Campus Service Account Requirements

Project Title: Campus API Security
Target Release:
Epic:
Document Status: DRAFT
Document Owner:
Document Sign-Off:
Subject Matter Expert(s):
Technical Expert(s):

Background & Business Value

Campus Application Accounts are used to uniquely identify applications across campus. They are also used to grant permissions to read extended LDAP information. The Campus Web API project would like to extend the Application Accounts to expose more information from the campus Identity systems. Most notably, the Campus Web API group would like the ucsbCampusId as a foreign key for lookups in other systems, and an apigeeClientId added to Campus IdM in order to support OAuth lookup within Apigee. The combination of these values, plus a few others, would turn the Campus Application Accounts into Service Accounts.

Goals

  • Extend the LDAP ou=Applications information to include more attributes
  • Store the Apigee Client Id within Campus IdM
  • Allow for management of Service Accounts through Web APIs (more information within the Developer Portal Requirements)


  • Full set of attributes to expose in ou=Applications
    • ucsbCampusId
    • apigeeClientId - new attribute, populated by Campus Web API Team
      • We need to figure out the details of how to populate this (question)
    • callbackAppUrl - for use with SSO/OAuth; it's sometimes used for validation
    • Department (ucsbDisplayDept1?)
    • Contact Name (displayName?) - primary person responsible for the application, e.g. Andrew Espinoza
    • Contact Email (ucsbEmailBusiness1?) - a shared email address, e.g. itops-admins@library.ucsb.edu

Assumptions

  • Campus IdM will be able to provide this information; if they don't currently collect it they will be able to start doing so in the future
  • Campus IdM will be able to add new attributes

Out of Scope

Requirements

Ticket(s) | Title | User Story | Priority | Notes

Ticket(s):
Title: Add apigeeClientId to Campus IdM
User Story: Within the Apigee Authorization System, if a 3rd party Authentication Provider is used (Campus IdM), then that provider needs to send back the Apigee Client Id. This allows the Apigee Authorization system to determine permissions.
Priority: MUST HAVE

Ticket(s):
Title: Add callbackAppUrl to Campus IdM
User Story: Many OAuth2-based systems want a callback URL during authentication as an extra level of authentication. It doesn't seem to be necessary, but it doesn't hurt to collect the information.
Priority: NICE TO HAVE
Notes:
  • Up to Campus IdM to determine if it's necessary.
  • Some OAuth 2.0 grant types validate that the callback URL supplied during OAuth initialization matches the callback URL previously registered with the system. It's an extra piece of validation that can ensure browsers don't get redirected back to unexpected endpoints.
  • OAuth2 with Apigee as Proxy
    • When Apigee would be acting as a proxy (example use case), the OAuth 2.0 grant type of client_credentials would be used, so the callback wouldn't be supplied.
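As an added illustration (not part of this requirements document, and not Campus IdM's or Apigee's code), the Python below shows the two checks this section discusses: that a Service Account entry from ou=Applications carries the MUST HAVE attributes (ucsbCampusId, apigeeClientId), and that a callback URL supplied in an OAuth 2.0 request is compared exactly against the registered callbackAppUrl, while the client_credentials grant needs no callback at all. The sample entry, its DN suffix and all values are constructed placeholders, not values issued by Campus IdM.

```python
from urllib.parse import urlsplit

# Attribute names are the ones this document lists for ou=Applications.
MUST_HAVE_ATTRS = ("ucsbCampusId", "apigeeClientId")

# Constructed sample entry: the DN suffix and every value are placeholders
# (assumptions), not values issued by Campus IdM or Apigee.
SAMPLE_ENTRY = {
    "dn": "cn=example-app,ou=Applications,dc=example,dc=edu",
    "ucsbCampusId": "PLACEHOLDER-CAMPUS-ID",
    "apigeeClientId": "PLACEHOLDER-APIGEE-CLIENT-ID",
    "callbackAppUrl": "https://app.example.edu/oauth/callback",
    "ucsbDisplayDept1": "Example Department",
    "displayName": "Example Contact",
    "ucsbEmailBusiness1": "example-admins@example.edu",
}


def missing_attributes(entry):
    """Return the MUST HAVE attributes that are absent or empty in an entry."""
    return [name for name in MUST_HAVE_ATTRS if not entry.get(name)]


def callback_matches(registered, supplied):
    """Exact comparison of a supplied redirect URI with the registered callbackAppUrl.

    Scheme and host are compared case-insensitively; path and query must be
    equal character for character, and the supplied URI may not carry a
    fragment. Prefix or substring matching is deliberately not used: a longer
    path or a host that merely starts with the registered host name would
    otherwise pass, which is exactly the unexpected redirect the check exists
    to prevent.
    """
    reg, sup = urlsplit(registered), urlsplit(supplied)
    if sup.fragment:
        return False
    return (reg.scheme.lower(), reg.netloc.lower(), reg.path, reg.query) == (
        sup.scheme.lower(), sup.netloc.lower(), sup.path, sup.query)


def validate_authorization_request(entry, grant_type, redirect_uri=None):
    """Return (allowed, reason) for a token request from this Service Account.

    client_credentials (the Apigee-as-proxy case in this document) supplies no
    callback, so callbackAppUrl is neither required nor checked. For
    authorization_code the supplied redirect_uri must exactly match the
    registered callbackAppUrl, and an unregistered callback is a rejection.
    """
    missing = missing_attributes(entry)
    if missing:
        return False, "entry is missing MUST HAVE attributes: " + ", ".join(missing)
    if grant_type == "client_credentials":
        return True, "no callback needed for client_credentials"
    if grant_type == "authorization_code":
        registered = entry.get("callbackAppUrl")
        if not registered:
            return False, "no callbackAppUrl registered for this application"
        if redirect_uri is None or not callback_matches(registered, redirect_uri):
            return False, "redirect_uri does not exactly match callbackAppUrl"
        return True, "redirect_uri matches callbackAppUrl"
    return False, "unsupported grant_type: " + grant_type


if __name__ == "__main__":
    print(validate_authorization_request(SAMPLE_ENTRY, "client_credentials"))
    print(validate_authorization_request(SAMPLE_ENTRY, "authorization_code",
                                         "https://app.example.edu/oauth/callback"))
    print(validate_authorization_request(SAMPLE_ENTRY, "authorization_code",
                                         "https://app.example.edu.example.net/oauth/callback"))
```

The exact-match rule is the conservative reading of the validation bullet above: if Campus IdM does store callbackAppUrl, a consumer such as Apigee should compare the whole URL rather than a prefix, and should treat a missing registration as a failed check rather than skipping it.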

Ticket(s):
Title: Add other attributes about the application
User Story: As a Campus Web API member, it helps to find who to contact when things go wrong if some "Developer/Owner" information is stored in Campus IdM.
Priority: MUST HAVE
Notes:
  • We think these attributes could help in tracking down people to contact.
    • Department (ucsbDisplayDept1?)
    • Contact Name (displayName?) - primary person responsible for the application, e.g. Andrew Espinoza
    • Contact Email (ucsbEmailBusiness1?) - a shared email address, e.g. itops-admins@library.ucsb.edu

User Interaction, Design & Architecture

Examples and References

Questions

Below is a list of questions to be addressed as a result of this requirements document:

Question | Outcome | Decision Date