person entities in the directory - That feature is on the roadmap document that the Identity Advisory Group drafted last year. It has not been implemented.
  • We will eventually integrate Developer Portal logins with Campus SSO.

...

Ticket(s) | Title | User Story | Future Plan | Notes

Title: Apigee Developer Functional Account
User Story: As an Application Developer, I would like to sign into the Developer Portal using an email address that is shared by a development team on campus (ends in @*.ucsb.edu).
Future Plan: deprecate
Notes: This is the way the system currently works. We would like to move away from this.

  • Currently the system has no way of sharing access to Applications between multiple logins, so you need to create a "shared" login to do that. We call these functional accounts.
  • These are used to register actual applications so they can be maintained by a team of people.
  • These accounts must be created using shared email addresses under @*.ucsb.edu.
  • The passwords for these are only usable in the Developer Portal. The password is not stored anywhere and cannot be retrieved after creation.
  • It is a requirement that the person who created the password store it and share it safely with their team.
  • There is a way to reset a password.

Title: Apigee Application Personal Account
User Story: As an Application Developer, I would like to Register an Application with the account I logged in with.
Future Plan: deprecate
Notes: This is the way the system currently works. We would like to move away from this.

  • Applications are only visible to the Developer Account which created them.
  • Applications can be created and deleted by the Developer Account through the Developer Portal at any time.
  • Currently, when the system creates an Application it also generates a unique client_id as the identifier.
  • All permissions to Apigee APIs are granted based upon the internal client_id.
  • For OAuth to work, the client_id will need to be set as an attribute on a Service Account record in our Campus IdM system.

Title: Third Party Company Account
User Story: As a Third Party Company, if a department requires me to use the Campus API Gateway to retrieve data, then I need to be able to create an account within the Developer Portal.
Future Plan: deprecate
Notes: Currently, this is the same as the Apigee Developer Functional Account story.

...

Current Account and App Creation (WebSequenceDiagram Link)


OAuth Requirements

IDM Teams vs APIgee TEAMS - We need a team management system.

IDM Teams is where UCSB Campus IdM implements Team Accounts.

APIgee TEAMS is where Apigee implements Teams; Developers can belong to Teams and Teams own Applications. Apigee doesn't have this on their roadmap, and it's very unlikely to happen. Apigee calls this feature "Companies"; in the version of Apigee we purchased it is turned on only in the Developer Portal as "apigee_nonmint_company".

Ticket(s) | Title | User Story | Priority | Notes

Title: Campus Service Accounts
User Story: As an Application Developer, I need the Campus to have the ability to create Service Accounts for my Applications.
Priority: must have
Notes: Just noting that we would like the Campus IdM System to support Service Accounts.

  • They must have UCSB Net IDs and Passwords that can be authenticated through OAuth.
  • There will need to be a way to enter the Service Account UCSB Net ID for association.
  • When an Apigee Application is created, the Apigee Client Id will need to be pushed into the Campus IdM Service Account as an attribute.
    • The Apigee Client Id attribute must be retrievable as an OAuth claim or "access token key/value pair".

Title: Register Application (Campus Service Account)
User Story: As an Application Developer, I would like to Register an Application with a UCSB Net ID Service Account which will belong to the currently logged in account.
Priority: must have
Notes: This is needed in all scenarios.

  • There will need to be a way to add the Campus Service Account UCSB Net ID.
  • The ucsbNetId should be stored in Apigee as a custom attribute on the Application.
  • The Campus IdM system should populate an apigeeClientId attribute on the Service Account record.
    • If the Service Account already has an apigeeClientId associated with it, the request should return an error. Campus IdM Service Accounts should only be associated with one apigeeClientId.
    • If the UCSB Net ID given is not a Service Account, the request should return an error.
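The two stories above (Campus Service Accounts and Register Application) describe one binding with two error rules and one claim requirement: a Service Account carries at most one apigeeClientId, a person's Net ID must be refused, and the attribute must surface in the OAuth token. The Python below is an added example that models those rules; it is not code from this page, Apigee or Campus IdM. The record shapes (IdmEntry, ApigeeApp), the associate and token_claims functions, the AssociationError type, the claim name apigeeClientId and the sample identifiers are all assumptions for illustration.

```python
# Added worked example; not code from the requirements page, Apigee or Campus IdM.
# The record shapes, function names, error type and claim name are assumptions.
from dataclasses import dataclass, field
from typing import Dict, Optional


class AssociationError(Exception):
    """Raised when linking an Apigee Application to a Service Account is refused."""


@dataclass
class IdmEntry:
    """Constructed stand-in for a Campus IdM directory record."""
    ucsb_net_id: str
    is_service_account: bool
    apigee_client_id: Optional[str] = None   # the apigeeClientId attribute


@dataclass
class ApigeeApp:
    """Constructed stand-in for an Apigee Application and its custom attributes."""
    client_id: str
    attributes: Dict[str, str] = field(default_factory=dict)


def associate(directory: Dict[str, IdmEntry], app: ApigeeApp, ucsb_net_id: str) -> None:
    """Bind one Apigee Application to exactly one Campus IdM Service Account.

    Both checks run before any write, so a refused request leaves both systems untouched:
      1. the UCSB Net ID must resolve to a Service Account, not a person;
      2. a Service Account may carry at most one apigeeClientId.
    """
    entry = directory.get(ucsb_net_id)
    if entry is None or not entry.is_service_account:
        raise AssociationError(f"{ucsb_net_id!r} is not a Campus IdM Service Account")
    if entry.apigee_client_id is not None:
        raise AssociationError(
            f"{ucsb_net_id!r} is already associated with client_id {entry.apigee_client_id!r}")
    entry.apigee_client_id = app.client_id        # IdM side: apigeeClientId attribute
    app.attributes["ucsbNetId"] = ucsb_net_id     # Apigee side: ucsbNetId custom attribute


def token_claims(directory: Dict[str, IdmEntry], ucsb_net_id: str) -> Dict[str, str]:
    """Claims an OAuth token issued to the Service Account would carry.

    The claim name 'apigeeClientId' is assumed; the page only requires that the
    attribute be retrievable as a claim or access-token key/value pair.
    """
    entry = directory[ucsb_net_id]
    claims = {"sub": entry.ucsb_net_id}
    if entry.apigee_client_id is not None:
        claims["apigeeClientId"] = entry.apigee_client_id
    return claims


def demo() -> Dict[str, object]:
    """Run the happy path and both error rules against a constructed directory."""
    directory = {
        "svc-registrar-app": IdmEntry("svc-registrar-app", is_service_account=True),
        "svc-library-app": IdmEntry("svc-library-app", True, apigee_client_id="cid-existing"),
        "jdoe": IdmEntry("jdoe", is_service_account=False),   # a person, not a Service Account
    }
    results: Dict[str, object] = {}
    app = ApigeeApp(client_id="cid-abc123")
    associate(directory, app, "svc-registrar-app")            # happy path
    results["ok"] = (app.attributes["ucsbNetId"], directory["svc-registrar-app"].apigee_client_id)
    for net_id in ("svc-library-app", "jdoe"):                # the two error rules
        try:
            associate(directory, ApigeeApp(client_id="cid-new"), net_id)
            results[net_id] = "allowed"
        except AssociationError as exc:
            results[net_id] = str(exc)
    results["claims"] = token_claims(directory, "svc-registrar-app")
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The ordering matters for a defender: the Service Account check is answered by Campus IdM, which is the authority on whether a Net ID is a person or a service entity, and both checks complete before either side is written, so a rejected registration never leaves a half-linked Application behind.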

Title: Campus Service Account Creation in Developer Portal
User Story: As an Application Developer, I would like to manage UCSB Service Accounts that I create through the Developer Portal.
Priority: nice to have
Notes:

  • If Service Accounts can be created through the Developer Portal ...
    • Creation
      • There should be a way to designate the ucsbNetId of the Service Account.
      • There should be a way to designate the password of the Service Account.
      • Apigee generates a client_id and client_secret for every application registered with it. It would be possible to use those values, but they are not human friendly.
        • It would be preferable to have human friendly names for looking through audit logs.
    • Deletion
      • When removing the application, there should be a way to remove the Service Account from the Campus IdM system at the same time.
        • This should be the default option.
    • Updating
      • This should be handled by a Campus IdM solution ...
      • But, if it's more convenient within the Developer Portal, then these values might be candidates for update:
        • Service Account Name (assuming ucsbCampusId is the unique identifier in Campus IdM, and Apigee's client_id is the unique identifier in Apigee)
        • Service Account Password
        • Service Account Description
        • Service Account Url
    • Would SCIM be used for this? (Research)

Title: SSO Enabled Individual Account Login (Proof-of-Concept Work)
User Story: As an Application Developer, I would like to sign in using my UCSB Net ID and password in order to do Proof of Concept work.
Priority: must have
Notes: This is an edge case, not the main use case.

  • During account creation, the UcsbCampusId will be stored in Apigee as the foreign key.
  • These are intended for Developers to do Proof of Concept work and generally try things out.

Title: SSO Enabled Campus Team Accounts (IDM Teams)
User Story: As an Application Developer, I need the Campus to have the ability to create Team Accounts for my Development Team.
Priority: must have / wish list (differs between the two compared versions)
Notes: Just noting that we would like the Campus IdM System to support Team Accounts.

  • They must have UCSB Net IDs and Passwords that can be authenticated through CAS (OAuth would work too).
  • These would be used as Apigee Developer Accounts.

Title: SSO Enabled Team Account Login (IDM Teams)
User Story: As an Application Developer, I would like to sign in using my Team's UCSB Net ID and password in order to work on our Applications.
Priority: must have / wish list (differs between the two compared versions)
Notes: Same as the SSO Enabled Individual Account Login (Proof-of-Concept Work) story, but logging in using the Campus IdM Team Account.


Title: SSO Enabled Register Application (Campus Service Account) (IDM Teams)
User Story: As an Application Developer, I would like to Register an Application with a UCSB Net ID Service Account which will belong to the Campus Developer Team.
Priority: must have / wish list (differs between the two compared versions)
Notes: Same as the Register Application (Campus Service Account) story, but associated with a Team instead of an Individual.



Title: SSO Enabled Apigee Login (APIgee TEAMS)
User Story: As an Application Developer, I would like to sign into the Developer Portal using my UCSB Net ID and Password.
Priority: wish list / must have (differs between the two compared versions)
Notes: This would require the Apigee Product Suite to implement a Teams functionality.

  • Apigee would need to rearchitect their component model to have Teams.
  • A developer would belong to one or more Teams.

Same as SSO Enabled Individual Account Login (Proof-of-Concept Work). We would like anyone in Campus Identity to be able to log into the Developer Portal using SSO.


Title: SSO Enabled Apigee Teams (APIgee TEAMS)
User Story: As an Application Developer, I would like to sign into the Developer Portal using my UCSB Net ID and Password, and I would like the Developer Portal to know what teams I belong to.
Priority: wish list / must have (differs between the two compared versions)
Notes: This would require the Apigee Product Suite to implement a Teams functionality.

  • Apigee would need to rearchitect their component model to have Teams.
  • A developer would belong to one or more Teams.

Need to enable the Developer Portal's apigee_nonmint_company feature.

  • Individuals would be able to create a company just for themselves that could be used for Proof of Concept work.
  • Individuals can also create Teams (i.e. Companies) that would be used to ensure applications are shared between many team members.
  • Individuals can be a part of multiple teams.

Title: Register Application (Campus Service Account) (APIgee TEAMS)
User Story: As an Application Developer, I would like to Register an Application using a UCSB Service Account with a Development Team.
Priority: wish list / must have (differs between the two compared versions)
Notes: This would require the Apigee Product Suite to implement a Teams functionality.

Need to enable the Developer Portal's apigee_nonmint_company feature.

  • This would be the same as the Register Application (Campus Service Account) story above, but you would also designate the Team of ownership at the time of registration.

Title: Third Party Company Account
User Story: As a Third Party Company, if a department requires me to use the Campus API Gateway to retrieve data, then I need to be able to create an account within the Developer Portal.
Priority: must have
Notes:

  • Ideally, the Third Party Company would be able to register a Team Account in Campus IdM. Then it's the same as the SSO Enabled Team Account Login story.

User Interaction, Design & Architecture

CAS Sequence Diagram
Login w/ CAS (WebSequenceDiagram Link)

...

Question | Outcome | Decision Date

  • Would SCIM be used for managing users in Campus IdM?