Identity Provider
This type of resource describes the interaction with third-party IdP.
An identity provider (IdP) is a system entity that creates, maintains, and manages identity information for principals and also provides authentication services to relying applications within a federation or distributed network. IdP offer user authentication as a service.
These resources are used by the following DIRAC instances:
Framework/TokenManager service
Framework/Auth endpoint
web portal
Note
With the start of IdP use, the bulk of user management relies on VO managers through the selected IdP.
Note
Since not all DIRAC services support token authorization, users still need to keep a fresh proxy in ProxyManager.
The following IdP are presented here: OAuth2
, CheckIn
, IAM
.
OAuth2 identity provider
This is the base class for describing IdP that use OAuth2/OIDC, for example CheckIn
and IAM
. It is based on the authlib
library.
What is required to register OAuth2 IdP?
first of all it is necessary to register there a confidential client, the registration process may be different for different IdPs, but in most cases it is sufficient to use the user interface on the IdP site. After successful registration you will receive client credentinals:
client_id
andclient_secret
. They need to be added to the local configuration of the serverdirac.cfg
.give token exchange (https://tools.ietf.org/html/rfc8693) permission for this client. This is necessary so that DIRAC can receive new tokens to run asynchronous user tasks without his participation.
give refresh token permission for this client. This is necessary so that DIRAC can receive new access tokens without user participation.
CheckIn identity provider
EGI Check-in is a proxy service that operates as a central hub to connect federated Identity Providers (IdPs) with EGI service providers.
EGI_Checkin
{
# What supported type of provider does it belong to
ProviderType = CheckIn
# Description of the client parameters registered on the identity provider side.
# Look here for information about client parameters description https://tools.ietf.org/html/rfc8414#section-2
issuer = https://issuer
client_id = type_client_id_here_receved_after_client_registration
client_secret = type_client_secret_here_receved_after_client_registration
# Scopes that will be used by default
scope = openid, profile, offline_access, eduperson_entitlement, cert_entitlement
}
IAM identity provider
WLCG IAM is an INDIGO identity and access management service.
WLCG_IAM
{
ProviderType = IAM
issuer = https://issuer
client_id = type_client_id_here_receved_after_client_registration
client_secret = type_client_secret_here_receved_after_client_registration
scope = openid, profile, offline_access, eduperson_entitlement, cert_entitlement
}