HSPC user identities, IAM, and existing systems.

Following the 14th general meeting, the Platform team has agreed to unify user authentication behind a common OAuth Identity Provider (IDP). This is a DRAFT document for team comment. It is written in the present tense using RFC 2119 terms.

Field | Value
Code Name | HSPC-ID
Curator | Preston Lee
Status | Initial Draft

Effort: IAM


Problem

HSPC user accounts have not historically been centrally managed; each service maintains its own user database, for which it is authoritative. While this is normal for startup-phase organizations, it becomes immensely problematic during growth. Core symptoms of poor IAM include:

  • Confusing onboarding for staff and members (e.g. "Oh, to access service X, email Y.").
  • Inconsisten
  • Inability to fully disable an account, because it exists independently in every service.

Objectives

For HSPC to mature and grow, a centralized IAM system is necessary. The objectives are to:

  • Establish a single sign-on (SSO) authority against which all "Platform" systems, tools, and services authenticate and authorize users.
  • Allow HSPC staff to centrally manage member and non-member access to digital content and services in a role-based manner.
  • Provide a standards-based identity provider (IDP) so that partners and cloud services can support HSPC member logins into 3rd-party systems.
  • Enable integrated account self-service for administrative membership functions.


Solution Qualities

Registration is free for individuals, regardless of membership status. No approval is required, but registration requires email verification, ToS agreement, and CAPTCHA validation. Usernames MUST be unique within the HSPC domain. A username is required for:

  • Membership self-management on the website.
  • Access to digital downloads requiring registration RBAC.
  • Logging into the FHIR sandbox.
  • Marketing email list opt-in/opt-out management.
  • Access to members-only tools and services. 

All HSPC members and staff MUST hold an account. Usernames MAY be used for email purposes (an @hspconsortium.org mailbox) in the future. For this reason, a username blacklist will be maintained.

Subject 

Identity Provider

To avoid confusion and use correct semantics, the HSPC IDP "issuer" identifier and its URI/URL SHALL be: https://id.hspconsortium.org . Relying parties compare the issuer value exactly, so it cannot be trivially changed and SHOULD be treated as a permanent, immutable decision. OAuth/OpenID Connect "subject" (sub) identifiers similarly MUST be treated as immutable: they are the key under which relying parties store a user, so a subject MUST NOT be reused for a different person and SHOULD NOT be derived from mutable attributes such as username or email.
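The following is an added example, not HSPC's own code, showing what the immutability of the issuer and subject means on the relying-party side: the issuer is compared byte-for-byte, and local accounts are keyed on the (iss, sub) pair rather than on email or username. The signing key, the client_id "hspc-sandbox", the token contents and the use of HS256 are constructed so the example runs offline; a real relying party verifies RS256/ES256 signatures against the IDP's published JWKS, normally through an established OIDC library.

```python
"""Relying-party check of an HSPC ID token, keyed on the immutable (iss, sub).

Added example; not HSPC's code. Signing key, client_id, claims and the HS256
algorithm are constructed for an offline demo. A real relying party verifies
RS256/ES256 signatures against the IDP's published JWKS instead.
"""
import base64
import hashlib
import hmac
import json
import time

ISSUER = "https://id.hspconsortium.org"  # from the draft; compared byte-for-byte
CLIENT_ID = "hspc-sandbox"                # assumed client_id of the sandbox RP
DEMO_KEY = b"constructed-demo-key"        # constructed; never hard-code in practice


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_demo_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Build an HS256 JWT so the example runs offline (test fixture only)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_id_token(token: str, key: bytes = DEMO_KEY, now: float = None) -> dict:
    """Return the claims if signature, issuer, audience and expiry all check out."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, body_b64, sig_b64 = parts
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never let the token pick the algorithm
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body_b64))
    # Exact match: a trailing slash or an http:// variant is a different issuer,
    # which is why the draft treats the issuer value as permanent.
    if claims.get("iss") != ISSUER:
        raise ValueError("unexpected issuer %r" % claims.get("iss"))
    aud = claims.get("aud")
    if aud != CLIENT_ID and not (isinstance(aud, list) and CLIENT_ID in aud):
        raise ValueError("token not issued for this client")
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("token expired")
    if not claims.get("sub"):
        raise ValueError("missing sub")
    return claims


class AccountStore:
    """Local accounts keyed on (iss, sub). Email and preferred_username are
    kept for display only: they may change without changing who the user is."""

    def __init__(self):
        self._accounts = {}

    def login(self, claims: dict) -> dict:
        key = (claims["iss"], claims["sub"])
        acct = self._accounts.setdefault(
            key, {"local_id": len(self._accounts) + 1, "sub": claims["sub"]})
        acct["email"] = claims.get("email")                  # mutable attribute
        acct["username"] = claims.get("preferred_username")  # mutable attribute
        return acct


def demo() -> tuple:
    """Same sub with a changed email maps to one local account; a token whose
    issuer differs only by a trailing slash is rejected."""
    store = AccountStore()
    exp = time.time() + 300
    base = {"iss": ISSUER, "sub": "u-1001", "aud": CLIENT_ID, "exp": exp,
            "preferred_username": "alice"}
    first = store.login(verify_id_token(make_demo_token(
        dict(base, email="alice@example.org"))))
    second = store.login(verify_id_token(make_demo_token(
        dict(base, email="alice.new@example.org"))))
    try:
        verify_id_token(make_demo_token(dict(base, iss=ISSUER + "/")))
        rejected = False
    except ValueError:
        rejected = True
    return first["local_id"], second["local_id"], rejected, second["email"]


if __name__ == "__main__":
    print(demo())  # (1, 1, True, 'alice.new@example.org')
```

The point of `AccountStore.login` is that a member who changes their email at the IDP still lands on the same local account, whereas a relying party that keyed on email would silently create a second one or, worse, hand the old account to whoever later registers the old address.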

Identity Issuance Requirements

During registration, users:

  • MUST provide a first name, last name, email address, and username.
  • MUST complete an email verification step.
  • MUST NOT choose a blacklisted username; the blacklist exists to avoid conflicts with local system accounts and reserved words.
  • SHOULD provide additional contact information.
  • SHOULD use an email address registered with a Gravatar profile.
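As an added example, not the draft's own code, the check below enforces the username rules from the Solution Qualities and Identity Issuance sections together: the username is normalized before the uniqueness and blacklist comparisons, and the blacklist rejects both system account names and the role mailboxes that would collide if usernames later become @hspconsortium.org addresses. The blacklist contents, the length limits and the allowed character set are assumptions, not values from the draft.

```python
"""Registration-time username check for the HSPC IDP.

Added example, not the draft's own code. The blacklist, length limits and
character set below are assumptions, chosen so a username can later be reused
as an @hspconsortium.org mailbox local-part without colliding with system or
role accounts.
"""
import re
import unicodedata

# Constructed blacklist: POSIX/system accounts and RFC 2142 role mailboxes,
# plus a few HSPC service names. Extend as services are added.
BLACKLIST = {
    "root", "admin", "administrator", "daemon", "nobody", "sys", "bin",
    "postmaster", "hostmaster", "webmaster", "abuse", "noc", "security",
    "support", "sales", "info", "marketing", "hspc", "sandbox", "fhir",
}
# Assumed policy: lowercase letters, digits, '.', '-', '_'; starts with a
# letter; 3..32 characters. Deliberately stricter than an RFC 5322 local-part.
USERNAME_RE = re.compile(r"^[a-z][a-z0-9._-]{2,31}$")


def normalize(username: str) -> str:
    """Canonical form used for uniqueness and blacklist checks.

    NFKC folds confusable forms (e.g. fullwidth letters), casefold lowercases,
    and surrounding whitespace is dropped. Uniqueness is checked on this form,
    otherwise "Admin" and "admin" are different rows to the database but the
    same mailbox to a mail server.
    """
    return unicodedata.normalize("NFKC", username).casefold().strip()


def validate_username(username: str, existing: set) -> list:
    """Return the list of policy violations; an empty list means acceptable.

    `existing` is the set of already-registered usernames, in normalized form.
    """
    problems = []
    canon = normalize(username)
    if not USERNAME_RE.fullmatch(canon):
        problems.append("must be 3-32 chars of a-z, 0-9, '.', '-', '_' and start with a letter")
    if canon in BLACKLIST:
        problems.append("reserved name")
    elif re.sub(r"[._-]", "", canon) in BLACKLIST:
        # "ad.min" or "root_" is still confusable with the reserved word.
        problems.append("too close to a reserved name")
    if ".." in canon or canon.endswith("."):
        problems.append("invalid as a mailbox local-part")
    if canon in existing:
        problems.append("already taken")
    return problems


if __name__ == "__main__":
    taken = {"alice"}
    for candidate in ("Alice", "bob", "ＡＤＭＩＮ", "ad.min", "ab", "carol..x"):
        print(candidate, validate_username(candidate, taken))
```

The fullwidth "ＡＤＭＩＮ" case is the reason normalization happens before the blacklist lookup: without NFKC and casefold the literal string is not in the set, but it renders as "ADMIN" in every UI and folds to "admin" in most mail systems.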

@hspconsortium.org email namespace


Initial Consolidation Plan

  1. Either set up a new common IDP or adopt one of the existing instances.
  2. Migrate the HSPC Sandbox to the new IDP.
  3. Reconfigure the WEBSITE to use the IDP in addition to local authentication.
    1. Install membership management 
  4. eee

All existing members will have accounts created. 
