...
All HSPC members and staff MUST have an HSPC ID to use any service requiring authentication. To allow for the plausibility of usernames being used for email purposes in be future, a blacklist of externally-used names SHOULD be maintained (e.g. "platform@hspconsortium.org", "roadmap@hspconsortium.org" etc). Long-term, this implies that future SaaS and on-premise services implemented by HSPC SHOULD strongly favor solutions capable of operating as an OpenID Connect resource server and/or client (preferred), or SAML relying party (also supported by this solution).
...
MUST be a "buy/license" product, as opposed to "build".
SHOULD be available under a F/OSS license.
MUST have a sensible release cycle for maintenancedeployment process and maintenance update cycle.
MUST include sufficient technical documentation and existent community of users. SHOULD be available as a F/OSS license.
SHOULD provide an option for paid support that HSPC MAY or MAY NOT elect to purchase in the future.
...
In terms of software and infrastructure, the HSPC ID System is an instance of Gluu Server , which is Community Edition: one of the leading fully - Open Source implementations of OIDC, SAML, UMA and other standards in a single software product, easier to configure than MITREid and friendlier to the Open Source-only deployment than OpenAM/OpenSSO. Gluu Server is deployed to the Platform Engineering Virtual Private Cloud on AWS and Internet accessible at https://id.hspconsortium.org. To avoid inadvertent circle dependencies, Gluu Server is run on a dedicated Ubuntu Server VM. The following standards are enabled in HSPC's deploy implementation:
- OAuth 2.0
- OpenID Connect
- SAML 2.0
- UMA (User-Managed Access OAuth 2 profile)
- SCIM - important for future ActiveDirectory synchronization
- Passport.js - Not a standard, but provides "inbound SAML"-like social login support to supersede the need for a custom social identity management application
This combination supports current usage scenarios, likely future ones, and social login without requiring HSPC, and the platform work group specifically, to maintain custom software products. Gluu Server is backend by a normal OpenLDAP directory than can, if necessary, be queried out-of-band from the Gluu Server application. SCIM support further "designs in" the possibility of user/group synchronization across organizational boundaries and some API compatibility with ActiveDirectory.
Gluu Server is very well documented.
Rough Project Tasks
- Establish Gluu Server
- Set up in Platform VPC
- test heavily Either set up a new common IDP or use one of the existing instances.
- Migration of existing services
- Migrate HSPC Sandbox to the new IDP.
- Need help from Travis with this one ... Hopefully some combination of adding the IDP configuration and migrating existing user accounts.
- Enable AWS to support SSO login.
- Update AWS IAM group policies
- SAML probably
- Remove unneeded users
- Account for lock-out situations (since Gluu is hosted on AWS)
- Reconfigure the WEBSITE to use the IDP in additional to local authentication.
- Evaluate and install membership management plugin(s), such as MemberPress.
- Add IDP configuration
- Possibly relocate hosting situation
- Add MSP support and configure applicable hooks to IDP
- Migrate Marketplace to the new IDP
- Probably disable the Google and Microsoft login options.
- Re-authorize existing accounts
- TermSpace? Need to ask Susan Matney and Peter Haug about this.
- Migrate HSPC Sandbox to the new IDP.
- Configuration of new services
- Terminology servers to support authenticated and authorized access.
- Ontoserver - not sure if this is possible
- HAPI-FHIR
- Developer instructions for future authoring tools
- Terminology servers to support authenticated and authorized access.
- Maintenance and updates
- Establish maintenance and availability policies
- Document all this stuff