Custos provides different layers of user filtering for authentication and authorization.

User filtering in authentication

  • Institutional filtering     

                Custos provides the flexibility of configuring OIDC-based identity federation services. By default, CILogon is integrated with Custos and supports all institutions provided by the InCommon federation. Any user from those institutions should be able to authenticate. In addition, Custos provides an institutional whitelisting API where clients can store a selected set of institutions, with relevant metadata such as entityId, so that only those selected institutions are loaded.


User filtering in authorization

  • Custos supports the following authorization schemes.

    • Role-based authorization

                Users can be assigned different roles, and the roles need to be pre-configured in the Custos tenant (e.g., gateway-admin, gateway-user).

    • Attribute-based authorization

              Users can be assigned different attributes (e.g., email, phone).

    • Group-based authorization    

              Custos supports

                             a. Flat group creation: assign members to groups, assign group admins

                             b. Hierarchical group creation: assign child groups, assign members to groups, assign group admins

               In addition, attributes and roles can be assigned to groups, and they are automatically inherited by member groups and users.


    All of the aforementioned authorization schemes can be used to filter users. Group-based authorization is the most popular and the most fine-grained. The configuration shows how group-based authorization is configured to allow JupyterHub users to access notebook servers.
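
The two filters described on this page (an institutional allowlist keyed on entityId, then roles inherited through flat or hierarchical groups), modelled in Python as an added illustration. This is not Custos code, the Custos API, or the JupyterHub configuration referred to above; every class, function, group, role and entityId below is hypothetical or constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Group:
    name: str
    roles: set = field(default_factory=set)      # roles assigned to the group
    members: set = field(default_factory=set)    # user ids directly in the group
    children: set = field(default_factory=set)   # names of child groups

class Directory:
    """In-memory model of flat and hierarchical groups (hypothetical, not the Custos API)."""
    def __init__(self, groups):
        self.groups = {g.name: g for g in groups}
        self.parents = {}                        # child name -> parent names
        for g in groups:
            for child in g.children:
                self.parents.setdefault(child, set()).add(g.name)

    def inherited_from(self, user):
        """Groups the user belongs to directly, plus every ancestor group."""
        seen = set()
        stack = [g.name for g in self.groups.values() if user in g.members]
        while stack:
            name = stack.pop()
            if name not in seen:                 # visited set also stops on cycles
                seen.add(name)
                stack.extend(self.parents.get(name, ()))
        return seen

    def effective_roles(self, user, own_roles=()):
        roles = set(own_roles)
        for name in self.inherited_from(user):
            roles |= self.groups[name].roles
        return roles

def may_access(directory, user, entity_id, allowed_entity_ids, required_role):
    # Authentication-side filter: the user's institution must be on the allowlist.
    if entity_id not in allowed_entity_ids:
        return False
    # Authorization-side filter: the role may be direct or inherited through groups.
    return required_role in directory.effective_roles(user)

# Constructed sample data: group names, role names and entityIds are made up.
ALLOWED = {"https://idp.example.edu/shibboleth"}
DIRECTORY = Directory([
    Group("jupyter-users", roles={"notebook-user"}, children={"lab-a"}),
    Group("lab-a", members={"alice", "carol"}),
    Group("guests", members={"bob"}),
])
```

Here `alice` receives `notebook-user` only through the parent group of `lab-a`, while a user from an institution outside `ALLOWED` is rejected before any group lookup happens.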





