Meteor Implementation
Presented by: Tim Cameron & Justin Greenough

Part I
Meteor Overview & Steps to Implementation

Meteor
Meteor is a web-based universal access channel for financial aid information. Information from multiple data providers is aggregated to assist the financial aid professional and the borrower with the financial aid process, repayment, and default aversion. Meteor is a collaborative effort and access is provided at no charge.

Meteor Services
Access timely, student-specific financial aid information from multiple sources
One-stop, common, online customer service resource
Currently provides information on FFELP and alternative loans (vision to include Direct Loans, Perkins Loans, Pell Grants, and state aid)

Meteor Volume
In two short years, Meteor has attained (in production or currently planned for implementation):
  81% of FFELP Loan Guarantee Data
  60% of FFELP Loan Servicing Data
  64% of Alternative Loan Data

Meteor in Relationship to Other Industry Initiatives

| | Meteor | ELMNet | NSLDS |
|---|---|---|---|
| Use of industry messaging standards for Data Inquiry | In Development | In Development | In Development |
| Loan Origination & Transactions Processing | N/A | Yes | Transaction only |
| Real Time | Yes | Yes | No |
| Access Points | Multiple | Single | Single |
| Authentication Methods | Multiple | Single | Single |

The Meteor Process
[Diagram: a Financial Aid Professional or Student, Access Providers, Index Providers and Data Providers, with steps labeled One, Two and Three]

How Does Meteor Work: Access Providers
A Meteor Access Provider allows inquirers to obtain information through its website by hosting a copy of the Meteor software, which generates the request to the Data Providers for the borrower's information.
Access providers can be Schools, Guarantors, Lenders, Servicers, or Secondary Markets.
Meteor provides the Access Providers with software that verifies the status of the providers, generates requests for information, receives the response messages, performs the duplicate and best source logic, and displays the default screens.

How Does Meteor Work: Index Providers
A Meteor Index Provider is used to identify the location(s) of the requested student/borrower information.
The current Meteor Index Provider is the National Student Clearinghouse.
In the future, other indices will be added based on the type of data to be incorporated into the network.
This is only an index (pointer) to the actual data providers. The index does not provide data to Meteor.

Clearinghouse as Meteor Index
100% of FFELP guarantee volume
Over 5.6 million Direct Loan Program accounts
Over 13.2 million FFELP servicer accounts
Over 1.6 million Perkins/Private/Alternative Loan servicer accounts (including some managed by schools themselves)

How Does Meteor Work: Data Providers
A Meteor Data Provider hosts a copy of the Meteor software that enables the software to respond to the Access Provider's request for information, supplying data from their system.
Data Providers are typically Lenders, Servicers, Guarantors, and Secondary Markets.
In the future, the Dept. of Education, State Grant authorities, Schools, and others could become Data Providers.
Meteor provides the data providers with software that verifies the authenticity of the information request, formats the response message, and filters data based on the role of the end user.

Reliability and Security
Data is sent directly from the data provider's system and is not altered in any way within Meteor.
All data is electronically transmitted securely using SSL encryption.
Independent Audit showed no serious vulnerabilities.

Authentication
No central authentication process
Utilizes transitive trust model
Each Access Provider uses its existing authentication model (single sign-on)
Level of trust assigned at registration
Worked with Shibboleth
  Shibboleth, a project of Internet2/Mace, is developing architectures, policy structures, practical technologies, and an open source implementation to support inter-institutional sharing of web resources subject to access controls. In addition, Shibboleth will develop a policy framework that will allow inter-operation within the higher education community.
  Project participants include Brown University, Ohio State, Penn State and many other colleges and universities.

Building Trust and Integrity
The Meteor Advisory Team sought input and expertise regarding privacy and security from the sponsoring organizations and the NCHELP Legal Committee.
Analysis was provided in relation to GLB and individual state privacy laws.
The analysis revealed that Meteor complied with GLB, FERPA, and known state privacy provisions.

Steps to Participation
Provider downloads and completes the following forms from the NCHELP website:
  Meteor Participant Certification
  Registration Profile
  Authentication Profile(s)
  Technical Profile
Authentication protocol review
Provider is set up in the test registry
Installation of software
Testing
Provider is set up in the production registry
Move to production
Final connectivity testing
GO LIVE!

Part II
Basic Meteor Setup

Which Type of Provider Are You?
Authentication Only: Log users in and pass off to another Access Provider
Access/Authentication: Log users in and provide Meteor lookups
Data Provider: Provide access to loan data on the Meteor network

Three Major Steps
Install: App Server, Meteor Software, Data Connectors or Drivers
Configure: Keys/Certificate, Properties Files, SSL Connectivity
Customize: Authentication Method, Data Access

Step 1: Install
Java Application Server
  An App Server is a web server that serves Java Servlets and JSP pages (similar to ASP, PHP, CGI, etc.).
  Meteor is known to work on several app servers. Greatest support is available for Apache Tomcat, which is free.
Meteor Application(s)
  Meteor applications will deploy out of the box on most app servers.
Install Custom Drivers/Connectors
  Install any drivers/connectors necessary to access your legacy data using Java (SQL, Mainframe bridge, etc.).

Step 2: Configure
Create Key Pair and Configure SSL
  Create a JKS (Java) key pair.
  Have certificate signed by a known CA (Verisign, Thawte, etc.).
  Private key resides on Meteor server.
  Public key is placed in the Meteor Registry.
  Configure App Server to use SSL Communication Only.
Note: You generally cannot use an existing IIS or Apache SSL certificate. They're not stored in the same format.

Step 2: Configure
Why Use a Key Pair?
  Each key can unlock data that was locked by the other key but cannot unlock info it locked itself.
  If a document is modified in transit, unlocking it will fail.
  Assures a valid Meteor participant is requesting the data.
  Assures that a request hasn't been modified by some third party.
  Standard SSL encrypts the request and response.
  Third-party signature (Verisign, Thawte, etc.) verifies that each organization is valid/reputable.

Step 3: Customize
End User Authentication
Meteor does not ship with its own authentication system.
Must choose one of two methods:
  1. Implement Java code IUserAuthentication to talk to your existing authentication system.
  2. Implement code in your existing system to create a SAML Assertion that can be passed to Meteor to verify that the user has been logged in. (Recommended)
Meteor team can provide sample Java code for method #2.
Method #2 can theoretically be performed in any language. Some proofs of concept exist.

Step 3: Customize
What is a SAML Assertion?
SAML = Security Authentication Markup Language.
SAML assertions are XML documents.
A SAML Assertion says:
  I logged this user in.
  I'm Level N sure of the person's identity (N = 1 to 3).
  This user has a certain access role (FAO, Borrower, etc.).
SAML assertions are digitally signed with an entity's private key.
SAML assertions can be used for single sign-on applications.

Step 3: Customize
Authentication Using SAML (Recommended)
Organization's existing enterprise sign-on system is modified to create a SAML Assertion after authenticating the user.
User clicks form submit button and assertion is passed to Meteor via HTTP Post.
Meteor validates SAML Assertion against the public key in the Meteor Registry and grants or denies access as appropriate.
Note: Java classes and sample code exist to create the SAML Assertion.

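An added example (not Meteor's own code) of the key-pair check described in the "Why Use a Key Pair?" and "Authentication Using SAML" slides: the issuer signs with its private key, and the verifier accepts only signatures that match a public key it holds in a registry. It signs the raw assertion string with SHA256withRSA as a stand-in for the XML digital signature a real SAML assertion carries; the class name, registry map, provider ids and sample assertion are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.HashMap;
import java.util.Map;

public class AssertionSignatureDemo {
    // Hypothetical stand-in for the Meteor Registry: provider id -> registered public key.
    static final Map<String, PublicKey> REGISTRY = new HashMap<>();

    static byte[] sign(String assertion, PrivateKey key) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(key);
        s.update(assertion.getBytes(StandardCharsets.UTF_8));
        return s.sign();
    }

    // Accept only if the issuer is registered and the signature covers the exact bytes received.
    static boolean verify(String issuer, String assertion, byte[] sig) throws GeneralSecurityException {
        PublicKey key = REGISTRY.get(issuer);
        if (key == null) return false; // unregistered provider: deny by default
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initVerify(key);
        s.update(assertion.getBytes(StandardCharsets.UTF_8));
        return s.verify(sig);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair school = gen.generateKeyPair();   // registered access provider
        KeyPair outsider = gen.generateKeyPair(); // key that was never registered
        REGISTRY.put("example-school", school.getPublic());

        // Constructed sample; a real assertion is a full SAML XML document.
        String assertion = "<Assertion issuer=\"example-school\" role=\"FAO\" level=\"2\"/>";
        byte[] sig = sign(assertion, school.getPrivate());
        String tampered = assertion.replace("level=\"2\"", "level=\"3\"");
        byte[] forged = sign(assertion, outsider.getPrivate());

        System.out.println("untouched assertion:  " + verify("example-school", assertion, sig));
        System.out.println("modified in transit:  " + verify("example-school", tampered, sig));
        System.out.println("signed by wrong key:  " + verify("example-school", assertion, forged));
        System.out.println("unregistered issuer:  " + verify("unlisted-provider", assertion, forged));
    }
}
```
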
Step 3: Customize
Data Provider Customization
How do I link Meteor to my data?
Implement DataServerAbstraction Interface
Retrieving Data
Creating the Response
Where can I find help?

Step 3: Customize
Implementing DataServerAbstraction Interface
public MeteorDataResponse getData(MeteorContext context, String ssn)
Security Token
  Contained within the MeteorContext
  Requestor Role (Borrower, FAO, CSR)
  Opaque User Id

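An added sketch, not Meteor's own code, of the role-based filtering a Data Provider applies inside getData, using the requestor role and identity level carried in the security token. The Token and Loan records, the minimum-level rule, the redaction rule and the sample loans are assumptions made for illustration; Meteor's real MeteorContext and MeteorDataResponse classes are not shown on this page (records need Java 16 or later).

```java
import java.util.ArrayList;
import java.util.List;

public class RoleFilterDemo {
    enum Role { BORROWER, FAO, CSR } // requestor roles named on the slide

    // Hypothetical stand-ins for the verified security token and a loan record.
    record Token(Role role, int level, String opaqueUserId) {}
    record Loan(String ssn, String servicer, String balance, String internalNotes) {}

    static final int MIN_LEVEL = 2; // assumed local policy: minimum identity level (1 to 3)

    // Constructed sample data standing in for the provider's loan system.
    static final List<Loan> LOANS = List.of(
        new Loan("000-00-0001", "Servicer A", "4200.00", "skip-trace pending"),
        new Loan("000-00-0002", "Servicer B", "900.00", "none"));

    // Sketch of getData(context, ssn): deny by default, then redact by role.
    static List<Loan> getData(Token token, String ssn) {
        List<Loan> out = new ArrayList<>();
        if (token == null || token.role() == null || token.level() < MIN_LEVEL) {
            return out; // missing role or weak assurance: return nothing
        }
        boolean staff = token.role() == Role.FAO || token.role() == Role.CSR;
        for (Loan loan : LOANS) {
            if (!loan.ssn().equals(ssn)) continue;
            // Assumed rule: borrowers do not receive internal servicing notes.
            out.add(staff ? loan : new Loan(loan.ssn(), loan.servicer(), loan.balance(), null));
        }
        return out;
    }

    public static void main(String[] args) {
        String ssn = "000-00-0001";
        System.out.println("FAO, level 2:      " + getData(new Token(Role.FAO, 2, "u-17"), ssn));
        System.out.println("Borrower, level 2: " + getData(new Token(Role.BORROWER, 2, "u-42"), ssn));
        System.out.println("Borrower, level 1: " + getData(new Token(Role.BORROWER, 1, "u-42"), ssn));
        System.out.println("No token:          " + getData(null, ssn));
    }
}
```
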
Step 3: Customize
Retrieving Data
Use existing Meteor sample code
Predefined database schema
Data must be loaded into database
Direct access to production data
SQL embedded
Real-time access to data
Transaction Calls
RPC, MQ, SOAP, CICS Gateway

Step 3: Customize
Creating the Response
MeteorDataResponse Object
Mapping Data
Data is mapped to container classes.
Start early in the process.
Seek help from business experts.
Meteor software handles formatting the response.

Step 3: Customize
Help Resources
Meteor Tech Team List Server
Sample Code
http://www.meteorcentral.com
Source Code
Production Releases
http://www.nchelp.org/meteor.htm
Documentation
Meteor Setup Guide

Contact Information
We appreciate your feedback and comments.
We can be reached at:
Tim Cameron: Meteor Project Manager
meteor@nchelp.org
Justin Greenough: Member, Meteor Technical Team
jgreenough@riheaa.org