Usage: SSO Enabled Application w/ User to Resource Server Requirements
Background & Business Value
For SSO enabled applications, when updating a resource not only does the Calling Application need to be known, but the End User that is attempting to perform the update also needs to be known. Either one or both are needed to properly determine if the action is authorized, while both are needed for audit logging.
Real World Scenario: An SSO Enabled web application needs to update the registration status for a given student. The web application will need to call through the API Gateway to the Registrations service. The Registrations service will need to know who the client application is in order to limit the scope of students that can be updated (ie. the Engineering web app call only look up Engineering students). Since this is an update, the audit log will also need to show who the user was that made the update. The user isn't used for access scoping, just audit logging.
Alternate Future Scenario: An SSO Enabled student created application needs to retrieve registrations information for a given student. The application will retrieve information on behalf of the student who has logged in; and only that students information. The student created web application will need to call through the API Gateway to the Registrations service. The Registrations service will need to know who the client application is and who the logged in student is in order to limit the scope of information to only the logged in students information. The web application and user information will be needed in order to limit access.
Goals
- All Goals from Usage: Application w/ User to Resource Server Requirements
- Needs to work with SSO enabled applications
Out of Scope
Assumptions
- Campus IdM will support
authorization_code
grant.
Requirements
Must meet shared requirements of Usage: Application w/ User to Resource Server Requirements
Ticket(s) | Title | User Story | Priority | Notes |
---|---|---|---|---|
SSO End User Authentication | As an Application Developer, I want to authenticate my end user using a Campus SSO solution. | MUST HAVE |
| |
User Interaction, Design & Architecture
Service Architecture for OAuth Token (PowerPoint)
Sequence Diagram for OAuth Token (WebSequenceDiagrams Link)
Service Architecture for OAuth JWT (PowerPoint)
Sequence Diagrams for OAuth JWT (WebSequenceDiagrams Link)
Examples and References
Questions
Below is a list of questions to be addressed as a result of this requirements document:
Question | Outcome | Decision Date |
---|---|---|
Can CAS 3.0 return a JWT? Will it be able to use the same keystore as the OAuth 2.0 endpoint? | ||
How similar will the CAS 3.0 verification response be to an Auth 2.0 authentication code response? |