EFPF Security Portal

Overview

The EFPF Security Portal (EFS) facilitates the federated security, SSO and security governance mechanisms in the EFPF ecosystem. The following diagram gives an overview of the design goals of EFS.

Figure 1: EFS Design Goals

Components

EFS consists of the following components:

  • Keycloak: Identity Provider for EFPF, which facilitates federated identity management and Single Sign-On with the connected platforms
  • Policy Enforcement Service: enforces role-based access policies for the services exposed via the Data Spine, using the user roles defined for the EFPF platform.

Connection Details

EFPF SSO Setup

The following diagram depicts how SSO is set up in EFPF.

Figure 2: EFPF SSO Setup

How-To Guides:

  • The instructions for setting up SSO for platforms/tools/services that already have their own private Identity Providers can be found in the EFS User Guide.
  • If you want to enable SSO for tools/services that do not already have an associated IdP, and therefore want to use the EFPF IdP (EFS Keycloak) as the primary IdP, refer instead to the SSO instructions in the User Guide 101 for Tool/Service/Data Providers.

How SSO is enabled and what is possible with SSO:

  • SSO is currently achieved using “user replication”.
  • When EFPF users visit an SSO-enabled (“connected”) platform for the first time, their accounts are replicated in the IdP of that platform.
  • As SSO is an authentication scheme, it only enables cross-platform authentication in the EFPF ecosystem.
  • Authorization needs to be enabled separately. Authorization policies can be defined on the platform/tool/service side (or in the EFS Keycloak – tbc).
  • What is possible with SSO and what is not: currently the top-down approach is supported, i.e., it is possible to access the resources (GUIs/APIs) of the connected platforms using an EFPF account. The bottom-up approach is not supported, i.e., accessing the resources of EFPF or of any other platform using a PlatformX user account is not possible.

Authorization

Note: SSO enables cross-platform authentication for EFPF accounts. Authorization (policy/permission definition, enforcement, etc.) can be handled entirely on the platform/tool/service side.

Authorization with EFS: EFS currently supports 2 types of permissions:

  • Resource-based: the permission is applied directly to a resource created in the identity server.
  • Scope-based: the permission is assigned to scopes, or to both scopes and a resource.

The access policies above are defined in Keycloak and enforced by the API Security Gateway in the Data Spine.

The following diagram shows how EFS interacts with the API Security Gateway to enforce policies in the authorization workflow.

Figure 3: Authorization workflow with EFS and API Security Gateway
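To make the resource-based versus scope-based distinction concrete at the enforcement point, here is an added example (not EFS or EFPF project code) of how a gateway can evaluate the permissions Keycloak places in a Requesting Party Token (RPT) under the standard `authorization.permissions` claim. The route-to-resource mapping, the sample RPT payload and the treatment of an entry without a `scopes` list as a whole-resource grant are assumptions made for the example; signature and expiry checks are assumed to happen before this step.

```python
"""Gateway-side check of Keycloak permissions carried in an RPT (added example)."""
from typing import Optional, Tuple

# Constructed route table (an assumption): (method, path prefix) -> (resource, scope)
ROUTES = {
    ("GET", "/api/factory-data"): ("factory-data", "view"),
    ("POST", "/api/factory-data"): ("factory-data", "create"),
}

def route_to_requirement(method: str, path: str) -> Optional[Tuple[str, str]]:
    """Map an incoming request to the Keycloak resource and scope it needs."""
    for (m, prefix), requirement in ROUTES.items():
        if m == method and path.startswith(prefix):
            return requirement
    return None

def is_permitted(rpt_payload: dict, resource: str, scope: str) -> bool:
    """True if the RPT grants `scope` on `resource`.

    Keycloak lists each granted permission under authorization.permissions as
    {"rsid": ..., "rsname": ..., "scopes": [...]}. An entry without "scopes"
    is treated here (assumption) as a resource-based grant covering the whole
    resource; an entry with "scopes" is a scope-based grant limited to them.
    """
    permissions = rpt_payload.get("authorization", {}).get("permissions", [])
    for entry in permissions:
        if entry.get("rsname") != resource:
            continue
        granted_scopes = entry.get("scopes")
        if granted_scopes is None or scope in granted_scopes:
            return True
    return False

def decide(rpt_payload: dict, method: str, path: str) -> str:
    """Gateway decision: default deny for unmapped routes and missing grants."""
    requirement = route_to_requirement(method, path)
    if requirement is None:
        return "deny:unmapped-route"
    resource, scope = requirement
    return "allow" if is_permitted(rpt_payload, resource, scope) else "deny"

# Constructed decoded RPT payload; signature and expiry are assumed verified upstream.
SAMPLE_RPT = {
    "authorization": {
        "permissions": [
            {"rsid": "r1", "rsname": "factory-data", "scopes": ["view"]},  # scope-based
            {"rsid": "r2", "rsname": "marketplace"},                       # resource-based
        ]
    }
}
```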
