Abstract¶
COmanage is a user management system designed for academic and research collaborations. Rubin Observatory will use COmanage (as provided by CILogon) as the user identity store and group management system for the Rubin Science Platform. This tech note provides the specific details of the COmanage configuration used by the Science Platform and summarizes remaining COmanage work.
Note
This is part of a tech note series on identity management for the Rubin Science Platform. The primary documents are DMTN-234, which describes the high-level design; DMTN-224, which describes the implementation; and SQR-069, which provides a history and analysis of the decisions underlying the design and implementation. See the references section of DMTN-224 for a complete list of related documents.
Administrators¶
We use separate installations of COmanage for the three IDF environments so that we can test configuration changes and integrations without breaking other environments.
Each installation has at least two collaborations: the COmanage internal collaboration, and the LSST collaboration. The latter is where all the users are configured. It may have additional collaborations in the future to support delegated group management for specific science collaborations or other subgroups of users.
There are, correspondingly, two types of administrators for the COmanage instance.
Platform Administrators are users who are members of the COmanage internal collaboration and the CO:admins
group of that collaboration.
They can make any changes to any collaboration.
Regular administrators are members of the CO:admins
group of the LSST collaboration, but are not members of the COmanage collaboration (and thus will not see it in the UI).
They can approve petitions (COmanage’s term for approving new users), change user attributes, and manage any groups in the LSST collaboration, but don’t have special powers outside of that collaboration.
It’s possible to grant access to approve petitions to a different group by changing the enrollment flow configuration.
That plus making the people handling approval owners of any groups they may need to update would allow us to remove CO:admins
permissions in favor of more limited access.
Currently, we haven’t bothered with this.
Warning
Always use incognito or private browsing when juggling multiple identities in COmanage.
Administering COmanage often requires using multiple identities. For example, one may be a Platform Administrator under one identity and be approving and setting group membership for a separate identity for yourself that will be a regular administrator.
It is very easy to get your COmanage record into an awkward or broken state if those identities aren’t kept separate. Therefore, whenever manipulating Platform Administrators or onboarding yourself under a second identity as a distinct person (as opposed to adding a new identity to an existing record), always use separate incognito windows for each identity.
Platform administrators¶
COmanage strongly recommends using a separate identity for a Platform Administrator that is not a member of any other collaboration (and indeed, in the version of COmanage as of 2022-11-29, if a Platform Administrator is onboarded into the LSST collaboration, they lose their Platform Administrator powers).
We therefore use the Google *-admin
accounts in the lsst.cloud Google Cloud Identity domain as the identities for Platform Administrators.
(See RTN-020 for more details about that domain and those accounts.)
Only a few people need to be Platform Administrators. That access only needs to be used to make some configuration changes and to fix problems if other administrators are locked out.
Adding new Platform Administrators needs to be done manually, since there is no regular enrollment flow defined for the special COmanage collaboration.
Follow the Default Registry Enrollment instructions.
To get the login identifier used in step one, have the person being onboarded go to CILogon in a fresh icognito window and log on with their *-admin
account.
On the resulting screen, expand user attributes, and use the “CILogon User Identifier” string (which will look like a URL).
When adding this as an identifier to the Organizational Identity, use the “OIDC sub” identity type.
Once the user’s person record has been created using that process, go to the COmanage collaboration, choose Groups from the sidebar, choose All Groups, and add them as a member and owner of the CO:admins
group.
As mentioned above, make sure not to attempt to onboard this same identity into the LSST collaboration or add it as an additional entity to any person record in that collaboration, since this will currently cause it to lose Platform Administrator permissions.
Regular administrators¶
Regular administrators can be onboarded in the normal way, using the “Self Signup With Approval” flow like any other user.
Once their petition has been approved and their user record has been created, go to the LSST collaboration, choose Groups from the sidebar, choose All Groups, and add them as a member and owner of the CO:admins
group.
This is the appropriate permissions for users who will be approving the petitions of other users and sorting users into the appropriate groups.
Configuration¶
CILogon¶
(Not strictly part of COmanage, but closely related.)
We use custom CSS for CILogon, which we then specify by passing skin=LSST
in the parameters to the CILogon login page.
This has to be manually loaded by the CILogon folks.
The CSS we use is maintained in the lsst-sqre/cilogon-theme GitHub project.
src/rubin.css
is the file that we provide to CILogon.
This setup only has to be done once for all environments, not per-environment like the other COmanage configuration, and only needs to be redone if the CSS file changes. See DM-35698 for the process we followed when updating the CSS.
One of the things this skin does is hide the “Remember me” checkbox from the login page. This normally allows users to tell CILogon to remember which identity provider they use, so they never see the page to select an identity provider again. Unfortunately, we’ve found this causes confusion in practice, since users end up wanting to select a different identity provider and can’t, without going to an obscure-to-users CILogon page to remove that cookie. We therefore disable that button with CSS so that the user always sees the identity provider selection page. Their last selection is still remembered and selected by default.
Configure unique attribute for each person¶
CILogon generates a unique identifier for every authentication identity.
COmanage may map multiple authentication identities to the same person record (so that someone can log in via both GitHub and their local university, for example, which are separate authentication identities).
To resolve a login identity to a person in LDAP, those authentication identities must be present in the LDAP record.
The recommended attribute in which to store them is uid
, which is multivalued.
This means that a different attribute must be used for the unique identifier for each person.
That attribute must not be multivalued.
We use LSST Registry ID
as that attribute.
Go to
Add an extended type:
Name:
lsstregistryid
Display Name:
LSST Registry ID
Go to
Create an identifier assignment:
Description:
LSST Registry ID
Context:
CO Person
Type:
LSST Registry ID
(do not check the Login box)Algorithm:
Sequential
Format:
LSST(#)
(via “Select a common pattern”)Permitted Characters:
AlphaNumeric Only
Minimum:
1000000
(this doesn’t really matter but it will make all the identifiers the same length)
Configure LDAP provisioning target¶
Gafaelfawr requires the bare usernames be listed in an attribute in each group record so that they can be searched for.
This is supported by the eduMember
object class and the hasMember
attribute.
We also need to put the user’s canonical username (which COmanage calls the UID) in some attribute in the person record so that we can query on it.
We use voPersonApplicationUID
for that purpose.
Note that this is different than uid
(the CILogon federated identity strings) and the unique attribute for each person used in the person data hierarchy (voPersonID
).
Note that we use the preferred email and full name, not the official one. This must match the settings used during enrollment flow.
Go to
and configure Primary LDAPSet “People DN Identifier Type” to
LSST Registry ID
Set “People DN Attribute Name” to
voPersonId
Go down to the attribute configuration
Enable
displayName
, disablegivenName
, and set it to PreferredChange
mail
to PreferredChange
uid
to OIDC sub and select the box for “Use value from Organizational Identity”Enable
groupOfNames
objectclassEnable
isMemberOf
in theeduMember
objectclassEnable
hasMember
in theeduMember
objectclass and set it to UIDEnable
voPerson
objectclassEnable
voPersonApplicationUID
and set it to UIDEnable
voPersonID
and set it to LSST Registry IDEnable
voPersonSoRID
and set it to System of Record ID
Save and then Reprovision All to update existing records
OpenID Connect client¶
The important configuration setting here is to map voPersonApplicationUID
to the username
claim.
This is used by Gafaelfawr to get the username after authentication or, if that claim is not set, to know that the user is not enrolled in COmanage and to redirect to an enrollment flow.
Go to
Add a new client
Set the name to a reasonable short description of the deployment
Set the home URL to the top-level URL of the deployment
Set the callback to the home URL with
/login
appended (the Gafaelfawr callback URL)Enable the
org.cilogon.userinfo
scopeAdd an LDAP to claim mapping
LDAP attribute name:
voPersonApplicationUID
OIDC Claim Name:
username
Configure enrollment flow¶
Note that we use the preferred email and full name, not the official one. This must match the settings used during LDAP provisioning.
Edit “Self Signup With Approval” enrollment flow
Change “Email Confirmation Mode” to
review
and saveEdit its enrollment attributes
Edit the Name attribute, change its attribute definition to Preferred rather than Official, and make sure that only Given Name is required
Edit the Email attribute and change its attribute definition to Preferred rather than Official
Add a new enrollment attribute:
Label:
Users group
Attribute class:
CO Person
Attribute name:
Group member
Required:
Required
Default value:
g_users
(or whatever the name of the general users group is)Modifiable: unchecked
Hidden: checked
The email confirmation mode setting adds a confirmation screen when confirming an email address. If this is not done, just visiting the URL sent in an email address will automatically confirm the email address. This interacts poorly with email anti-virus systems that retrieve all URLs in incoming messages and thus would automatically confirm email addresses. Since anti-virus systems don’t interact with the retrieved page, requiring the user click a button addresses this problem.
The additional enrollment attribute automatically adds new users to the general users group, avoiding an additional step for the person approving new users unless that user needs to be a member of a special group.
In addition, we install the IdentifierEnroller Plugin and use it to capture the requested username after email verification. This plugin has better error handling than adding username to the list of enrollment attributes, particularly if that username is already in use. It is attached as an enrollment flow wedge to the “Self Signup With Approval” enrollment flow.
To configure this plugin:
Go to the “Self Signup With Approval” enrollment flow
Attach the IdentifierEnroller as a wedge
Select Configure
Select “Manage Indentifier Enroller Identifiers”
Set the label to
Username
Set the description to something appropriate
Set the identifier type to
UID
Finally, to work around CO-1244, we use a custom plugin that finds any groups a user was added to as part of the petition and reprovisions those groups. As with the identifier enroller plugin, this Lsst01Enroller plugin is installed as a wedge. It has no configuration options.
Currently, this flow does not mark the user’s chosen name as primary, and thus does not change the name under which they’re shown in COmanage screens such as My Population. This only affects COmanage, not the information that’s exported to LDAP and thus is used by the Science Platform. We have requested an additional enrollment wedge that would automatically set the user’s chosen name as their primary name.
Username validation¶
Ensure the Regex Identifier Validator Plugin is enabled. Then:
Go to
and add a new validatorSet the name to “Username validation”, the plugin to RegexIdentifierValidator, and the attribute to UID, and click Add
Set the regular expression to:
/^[a-z0-9](?:[a-z0-9]|-[a-z0-9])*[a-z](?:[a-z0-9]|-[a-z0-9])*$/
This implements the restrictions on valid usernames documented in DMTN-225.
Group name validation¶
Unlike with usernames, COmanage does not provide out-of-the-box support for validating group names with a regular expression. We therefore use a custom plugin to enforce the group naming constraints defined in DMTN-225.
The plugin used is GroupNameValidator with the following configuration:
Configure::write('GroupNameValidator.pattern', '/^g_[a-z0-9._-]{1,30}$/');
Configure::write('GroupNameValidator.flash_error_text', 'Name must start with g_ and use only a-z,0-9,.,_, and -');
Timeouts¶
When the user goes to COmanage (to manage their groups or identities, for example) and are redirected to CILogon to authenticate, they have 15 minutes to complete the authentication. If they take longer than that to complete their authentication, they will receive a Timeout red error message after returning to COmanage and will have to start again.
Once a user has authenticated to COmanage, the session timeout is eight hours, after which they’ll be logged out and will have to log in again.
API¶
LDAP¶
To make LDAP queries, use commands like:
$ ldapsearch -LLL -H ldaps://ldap-test.cilogon.org \
-D 'uid=readonly_user,ou=system,o=LSST,o=CO,dc=lsst,dc=org' \
-x -w PASSWORD -b 'ou=people,o=LSST,o=CO,dc=lsst,dc=org'
For IDF dev, the DNs end in dc=lsst_dev,dc=org
.
For IDF int, the DNs end in dc=lsst,dc=org
as shown above.
The password is in 1Password under the hostname of the COmanage registry.
Use ou=people,o=LSST,o=CO,dc=lsst,dc=org
for people and ou=groups,o=LSST,o=CO,dc=lsst,dc=org
for groups.
COmanage REST API¶
Only the REST v1 API is currently available.
The base URL is the hostname of the COmanage registry service with /registry
appended.
We currently don’t expect to use the REST API.
Use with Gafaelfawr¶
Here is an example configuration of the Gafaelfawr Helm chart to use CILogon and COmanage.
This is suitable for the values-*.yaml
file in Phalanx.
cilogon:
clientId: "cilogon:/client_id/46f9ae932fd30e9fb1b246972a3c0720"
enrollmentUrl: "https://registry-test.lsst.codes/registry/co_petitions/start/coef:6"
usernameClaim: "username"
firestore:
project: "rsp-firestore-dev-31c4"
ldap:
url: "ldaps://ldap-test.cilogon.org"
userDn: "uid=readonly_user,ou=system,o=LSST,o=CO,dc=lsst_dev,dc=org"
groupBaseDn: "ou=groups,o=LSST,o=CO,dc=lsst_dev,dc=org"
groupObjectClass: "eduMember"
groupMemberAttr: "hasMember"
userBaseDn: "ou=people,o=LSST,o=CO,dc=lsst_dev,dc=org"
userSearchAttr: "voPersonApplicationUID"
addUserGroup: true
This uses the CILogon test LDAP server (a production configuration will probably use a different LDAP server) and links to an enrollment flow in a test version of COmanage.
Open COmanage work¶
Add an enrollment wedge that will set the user’s entered name as the primary name so that it will be displayed in the COmanage screens. This will ensure the displayed name (such as when adding a user to groups) matches the name used by the Science Platform. It also works around the problem that CILogon is not requesting names from GitHub and thus all GitHub identities have CILogon identity URIs rather than names.
The landing pages before and after verifying the user’s email address need further customization. The current versions are in the cilogin/lsst-registry-landing GitHub repository.
COmanage can be themed following the instructions at Theming COmanage Registry. We haven’t yet looked in detail at this, let alone started. Any required custom CSS, JavaScript, or images will need to be uploaded to the server by the CILogon administrators before we can use it.
COmanage comes with a bunch of default components that we don’t want to use (announcement feeds, forums, etc.). Edit the default dashboard to remove those widgets and replace them with widges for group management and personal identity management (if there are any applicable ones).