Loading...

Change Owns to Parent Ofs

Set start and due date...

Xporter

XML

Word

Printable

Details

Type: Feature
Priority: Must have
Fix Version/s: PI23
Component/s: None
Labels:

ARTs:

SRCnet
Benefit hypothesis:

Hide

BH: SRC Sites need to support user login from multiple SRCNet nodes and/or local AAI systems. To this aim, CANFAR will be extended to support the use of more than one identity provider.

BH: SRC Canada and other nodes with existing user bases will be able to reuse their existing data and compute resources to participate in SRCNet 0.1

Show
BH: SRC Sites need to support user login from multiple SRCNet nodes and/or local AAI systems. To this aim, CANFAR will be extended to support the use of more than one identity provider. BH: SRC Canada and other nodes with existing user bases will be able to reuse their existing data and compute resources to participate in SRCNet 0.1
Acceptance criteria:

Hide

AC: A user coming to a v0.1 SRCNet Science Platform installation can launch a session with SRCNet IAM credentials.

AC: A user coming to the Canadian CANFAR Science Platform installation can launch a session with SRCNet IAM credentials.

AC: Demonstration that users can login to the CADC CANFAR instance using both (1) national CADC account details or (2) SKA IAM account details

Show
AC: A user coming to a v0.1 SRCNet Science Platform installation can launch a session with SRCNet IAM credentials. AC: A user coming to the Canadian CANFAR Science Platform installation can launch a session with SRCNet IAM credentials. AC: Demonstration that users can login to the CADC CANFAR instance using both (1) national CADC account details or (2) SKA IAM account details
Feature Points:
4
Initial Size:
4
WSJF:
0
Agile Teams:

Team_RED
Due Sprint:
Sprint 5
Story Point Burn-up:
Overdue:

Requirement Status:

PI23 - UNCOVERED
Labels_MIRO:
SRC23-PB SRCNet0.1 science-platform-services

Description

Science Platform adaptations required for multiple IdP support:

modify cadc-util library to define a suitable immutable principal (issuer+subject) type; deprecate NumericPrincipal
Use immutable principal in scenarios where caller identity is stored (uws)
For token validation, have the Standard Identity Manager supports multiple issuers. (or, alternatively, configure a cooperating set of IdP proxies that work together to validate tokens.)
modify posix-mapper service need to handle multiple IdPs and multiple GMS services: use immutable principal instead of HttpPrincipal(username), handle group URI collisions (same name, different authority) in a sane way... but the result is constrained by posix and visible to users in the platform.
Token exchange for GMS calls: IAM to return or provide a scoped token for making the auth calls to GMS.
cavern integration - cavern relies on the posix-mapper API to map subject<->uid/gid pair and uses PosixPrincipal to persist identity in the filesystem (so not effected directly, just reconfig and rebuild); will include uws updated identity handling
skaha integration - skaha relies on the posix-mapper API to generate uidmap and gidmap for science containers (so not effected directly, just reconfig and rebuild)
Create OIDC IdP selector on portal login.

possible additional work – maybe separate features:

consider logging immutable identity? and/or consider GDPR -compliant logging?

Attachments

Structure

Activity

People

Assignee:: Perry, Robert

Reporter:: sharon goliath

Votes:: 0 Vote for this issue

Watchers:: 0 Start watching this issue

Feature Progress

Story Point Burn-up: (0%)

Feature Estimate: 4.0

	Issues	Story Points
To Do	2	0.0
In Progress	1	10.0
Complete	0	0.0
Total	3	10.0

Dates

Created:: 08/May/24 4:58 PM

Updated:: 6 days ago 7:39 PM

Due Sprint Date:: 20/Aug/24

Enable server-side support for multiple IdPs in the CANFAR Science Platform