We've created a demo-flow. Any questions about this demo you can email to raoul.teeuwen@surfnet.nl . It's our intention this demo 'always works', but we don't test it every week or so. If it somehow broke, please let us know!

COmanage, part of the current SCZ FIAM, lets administrators define several types of invitation flows, which are workflows to onboard researchers. You can find more about those flows in the documentation. You can for instance configure whether and what approval you want from for instance an admin.

For this demo, imagine the following: you have a service intended for researchers or you are a research collaboration. Researchers in the collaboration need access to several services, one of which is a website, in this case a WordPress-site (but the idea works for all/most services). The services have been connected to the SCZ FIAM platform. Normally you would not allow anybody access to your research services without knowing who they are. But for this demo you have decided researchers are allowed to self sign up for access to edit content on the Wordpress site, without any approval. 

So for the demo we've configured a self signup invitation flow. It's basically a URL you can attach to a text or a button on a website of a research collaboration, with a text like

user Sign up for our XXX research collaboration

Now imagine you're a researcher that wants access.

Important: as your institution probably hasn't connected their IdP to the SCZ-proxy, you can't use your actual institutional account to login. For the demo, you can currently login with a Google- or Microsoft-account. If you don't have either, you can create one or we're sorry but currently you can't use this demo. Please email raoul.teeuwen@surfnet.nl if this is a problem for you, so we'll try to give more priority enabling more demo identity providers.

The demo

Assuming you've read the above, there are 3 steps in this demo. A generic part (which creates a user in the demo COmanage Collaborative Organisation), after which you can both access a Wordpress site via your browser as well as a VM via SSH. Apart from showing you this works for both web and non-web, this also shows you that by creating just one user at the SCZ, access is created in several connect services.

This demo currently is showing you how one flow (of many configurable flows) works and one (of many) way of how a researcher could access a service based on the credentials and attributes in COmanage. Over time, we plan to extend the demo to show more aspects.

Generic part of the demo

• To enter our demo, click the "Sign up for our XXX research collaboration"-link.
• As a new user, in this flow you're presented a form to fill out some personal information (Given name and Gmail or Microsoft email address).
• After clicking SUBMIT, you see the screen display some provisioning steps after which you're logged out of COmanage.
• Check your (Gmail or Microsoft) email inbox: an email is sent to the email address supplied, to confirm you have control over that email address (so normally this would be your institutional account). Click the link in the email.
• After clicking the link in the email, you're taken to a COmanage screen where you can Confirm the registration.
• After clicking CONFIRM, you're taken to a login screen with a Where Are You From (WAYF) screen. Depending on what email address you've used, you need to select the corresponding IdP ("SCZ Pilot Microsoft IdP" or "SCZ Pilot Google IdP"). As in most WAYF-screens you can start part of the name (suggestion: Gmail or Microsoft) of your IdP in the input field, instead of scrolling the whole list.
• Login at Google or Microsoft with your credentials.
• If your authentication was successful, you should now be signed into COmanage. Some steps of the enrollment will be automatically taken and displayed. After the final step, you're signed out. 
• In the demo you now have access to the demo service(s). Although it's not necessary, you could login to COmanage by clicking LOGIN and sign in with the Google or Microsoft IdP. Assuming you do so successfully, you should see:
  
  

Accessing a demo web service

• In the previous steps, you've created a COmanage account and linked it to your Google-id. Within COmanage there are many configuration options which amongst others enable a collaboration to specify whether someone first needs to approve any sign-up. For this demo, we have minimized the needed admin approval. So you can now use your membership of the SCZ demo CO to authenticate at the demo Wordpress-site, which you can visit directly (so without COmanage in between) via https://wordpress.demo.scz.lab.surf.nl/ . On the Wordpress site, you can find the Login option in the lower right corner
  
  
• After clicking 'Log in' select 'Log in via Science Collaboration Zone', the blue bar at the bottom, below the "OR"-line
  
• After clicking 'Log in via Science Collaboration Zone', select the SCZ Google or Microsoft IdP, and use the credentials you used to sign up for COmanage (depending on your actual activity, Single Sign-On might be active, making it so you don't need to enter your credentials again.
• In this demo, you're allowed access to the dashboard of Wordpress. 
• If you email raoul.teeuwen@surfnet.nl that you would like more rights in the SCZ What's Next demo (do so from your institutional account (so Raoul knows who he is giving additional rights)), and mention the gmail- or Microsoft-address you used) Raoul will at some moment grant you additional rights by adding you to a group "Wordpress:authors" in COmanage, at which moment you'll be notified of that action and on your next login at the Wordpress demo site, you have more rights and possibilities (you will be able to publish and edit blogs). Which shows you adding you to a group in SCZ COmanage makes the service aware you are allowed certain things; no need to manually edit rights in the service(s).

Accessing a demo non-web service

• Currently, for this demo, you need to check what id you got assigned for accessing non-web services. For that:
  • go to https://comanage.pilot.scz.lab.surf.nl/registry/
  • click LOGIN
  • sign in with the identity (provider) you signed up with at SCZ COmanage (Google or Microsoft)
  • within COmanage, if you're presented a list of "Available Collaborations", select the "What's Next? Demo CO" collaboration 
  • on the left, click People and select "My population"
  • find the row with your identity: at the end of that row you see an EDIT button. Click that Edit-button
  • in the new page, the second section is "Identifiers". You should see a row in that section with "<your userid>(UID)", for example "raoul89 (UID)"
  • remember that id (in the example: raoul89) 
• We can now access the non web service. We need to use SSH for that (instead of a web browser). If you know you can use SSH, continue to the next step. If not:
  • Windows-users might need to install an SSH client. One of the most used is PuTTY. You can download it here. More info about SSH can be found here
  • On Mac, you can open Terminal

• In the terminal window, we are going to access the machine at sandbox1.aws.scz.lab.surf.nl . So the command is:

  ssh <your userid>@sandbox1.aws.scz.lab.surf.nl  -p 2022

  So, as an example:

  ssh raoul86@sandbox1.aws.scz.lab.surf.nl  -p 2022

• Executing that command should connect you to that machine and should show you a command prompt like so:
  
  
• Type yes and press enter. This should bring up more text:
  
• Now, for this demo, you need to visit the shown URL to authenticate. So select and copy the URL (in the example above: XXZ) and open that URL in a browser
• The following website could be designed in any way ... we've kept it simple. You should see something like
  
•  Click the login button ... select your identity provider (probably Google or Microsoft) and authenticate
• On successfull authentication, you should see something like
  
  
• Remember the PIN. Go back to your SSH window and type the PIN. You won't see the PIN being typed. Upon pressing Enter, and assuming you typed the PIN correctly and did the whole process fast enough, you should see something like
  
• Success! This ends the demo. Go and do your High Performance Computing analysis .