---
title: About Authenticators
teaching: 20
exercises: 0
questions: Question here
objectives: List the objectives
keypoints: List the key takeaways for the episode
workshopOverviewName: "COmanage Workshop: Managing Identities & Collaborations"
workshopOverviewURL:
lessonOverviewName: CO330 - Linking to Systems Outside of COmanage
lessonOverviewURL: ../index.md
previousEpisodeName: CO Services
previousEpisodeURL: /_episodes/02-coServices.md
nextEpisodeName:
nextEpisodeURL:
---

4. About Authenticators

Authenticators are used to prove a CO Person's identity to an application or service. An Authenticator combined with an Identifier is a credential.

How Authenticators Work

Because Authenticators are collaboration-issued, they are attached to the CO Person⚙️, not to Org Identities⚙️. In general, COmanage does not know how to validate Authenticators; they (or metadata about them) are simply stored in the COmanage database. Authenticators are passed to the provisioning infrastructure, so that Provisioning Plugins may use the Authenticator information to populate downstream services. For example, the LDAP Provisioner Plugin may write a user password or SSH key attribute using Authenticator data. We will be talking in depth about provisioning tomorrow.

Accessing services with authenticators

Although COmanage is built around the concept of external identity, there are a number of use cases where it makes sense for collaboration-managed credentials to be used to access services, including:

  • Using SSH Keys or Passwords to log in to UNIX-based servers.
  • Certificate access to grid computing resources.
  • Multi-factor authentication, using a collaboration-issued second factor.

Terminology

There are multiple concepts with similar names. Here are their definitions:

  • Authenticator Plugin: A COmanage Plugin that implements the interfaces to a specific authentication technology (such as Passwords or SSH Keys).
  • Authenticator Backend: An instantiated Authenticator Plugin, that is, an Authenticator Plugin with a specific configuration.
  • Authenticator: A specific instance of an authenticator attached to a CO Person, e.g. a given person's password.

Single vs Multiple Values

Authenticator Backends can support single or multiple values, as determined by the Authenticator Plugin. In general, whether an Authenticator Plugin supports multiple values depends on whether it makes sense for the CO Person to be able to manage multiple Authenticators of the same type for themselves.

For example, the Password Authenticator Plugin is single-valued, meaning each instantiated backend may only have one password associated with it. (Each CO Person⚙️ has one password per backend.) If you want to allow multiple passwords to be managed, you can instantiate multiple Backends; within a single Backend, a CO Person cannot create a second password for themselves.

On the other hand, the Certificate Authenticator Plugin is multi-valued, meaning each instantiated backend may support multiple certificates. (Each backend can hold many Certificates per CO Person⚙️.) This allows a CO Person to upload multiple certificates to attach to their record in COmanage.

Authenticator Operations (LDAP - maybe too much?)

Registry supports the following operations on Authenticators for a CO Person:

  • Manage: Set or change the current Authenticator (for example, change a password). This operation may be performed by the CO Person (self service) or an administrator.
  • Lock: Lock the Authenticator so it may not be changed or used. When locked, the Authenticator is not available to provisioners. This operation may only be performed by an administrator. For Authenticator Backends that support multiple values, locking applies to the entire Authenticator Backend (i.e. all Authenticators for the CO Person, including the ability to add new ones).
  • Unlock: Unlock the Authenticator so it may again be changed or used. If previously set, the original value is retained. This operation may only be performed by an administrator. For Authenticator Backends that support multiple values, unlocking applies to the entire Authenticator Backend.
  • Reset: Clear the current Authenticator. This operation may only be performed by an administrator. Once reset, the CO Person may again manage the Authenticator (if it is not locked). This operation is not supported for Authenticator Backends that support multiple values, although individual values may be edited or deleted.
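The following Python model ties together the three rules described above: single- versus multi-valued backends, the Manage/Lock/Unlock/Reset operations and their administrator-only restrictions, and the fact that a locked Authenticator is withheld from provisioners (so an LDAP provisioner would stop writing the password or SSH key attribute). This is an added illustration, not COmanage Registry code; the class and method names (AuthenticatorBackend, PersonAuthenticators, manage, lock, unlock, reset, provisioning_view, ldap_attributes) and the attribute names userPassword and sshPublicKey are assumptions chosen to mirror the lesson, and the sample hashes and keys are constructed placeholders.

```python
# Toy model of the Authenticator semantics described in this lesson.
# Added illustration only, not COmanage Registry code; all names here are
# assumptions mirroring the operations the lesson lists.
from dataclasses import dataclass, field


class AuthenticatorError(Exception):
    """Raised when an operation is not permitted in the current state."""


@dataclass
class AuthenticatorBackend:
    """An instantiated Authenticator Plugin, e.g. a Password or SSH Key backend."""
    name: str
    multi_valued: bool   # decided by the plugin, not by configuration
    ldap_attribute: str  # attribute a provisioner would populate (assumed name)


@dataclass
class PersonAuthenticators:
    """One CO Person's Authenticators for one backend, plus the lock state."""
    backend: AuthenticatorBackend
    values: list = field(default_factory=list)
    locked: bool = False

    def manage(self, value, by_admin=False):
        """Set or change the Authenticator (self service or administrator)."""
        if self.locked:
            raise AuthenticatorError(f"{self.backend.name} is locked")
        if self.backend.multi_valued or not self.values:
            self.values.append(value)
        else:
            # Single-valued backend: "change" replaces the one value; a CO
            # Person cannot hold a second password in the same backend.
            self.values[0] = value

    def delete_value(self, value, by_admin=False):
        """Remove one value from a multi-valued backend (refused while locked)."""
        if self.locked:
            raise AuthenticatorError(f"{self.backend.name} is locked")
        self.values.remove(value)

    def lock(self, by_admin=False):
        """Administrator only; applies to every value in the backend."""
        if not by_admin:
            raise AuthenticatorError("only an administrator may lock")
        self.locked = True

    def unlock(self, by_admin=False):
        """Administrator only; previously set values are retained."""
        if not by_admin:
            raise AuthenticatorError("only an administrator may unlock")
        self.locked = False

    def reset(self, by_admin=False):
        """Administrator only; clears the value of a single-valued backend."""
        if not by_admin:
            raise AuthenticatorError("only an administrator may reset")
        if self.backend.multi_valued:
            raise AuthenticatorError("reset is not supported for multi-valued "
                                     "backends; edit or delete single values")
        self.values.clear()

    def provisioning_view(self):
        """What a Provisioning Plugin receives: nothing while locked."""
        return [] if self.locked else list(self.values)


def ldap_attributes(person_auths):
    """Attribute map a hypothetical LDAP provisioner would write for a person.

    A locked backend contributes nothing, so locking an SSH Key backend
    removes the person's keys downstream on the next provisioning run.
    """
    attrs = {}
    for pa in person_auths:
        vals = pa.provisioning_view()
        if vals:
            attrs[pa.backend.ldap_attribute] = vals
    return attrs


def demo():
    """Walk through the operations with constructed sample values."""
    password = AuthenticatorBackend("Password", False, "userPassword")
    ssh = AuthenticatorBackend("SSH Key", True, "sshPublicKey")
    pw, keys = PersonAuthenticators(password), PersonAuthenticators(ssh)
    pw.manage("{SSHA}hash-1")  # constructed placeholder, not a real hash
    pw.manage("{SSHA}hash-2")  # change: replaces rather than adds
    keys.manage("ssh-ed25519 AAAAC3KEY1 alice@example.org")  # constructed
    keys.manage("ssh-ed25519 AAAAC3KEY2 alice@example.org")  # constructed
    keys.lock(by_admin=True)            # keys vanish from provisioning
    while_locked = ldap_attributes([pw, keys])
    keys.unlock(by_admin=True)          # both keys are still present
    pw.reset(by_admin=True)             # administrator clears the password
    return while_locked, ldap_attributes([pw, keys])


if __name__ == "__main__":
    print(demo())
```

Running the module prints the provisioner's view at two points: while the SSH Key backend is locked only the password attribute remains, and after the unlock and password reset only the two keys remain. The model deliberately does no validation of the stored values, matching the lesson's point that Registry stores Authenticator data and leaves interpretation to the plugins and provisioners.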

Hands On - setting up an SSH Authenticator

Install the authenticator

Configure the authenticator

  1. Sign in (CO Admin and CMP Admin?)
  2. Go to CO & CO Configuration
  3. Go to the Authenticators link
  4. Select Add Authenticator
  5. Configure the SSH plugin that you just installed
  6. Use it?

Terminology & resources

COmanage Objects ⚙️

| Object | Description | Introduced in |
| --- | --- | --- |
| Identifier⚙️ | Objects that enable one to connect the information stored about people within the COmanage platform to representations of the same people in systems outside of COmanage | CO330-01 |
| CO Service⚙️ | Services or applications that can be configured for CO Persons⚙️ to have access to by participating in the organization or collaboration. | CO330-02 |
| **CO320 - Modeling Your Organization in COmanage** | | |
| CO⚙️ | Any formal or informal group of individuals that work collaboratively in a digital setting. They have a goal of a shared infrastructure that supports their collaborations so that the traditional limitations of localized applications may be overcome. | CO320-01 |
| COU⚙️ | An organizational structure within a CO that differs in how individuals join and/or leave the group, how applications get provisioned or deprovisioned, who manages person membership and privileges in the group, or in the information stored or used about members of the group. | CO320-02 |
| CO Group⚙️ | A specific COmanage organizational structure for representing certain collections of CO Persons⚙️ | CO320-03 |
| CO Department⚙️ | A COmanage object that is used to model organizational departments. They can be used to store a number of attributes about the department, including telephone numbers, email addresses, URLs, identifiers, and the sets of people associated with specific responsibilities within the department. | CO320-04 |
| **CO310 - Modeling People in COmanage** | | |
| CO Person⚙️ | The representation of a person in COmanage | CO310-01 |
| CO Group⚙️ | A specific COmanage organizational structure for representing certain collections of CO Persons⚙️ | CO320-03 |
| Organizational Identity Source⚙️ | Information about a person as obtained from an external source such as LDAP, netFORUM or ORCID | CO310-02 |
| Organizational Identity Source Records⚙️ | COmanage's cached copy of the values held at the source | CO310-02 |
| CO Person Role⚙️ | The representation of a person's role in COmanage. This object describes the person's role with certain collections of people within your organization or collaboration. These objects are attached to CO Person⚙️ objects; there may be any number of Roles. | CO310-04 |

CO Person Roles 👑

| Role | Description | Introduced in |
| --- | --- | --- |
| **CO320 - Modeling Your Organization in COmanage** | | |
| CMP Administrators👑 | CMP Administrators are effectively super users, with the ability to perform almost all operations on the platform. | CO320-01 |
| CO Administrators👑 | CO⚙️ Administrators are super users within a CO. These individuals belong to the CO:admins group of the CO⚙️. | CO320-01 |
| System Administrators👑 | System Administrators have privileges that enable them to maintain the COmanage application. | CO320-01 |
| COU Administrators👑 | Individuals that have the ability to perform lifecycle management operations on the CO People⚙️ who have CO Person Roles⚙️ associated with the COU⚙️. | CO320-02 |

Worksheets

| Worksheet | Description | Introduced in |
| --- | --- | --- |
| **CO320 - Modeling Your Organization in COmanage** | | |
| Modeling Organization 📝 | Planning sheet used in this lesson for understanding how the parts of the COmanage Organization fit together | CO320 |
| CO Planning Worksheet 📝 | Planning worksheet for creating your CO(s). Contains all of the configuration sections at a glance | CO320-01 |
| COU Planning Worksheet 📝 | Planning worksheet for creating your CO(s). Contains all of the configuration sections at a glance. | CO320-02 |
| CO Group Planning Worksheet 📝 | Planning worksheet for creating your CO Group(s). Contains all of the configuration sections at a glance. | CO320-03 |
| **CO310 - Modeling People in COmanage** | | |
| Modeling People 📝 | Planning sheet used in this lesson for understanding how to model people in COmanage. This sheet is used to organize how specific people and their relationships would be expressed within COmanage | CO310 |

PREVIOUS SECTION: 2. CO Services⚙️


LESSON OVERVIEW: CO330 - Linking to Systems Outside of COmanage

NEXT LESSON: CO340 - Workflows: Enrollment

WORKSHOP OVERVIEW: COmanage Workshop: Managing Identities & Collaborations
