Getting Started
Welcome to the PRISMS Application Programming Interface Management (APIM) Portal, the gateway for using the PRISMS APIs. This guide is intended to help you get started quickly and easily.
Steps to Getting Started:
1. Express your interest to access the PRISMS API Staging or Production Environment by sending an email to prismsapi@education.gov.au.
2. To participate in the PRISMS API Staging or Production Environment you will first need to fill out the PRISMS High Level Cyber Security Questionnaire [DOCX 260KB] and return it to prismsapi@education.gov.au.
3. We will send you a ‘Sign-up pack’:
• Complete and return the relevant ‘Access Request Form’ to provide your details to the Department of Education.
• You must attach your RAM certificate. Generate the certificate via Relationship Authorisation Manager (RAM).
• Our guide may assist: PRISMS Get Started User Guide for Relationship Authorisation Manager [DOCX 1060KB].
4. Once provisioned, you will receive a ‘Welcome pack’ which includes:
• How to access our API documentation in the APIM Portal, which contains technical content for developers.
• An explanation of how the APIs work, their methods and properties.
• Access to our APIs in the PRISMS API Staging or Production environment.
Background
The PRISMS APIs are fully operational for Staging and Production:
• Staging will be used by Vendors of Admissions Management Systems (AMS) or Student Management Systems (SMS), and by Providers with their own systems, to develop and test the API integration against the PRISMS Staging database.
• Production will be utilised for production implementation of Vendors for their Providers, or Providers with their own software, to the PRISMS Production database.
The PRISMS APIs currently available:
• Create and approve a Confirmation of Enrolment (CoE)
• Cancel a CoE as the student has left the Provider
• Cancel a CoE due to Non-commencement of studies
• Cancel a CoE due to student Cessation of Studies
• Cancel an Approved CoE due to Admin error
• Additional SCVs will be developed as funding and time allows
API Credentials are in the form of a ClientID based on:
• The environment Staging or Production.
• Provider CRICOS Code. In Staging the Vendor will be allocated 2 dummy Provider CRICOS Codes, one for a Public Provider and the other for a Private Provider.
• RAM certificate for authentication (see below for more details).
• Redirect URL used in the Attended authorisation (see below for more details).
• PRISMS User IDs for the Attended flow: dummy users for Staging, and Production PRISMS users for Production.
• The ClientID will be used for all API calls both in Attended and Unattended flows together with the Subscription Key that will be created for each organisation in the PRISMS APIM portal. See Developer Guide for Staging and Developer Guide for Production for details.
RAM Certificate
• The recommended method for certificate signing for use by the Australian Government is the Australian Taxation Office (ATO) Relationship Authorisation Manager (RAM) Certification (RAM Certificate). This is a free service to the organisation.
• Vendors will create the RAM certificate in the Vendor's name to create a ClientID to be used in the Staging environment to develop and test the API integration.
• The Vendor will create the RAM certificate on behalf of a Provider when the Provider uses the Vendor's software in Production. This is required because the Vendor needs the private key portion of the certificate to perform any transactions using the public certificate. A separate RAM certificate is created by the Vendor for each Provider so that the compromise of one certificate does not affect other Providers.
• Providers running their own software, or Vendor software in the Provider's IT environment, will create the RAM certificate in the name of the Provider’s organisation to be consumed by their systems for both Staging and Production.
RAM Certificate Expiry
• The RAM credentials are valid for 2 years.
• The machine credential custodian is notified at their current business email listed in RAM at 60 days, 30 days and 7 days before expiry.
• Vendors and Providers are to provide the updated RAM credentials (the x509 public certificate) to DE so that the Client API credentials can be updated.
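As an added example (not part of the PRISMS documentation or portal): because a Vendor holds a separate RAM certificate for each Provider, and the expiry reminders go only to the custodian's email listed in RAM, it can help to track expiry dates independently. The Python code below takes the notAfter line printed by `openssl x509 -noout -enddate` for each certificate and reports which ones have reached the 60, 30 or 7 day points; the inventory labels and dates are constructed for illustration.

```python
import ssl
from datetime import datetime, timedelta, timezone

# Days before expiry at which the page says RAM emails the credential custodian.
NOTICE_DAYS = (60, 30, 7)


def parse_not_after(line):
    """Parse `openssl x509 -noout -enddate` output, e.g. 'notAfter=Jun  5 00:00:00 2026 GMT'."""
    value = line.strip().split("=", 1)[-1]
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(value), tz=timezone.utc)


def expiry_status(not_after, now):
    """Return (whole days left, stage); stage is the tightest notice window reached."""
    remaining = not_after - now
    if remaining <= timedelta(0):
        return remaining.days, "expired"
    stage = "ok"
    for days in sorted(NOTICE_DAYS, reverse=True):
        if remaining <= timedelta(days=days):
            stage = f"within-{days}-days"
    return remaining.days, stage


def certificates_needing_action(inventory, now):
    """List (label, days_left, stage) for every certificate not 'ok', most urgent first."""
    rows = []
    for label, line in inventory.items():
        days_left, stage = expiry_status(parse_not_after(line), now)
        if stage != "ok":
            rows.append((label, days_left, stage))
    return sorted(rows, key=lambda row: row[1])


# Constructed inventory: one entry per certificate; labels and dates are made up.
SAMPLE_INVENTORY = {
    "vendor-staging": "notAfter=Mar 10 00:00:00 2027 GMT",
    "provider-A-prod": "notAfter=Jul 20 00:00:00 2026 GMT",
    "provider-B-prod": "notAfter=Jun  5 00:00:00 2026 GMT",
    "provider-C-prod": "notAfter=May 20 00:00:00 2026 GMT",
}

if __name__ == "__main__":
    now = datetime(2026, 6, 1, tzinfo=timezone.utc)  # fixed date so the output is stable
    for label, days_left, stage in certificates_needing_action(SAMPLE_INVENTORY, now):
        print(f"{label:16} {days_left:4d} days  {stage}")
```

Any certificate reported here needs a replacement generated in RAM and its updated x509 public certificate sent to DE before the old one expires.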
Subscription key
• The Subscription Key will be created by the Vendor or Provider in the APIM Portal based on their developer account.
• The Vendor will create a Subscription Key for their own development and testing in Staging.
• The Vendor will create the Subscription Key on behalf of a Provider when using the Vendor's APIM Portal access in Production, e.g. Vendor ABC creating API credentials for University XYZ may create a developer login ABCXYZ@ABC.com and use this to create the Subscription Key ABCXYZ.
• The Subscription Key is required in the header of every API call.
Attended Flow
• This mimics PRISMS UI operations that require users to authorise, and captures the User ID against the relevant transactions, e.g. CoE create.
• This workflow verifies the credentials of a user calling the PRISMS API by presenting a PRISMS Login Screen where they enter their PRISMS Login ID, password and MFA to authenticate and capture their details for the transaction.
• Once the user login is authorised, control is passed back to the Redirect URL with the Access token in the payload for the application to continue with the API call.
Redirect URL
• The Redirect URL is used in Attended flows to return control to the application making the call, providing the Access token created by the Attended flow.
• The application can then continue the API call using this Access token, which is valid for 1 hour.
• The token can be refreshed to keep it alive for a maximum of 24 hours.
• Typically 1 Redirect URL is required for each ClientID, but if you have multiple environments (e.g. development, test, preproduction) using the one ClientID to PRISMS Staging, multiple Redirect URLs can be created.
Access Request Form to be provided in the Sign-up pack, depending on the configuration required
Vendors Onboarding in Staging for their development and testing
• The Vendor, to use the PRISMS API, will return the completed form with the Vendor x509 Certificate (public certificate) of the RAM Certificate to develop and test in the Staging environment.
• This will be used in creating the Vendor ClientID, together with the dummy Provider CRICOS code allocated to the Vendor.
• This ClientID, when used to call the API, will utilise the Staging PRISMS Database.
• This will also be used for Providers with their own software to develop and test the APIs in the Staging environment.
Providers Onboarding by their Vendor in the Production Environment
• Vendors will return the PRISMS API Vendor Provider Access Request for Production Form, with the x509 Certificate created by the Vendor, to request access to the PRISMS APIs for their Providers in the Production environment.
• Providers will be set up with the Provider’s CRICOS code as per Production.
• This ClientID, when used to call the API, will utilise the Production PRISMS Database.
Providers with Own IT Infrastructure Onboarding in the Production Environment
• This applies where Providers use their own software or use Vendor software on the Provider's own IT infrastructure.
• Providers will return the PRISMS API Provider Access Request for Production Form, with the x509 Certificate created by the Provider, to request access to the PRISMS APIs in the Production environment.
• Providers will be set up with the Provider’s CRICOS code as per Production.
• This ClientID, when used to call the API, will utilise the Production PRISMS Database.
To help us improve our portal, please provide your feedback at prismsapi@education.gov.au.