iRODS
PAM (Interactive)
Topics
● Short intro of SRAM
● https://github.com/HarryKodden/SRAM-iRODS-Showcase
● User flows
Short introduction on SRAM
SURF Research Access Management
Offers access to collaborating researchers working together on specific topics,
using services that authenticate federatively via the (trusted) Identity Providers
of their home institutes.
Big advantages:
● No additional account creation
● When the home institute offers MFA, that is used
● When the home institute does not offer MFA, SRAM offers a 2nd factor to make
sure every researcher is properly authenticated before using the services
offered via SRAM.
SRAM - iRODS Showcase
This is a docker cluster containing the following services:
● database (postgres 9.1)
● icat: iRODS Server 4.3.0 on ubuntu 20.04
● icommands: 4.3.0 on ubuntu 20.04
● davrods (latest on irods-runtime & irods-dev 4.3.0)
The showcase makes use of the submodule: https://github.com/HarryKodden/iRODS-Development-Bootstrapper.git
With this, all packages can be built at the requested version.
User provisioning…
The icommands container is running a cron job that
syncs with the LDAP of SRAM to provision /
deprovision all identities of researchers that are
active members of a certain collaboration.
For each such member:
● a home directory is created: /home/jdoe
● when the member has an SSH public key registered in SRAM, that public key
is added to the /home/jdoe/.ssh/authorized_keys file
● the user is registered at the irods server
● in the home directory a subfolder `.irods` is created, and within that
directory a file `irods_environment.json`, containing:
(sync tool: https://github.com/HarryKodden/irods-ldap-sync)
{
  "irods_host": "icat",
  "irods_port": 1247,
  "irods_user_name": "jdoe",
  "irods_zone_name": "tempZone",
  "irods_authentication_scheme": "pam_interactive",
  "irods_ssl_ca_certificate_file": "/var/lib/ssl/irods.crt"
}
https://github.com/stefan-wolfsheimer/irods_auth_pam_interactive
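The provisioning step above, as an added example that is not code from the showcase or from irods-ldap-sync: a constructed list of active collaboration members (a stand-in for the SRAM LDAP result) is reconciled against the users that already exist locally, and for each member the home directory, `authorized_keys` and `irods_environment.json` are written with restrictive permissions. Record field names, the home root and the sample keys are assumptions.

```python
import json
import stat
import tempfile
from pathlib import Path

# Constructed stand-in for the SRAM LDAP query: one record per active member.
SRAM_MEMBERS = [
    {"uid": "jdoe", "sshPublicKey": ["ssh-ed25519 AAAAC3...constructed jdoe@laptop"]},
    {"uid": "asmith", "sshPublicKey": []},   # member without a registered key
]

def reconcile(active_uids, existing_uids):
    """Return (to_provision, to_deprovision): members missing locally, and
    local users that are no longer active in the collaboration."""
    active, existing = set(active_uids), set(existing_uids)
    return sorted(active - existing), sorted(existing - active)

def irods_environment(uid, host="icat", zone="tempZone"):
    """Per-user irods_environment.json, matching the showcase settings."""
    return {
        "irods_host": host,
        "irods_port": 1247,
        "irods_user_name": uid,
        "irods_zone_name": zone,
        "irods_authentication_scheme": "pam_interactive",
        "irods_ssl_ca_certificate_file": "/var/lib/ssl/irods.crt",
    }

def provision(member, home_root):
    """Create home dir, .ssh/authorized_keys and .irods config for one member."""
    home = Path(home_root) / member["uid"]
    ssh_dir = home / ".ssh"
    ssh_dir.mkdir(parents=True, exist_ok=True)
    ssh_dir.chmod(stat.S_IRWXU)                # 0700: sshd rejects loosely-permitted dirs
    keys = ssh_dir / "authorized_keys"
    # Rewrite the file from SRAM state so revoked keys disappear on the next sync.
    keys.write_text("".join(k + "\n" for k in member["sshPublicKey"]))
    keys.chmod(stat.S_IRUSR | stat.S_IWUSR)    # 0600
    irods_dir = home / ".irods"
    irods_dir.mkdir(exist_ok=True)
    (irods_dir / "irods_environment.json").write_text(
        json.dumps(irods_environment(member["uid"]), indent=2) + "\n")
    return home

if __name__ == "__main__":
    root = tempfile.mkdtemp()
    add, drop = reconcile([m["uid"] for m in SRAM_MEMBERS], ["jdoe", "leftuser"])
    print("provision:", add, "deprovision:", drop)
    for m in SRAM_MEMBERS:
        print("wrote", provision(m, root))
```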
User flow…
The researcher starts by connecting to the icommands terminal session:
ssh jdoe@icommands
then starts a connection with iRODS, for example by issuing the command `ils`.
This will kick in the pam_interactive authentication scheme…
$ ils
3 demonstration flows…
1. SRAM Token flow - This is a custom SRAM flow
2. (SRAM) OIDC - Authorization Code Flow - This is an OIDC standard flow
3. (SRAM) OIDC - Device Code Flow - This is an OIDC standard flow
Long versus short loop…
The PAM flows asking the user to step out and complete a web flow may become
irritating when they kick in too often. (long loop)
When using the OAuth refresh token mechanism we can offer a much friendlier
user experience: the server then asks for a token refresh without requiring
additional user input. (short loop)
Whether this is a safe option depends on binding a session secret
(with a certain lifetime) that can be passed from icommands to the icat server.
Over the secure (SSL) connection between icommands and the icat server we can pass
such a secret. The secret could be stored locally in ~/.irodsA in the icommands
home directory.
iRODS PAM OIDC Authentication flow