Authentication

University of Münster CIT provides DFN-AAI/eduGAIN federated authentication via a central SATOSA OpenID Connect proxy.

OpenID Connect

OpenID Connect (OIDC) is a widely used identity layer built on top of the OAuth 2.0 protocol. It provides a straightforward way to authenticate the users of client applications and to deliver user information to services.

Service Application

Please contact cloud@uni-muenster.de with the desired attributes, client_id and redirect_uri, if you want to use this service for your application. For exchanging the shared secret, we prefer encrypted and signed e-mails, so please create an e-mail certificate in the IT Portal.

Setup

Setting up the service typically requires a client_id, a client_secret, a redirect_uri and the OIDC discovery endpoint, which is found at: https://auth.k8s.wwu.de/.well-known/openid-configuration. If you wish to use plain OAuth 2.0 instead of OIDC, you may use the token_endpoint and jwks_uri from the discovery document. The service also needs to be configured to request scopes, which are determined by the attributes you require. Please see the next section on the connection between attributes and scopes. Remember that your service can only access attributes that have been granted on application.

Attributes

On application, you have to request access to attributes, such as the email address, given name or family name of the users. Due to data privacy regulations, only a small subset of the attributes you really require can be assigned to the service. Some of the attributes, such as POSIX or group information, are only available for accounts from the University of Münster. Please be reminded that, due to privacy policies, many attributes have to be explicitly requested at foreign identity providers before they are released to our service provider.

Scopes -> Attributes Mapping:

openid:
  - sub
  - eppn
  - epuid
  - eptid
profile:
  - name
  - given_name
  - family_name
email:
  - email
orcid:
  - orcid
posix:
  - uid
  - gid
  - gids
account:
  - username
  - groups
  - systems
  - domain
  - affiliation
  - entitlement
  - assurance
  - userstatus
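The Setup and Attributes sections above describe three things an application has to get right: request only the scopes that cover the attributes it was granted, build the authorization request from the discovery document, and validate the ID token it receives. The following Python example is added here to illustrate that flow; it is not code from University of Münster CIT. The discovery document it embeds is a constructed stand-in (issuer and endpoints under example.invalid): in a real deployment the values come from https://auth.k8s.wwu.de/.well-known/openid-configuration, and the token's signature must first be verified against jwks_uri with a JWT library before the claim checks shown here are applied.

```python
"""Added example (not CIT's code): minimal scopes for a set of attributes,
authorization request construction, and ID-token claim validation."""
import secrets
import time
from urllib.parse import urlencode

# Scope -> attribute mapping exactly as published in the section above.
SCOPE_ATTRIBUTES = {
    "openid": ["sub", "eppn", "epuid", "eptid"],
    "profile": ["name", "given_name", "family_name"],
    "email": ["email"],
    "orcid": ["orcid"],
    "posix": ["uid", "gid", "gids"],
    "account": ["username", "groups", "systems", "domain", "affiliation",
                "entitlement", "assurance", "userstatus"],
}

# Constructed stand-in for the discovery document (NOT the real issuer).
DISCOVERY = {
    "issuer": "https://auth.example.invalid",
    "authorization_endpoint": "https://auth.example.invalid/authorize",
    "token_endpoint": "https://auth.example.invalid/token",
    "jwks_uri": "https://auth.example.invalid/jwks",
}


def scopes_for(attributes):
    """Return the smallest scope set that covers the requested attributes.

    'openid' is always included because OIDC requires it. Asking for an
    attribute no scope provides is a configuration error, so it raises.
    """
    needed = {"openid"}
    for attr in attributes:
        for scope, attrs in SCOPE_ATTRIBUTES.items():
            if attr in attrs:
                needed.add(scope)
                break
        else:
            raise ValueError(f"no scope provides attribute {attr!r}")
    # Keep the order in which the page lists the scopes.
    return [s for s in SCOPE_ATTRIBUTES if s in needed]


def new_state_and_nonce():
    """Fresh, unguessable values; store them in the session and compare on
    return (state binds the callback to the session, nonce binds the token)."""
    return secrets.token_urlsafe(32), secrets.token_urlsafe(32)


def build_authorization_url(discovery, client_id, redirect_uri, scopes,
                            state, nonce):
    """Authorization Code flow request built from the discovery document."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,
        "nonce": nonce,
    }
    return discovery["authorization_endpoint"] + "?" + urlencode(params)


def validate_id_token_claims(claims, discovery, client_id, expected_nonce,
                             now=None):
    """Claim checks from OIDC Core 3.1.3.7, applied AFTER the signature has
    been verified against jwks_uri. Returns a list of failures (empty = ok)."""
    now = time.time() if now is None else now
    errors = []
    if claims.get("iss") != discovery["issuer"]:
        errors.append("issuer mismatch")
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if client_id not in aud_list:
        errors.append("client_id not in aud")
    if len(aud_list) > 1 and claims.get("azp") != client_id:
        errors.append("multiple audiences but azp is not this client")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        errors.append("token expired or exp missing")
    if claims.get("nonce") != expected_nonce:
        errors.append("nonce mismatch")
    return errors


if __name__ == "__main__":
    state, nonce = new_state_and_nonce()
    scopes = scopes_for(["email", "given_name"])
    print(scopes)
    print(build_authorization_url(DISCOVERY, "my-client",
                                  "https://app.example.invalid/cb",
                                  scopes, state, nonce))
```

scopes_for deliberately refuses unknown attributes instead of silently requesting every scope: the page's point is that only granted attributes are reachable, so the scope list should be derived from the granted attribute list, not hard-coded to everything. The claim validation treats a wrong issuer, an audience that does not name this client, an expired token and a nonce mismatch as independent failures so that a log line can say which check rejected the token.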

Transparent Authentication in Kubernetes

We provide transparent authentication for web services in our Kubernetes cluster. Please contact kube@uni-muenster.de with the desired attributes. We forward the id_token as a signed JWT to your application in the Authorization: Bearer header. The information in the JWT can be used in Istio RequestAuthentication and AuthorizationPolicy resources to restrict access to your website based on the claims in the token.
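The following manifest pair is an added example of the two Istio resources named above; it is not configuration from University of Münster CIT. The issuer, jwks URI, client_id, namespace, app label and group name are placeholders you replace with the values from the discovery document and your own deployment.

```yaml
# Added example, not CIT's configuration. Placeholder values are marked.
apiVersion: security.istio.io/v1
kind: RequestAuthentication
metadata:
  name: require-sso-jwt
  namespace: my-namespace            # placeholder
spec:
  selector:
    matchLabels:
      app: my-web-service            # placeholder: label of your Deployment's pods
  jwtRules:
  - issuer: "ISSUER_FROM_DISCOVERY"      # placeholder: "issuer" in the discovery document
    jwksUri: "JWKS_URI_FROM_DISCOVERY"   # placeholder: "jwks_uri" in the discovery document
    audiences:
    - "YOUR_CLIENT_ID"                 # placeholder: accept only tokens minted for this client
    forwardOriginalToken: true         # keep the Bearer header so the app can read the claims
---
# RequestAuthentication alone only rejects tokens that FAIL validation; a
# request that carries no token at all is still admitted. This policy closes
# that gap: with action ALLOW, anything not matched by a rule is denied.
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: allow-only-group-members
  namespace: my-namespace            # placeholder
spec:
  selector:
    matchLabels:
      app: my-web-service            # placeholder
  action: ALLOW
  rules:
  - from:
    - source:
        requestPrincipals: ["ISSUER_FROM_DISCOVERY/*"]   # placeholder issuer: any subject it authenticated
    when:
    - key: request.auth.claims[groups]   # 'groups' is released via the 'account' scope
      values: ["my-project-admins"]      # placeholder: group that may reach the service
```

requestPrincipals is matched as "issuer/subject", so the wildcard after the issuer admits every user authenticated by that issuer and the when clause narrows that to members of one group; drop the when block if presence of a valid token is sufficient, but keep the from block, because it is what turns "no token" into a denied request.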