Forum Replies Created
I’m basing my statement on the attachment you had sent as that is all I have to go by…
Has the student reached out to RIT IT directly (as suggested by the error message)?
FABRIC simply consumes the results of an OIDC authentication transaction between the institution and CILogon as a client, and has no control over what errors may occur during the authentication process.
It may be worth checking to see if the student has any cached credentials in their system that they are unaware of by visiting: https://cilogon.org/me/ – cookies and/or sessions can be flushed from that page if they find anything unexpected.
Looks like the institution being used does not have a valid registry endpoint with CILogon – that is negotiated between said institution and CILogon independently; FABRIC has no control over this.
There was a notation about using ORCID instead, which is fine, but the student would need to submit a request form by using the “Initiate Petition” link found here: https://portal.fabric-testbed.net/signup/4
Jira ticket opened, moving all discourse there.
@Polycarp – Komal has made some updates to Jupyterhub that should allow you to launch properly
Couple of things to note
- In a previous screenshot your user email in the navbar appeared as an array of emails, this was due to multiple emails being associated to your account, which is fine, but was confusing JHub – that should now be a single email
- JHub uses the email as a unique identifier to create a storage allocation; with that email potentially being different from before, it’s possible that your storage will be empty – this means that we’d need to copy your data from the prior storage allocation to the new one since they’ll be differently named due to the email change
Let us know how it goes
Worked with Vaiden and the issue is now resolved – notes below for reference
- Jupyterhub uses COmanage LDAP to reference user permissions, and if new email is not registered the user will be denied access
- Jupyterhub also uses email to uniquely name storage allocations, and if the email changes the data in the prior allocation will no longer be available to the user when the new allocation is generated from the new email
Solution
- add new email via COmanage and have user verify
- ensure new email propagates to LDAP
- ensure user has access to Jupyterhub container using new email (storage will likely be empty)
- copy jhub data from original storage allocation to new allocation as .tgz file
- ensure user has access to copied data
- This reply was modified 9 months, 3 weeks ago by Michael J. Stealey.
October 30, 2023 at 10:36 am in reply to: [MAINTENANCE] core-api updates – affects portal/CM/core-api – Oct 30, 2023 #5971
Maintenance is completed
It may be more interesting to have more than one email account registered with FABRIC or use Github as an identity provider, if possible.
FABRIC already supports logically linking multiple email/IdP credentials together under the same user account through a COmanage backend that is part of CILogon’s authorization and group management stack.
There are some caveats when doing this however.
- Even though FABRIC can logically map more than one email to an individual user, Jupyterhub will allocate storage based on a user email attribute. As such the user will not see a consistent storage backend when logging into FABRIC using differing IdPs that are accessed through different email addresses
- If however the email address is consistent, then Jupyterhub storage will be consistent even when the IdPs differ from each other
- Some IdPs operate on alias email addresses and COmanage may know about one or more valid emails that are aliases of a primary or official email address. If these exist in COmanage then FABRIC will find them and the user may choose to use any of the valid emails as their “preferred email” for contact purposes
GitHub isn’t necessarily an identity provider in and of itself. In most cases GitHub is proxying your identity from another authority (e.g. Google) and simply relaying the claims it knows about you from the proxied provider.
This is analogous to what CILogon does in its federated identity model. It forwards the claims retrieved from your chosen identity provider along with additional attributes that it adds on for bookkeeping your information as being “unique” amongst 4000+ other identity providers.
- This reply was modified 1 year ago by Michael J. Stealey.
October 2, 2023 at 2:36 pm in reply to: [MAINTENANCE] core-api updates – affects portal/CM/core-api – Sept 21, 2023 #5508
closed
September 11, 2023 at 4:06 pm in reply to: Which email address should be used to add a project member? #5268
For search purposes use “Preferred Email”
Behind the scenes CILogon Email is used as the initial value for Preferred Email, so they are often going to be the same.
August 17, 2023 at 3:31 pm in reply to: [MAINTENANCE] Thur: 8/17/2023 – 10am – 11am EDT – core-api #5065
closing topic
August 17, 2023 at 3:30 pm in reply to: [MAINTENANCE] Thur: 8/17/2023 – 10am – 11am EDT – core-api #5064
Completed
May 19, 2023 at 12:16 pm in reply to: Maintenance on FABRIC core-api service – 5/19/23 (12:00 noon EDT) #4285
Maintenance is completed
May 11, 2023 at 2:50 pm in reply to: [Maintenance] 05/11/2023 1:00 – 2:00 pm (EDT) – core-api update #4212
Maintenance is completed and services restored
May 10, 2023 at 7:50 am in reply to: MAINTENANCE – Beta (development) tier – 8/22/2022 to 8/26/2022 #4194
closing
December 3, 2021 at 9:40 am in reply to: [COMPLETED]– production tier – Friday 12/03 – 9:00 to 10:00 am ET #1174
[COMPLETED] – maintenance has been completed