**Welcome and Arrival** (2m; owner: Steven Maglio)

**Action Item Review** (3m; owner: none)

**Future Application Account** (owner: Steven Maglio)

- What is an application account?
  - An application account does not represent a person or a team, only an individual application. Every application should have a separate account.
  - A general non-person entity.
  - An application can be a website, a service, a mobile application, a scheduled task, a batch processor, or any automated tooling.
  - May be multiple types, so there can be different classifications depending on the type.
  - An individual device wouldn't be an application, but an application running on a device would be (i.e. don't create application accounts for cell phones or physical devices).
- What are the use cases? (This may be too large a scope ... this needs to get focused down to just what is needed to describe application accounts.)
  - Application on campus wants to use Campus LDAP
  - Application on campus wants to use Campus API Gateway
  - Application on campus wants to use Connect API
  - Application off campus wants to use Campus API Gateway
  - Staff-developed applications that are on campus servers
  - Staff-developed applications that are in the cloud
  - Non-UCSB-developed applications that are on non-UCSB servers
  - Non-UCSB-developed applications that are on mobile devices
- What information do we need in the Identity Systems to support these use cases?
  - Description
  - Technical Owner
  - Business Owner
  - Where does it live (URL)
  - Shea Lovan has a list that he will send to the group
  - Apigee Client ID
  - ucsbCampusId
- What technology platforms need to be in place to support these use cases?
  - PingIdentity works to complete/configure the sync server to populate the LDAP and AD servers
    - Add ucsbCampusId to ou=Applications
    - Data will need to flow through the LDAP server and WaveSet
      - Have to move off of WaveSet first
  - CAS 5.3
    - We would need to set CAS to look at a higher-level base DN in its search.
    - May need to reconfigure the OU organizational structure
  - CAS OAuth
    - JWT support
    - OpenID Discovery endpoints for JWT verification
  - Administrative Portal
    - Could be developer.ucsb.edu
    - The person that creates this should be a part of the Campus Identity Team or work very closely with the Campus Identity Team to develop the functionality.

**Current State** (owner: Steven Maglio)

- Description of the current state
  - Campus Identity (how is it different than Campus LDAP?)
  - Application Accounts
    - An LDAP account that is outside the ou=Person
    - Allows an application to log into the LDAP and be granted permissions to data that exceed the permissions of a regular person's access
    - Solely created to facilitate applications that needed access to directory data
  - People Accounts
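The CAS base DN point under "Future Application Account" and the "outside the ou=Person" description under "Current State" are the same layout issue seen from two sides. The following is an added example, not part of the meeting notes or any UCSB system: a small in-memory model of that layout, showing why a CAS-style `(uid=%s)` search rooted at ou=People cannot see an ou=Applications entry, and how the OU an entry lives under can drive its classification. The suffix `dc=ucsb,dc=edu`, the uid values and the objectClass names are constructed assumptions; only ou=People, ou=Applications and the `ucsbCampusId` attribute come from the notes.

```python
# Added example (not from the meeting notes): in-memory model of the
# ou=People / ou=Applications layout and the effect of the CAS search base.
# Assumptions: the suffix dc=ucsb,dc=edu, the uid values and the objectClass
# names are constructed sample data, not UCSB's real directory.

# Constructed sample directory: DN -> attributes.
DIRECTORY = {
    "uid=jdoe,ou=People,dc=ucsb,dc=edu": {
        "uid": "jdoe", "ucsbCampusId": "000123456",
        "objectClass": ["inetOrgPerson"]},
    "uid=svc-batch,ou=Applications,dc=ucsb,dc=edu": {
        "uid": "svc-batch", "ucsbCampusId": "000987654",
        "objectClass": ["applicationProcess"]},
}


def rdns(dn: str) -> list[str]:
    """Split a DN into normalized RDNs (sample DNs only: no escaping,
    no multi-valued RDNs)."""
    return [part.strip().lower() for part in dn.split(",")]


def in_subtree(dn: str, base: str) -> bool:
    """True when dn equals base or sits anywhere beneath it (LDAP 'sub' scope)."""
    d, b = rdns(dn), rdns(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b


def search_uid(uid: str, base: str) -> list[str]:
    """Emulate a CAS-style (uid=%s) subtree search rooted at `base`."""
    return [dn for dn, attrs in DIRECTORY.items()
            if in_subtree(dn, base) and attrs["uid"] == uid]


def account_type(dn: str) -> str:
    """Classify an entry by the OU it lives under, as the notes suggest."""
    parts = rdns(dn)
    if "ou=applications" in parts:
        return "application"
    if "ou=people" in parts:
        return "person"
    return "unknown"


if __name__ == "__main__":
    narrow, wide = "ou=People,dc=ucsb,dc=edu", "dc=ucsb,dc=edu"
    print(search_uid("svc-batch", narrow))  # [] : invisible to a People-rooted search
    print(search_uid("svc-batch", wide))    # found once the base DN is raised
    for entry in DIRECTORY:
        print(entry, "->", account_type(entry))
```

Raising the base DN makes both kinds of entry resolvable through the same filter, so the classification step (or a per-type search base) is what keeps application entries out of a person-only login flow.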
**Roadmap: how to get from Current to Future State** (owner: Steven Maglio)

- Probably will get worked out when answering these questions above:
  - What information do we need in the Identity Systems to support these use cases?
  - What technology platforms need to be in place to support these use cases?

**Guidance for Campus Developers Today** (owner: Steven Maglio)

- Probably will get figured out when discussing the areas above, but ...
  - What documentation should be created?
    - How to request an ou=Applications account:
      - Use https://estc.ucsb.edu
      - Under Advanced Technical
      - Under Identity
      - Use Create UCSBNetID Functional Account with a Description of "I need an ou=Applications account."
  - What systems should be altered to improve the process?
  - What do we not want them to do?
    - Have functional (ou=People) accounts created for applications

**Action Items**