Requesting external federation for your web-based service
Intended for:
Service providers of Fermilab web-based services
Scenario/Use case:
This article details how to request external federation for your web-based service that uses SSO authentication. By using external federation, you can provide access to individuals who don’t have Fermilab accounts by allowing them to use their home organization’s credentials to authenticate.
At this time, Fermilab supports three options for federated access:
1) DOE Complex: FNAL, ANL, BNL, DOE OneID, JLAB, LBL, ORNL, Stanford, ...
- See https://federation.fnal.gov/ for a current list.
- DOE OneID supports users from DOE and other DOE labs and organizations.
2) CERN: Requires a current agreement between your collaboration and CERN.
3) Both DOE Complex and CERN
Instructions:
To request external federation for your web-based service, open a General Request ticket in ServiceNow:
- Use Enable <site name> for external federation as the subject of your request ticket.
- In the ticket, describe:
- What data will be shared.
- What measures are in place to ensure that only the target audience has access to the data.
- Which federation option you request: DOE Complex, CERN or both.
- Once the ticket is submitted, the review and approval process will start.
Notes:
- Before requesting external federation, please review your web application/website. Access to your web application/website should be controlled by the application/website and should only be granted to authenticated users. You can use group membership that is provided in SSO assertion for authorization; this can be used for both granting and rejecting access.
- Instructions on how to allow an external user to access your web-based service after the request for external federation has been approved can be found in this article: KB0014129
- By default, all DOE Complex external Identity Providers (current and future) will be displayed as available for DOE Complex authentication to your web-based service. It is the responsibility of your web-based service to authorize users.
- Read-only is the default access for Federated accounts. Write privileges are given only under special approved circumstances for certain individuals and only to specific DocDB instances or SharePoint sites.
- Request Fermilab logical access via the ServiceNow form https://fermi.servicenowservices.com/expert_shell.do?sysparm_sys_id=63f9f6a8dbd148104e65ff621f961975 selecting the appropriate affiliation.