Actions in the PEP system are subject to access control: to be able to do anything in PEP, users must be authorized to perform that action. Authorization is granted on the basis of previously acquired enrollment data. Enrollment, in turn, is performed on the basis of an OAuth token. And such OAuth tokens are (usually) issued on the basis of prior authentication.
# Authentication
PEP does not provide its own user authentication mechanism. Instead, users authenticate themselves to an external service, e.g. by providing a user name and password on an interactive logon (web) page. Currently only the [SURFconext](https://www.surf.nl/en/surfconext-global-access-with-1-set-of-credentials) authentication service is supported.
# Role determination
The user's identity is passed to PEP's Authentication Server (AS), which determines the role for which the user will be enrolled:
- If a user is included in a single access group, the user will be enrolled for the corresponding role.
- If a user is included in multiple access groups, they'll manually select the role for which they'll enroll.
- If a user is not assigned to an access group, they'll receive an error message and won't be able to proceed.
Authentication Server stores a list of known users and the access groups assigned to them. These assignments can only be managed by members of the `Access Administrator` role.
# OAuth token
Once the (single) access group is known, Authentication Server issues an OAuth token containing information on both the user's identity and the selected access group. Serving as proof of authentication (a "license to enroll" if you will), this OAuth token is passed to PEP's Key Server for enrollment.
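The role-determination cases and the token hand-off to Key Server described above, as an added Python sketch (not PEP's own code): the real OAuth token format and signing scheme are not described on this page, so an HMAC-signed JSON payload, a shared secret and the users and group names are all constructed for illustration.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample of the Authentication Server's user/access-group list
# (in PEP this list is managed by the Access Administrator role).
ACCESS_GROUPS = {
    "alice@example.org": ["group-A"],             # single group: auto role
    "bob@example.org": ["group-A", "group-B"],    # multiple: must choose
    "carol@example.org": [],                      # none: cannot proceed
}

# Hypothetical secret shared by Authentication Server and Key Server.
AS_SECRET = b"constructed-demo-secret"


def determine_role(user, selected=None):
    """Apply the three role-determination cases from the text."""
    groups = ACCESS_GROUPS.get(user, [])
    if not groups:
        raise PermissionError(f"{user} is not assigned to any access group")
    if len(groups) == 1:
        return groups[0]
    if selected not in groups:
        raise ValueError(f"{user} must select one of {groups}")
    return selected


def issue_token(user, selected=None):
    """AS side: issue a signed token naming the user and the single group."""
    group = determine_role(user, selected)
    payload = json.dumps({"sub": user, "group": group}, sort_keys=True)
    body = base64.urlsafe_b64encode(payload.encode()).decode()
    sig = hmac.new(AS_SECRET, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def enroll(token):
    """Key Server side: verify the token before enrolling for its group."""
    body, _, sig = token.rpartition(".")
    expected = hmac.new(AS_SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        raise PermissionError("token signature invalid; enrollment refused")
    claims = json.loads(base64.urlsafe_b64decode(body))
    if not claims.get("group"):
        raise PermissionError("token names no access group; enrollment refused")
    return claims["sub"], claims["group"]
```

Key Server accepts only what Authentication Server signed, so a token edited to claim a different group is refused even though its structure is valid.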
Note that OAuth tokens can also be issued by Key Server (@@@really?@@@) administrators using the `pepToken` utility. Such OAuth tokens are structurally identical to tokens that are acquired interactively, and must also be passed to Key Server for enrollment.