We've created a demo flow. Any questions about this demo can be emailed to raoul.teeuwen@surfnet.nl. It's our intention that this demo 'always works', but we don't test it every week or so. If it somehow broke, please let us know! Our GÉANT colleagues are developing eduTEAMS, which, not entirely by accident, looks a lot like our SCZ. They also have a demo environment, which you can use if ours doesn't work, or if you want to check out the COmanage alternatives Hexa and/or Perun (GÉANT has a comparison of those three), or try other services.

Important message

As your institution probably hasn't connected its IdP to SCZ-FIAM, you can't use your institutional account to log in. For the demo, you can currently log in with a Google or Microsoft account.
If you don't have either, you can create one; otherwise, we're sorry, but you currently can't use this demo.

Also: please always check whether you have followed these demo instructions before telling us something doesn't work.

Repeat the demo

If you want to show this demo to someone else when you have already signed up, you can use a private browser window and sign up again.
If you use this option, don't forget to execute EVERY step in the private window, including opening the confirmation email link.

How to get access again after finishing the sign-up flow

Already signed up, but want to access the demo service? Access the demo WordPress site at https://wordpress.demo.scz.lab.surf.nl/ or COmanage via https://comanage.pilot.scz.lab.surf.nl/registry/ .

COmanage, part of the current SCZ FIAM, lets administrators define several types of invitation flows: workflows to onboard researchers. You can find more about those flows in the documentation. For instance, you can configure whether approval is required and what kind, such as approval by an admin.

For this demo, imagine the following: you have a service intended for researchers, or you are a research collaboration. Researchers in the collaboration need access to several services, one of which is a website, in this case a WordPress site (but the idea works for all or most services). The services have been connected to the SCZ FIAM platform. Normally you would not allow anybody access to your research services without knowing who they are. But for this demo you have decided that researchers are allowed to self sign up for access to edit content on the WordPress site, without any approval.

So for the demo we've configured a self-signup invitation flow. It's basically a URL you can attach to a text or a button on the website of a research collaboration, with a text like

Sign up for our XXX research collaboration

Now imagine you're a researcher that wants access.

The demo

Assuming you've read the above, there are 3 steps in this demo: a generic part (which creates a user in the demo COmanage Collaborative Organisation), after which you can access both a WordPress site via your browser and a VM via SSH. Apart from showing you that this works for both web and non-web services, this also shows you that by creating just one user at the SCZ, access is created in several connected services.

This demo currently shows you how one flow (of many configurable flows) works and one (of many) ways in which a researcher could access a service based on the credentials and attributes in COmanage. Over time, we plan to extend the demo to show more aspects.

Generic part of the demo

  • To enter our demo, click the "Sign up for our XXX research collaboration"-link.
  • As a new user, in this flow you're presented a form to fill out some personal information (Given name and Gmail or Microsoft email address).
  • After clicking SUBMIT, you see the screen display some provisioning steps after which you're logged out of COmanage.
  • Check your (Gmail or Microsoft) email inbox: an email is sent to the email address supplied, to confirm you have control over that email address (normally this would be your institutional account). Click the link in the email.
  • After clicking the link in the email, you're taken to a COmanage screen where you can confirm the registration.
  • After clicking CONFIRM, you're taken to a login screen with a Where Are You From (WAYF) screen. Depending on what email address you've used, you need to select the corresponding IdP ("SCZ Pilot Microsoft IdP" or "SCZ Pilot Google IdP"). As in most WAYF screens, you can type part of the name of your IdP (suggestion: Gmail or Microsoft) in the input field instead of scrolling the whole list.
  • Log in at Google or Microsoft with your credentials.
  • If your authentication was successful, you should now be signed into COmanage. Some steps of the enrollment will be taken automatically and displayed. After the final step, you're signed out.
  • In the demo you now have access to the demo service(s). Although it's not necessary, you could log in to COmanage by clicking LOGIN and signing in with the Google or Microsoft IdP. Assuming you do so successfully, you should see:

Accessing a demo web service

  • In the previous steps, you've created a COmanage account and linked it to your Google (or Microsoft) id. Within COmanage there are many configuration options which, amongst others, enable a collaboration to specify whether someone first needs to approve any sign-up. For this demo, we have minimized the needed admin approval. So you can now use your membership of the SCZ demo CO to authenticate at the demo WordPress site, which you can visit directly (so without COmanage in between) via https://wordpress.demo.scz.lab.surf.nl/ . On the WordPress site, you can find the Login option in the lower right corner.

  • After clicking 'Log in', select 'Log in via Science Collaboration Zone', the blue bar at the bottom, below the "OR" line.
  • After clicking 'Log in via Science Collaboration Zone', select the SCZ Google or Microsoft IdP, and use the credentials you used to sign up for COmanage (depending on your earlier activity, Single Sign-On might be active, so you don't need to enter your credentials again).
  • In this demo, you're allowed access to the dashboard of WordPress.
  • If you email raoul.teeuwen@surfnet.nl that you would like more rights in the SCZ What's Next demo (do so from your institutional account, so Raoul knows who he is giving additional rights to, and mention the Gmail or Microsoft address you used), Raoul will at some moment grant you additional rights by adding you to the group "Wordpress:authors" in COmanage. You'll be notified of that action, and on your next login at the WordPress demo site you have more rights and possibilities (you will be able to publish and edit blogs). This shows you that adding you to a group in SCZ COmanage makes the service aware you are allowed certain things; there is no need to manually edit rights in the service(s).

How does this work?

For people wanting to know how this works: when you click the button on the WordPress site to sign in with SCZ, you get redirected to SCZ, which redirects you to your IdP (for instance Google) to authenticate. After authentication, you get redirected back to SCZ. If you authenticated successfully, SCZ gathers some attributes and includes those in the redirect back to WordPress, upon which the authentication module of WordPress is able to decide whether you get access and with what authorisation. All messages necessary for this process are digitally signed, so WordPress knows the attributes were indeed received from the SCZ.
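As an added illustration of the last two sentences (this is example code, not the SCZ, COmanage or WordPress module code), the model below shows what the service side has to do with the signed attribute message: verify the signature before trusting any attribute, then derive the WordPress role from the COmanage group "Wordpress:authors". The HMAC tag, the JSON body and the attribute names uid and groups are assumptions standing in for the real signed message format.

```python
"""Added example (not SCZ/COmanage/WordPress code): a minimal model of
what the WordPress authentication module does with the signed attribute
message it receives back from SCZ.

Assumptions (not from the page): the message is a JSON body plus an
HMAC-SHA256 tag over that body, standing in for the real signature;
attribute names 'uid' and 'groups' and the role names are assumed."""
import hashlib
import hmac
import json
from typing import Optional

# Shared key between SCZ and WordPress (constructed for the example).
SCZ_KEY = b"constructed-demo-key"


def sign(attrs: dict, key: bytes = SCZ_KEY) -> dict:
    """SCZ side: serialise the attributes and attach a signature."""
    body = json.dumps(attrs, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"body": body.decode(), "sig": tag}


def verify(msg: dict, key: bytes = SCZ_KEY) -> Optional[dict]:
    """WordPress side, step one: accept attributes only if the signature
    checks out, so a user cannot fabricate their own group membership."""
    body = msg.get("body", "").encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, msg.get("sig", "")):
        return None  # tampered or unsigned: trust nothing in it
    return json.loads(body)


def authorise(attrs: Optional[dict]) -> str:
    """WordPress side, step two: map verified SCZ attributes to a role.
    Every CO member gets dashboard access (subscriber, assumed name);
    members of the COmanage group 'Wordpress:authors' become authors."""
    if attrs is None or not attrs.get("uid"):
        return "denied"
    if "Wordpress:authors" in attrs.get("groups", []):
        return "author"
    return "subscriber"


def demo() -> tuple:
    """A valid message from SCZ versus the same message with its body edited."""
    signed = sign({"uid": "raoul89", "groups": ["Wordpress:authors"]})
    tampered = dict(signed, body=signed["body"].replace("raoul89", "eve"))
    return authorise(verify(signed)), authorise(verify(tampered))


if __name__ == "__main__":
    print(demo())  # ('author', 'denied')
```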

Accessing a demo non-web service

  • Currently, for this demo, you need to check what id you were assigned for accessing non-web services. For that:
    • go to https://comanage.pilot.scz.lab.surf.nl/registry/
    • click LOGIN
    • sign in with the identity (provider) you signed up with at SCZ COmanage (Google or Microsoft)
    • within COmanage, if you're presented with a list of "Available Collaborations", select the "What's Next? Demo CO" collaboration
    • on the left, click People and select "My population"
    • find the row with your identity: at the end of that row you see an EDIT button. Click that EDIT button
    • on the new page, the second section is "Identifiers". You should see a row in that section with "<your userid> (UID)", for example "raoul89 (UID)"
    • remember that id (in the example: raoul89)
  • We can now access the non-web service. We need to use SSH for that (instead of a web browser). If you know how to use SSH, continue to the next step. If not:
    • Windows users might need to install an SSH client. One of the most used is PuTTY. You can download it here. More info about SSH can be found here.
    • On a Mac, you can open Terminal.
  • In the terminal window, we are going to access the machine at sandbox1.aws.scz.lab.surf.nl . So the command is:

    ssh <your userid>@sandbox1.aws.scz.lab.surf.nl -p 2022
    So, as an example:
    ssh raoul86@sandbox1.aws.scz.lab.surf.nl -p 2022
  • Executing that command should connect you to that machine and should show you a prompt like so:

  • Type yes and press Enter. This should bring up more text:
  • Now, for this demo, you need to visit the shown URL to authenticate. So select and copy the URL (in the example above: XXZ) and open that URL in a browser.
  • The following website could be designed in any way... we've kept it simple. You should see something like
  • Click the login button... select your identity provider (probably Google or Microsoft) and authenticate.
  • On successful authentication, you should see something like

  • Remember the PIN. Go back to your SSH window and type the PIN. You won't see the PIN being typed. Upon pressing Enter, and assuming you typed the PIN correctly and did the whole process fast enough, you should see something like
  • Success! This ends the demo. Go and do your High Performance Computing analysis (wink).
