metadatacenter / cedar-project

Build project for all CEDAR Java repositories
https://github.com/metadatacenter/cedar-docs/wiki

LINCS single sign on #467

Closed martinjoconnor closed 7 years ago

martinjoconnor commented 7 years ago

LINCS Keycloak: https://auth.ccs.miami.edu/auth/

martinjoconnor commented 7 years ago

LINCS Keycloak registration page:

https://auth.ccs.miami.edu/auth/realms/lincs/protocol/openid-connect/auth?client_id=dst-portal&redirect_uri=http%3A%2F%2Fdev3.ccs.miami.edu%3A8080%2Fdataset-submission%2F&state=f0dec867-8a62-4534-a44c-8c45fecf0756&nonce=06665b2e-5afb-48df-8403-32c49e21dd6e&response_mode=fragment&response_type=code&scope=openid

martinjoconnor commented 7 years ago

Now works with seamless browser-based SSO redirect.

Future task for REST-level SSO here: https://github.com/metadatacenter/cedar-project/issues/505

martinjoconnor commented 7 years ago

From BaseCamp post (https://3.basecamp.com/3464236/buckets/1508912/messages/586004716):

Single Sign On

We now have SSO working so that users from the LINCS DST can be seamlessly presented with a CEDAR Metadata Editor form without going through a manual login process.

The process involves wrapping the target URL with some Keycloak redirect magic.

The incantation is as follows:

https://auth.metadatacenter.net/auth/realms/CEDAR/protocol/openid-connect/auth?client_id=cedar-angular-app&redirect_uri= <Link to target template population URL>&kc_idp_hint=keycloak-oidc-lincs&&response_mode=fragment&response_type=code&scope=openid

The wrapper is boilerplate and <Link to target template population URL> is the target link to populate a particular template (with a folder ID included), e.g., 

https://cedar.metadatacenter.net/instances/create/https://repo.metadatacenter.net/templates/e32f6c30-c201-4473-87dd-a6a455ee837f?folderId=https:%2F%2Frepo.metadatacenter.net%2Ffolders%2F41d61d5b-d5d2-4d89-acbd-d9da2bc4803f

This link should be URL-encoded so a full example URL with this link would be as follows:

https://auth.metadatacenter.net/auth/realms/CEDAR/protocol/openid-connect/auth?client_id=cedar-angular-app&redirect_uri=https%3A%2F%2Fcedar.metadatacenter.net%2Finstances%2Fcreate%2Fhttps%3A%2F%2Frepo.metadatacenter.net%2Ftemplates%2Fe32f6c30-c201-4473-87dd-a6a455ee837f%3FfolderId%3Dhttps%3A%252F%252Frepo.metadatacenter.net%252Ffolders%252F41d61d5b-d5d2-4d89-acbd-d9da2bc4803f&kc_idp_hint=keycloak-oidc-lincs&&response_mode=fragment&response_type=code&scope=openid

If you use the above link and are already logged in to LINCS in the invoking browser you should be magically redirected to CEDAR without having to log in. If you are not logged in to LINCS you will be prompted for your LINCS username and password and then redirected to the CEDAR link.

Note for the moment all submissions will go into the /Shared/LINCS/submission folder on CEDAR. We will set the permissions on the folder so that only the LINCS user associated with the REST polling call to CEDAR will have read access. Please let us know what the name of this user is and we can set the appropriate permissions.

Give it a spin and let us know if it works.
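The wrapper described in the comment above is a standard Keycloak/OIDC authorization request with a `kc_idp_hint` that pre-selects the LINCS identity provider, and the tricky part is the double percent-encoding: `folderId` is a URL inside the target link, and the target link is in turn a URL inside `redirect_uri`. The following script is an added example, written for this page and not code from the CEDAR project or from Keycloak. It builds the incantation from the realm, client and template/folder identifiers quoted in the thread, decodes it back to check the round trip, and applies the same host allowlist check that Keycloak enforces through a client's Valid Redirect URIs (so that a tampered `redirect_uri` cannot send the authorization code elsewhere). It also generates `state` and `nonce` values, which the LINCS registration URL earlier in the thread carries but the CEDAR incantation omits; adding them is good OIDC practice rather than something the thread prescribes. The function and host names are the example's own.

```python
"""Build, decode and sanity-check a Keycloak OIDC authorization URL that
pre-selects an identity provider (kc_idp_hint) and wraps a nested CEDAR
target link. Added example, not CEDAR or Keycloak project code."""
import secrets
from typing import Optional
from urllib.parse import urlencode, urlsplit, parse_qs, quote

# Values quoted in the thread, used here purely as illustration.
AUTH_BASE = "https://auth.metadatacenter.net/auth"
REALM = "CEDAR"
CLIENT_ID = "cedar-angular-app"
IDP_HINT = "keycloak-oidc-lincs"
INSTANCES_CREATE = "https://cedar.metadatacenter.net/instances/create/"
TEMPLATE = "https://repo.metadatacenter.net/templates/e32f6c30-c201-4473-87dd-a6a455ee837f"
FOLDER = "https://repo.metadatacenter.net/folders/41d61d5b-d5d2-4d89-acbd-d9da2bc4803f"


def target_url(template_url: str, folder_url: str) -> str:
    """Inner link: populate a template into a folder. folderId is itself a
    URL, so it is percent-encoded once here (':' and '/' included)."""
    return f"{INSTANCES_CREATE}{template_url}?folderId={quote(folder_url, safe='')}"


def build_sso_url(target: str, state: Optional[str] = None,
                  nonce: Optional[str] = None) -> str:
    """Wrap the target in the Keycloak authorization endpoint.
    urlencode percent-encodes redirect_uri a second time, which is why the
    folder URL ends up as %252F... in the finished wrapper.
    state ties the callback to the initiating browser session (anti-CSRF);
    nonce binds the resulting ID token to this request. Both are generated
    here when not supplied (assumed good practice, not from the thread)."""
    params = {
        "client_id": CLIENT_ID,
        "redirect_uri": target,
        "kc_idp_hint": IDP_HINT,
        "state": state or secrets.token_urlsafe(24),
        "nonce": nonce or secrets.token_urlsafe(24),
        "response_mode": "fragment",
        "response_type": "code",
        "scope": "openid",
    }
    return f"{AUTH_BASE}/realms/{REALM}/protocol/openid-connect/auth?{urlencode(params)}"


def parse_sso_url(url: str) -> dict:
    """Decode the wrapper back into its parts, including the inner folderId.
    parse_qs removes one layer of percent-encoding per level, mirroring what
    Keycloak and then the CEDAR front end each see."""
    outer = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    inner = urlsplit(outer["redirect_uri"])
    inner_q = {k: v[0] for k, v in parse_qs(inner.query).items()}
    return {
        "params": outer,
        "redirect_uri": outer["redirect_uri"],
        "folder_id": inner_q.get("folderId"),
    }


def redirect_allowed(url: str, allowed_hosts: set) -> bool:
    """Mirror the check Keycloak performs against the client's Valid Redirect
    URIs: redirect_uri must land on an expected host, otherwise the wrapper
    is an open redirect that hands the authorization code to a third party."""
    host = urlsplit(parse_sso_url(url)["redirect_uri"]).hostname
    return host in allowed_hosts


if __name__ == "__main__":
    wrapper = build_sso_url(target_url(TEMPLATE, FOLDER))
    print(wrapper)
    print(parse_sso_url(wrapper)["folder_id"])
    print("redirect host allowed:", redirect_allowed(wrapper, {"cedar.metadatacenter.net"}))
```

Running the script prints a wrapper URL of the same shape as the full example in the comment above; the decoded `folder_id` is the original folder URL, and the allowlist check passes only for the CEDAR front-end host. Registering the exact `redirect_uri` pattern on the `cedar-angular-app` client in Keycloak is what makes that check real on the server side; the client-side version here only helps catch a mis-encoded link before it is handed out.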