clowder-framework / clowder

A data management system that allows users to share, annotate, organize and analyze large collections of datasets. It provides support for extensible metadata annotation using JSON-LD and a distributed analytics event bus for automatic curation of uploaded data.
https://clowderframework.org/
University of Illinois/NCSA Open Source License

SAML Capability #338

Open nladkins opened 2 years ago

nladkins commented 2 years ago

Is your feature request related to a problem? Please describe.

Federal Regulations are requiring us to adopt Security Assertion Markup Language (SAML) Authentication for our applications. As the market shifts more toward web applications and other services hosted in the cloud, SAML use is necessary to extend user credentials beyond on-prem implementations. As of today, Clowder does not offer SAML authentication.

Describe the solution you'd like

SAML authentication is required for us to move web apps into production. We would like to see Clowder have the back-end capability of using many common SAML solutions such as login.gov. We are utilizing cloud services to host Clowder including the use of an Elastic Compute Cloud (EC2) for the Clowder web application and a Simple Storage Service (S3) for the back-end storage. Because of the growing need for using cloud services, the federal government is requiring the use of SAML to ensure secure credentialing of users.

Describe alternatives you've considered

The first option we considered was the built-in authentication capability that Clowder has to offer. During a proof-of-concept and prototype stage, this was acceptable. However, increased adoption and using Clowder to deliver some of the agency’s large-scale data to the public now requires higher standards in authentication and credentialing. Although LDAP was considered, it is tailored toward on-prem implementations. Using LDAP to authenticate with a cloud-hosted application introduces vulnerability. In fact, the U.S. Environmental Protection Agency (EPA) has prohibited any new externally hosted applications from using LDAP. Therefore, SAML capabilities are needed to extend user credentials to the cloud and other web applications.