Custos provides different layers of user filtering for authentication and authorization.
User filtering in authentication
- Institutional filtering
Custos supports configuring OIDC-based identity federation services. By default, CILogon is integrated with Custos and supports all institutions provided by the InCommon federation. Any user from those institutions should be able to authenticate. In addition, Custos provides an institutional whitelisting API where clients can store a selected set of institutions, with relevant metadata such as entityId, so that only those selected institutions are loaded.
User filtering in authorization
Custos supports the following authorization schemes.
Role-based authorization
Users can be assigned different roles. Roles need to be pre-configured in the Custos tenant (e.g. gateway-admin, gateway-user).
Attribute-based authorization
Users can be assigned different attributes (e.g. email, phone).
Group-based authorization
Custos supports:
a. Flat group creation: assign members to groups, assign group admins
b. Hierarchical group creation: assign child groups, assign members to groups, assign group admins
In addition, attributes and roles can be assigned to groups, and they are automatically inherited by member groups and users.
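The inheritance rule above, modeled locally as an added example (not Custos code or its SDK). The `Group` class, `ancestry`, `effective_grants`, `may_access` and the sample users are hypothetical, and letting a nearer group's attribute override an ancestor's is an assumption.

```python
# Added illustration: a local model of group inheritance, not the Custos SDK.
from dataclasses import dataclass, field


@dataclass
class Group:
    name: str
    roles: set = field(default_factory=set)
    attributes: dict = field(default_factory=dict)
    members: set = field(default_factory=set)
    parent: "Group | None" = None


def ancestry(group):
    """Yield the group, then each parent up to the root; stop on a cycle."""
    seen = set()
    while group is not None and group.name not in seen:
        seen.add(group.name)
        yield group
        group = group.parent


def effective_grants(user, groups):
    """Roles and attributes a user inherits from member groups and ancestors."""
    roles, attrs = set(), {}
    for g in groups:
        if user not in g.members:
            continue
        # Walk root-first so a nearer group's attribute wins (assumption).
        for node in reversed(list(ancestry(g))):
            roles |= node.roles
            attrs.update(node.attributes)
    return roles, attrs


def may_access(user, groups, required_role):
    """Filter: allow only users whose effective roles include required_role."""
    return required_role in effective_grants(user, groups)[0]


# Constructed sample data; role names are the page's examples.
research = Group("research", {"gateway-user"}, {"phone": "+1-555-0100"}, {"bob"})
admins = Group("notebook-admins", {"gateway-admin"}, {"phone": "+1-555-0199"},
               {"alice"}, parent=research)
GROUPS = [research, admins]

if __name__ == "__main__":
    for user in ("alice", "bob", "carol"):
        print(user, sorted(effective_grants(user, GROUPS)[0]),
              may_access(user, GROUPS, "gateway-admin"))
```

A user in no group (carol here) ends up with an empty role set, so the filter denies by default.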
All of the aforementioned authorization schemes can be used to filter users. Group-based authorization is the most popular and the most fine-grained. The configuration shows how group-based authorization is configured to allow JupyterHub users to access notebook servers.