Authentication and authorization

The GeoSpock database supports authentication using the following Identity Providers (IdP):

In all cases, the Identity Provider must be set up with appropriate users in advance of deploying GeoSpock DB. In particular, one user will need to be chosen as the "root account" - the one account that starts with administrative access.

Authorization for GeoSpock resources is managed by granting permissions to user groups using the GeoSpock CLI, initially using the root account. We recommend that the account chosen for the root account is a service account. Once appropriate user groups for dataset and user administration have been set up, this root account should no longer be used.

For more information on managing users and the use of the root account, refer to Managing users.

Using Amazon Cognito as an Identity Provider

For GeoSpock DB to be able to authenticate users to your IdP, you will need to set up an App client. To do this:

  1. In your Cognito User Pool, click on "App clients" and click on "Add another app client"
  2. Add a suitable name, and make sure "Generate client secret" is not ticked. Then click "Create app client."
  3. Make a note of the Client ID.

When the GeoSpock DB is deployed, you will need to supply both the Cognito User Pool ID and the Cognito App Client ID.

Using LDAPS as an Identity Provider

If you wish users to authenticate through an LDAPS server, you will need to supply

  • The host address and port of your LDAPS server;
  • The bind pattern for users.

Using OpenID as an Identity Provider

To be able to log in using an OpenID Identity Provider (IdP), you will need to supply the URL of the JSON Web Key Sets (JWKS). The JWKS will then be used to verify the JSON Web Token (JWT) used to log in.

The JWT must have a field in that corresponds to your username - for example the sub field may contain this information, or you may have to add a custom claim to your JWTs.

When the GeoSpock DB is deployed, you will need to supply

  • The URL of the JWKS;
  • The field in the JWT containing the username.

When logging in to the GeoSpock DB using this authentication route, users will need to use their OpenID username as the --user argument, and a JWT from your OpenID IdP as the --password argument.