1 / 30

Friends of Penn State - FPS

Friends of Penn State - FPS. James A. Vuccolo Lead Research Programmer Advanced Information Technologies (AIT) in Academic Services and Emerging Technologies (ASET), a unit of Information Technology Services (ITS). Agenda. Introduction The Development Process Using FPS Upcoming Features

Faraday
Download Presentation

Friends of Penn State - FPS

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Friends of Penn State - FPS James A. Vuccolo Lead Research Programmer Advanced Information Technologies (AIT) in Academic Services and Emerging Technologies (ASET), a unit of Information Technology Services (ITS)

  2. Agenda • Introduction • The Development Process • Using FPS • Upcoming Features • Application Providers • Wrap-Up

  3. Introduction

  4. Names Informal Authentication External Authentication FPS ITSEA FOPS Friends of Penn State

  5. What FPS IS • The Friends of Penn State Account System is a digital identity management system designed to be used by application providers from within the Penn State community to establish and manage an end-user’s identity who does not have a Penn State Access Account. (Most likely for Web-based applications.) • It is a database that holds various attributes about a person, including contact info AND a means for authentication. • It provides a set of APIs which establish and manage account information.

  6. What FPS is NOT • It is NOT a set of end-user applications. • It’s a database, Kerberos V (K5) KDC, and APIs. • It is NOT for organizations or companies outside of the Penn State community to use for their applications. • It enables people outside the Penn State community to access applications from within the Penn State community.

  7. The Development Process

  8. Assemble a Team • FPS team members include representatives from: • Administrative Information Systems (AIS) • Academic Services and Emerging Technologies (ASET) • Advanced Information Technologies (AIT) • Consulting and Support Services (CSS)

  9. Interview Stakeholders • Stakeholder • A person/group who has a vested interest in FPS for use in their Web-based applications. • Each organization was interviewed to determine what their needs are relative to FPS. • Who are they? • Office of Undergraduate Admissions, College of Agricultural Sciences, Alumni Association, Penn State Great Valley, University Library, Office of Human Resources (OHR), Outreach & Cooperative Extension (O&CE), PA State Data Center, Office of the University Registrar, Office of Student Aid, Office of the University Bursar, Undergraduate Education, World Campus and eCommerce

  10. What Did We Ask? • Indicate the number of users you intend to serve in the next 3,5, and 10 years. • What type of user identity is needed for your application(s)i.e., userid/password, personal cert., Penn State Id+ number, etc.?  • Indicate examples of data that would need to be stored and whether this data would be stored in our database (userid, emailaddress, address,...)? • Do you anticipate the migration of your users between theexternal and internal (production cell) authentication realms?  • Indicate what determines an inactive account and the length oftime in which data for this account should remain online. • Do you need specific APIs to a access the central data store toretrieve information about the user? • Do you interface with other universities and/or organizationswhere identity must be exchanged? • What authentication method is sufficient/needed now and in the future? • Do you have a need for different classifications of accounts?

  11. Design • After the stakeholder interviews the project team was able to do the following: • Derive FPS requirements • Determine the technology to be used to satisfy the requirements • Design the data store to be used to store user attributes • Determine what software would be developed

  12. Requirement Categories • General • Authentication • Database • Graphical User Interface (GUI) • Security • Application Programming Interface (API) • Migration • Stakeholder Specific

  13. Selected Technology • Authentication • Process for determining whether someone or something is, in fact, who or what it is declared to be. • MIT Kerberos V (K5) • Authorization • Process of giving someone permission to do or have something • IBM DB2 Database • IBM Directory Server (IDS) LDAP Server

  14. What is Kerberos? • Kerberos is: • “…a network authentication protocol. It is designed to provide strong authentication for client/server applications using secret-key cryptography” • http://www.mit.edu/kerberos/www/ • Components • Key Distribution Center (KDC) • Master (located in Computer Building) • Slave (located offsite) • Clients • Application Servers

  15. Database Design

  16. Architecture Native Kerberos Kerberos Propagation CLIENTS LDAP Replication FPS API • fops.offsite.psu.edu • Slave KDC • LDAP Replica • fps.psu.edu • Master KDC • LDAP Master • DB2 Database • Apache SSL Web Server

  17. Technology Summary

  18. Implement • CGI Programs (https://fps.psu.edu/) • Create identity, change password, reset password, remove identity, update information and check identity • HTTPS POST APIs (XML output) • Create identity, change password, reset password, authenticate identity, set data, get data, certify identity, un-certify identity, lock identity, unlock identity, sign identity, un-sign identity, remove identity, get all data and remove role • Help Desk Consultants Interface

  19. Test • Testing was performed in the following areas: • Verification and validation of FPS CGIs and APIs • Propagation of data from the Master to the Slave KDC • Creation and maintenance of information in the LDAP server

  20. Using FPS

  21. Obtaining An Account • Migration • People who leave the University (e.g. graduates) will be migrated automatically to the external realm. • FPS accounts holders who establish a formal relationship with Penn State (e.g. an applicant who registers) will be migrated automatically to the internal realm. • Web Site • Those who would like to have an FPS account can go to the FPS Web site (https://fps.psu.edu/) to create an account for themselves.

  22. Developing Applications • Interested groups who want to develop applications should do the following: • Consult the FPS project site at http://www.psu.edu/fpsproject/ • Contact the FPS development team at fps@psu.edu to discuss their specific application

  23. Using APIs • FPS APIs can be used with the following languages: • Perl • Java • C • ASP • Smalltalk

  24. A Sample API <html> <head><title>Test Create</title></head> <body> <form name=“auth_identity” method=“post” action=“https://fps.psu.edu/api/auth_identity.cgi”> <input type=“hidden” name=“userid” value=“jav5002> <input type=“hidden” name=“password” value=“someval”> <input type=“hidden” name=“group_id” value=“1”> <input type=“hidden” name=“in_fields” value=“userid,password”> <input type=“hidden” name=“min_flds” value=“userid,password”> <input type=“submit” name=“s” value=“submit”> </form> </body> </html>

  25. A Sample API (cont’d) <?xml version="1.0" encoding="utf-8" ?>-<authentication> <status>SUCCESS</status> <realm>external</realm> <personID>243649</personID> <roleList/> </authentication>

  26. What Are Roles? • Attributes that are assigned to a user • User paid using a credit card. • A picture ID was checked. • Identity was migrated from the internal realm. • A signature for a Penn State Access Account exists on file. • Notary • Enables access account holders to assign specific roles to an FPS identity

  27. Upcoming Features • Unified Lab Consultants Interface • Automated migration of identities from the internal to external realm • Will happen before identity is locked in the internal realm • Migration of identities from the external to the internal realm • Example: when an applicant becomes a paid accept

  28. Application Providers • World Campus • Automated Registration System • Courses.worldcampus.psu.edu • ANGEL • All auth via FPS server • CWC • Campus Advisory Committee Members • Admissions • Student Application

  29. Application Providers (cont’d) • Graduate School • AIS/Registrar • Transcripts Application • Dairy and Animal Science • Web based extension activities • Great Valley • Information kiosk • DLT • http://etda.libraries.psu.edu/

  30. Wrap-Up • Questions? • Comments!

More Related