We've created a demo flow. You can email any questions about this demo to raoul.teeuwen@surfnet.nl. It's our intention that this demo 'always works', but we don't test it every week or so. If it somehow broke, please let us know!
COmanage, part of the current SCZ FIAM, lets administrators define several types of invitation flows, which are workflows to onboard researchers. You can find more about those flows in the documentation. You can, for instance, configure whether approval is required and what kind, for example from an admin.
For this demo, imagine the following: you have a service intended for researchers, or you are a research collaboration. Researchers in the collaboration need access to several services, one of which is a website, in this case a WordPress site (but the idea works for all/most services). The services have been connected to the SCZ FIAM platform. Normally you would not allow anybody access to your research services without knowing who they are. But for this demo you have decided researchers are allowed to self sign up for access to edit content on the WordPress site, without any approval.
So for the demo we've configured a self signup invitation flow. It's basically a URL you can attach to a text or a button on a website of a research collaboration, with a text like:
Sign up for our XXX research collaboration
Now imagine you're a researcher that wants access.
Important: as your institution probably hasn't connected its IdP to the SCZ proxy, you can't use your actual institutional account to log in. For the demo, you can currently log in with a Google or Microsoft account. If you don't have either, you can create one; otherwise, we're sorry, but you currently can't use this demo. Please email raoul.teeuwen@surfnet.nl if this is a problem for you, so we can try to give more priority to enabling more demo identity providers.
The demo
Assuming you've read the above, there are 3 steps in this demo: a generic part (which creates a user in the demo COmanage Collaborative Organisation), after which you can access both a WordPress site via your browser and a VM via SSH. Apart from showing you that this works for both web and non-web services, this also shows that by creating just one user at the SCZ, access is created in several connected services.
This demo currently shows how one flow (of many configurable flows) works, and one (of many) ways a researcher could access a service based on the credentials and attributes in COmanage. Over time, we plan to extend the demo to show more aspects.
Generic part of the demo
- To enter our demo, click the "Sign up for our XXX research collaboration"-link.
- As a new user, in this flow you're presented with a form to fill out some personal information (Given name and Gmail or Microsoft email address).
- After clicking SUBMIT, you see the screen display some provisioning steps after which you're logged out of COmanage.
- Check your (Gmail or Microsoft) email inbox: an email is sent to the email address supplied, to confirm you have control over that email address (so normally this would be your institutional account). Click the link in the email.
- After clicking the link in the email, you're taken to a COmanage screen where you can Confirm the registration.
- After clicking CONFIRM, you're taken to a login screen with a Where Are You From (WAYF) screen. Depending on what email address you've used, you need to select the corresponding IdP ("SCZ Pilot Microsoft IdP" or "SCZ Pilot Google IdP"). As in most WAYF screens, you can start typing part of the name of your IdP (suggestion: Gmail or Microsoft) in the input field, instead of scrolling the whole list.
- Log in at Google or Microsoft with your credentials.
- If your authentication was successful, you should now be signed into COmanage. Some steps of the enrollment will be automatically taken and displayed. After the final step, you're signed out.
- In the demo you now have access to the demo service(s). Although it's not necessary, you could log in to COmanage by clicking LOGIN and signing in with the Google or Microsoft IdP. Assuming you do so successfully, you should see:
Accessing a demo web service
- In the previous steps, you've created a COmanage account and linked it to your Google-id. Within COmanage there are many configuration options which, among other things, enable a collaboration to specify whether someone first needs to approve any sign-up. For this demo, we have minimized the needed admin approval. So you can now use your membership of the SCZ demo CO to authenticate at the demo WordPress site, which you can visit directly (so without COmanage in between) via https://wordpress.demo.scz.lab.surf.nl/ . On the WordPress site, you can find the Login option in the lower right corner.
- After clicking 'Log in', select 'Log in via Science Collaboration Zone', the blue bar at the bottom, below the "OR" line.
- After clicking 'Log in via Science Collaboration Zone', select the SCZ Google or Microsoft IdP, and use the credentials you used to sign up for COmanage (depending on your actual activity, Single Sign-On might be active, so that you don't need to enter your credentials again).
- In this demo, you're allowed access to the dashboard of WordPress.
- If you email raoul.teeuwen@surfnet.nl that you would like more rights in the SCZ What's Next demo, Raoul will at some moment grant you additional rights by adding you to a group "Wordpress:authors" in COmanage. Send the email from your institutional account (so Raoul knows who he is giving additional rights to) and mention the Gmail or Microsoft address you used. When you are added, you'll be notified of that action, and on your next login at the WordPress demo site you have more rights and possibilities (you will be able to publish and edit blogs). This shows that adding you to a group in SCZ COmanage makes the service aware you are allowed certain things; no need to manually edit rights in the service(s).
Accessing a demo non-web service