2019-03-11 Campus API Security Account Identity

Meeting Details

Date/Time/Location

Attendees


Meeting Goals and Expected Preparation

Goals

  • Determine what we want Application Accounts to be in the future
  • Roadmap how to get there
  • Create guidance on how to create an account today that will start the application on the path to be ready for the future

Expected Preparation

Agenda

Time | Topic | Owner | Notes and Details
2m | Welcome and Arrival | Steven Maglio
  • Welcome!
3m | Action Item Review | None
n/a | Future Application Account | Steven Maglio
  • What is an application account?
    • An application account does not represent a person or a team, only an individual application. Every application should have a separate account.
      • A general non-person entity
    • An application can be a website, a service, a mobile application, a scheduled task, batch processor, or any automated tooling.
      • May be multiple types, so there can be different classifications depending on the type
    • An individual device wouldn't be an application, but an application running on a device would be. (i.e., don't create application accounts for cell phones or physical devices)
  • What are the use cases? (This may be too large a scope; it needs to be narrowed to just what is needed to describe application accounts.)
    • Application on campus wants to use Campus LDAP
    • Application on campus wants to use Campus API Gateway
    • Application on campus wants to use Connect API
    • Application off campus wants to use Campus API Gateway
    • Staff developed applications that are on campus servers
    • Staff developed applications that are in the cloud
    • Non-UCSB developed applications that are on Non-UCSB Servers
    • Non-UCSB developed applications that are on mobile devices
  • What information do we need in the Identity Systems to support these use cases?
    • Description
    • Technical Owner
    • Business Owner
    • Where does it live (Url)
    • Shea Lovan has a list that he will send to the group
    • Apigee Client ID
    • ucsbCampusId
  • What technology platforms need to be in place to support these use cases?
    • PingIdentity works to complete/configure the sync server to populate the LDAP and AD Servers
    • Add ucsbCampusId to ou=Applications
      • Data will need to flow through LDAP server and WaveSet
      • Have to move off of WaveSet first
    • CAS 5.3
    • We would need to set CAS to look at a higher level base DN in its search.
    • May need to reconfigure the OU organizational structure
    • CAS OAuth
    • JWT Support
    • OpenID Discovery Endpoints for JWT Verification
    • Administrative Portal
      • Could be developer.ucsb.edu
      • The person that creates this should be a part of the Campus Identity Team or work very closely with the Campus Identity Team to develop the functionality.
n/a | Current State | Steven Maglio
  • Description of the current state
    • Campus Identity (how is it different than Campus LDAP?)
      • Application Accounts
        • An LDAP account that is outside the ou=Person
        • Allows an application to log into the LDAP and be granted permissions to data that exceed the permissions of a regular person's access
        • Solely created to facilitate applications that needed access to directory data
      • People Accounts
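An added example, not part of these notes, modelling the base DN point above (CAS searching under ou=People cannot find an ou=Applications account) and the caveat that widening the search base should be paired with an objectClass filter so application accounts do not gain interactive login. The suffix dc=ucsb,dc=edu, the uid values and the objectClass names are assumptions.

```python
# Added example (not from the meeting notes): an in-memory model of the campus
# directory. DN layout, uid values and objectClass names are constructed.

def normalize_dn(dn: str) -> str:
    """Lower-case and strip spaces around RDN separators so suffix matching is reliable."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def in_subtree(entry_dn: str, base_dn: str) -> bool:
    """True when entry_dn is base_dn itself or sits anywhere beneath it (scope=sub)."""
    entry, base = normalize_dn(entry_dn), normalize_dn(base_dn)
    return entry == base or entry.endswith("," + base)

# Constructed sample directory: one person, one ou=Applications account, and a
# functional (ou=People) account created for an application, the pattern the
# notes say not to use.
DIRECTORY = [
    {"dn": "uid=jdoe,ou=People,dc=ucsb,dc=edu",
     "objectClass": {"person", "ucsbPerson"}},
    {"dn": "uid=cas-portal,ou=Applications,dc=ucsb,dc=edu",
     "objectClass": {"ucsbApplication"}},
    {"dn": "uid=zoomrooms-svc,ou=People,dc=ucsb,dc=edu",
     "objectClass": {"person", "ucsbFunctional"}},
]

def search(base_dn: str, uid: str, object_classes=None):
    """Return DNs under base_dn whose uid matches; optionally require one of object_classes."""
    hits = []
    for entry in DIRECTORY:
        if not in_subtree(entry["dn"], base_dn):
            continue
        rdn_value = normalize_dn(entry["dn"]).split(",")[0].split("=", 1)[1]
        if rdn_value != uid.lower():
            continue
        if object_classes and not (entry["objectClass"] & set(object_classes)):
            continue
        hits.append(entry["dn"])
    return hits

if __name__ == "__main__":
    # CAS with base ou=People cannot see the application account at all.
    print(search("ou=People,dc=ucsb,dc=edu", "cas-portal"))       # []
    # A higher base DN finds it, so an interactive-login search should also
    # require a person objectClass to keep application accounts out.
    print(search("dc=ucsb,dc=edu", "cas-portal"))
    print(search("dc=ucsb,dc=edu", "cas-portal", {"person"}))     # []
    # A functional account placed in ou=People passes that filter anyway,
    # which is why the notes want such accounts moved to ou=Applications.
    print(search("dc=ucsb,dc=edu", "zoomrooms-svc", {"person"}))
```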
n/a | Roadmap how to get from current to Future State | Steven Maglio
  • Probably will get worked out when answering these questions above:
    • What information do we need in the Identity Systems to support these use cases?
    • What technology platforms need to be in place to support these use cases?
n/a | Guidance for Campus Developers Today | Steven Maglio
  • Probably will get figured out when discussing the areas above, but ...
  • What documentation should be created?
    • How to request an ou=Applications Account.
    • Use https://estc.ucsb.edu
      • Under Advanced Technical
      • Under Identity
      • Use Create UCSBNetID Functional Account with a Description of "I need an ou=Applications account."
  • What systems should be altered to improve the process?
  • What do we not want them to do?
    • Have functional (ou=People) accounts created for applications
      • Zoom Rooms
      • Connect API
Action Items