Campus Service Account Requirements
Background & Business Value
Campus Application Accounts are used to uniquely identify applications across campus. They are also used to grant permissions to read extended LDAP information. The Campus Web API project would like to extend the Application Accounts to expose more information from the campus Identity systems. Most notably, the Campus Web API group would like the ucsbCampusId as a foreign key for lookups in other systems, and an apigeeClientId added to Campus IdM in order to support OAuth lookup within Apigee. The combination of these values, plus a few others, would turn the Campus Application Accounts into Service Accounts.
Goals
- Extend the LDAP ou=Applications information to include more attributes
- Store the Apigee Client Id within Campus IdM
- Allow for management of Service Accounts through Web APIs (more information within the Developer Portal Requirements)
- Full set of attributes to expose in ou=Applications
  - ucsbCampusId
  - apigeeClientId - new attribute, populated by Campus Web API Team
    - We need to figure out the details of how to populate this
  - callbackAppUrl - for use with SSO/OAuth; it's sometimes used for validation
  - Department (ucsbDisplayDept1?)
  - Contact Name (displayName?) - primary person responsible for the application, e.g. Andrew Espinoza
  - Contact Email (ucsbEmailBusiness1?) - a shared email address, e.g. itops-admins@library.ucsb.edu
Assumptions
- Campus IdM will be able to provide this information; if they don't currently collect it, they will be able to start doing so in the future
- Campus IdM will be able to add new attributes
Out of Scope
Requirements
Ticket(s) | Title | User Story | Priority | Notes
---|---|---|---|---
 | Add apigeeClientId to Campus IdM | Within the Apigee Authorization System, if a 3rd party Authentication Provider is used (Campus IdM), then that provider needs to send back the Apigee Client Id. This allows the Apigee Authorization system to determine permissions. | MUST HAVE | 
 | Add callbackAppUrl to Campus IdM | Many OAuth2 based systems want a callback URL during authentication as an extra level of authentication. It doesn't seem to be necessary, but it doesn't hurt to collect the information. | NICE TO HAVE | 
 | Add other attributes about the application | As a Campus Web API member, having "Developer/Owner" information stored in Campus IdM helps find who to contact when things go wrong. | MUST HAVE | 
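As an added illustration (not part of this requirements document or of Campus IdM's own code), the snippet below models the extended ou=Applications entry with the attributes listed under Goals, looks an application up by apigeeClientId, and shows the exact-match check a relying system can apply to a presented OAuth redirect URI against the stored callbackAppUrl. The LDIF records, DNs and URLs are constructed sample data; the function names are hypothetical.

```python
from urllib.parse import urlsplit

# Constructed sample LDIF: two ou=Applications service-account entries using
# the attribute names from the Goals list. All values are made up.
SAMPLE_LDIF = """\
dn: cn=library-catalog,ou=Applications,dc=example,dc=edu
cn: library-catalog
ucsbCampusId: A00000001
apigeeClientId: client-abc123
callbackAppUrl: https://catalog.example.edu/oauth/callback
ucsbDisplayDept1: Library
displayName: Example Contact
ucsbEmailBusiness1: app-admins@example.edu

dn: cn=parking-portal,ou=Applications,dc=example,dc=edu
cn: parking-portal
ucsbCampusId: A00000002
apigeeClientId: client-def456
"""


def parse_ldif(text):
    """Parse simple single-valued 'attr: value' LDIF records separated by blank lines."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(": ")  # split on the first ': ' only
        current[attr] = value
    if current:
        entries.append(current)
    return entries


def find_by_client_id(entries, client_id):
    """Return the entry whose apigeeClientId matches, or None (the Apigee lookup case)."""
    return next((e for e in entries if e.get("apigeeClientId") == client_id), None)


def callback_allowed(entry, redirect_uri):
    """Accept a redirect URI only if the entry has a callbackAppUrl, the URI is
    https, and it matches the registered value byte-for-byte. Exact matching
    (no prefix or substring matching) rejects appended paths, query strings
    and look-alike hosts, which is the behaviour OAuth2 guidance expects."""
    registered = entry.get("callbackAppUrl")
    if not registered or urlsplit(redirect_uri).scheme != "https":
        return False
    return redirect_uri == registered


ENTRIES = parse_ldif(SAMPLE_LDIF)
```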
User Interaction, Design & Architecture
Examples and References
Questions
Below is a list of questions to be addressed as a result of this requirements document:
Question | Outcome | Decision Date |
---|---|---|