Single Sign-On (SSO)
The ALTERNATIVE platform implements a robust Single Sign-On (SSO) solution, which is a key integration between the CKAN-based web application and the JupyterHub development environment. This feature enhances user experience and security across the platform.
Implementation with Keycloak
The SSO functionality is powered by Keycloak, an open-source Identity and Access Management solution. Keycloak serves as the central authentication and authorization server for the ALTERNATIVE platform.
Key aspects of the Keycloak-based SSO implementation include:
- Centralized Authentication: Users authenticate once through Keycloak and gain access to multiple applications within the ALTERNATIVE ecosystem.
- Seamless User Experience: From the web UI, users can launch Jupyter workspaces without the need for reauthentication, providing a smooth and efficient workflow.
- Enhanced Security: By centralizing authentication, Keycloak helps maintain consistent security policies across all integrated applications.
- Protocol Support: Keycloak implements industry-standard protocols such as OpenID Connect (OIDC) and OAuth 2.0, ensuring compatibility and security.
Benefits of SSO in ALTERNATIVE
The implementation of SSO brings several advantages to the ALTERNATIVE platform:
- Improved User Productivity: Users spend less time managing multiple credentials and logging in to different systems.
- Reduced Password Fatigue: With only one set of credentials to remember, users are less likely to resort to insecure password practices.
- Streamlined Access Management: Administrators can manage user access to multiple applications from a single point, simplifying user provisioning and deprovisioning.
- Enhanced Security Monitoring: Centralized authentication allows for better tracking and auditing of user access across the platform.
SSO Workflow
- User logs in to the ALTERNATIVE web application using their Keycloak credentials.
- Upon successful authentication, Keycloak issues a secure token.
- When the user accesses JupyterHub or other integrated services, the token is used to authenticate the user automatically.
- The user can seamlessly navigate between CKAN, JupyterHub, and other platform components without additional login prompts.