Identity Provider

This type of resource describes the interaction with third-party IdPs.

An identity provider (IdP) is a system entity that creates, maintains, and manages identity information for principals and also provides authentication services to relying applications within a federation or distributed network. IdPs offer user authentication as a service.

These resources are used by the following DIRAC instances:

  • Framework/TokenManager service

  • Framework/Auth endpoint

  • the web portal

Note

Once an IdP is in use, most user management is done by the VO managers through the selected IdP.

Note

Since not all DIRAC services support token authorization, users still need to keep a fresh proxy in ProxyManager.

The following IdPs are presented here: OAuth2, CheckIn, IAM.

OAuth2 identity provider

This is the base class for describing IdPs that use OAuth2/OIDC, for example CheckIn and IAM. It is based on the authlib library.

What is required to register an OAuth2 IdP?

  • First, register a confidential client with the IdP. The registration process differs between IdPs, but in most cases the user interface on the IdP site is sufficient. After successful registration you receive the client credentials client_id and client_secret; add them to the server's local configuration, dirac.cfg.

  • Give this client token exchange (https://tools.ietf.org/html/rfc8693) permission. DIRAC needs it to obtain new tokens for running asynchronous user tasks without the user's participation.

  • Give this client refresh token permission. DIRAC needs it to obtain new access tokens without user participation.
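The two permissions above correspond to two grant types at the IdP token endpoint. The following added example (not DIRAC's code, and not authlib's) shows the form bodies a confidential client sends for an RFC 8693 token exchange and for a refresh, together with a small simulated token endpoint that only honours a grant for a client that was given that permission at registration. The client authentication method (HTTP Basic with client_id:client_secret, RFC 6749 section 2.3.1), the client credentials and all token values are constructed placeholders, not values from the page.

```python
import base64
import secrets
from urllib.parse import urlencode, parse_qs

# Added example (not DIRAC's code). The URNs are the standard RFC 8693 ones;
# client credentials and tokens below are constructed placeholders that stand
# in for the client_id/client_secret kept in dirac.cfg.
TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"
CLIENT_ID = "example-dirac-client"
CLIENT_SECRET = "example-secret-not-real"


def basic_auth_header(client_id, client_secret):
    """Confidential-client authentication as HTTP Basic (RFC 6749 section 2.3.1)."""
    raw = f"{client_id}:{client_secret}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def token_exchange_request(subject_token, scopes):
    """RFC 8693 form body: present the user's access token and ask for a token
    set the service can keep using after the user has gone away."""
    return urlencode({
        "grant_type": TOKEN_EXCHANGE_GRANT,
        "subject_token": subject_token,
        "subject_token_type": ACCESS_TOKEN_TYPE,
        "requested_token_type": ACCESS_TOKEN_TYPE,
        "scope": " ".join(scopes),
    })


def refresh_request(refresh_token, scopes):
    """RFC 6749 section 6 form body: trade a refresh token for a new access token."""
    return urlencode({"grant_type": "refresh_token",
                      "refresh_token": refresh_token, "scope": " ".join(scopes)})


class SimulatedTokenEndpoint:
    """Stand-in for the IdP token endpoint. Only the two grants discussed on the
    page are modelled, and each is honoured only for a client that was allowed
    to use it at registration."""

    def __init__(self, clients):
        self.clients = clients              # {client_id: {"secret": str, "grants": set}}
        self.user_tokens, self.refresh_tokens = set(), set()

    def issue_user_token(self):
        """The access token a user's own interactive login would produce."""
        tok = secrets.token_urlsafe(16)
        self.user_tokens.add(tok)
        return tok

    def _authenticate(self, authorization):
        if not authorization or not authorization.startswith("Basic "):
            return None
        try:
            cid, secret = base64.b64decode(authorization[6:]).decode().split(":", 1)
        except (ValueError, UnicodeDecodeError):
            return None
        client = self.clients.get(cid)
        if client is None or not secrets.compare_digest(client["secret"], secret):
            return None
        return client

    def handle(self, authorization, body):
        client = self._authenticate(authorization)
        if client is None:
            return {"error": "invalid_client"}
        form = {k: v[0] for k, v in parse_qs(body).items()}
        grant = form.get("grant_type")
        if grant not in client["grants"]:   # permission not given at registration
            return {"error": "unauthorized_client"}
        if grant == TOKEN_EXCHANGE_GRANT:
            if form.get("subject_token") not in self.user_tokens:
                return {"error": "invalid_grant"}
            rt = secrets.token_urlsafe(16)
            self.refresh_tokens.add(rt)
            # RFC 8693 section 2.2.1: a refresh token may accompany the issued
            # token when the client needs access while the user is not present.
            return {"access_token": secrets.token_urlsafe(16), "token_type": "Bearer",
                    "issued_token_type": ACCESS_TOKEN_TYPE, "expires_in": 3600,
                    "refresh_token": rt}
        # Remaining modelled grant: refresh_token
        if form.get("refresh_token") not in self.refresh_tokens:
            return {"error": "invalid_grant"}
        return {"access_token": secrets.token_urlsafe(16),
                "token_type": "Bearer", "expires_in": 3600}


def run_flow():
    """Exchange, then refresh, for an allowed client; then show a client
    registered without either permission being refused."""
    idp = SimulatedTokenEndpoint({
        CLIENT_ID: {"secret": CLIENT_SECRET,
                    "grants": {TOKEN_EXCHANGE_GRANT, "refresh_token"}},
        "limited-client": {"secret": "other-secret", "grants": set()},
    })
    scopes = ["openid", "offline_access"]
    auth = basic_auth_header(CLIENT_ID, CLIENT_SECRET)
    exchanged = idp.handle(auth, token_exchange_request(idp.issue_user_token(), scopes))
    refreshed = idp.handle(auth, refresh_request(exchanged["refresh_token"], scopes))
    denied = idp.handle(basic_auth_header("limited-client", "other-secret"),
                        refresh_request(exchanged["refresh_token"], scopes))
    return exchanged, refreshed, denied
```

Calling run_flow() returns the three token endpoint responses: the exchange response carries issued_token_type and a refresh_token, the refresh response a fresh Bearer access token, and the client without permissions receives an unauthorized_client error even though its credentials are valid. This is the behaviour the two permission steps buy: a client's secret alone does not let it use grants it was not registered for.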

CheckIn identity provider

EGI Check-in is a proxy service that operates as a central hub to connect federated Identity Providers (IdPs) with EGI service providers.

/Resources/IdProviders section
  EGI_Checkin
  {
    # Which supported provider type this entry belongs to
    ProviderType = CheckIn
    # Parameters of the client registered on the identity provider side.
    # See https://tools.ietf.org/html/rfc8414#section-2 for a description of these parameters
    issuer = https://issuer
    client_id = type_client_id_here_received_after_client_registration
    client_secret = type_client_secret_here_received_after_client_registration
    # Scopes that will be requested by default
    scope = openid, profile, offline_access, eduperson_entitlement, cert_entitlement
  }

IAM identity provider

WLCG IAM is an INDIGO identity and access management service.

/Resources/IdProviders section
  WLCG_IAM
  {
    ProviderType = IAM
    issuer = https://issuer
    client_id = type_client_id_here_received_after_client_registration
    client_secret = type_client_secret_here_received_after_client_registration
    scope = openid, profile, offline_access, eduperson_entitlement, cert_entitlement
  }
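Both the CheckIn and the IAM sections above are templates whose client_id and client_secret must be replaced before use, and whose scope list is what makes refresh tokens possible. The following added example (not DIRAC's code, and not its configuration loader) is a lint pass over a fragment written in the brace-and-"key = value" syntax shown on this page. It flags template placeholders left in place, a non-https issuer, an unknown ProviderType, and a scope list without openid or offline_access. The parser is a minimal reading of the syntax as displayed here; the sample fragment is constructed, with a CheckIn block copied from the template and an IAM block deliberately weakened.

```python
# Added example (not DIRAC's code): lint an /Resources/IdProviders fragment.
# The parser understands only the layout shown on the page: a bare name,
# a line with '{', 'key = value' lines, '#' comments and a closing '}'.

KNOWN_PROVIDER_TYPES = {"OAuth2", "CheckIn", "IAM"}   # the types named on the page
REQUIRED_KEYS = ("ProviderType", "issuer", "client_id", "client_secret", "scope")
PLACEHOLDER_PREFIX = "type_client_"                    # template text from the page

# Constructed sample: the CheckIn block is the documentation template as-is,
# the IAM block has a plain-http issuer and no offline_access scope.
SAMPLE_CFG = """
EGI_Checkin
{
  # Placeholders left exactly as in the documentation template
  ProviderType = CheckIn
  issuer = https://issuer
  client_id = type_client_id_here_received_after_client_registration
  client_secret = type_client_secret_here_received_after_client_registration
  scope = openid, profile, offline_access, eduperson_entitlement, cert_entitlement
}
Weak_IAM
{
  ProviderType = IAM
  issuer = http://iam.example.org
  client_id = constructed-client-id
  client_secret = constructed-client-secret
  scope = openid, profile
}
"""


def parse_sections(text):
    """Parse 'Name { key = value ... }' blocks into {name: {key: value}}."""
    sections, current, name = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "{":
            current = sections.setdefault(name, {})
        elif line == "}":
            current, name = None, None
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")    # split on the first '=' only
            current[key.strip()] = value.strip()
        else:
            name = line                            # a bare identifier names the next block
    return sections


def split_scope(value):
    """The cfg lists scopes comma-separated (the wire format is space-separated)."""
    return [s.strip() for s in value.split(",") if s.strip()]


def check_idprovider(name, opts):
    """Return human-readable findings for one IdProviders entry."""
    findings = []
    for key in REQUIRED_KEYS:
        if key not in opts:
            findings.append(f"{name}: missing required option '{key}'")
    ptype = opts.get("ProviderType")
    if ptype is not None and ptype not in KNOWN_PROVIDER_TYPES:
        findings.append(f"{name}: unknown ProviderType '{ptype}'")
    issuer = opts.get("issuer", "")
    if issuer and not issuer.startswith("https://"):
        findings.append(f"{name}: issuer must be an https:// URL (OIDC discovery requires it)")
    for key in ("client_id", "client_secret"):
        value = opts.get(key, "")
        if key in opts and (value == "" or value.startswith(PLACEHOLDER_PREFIX)):
            findings.append(f"{name}: {key} still holds the template placeholder or is empty")
    scopes = split_scope(opts.get("scope", ""))
    if "openid" not in scopes:
        findings.append(f"{name}: scope lacks 'openid', so no OIDC identity will be returned")
    if "offline_access" not in scopes:
        findings.append(f"{name}: scope lacks 'offline_access', so the IdP will not issue refresh tokens")
    return findings


def lint_idproviders(text):
    """Map each section name to its list of findings (empty list means clean)."""
    return {name: check_idprovider(name, opts)
            for name, opts in parse_sections(text).items()}


if __name__ == "__main__":
    for section, findings in lint_idproviders(SAMPLE_CFG).items():
        print(section, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

Run against SAMPLE_CFG, the CheckIn block yields exactly two findings (both placeholders), and the IAM block two (http issuer, missing offline_access); a block with real credentials, an https issuer and the full scope list from the page yields none. The offline_access check matters because the refresh token permission granted at the IdP is useless if the client never asks for that scope.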