...
The HSPC ID (Identity) system (hereafter: "System") allows HSPC members to create and use an HSPC-managed identity across both HSPC-managed services and partner-managed services configured to accept HSPC logins.
...
HSPC IDs SHALL be free and open for individuals to self-register, regardless of current or intended membership status. Manual approval of IDs by HSPC management SHALL NOT be required; however, email addresses MUST be verified prior to ID activation, as MUST acceptance of the HSPC Terms of Service agreement. A CAPTCHA SHOULD be used as well. Usernames MUST be unique within the HSPC ID namespace. An active HSPC ID is required for:
- Membership self-management on the website.
- Access to digital downloads requiring RBAC.
- Logging into the freely available public FHIR Sandbox system.
- Marketing email list opt-in/opt-out management.
- Access to JIRA, Confluence and Atlassian tools.
- Usage of members-only tools and services such as the HSP Marketplace, Terminology Server and
...
- others.
- Restricted access to the HSPC Amazon Web Services (AWS) account.
All HSPC members and staff MUST have an HSPC ID to use any service requiring authentication. To allow for the possibility of usernames being used for email purposes in the future, a blacklist of externally-used names SHOULD be maintained (e.g. "platform@hspconsortium.org", "roadmap@hspconsortium.org", etc.).
Functional Requirements
- SHOULD allow for two-factor authentication in the future.
Non-Functional Requirements
- MUST be a "buy/license" product, as opposed to "build".
- SHOULD be available under a F/OSS license.
Technology
In terms of software and infrastructure, HSPC ID is an instance of Gluu Server Open Source.
Implications
The System is an OpenID Connect Identity Provider. Long-term, this implies that future SaaS and on-premise services implemented by HSPC SHOULD strongly favor solutions capable of operating as an OpenID Connect resource server and/or client (preferred) or SAML relying party (also supported by this solution).
To avoid confusion and use correct semantics, the HSPC IDP "issuer" identifier and URI/URL SHALL be https://id.hspconsortium.org. URIs used for native application purposes (such as iOS, Android, etc.) SHALL use the namespace prefix "hspc://" where applicable. These values cannot be trivially changed, and SHOULD be treated as permanent, immutable decisions. OAuth "subject" identifiers similarly need to be treated as immutable.
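What the issuer and subject rules above mean on the relying-party side, shown as an added example (not HSPC or Gluu code): the issuer is compared as an exact string, local accounts are keyed by (iss, sub) rather than by email or username, and native-app redirect URIs are checked for the hspc:// prefix. The claim sets are constructed samples, and ID-token signature verification is assumed to have happened upstream.

```python
"""Relying-party checks for the HSPC issuer and subject rules (added example).
Constructed claim sets stand in for real ID tokens; signature verification is
assumed to have been done before these claims are trusted."""
from typing import Dict, Tuple

# Fixed by policy and compared byte-for-byte: OpenID Connect Core requires the
# iss claim to exactly match the provider's Issuer Identifier, so scheme, host
# and the absence of a trailing path all matter (no prefix or substring match).
HSPC_ISSUER = "https://id.hspconsortium.org"
NATIVE_SCHEME = "hspc://"  # namespace prefix for iOS/Android redirect URIs


def issuer_is_hspc(claims: Dict[str, str]) -> bool:
    """Exact string match only; lookalike hosts and plain-http variants fail."""
    return claims.get("iss") == HSPC_ISSUER


def account_key(claims: Dict[str, str]) -> Tuple[str, str]:
    """Stable key for a local account: (iss, sub). Never the email or
    username, both of which can change while the subject stays the same."""
    if not issuer_is_hspc(claims):
        raise ValueError("token not issued by the HSPC IDP")
    sub = claims.get("sub")
    if not sub:
        raise ValueError("token lacks a subject identifier")
    return (claims["iss"], sub)


def native_redirect_ok(redirect_uri: str) -> bool:
    """Native-app redirect URIs must live in the hspc:// namespace."""
    return redirect_uri.startswith(NATIVE_SCHEME) and len(redirect_uri) > len(NATIVE_SCHEME)


def link_account(accounts: Dict[Tuple[str, str], dict], claims: Dict[str, str]) -> dict:
    """Find or create the local account for a token. Profile fields such as
    email are refreshed on every login; the (iss, sub) key identifies the person."""
    key = account_key(claims)
    acct = accounts.setdefault(key, {"sub": key[1]})
    acct["email"] = claims.get("email", acct.get("email"))
    return acct


if __name__ == "__main__":
    # Constructed sample claims: same subject, email changed between two logins.
    first = {"iss": HSPC_ISSUER, "sub": "a1b2c3", "email": "old@example.org"}
    second = {"iss": HSPC_ISSUER, "sub": "a1b2c3", "email": "new@example.org"}
    store: Dict[Tuple[str, str], dict] = {}
    link_account(store, first)
    link_account(store, second)
    assert len(store) == 1 and store[(HSPC_ISSUER, "a1b2c3")]["email"] == "new@example.org"
    assert not issuer_is_hspc({"iss": "https://id.hspconsortium.org.example", "sub": "x"})
```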
Identity
...
Creation Requirements
During registration, users:
...
@hspconsortium.org email namespace
Initial Consolidation Plan
Functional Requirements
The HSPC ID System:
- SHALL provide a web-based ID registration form for guests and members.
- SHALL provide a web-based management GUI for staff.
- SHALL serve as an OpenID Connect Provider (OP), and thus support the core OAuth 2.0 flows.
- SHALL support the configuration of custom scopes.
- SHALL support OAuth 2.0 HEART extensions for User-Managed Access (UMA).
- SHOULD support core SAML authentication/authorization flows.
- SHOULD allow for two-factor authentication in the future; it SHALL NOT be enabled at deployment time.
Non-Functional Requirements
The HSPC ID System:
- MUST be a "buy/license" product, as opposed to "build".
- MUST have a sensible release cycle for maintenance.
- MUST include sufficient technical documentation and an existing community of users.
- SHOULD be available under a F/OSS license.
- SHOULD provide an option for paid support that HSPC MAY or MAY NOT elect to purchase in the future.
Technology
In terms of software and infrastructure, the HSPC ID System is an instance of Gluu Server, which is one of the leading fully open-source implementations. Gluu Server is deployed to the Platform Engineering Virtual Private Cloud on AWS and is Internet-accessible at https://id.hspconsortium.org.
Rough Project Tasks
- Establish Gluu Server
  - Set up in Platform VPC
  - Test heavily
  - Either set up a new common IDP or use one of the existing instances.
- Migrate HSPC Sandbox to the new IDP.
  - Need help from Travis with this one ... Hopefully some combination of adding the IDP configuration and migrating existing user accounts.
- Enable AWS to support SSO login.
  - Update AWS IAM group policies
  - SAML probably
  - Remove unneeded users
  - Account for lock-out situations (since Gluu is hosted on AWS)
- Reconfigure the WEBSITE to use the IDP in addition to local authentication.
  - Install membership management
  ...
  - Evaluate and install membership management plugin(s), such as MemberPress.
  - Add IDP configuration
  - Possibly relocate hosting situation
  - Add MSP support and configure applicable hooks to IDP
- Migrate Marketplace to the new IDP
  - Probably disable the Google and Microsoft login options.
  - Re-authorize existing accounts
- Configure terminology servers to support authenticated and authorized access.
  - Ontoserver
  - HAPI-FHIR
- Document all this