Before users can log in to a research application, the application must be registered with SRAM and it must be connected to a collaboration:
- Registration means the administrator of the application has worked with SURF so 'bits can flow' from SRAM to the application (and back).
- If allowed, any collaboration can select the application and request a connection. Once approved (depending on configuration, this can be immediately), accounts for members of the collaboration will be created and managed automatically in the application.
- The application admin is always in control of which collaborations are allowed access.
We'll allow registration of any application that seems to be geared towards researchers. In some cases it's pretty clear an application is geared towards researchers. In other cases, there is a grey area. For instance: we know researchers often use virtual machines, which they love to spin up in clouds, as clouds offer great value, flexibility etc. So yes, we'll connect such clouds. But often, connecting such a cloud also opens up access to more generic applications.
Users on SRAM can only access an application if a collaboration admin decides to connect that application to the collaboration and invites the user to it. We assume the admin is the one who knows which applications the research collaboration needs, who should be allowed access to it, and what users should be told about what they are allowed to do and what happens with their data.
Basic checks
SRAM is great, but not the best solution for every situation. Some basic questions you might want to think about before you contact us at sram-support@surf.nl.
- If the application you want to register is:
  - web/browser-based: does it already have support for federated authentication protocols such as SAML or OIDC? If not: is there anybody willing and able to change (and maintain) the application so it is able to handle a SAML or OIDC connection?
  - a non-web application: SRAM will provision an LDAP under your control. Does your application already use an LDAP?
- Which users need to access the application?
  - Only people from the Netherlands, or also people from other parts of the world?
  - Only people with an educational account, or also people without such an account, for instance from companies?
  - Did or will the home organisation of the potential users connect their IdP to SRAM? (This can be important, but users can always use a guest IdP.)
- Do you actually need SRAM, or does SURFconext already supply what you want? SURFconext offers federated authentication for browser-based applications, teams, authorization rules, SURFsecureID (step-up/strong authentication), guest users etc.
Protocols
SRAM adheres to the following standards:
- SAML 2.0 (as implemented by SURF in SURFconext)
  - urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect (preferred, in accordance with the SAML2int profile)
  - urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST (can only be used in case your software doesn't support HTTP-Redirect)
- OpenID Connect (for application providers)
- LDAP
- SCIM
We're happy to talk to you in any case if you're interested in registering your application. What is needed on the technical side depends on your situation. We have documented some common ways of connecting your application to SRAM using SAML, OIDC or LDAP, as well as the attributes SRAM releases.
Groups, authorisation
SRAM offers collaborations the ability to organise members into groups. Group information is passed to the research application when a user authenticates and accesses it. Group information can, for instance, be used for authorization decisions: which users are allowed access to what. You would need to map group information to whatever action you want.
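As an added example (not code from SRAM's documentation), the following Python shows one way an application could map SRAM group information to its own roles. It assumes that group membership arrives as entitlement URNs of the form urn:mace:surf.nl:sram:group:&lt;organisation&gt;:&lt;collaboration&gt;[:&lt;group&gt;]; that prefix, the collaboration and group names, and the role policy are all assumptions constructed for the example, so check SRAM's attribute documentation before relying on them. The point it demonstrates is deny-by-default: a user whose entitlements do not match a collaboration and group that the application has explicitly mapped gets no role at all, and malformed or unrelated entitlements are ignored rather than guessed at.

```python
"""Map SRAM group entitlements to application roles (added example, not SRAM code)."""

# ASSUMPTION: SRAM releases group membership as entitlement URNs shaped like
#   urn:mace:surf.nl:sram:group:<organisation>:<collaboration>[:<group>]
# Verify the prefix and shape against SRAM's attribute documentation.
SRAM_GROUP_PREFIX = "urn:mace:surf.nl:sram:group:"

# Constructed policy for this example: (organisation, collaboration) -> {group: role}.
# The key None stands for "any member of the collaboration, regardless of group".
# Collaborations not listed here are not connected to this application.
ROLE_POLICY = {
    ("uni-x", "climate-model"): {None: "user", "admins": "admin"},
    ("uni-x", "bio-lab"): {"data-stewards": "steward"},
}


def parse_entitlement(urn):
    """Return (organisation, collaboration, group_or_None), or None for anything
    that is not a well-formed SRAM group URN."""
    if not urn.startswith(SRAM_GROUP_PREFIX):
        return None
    parts = urn[len(SRAM_GROUP_PREFIX):].split(":")
    if len(parts) == 2:
        return parts[0], parts[1], None
    if len(parts) == 3:
        return parts[0], parts[1], parts[2]
    return None  # malformed: ignore rather than guess


def roles_for(entitlements, policy=ROLE_POLICY):
    """Compute the set of application roles for a user's entitlements.

    Deny by default: no matching (organisation, collaboration, group) means no role.
    """
    roles = set()
    for urn in entitlements:
        parsed = parse_entitlement(urn)
        if parsed is None:
            continue
        org, co, group = parsed
        mapping = policy.get((org, co))
        if mapping is None:
            continue  # collaboration not connected to this application
        role = mapping.get(group)
        if role is not None:
            roles.add(role)
    return roles


# Constructed sample claims, as an OIDC userinfo response might carry them.
SAMPLE_CLAIMS = {
    "eduperson_entitlement": [
        "urn:mace:surf.nl:sram:group:uni-x:climate-model",         # CO member
        "urn:mace:surf.nl:sram:group:uni-x:climate-model:admins",  # group member
        "urn:mace:surf.nl:sram:group:uni-x:other-co",              # not mapped
        "urn:mace:terena.org:tcs:personal-user",                   # unrelated
    ]
}

if __name__ == "__main__":
    print(sorted(roles_for(SAMPLE_CLAIMS["eduperson_entitlement"])))
    # A bio-lab member who is not in the data-stewards group gets nothing.
    print(roles_for(["urn:mace:surf.nl:sram:group:uni-x:bio-lab"]))
```

Keep the policy table under the application owner's control and keyed on both organisation and collaboration, since collaboration short names are only meaningful within their organisation; mapping on the group name alone would let an identically named group in an unrelated collaboration pick up the role.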
Policy
We advise collaboration admins to check whether an application complies with the following (so as an application owner, you might want to check these out):
- the Research and Scholarship Entity Category (R&S)
- the GÉANT Data Protection Code of Conduct ("CoCo"), with the intent to comply with the v2 (GDPR) version of the Code of Conduct
- Sirtfi (comply with it and use it)
- the REFEDS Assurance Framework
Configuring how collaborations can connect
You need to let us know whether any collaboration is allowed to connect without your approval, or whether you want to be emailed when a collaboration wants to use your application.