The SURF Research Authentication Management method for authentication and authorization is enabled by SURF administrators at the customer's request.
However, the customer must first take care of some preliminary steps.
- The customer's organization must have an Identity Provider (IdP) connected to SRAM or use https://eduid.nl/.
- The customer's organization must have an organization entity defined in SRAM.
- The administrator of the SRAM customer's organization must provide an API token to SURF administrators.
For a new deployment of the service, that is all that is required from the customer.
SURF administrators then register the service in SRAM.
Migration from a different authentication method
If the service was configured with another authentication method and SRAM is adopted afterwards, a "migration" process is needed.
With "migration" we mean to register the existing users and groups in SRAM. They are considered registered when:
- each user has accepted an invite sent by SRAM.
- each group has been mapped to a SRAM collaboration.
User invitation to SRAM
Even if a user exists in the service, they are not automatically registered in SRAM. When a user is invited to a Yoda group, they are immediately added to it and at the same time they receive an invite via email to join an SRAM collaboration with a name derived from that of the Yoda group.
Only when the user accepts the invite, clicking on the blue button in the email message and authenticating to SRAM using their organization's IdP or eduID, then they are registered in SRAM.
In case of "migration", it is necessary to re-add all the existing users to the existing groups and trigger new invites. If the number of users is small, that process can be done manually by the support team of each organization.
In case of a large number of users, SURF will execute a procedure to automatically migrate users. However, even if the procedure is automated, each user has to accept the invite received via email.
Groups mapped to SRAM collaborations
A group is mapped to an SRAM collaboration automatically when it is created. No additional action is required.
However, in case of "migration", the existing groups have to be registered in SRAM. This can be done following these steps:
- creating a collaboration in SRAM which reflects the name of the group in Yoda prefixed with the keyword "yoda-";
- getting the unique id of the collaboration in SRAM and adding it as metadata to the Yoda group, which can be done at iRODS level by an iRODS admin;
- promoting the users who are group managers in the Yoda group to the admin role in the SRAM collaboration.
If the number of groups is small, that process can be done manually by the support team of each organization.
In case of a large number of users, SURF will execute a procedure to automatically migrate groups.
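As an added illustration of the three steps above (not code from Yoda, SRAM or SURF), the following script builds a dry-run migration plan for a set of existing Yoda groups: it derives the collaboration name with the "yoda-" prefix, validates the collaboration id before it is written into iRODS metadata, emits the imeta command an iRODS admin would run, and lists the group managers that must be promoted to collaboration admin. The AVU attribute name and the assumption that the SRAM unique id is a UUID are placeholders/assumptions, not values taken from the page; the group data is constructed sample input.

```python
import re
import shlex
import uuid

# Placeholder attribute name: the real AVU that Yoda uses to store the SRAM
# collaboration id is not given on this page, so label it clearly.
SRAM_ID_ATTRIBUTE = "PLACEHOLDER_sram_collaboration_id"

# Yoda group names are lower-case words joined by hyphens/underscores (assumption).
GROUP_NAME_RE = re.compile(r"[a-z0-9][a-z0-9_-]*")


def collaboration_name(yoda_group: str) -> str:
    """Step 1: the SRAM collaboration name is the Yoda group name prefixed with 'yoda-'."""
    if not GROUP_NAME_RE.fullmatch(yoda_group):
        raise ValueError(f"unexpected Yoda group name: {yoda_group!r}")
    return f"yoda-{yoda_group}"


def validate_collaboration_id(collab_id: str) -> str:
    """Step 2 guard: assume SRAM exposes the unique id as a UUID and refuse
    anything else, so a mistyped id never lands in the iRODS catalogue."""
    return str(uuid.UUID(collab_id))


def plan_group_migration(groups, already_mapped):
    """Build a dry-run plan: one imeta command per group that is not yet mapped,
    plus the managers to promote to collaboration admin (step 3).

    groups: list of dicts with keys name, managers, collaboration_id
    already_mapped: dict yoda_group -> collaboration id already set in iRODS
    """
    plan = {}
    for group in groups:
        name = group["name"]
        collab = collaboration_name(name)
        if name in already_mapped:
            # Idempotent: re-running the migration must not touch mapped groups.
            plan[collab] = {"commands": [], "admins": [], "status": "already mapped"}
            continue
        collab_id = validate_collaboration_id(group["collaboration_id"])
        # iRODS groups are user-type entities, so imeta takes -u for them.
        command = "imeta set -u {} {} {}".format(
            shlex.quote(name), SRAM_ID_ATTRIBUTE, collab_id
        )
        plan[collab] = {
            "commands": [command],
            "admins": sorted(group["managers"]),
            "status": "to migrate",
        }
    return plan


# Constructed sample input, not real groups or ids.
SAMPLE_GROUPS = [
    {
        "name": "research-initial",
        "managers": ["bob@uni.example", "alice@uni.example"],
        "collaboration_id": "12345678-1234-5678-1234-567812345678",
    },
    {
        "name": "research-archive",
        "managers": ["carol@uni.example"],
        "collaboration_id": "87654321-4321-8765-4321-876543218765",
    },
]
SAMPLE_ALREADY_MAPPED = {"research-archive": "87654321-4321-8765-4321-876543218765"}

if __name__ == "__main__":
    for collab, entry in plan_group_migration(SAMPLE_GROUPS, SAMPLE_ALREADY_MAPPED).items():
        print(collab, entry["status"])
        for cmd in entry["commands"]:
            print("  ", cmd)
        for admin in entry["admins"]:
            print("   promote to collaboration admin:", admin)
```

Run it as a dry run first and hand the printed imeta lines to the iRODS admin; only the admin-promotion step has to be carried out in the SRAM interface.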
Invite sender
Even though an actual person sends the invitation from within Yoda, Yoda triggers SRAM to send the invite, so the sender shown in the invitation email is the SRAM organisation administrator rather than that person.
In case there is a collaboration admin, the person listed as sender in the invitation mail is the collaboration admin. If there is no collaboration admin, the organisation administrator will be mentioned.