Identity Access Manager (IAM)¶
The INDIGO Identity and Access Management (IAM) is an Authentication and Authorisation Infrastructure (AAI) service which manages users credentitials and attributes, like group membership, and authorization policies to access the resources.
Note
Current IAM version: v1.5.0.rc2
Note
After IAM installation it is needed to configure the Cloud provider identity service to accept the INDIGO IAM OpenID Connect authentication. For Openstack Keystone this is a standard configuration and the documentation can be found here. Furthermore, to enable more OpenID Connect providers configured in the apache mod_auth_openidc module used by Keystone, in order to not change Keystone configuration, it is possible to exploit the ESACO plugin. At the moment, for example, it is used with OpenStack at ReCaS-Bari datacenter. An example of integration is available here.
VM configuration¶
Create VM for IAM. The VM should meet the following minimum requirements:
| OS | Ubuntu 16.04 |
| vCPUs | 2 |
| RAM | 4 GB |
| Network | Public IP address. |
Warning
All the command will be run on the control machine.
Enable Google Authentication¶
To enable Google authentication access to Google developers console and create and configure a new credential project.
- Create Credentials > OAuth Client ID
- Application Type: Web Application
- Name: Set a custom Service Provider (SP) name
- Authorized JavaScript origins: https://<iam_vm_dns_name>.
- Authorized redirect URIs: https://<iam_vm_dns_name>/openid_connect_login
- Create the client
- Copy your client ID and client secret
Create the file indigopaas-deploy/ansible/application-oidc.yml, copying and pasting the client ID, client Secret and the IAM url
oidc:
providers:
- name: google
issuer: https://accounts.google.com
client:
clientId: <iam_google_client_id>
clientSecret: <iam_google_client_secret>
redirectUris: https://<iam_url>/openid_connect_login
scope: openid,profile,email,address,phone
loginButton:
text: Google
style: btn-social btn-google
image:
fa-icon: google
Enable ELIXIR-AAI Authentication¶
To enable you need to request a valid client ID and client Secret. Please read the corresponding documentation.
Then create the file indigopaas-deploy/ansible/application-oidc.yml, copying and pasting the client ID, client Secret and the IAM url:
oidc:
providers:
- name: elixir-aai
issuer: https://login.elixir-czech.org/oidc/
client:
clientId: <iam_elixiraai_client_id>
clientSecret: <iam_elixiraai_client_secret>
redirectUris: https://<iam_fqdn>/openid_connect_login
scope: openid,groupNames,bona_fide_status,forwardedScopedAffiliations,email,profile
loginButton:
text:
style: no-bg
image:
url: https://raw.githubusercontent.com/Laniakea-elixir-it/ELIXIR-AAI/master/login-button-orange.png
size: medium
Installation¶
In the following, both Google and ELIXIR-AAI authentication methods will be enabled. To achieve this the indigopaas-deploy/ansible/application-oidc.yml with Google and ELIXIR-AAI corresponding clients ID and clients Secret, looks like:
oidc:
providers:
- name: google
issuer: https://accounts.google.com
client:
clientId: <iam_google_client_id>
clientSecret: <iam_google_client_secret>
redirectUris: https://<iam_fqdn>/openid_connect_login
scope: openid,profile,email,address,phone
loginButton:
text: Google
style: btn-social btn-google
image:
fa-icon: google
- name: elixir-aai
issuer: https://login.elixir-czech.org/oidc/
client:
clientId: <iam_elixiraai_client_id>
clientSecret: <iam_elixiraai_client_secret>
redirectUris: https://<iam_fqdn>/openid_connect_login
scope: openid,groupNames,bona_fide_status,forwardedScopedAffiliations,email,profile
loginButton:
text:
style: no-bg
image:
url: https://raw.githubusercontent.com/Laniakea-elixir-it/ELIXIR-AAI/master/login-button-orange.png
size: medium
Create the file indigopaas-deploy/ansible/inventory/group_vars/iam.yaml with the following configured values:
iam_fqdn: <iam_vm_dns_name>
iam_mysql_root_password: *******
iam_organization_name: '<your_organization_name>'
iam_logo_url: <logo_url>
iam_account_linking_disable: true
iam_mysql_image: "mysql:5.7"
iam_image: indigoiam/iam-login-service:v1.5.0.rc2-SNAPSHOT-latest
iam_notification_disable: true
iam_notification_from: 'iam@{{iam_fqdn}}'
iam_enable_oidc_auth: true
iam_application_oidc_path: "/root/indigopaas-deploy/ansible/application-oidc.yml"
iam_admin_email: '<valid_email_address>'
Warning
Set also your custom mysql password with: iam_mysql_root_password.
Warning
Please provide a valid e-mail address, which is mandatory for Let’s Encrypt certificate creation.
It is possible to enable mail notification adding the following parameters:
iam_notification_disable: false
iam_notification_from: 'laniakea-alert@example.com'
iam_notification_admin_address: <valid_email_address>
iam_mail_host: <mail_server_address>
This is needed to allow user registration, e.g. to enable confirmation e-mails.
Run the role using the ansible-playbook command:
# cd indigopaas-deploy/ansible
# ansible-playbook -i inventory/inventory playbooks/deploy-iam.yml
Note
Default administrator credentials:
username: admin
password: password
Fig.2: IAM login page
Video tutorial¶
IAM test¶
Basic IAM tests.
Test 1: login as admin¶
Login as admin
username: admin password: password
Warning
Change the default password.
Test 2: Register a new user¶
- Click Register a new account
- Fill the form
- Login as admin and accept the request
- Login as new user
The full registration procedure is described in the Authentication section.
Test 3: Register using Google account (optional)¶
- Sign-in with Google
- Login as admin and accept the request
- Login with Google
The full registration procedure is described in the Authentication section.
Create IAM Client¶
Registered clients allow to request and receive information about authenticated end-users. Each INDIGO service must authenticate to a dedicated IAM client using a client id and a client secret.
To create a IAM client or a protetect resource, please follow these instructions:
Obtaining an IAM access token¶
To get a vaild IAM access token, please follow these instructions: