HSPC Accounts System


Travis Cummings

Dec 21, 2017, 10:55:10 AM
to HSPC Platform
Hi,

I've heard of some discussion of OpenID being used by the platform.  

Could I help out with this effort?

We've created 2 account systems for the sandbox that might be able to be used for HSPC in general:

- The Google Firebase account is used as our User Repository.  But in a larger sense, Firebase could be used as the backend for many platform efforts.  Check it out: https://firebase.google.com

- A Mitre OpenID Connect OAuth2 server is used by the HSPC Account and HSPC Sandbox systems for issuing OpenID/OAuth tokens to the Sandbox Manager website, HSPC Gallery, and others.  Our deployment of Mitre OpenID Connect uses Firebase as the user repo.  We also have versions of Mitre OpenID Connect that use LDAP and MySQL for the user repos.

Travis

Preston Lee

Dec 21, 2017, 12:27:54 PM
to HSPC Platform
For sure!

The existing issuer we have set up is https://id.hspconsortium.org/ , just upgraded yesterday, and Isaac and I are testing and getting through initial integrations with both the new website (https://www.hspconsortium.org) and Marketplace prototypes. Some of the existing multi-identity management stuff is built into the Marketplace, but I’m going to scrap it because it should really be either part of the www app or a separate microservice. Firebase is pretty cool, but ultimately I didn’t use it (nor Gluu) because, being a “reference platform”, I didn’t want to violate our own policies of sticking to F/OSS-licensed software, limited to MIT, Apache 2 and BSD *-clause variants. Is there a similar F/OSS solution you’d recommend? …maybe something with SCIM support like OSIAM that can easily be integrated? …or do you think porting your self-serve account management app over to the “on-prem” PostgreSQL-backed issuer would make more sense? It’d obviously be nice to *not* need a custom app, if possible, though MITREid unfortunately does not support SCIM.

Brain dumping here, a few org-level stories should include:

- As a non-member user new to HSPC, I want to sign up for a free HSPC ID so I can use non-member services to which all identities are granted access, so I don’t need to wait to explore the ecosystem of HSPC-hosted or 3rd-party-authorized services.
- As a new user with an HSPC membership, either individual or through an organization, I want to sign up for an HSPC ID so I can use the services to which I’m allowed access.
- As a user, I want my email address validated at all times so authorized services may confidently send email to the address registered against my identity.
- As a user, I can change my password whenever I want so I can respond to security incidents as quickly as possible.
- As an HSPC manager, I can manage the membership levels assigned to individual users centrally, so I don’t have to make changes to every individual service.

Obviously there are some nuances and details here that need to be smoothed, such as how exactly custom membership claims should/will work, “groups”, etc., but I think the overall approach makes sense. I don’t like how MITREid doesn’t support SCIM, but it works well... and hey, it still feels less icky than CAS. ;)

Preston


Scott Narus

Dec 21, 2017, 12:39:33 PM
to Preston Lee, HSPC Platform

I would like to be sure that we do not set up a second HSPC account system that requires users of the developer/sandbox sites to create a new account. I would prefer that we just expand what we have already set up for the sandbox. I don’t understand from Preston’s email below what the direction is. If there is some compelling reason to migrate to a different solution, then I would really like to figure out if we can migrate current accounts without disruption. Again, I do not want to create duplicate account systems. I also do not want to spend a lot of resources having our sandbox team reconfigure our current authentication/authorization solution, as we have limited funds for this and higher priorities.

-scott

Preston Lee

Dec 21, 2017, 2:26:58 PM
to HSPC Platform
I think everyone would agree that we don't want multiple IdPs, and that we should merge efforts. I'd spoken to Rick about this as well, but we never got into the details until now. The IdP I'm referring to is what we had discussed at the 14th General Meeting. It's summarized here, though mentally regex out Gluu for MITREid: https://healthservices.atlassian.net/wiki/spaces/PE/pages/106167539/Identity+and+Access+Management+for+HSPC+Services

So it sounds like the big immediate question is how to best de-dupe this. We're all running MITREid, but have different user stores and not a single management solution. The "https://id.hspconsortium.org/" issuer is a standalone v1.3.1 instance in us-east, and there are actually only a few relevant tables to user migration if that's what we want to do. It's built as a Maven overlay and doesn't currently have any custom code.

Preston

Travis Cummings

Dec 26, 2017, 12:25:20 PM
to Preston Lee, HSPC Platform, Mike Bylund, Nikolai Schwertner, Rick Freeman, Laura Heermann (laura.heermann@imail.org)
Hi All,

Wrapping my head around this problem, it seems like we have these main use cases:

1) Internal tools used by HSPC collaborators and operations like AWS, Atlassian Confluence and Bitbucket, GitHub, Gmail, MailChimp, etc., each having their own user identity and user management solution

2) HSPC Sandbox cloud web app:
  a) User id for the purpose of owning FHIR servers, owning app registrations, and collaborating with team members
  b) Synthesized authorization for the purpose of completing the SMART on FHIR authorization flow for a persona (simulated clinician or patient). Note: SOF flow for a user (not a persona) is deprecated.
  c) User authorization roles (ex: a few admin accounts)
  d) (unplanned, future) ability to make payments to purchase a license (ex: "Pro" license allowing more HSPC tools or FHIR server space)
  e) (unplanned, future) ability to have user authorization based on current license
  f) (unplanned, future) ability to have SSO from larger user organizations (for example, Intermountain Healthcare)

3) HSPC Sandbox code artifacts
  a) These are open source projects in Bitbucket, with committers role managed in Bitbucket

4) HSPC Platform cloud web app (please correct me)
  a) User id for the purpose of managing the site (roles and groups)
  b) User id for the purpose of downloading components to a site installation (account)
  c) Ability to make payments to purchase components or purchase a license
  d) Ability to have user authorization based on a purchase or a current license

5) HSPC Platform code artifacts (please correct me)
  a) These are open source projects in GitHub?

6) HSPC Platform site installation (please correct me)
  a) Ability to download components into a site installation (authorization within the site installation, not the cloud web app of #5)
  b) Ability to download a user management component into a site installation
  c) Ability to manage users (id and authorization) within the user management component
  d) SSO for the institution associated with the site installation

Did I miss any major use cases within HSPC for identity and authorization?

Travis
