EFPF Security Portal
- EFPF Security Portal (EFS) facilitates the federated security, SSO and security governance mechanisms in the EFPF ecosystem. The following diagram gives an overview of the Design Goals of EFS.
Figure 1 : EFS Design Goals
EFS consists of the following components:
- Keycloak: Identity Provider for EFPF, which facilitates federated identity management and Single-Sign-On with the connected platforms
- Policy Enforcement Service: Enables the enforcement of role-based access policies for the services exposed via the Data Spine, using the user roles defined for the EFPF platform.
- Latest info: Connection Details page
- EFPF Development environment: https://efpf-security-portal.salzburgresearch.at/auth/
- EFPF Testing environment: https://ds-test.smecluster.com/auth/
- EFPF Production environment: https://efpf.smecluster.com/auth/
EFPF SSO Setup
The following diagram depicts how SSO is set up in EFPF.
Figure 2 : EFPF SSO Setup
- The instructions for setting up SSO for platforms/tools/services that already have their own private Identity Providers can be found in the EFS User Guide.
- If you want to enable SSO for tools/services that do not already have an associated IdP, and therefore want to use the EFPF IdP (EFS Keycloak) as the primary IdP, refer to the SSO instructions in the User Guide 101 for Tool/Service/Data Providers instead.
How SSO is enabled and what is possible with it:
- SSO is currently achieved using “user replication”.
- When EFPF users visit an SSO-enabled (“connected”) platform for the first time, their accounts are replicated in the IdP of that platform.
- As SSO is an authentication scheme, it only enables cross-platform authentication in the EFPF ecosystem.
- Authorization needs to be enabled separately. Authorization policies can be defined on the platform/tool/service-side (or in the EFS Keycloak – tbc).
- What is possible with SSO and what is not: Currently, the top-down approach is supported, i.e., it is possible to access the resources (GUIs/APIs) of the connected platforms using an EFPF account. However, the bottom-up approach is not supported, i.e., accessing the resources of EFPF or of any other platform using PlatformX’s user account is not possible.
Note: SSO enables cross-platform authentication for EFPF accounts. Authorization (policy/permission definition, enforcement, etc.) can be handled completely on the platform/tool/service-side.
Authorization with EFS: EFS currently supports two types of permissions:
- Resource-based: The permission is applied directly to a resource created in the identity server.
- Scope-based: The permission is assigned to scopes, or to both scopes and a resource.
The above access policies are defined in Keycloak and enforced by the API Security Gateway in the Data Spine.
The following diagram shows how EFS interacts with the API Security Gateway to enforce policies in the authorization workflow.
Figure 3 : Authorization workflow with EFS and API Security Gateway
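To make the two permission types concrete, here is an added example (not EFS or Data Spine code) of the check a gateway performs on the permissions claim of a Keycloak requesting-party token (RPT). The claim layout (`authorization.permissions` with `rsid`, `rsname` and an optional `scopes` list) is Keycloak's documented RPT format; the sample token, resource names and the method-to-scope mapping are constructed for illustration.

```python
"""Gateway-side evaluation of Keycloak permissions carried in an RPT.

A permission without ``scopes`` grants the whole resource (resource-based);
a permission with ``scopes`` grants only those scopes (scope-based).
Signature and expiry validation of the token are assumed to have been
done before this step; this function only evaluates the granted permissions.
"""
from typing import Optional

# Constructed sample claims, shaped like a decoded Keycloak RPT payload.
SAMPLE_RPT = {
    "sub": "user-123",
    "realm_access": {"roles": ["efpf-user"]},
    "authorization": {
        "permissions": [
            # resource-based: no scopes, so every operation on the resource is granted
            {"rsid": "r1", "rsname": "machine-data-api"},
            # scope-based: only the listed scopes are granted on the resource
            {"rsid": "r2", "rsname": "orders-api", "scopes": ["read"]},
        ]
    },
}


def is_permitted(rpt: dict, resource: str, scope: Optional[str] = None) -> bool:
    """Return True if the RPT grants ``scope`` on ``resource``.

    Deny by default: a missing claim, an unknown resource, or a scope that is
    not listed in a scope-based permission all fail closed.
    """
    permissions = rpt.get("authorization", {}).get("permissions") or []
    for perm in permissions:
        if perm.get("rsname") != resource:
            continue
        scopes = perm.get("scopes")
        if not scopes:  # resource-based permission covers the entire resource
            return True
        if scope is not None and scope in scopes:
            return True
    return False


def enforce(rpt: dict, method: str, resource: str) -> int:
    """Map the HTTP method to a scope and return the status the gateway would send."""
    scope = {"GET": "read", "HEAD": "read"}.get(method.upper(), "write")
    return 200 if is_permitted(rpt, resource, scope) else 403
```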