Requesting external federation for your web-based service
Intended for:
Service providers of Fermilab web-based services
Scenario/Use case:
This article details how to request external federation for your web-based service that uses SSO authentication. By using external federation, you can provide access to individuals who don’t have Fermilab accounts by allowing them to use their home organization’s credentials to authenticate.
At this time, Fermilab supports credentials from these organizations:
- CERN
- Other DOE labs and organizations using DOE OneID
- Jefferson Lab
- SLAC
- Argonne
Instructions:
To request external federation for your web-based service, open a General Request ticket in ServiceNow:
- Use "Enable <site name> for external federation" as the subject of your request ticket.
- In the ticket, describe what data will be shared and what measures are in place to ensure that only the target audience has access to the data.
- Once the ticket is submitted, the review and approval process will start.
Notes:
- Before requesting external federation, please review your web application/website. Access to your web application/website should be controlled by the application/website itself and should only be granted to authenticated users. You can use the group membership provided in the SSO assertion for authorization; it can be used both to grant and to reject access.
- Instructions on how to allow an external user to access your web-based service after the request for external federation has been approved can be found in this article: KB0014129
- By default, all external Identity Providers (current and future) will be displayed as available for authentication to your web service. It is the responsibility of the web service to authorize users.
- Read-only is the default access for Federated accounts. Write privileges are given only under special approved circumstances for certain individuals and only to specific DocDB instances or SharePoint sites.
- Request Fermilab logical access via the ServiceNow form https://fermi.servicenowservices.com/expert_shell.do?sysparm_sys_id=63f9f6a8dbd148104e65ff621f961975 selecting the appropriate affiliation.
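
The group-based authorization described in the notes above, sketched as an added example (not Fermilab's code or part of the original article): default deny for any authenticated user outside the allowed groups, a deny group that overrides, and read-only access for federated accounts unless individually approved. The attribute keys, group names, IdP identifiers and the choice to give home accounts write access are assumptions.

```python
from dataclasses import dataclass

# Assumed names: attribute keys, group names and IdP identifiers are
# placeholders for illustration, not values from the Fermilab SSO service.
HOME_IDP = "https://idp.home.example"
ALLOW_GROUPS = {"myapp-users"}               # membership grants access
DENY_GROUPS = {"myapp-blocked"}              # membership rejects access
WRITE_APPROVED = {"alice@partner.example"}   # approved federated writers


@dataclass(frozen=True)
class Decision:
    allowed: bool
    can_write: bool
    reason: str


def authorize(assertion):
    """Decide access from attributes of an already validated SSO assertion."""
    if not assertion or not assertion.get("subject"):
        return Decision(False, False, "not authenticated")
    groups = set(assertion.get("groups") or [])
    if groups & DENY_GROUPS:
        return Decision(False, False, "deny group")
    if not groups & ALLOW_GROUPS:
        # Every federated IdP can authenticate to the service, so a valid
        # login alone says nothing about the target audience: default deny.
        return Decision(False, False, "not in an allowed group")
    # A missing "idp" attribute is treated as federated (fails to read-only).
    federated = assertion.get("idp") != HOME_IDP
    # Assumption of this example: home accounts may write.
    can_write = (not federated) or assertion["subject"] in WRITE_APPROVED
    return Decision(True, can_write, "federated" if federated else "home")


# Constructed sample assertions (subject, issuing IdP, group membership).
SAMPLES = [
    None,
    {"subject": "bob@home.example", "idp": HOME_IDP, "groups": ["myapp-users"]},
    {"subject": "carol@partner.example", "idp": "https://idp.partner.example", "groups": ["myapp-users"]},
    {"subject": "alice@partner.example", "idp": "https://idp.partner.example", "groups": ["myapp-users"]},
    {"subject": "dave@partner.example", "idp": "https://idp.partner.example", "groups": []},
    {"subject": "eve@home.example", "idp": HOME_IDP, "groups": ["myapp-users", "myapp-blocked"]},
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample and sample["subject"], authorize(sample))
```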