
In order for a user to log in to a service using SURF Research Access Management (SRAM), the user needs to authenticate. Depending on the authentication method, a number of attributes are released to the service on a successful authentication. A service can use attributes to identify the user, display their name and email address, provide the user with the right permissions based on memberships of collaborative organisations and groups, et cetera.

In some cases, some of the user attributes need to be provisioned to the service before the user's first authentication:

  • If the server needs to prepare for the user before they can authenticate, for example by creating a home directory or running scripts. In this case just-in-time provisioning is not possible.
  • If the authentication method doesn't provide all the required attributes, e.g., SSH only providing a user name.

Authentication

SAML

SAML 2.0 is a browser based authentication protocol. It provides all available attributes about the authenticating user and their memberships.
Its functionality is considered equivalent to OIDC.

How to connect a service using SAML.

OIDC

OpenID Connect is a browser based authentication protocol. It provides all available attributes about the authenticating user and their memberships.
Its functionality is considered equivalent to SAML.

How to connect a service using OpenID Connect.

SSH public key

SSH public keys are widely used to authenticate a user logging into an SSH server. This method only provides an SSH user name as an attribute to the service (the 'short username' in the list of attributes), and the SSH public key needs to be provisioned to the server before the user can log in. Both LDAP and SCIM can provide a server with the user's SSH keys.

PAM web login

PAM web login offers a way to bring federated authentication to a terminal based login, e.g., logging into an SSH server. This method only provides an SSH user name as an attribute to the service (the 'short username' in the list of attributes); to give the user the right permissions, provisioning is required.

Provisioning

LDAP and SCIM provide the same set of attributes.

LDAP

LDAP is a time-tested protocol and provides attributes about the users that can log in to the service, before they do.

How to connect a service to LDAP.

SCIM

SCIM is a modern API that provides attributes about the users that can log in to the service, before they do. The service can act as a SCIM client and/or SCIM server.
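The SSH public key and PAM web login sections above both state that a user's SSH key and permissions must be provisioned to the server before the first login, and the provisioning section names LDAP and SCIM as the sources. The following is an added example, not code from SRAM or this page, showing the server side of that step: it takes SCIM-style user records, validates each SSH public key before trusting it, refuses usernames that could escape the home directory tree, and produces authorized_keys content per user. The attribute name sshPublicKeys and the record layout are assumptions for illustration (SRAM's actual SCIM schema is not described on this page), and the sample records and key blobs are constructed, not real user data.

```python
import base64
import re
import struct
from typing import Dict, List, Optional, Tuple

# Key types this server accepts; anything else is dropped before it reaches sshd.
ALLOWED_KEY_TYPES = {
    "ssh-ed25519", "ssh-rsa",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
}
# Conservative POSIX-style username pattern: the short username is used to build
# the path /home/<user>/.ssh/authorized_keys, so it must never contain '/' or '..'.
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def _constructed_ed25519_blob(seed: int) -> str:
    """Build a syntactically valid ssh-ed25519 wire blob from a fixed byte
    pattern. The 32 key bytes are constructed filler, not a real public key."""
    key_type = b"ssh-ed25519"
    key_bytes = bytes([(seed + i) % 256 for i in range(32)])
    blob = (struct.pack(">I", len(key_type)) + key_type
            + struct.pack(">I", len(key_bytes)) + key_bytes)
    return base64.b64encode(blob).decode("ascii")


# Constructed SCIM-style user records as a SCIM client might push them.
# `userName` is the short username from the page; `sshPublicKeys` is an ASSUMED
# attribute name, not SRAM's documented schema.
SAMPLE_SCIM_USERS: List[Dict] = [
    {"userName": "alice", "active": True,
     "sshPublicKeys": ["ssh-ed25519 " + _constructed_ed25519_blob(1) + " alice@laptop"]},
    {"userName": "bob", "active": True,
     "sshPublicKeys": ["ssh-rsa not-base64!! bob@desk",                       # unparseable blob
                       "ssh-rsa " + _constructed_ed25519_blob(7) + " wrong",  # declared type != blob type
                       "ssh-ed25519 " + _constructed_ed25519_blob(7)]},      # the only valid key
    {"userName": "../root", "active": True,                                   # unsafe username
     "sshPublicKeys": ["ssh-ed25519 " + _constructed_ed25519_blob(3)]},
    {"userName": "carol", "active": False,                                    # deprovisioned user
     "sshPublicKeys": ["ssh-ed25519 " + _constructed_ed25519_blob(5)]},
]


def parse_ssh_public_key(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (key_type, blob_b64, comment) for a well-formed OpenSSH public key
    whose base64 blob really encodes the declared key type; otherwise None."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        return None
    key_type, blob_b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    if key_type not in ALLOWED_KEY_TYPES:
        return None
    try:
        blob = base64.b64decode(blob_b64, validate=True)
    except ValueError:           # binascii.Error is a ValueError subclass
        return None
    if len(blob) < 4:
        return None
    (type_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + type_len] != key_type.encode("ascii"):
        return None              # string-level type does not match the wire blob
    if "\n" in comment or "\r" in comment:
        return None              # a newline in the comment could smuggle a second key line
    return key_type, blob_b64, comment


def authorized_keys_for(user: Dict) -> Optional[str]:
    """Produce authorized_keys content for one user, or None when the user must
    not be provisioned (inactive, unsafe username, or no valid key)."""
    username = user.get("userName", "")
    if not user.get("active", False) or not USERNAME_RE.match(username):
        return None
    lines = []
    for raw in user.get("sshPublicKeys", []):
        parsed = parse_ssh_public_key(raw)
        if parsed is not None:
            key_type, blob, comment = parsed
            lines.append(f"{key_type} {blob} {comment}".rstrip())
    return "\n".join(lines) + "\n" if lines else None


def provision(users: List[Dict]) -> Dict[str, str]:
    """Map every provisionable username to its authorized_keys file content."""
    result: Dict[str, str] = {}
    for user in users:
        content = authorized_keys_for(user)
        if content is not None:
            result[user["userName"]] = content
    return result


if __name__ == "__main__":
    for name, content in provision(SAMPLE_SCIM_USERS).items():
        print(f"# /home/{name}/.ssh/authorized_keys")
        print(content)
```

Run as-is, only alice and bob are provisioned: bob's first two keys are rejected because the blob is not valid base64 and because the declared type does not match the type encoded inside the blob, the "../root" record is refused because its username would escape the home directory tree, and carol is skipped because the record is inactive. The same validation applies unchanged to keys fetched from LDAP instead of SCIM, since the page states both deliver the same set of attributes.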

How to connect a service to SCIM.

Register your service

Please start by filling out the SRAM service registration form. As soon as we've processed your request, you will receive an email containing information you'll need to connect, in addition to the how-tos.
