The INDIGO Identity and Access Management Service (IAM) provides user identity and policy information to services so that consistent authorization decisions can be enforced across distributed services.
IAM provides a layer in which identities, enrollment, group membership and other attributes, and authorization policies on distributed resources can be managed in a homogeneous way, supporting identity federations and various authentication mechanisms (X.509 certificates and social logins).
The IAM service has been successfully integrated with many off-the-shelf components such as OpenStack, Kubernetes, Atlassian JIRA and Confluence, and Grafana, and with key Grid computing middleware services (FTS, dCache, StoRM).
- Authentication: The IAM supports authentication via SAML IdPs or identity federations, OpenID Connect providers and X.509 certificates.
- Enrollment: The IAM provides enrollment and registration functionalities, so that users can join groups/collaborations according to well-defined flows.
- Attribute and identity management: The IAM provides services to manage group membership, attributes assignment and account linking functionality.
- User provisioning: The IAM provides endpoints to provision information about users' identities to other services, so that, for example, consistent local account provisioning can be implemented.
Service access options
- IAM as a service
INFN provides IAM as a service to partner research communities. In this scenario, a dedicated IAM instance is deployed on the INFN infrastructure and configured according to the community's needs. INFN takes care of keeping the service operational and up-to-date, while administrative control over the IAM instance is granted to the community. For more information on how to access IAM as a service, check the service website.