About

Document that describes the end-user interactions with the EUDAT B2ACCESS service.

Service: B2ACCESS

Modified: 04 December 2017

Synopsis

B2ACCESS is the EUDAT federated cross-infrastructure authorisation and authentication framework for user identification and community-defined access control enforcement. Before accessing EUDAT services, users and OAuth clients need to register on the B2ACCESS portal. This document discusses the workflow of end-user login and registration and describes the end-user account management process.

Introduction

B2ACCESS allows EUDAT users to authenticate themselves using a variety of credentials. The following log-in options are supported:

  • User's Home Organisation Identity Provider
  • Social account (e.g. Google, Microsoft Live and Facebook)
  • B2ACCESS ID

The user's home organisation has the highest level of assurance and is the preferred way of authentication. If a user's home organisation is not available in the EUDAT B2ACCESS system, a social account or B2ACCESS ID are the alternatives. However, since these have a lower level of assurance, access to the EUDAT services and resources can be limited for users authenticated under these options. 

Figure 1 shows how the different methods of authentication interact with the B2ACCESS system. The diagram shows external identity providers (IdPs) being used to authenticate users to the B2 services in EUDAT, with B2ACCESS providing the Authentication/Authorisation Infrastructure (AAI). Thus, users can use their existing identities to identify themselves to the EUDAT services. The organisational identity will be provided by a user's home organisation. In order to support a wide range of IdPs we have joined the eduGAIN federation; if, however, you cannot find your IdP in the B2ACCESS list, please let us know. Not all EUDAT services have been integrated yet: currently (November 2017) B2SHARE, B2SAFE, B2STAGE and the Site & Service Registry are fully integrated; other EUDAT services will be integrated in the coming months. B2ACCESS uses the UNITY IDM technology.

Figure 1. B2ACCESS Components

This document introduces the B2ACCESS registration workflow, discusses how to use B2ACCESS to log in to a B2ACCESS-enabled EUDAT service and highlights the options for a user to manage their profile.

Account Registration

In order to use B2ACCESS for authentication and authorisation, the end-user needs to visit the EUDAT B2ACCESS portal and register an account at https://b2access.eudat.eu/. This is shown in Figure 2. Username-password is shown here because, when we took the screenshot, that is what the user had last used to log in.

Figure 2. B2ACCESS Home screen.

The home screen allows users to register with any of three different methods of authentication: organisational ID, social ID and B2ACCESS ID. We cover these below. In case of issues, see also the troubleshooting section later in the document.

Register with Home Organisation Identity Provider

  1. Click the name of your home organisation in the Log in with your Organisation ID tab:
    1. Scroll through the list to find your home organisation
    2. Or type the name of your home organisation in the search box. Note that this filter applies to all ID Provider boxes.
  2. After selecting your home organisation, click the Authenticate button
  3. You are redirected to the login page provided by your home organisation. Provide your credentials and log in.
  4. After successful log-in, if you are not registered yet, you will be offered two possibilities:
    1. Register an account: a new local account will be created
    2. Associate an account: an existing local account will be associated with your external identity
  5. If you do not have an existing account in B2ACCESS, choose the Register option
  6. The registration form will be presented, in which you need to fill in the name of your home organisation and (optionally) apply for membership in one of the presented groups. Your email address and common name will be automatically filled in using your external account data. You will have to agree to the EUDAT End-User Policy (EUP) by clicking the corresponding checkbox. Finally, enter the captcha and submit the form. A notification will pop up informing you about the status of the registration.

Register with Social account

At the time of writing (February 2016) Google, Microsoft Live and Facebook IDs are supported, with more to come. This section discusses Google as an example, though the workflow is similar for other social ID providers.

  1. Click the Google Account link in the Google Authentication tab and click Authenticate. You are then redirected to the login page of Google.
  2. Provide your Google credentials and log in.
  3. Give Google permission to publish your attributes to B2ACCESS.
  4. If you are not registered yet, you will be offered two possibilities:
    1. Register an account: a new local account will be created
    2. Associate an account: an existing local account will be associated with your Google identity
  5. After successful log-in, if you do not have an existing account in B2ACCESS, choose the Register option
  6. The registration form will be presented, in which you need to fill in the name of your home organisation and (optionally) apply for membership in one of the presented groups. Your email address and common name will be automatically filled in using your Google account data. You will have to agree to the EUDAT End-User Policy (EUP) by clicking the corresponding checkbox. Finally, enter the captcha and submit the form. A notification will pop up telling you the status of the registration. 

Register with B2ACCESS ID

  1. Clicking on the Register a new account link on the top right of the page pops up the registration form, shown in Figure 3.
  2. You will be offered three registration forms to choose from:
    1. OAuth Client Registration Form (not covered in this document)
    2. Create B2ACCESS Account (username only)
    3. Create B2ACCESS Account (certificate + optional username)
  3. If you choose B2ACCESS Account (username only) you will be presented with a web form where you have to fill in the following data:
    • User name
    • Password (twice). Note that the B2ACCESS site instructs your browser to not remember your username and password.
    • Email address
    • Organisation name (optional)
    • Common Name (CN, optional)
    • Comments (optional)
  4. If you choose B2ACCESS Account (certificate + optional username) you will be presented with a web form where you have to fill in the following (fewer) data:
    • Your Distinguished Name, where you can use the optional facility to extract it from an uploaded X.509 certificate. B2ACCESS uses the LDAP string representation of distinguished names; an example distinguished name is: CN=joe user,O=Example University,OU=students,C=TV. CN is Common Name, your full name; O is the name of your organisation; OU is Organisational Unit, a group you belong to in your organisation; and C is the Country where your organisation is based.
    • An optional preferred User name
    • Your email address
    • And optionally your organisation name
  5. In both cases, agree to the EUDAT End-User Policy (EUP) by clicking the corresponding checkbox, enter the captcha and submit the form.

Figure 3. B2ACCESS Registration form
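As an added example (not part of this document or of B2ACCESS itself), the following Python parser splits a distinguished name in the LDAP string form described in step 4 above into its attribute types and values, handling escaped separators and multi-valued RDNs, and reports which of CN, O, OU and C are missing before you paste the DN into the form. Which attributes B2ACCESS actually requires is an assumption here; the document only shows all four in its example.

```python
"""Parse an LDAP-style distinguished name (RFC 4514 string form) and check
which of the parts shown in the B2ACCESS example (CN, O, OU, C) are present."""
from typing import Dict, List, Tuple


def parse_dn(dn: str) -> List[List[Tuple[str, str]]]:
    """Return the DN as a list of RDNs, each a list of (type, value) pairs.

    Backslash escapes (e.g. "\\," inside a value) are honoured and "+" joins
    multi-valued RDNs. Unescaped spaces next to separators are tolerated and
    trimmed; quoted values ("...") are not supported."""
    rdns, current_rdn, buf, attr_type, escaped = [], [], [], None, False
    for ch in dn:
        if escaped:                       # previous char was "\": take literally
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == "=" and attr_type is None:   # first "=" ends the type
            attr_type = "".join(buf).strip().upper()
            buf = []
        elif ch in ",+":                  # end of an attribute value
            if attr_type is None:
                raise ValueError("RDN without '=' in DN: %r" % dn)
            current_rdn.append((attr_type, "".join(buf).strip()))
            buf, attr_type = [], None
            if ch == ",":                 # "," also ends the RDN
                rdns.append(current_rdn)
                current_rdn = []
        else:
            buf.append(ch)
    if escaped or attr_type is None:
        raise ValueError("Malformed DN: %r" % dn)
    current_rdn.append((attr_type, "".join(buf).strip()))
    rdns.append(current_rdn)
    return rdns


def dn_attributes(dn: str) -> Dict[str, List[str]]:
    """Group the DN's values by attribute type, e.g. {'OU': ['students']}."""
    grouped: Dict[str, List[str]] = {}
    for rdn in parse_dn(dn):
        for attr_type, value in rdn:
            grouped.setdefault(attr_type, []).append(value)
    return grouped


def missing_b2access_parts(dn: str) -> List[str]:
    """Attribute types from the document's example that the DN lacks.
    Assumption: B2ACCESS expects CN, O, OU and C; the document does not say."""
    present = dn_attributes(dn)
    return [t for t in ("CN", "O", "OU", "C") if t not in present]
```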

Log in to B2ACCESS

You generally do not need to log in to B2ACCESS. The EUDAT services integrated with B2ACCESS present their own B2ACCESS interfaces, and once logged in with one such service, your session is valid for other integrated services. You may need to log in so as to manage your B2ACCESS account, which we discuss later.

After successful registration you can log in with your B2ACCESS ID / account at https://b2access.eudat.eu/. You can log in using your organisational ID, social ID or B2ACCESS ID. We cover these below.

Log in with Home Organisation Identity Provider

  1. Click the name of your Home Organisation in the Log in with your Organisation ID tab:
    1. Scroll through the list to find your Home Organisation
    2. Or type the name of your Home Organisation in the search box
  2. After selecting your Home Organisation, click the Authenticate button
  3. You are redirected to the login page provided by your home organisation. Provide your credentials and log in.

Log in with Social account

Again the example is from Google, with the other social accounts operating in a similar fashion.

  1. Click the Google Account link in the Google Authentication tab and click Authenticate
  2. Provided that you have previously registered, you will be logged in automatically

Log in with B2ACCESS ID

  1. Click the Login with native B2ACCESS ID link in the Login with your B2ACCESS ID tab
  2. Fill in your username and password in the two input fields and click Authenticate
  3. Provided that you have previously registered, you will be logged in automatically

Profile and Credentials Management

To access your user profile page, please log in to https://b2access.eudat.eu/. After logging in, you will be taken to your profile page, which will look like Figure 4.

Figure 4. B2ACCESS user profile page

There are two areas here, "Profile" and "Credentials Management".

Profile Management

A screenshot of this page is shown in Figure 4. You can see your email at the top and the logout button. The page shows your Displayed name and your credential status (that is, whether you have set a B2ACCESS password), the Groups that you belong to, your unique, anonymous B2ACCESS ID, your username, canonical name, email and organisation name, and also the Level of Assurance for the credentials you have used to log in. The B2ACCESS team is working on making the Level of Assurance consistent: for example, the user who took the screenshot had logged in using a Google ID, which should display a "Medium" level of assurance, but the screen reads "Low".

Remove account at the bottom right allows you to schedule deletion of your account, or to delete it immediately.

Click the Remove account button, which pops up the form shown in Figure 5.

Figure 5. User removal form

The respective workflows are discussed below.

Temporary account deactivation

A user account can be deactivated for a chosen number of days and reactivated once the user logs in during the deactivation period. The account will be automatically removed if the user does not log in during this deactivation period.

To temporarily deactivate the account:

  1. Log in to B2ACCESS. You are presented with the profile management page. Click the Remove account button.
  2. Select the option Disable immediately and remove after a grace period. Choose the number of days you want the account to be suspended.
  3. Confirm your choice. The deactivation takes place and you are redirected to the initial login page.

Permanent account removal

A user account can be permanently removed. To remove an account:

  1. Log in to B2ACCESS. You are presented with the profile management page. Click the Remove account button.
  2. Select the option Remove immediately.
  3. Confirm your choice. The removal takes place and you are redirected to the initial login page.

Note that:

  1. Removing or deactivating an account with one of your identities does not affect accounts registered with other identities. For example, if you remove the account registered with your Google identity, you are still able to use your native B2ACCESS account.
  2. You can register a new account with the same identity and same data (e.g. membership in the groups) after removing the old one.

Credentials Management

Click on Credentials management. If you have not set a B2ACCESS password or registered a B2ACCESS ID, you will see a screen similar to Figure 6.

Figure 6. Form to add B2ACCESS password

You do not need to set a password, and remember that the B2ACCESS ID has a low Level of Assurance. Setting a password here effectively registers your B2ACCESS ID.

Assuming you have set a password, changing it is straightforward: clicking on Credentials Management takes you to the screen shown in Figure 7. As expected, you need to know your previous password before you can change it.

Figure 7. Form to change B2ACCESS password

Possible Issues

  • You may go through the registration process but not get a "Registration successful" message. This is a known problem that the B2ACCESS team is dealing with, but the registrations are successful; just go back to the B2ACCESS page and log in as required.
  • Occasionally, the captcha appears only partially on the screen, which prevents you from completing the registration. Cancelling and retrying resolves this issue.
  • B2ACCESS requires certain attributes provided by your Home Organisation Identity Provider. If these attributes are not provided, login / registration will fail. Please inform us about the issue so we can take appropriate action.

Support

Support for B2ACCESS is available via the EUDAT ticketing system through the webform.

You can also access our online training material.

If you have comments on this page, please submit them through the EUDAT ticketing system.

Document Data

Version: 1.3.1

Authors:

Willem Elbers (CLARIN)

Arsen Hayrapetyan (KIT)

Maarten Plieger (KNMI)

Editors:

Hans van Piggelen (SURF)

Kostas Kavoussanakis (EPCC)