External authentication methods?

In order for a multi-user cluster install to not quickly become unmanageable for us, we would like to have people log in with their SSO credentials (CAS would be ideal for us, but CILogon, Shibboleth, etc. would probably be workable too?) and map their login identity to their Linux identity on our cluster. Is there any place for this in the roadmap? It would also have the very desirable side effect of more easily enforcing data permissions if you can run processes/jobs as the local user.

We still have several folks just running separate installs each for themselves and it is quite cumbersome to support.

Hi @brevans

Sorry for the delay! We are interested in supporting this in the future - it’s on our to-do list.

If possible, could you email feedback@structura.bio with a little more information about your specific requirements and setup? It will help us design a system that works for a variety of use cases.

Thanks,
Suhail

Is this by chance on the roadmap still / yet?

Hi @hutchisontm,

We have been investigating ways in which we can implement it that cover a wide range of use cases and different user directories. The most promising way forward for us would be integrating with a configurable identity and access management tool such as Keycloak (https://www.keycloak.org/). This would allow cryoSPARC installers to configure the access management tool based on their unique requirements and potentially integrate better with other tools hosted within the same domain. Could Keycloak work for your use case?

- Suhail

At first look I think it may; I’m forwarding this to another team member for verification. Thank you for the response and I’ll follow up once I know for sure.

@sdawood would the Keycloak identity just be used for access & permission within cryoSPARC, or would there also be the option to run jobs as that authenticated user & use their local (Linux) account to work with existing POSIX permissions for data and results?

Hi all,

In general this is also a feature that we would be interested in.
Just to avoid confusion: we’re not talking about adding Keycloak to cryoSPARC, but making it a Service Provider in the sense of OpenID or SAML (see https://en.wikipedia.org/wiki/Service_provider_(SAML) )? Keycloak itself is the Identity Provider (IdP) in that story.

Best,
Erich

Hi all,

Is this feature implemented or still on the roadmap? We have a similar use case: to manage cryoSPARC authentication/authorization centrally through an IAM tool. If this is still on the roadmap, can we please get an ETA?

-Shiv

Hi,

This is a much-needed feature.
We are already handling our users somewhere, and we would like to be able to use this already existing user base.
A lot of (if not all) labs or industries are using some SSO, so this would be useful for a lot of admins.
A Keycloak integration would be more than enough, at least for us.

Have a nice day,
Nicolas

That would be a very nice feature, for the job scheduler and filesystem access based on user identity.
But as a first step I would be satisfied with a simple SSO login.