Versions Compared

Old Version 12

changes.mady.by.user Preston Lee

Saved on

compared with

New Version Current

changes.mady.by.user Preston Lee

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Review assumptions at 16th General Meeting.


Section


Column
width50%

HSPC user identities, IAM, and existing systems.

Following 14th general meeting, the Platform team has agreed to unify user authentication with a common OpenID Connect OAuth Identity Provider (IDP or OP). This is a DRAFT document for team comment. Written in the present tense using RFC 2119 terms.

FieldValue
Code NameHSPC-ID
Curator
Preston Lee
StatusInitial Draft



Column
width50%

Table of Contents
outlinetrue
stylenone


...

Gluu Server is very well documented. A vendor-managed support portal is available for anyone to access, though priority support requires a commercial support contract. Source code is developed publicly on the GluuFederation GitHub account, which issue submission and tracking is also available.

Role-Based Service Access

Services and applications requiring a specific level of membership will need to request the appropriate scope(s) during the login flow as appropriate for that specific service/application. The System will be authoritative for maintaining role memberships and applicable authorization scopes as relevant to authentication and authorization flows.

Rough Project Tasks

  1. Establish Gluu Server
    1. Set up in Platform VPC
    2. test heavily Either set up a new common IDP or use one of the existing instances.
  2. Migration of existing services
    1. Migrate HSPC Logica Sandbox to the new IDP.
      1. Need help from Travis with this one  ... Hopefully some combination of adding the IDP configuration and migrating existing user accounts.
    2. Enable AWS to support SSO login.
      1. Update AWS IAM group policies
      2. SAML probably
      3. Remove unneeded users
      4. Account for lock-out situations (since Gluu is hosted on AWS)
    3. Reconfigure the WEBSITE to use the IDP in additional to local authentication.
      1. Evaluate and install membership management plugin(s), such as MemberPress.
      2. Add IDP configuration
      3. Possibly relocate hosting situation
      4. Add MSP support and configure applicable hooks to IDP 
    4. Migrate Marketplace to the new IDP
      1. Probably disable the Google and Microsoft login options.
      2. Re-authorize existing accounts
    5. TermSpace? Need to ask Susan Matney and Peter Haug about this.
  3. Configuration of new services
    1. Terminology servers to support authenticated and authorized access.
      1. Ontoserver - not sure if this is possible
      2. HAPI-FHIR
    2. Developer instructions for future authoring tools
  4. Maintenance and updates
    1. Establish maintenance and availability policies
    2. Document all this stuff

...