Note

work in progress

Description

The Account service offers operations to manage a CollectionSpace account. To securely access the CollectionSpace services, an account for a user is required in the system. An account is associated with an identity. The identity could reside in the CollectionSpace Identity Provider (CS IdP), which is the default identity provider. It could also reside in a foreign identity provider, such as an institution's single sign-on (SSO) system (e.g. CalNet, https://calnet.berkeley.edu/), or an OpenID provider (http://openid.net/get-an-openid/).

The Account service also provides a user management interface for the CS IdP.
Note

In release 0.4 only CS IdP is supported.

Key Concepts

A CollectionSpace user's identity could reside in the default identity provider or a foreign identity provider. The Account Service manages an identity only if the identity is stored in the realm managed by the default identity provider. That means the Account Service also provides identity management functions for the default identity provider.

...

Relationships

The following describes the relationship between an Account, a Person and a User in the default identity provider.

  • An account is associated with one person.
  • An account could be associated with one or more tenants.
  • An account is always associated with one user identity. This user identity could be managed by CS IdP or by a 3rd party identity provider.

Assumptions

  1. Tenant provisioning has already taken place before provisioning any account for that tenant.
  2. At the time of provisioning a tenant, an administrator account is provisioned off-band (without using the account service).
  3. Account service is not a management interface for the 3rd party identity providers.


Account Provisioning

Every user of CollectionSpace should complete a registration or signup process. This process is called account provisioning. During this process, in addition to typical user-specific attributes such as screen name, userid, password (only for the default identity provider, the CollectionSpace Identity Provider (CS IdP)), email, etc., the system would explicitly ask the user to provide tenant-specific information. This information could include a unique tenant identifier, tenant name, etc. It would be possible to associate multiple tenants (e.g. all of BNHM) with the same account. On successful completion of the request, the system would create an entry for the user in its Accounts database. The system would also associate that account with the given tenant(s).

How to obtain tenant specific information?

The tenant-specific information should be available to the user from the tenant organization. For example, the administrator of the Museum of Moving Images (MMI) could provide this information to the users of the MMI collection on CollectionSpace. It is assumed that the tenant is already provisioned in CollectionSpace.

Approval process

If users are registered by a tenant administrator, no approval would be necessary during account provisioning. If that is not the case and the user is self-registering, approval by the tenant would be needed for the account provisioning process to complete. On successful approval from the tenant administrator(s), the user would be associated with the respective tenant(s). Note that it should be possible for a tenant administrator to associate an already registered user with the tenant.

Account Provisioning Scenarios

This section describes how accounts are provisioned in CollectionSpace. There are two scenarios.

  1. Account for a user managed by CollectionSpace's default identity provider
  2. Account for a user managed by a 3rd party identity provider such as CalNet, LDAP, OpenId provider, etc.

User managed by CollectionSpace identity provider (CS IdP)

  1. The account create (POST) request from the service consumer provides account information including the user id and one or more tenant ids with which the user is associated.
  2. The account service creates an account.
  3. The Person service is called to create a person.
  4. The account service registers the userid and password with the CS IdP.
  5. The account service associates the given tenant(s) with the account.

User managed by a 3rd party identity provider

  1. The account create (POST) request from the service consumer provides account information including the user id and one or more tenant ids with which the user is associated.
  2. The account service creates an account.
  3. The Person service is called to create a person.
  4. The account service associates the given tenant(s) with the account.
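The two provisioning scenarios and the approval process above, modelled as an added example (not CollectionSpace code): the CsIdp and PersonService stand-ins, the provisioned tenant set and the pending/active states are assumptions. A password is accepted only for a CS IdP user and is stored hashed, the service never registers anything with a 3rd party identity provider, and a self-registered user's tenant association stays pending until a tenant administrator approves it.

```python
import hashlib
import secrets
from dataclasses import dataclass, field
# Constructed sample: tenants are provisioned before any account (assumption 1 on the page).
PROVISIONED_TENANTS = {"mmi", "bnhm"}
def _hash_password(password: str) -> str:
    # Only the CS IdP holds credentials; keep a salted PBKDF2 hash, never the plaintext.
    salt = secrets.token_bytes(16)
    return salt.hex() + "$" + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000).hex()
@dataclass
class Account:
    userid: str
    person_id: str
    provider: str                                # "cs-idp" or a foreign provider name (assumed labels)
    tenants: dict = field(default_factory=dict)  # tenant id -> "active" | "pending"
class CsIdp:
    """Stand-in for the default identity provider's credential store."""
    def __init__(self):
        self.users = {}
    def register(self, userid, password):
        self.users[userid] = _hash_password(password)
class PersonService:
    """Stand-in for the Person service, the system of record for personIds."""
    def __init__(self):
        self.people = {}
    def create(self, screen_name):
        person_id = f"person-{len(self.people) + 1}"
        self.people[person_id] = screen_name
        return person_id

def provision_account(request, idp, persons, registered_by_tenant_admin):
    """Runs the page's two scenarios; a password is accepted only for CS IdP users."""
    provider = request.get("provider", "cs-idp")
    unknown = set(request["tenants"]) - PROVISIONED_TENANTS
    if unknown:
        raise ValueError(f"tenant(s) not provisioned: {sorted(unknown)}")
    if (provider == "cs-idp") != bool(request.get("password")):
        raise ValueError("a password is required for, and only for, CS IdP accounts")
    acct = Account(request["userid"], persons.create(request["screen_name"]), provider)
    if provider == "cs-idp":  # step 4 of the CS IdP scenario; the service never touches a 3rd-party IdP
        idp.register(request["userid"], request["password"])
    # Approval process: tenant-admin registrations are active at once; self-registrations wait.
    acct.tenants = {t: "active" if registered_by_tenant_admin else "pending" for t in request["tenants"]}
    return acct

def approve_tenant(acct, tenant_id):
    # A tenant administrator's approval completes a self-registered association.
    if acct.tenants.get(tenant_id) != "pending":
        raise ValueError(f"no pending association for tenant {tenant_id}")
    acct.tenants[tenant_id] = "active"
```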

Issues

See the issue "sign up a user" in Authentication Service Description and Assumptions.

Note

  • The Person Service is the System of Record (SOR), or authoritative data source, for personIds.
  • The SOR for systemIds is TBD.

References

  1. Authentication Service Description and Assumptions
  2. CollectionSpace Identity Provider (CS IdP)
  3. Design notes for multi-tenancy in CollectionSpace

Questions