Campus API Developer Portal Security Requirements

Owned by Steven Maglio
Last updated: Oct 01, 2018
6 min read
Project TitleCampus API Gateway
Target Release
Epic
Document Status
DRAFT
Document Owner

Document Sign-Off
Subject Matter Expert(s)
Technical Expert(s)

Background & Business Value

We would like to simplify the usage of the Campus API Gateway by making it's Developer Portal integrated with the Campus IdM solutions.

Goals

  • An easy way to sign into the Developer Portal
    • Preferably you would be able to sign in using the Campus SSO solution
    • If possible, the ability to create a Campus IdM Team Account at the time of registration with the Developer Portal
  • An easy way for Teams of Developers to manage Groups of Applications
  • An easy way to associate API Gateway Applications with Campus IdM Service Accounts for use with OAuth Authentication
    • If possible, the ability to create a Campus IdM Service Account at the time of registering an Application
    • If possible, the ability to delete a Campus IdM Service Account at the time of Application removal
  • An easy way to pass in an Apigee Client ID to an attribute on a Campus IdM Service Account

Out of Scope

Assumptions

  • Campus IdM will support Application Accounts (Service Accounts).
    • Application Accounts (Service Accounts) Description from UCSB isDesk (ETSC RITM0023638):
       2018-05-25 10:06:09 - Laurie Branagan (Additional comments) App accounts were created to allow for programmatic access to the directory without embedding a person's credentials in the application. They were not scoped to be used for authorization beyond access to the directory. It's understood this utility is somewhat limited. If what you're requesting is non-person entities in the directory - That feature is on the roadmap document that the Identity Advisory Group drafted last year. It has not been implemented.
  • We will eventually integrate Developer Portal logins with Campus SSO.

Current System

Ticket(s)TitleUser StoryFuture PlanNotes

Apigee Functional AccountAs an Application Developer, I would like to sign into the Developer Portal using an email address that is shared by a development team on campus (ends in @*.ucsb.edu)
DEPRECATE

This is the way the system currently works. We would like to move away from this.

  • Currently the system has no way of sharing access to Applications between multiple logins. So, you need to create a "shared" login to be able to do that. We call these functional accounts.
  • These are used to register actual applications so they can be maintained by a team of people.
  • These accounts must be created using shared emails address with @*.ucsb.edu addresses.
  • The passwords for these are only usable in the Developer Portal. The password will not be stored anywhere or retrievable after creation.
  • It is a requirement that the person who created the password must store and share the password safely with their team.
  • There is a way to reset a password.

Apigee Personal AccountAs an Application Developer, I would like to Register an Application with the account I logged in with.
DEPRECATE

This is the way the system currently works. We would like to move away from this.

  • Applications are only visible to Developer Account which created them.
  • Applications can be created and deleted by the Developer Account through the Developer Portal at any time.
  • Currently when system creates an Application it also generates a unique client_id as the identifier.
  • All permissions to Apigee API's are granted based upon the internal client_id.
  • For OAuth to work the client_id will need to be set as attribute on a Service Account record in our Campus Id system.

Third Party Company AccountAs a Third Party Company, if a department requires I use the Campus API Gateway to retrieve data then I need to be able to create an account within the Developer Portal.
DEPRECATE
Currently, this is the same as the Apigee Developer Account story.

Apigee Product Suite Architecture & Current System Workflow

Product and Component Architecture of Apigee Suite with Descriptions


Current Account and App Creation (WebSequenceDiagram Link)


OAuth Requirements

IDM TEAMS vs APIGEE TEAMS - We need a team management system.

IDM TEAMS is where UCSB Campus IdM implements Team Accounts.

APIGEE TEAMS is where Apigee implements Teams; where Developers can belong to Teams and Teams own Applications. Apigee calls this feature "Companies", in the version of Apigee we purchased this is turned on only in the Developer Portal as "apigee_nonmint_company".

Ticket(s)TitleUser StoryPriorityNotes

Campus Service AccountsAs an Application Developer, I need the Campus to have the ability to create Service Accounts for my Applications. MUST HAVE

Just noting that we would like for the Campus IdM System to support Service Accounts

  • They must have UCSB Net IDs and Passwords that can be Authenticated through OAuth
  • There will need to way to enter the Service Account UCSB Net ID for association.
  • When an Apigee Application is Created, the Apigee Client Id will need to be pushed into the Campus IdM's Service Account as an Attribute.
    • The Apigee Client Id attribute must be retrievable as an OAuth claim or "access token key/value pair".

Register Application
(Campus Service Account)		As an Application Developer, I would like to Register an Application with a UCSB Net ID Service Account which will belong to currently logged in account.MUST HAVE

This is needed in all scenarios.

  • There will need be a way add the Campus Service Account UCSB Net ID.
  • The ucsbNetId should be stored in Apigee as a custom attribute on the Application
  • The Campus IdM system should populate an apigeeClientId attribute on a Service Account record
    • If the Service Account already has an apigeeClientId associated with it, it should return an error. Campus IdM Service accounts should only be associated with one apigeeClientId.
    • If the UCSB Net ID given is not a Service Account it should throw an error.

Campus Service Account Creation in Developer PortalAs an Application Developer, I would like to manage UCSB Service Accounts that I create through the Developer Portal.NICE TO HAVE
  • If Service Accounts can be created through the Developer Portal ...
    • Creation 
      • There should be a way to designate the ucsbNetId of the Service Account
      • There should be a way to designate the password of the Service Account 
      • Apigee generates a client_id and client_secret for every application registered with it. It would be possible to use those values. But, those values are not human friendly.
        • It would be preferable to have human friendly names for looking through audit logs
    • Deletion
      • When removing the application from there should be a way to remove the Service Account from the Campus IdM system at the same time.
        • This should be the default option.
    • Updating
      • This should be handled by a Campus IdM solution ...
      • But, if it's more convenient within the Developer Portal then these values might be possible candidates for update:
        • Service Account Name (assuming ucsbCampusId is the unique identifier in Campus IdM, and Apigee's client_id is the unique identifier in Apigee)
        • Service Account Password
        • Service Account Description
        • Service Account Url
    • Would SCIM be used for this? (Research)

SSO Enabled Individual Account Login
(Proof-of-Concept Work)		As an Application Developer, I would like to sign in using my UCSB Net ID and password in order to do Proof of Concept work.MUST HAVE

This is an edge case, not the main use case.

  • During account creation, the UcsbCampusId will be stored in Apigee as the foreign key.
  • These are intended for Developers to do Proof of Concept work and generally try things out.

SSO Enabled Campus Team Accounts
IDM TEAMS		As an Application Developer, I need the Campus to have the ability to create Team Accounts for my Development Team WISH LIST

Just noting that we would like for the Campus IdM System to support Team Accounts

  • They must have UCSB Net IDs and Passwords that can be Authenticated through  CAS (OAuth would work too)
  • These would be used as Apigee Developer Accounts

SSO Enabled Team Account Login
IDM TEAMS		As an Application Developer, I would like to sign in using my Teams UCSB Net ID and password in order to work on our Applications.WISH LIST

Same as the SSO Enabled Individual Account Login (Proof-of-Concept Work) story, but logging in using the Campus IdM Team Account.


SSO Enabled Register Application
(Campus Service Account)
IDM TEAMS

As an Application Developer, I would like to Register an Application with a UCSB Net ID Service Account which will belong to the Campus Developer Team.WISH LIST

Same as the Register Application (Campus Service Account) story, but associated with a Team instead of an Individual.



SSO Enabled Apigee Login
APIGEE TEAMS

As an Application Developer, I would like to sign into the Developer Portal using my UCSB Net ID and Password.MUST HAVE

Same as SSO Enabled Individual Account Login (Proof-of-Concept Work). We would like for anyone in Campus Idenitty to be able to log into the Developer Portal using SSO.


SSO Enabled Apigee Teams
APIGEE TEAMS		As an Application Developer, I would like the Developer Portal to know what teams I belong to.MUST HAVE

Need to enable the Developer Portal's apigee_nonmint_company feature.

  • Individuals would be able to create a company just for themselves that could be used for Proof of Concept work
  • Individuals can also create Teams (ie. Companies) that would be used to ensure applications were shared between many team members.
  • Individuals can be a part of multiple teams.

Register Application
(Campus Service Account)
APIGEE TEAMS		As an Application Developer, I would like to Register an Application using a UCSB Service Account with a Team.MUST HAVE

Need to enable the Developer Portal's apigee_nonmint_company feature.

  • This would be the same as the Register Application (Campus Service Account) story above, but you would also designate the Team of ownership at the time of registration.

Third Party Company AccountAs a Third Party Company, if a department requires I use the Campus API Gateway to retrieve data then I need to be able to create an account within the Developer Portal.MUST HAVE
  • Ideally, the Third Party Company would be able to register a Team Account in Campus IdM. Then it's the same as the SSO Enabled Team Account Login story.

User Interaction, Design & Architecture

CAS Sequence Diagram
Login w/ CAS (WebSequenceDiagram Link)


App Registration and Creation (WebSequenceDiagram Link)



Examples and References

Questions

Below is a list of questions to be addressed as a result of this requirements document:

QuestionOutcomeDecision Date
  • Would SCIM be used for for managing users in Campus IdM?