Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.


A common requirement for research organizations is to provide access via SSH to command line tools hosted on Unix-based systems. Provisioning and deprovisioning the accounts required for access, and leveraging the researcher's existing credentials to authenticate the access, are common challenges in providing this access.


Leverage COmanage to enroll a researcher to a collaboration, collect the researcher's SSH public key, and create a Unix account for the researcher.

  1. Configure an Enrollment Flow to allow a researcher to join a collaboration.
  2. Configure an LDAP provisioner to write Unix account information to LDAP.
  3. Enroll the researcher.
  4. Upload the researcher's SSH keys.
  5. Login to the unix server as the researcher.

Architecture and Components

Gliffy Diagram


  • COmanage Registry, used to manage participant registration in the collaboration
    • SQL database backend, used by COmanage
  • UNIX Server, on which the command line tools run and to which the researcher desires access
  • Home IdP, used by the researcher to authenticate to the collaboration
  • SP Proxy and OpenConext, used to manage connectivity to federated identity and other authentication services
  • LDAP Server, provisioned by COmanage and used by the UNIX Server as a source of account information


This section assumes that each component is already installed and configured for basic connectivity.

LDAP Server

The following schemas must be enabled on the LDAP server, if not already enabled:


First, set up a suitable enrollment flow for onboarding participants. Various configurations are possible, but a typical configuration might be Self Signup With Approval:


Finally, configure a provisioning target using the LDAP provisioner. Enable both posixAccount and ldapPublicKey objectclasses, but be sure to read the notes in the documentation for considerations and restrictions.

Unix VM

Configure the VM to read account information from LDAP, according to the installed distribution and local requirements. Here are some pointers:



Enrollment takes place with the following steps:

  1. Assuming the self signup enrollment flow, the researcher begins the flow by authenticating using their home IdP. If the IdP is configured to release attributes and COmanage is appropriately configured, those attributes will be prepopulated into the signup form. Otherwise, and for any additional attributes, the researcher completes the signup form.
  2. The researcher will be asked to confirm control of their asserted email address by clicking a link sent to it.
  3. The collaboration administrator reviews the application and approves the enrollment.
  4. Once approved, COmanage will assign a login ID and write the researcher's record to the LDAP server, effectively creating the researcher's Unix account. As part of the approval process, a notification is sent to the researcher regarding the approval and including the login ID and server address.
  5. The researcher logs into COmanage and uploads their SSH public key.
  6. COmanage adds the public key to the LDAP record.
  7. The research may now log in to the Unix server, using the provided address, login ID, and their existing SSH private key.

Video on this work