
Identity

Overview

Waldur ships its own user directory but is almost always fronted by an external identity provider (IdP) — SAML2 federation, an OIDC provider like Keycloak, an LDAP service, or a national auth service. SCIM provisioning lets the IdP push users and groups into Waldur, and outbound entitlement sync lets Waldur push group membership to downstream systems. Pick the topology that matches your federation; the platform role model is the same regardless.

Topology

[Topology diagram] Nodes: Identity provider (SAML / OIDC / LDAP); SCIM source (IdP-side); Waldur auth; Waldur user directory; Roles & memberships; SCIM consumer (downstream system); FreeIPA / LDAP (allocation backend). Flows: SSO login; provision users & groups; just-in-time create; assigned roles; push entitlements; account / project sync.

Key concepts

| Concept | One-liner | Reference |
|---|---|---|
| Identity provider | The external system a user authenticates against (SAML2, OIDC, LDAP). | Admin guide |
| Just-in-time provisioning | Waldur creates a user record on first successful login. | |
| SCIM (inbound) | The IdP pushes user / group changes into Waldur. | Admin guide |
| SCIM (outbound) | Waldur pushes role / group entitlements to downstream systems. | Admin guide |
| Offering user | A backend-specific account Waldur creates on the provider side (e.g. a FreeIPA user for SLURM). | Admin guide |
| Role mapping | Translation of IdP groups / claims into Waldur roles. | Roles |

Supported providers

| Provider | Protocol | Typical use |
|---|---|---|
| eduGAIN | SAML2 | Research-and-education federation. |
| eduTEAMS | OIDC | Group management for research collaborations. |
| Keycloak | OIDC / SAML2 | Open-source IdP; common standalone choice. |
| TARA | OIDC | Estonian state authentication. |
| MyAccessID | OIDC | European HPC federation gateway. |
| LDAP / LDAPS | LDAP | Existing enterprise directories. |
| FreeIPA | REST | Identity sync to a FreeIPA-backed allocation system. |
| Valimo, social | OIDC / proprietary | National mobile-ID and social logins. |

Per-provider setup lives in admin-guide / identities.

Choosing the right combination

  • Single corporate IdP: front Waldur with Keycloak or your SAML IdP; let JIT handle user creation.
  • Federated research access: front with eduGAIN or MyAccessID; consider SCIM inbound if the federation supports it.
  • Sync to allocation backends: enable outbound SCIM (for SaaS targets) or FreeIPA sync (for SLURM/HPC clusters).
  • Hybrid: combine inbound SCIM (authoritative user list) with SAML SSO (authoritative login) and outbound entitlement sync.
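The hybrid topology's login path, as an added example that is not Waldur's own code or API: inbound SCIM operations maintain the authoritative user list, SSO login maps IdP groups to roles on every login, and just-in-time creation is switched off so a user deactivated via SCIM cannot be revived by signing in. `ROLE_MAPPING`, `Directory`, the `User` model and the SCIM-like operation shape are constructed assumptions for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Hypothetical role mapping: IdP group name -> platform role (constructed).
ROLE_MAPPING = {
    "hpc-admins": "owner",
    "hpc-users": "member",
}


@dataclass
class User:
    username: str
    active: bool = True
    roles: Set[str] = field(default_factory=set)


class Directory:
    """Minimal user directory (constructed). jit=True lets SSO create users on
    first login; jit=False treats inbound SCIM as the only source of users."""

    def __init__(self, jit: bool):
        self.jit = jit
        self.users: Dict[str, User] = {}

    def apply_scim(self, op: dict) -> None:
        # Constructed SCIM-like op: {"op": "create" | "deactivate", "userName": ...}
        name = op["userName"]
        if op["op"] == "create":
            self.users.setdefault(name, User(name))
        elif op["op"] == "deactivate" and name in self.users:
            self.users[name].active = False
            self.users[name].roles.clear()  # entitlements go with the account

    def sso_login(self, claims: dict) -> Optional[User]:
        """Return the logged-in user with derived roles, or None if refused."""
        name = claims["sub"]
        user = self.users.get(name)
        if user is None:
            if not self.jit:
                return None  # unknown to SCIM: refuse rather than create
            user = self.users[name] = User(name)  # just-in-time create
        if not user.active:
            return None  # deprovisioned via SCIM: SSO must not revive it
        # Roles are re-derived from claims each login; unmapped groups grant nothing.
        groups = claims.get("groups", [])
        user.roles = {ROLE_MAPPING[g] for g in groups if g in ROLE_MAPPING}
        return user
```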