Strategy for 2i2c engineer admin access to a hub when it uses SSO #936

Open
choldgraf opened this issue Jan 19, 2022 · 0 comments
Labels
Enhancement An improvement to something or creating something new.

Comments

@choldgraf
Member

Description of problem and opportunity to address it

Context to understand the problem
We have recently been exploring using Single Sign On authentication for our hubs, so that a hub's community can be automatically authenticated via their institutional handle. For one example see #315

Problem or idea
This poses a problem, because 2i2c engineers generally do not have their own handles in those institutions. This means that if the authenticator SSO cannot support handles outside the institution's domain, then we won't be able to easily access the hub as administrators.

Proposed solution
There are a few ways that we could address this, in decreasing order of preference:

  • Use an authenticator that allows us to mix SSO-like behavior along with a list of handles that are attached to 2i2c team members. This would be best if we can find an authenticator setup that lets us do it.
  • Create some sort of "back-door" setup that lets us access the hub as admins via an authorized token, so we don't need a dedicated username each.
  • Create a single 2i2c access account (e.g., 2i2c-support@myuni.edu) that we can share across team members
  • Create a process for getting all 2i2c team members' email addresses that we then add to the hub

What's the value and who would benefit
If we can find a way to gain admin access to these hubs without creating our own institutional emails for each university, it will make this pattern much more scalable and manageable, with less toil and complexity involved.

Implementation guide and constraints

  • It seems like CILogon could solve this problem for us. It seems to be able to authenticate against domains, as well as other kinds of usernames. If this is possible, then we could provide SSO via CILogon, and give 2i2c team members explicit access via email addresses. @GeorgianaElena may look into this as part of Enable authentication via CILogon #315
  • We agreed that there's a lot of security downside in having a "root access" token that gives us admin access to the hub. If we wanted to use a token like this, we'd probably need to build decently complex infrastructure to keep it safe.

Updates and ongoing work

No response

@choldgraf choldgraf added Enhancement An improvement to something or creating something new. 🏷️ authentication labels Jan 19, 2022
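
The first proposed option (institutional SSO plus an explicit list of support-team handles) reduces to an access decision like the one below. This is an added example, not code from the issue, 2i2c, JupyterHub or CILogon; every name, domain and address in it is hypothetical, and it assumes the identity provider has already verified the email claim it receives.

```python
from dataclasses import dataclass

# Constructed sample policy; these domains and addresses are hypothetical.
INSTITUTION_DOMAINS = frozenset({"myuni.edu"})
EXTERNAL_ADMINS = frozenset({"engineer1@2i2c.example", "engineer2@2i2c.example"})


@dataclass(frozen=True)
class Decision:
    allowed: bool
    admin: bool
    reason: str


def split_email(identity: str):
    """Return (local, domain) lowercased, or None if not a plain address."""
    identity = identity.strip().lower()
    if identity.count("@") != 1 or any(c.isspace() for c in identity):
        return None
    local, domain = identity.split("@")
    if not local or not domain or domain.startswith(".") or domain.endswith("."):
        return None
    return local, domain


def decide(identity: str, institution_domains=INSTITUTION_DOMAINS,
           external_admins=EXTERNAL_ADMINS) -> Decision:
    """Decide access for an email claim the identity provider has verified."""
    parts = split_email(identity)
    if parts is None:
        return Decision(False, False, "malformed identity")
    local, domain = parts
    # Explicit entries match the whole address, never just the domain, so
    # admin rights do not extend to everyone at the support team's domain.
    if f"{local}@{domain}" in external_admins:
        return Decision(True, True, "explicit external admin")
    # Exact comparison: a suffix test would accept look-alikes such as
    # "notmyuni.edu"; subdomains must be listed explicitly to be accepted.
    if domain in institution_domains:
        return Decision(True, False, "institutional SSO user")
    return Decision(False, False, "not in institution or allowlist")
```

Keeping the admin list as individual addresses means each engineer's access can be granted, audited and revoked separately, which the shared-account and shared-token options do not allow.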