Proposed HSPC SSO Migration Plan


Preston Lee

Feb 22, 2019, 3:49:47 PM
to HSPC Platform
Hi Everyone,

Old topic, new thread. We discussed this briefly today on a Platform agenda planning call, but we all have a stake in this.

In short, with the Marketplace specification now in place, the main blocking issue is lack of a common HSPC SSO system. The Marketplace has a basic curation interface that needs to get authorization/scope information from a central SSO authority, and we are currently using multiple sources. What I propose is that we all migrate, on our own timelines, to Apache Keycloak (https://www.keycloak.org/), which is better supported than MITRE and I feel is a bit easier to administer. Keycloak supports self-registration, and this would become the system for assigning “member” status. (Laura: The Keycloak UI would be used to put individual accounts into a “Members” group that ends up getting relayed to any services requiring HSPC membership, thus allowing individual systems to know if the user is a member or not. We could do a membership “level” thing if needed, as well.) This would be jointly administered and the Sandbox could migrate on its own timeline as it sees fit, and direct access to the Postgres database can be provided to aid in migration if desired.

I have set up a dedicated AWS server for this purpose if folks would like to take a look at https://id.hspconsortium.org/.

Preston

