Versions Compared

Old Version 7

changes.mady.by.user Steven Maglio

Saved on

compared with

New Version Current

changes.mady.by.user Steven Maglio

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.


Page Properties


Project TitleCampus API Gateway
Target Release
Epic
Document Status
Status
titleDRAFT
Document Owner

Document Sign-Off
Subject Matter Expert(s)
Technical Expert(s)


...

  • An easy way to sign into the Developer Portal
    • Preferably you would be able to sign in using the Campus SSO solution
    • If possible, the ability to create a Campus IdM Team Account at the time of registration with the Developer Portal
  • An easy way for Teams of Developers to manage Groups of Applications
  • An easy way to associate API Gateway Applications with Campus IdM Service Accounts for use with OAuth Authentication
    • If possible, the ability to create a Campus IdM Service Account at the time of registering an Application
    • If possible, the ability to delete a Campus IdM Service Account at the time of Application removal
  • An easy way to pass in an Apigee Client ID to an attribute on a Campus IdM Service Account

Out of Scope

Assumptions

  • Campus IdM will support Application Accounts (Service Accounts).
    • Application Accounts (Service Accounts) Description from ETSC ( UCSB isDesk (ETSC RITM0023638):
      > 2018
       2018-05-25 10:06:09 - Laurie Branagan (Additional comments)

      > App
       App accounts were created to allow for programmatic access to
      the
      > directory
      the directory without embedding a person's credentials in the application.
      They
      > were
      They were not scoped to be used for authorization beyond access to
      the
      > directory
      the directory. It's understood this utility is somewhat limited.

      >
      If what you're requesting is non-person entities in the directory - That

      >
      feature is on the roadmap document that the Identity Advisory Group drafted

      >
      last year. It has not been implemented.
  • We will eventually integrate Developer Portal logins with Campus SSO.

...

Current System

Ticket(s)TitleUser Story
Story GroupingPriority
Future PlanNotes

Apigee
Developer
Functional AccountAs an Application Developer, I would like to sign into the Developer Portal using an email address that is shared by a development team on campus (ends in @*.ucsb.edu)
Status
colourRed
titledeprecate

This is the way the system currently works. We would like to move away from this.

  • Currently the system has no way of sharing access to Applications between multiple logins. So, you need to create a "shared" login to be able to do that. We call these functional accounts.
  • These are used to register actual applications so they can be maintained by a team of people.
  • These accounts must be created using shared emails address with @*.ucsb.edu addresses.
  • The passwords for these are only usable in the Developer Portal. The password will not be stored anywhere or retrievable after creation.
  • It is a requirement that the person who created the password must store and share the password safely with their team.
  • There is a way to reset a password.

Apigee
Application
Personal AccountAs an Application Developer, I would like to Register an Application with the account I logged in with.
Status
colourRed
titledeprecate

This is the way the system currently works. We would like to move away from this.

  • Applications are only visible to Developer Account which created them.
  • Applications can be created and deleted by the Developer Account through the Developer Portal at any time.
  • Currently when system creates an Application it also generates a unique client_id as the identifier.
  • All permissions to Apigee API's are granted based upon the internal client_id.
  • For OAuth to work the client_id will need to be set as attribute on a Service Account record in our Campus Id system.

Third Party Company AccountAs a Third Party Company
that is implementing a project with a campus department, I would like to register an account with the Developer Portal
, if a department requires I use the Campus API Gateway to retrieve data then I need to be able to create an account within the Developer Portal.
Status
colourRed
titledeprecate
Currently, this is the same as the Apigee Developer Account story.

Apigee Product Suite Architecture & Current System Workflow

Product and Component Architecture of Apigee Suite with Descriptions

Image Added


Current Account and App Creation (WebSequenceDiagram Link)

Image Added


OAuth Requirements

Status
colourBlue
titleIDM Teams
 vs 
Status
colourYellow
titleAPIgee TEAMS
 - We need a team management system.

Status
colour

...

Blue
titleIDM Teams
is where UCSB Campus IdM implements Team Accounts.

Status
colourYellow
titleAPIgee TEAMS
 is where Apigee implements Teams; where Developers can belong to Teams and Teams own Applications. Apigee calls this feature "Companies", in the version of Apigee we purchased this is turned on only in the Developer Portal as "apigee_nonmint_company".

colour is NOT the way the system currently works. But, on This would require
Ticket(s)TitleUser StoryPriorityNotes

Campus Service AccountsAs an Application Developer, I need the Campus to have the ability to create Service Accounts for my Applications. 
Status
colourGreen
titlemust have

Just noting that we would like for the Campus IdM System to support Service Accounts

  • They must have UCSB Net IDs and Passwords that can be Authenticated through OAuth
  • There will need to way to enter the Service Account UCSB Net ID for association.
  • When an Apigee Application is Created, the Apigee Client Id will need to be pushed into the Campus IdM's Service Account as an Attribute.
    • The Apigee Client Id attribute must be retrievable as an OAuth claim or "access token key/value pair".
As an Application Developer, I would like to create a UCSB Service Account with a UCSB Net ID and Password for my Application at the time of Registration.
Status
colourYellow
titlenice to have
As an Application Developer, I would like to sign in using my UCSB Net ID and password in order to do Proof of Concept work.

Status
colourGrey
titleapi account
Status
colourGreen
titlemust have

This IS NOT the way the system currently works. But, it can be easily implemented. This IS an edge-case, not the main use case.

  • During account creation, the UcsbCampusId will be stored in Apigee as the foreign key.
  • These are intended for Developers to do Proof of Concept work and generally try things out.
Register Application
(Campus Service Account)		As an Application Developer, I would like to Register an Application with a UCSB Net ID Service Account which will belong to currently logged in account.
Status
Grey
titleapi account
Status
colourGreen
titlemust have

This

is needed in all scenarios.

  • There will need be a way add the Campus Service Account UCSB Net ID.
  • The ucsbNetId should be stored in Apigee as a custom attribute on the Application
  • The Campus IdM system should populate an apigeeClientId attribute on a Service Account record
    • If the Service Account already has an apigeeClientId associated with it, it should return an error. Campus IdM Service accounts should only be associated with
    • one apigeeClientId.
    • If the UCSB Net ID given is not a Service Account it should throw an error.

Campus Service Account Creation in Developer PortalAs an Application Developer, I would like to sign into Developer Portal using a UCSB Net ID and Password that was created for a Campus Development Team.to manage UCSB Service Accounts that I create through the Developer Portal.
Status
colourYellow
titlenice to have
  • If Service Accounts can be created through the Developer Portal ...
    • Creation 
      • There should be a way to designate the ucsbNetId of the Service Account
      • There should be a way to designate the password of the Service Account 
      • Apigee generates a client_id and client_secret for every application registered with it. It would be possible to use those values. But, those values are not human friendly.
        • It would be preferable to have human friendly names for looking through audit logs
    • Deletion
      • When removing the application from there should be a way to remove the Service Account from the Campus IdM system at the same time.
        • This should be the default option.
    • Updating
      • This should be handled by a Campus IdM solution ...
      • But, if it's more convenient within the Developer Portal then these values might be possible candidates for update:
        • Service Account Name (assuming ucsbCampusId is the unique identifier in Campus IdM, and Apigee's client_id is the unique identifier in Apigee)
        • Service Account Password
        • Service Account Description
        • Service Account Url
    • Would SCIM be used for this? (Research)

SSO Enabled Individual Account Login
(Proof-of-Concept Work)		As an Application Developer, I would like to sign in using my UCSB Net ID and password in order to do Proof of Concept work.
Status
colourGreen
titlemust have

This is an edge case, not the main use case.

  • During account creation, the UcsbCampusId will be stored in Apigee as the foreign key.
  • These are intended for Developers to do Proof of Concept work and generally try things out.

SSO Enabled Campus Team Accounts
Status
colourBlue
titleIDM Teams
As an Application Developer, I need the Campus to have the ability to create Team Accounts for my Development Team 
Status
colour
Yellow
Grey
title
nice to have
wish list

Just noting that we would like for the Campus IdM

Team to implement "Group/Team Accounts" that would have UCSB Net ID's and Passwords.

System to support Team Accounts

  • They must have UCSB Net IDs and Passwords that can be Authenticated through  CAS (OAuth would work too)
  • These would be used as Apigee Developer Accounts

SSO Enabled Team Account Login
Status
colourBlue
titleIDM Teams
As an Application Developer, I would like to sign in using my Teams UCSB Net ID and password in order to work on our Applications.
Status
colourGrey
titlewish list

Same as the SSO Enabled Individual Account Login (Proof-of-Concept Work) story, but logging in using the Campus IdM Team Account.


SSO Enabled Register Application
(Campus Service Account)

Status
colourBlue
titleIDM Teams

As an Application Developer, I would like to Register an Application with a UCSB Net ID Service Account which will belong to the Campus Developer Team.
Status
colour
Blue
Grey
title
IDM Teams
wish list

Same as the Register Application (Campus Service Account) story, but associated with a Team instead of an Individual.



SSO Enabled Apigee Login

Status
colourYellow
title

nice to haveThis would require the Campus IdM Team to implement "Group/Team Accounts" that would have UCSB Net ID's and Passwords.

APIgee TEAMS

As an Application Developer, I would like to sign into the Developer Portal using my UCSB Net ID and Password.
Status
colour
YellowtitleAPI TEAMS
Green
titlemust have

Same as SSO Enabled Individual Account Login (Proof-of-Concept Work). We would like for anyone in Campus Idenitty to be able to log into the Developer Portal using SSO.


SSO Enabled Apigee Teams
Status
colourYellow
titlenice to have
This would require the Apigee Product Suite to implement a Teams functionality.
APIgee TEAMS
As an Application Developer, I would like the Developer Portal to know what teams I belong to one or more Development Teams.
Status
colour
YellowtitleAPI TEAMS
Green
titlemust have

Need to enable the Developer Portal's apigee_nonmint_company feature.

  • Individuals would be able to create a company just for themselves that could be used for Proof of Concept work
  • Individuals can also create Teams (ie. Companies) that would be used to ensure applications were shared between many team members.
  • Individuals can be a part of multiple teams.

Register Application
(Campus Service Account)
Status
colourYellow
title
nice to have

This would require the Apigee Product Suite to implement a Teams functionality.

APIgee TEAMS
As an Application Developer, I would like to Register an Application with using a UCSB Net ID Service Account with a Development Team.
Status
colourYellowtitleAPI TEAMSGreen
titlemust have

Need to enable the Developer Portal's apigee_nonmint_company feature.

  • This would be the same as the Register Application (Campus Service Account) story above, but you would also designate the Team of ownership at the time of registration.

Third Party Company AccountAs a Third Party Company, if a department requires I use the Campus API Gateway to retrieve data then I need to be able to create an account within the Developer Portal.
Status
colour
Yellow
Green
title
nice to
must have
This would require the Apigee Product Suite to implement a Teams functionality
  • Ideally, the Third Party Company would be able to register a Team Account in Campus IdM. Then it's the same as the SSO Enabled Team Account Login story.

User Interaction, Design & Architecture

Product and Component Architecture of Apigee Suite

Image Removed

Current Account and App Creation (WebSequenceDiagram Link)

...

Simple SSO and Service Account Association (WebSequenceDiagram Link)

...

CAS Sequence Diagram

...

  • Service Accounts have to be in CAS

...

Image Removed

Campus IdM Team SSO and Service Account OAuth Association
Login w/ CAS (WebSequenceDiagram Link)

  • Maybe 

Image Removed

Simple SSO with Apigee Teams and Service Account Association Image Added


App Registration and Creation (WebSequenceDiagram Link)

  • The Apigee Team claimed they have something like this in the Roadmap; but it really didn't sound right. Like they were talking about something that used the term "Group" but didn't have to do with grouping Developers together.
  • If we did this, the Campus API Team would have to develop it from the ground up; so it would probably never happen.

Image Added



Examples and References

Questions

Below is a list of questions to be addressed as a result of this requirements document:

QuestionOutcomeDecision Date
  • Would SCIM be used for for managing users in Campus IdM?