Wiki source code of User login from MitreId to IAM
Show last authors
| author | version | line-number | content |
|---|---|---|---|
| 1 | == Subject == | ||
| 2 | |||
| 3 | This memo presents what happens when an existing HBP user tries to login to a service which uses Collaboratory 2 authentication (e.g. [[https:~~/~~/wiki.ebrains.eu>>https://wiki.ebrains.eu]]) | ||
| 4 | |||
| 5 | === __**Case 1:** User has an account in Collaboratory 1 but not in Collaboratory 2__ === | ||
| 6 | |||
| 7 | ==== __**Case 1.1:**__ User has a personal (non-institutional) email, e.g. at gmail.com ==== | ||
| 8 | |||
| 9 | When the user attempts to login, the login is rejected. This username is unknown in Collaboratory 2, and Collaboratory 1 authentication is not checked because it's an unauthorized email address in the Collaboratory 2 space. | ||
| 10 | |||
| 11 | [[image:Screenshot 2020-04-29 at 16.24.42.png||height="278" width="549"]] | ||
| 12 | |||
| 13 | |||
| 14 | **Possible actions:** | ||
| 15 | |||
| 16 | * The user registers for a new account by clicking "Getting Access" and uses an institutional email address. Or, | ||
| 17 | * The user asks Support to create exceptionally an account with a personal email and motivates the request. | ||
| 18 | |||
| 19 | ==== __**Case 1.2:**__ User has an institutional email, e.g. at epfl.ch ==== | ||
| 20 | |||
| 21 | ==== __Case 1.2.1:__ User has an SGA2 accreditation in the Collaboratory 1 ==== | ||
| 22 | |||
| 23 | At first login, the user will have to verify the email address linked to the user account in order to login. | ||
| 24 | |||
| 25 | [[image:Screenshot 2020-04-29 at 16.33.11.png||height="311" width="702"]] | ||
| 26 | |||
| 27 | |||
| 28 | ==== __Case 1.2.2:__ User does **not** have an SGA2 accreditation in the Collaboratory 1 ==== | ||
| 29 | |||
| 30 | A user account will be automatically created in the Collaboratory 2, but the user will be denied access to (% style="background-color:#f1c40f" %)the service(%%). The image below shows the message displayed to the user. (% style="background-color:#f1c40f" %)Pas de validation d email ici? | ||
| 31 | |||
| 32 | [[image:Screenshot 2020-04-29 at 16.24.22.png||height="345" width="683"]] | ||
| 33 | |||
| 34 | **Possible action :** | ||
| 35 | |||
| 36 | * If the user is an HBP member from an institution in the HBP Consortium, the user can request SGA2 accreditation in the Collaboratory 1 and then try to login again. Or, | ||
| 37 | * (% style="background-color:#f1c40f" %)in iam, put the user in his institution group or add manually to the user the role collaboratory_member | ||
| 38 | |||
| 39 | == __**Case 2 :** User has a Collaboratory 2 account__ == | ||
| 40 | |||
| 41 | If the user has a Collaboratory 2 account, access is completely independent of having a Collaboratory 1 account, and of having an SGA2 accreditation there or not. | ||
| 42 | |||
| 43 | At first login, the user will have to verify the email address linked to the user account in order to login. | ||
| 44 | |||
| 45 | We already have some users with a personal email for historical reasons (automated import of accredited SGA2 users from Collaboratory 1). These users all belong to the unit called //**imported**//. Access to the service then depends on the service itself. The //**imported**// unit has for now (exceptionally) the role //**collaboratory_member** //so its members have access to the Collaboratory services, e.g. at [[https:~~/~~/wiki.ebrains.eu>>https://wiki.ebrains.eu]]. | ||
| 46 | |||
| 47 | This has been tested: personal emails properly receive the verification email and access is then authorized. | ||
| 48 | |||
| 49 | (% style="color:#e74c3c" %)**There is no possible scenario currently for users with personal email to not be in the imported group, so they should all have access to wiki, except for those handmade created after a support request. Users created from a support request should be put in the appropriate unit with the appropriate access case by case.** |