About Indigo Component

INDIGO-DataCloud Identity Harmonization Service (IdH)

Scope

IdH works inside a computer centre, where it modifies user accounts via the LDAP protocol.

Description

The INDIGO-DataCloud Identity Harmonization Service uses external account linkage information (such as that provided by IAM) to enact global linkage information at a local computer centre. Account linking is used when one user has multiple accounts (say multiple SAML accounts and a Google one) and would like to link them. Sites that grant access to each of the user's accounts would normally map each account to a separate Unix UID and a set of GIDs. IdH uses linkage information that contains one primary account and a set of secondary accounts. It uses LDAP to set the UIDs of all secondary accounts to that of the primary one, and it changes group membership so that all (primary and secondary) accounts are members of the superset of all groups the user is a member of. This allows a user to log in with his Google account and access data which is accessible via groups his SAML account is a member of.

A typical scenario would be a user copying data in via ssh and then using it from the grid via gridftp and his X.509 certificate.

IdH was implemented as a RESTful web service. It also allows unlinking of accounts.
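The linking and unlinking steps described above can be sketched as a plan of directory changes plus the record needed to reverse them. This is an added example, not IdH source code: the function names, the tuple format and the sample accounts are hypothetical, and it assumes RFC 2307 style entries (uidNumber on accounts, memberUid on groups).

```python
# Added illustration, not IdH source code. Assumes RFC 2307 style entries:
# each account has a uidNumber, each group a memberUid list.

def plan_link(accounts, groups, primary, secondaries):
    """Return (mods, undo) for linking secondaries to primary.

    accounts: {login: uidNumber}; groups: {group: set of member logins}.
    mods/undo are lists of (target, attribute, op, value) tuples that a
    caller would translate into LDAP modify operations.
    """
    linked = [primary, *secondaries]
    missing = [a for a in linked if a not in accounts]
    if missing:
        raise KeyError(f"unknown accounts: {missing}")
    mods, undo = [], []
    # 1. Every secondary account takes over the primary's UID.
    for login in secondaries:
        if accounts[login] != accounts[primary]:
            mods.append((login, "uidNumber", "replace", accounts[primary]))
            undo.append((login, "uidNumber", "replace", accounts[login]))
    # 2. Every linked account joins the superset of all groups.
    for group in sorted(groups):
        members = groups[group]
        if not members & set(linked):
            continue  # no linked account is in this group
        for login in linked:
            if login not in members:
                mods.append((group, "memberUid", "add", login))
                undo.append((group, "memberUid", "delete", login))
    return mods, undo[::-1]  # undo is replayed in reverse order


def apply_plan(accounts, groups, mods):
    """Apply a plan to in-memory copies (stand-in for the LDAP server)."""
    accounts = dict(accounts)
    groups = {g: set(m) for g, m in groups.items()}
    for target, attr, op, value in mods:
        if attr == "uidNumber":
            accounts[target] = value
        elif op == "add":
            groups[target].add(value)
        else:
            groups[target].discard(value)
    return accounts, groups


# Constructed sample data: one user with a SAML, a Google and an X.509 account.
ACCOUNTS = {"saml_alice": 5001, "google_alice": 5002, "x509_alice": 5003}
GROUPS = {"atlas": {"saml_alice"}, "grid": {"x509_alice"}, "ops": {"bob"}}
```

Keeping the undo list alongside each link operation is what makes unlinking exact: without the original UIDs and the list of memberships that were added, a later unlink cannot tell granted access from access gained only through linking.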
