Secure identity tokens are a type of login account that can be used in Mediaflux where using a regular domain/username/password is inconvenient. A secure identity token is always associated with a proxy user (the account you usually log in to Mediaflux with); all operations performed using the token will appear to have been performed by the proxy user.
Importantly, a token does not inherit the permissions of its proxy user; it is given its own set of permissions which may be more restrictive than those held by the proxy user. This allows compartmentalisation of access, with a user potentially using multiple tokens that each have different access levels if required. Note that a token is affected by ACLs as if it was its proxy user, so if your project uses custom ACLs to grant access, all of a user’s tokens will be able to access those same locations.
Secure identity tokens can be further restricted to a specified access application. This is most often used to restrict access to the Mediaflux Unimelb Command-Line Clients.
Secure identity tokens can be used to access Mediaflux through one or more protocols. Valid protocols currently include http, sftp and smb.
Secure identity tokens do not require MFA push notifications when authenticating. This is ideal for long-lived Network Share (SMB Protocol) mounts where it would be impractical to action MFA notifications each time the client reauthenticates with the server.
Possible applications of secure identity tokens
There are various scenarios where it might be advisable to use a secure identity token. Here are some examples:
If you wish to be able to access Mediaflux from a shared host in an unattended fashion, for example with a scheduled task on Windows or a cron job on Linux. Storing your university username and password in a configuration file on a shared host may be a security risk; if it were compromised, an attacker may be able to access many systems using the stolen credential. A secure identity token compartmentalises this risk.
If you need to automate uploads in an unattended fashion from an instrument PC. You may not want to have to accept an MFA push notification each time an upload is commenced. Secure identity tokens support sftp and http (used by the Mediaflux Unimelb Command-Line Clients).
If a long lived SMB mount is required on a server. It is best to use a secure identity token so that MFA push notifications are not sent each time the SMB client re-authenticates with the server. You would not need to update the mount configuration when changing your university password.
How to use secure identity tokens
When you request a secure identity token, you will receive a code like the one below:
P6YdrBcrRTGXYzpLhXdPAjm8iKxqZ8VOvSGFypEtJgDlM2FmOj6IFtKMpBTTWbsMBv5OrwMzyCf7KarCdEyKGrvlc7EqYPRay12474956
This is your token, and is used instead of your username and password.
Unimelb Command-Line Clients
When using the Mediaflux Unimelb Command-Line Clients, you enter the secure identity token in your configuration file. See Configuration File.
SFTP and SMB
When using SFTP or SMB, use the following credentials:
domain: token
username: your secure token
password: leave it blank, or use the token a second time
All secure identity tokens exist within a special domain, simply called token.
If you do not have an auth-key, in most instances you can leave the password field blank. If the client you are using does not accept an empty password, you can enter the token a second time or use the word none or password (all lower-case).
How to apply for a secure identity token
To apply for a secure identity token, open a ticket in Service Now and specify:
The user account that you wish to use as the proxy account for the secure identity token
The client(s) you would like to use with the token (or 'all')
The protocol(s) you would like to use with the token (or 'all')
The project role you wish to grant to the secure identity token. Typically this would be:
For a read-only (download) token:
participant-a
For a read-write (upload-download) token:
participant-acm for a token used by the unimelb-mf-clients
participant-acmd-n for SFTP and SMB
See Standard Project Roles for more information
Please use the links below to apply for a token:
UoM Staff: http://go.unimelb.edu.au/or96
UoM Students: http://go.unimelb.edu.au/4exr
External Users: http://go.unimelb.edu.au/75vr