Register your application
Please start by filling out the application registration form. (Or, on the acceptance environment, use that form instead.)
As soon as we have processed your request, we will contact you with further information if necessary.
If you don't know where to start, we can help you. Please contact us at sram-support@surf.nl.
Authentication
In order for a user to log in to an application using SURF Research Access Management (SRAM), the user needs to authenticate. Depending on the authentication method, a number of attributes are released to the application on a successful authentication. An application can use attributes to identify the user, display their name and email address, provide the user with the right permissions based on memberships of collaborative organisations and groups, et cetera.
In some cases, some of the user attributes need to be provisioned to the application before the user's first authentication:
- If the server needs to prepare the account before the user can authenticate, e.g., by creating a home directory or running scripts. In this case just-in-time provisioning is not possible.
- If the authentication method doesn't provide all the required attributes, e.g., SSH only providing a username.
Web based
SAML
SAML 2.0 is a browser based authentication protocol. It provides all available attributes about the authenticating user and their memberships.
Its functionality is considered equivalent to OIDC.
How to connect an application using SAML.
OIDC
OpenID Connect is a browser based authentication protocol. It provides all available attributes about the authenticating user and their memberships.
Its functionality is considered equivalent to SAML.
How to connect an application using OpenID Connect.
Command line
Read the explainer about Using a CLI like SSH or iCommands.
SSH public key
SSH public keys are widely used to authenticate a user logging into an SSH server. This method only provides an SSH username as an attribute to the application (the 'short username' in the list of attributes), and the SSH public key needs to be provisioned to the server before the user can log in. Both LDAP and SCIM can provide a server with the user's SSH keys.
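The provisioning-before-authentication flow described above (account state created from LDAP or SCIM data first, SSH login later presenting only a short username and a key), as an added example that is not SRAM's own code. The record shape is constructed: 'userName' follows the SCIM core schema, while the 'sshPublicKeys' attribute name is an assumption, not SRAM's actual attribute.

```python
"""Pre-provision SSH accounts from user records, then check a login by short username + key.

Added example, not SRAM's code. 'userName' is SCIM core; 'sshPublicKeys' is an assumed name.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample records, shaped like a provisioning feed (LDAP or SCIM) might deliver them.
PROVISIONED_USERS = [
    {"userName": "jdoe_example", "sshPublicKeys": [
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyDataExampleKeyDataExampleKeyData1 jdoe"]},
    # A deprecated key type: dropped during provisioning, so this user has no usable key yet.
    {"userName": "asmith_example", "sshPublicKeys": ["ssh-dss AAAAB3NzaC1kc3MAAACBExample asmith"]},
]

ALLOWED_KEY_TYPES = {"ssh-ed25519", "ecdsa-sha2-nistp256", "rsa-sha2-512", "ssh-rsa"}
B64 = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def key_id(line: str) -> Tuple[str, str]:
    """Identify a key by (type, base64 blob); the trailing comment is ignored, as sshd does."""
    parts = line.split()
    return (parts[0], parts[1]) if len(parts) >= 2 else ("", "")


def valid_key(line: str) -> bool:
    """Accept 'type blob [comment]' lines of an allowed type; reject options prefixes and junk."""
    ktype, blob = key_id(line)
    return ktype in ALLOWED_KEY_TYPES and bool(B64.match(blob))


def provision(records: List[dict]) -> Dict[str, dict]:
    """Step run before first login: create the account state the SSH server needs."""
    accounts: Dict[str, dict] = {}
    for rec in records:
        name = rec["userName"]
        keys = [key_id(k) for k in rec.get("sshPublicKeys", []) if valid_key(k)]
        accounts[name] = {"home": f"/home/{name}", "authorized_keys": keys}
    return accounts


def ssh_login(accounts: Dict[str, dict], short_username: str, presented_key: str) -> bool:
    """At login SSH supplies only the short username and a key; both must already be provisioned."""
    account = accounts.get(short_username)
    if account is None:
        return False  # unknown user: nothing can be created just in time here
    return key_id(presented_key) in account["authorized_keys"]
```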
PAM web login
PAM web login brings federated authentication to a terminal based login, e.g., enabling login to an SSH server. This method only provides an SSH username as an attribute to the application (the 'short username' in the list of attributes). To provide the user with the right permissions, provisioning is required.
Read more about PAM web login.
Provisioning
LDAP and SCIM provide the same set of attributes.
LDAP
LDAP is a time-tested protocol and provides attributes about the users that can log into the application, before they do.
How to connect an application to LDAP.
SCIM
SCIM is a modern API that provides attributes about the users that can log into the application, before they do. The application can act as a SCIM client and/or SCIM server.