SSO service

A single user authentication system, Single Sign-On (SSO), has been put into trial operation at JINR. What does this mean for users, and what are its benefits?

JINR has many computing resources: components of the Multifunctional Information and Computing Complex (MICC), such as the Grid infrastructure, DIC, HybriLIT and the Govorun supercomputer; various storage systems, such as dCache, EOS, XrootD, AFS, NFS and CVMFS; and database services for general use, administration, regulating scientific activities, etc.

Each service has its own rules for providing services to a user and requires its own user accounts. The capabilities permitted to the user are limited by the tasks to be solved. To provide the user with certain resources, the user must be given:

  • Account (login-password);
  • Rights of access to resources.

Let's call access rights to resources a "subscription" to the service. Different services may call the "subscription" by different names: registration, initialization, personalization, obtaining rights, etc. The content of the "subscription" also differs. For example: disk space (for disk storage); RAM capacity and number of processor cores (for computing systems); access rights to one part or another of a database (for information systems), etc.

Usually these procedures are combined during registration on the service. But in that case each service has to have a separate account (login and password).

The SSO system allows JINR users to have one account on all services included in the system. However, the "subscription" to each service will still be different and will have to be obtained separately. So find out the rules and features of the "subscription" to the service you want.

As mentioned above, the SSO service is a single system of user authentication. However, users very often confuse the terms authentication and authorization. This is because both come into play only when you use a service. If authentication is confirmation of who you are, then authorization is what you can access.

Let's try to explain this difference with an example. We have two documents: a passport (SSO login/password) and a ticket that specifies the country, flight and ticket class (economy, first, business), which is the subscription. We go to the airport to take a trip, and that is where these documents are checked. The check-in desk checks that this is us and that this is our passport; once the SSO system has confirmed this, we pass into the free zone. We have passed the first check: we have been authenticated. It would seem we can now fly wherever we want, but then there is another check, this time of the ticket: there are many flights, but you can board a plane only according to the purchased ticket (subscription). And here we are on our plane, but we will be seated and served according to the ticket class (economy, first, business). This is authorization, i.e., providing us with opportunities in accordance with our rights.

And now fasten your seatbelts, and have a happy flight!