Friends of Penn State - FPS
James A. Vuccolo
Lead Research Programmer
Advanced Information Technologies (AIT) in Academic Services and Emerging
Technologies (ASET), a unit of Information Technology Services (ITS)
Agenda
• Introduction
• The Development Process
• Using FPS
• Upcoming Features
• Application Providers
• Wrap-Up
Introduction
Names
What FPS IS
• The Friends of Penn State Account System is a digital
identity management system designed to be used by
application providers from within the Penn State
community to establish and manage an end-user’s identity
who does not have a Penn State Access Account. (Most
likely for Web-based applications.)
• It is a database that holds various attributes about a person,
including contact info AND a means for authentication.
• It provides a set of APIs which establish and manage
account information.
What FPS is NOT
• It is NOT a set of end-user applications.
– It’s a database, Kerberos V (K5) KDC, and APIs.
• It is NOT for organizations or companies outside
of the Penn State community to use for their
applications.
– It enables people outside the Penn State community to
access applications from within the Penn State
community.
The Development Process
Assemble a Team
• FPS team members include representatives from:
– Administrative Information Systems (AIS)
– Academic Services and Emerging Technologies
(ASET)
• Advanced Information Technologies (AIT)
– Consulting and Support Services (CSS)
Interview Stakeholders
• Stakeholder
– A person/group who has a vested interest in FPS for use
in their Web-based applications.
– Each organization was interviewed to determine what
their needs are relative to FPS.
• Who are they?
– Office of Undergraduate Admissions, College of Agricultural Sciences,
Alumni Association, Penn State Great Valley, University Library, Office
of Human Resources (OHR), Outreach & Cooperative Extension (O&CE),
PA State Data Center, Office of the University Registrar, Office of Student
Aid, Office of the University Bursar, Undergraduate Education, World
Campus and eCommerce
What Did We Ask?
1. Indicate the number of users you intend to serve in the next 3, 5, and 10 years.
2. What type of user identity is needed for your application(s), e.g., userid/password, personal cert., Penn State Id+ number, etc.?
3. Indicate examples of data that would need to be stored and whether this data would be stored in our database (userid, email address, address, ...).
4. Do you anticipate the migration of your users between the external and internal (production cell) authentication realms?
5. Indicate what determines an inactive account and the length of time in which data for this account should remain online.
6. Do you need specific APIs to access the central data store to retrieve information about the user?
7. Do you interface with other universities and/or organizations where identity must be exchanged?
8. What authentication method is sufficient/needed now and in the future?
9. Do you have a need for different classifications of accounts?
Design
• After the stakeholder interviews the project team
was able to do the following:
– Derive FPS requirements
– Determine the technology to be used to satisfy the
requirements
– Design the data store to be used to store user attributes
– Determine what software would be developed
Requirement Categories
• General
• Authentication
• Database
• Graphical User Interface (GUI)
• Security
• Application Programming Interface (API)
• Migration
• Stakeholder Specific
Selected Technology
• Authentication
– Process for determining whether someone or something
is, in fact, who or what it is declared to be.
• MIT Kerberos V (K5)
• Authorization
– Process of giving someone permission to do or have
something
• IBM DB2 Database
• IBM Directory Server (IDS) LDAP Server
What is Kerberos?
• Kerberos is:
– “…a network authentication protocol. It is designed to provide
strong authentication for client/server applications using secret-key
cryptography”
• http://www.mit.edu/kerberos/www/
• Components
– Key Distribution Center (KDC)
• Master (located in Computer Building)
• Slave (located offsite)
– Clients
– Application Servers
Database Design
Architecture
Architecture diagram: fps.psu.edu hosts the Master KDC, LDAP Master, DB2 Database and Apache SSL Web Server; Kerberos propagation and LDAP replication feed fops.offsite.psu.edu, which hosts the Slave KDC and LDAP Replica.
Technology Summary
Authentication: MIT Kerberos (Master and Slave KDCs)
Database: IBM DB2
Web Server: Apache+SSL
Development Tools: C, IBM SQL PL
Implement
• CGI Programs (https://fps.psu.edu/)
– Create identity, change password, reset password, remove identity,
update information and check identity
• HTTPS POST APIs (XML output)
– Create identity, change password, reset password, authenticate
identity, set data, get data, certify identity, un-certify identity, lock
identity, unlock identity, sign identity, un-sign identity, remove
identity, get all data and remove role
• Help Desk Consultants Interface
Test
• Testing was performed in the following areas:
– Verification and validation of FPS CGIs and APIs
– Propagation of data from the Master to the Slave KDC
– Creation and maintenance of information in the LDAP
server
Using FPS
Obtaining An Account
• Migration
– People who leave the University (e.g. graduates) will be migrated
automatically to the external realm.
– FPS account holders who establish a formal relationship with
Penn State (e.g. an applicant who registers) will be migrated
automatically to the internal realm.
• Web Site
– Those who would like to have an FPS account can go to the FPS
Web site (https://fps.psu.edu/) to create an account for themselves.
Developing Applications
• Interested groups who want to develop
applications should do the following:
– Consult the FPS project site at
http://www.psu.edu/fpsproject/
– Contact the FPS development team at [email protected] to
discuss their specific application
Using APIs
• FPS APIs can be used with the following languages:
– Perl
– Java
– C
– ASP
– Smalltalk
A Sample API
<html>
<head><title>Test Create</title></head>
<body>
<form name="auth_identity" method="post"
action="https://fps.psu.edu/api/auth_identity.cgi">
<input type="hidden" name="userid" value="jav5002">
<input type="hidden" name="password" value="someval">
<input type="hidden" name="group_id" value="1">
<input type="hidden" name="in_fields" value="userid,password">
<input type="hidden" name="min_flds" value="userid,password">
<input type="submit" name="s" value="submit">
</form>
</body>
</html>
A Sample API (cont’d)
<?xml version="1.0" encoding="utf-8" ?>
<authentication>
<status>SUCCESS</status>
<realm>external</realm>
<personID>243649</personID>
<roleList />
</authentication>
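An added example, not code from the deck or the FPS project: a server-side Python client that sends the same POST fields as the sample form and parses the XML reply shown above. The URL and field names are the deck's; it assumes (the deck does not say) that <status> is SUCCESS on success and another token on failure, and that a non-empty <roleList> holds <role> children.

```python
"""Added example, not code from the FPS deck or project: a server-side client
for the auth_identity.cgi POST API and a parser for its XML reply. Assumed,
not confirmed by the deck: <status> is SUCCESS on success and another token
otherwise, and a non-empty <roleList> carries <role> children."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from urllib.parse import urlencode
from urllib.request import Request, urlopen

API_URL = "https://fps.psu.edu/api/auth_identity.cgi"  # URL from the deck

@dataclass
class AuthResult:
    status: str
    realm: str
    person_id: str
    roles: list = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return self.status == "SUCCESS"

def build_auth_body(userid: str, password: str, group_id: str = "1") -> bytes:
    """Same fields as the sample HTML form, built server-side so the password
    is never embedded as a hidden field in HTML served to a browser."""
    params = {"userid": userid, "password": password, "group_id": group_id,
              "in_fields": "userid,password",   # fields supplied in this call
              "min_flds": "userid,password"}    # fields the API requires
    return urlencode(params).encode("utf-8")

def parse_auth_response(xml_text: str) -> AuthResult:
    """Reject anything that is not an <authentication> document carrying a
    <status>, so a malformed or unexpected reply can never pass as SUCCESS."""
    root = ET.fromstring(xml_text)
    if root.tag != "authentication":
        raise ValueError("unexpected root element: %r" % root.tag)
    status = (root.findtext("status") or "").strip()
    if not status:
        raise ValueError("reply carries no <status>")
    roles = [r.text.strip() for r in root.findall("roleList/role") if r.text]
    return AuthResult(status, root.findtext("realm") or "",
                      root.findtext("personID") or "", roles)

def authenticate(userid: str, password: str, group_id: str = "1",
                 url: str = API_URL, opener=urlopen) -> AuthResult:
    """POST the credentials over HTTPS and parse the reply (makes a network call)."""
    req = Request(url, data=build_auth_body(userid, password, group_id),
                  headers={"Content-Type": "application/x-www-form-urlencoded"})
    with opener(req, timeout=10) as resp:
        return parse_auth_response(resp.read().decode("utf-8"))
```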
What Are Roles?
• Attributes that are assigned to a user
– User paid using a credit card.
– A picture ID was checked.
– Identity was migrated from the internal realm.
– A signature for a Penn State Access Account exists on file.
• Notary
– Enables access account holders to assign specific roles
to an FPS identity
Upcoming Features
• Unified Lab Consultants Interface
• Automated migration of identities from the
internal to external realm
– Will happen before identity is locked in the internal
realm
• Migration of identities from the external to the
internal realm
– Example: when an applicant becomes a paid accept
Application Providers
• World Campus
– Automated Registration System
– Courses.worldcampus.psu.edu
• ANGEL
– All auth via FPS server
• CWC
– Campus Advisory Committee Members
• Admissions
– Student Application
Application Providers (cont’d)
• Graduate School
• AIS/Registrar
– Transcripts Application
• Dairy and Animal Science
– Web based extension activities
• Great Valley
– Information kiosk
• DLT
– http://etda.libraries.psu.edu/
Wrap-Up
• Questions?
• Comments!