Friends of Penn State
advertisement
Friends of Penn State - FPS James A. Vuccolo Lead Research Programmer Advanced Information Technologies (AIT) in Academic Services and Emerging Technologies (ASET), a unit of Information Technology Services (ITS) Agenda • • • • • • Introduction The Development Process Using FPS Upcoming Features Application Providers Wrap-Up Introduction Names What FPS IS • The Friends of Penn State Account System is a digital identity management system designed to be used by application providers from within the Penn State community to establish and manage an end-user’s identity who does not have a Penn State Access Account. (Most likely for Web-based applications.) • It is a database that holds various attributes about a person, including contact info AND a means for authentication. • It provides a set of APIs which establish and manage account information. What FPS is NOT • It is NOT a set of end-user applications. – It’s a database, Kerberos V (K5) KDC, and APIs. • It is NOT for organizations or companies outside of the Penn State community to use for their applications. – It enables people outside the Penn State community to access applications from within the Penn State community. The Development Process Assemble a Team • FPS team members include representatives from: – Administrative Information Systems (AIS) – Academic Services and Emerging Technologies (ASET) • Advanced Information Technologies (AIT) – Consulting and Support Services (CSS) Interview Stakeholders • Stakeholder – A person/group who has a vested interest in FPS for use in their Web-based applications. – Each organization was interviewed to determine what their needs are relative to FPS. • Who are they? – Office of Undergraduate Admissions, College of Agricultural Sciences, Alumni Association, Penn State Great Valley, University Library, Office of Human Resources (OHR), Outreach & Cooperative Extension (O&CE), PA State Data Center, Office of the University Registrar, Office of Student Aid, Office of the University Bursar, Undergraduate Education, World Campus and eCommerce What Did We Ask? 1. 2. 3. 4. 5. 6. 7. 8. 9. Indicate the number of users you intend to serve in the next 3, 5, and 10 years. What type of user identity is needed for your application(s) i.e., userid/password, personal cert., Penn State Id+ number, etc.? Indicate examples of data that would need to be stored and whether this data would be stored in our database (userid, email address, address,...)? Do you anticipate the migration of your users between the external and internal (production cell) authentication realms? Indicate what determines an inactive account and the length of time in which data for this account should remain online. Do you need specific APIs to a access the central data store to retrieve information about the user? Do you interface with other universities and/or organizations where identity must be exchanged? What authentication method is sufficient/needed now and in the future? Do you have a need for different classifications of accounts? Design • After the stakeholder interviews the project team was able to do the following: – Derive FPS requirements – Determine the technology to be used to satisfy the requirements – Design the data store to be used to store user attributes – Determine what software would be developed Requirement Categories • • • • • • • • General Authentication Database Graphical User Interface (GUI) Security Application Programming Interface (API) Migration Stakeholder Specific Selected Technology • Authentication – Process for determining whether someone or something is, in fact, who or what it is declared to be. • MIT Kerberos V (K5) • Authorization – Process of giving someone permission to do or have something • IBM DB2 Database • IBM Directory Server (IDS) LDAP Server What is Kerberos? • Kerberos is: – “…a network authentication protocol. It is designed to provide strong authentication for client/server applications using secret-key cryptography” • http://www.mit.edu/kerberos/www/ • Components – Key Distribution Center (KDC) • Master (located in Computer Building) • Slave (located offsite) – Clients – Application Servers Database Design Architecture Kerberos Propagation LDAP Replication fops.offsite.psu.edu fps.psu.edu •Master KDC •LDAP Master •DB2 Database •Apache SSL Web Server •Slave KDC •LDAP Replica Technology Summary Authentication MIT Kerberos (Master and Slave KDCs) Database IBM DB2 Web Server Apache+SSL Development Tools C, IBM SQL PL Implement • CGI Programs (https://fps.psu.edu/) – Create identity, change password, reset password, remove identity, update information and check identity • HTTPS POST APIs (XML output) – Create identity, change password, reset password, authenticate identity, set data, get data, certify identity, un-certify identity, lock identity, unlock identity, sign identity, un-sign identity, remove identity, get all data and remove role • Help Desk Consultants Interface Test • Testing was performed in the following areas: – Verification and validation of FPS CGIs and APIs – Propagation of data from the Master to the Slave KDC – Creation and maintenance of information in the LDAP server Using FPS Obtaining An Account • Migration – People who leave the University (e.g. graduates) will be migrated automatically to the external realm. – FPS accounts holders who establish a formal relationship with Penn State (e.g. an applicant who registers) will be migrated automatically to the internal realm. • Web Site – Those who would like to have an FPS account can go to the FPS Web site (https://fps.psu.edu/) to create an account for themselves. Developing Applications • Interested groups who want to develop applications should do the following: – Consult the FPS project site at http://www.psu.edu/fpsproject/ – Contact the FPS development team at fps@psu.edu to discuss their specific application Using APIs • FPS APIs can be used with the following languages: – – – – – Perl Java C ASP Smalltalk A Sample API <html> <head><title>Test Create</title></head> <body> <form name=“auth_identity” method=“post” action=“https://fps.psu.edu/api/auth_identity.cgi”> <input type=“hidden” name=“userid” value=“jav5002> <input type=“hidden” name=“password” value=“someval”> <input type=“hidden” name=“group_id” value=“1”> <input type=“hidden” name=“in_fields” value=“userid,password”> <input type=“hidden” name=“min_flds” value=“userid,password”> <input type=“submit” name=“s” value=“submit”> </form> </body> </html> A Sample API (cont’d) <?xml version="1.0" encoding="utf-8" ?> <authentication> <status>SUCCESS</status> <realm>external</realm> <personID>243649</personID> <roleList /> </authentication> What Are Roles? • Attributes that are assigned to a user – – – – User paid using a credit card. A picture ID was checked. Identity was migrated from the internal realm. A signature for a Penn State Access Account exists on file. • Notary – Enables access account holders to assign specific roles to an FPS identity Upcoming Features • Unified Lab Consultants Interface • Automated migration of identities from the internal to external realm – Will happen before identity is locked in the internal realm • Migration of identities from the external to the internal realm – Example: when an applicant becomes a paid accept Application Providers • World Campus – Automated Registration System – Courses.worldcampus.psu.edu • ANGEL – All auth via FPS server • CWC – Campus Advisory Committee Members • Admissions – Student Application Application Providers (cont’d) • Graduate School • AIS/Registrar – Transcripts Application • Dairy and Animal Science – Web based extension activities • Great Valley – Information kiosk • DLT – http://etda.libraries.psu.edu/ Wrap-Up • Questions? • Comments!
