Authentication/ Authorization
Authentication and Authorization in Gen3
Authentication (AuthN) and Authorization (AuthZ) are fundamental components of the Gen3 ecosystem, ensuring secure access and data protection within your Gen3 data commons. Gen3 provides flexibility and compatibility with various identity providers (IDPs) and uses specialized services for these purposes.
Authentication (AuthN)
Gen3 supports authentication with any OIDC (OpenID Connect) compatible Identity Provider (IDP), allowing users to securely access Gen3 resources with their existing credentials. The configuration for authentication is primarily managed within the Fence service, which acts as the gatekeeper for accessing Gen3 resources.
Key points about authentication in Gen3:
OIDC Compatibility: Gen3 is designed to work seamlessly with OIDC-compliant IDPs, including institutional authentication systems and cloud identity providers.
Fence Service: The Fence service handles authentication by validating user credentials against the configured OIDC IDP. It manages user authentication tokens, ensuring secure access to Gen3 resources.
- Single Sign-On (SSO): Through OIDC compatibility, Gen3 facilitates Single Sign-On (SSO), allowing users to access multiple Gen3 services without the need for separate logins.
Authorization (AuthZ)
Authorization in Gen3 is orchestrated by the Arborist service, which handles fine-grained access control to Gen3 data and resources. Arborist ensures that users and services can only access data and perform actions for which they are explicitly authorized.
Key points about authorization in Gen3:
Fine-Grained Access Control: Arborist enables granular access control, allowing administrators to define who can access specific data and what actions they can perform.
Policy-Based Access: Access policies are defined and managed in Arborist, providing a structured way to specify access rules based on user roles, data types, and more.
Data Access Governance: With Arborist, you can enforce data access governance and compliance requirements by ensuring that data is accessed only by authorized individuals and services.
Integration with Other Services: Arborist seamlessly integrates with other Gen3 services, such as the data commons portal and data submission services, to enforce access control consistently across the platform.
By configuring authentication through the Fence service and authorization through the Arborist service, Gen3 provides a robust security framework that protects your data while allowing controlled access to authorized users and services.
In the following sections, we will explore the specific configurations and roles of these services in more detail, empowering you to set up secure and controlled access within your Gen3 data commons environment.