Friends of Penn State - FPS James A. Vuccolo Lead Research Programmer Advanced Information Technologies (AIT) in Academic Services and Emerging Technologies (ASET), a unit of Information Technology Services (ITS)
Agenda • Introduction • The Development Process • Using FPS • Upcoming Features • Application Providers • Wrap-Up
Names
• Informal Authentication
• External Authentication
• FPS
• ITSEA
• FOPS
• Friends of Penn State
What FPS IS
• The Friends of Penn State Account System is a digital identity management system designed to be used by application providers within the Penn State community to establish and manage the identity of an end user who does not have a Penn State Access Account. (Most likely for Web-based applications.)
• It is a database that holds various attributes about a person, including contact info AND a means for authentication.
• It provides a set of APIs which establish and manage account information.
What FPS is NOT
• It is NOT a set of end-user applications.
  • It's a database, Kerberos V (K5) KDC, and APIs.
• It is NOT for organizations or companies outside of the Penn State community to use for their applications.
  • It enables people outside the Penn State community to access applications from within the Penn State community.
Assemble a Team • FPS team members include representatives from: • Administrative Information Systems (AIS) • Academic Services and Emerging Technologies (ASET) • Advanced Information Technologies (AIT) • Consulting and Support Services (CSS)
Interview Stakeholders
• Stakeholder
  • A person/group who has a vested interest in FPS for use in their Web-based applications.
  • Each organization was interviewed to determine what their needs are relative to FPS.
• Who are they?
  • Office of Undergraduate Admissions, College of Agricultural Sciences, Alumni Association, Penn State Great Valley, University Library, Office of Human Resources (OHR), Outreach & Cooperative Extension (O&CE), PA State Data Center, Office of the University Registrar, Office of Student Aid, Office of the University Bursar, Undergraduate Education, World Campus and eCommerce
What Did We Ask?
• Indicate the number of users you intend to serve in the next 3, 5, and 10 years.
• What type of user identity is needed for your application(s), i.e., userid/password, personal cert., Penn State Id+ number, etc.?
• Indicate examples of data that would need to be stored and whether this data would be stored in our database (userid, email address, address, ...).
• Do you anticipate the migration of your users between the external and internal (production cell) authentication realms?
• Indicate what determines an inactive account and the length of time in which data for this account should remain online.
• Do you need specific APIs to access the central data store to retrieve information about the user?
• Do you interface with other universities and/or organizations where identity must be exchanged?
• What authentication method is sufficient/needed now and in the future?
• Do you have a need for different classifications of accounts?
Design • After the stakeholder interviews the project team was able to do the following: • Derive FPS requirements • Determine the technology to be used to satisfy the requirements • Design the data store to be used to store user attributes • Determine what software would be developed
Requirement Categories • General • Authentication • Database • Graphical User Interface (GUI) • Security • Application Programming Interface (API) • Migration • Stakeholder Specific
Selected Technology
• Authentication
  • Process for determining whether someone or something is, in fact, who or what it is declared to be.
  • MIT Kerberos V (K5)
• Authorization
  • Process of giving someone permission to do or have something
  • IBM DB2 Database
  • IBM Directory Server (IDS) LDAP Server
What is Kerberos?
• Kerberos is:
  • "…a network authentication protocol. It is designed to provide strong authentication for client/server applications using secret-key cryptography"
  • http://www.mit.edu/kerberos/www/
• Components
  • Key Distribution Center (KDC)
    • Master (located in Computer Building)
    • Slave (located offsite)
  • Clients
  • Application Servers
Architecture (diagram): clients reach FPS over native Kerberos and the FPS API.
• fps.psu.edu: Master KDC, LDAP Master, DB2 Database, Apache SSL Web Server
• fops.offsite.psu.edu: Slave KDC, LDAP Replica (kept current by Kerberos propagation and LDAP replication from fps.psu.edu)
Implement
• CGI Programs (https://fps.psu.edu/)
  • Create identity, change password, reset password, remove identity, update information and check identity
• HTTPS POST APIs (XML output)
  • Create identity, change password, reset password, authenticate identity, set data, get data, certify identity, un-certify identity, lock identity, unlock identity, sign identity, un-sign identity, remove identity, get all data and remove role
• Help Desk Consultants Interface
Test • Testing was performed in the following areas: • Verification and validation of FPS CGIs and APIs • Propagation of data from the Master to the Slave KDC • Creation and maintenance of information in the LDAP server
Obtaining An Account
• Migration
  • People who leave the University (e.g. graduates) will be migrated automatically to the external realm.
  • FPS account holders who establish a formal relationship with Penn State (e.g. an applicant who registers) will be migrated automatically to the internal realm.
• Web Site
  • Those who would like to have an FPS account can go to the FPS Web site (https://fps.psu.edu/) to create an account for themselves.
Developing Applications • Interested groups who want to develop applications should do the following: • Consult the FPS project site at http://www.psu.edu/fpsproject/ • Contact the FPS development team at fps@psu.edu to discuss their specific application
Using APIs • FPS APIs can be used with the following languages: • Perl • Java • C • ASP • Smalltalk
A Sample API
<html>
<head><title>Test Create</title></head>
<body>
<form name="auth_identity" method="post" action="https://fps.psu.edu/api/auth_identity.cgi">
  <input type="hidden" name="userid" value="jav5002">
  <input type="hidden" name="password" value="someval">
  <input type="hidden" name="group_id" value="1">
  <input type="hidden" name="in_fields" value="userid,password">
  <input type="hidden" name="min_flds" value="userid,password">
  <input type="submit" name="s" value="submit">
</form>
</body>
</html>
A Sample API (cont'd)
<?xml version="1.0" encoding="utf-8" ?>
<authentication>
  <status>SUCCESS</status>
  <realm>external</realm>
  <personID>243649</personID>
  <roleList/>
</authentication>
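The auth_identity exchange shown on the two slides above, as an added example (not code from the slides or from the FPS project): a small Python client that builds the POST body with the slide's field names, parses the XML reply, and treats anything other than a SUCCESS status as a failed login. The FAILURE reply and the assumption that roleList holds one child element per role are constructed for this example and are not shown on the slides.

```python
import urllib.parse
import xml.etree.ElementTree as ET

# Endpoint and field names come from the sample form on the slide.
AUTH_URL = "https://fps.psu.edu/api/auth_identity.cgi"

def build_auth_request(userid, password, group_id="1"):
    """Return the form-encoded POST body for auth_identity.cgi.
    in_fields names the fields sent; min_flds the ones the API requires."""
    fields = {
        "userid": userid,
        "password": password,
        "group_id": str(group_id),
        "in_fields": "userid,password",
        "min_flds": "userid,password",
    }
    return urllib.parse.urlencode(fields)

def parse_auth_response(xml_text):
    """Parse the <authentication> XML reply into a dict; ok is True only on SUCCESS."""
    root = ET.fromstring(xml_text)
    if root.tag != "authentication":
        raise ValueError("unexpected root element: " + root.tag)
    status = (root.findtext("status") or "").strip()
    role_list = root.find("roleList")
    # Assumption: roleList carries one child element per role (format not shown on the slide).
    roles = [] if role_list is None else [r.text.strip() for r in role_list if r.text]
    return {
        "ok": status == "SUCCESS",
        "status": status,
        "realm": root.findtext("realm"),
        "personID": root.findtext("personID"),
        "roles": roles,
    }

def authenticate(userid, password, post, group_id="1"):
    """post(url, body) performs the HTTPS POST and returns the response text.
    Injecting it keeps this runnable offline; a real client would use urllib over TLS."""
    return parse_auth_response(post(AUTH_URL, build_auth_request(userid, password, group_id)))

# Reply shown on the slide (SUCCESS) and a constructed failure reply for the error path.
SAMPLE_SUCCESS = """<?xml version="1.0" encoding="utf-8" ?>
<authentication><status>SUCCESS</status><realm>external</realm>
<personID>243649</personID><roleList/></authentication>"""
SAMPLE_FAILURE = """<?xml version="1.0" encoding="utf-8" ?>
<authentication><status>FAILURE</status></authentication>"""

if __name__ == "__main__":
    print(authenticate("jav5002", "someval", lambda url, body: SAMPLE_SUCCESS))
```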
What Are Roles?
• Attributes that are assigned to a user
  • User paid using a credit card.
  • A picture ID was checked.
  • Identity was migrated from the internal realm.
  • A signature for a Penn State Access Account exists on file.
• Notary
  • Enables access account holders to assign specific roles to an FPS identity
Upcoming Features
• Unified Lab Consultants Interface
• Automated migration of identities from the internal to external realm
  • Will happen before identity is locked in the internal realm
• Migration of identities from the external to the internal realm
  • Example: when an applicant becomes a paid accept
Application Providers
• World Campus
  • Automated Registration System
  • Courses.worldcampus.psu.edu
  • ANGEL
    • All auth via FPS server
• CWC
  • Campus Advisory Committee Members
• Admissions
  • Student Application
Application Providers (cont'd)
• Graduate School
• AIS/Registrar
  • Transcripts Application
• Dairy and Animal Science
  • Web based extension activities
• Great Valley
  • Information kiosk
• DLT
  • http://etda.libraries.psu.edu/
Wrap-Up • Questions? • Comments!