Details: Feature; Must have; None; SRCnet; 4; 4; 0; Team_RED; Sprint 5
SRC23-PB SRCNet0.1 science-platform-services
Description
Science Platform adaptations required for multiple IdP support:
- modify the cadc-util library to define a suitable immutable principal type keyed on (issuer, subject); deprecate NumericPrincipal
- use the immutable principal wherever caller identity is persisted (uws)
- for token validation, have the Standard Identity Manager support multiple issuers (or, alternatively, configure a cooperating set of IdP proxies that work together to validate tokens)
- modify the posix-mapper service to handle multiple IdPs and multiple GMS services: use the immutable principal instead of HttpPrincipal(username), and handle group URI collisions (same group name, different authority) in a sane way, i.e. without merging distinct groups; the result is constrained by POSIX naming limits and is visible to users in the platform
- token exchange for GMS calls: IAM to return or provide a scoped token for making the authenticated calls to GMS
- cavern integration: cavern relies on the posix-mapper API to map subject <-> uid/gid pair and uses PosixPrincipal to persist identity in the filesystem (so it is not affected directly, just reconfigure and rebuild); will include the updated uws identity handling
- skaha integration: skaha relies on the posix-mapper API to generate the uidmap and gidmap for science containers (so not affected directly, just reconfigure and rebuild)
- create an OIDC IdP selector on the portal login page
Possible additional work (maybe separate features):
- consider logging the immutable identity, and/or GDPR-compliant logging
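As an added illustration of the first, third and fourth items above (this is example code written for this page, not cadc-util or posix-mapper code, and none of its names exist in those projects): an immutable (issuer, subject) principal, a multi-issuer acceptance check applied to already signature-verified claims, and a posix-mapper-style group name derivation that qualifies the group name with the GMS authority so that same-name groups from different authorities do not collide. The group URI shape `ivo://<authority>/gms?<name>`, the trusted-issuer set, the `|` separator in `getName()` and the 32-character POSIX group name cap are assumptions made for the example; the sample claims and URIs are constructed.

```java
import java.net.URI;
import java.security.Principal;
import java.util.Map;
import java.util.Objects;
import java.util.Set;

/**
 * Illustrative immutable principal (not the cadc-util type): the stable identity of a
 * caller is the pair (issuer, subject). Two tokens with the same "sub" but different
 * "iss" come from different IdPs and must never compare equal.
 */
public final class ImmutablePrincipal implements Principal {
    private final String issuer;
    private final String subject;

    public ImmutablePrincipal(String issuer, String subject) {
        this.issuer = Objects.requireNonNull(issuer, "issuer");
        this.subject = Objects.requireNonNull(subject, "subject");
    }

    public String getIssuer() { return issuer; }
    public String getSubject() { return subject; }

    /** Serialized form for persistence (e.g. a uws job owner). Assumes neither part contains '|'. */
    @Override public String getName() { return issuer + "|" + subject; }

    @Override public boolean equals(Object o) {
        if (this == o) return true;
        if (!(o instanceof ImmutablePrincipal)) return false;
        ImmutablePrincipal p = (ImmutablePrincipal) o;
        return issuer.equals(p.issuer) && subject.equals(p.subject);
    }

    @Override public int hashCode() { return Objects.hash(issuer, subject); }
    @Override public String toString() { return getName(); }

    /**
     * Multi-issuer acceptance step. Signature, audience and expiry checks are assumed to
     * have been done already by the identity manager or an IdP proxy; this only decides
     * whether the verified issuer is one the platform trusts and builds the principal.
     */
    public static ImmutablePrincipal fromVerifiedClaims(Map<String, String> claims, Set<String> trustedIssuers) {
        String iss = claims.get("iss");
        String sub = claims.get("sub");
        if (iss == null || sub == null) {
            throw new IllegalArgumentException("token is missing iss or sub");
        }
        if (!trustedIssuers.contains(iss)) {
            throw new SecurityException("untrusted issuer: " + iss);
        }
        return new ImmutablePrincipal(iss, sub);
    }

    /**
     * Hypothetical posix-mapper naming rule: qualify the group name with the GMS authority so
     * that ivo://a.example/gms?proj and ivo://b.example/gms?proj map to different POSIX groups.
     * Only POSIX-safe characters are kept; the result is what users will see on the platform.
     */
    public static String posixGroupName(URI groupUri) {
        String authority = groupUri.getAuthority();
        String group = groupUri.getQuery();
        if (authority == null || group == null || group.isEmpty()) {
            throw new IllegalArgumentException("not a GMS group URI: " + groupUri);
        }
        String qualified = (authority + "_" + group).toLowerCase();
        String safe = qualified.replaceAll("[^a-z0-9_-]", "-");
        // Assumed 32-char cap on group names. Truncation alone could reintroduce a
        // collision, so a hash of the full qualified name is appended when truncating.
        if (safe.length() > 32) {
            String h = Integer.toHexString(qualified.hashCode());
            safe = safe.substring(0, 32 - h.length() - 1) + "_" + h;
        }
        return safe;
    }

    public static void main(String[] args) {
        // Constructed sample: two IdPs that happen to assign the same subject value.
        Set<String> trusted = Set.of("https://idp-a.example/auth", "https://idp-b.example/auth");
        ImmutablePrincipal a = fromVerifiedClaims(Map.of("iss", "https://idp-a.example/auth", "sub", "12345"), trusted);
        ImmutablePrincipal b = fromVerifiedClaims(Map.of("iss", "https://idp-b.example/auth", "sub", "12345"), trusted);
        System.out.println(a + " equals " + b + "? " + a.equals(b));

        try {
            fromVerifiedClaims(Map.of("iss", "https://rogue.example/auth", "sub", "12345"), trusted);
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }

        // Constructed sample: same group name under two GMS authorities.
        URI g1 = URI.create("ivo://cadc.nrc.ca/gms?proj-x");
        URI g2 = URI.create("ivo://srcnet.example/gms?proj-x");
        System.out.println(posixGroupName(g1) + " / " + posixGroupName(g2));
    }
}
```

The check that matters for the multi-IdP rollout is the one in `equals`: anything keyed on `NumericPrincipal` or `HttpPrincipal(username)` today silently merges two users from different issuers, whereas the pair compares unequal. The group derivation makes the collision visible rather than hiding it, which is the trade-off the description notes: the qualified name is longer and less pretty, but it is unique.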