Meteor Implementation

Presented by:Tim Cameron & Justin Greenough

Technical Track Session

Part I

Meteor Overview & Steps to Implementation

3

Meteor

• Meteor is a web-based universal access channel for financial aid information. Information from multiple data providers is aggregated to assist the financial aid professional and the borrower with the financial aid process, repayment, and default aversion. Meteor is a collaborative effort and access is provided at no charge.

4

Meteor Services

• Access timely, student-specific financial aid information from multiple sources

• One-stop, common, online customer service resource

• Currently provides information on FFELP and alternative loans (vision to include Direct Loans, Perkins Loans, Pell Grants, and state aid)

5

Meteor Volume

• In two short years, Meteor has attained (in production or currently planned for implementation):– 81% of FFELP Loan Guarantee Data

– 60 % of FFELP Loan Servicing Data

– 64 % of Alternative Loan Data

6

Meteor in Relationship to Other Industry Initiatives

Meteor ELMNet NSLDS

Use of industry messaging

standards for Data Inquiry

In Development

In Development

In Development

Loan Origination & Transaction Processing

N/A YesTransactions

only

7

Meteor in Relationship to Other Industry Initiatives

Meteor ELMNet NSLDS

Real Time Yes Yes No

Access Points Multiple Single Single

Authentication Methods

Multiple Single Single

8

The Meteor Process

One

Two

Access Providers

Data Providers

Financial Aid Professional or Student

Three

Index Providers

9

How Does Meteor Work – Access Providers• A Meteor Access Provider allows inquirers

to obtain information through its web site by hosting a copy of the Meteor software, which generates the request to the Data Providers for the borrower’s information.

• Access providers can be Schools, Guarantors, Lenders, Servicers, or Secondary Markets.

10

How Does Meteor Work – Access Providers• Meteor provides the Access Providers

with software that verifies the status of the providers, generates requests for information, receives the response messages, performs the duplicate and best source logic, and displays the default screens.

11

How Does Meteor Work – Index Providers• A Meteor Index Provider is used to

identify the location(s) of the requested student/borrower information.

• The current Meteor Index Provider is the National Student Clearinghouse

12

How Does Meteor Work – Index Providers• In the future, other indices will be

added based on the type of data to be incorporated into the network.

• This is only an index (pointer) to the actual data providers. The index does not provide “data” to Meteor.

13

Clearinghouse as Meteor Index

• 100% of FFELP guarantee volume

• Over 5.6 million Direct Loan Program accounts

• Over 13.2 million FFELP servicer accounts

• Over 1.6 million Perkins/Private/Alternative Loan servicer accounts (including some managed by schools themselves)

14

How Does Meteor Work – Data Providers• A Meteor Data Provider hosts a copy

of the Meteor software that enables the software to respond to the Access Provider’s request for information, supplying data from their system.

• Data Providers are typically Lenders, Servicers, Guarantors, and Secondary Markets.

15

How Does Meteor Work – Data Providers• In the future, the Dept. of

Education, State Grant authorities, Schools, and others could become Data Providers.

16

How Does Meteor Work – Data Providers• Meteor provides the data providers

with software that verifies the authenticity of the information request, formats the response message, and filters data based on the role of the end user.

17

Reliability and Security

• Data is sent directly from the data provider’s system and is not altered in any way within Meteor.

• All data is electronically transmitted securely using SSL encryption.

• Independent Audit showed no serious vulnerabilities.

18

Authentication

• No central authentication process

• Utilizes transitive trust model

• Each Access Provider uses its existing authentication model (single sign-on)

• Level of trust assigned at registration

19

Authentication• Worked with Shibboleth - Shibboleth, a project of

Internet2/Mace, is developing architectures, policy structures, practical technologies, and an open source implementation to support inter-institutional sharing of web resources subject to access controls. In addition, Shibboleth will develop a policy framework that will allow inter-operation within the higher education community.

• Project participants include Brown University, Ohio State, Penn State and many other colleges and universities.

20

Building Trust and Integrity

• The Meteor Advisory Team sought input and expertise regarding privacy and security from the sponsoring organizations and the NCHELP Legal Committee.

• Analysis was provided in relation to GLB and individual state privacy laws.

• The analysis revealed that Meteor complied with GLB, FERPA, and known state privacy provisions.

21

Steps to Participation

• Provider downloads and completes the following forms from the NCHELP web site:– Meteor Participant Certification

– Registration Profile

– Authentication Profile(s)

– Technical Profile

22

Steps to Participation

• Authentication protocol review

• Provider is set-up in the test registry

• Installation of software

• Testing

23

Steps to Participation

• Provider is set-up in the production registry

• Move to production

• Final connectivity testing

• GO LIVE!

Part II

Basic Meteor Setup

25

Which Type of Provider Are You?• Authentication Only – Log users in

and pass off to another Access Provider

• Access/Authentication – Log users in and provide Meteor lookups

• Data Provider – Provide access to loan data on the Meteor network

26

Install• App Server

• Meteor Software

• Data Connectors

or Drivers

Configure• Keys/Certificate

• Properties Files

• SSL Connectivity

Customize• Authentication Method

• Data Access

Three Major Steps

27

Step 1 - Install

• Java Application Server– An App Server is a web server that serves “Java

Servlets” and JSP pages (similar to ASP, PHP, CGI, etc.).

– Meteor is known to work on several app servers. Greatest support is available for Apache Tomcat, which is free.

28

Step 1 - Install

• Meteor Application(s)– Meteor applications will “deploy” out of the box

on most app servers.

• Install Custom Drivers/Connectors– Install any drivers/connectors necessary to access

your legacy data using Java (SQL, Mainframe bridge, etc.).

29

Step 2 - Configure• Create Key Pair and Configure SSL

– Create a JKS (Java) key pair.– Have certificate signed by a known CA

(Verisign, Thawte, etc.).– Private key resides on Meteor server.– Public key is placed in the Meteor Registry.– Configure App Server to use SSL Communication

Only.

Note: You generally cannot use an existing IIS or Apache SSL certificate. They’re not stored in the same format.

30

Step 2 - Configure

• Why Use a Key Pair?– Each key can “unlock” data that was

“locked” by the other key but cannot unlock info it locked itself.

– If a document is modified in transit, “unlocking” it will fail.

– Assures a valid meteor participant is requesting the data.

31

Step 2 - Configure

• Why Use a Key Pair?– Assures that a request hasn’t been

modified by some third-party.– Standard SSL encrypts the request and

response.– Third-party signature (Verisign, Thawte,

etc.) verifies that each organization is valid/reputable.

32

Step 3 – Customize• End-User Authentication

– Meteor does not ship with its own authentication system.

– Must choose one of two methods:1. Implement Java code “IUserAuthentication” to

“talk to” your existing authentication system.2. Implement code in your existing system to create

a “SAML Assertion” that can be passed to Meteor to verify that the user has been logged-in. (Recommended)

33

Step 3 – Customize

• End-User Authentication– Meteor team can provide sample

Java code for method #2.

– Method #2 can theoretically be performed in any language. Some proofs of concept exist.

34

Step 3 – Customize• What is a SAML Assertion?

– SAML = “Security Authentication Markup Language.”

– SAML assertions are XML documents.– A SAML Assertion says:

• I logged this user in.• I’m “Level N” sure of the person’s identity (N=1 to

3).• This user has a certain access role (FAO, Borrower,

etc.).

35

Step 3 – Customize• What is a SAML Assertion?

– SAML assertions digitally signed with an entity’s private key.

– SAML assertions can be used for single sign-on applications.

36

Step 3 – Customize• Authentication Using SAML (Recommended)

– Organization’s existing enterprise sign-on system is modified to create a SAML Assertion after authenticating the user.

– User clicks form submit button and assertion is passed to Meteor via HTTP Post.

– Meteor validates SAML Assertion against the public key in the Meteor Registry and grants or denies access as appropriate.Note: Java classes and sample code exist to create the SAML Assertion.

37

Step 3 – Customize

• Data Provider Customization– How do I link Meteor to my data?

• Implement DataServerAbstraction Interface

• Retrieving Data• Creating the Response

– Where can I find help?

38

Step 3 – Customize

• Implementing DataServerAbstraction Interface– public MeteorDataResponse

getData(MeteorContext context, String ssn)

– Security Token• Contained within the MeteorContext• Requestor Role (Borrower, FAO, CSR)• Opaque User Id

39

Step 3 – Customize• Retrieving Data

– Use existing Meteor sample code• Predefined database schema• Data must be loaded into database

– Direct access to production data• SQL embedded• Real time access to data

– Transaction Calls• RPC, MQ, SOAP, CICS Gateway

40

Step 3 – Customize

• Creating the Response– MeteorDataResponse Object– Mapping Data

• Data is mapped to container classes.• Start early in the process.• Seek help from business experts.

– Meteor software handles formatting the response.

41

Step 3 – Customize• Help Resources

– Meteor Tech Team List Server– Sample Code– http://www.meteorcentral.com

• Source Code• Production Releases

– http://www.nchelp.org/meteor.htm• Documentation• Meteor Setup Guide

42

We appreciate your feedback and comments. We can be reached at:

Tim Cameron: Meteor Project Manager

meteor@nchelp.org

Justin Greenough: Member, Meteor Technical Team

jgreenough@riheaa.org

Contact Information