Project

General

Profile

Actions

Feature #15061

closed

Redirect users to log in with correct federated identity

Added by Peter Amstutz almost 6 years ago. Updated over 5 years ago.

Status:
Resolved
Priority:
Normal
Assigned To:
Category:
-
Target version:
Start date:
04/18/2019
Due date:
% Done:

100%

Estimated time:
(Total: 0.00 h)
Story points:
5.0

Description

New design, based on discussion Apr 17

Existing user:

  1. When a user logs into a home cluster, make ajax calls to known federated cluster login endpoints to say "this browser prefers cluster X as home" which returns a cookie.
  2. User arrives at a federated cluster. The login button takes user to login endpoint on API server. User can also choose a specific home cluster for log in.
  3. Request to login endpoint includes cookie saying user prefers cluster X, which can be overridden with an explicit query parameter that indicates a home cluster
  4. API server redirects login to proper home cluster

Migrating to remote account (because you have an existing account or created one by accident)

  1. User logs in to local account
  2. User selects "migrate account" and selects home cluster X
  3. Current token is saved in local session storage and user is redirected to log into cluster X
  4. User is redirected back to cluster with salted token from cluster X
  5. Everything owned by local user is reassigned to remote user and local user is marked "redirect_to_user_uuid" to the remote
  6. User now uses token as remote user

Logging into a redirected account, no cookies or other hints telling us which cluster to use:

  1. User logs in to local account
  2. After log in, we realize redirected user is not local
  3. Display a page that says "this has been migrated to a remote account, must log in at home cluster"
  4. Redirect to home cluster
  5. User logs in a second time (Existing user flow)

Scripted user migration

  1. Admin generates list of email address and/or usernames assigned to each home cluster
  2. Get list of users on each cluster
  3. If there are user records with the email address or username that doesn't match the assigned home cluster, perform account merge
  4. Need to tweak "merge" endpoint for admin variant which accepts "old_user_uuid" and "new_user_uuid" instead of using current token / "new_user_token"

Files

users.csv (9.36 KB) users.csv Peter Amstutz, 05/08/2019 06:23 PM

Subtasks 7 (0 open7 closed)

Task #15089: Detailed designResolvedPeter Amstutz04/18/2019

Actions
Task #15140: API server updatesResolvedPeter Amstutz04/18/2019

Actions
Task #15141: Workbench2 updatesResolvedEric Biagiotti04/18/2019

Actions
Task #15142: Review 15061-fed-loginResolvedPeter Amstutz04/18/2019

Actions
Task #15208: Migration scriptResolvedPeter Amstutz04/18/2019

Actions
Task #15219: Review 15061-fed-migrateResolvedPeter Amstutz04/18/2019

Actions
Task #15221: Review workbench2 updatesResolvedPeter Amstutz04/18/2019

Actions

Related issues 3 (0 open3 closed)

Related to Arvados - Story #15088: [Workbench2] Replicate Workbench1 merge account featureResolvedEric Biagiotti05/02/2019

Actions
Related to Arvados - Feature #15064: [Workbench2] Use long-lived cookies to improve login chooser defaultsResolvedPeter Amstutz05/14/2019

Actions
Related to Arvados - Feature #15531: [SDK] Migrate federation to central LoginClusterResolvedPeter Amstutz09/23/2019

Actions
Actions

Also available in: Atom PDF