IAM for IRIS: Help Page
Last updated: 22nd February, 2021
Account Creation: Introduction.
The IRIS IAM provides an authentication and authorization service to a number of IRIS resources. The primary way of doing this is by creating an account associated with a user's home institution identity. Associating accounts with institutional identities ensures that all members have an active affiliation with an IRIS partner at sign-in time.
We are currently working on solutions for users whose institution does not run an eduGAIN IdP. If your institution does not run its own IdP, please contact the IAM support desk for information about how to create an account: firstname.lastname@example.org, with subject line "ATTN: IAM Account Creation".
Please note that all account requests must be approved by a member of the IRIS IAM admin team before they are activated. We endeavour to approve requests as quickly as possible; however, at this stage requests are only monitored during working hours. This means that any requests made during the evening or over the weekend will likely see delays.
Registration using eduGAIN IdPs
IRIS members who belong to an academic institution may initiate a login flow by navigating to the IRIS IAM home page and selecting the eduGAIN button, as below.
On the resultant page you will be presented with a list of all registered academic institutions. You may start typing the name of your institution here and, if it is registered with eduGAIN, it will appear in the automatically updated list. Please be aware that due to the large number of institutions linked with eduGAIN, you may need to type several characters before finding yours (see below).
Once you have selected an IdP to use, please select the option to "Sign in with IdP", which will then redirect you to the sign-in portal for your home institution. Once authenticated, you will be asked to allow your institution to release your information to IRIS IAM. If you accept this, you will be redirected to the registration page, as seen below.
This registration page should be mostly autofilled with information from your IdP; however, you will need to complete any remaining fields. This includes the notes field, which must be completed with the reasoning behind your registration request.
After completing the registration page, please read and confirm your agreement to the IRIS IAM Acceptable Usage Policy. A link to the AUP can be found below the registration fields, and this governs your access to and use (including transmission, processing, and storage of data) of the resources provided by IRIS. The full policy can be found at: https://iris-iam.stfc.ac.uk/aup.
Once you have signed the AUP, your registration will be sent to the IAM admin team for approval. Once your account has been approved, you will receive an email informing you, and you will then be able to use your new IRIS IAM account.
With the current implementation of IAM, when you receive your account confirmation you will also be requested to set a password. Please know that this is not required and can be ignored - you do not need to set a password for your account.
Should your account need a password at a later point (for example, you are looking to authenticate with a service which cannot redirect you - such as something terminal based), you can contact the IAM admin team for assistance.
Setting a Password
After your account has been created, you will receive an email asking you to set a password. This is not needed, and you may safely ignore it, as setting a password is not required to access your account. The current version of the INDIGO IAM sends this email automatically so that users may access their account with local credentials, as well as their institutional ID. This automatic email will be disabled in a later version of the INDIGO IAM software, but for now please ignore this email.
Joining a Group
The IRIS IAM conveys authorization through your membership of relevant groups. You will need to apply for each group and be accepted into it before being able to access any corresponding resources. If you are applying after being given direction from a specific service, you should have been informed if you will require any group memberships.
In order to join a group you will need to navigate to your profile page within the IAM dashboard. You can access this by selecting "View Profile Information" from the landing page, or clicking here. From your profile, you may apply for a group by selecting the "Join a Group" button within the Group Requests section, on the right side of this page. You will be presented with a new window with two text fields to be completed:
Select one or more groups
In the free-text box here you may search for the group you wish to apply for. You may apply to multiple groups at once. Please note that you do not need to be a member of a parent group to be a member of a sub-group. For example, being a member of "example/sub-group" does not also confer membership of "example" - both groups must be applied for separately.
Provide a motivation for your request(s)
This free-text field requires a justification for your request, which will be shown to group managers at approval time. Please make this information as comprehensive as possible, so that your request may be processed appropriately.
Once submitted, your request will be reviewed by the group managers for that group. Once a decision has been made, you will be notified via email. This email will either inform you that your request has been approved or that it has been rejected. If your request has been rejected, there will be a note explaining the reasoning behind this decision.
Should you require any assistance with the group membership process, please contact the IAM support team at: email@example.com, with subject line "ATTN: IAM Group Membership".