Integration with external identity management systems

I am assisting an organization with deployment and integration of GEN3. The organization has an identity management system that includes a person registry and group registry. People are onboarded into the organization via the person registry using enrollment workflows and once the person is onboarded their identity/roles is/are added to appropriate groups in the group registry. Both the person registry and group registry authenticate users using federated identities made available via eduGAIN/InCommon.

The organization would like enrolled users in the person registry to automatically become users in the GEN3 deployment with some GEN3 policies/roles (perhaps all) managed using membership in groups in the group registry.

For example, if a user is a member of the group project-abc-metadata-submitters in the group registry, then the user should automatically be granted a role metadata-submitter on the resource /projects/project-abc in GEN3 when the user onboards into the identity management system.

Since the person registry and the group registry have plugin capabilities that allow external calls to remote systems, and since both the Fence and Arborist tools have REST APIs, I believe the integration with the identity management system outlined above is possible.

Do the GEN3 identity and access management experts concur?

I note that the Fence API does not appear to include a call to create a user. I think it requires dropping a YAML file into place and executing a command. I can envision an integration where that is accomplished during onboarding with a plugin that is more "sophisticated" than just invoking a REST call on the Fence API.

Does that seem plausible to the GEN3 identity and access management experts?

Hello @skoranda,
thank you for your question.

Gen3 works with two different terminologies: AuthN and AuthZ.

AuthN establishes "who you are" with the application through communication with an Identity Provider.

AuthZ establishes "what you can do" and "which resources you have access to" within the application.

Currently, Fence does support AuthN with eduGAIN and InCommon, but Fence does not support AuthZ syncing from anything other than what is written in the user.yaml file and dbGaP.

Thank you for raising this important use case in our Forum. I will communicate this with our developers.

We're looking at the same sort of IdM integration, for the same use cases. In looking around it seems there is a mechanism to trigger a sync into Fence - is that the mechanism you're referring to?

Hi @ndjones, welcome to the forum.

The mentioned Fence API in the link shared does not include endpoints to update AuthZ.

However, you can set up an SFTP server with authorization information by adding the configuration in the dbGaP list in the fence config file. The format of files on the server is described here. The other option is to generate a user.yaml file from your AuthZ source.

Best regards.
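As an added example (not code from this thread or from the Gen3 project), the second option above, generating the policies and users sections of a user.yaml from group-registry membership, using the project-abc case from the original question. The group-to-role table, the usernames, the policy id scheme and the assumption that the referenced roles and resources are already defined in the file's authz.roles and authz.resources sections are all constructed for illustration.

```python
"""Build the policies/users part of a Gen3 user.yaml from group membership."""
import json

# Constructed allow-list: group-registry group -> (Arborist role id, resource path).
# Only groups listed here grant anything; any other group is ignored (deny by default).
GROUP_MAP = {
    "project-abc-metadata-submitters": ("metadata-submitter", "/projects/project-abc"),
    "project-abc-readers": ("reader", "/projects/project-abc"),
}


def policy_id(role_id, resource_path):
    # Deterministic policy id, e.g. "metadata-submitter_projects_project-abc".
    return role_id + resource_path.replace("/", "_")


def build_user_yaml(memberships, group_map=GROUP_MAP):
    """memberships: {username: [group, ...]} as exported from the group registry.

    Returns (doc, unmapped): doc is a dict in user.yaml shape with an
    authz.policies list and a users mapping; unmapped lists groups that were
    seen but are not in the allow-list, so an operator can review them.
    """
    policies, users, unmapped = {}, {}, set()
    for username, groups in sorted(memberships.items()):
        user_policies = []
        for group in sorted(set(groups)):
            if group not in group_map:
                unmapped.add(group)
                continue
            role_id, resource_path = group_map[group]
            pid = policy_id(role_id, resource_path)
            policies[pid] = {"id": pid, "role_ids": [role_id],
                             "resource_paths": [resource_path]}
            user_policies.append(pid)
        # Enrolled users with no mapped group still get an entry, with no policies.
        users[username] = {"policies": user_policies}
    doc = {"authz": {"policies": [policies[p] for p in sorted(policies)]},
           "users": users}
    return doc, sorted(unmapped)


def to_yaml(doc):
    # PyYAML gives the usual block style; JSON is valid YAML, so it is a safe fallback.
    try:
        import yaml
        return yaml.safe_dump(doc, sort_keys=False)
    except ImportError:
        return json.dumps(doc, indent=2)
```

Regenerating the whole file from the registry on every sync, rather than appending to it, is what makes a revoked group membership drop the corresponding policy at the next sync.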