Secure identity tokens

Secure identity tokens are a type of login account for use in Mediaflux where logging in with a regular domain/username/password is inconvenient. A secure identity token is always associated with a proxy user (the account you usually log in to Mediaflux with); all operations performed using the token are recorded as having been performed by the proxy user.

Importantly, a token does not inherit the permissions of its proxy user; it is given its own set of permissions, which may be more restrictive than those held by the proxy user. This allows compartmentalisation of access: a user can hold multiple tokens, each with a different access level, if required. Note, however, that ACLs are evaluated as if the token were its proxy user, so if your project grants access through custom ACLs, all of that user's tokens will be able to access those same locations; the token's own permission set restricts what it can do, not which ACLs apply to it.

Secure identity tokens can be further restricted to a specified access application. This is most often used to limit a token to the Unimelb Command-Line Clients (https://rcs-knowledge-hub.atlassian.net/wiki/spaces/KB/pages/5474270).

Secure identity tokens can be used to access Mediaflux through one or more protocols. Valid protocols currently include http, sftp and smb.

Secure identity tokens do not trigger MFA push notifications when authenticating. This makes them suitable for long-lived mounts (https://rcs-knowledge-hub.atlassian.net/wiki/spaces/KB/pages/5473044), where actioning an MFA notification each time the client reauthenticates with the server would be impractical.

Possible applications of secure identity tokens

There are various scenarios where it might be advisable to use a secure identity token. Here are some examples:

  • If you wish to access Mediaflux from a shared host in an unattended fashion, for example with a scheduled task on Windows or a cron job on Linux. Storing your university username and password in a configuration file on a shared host is a security risk: if the file were compromised, an attacker could use the stolen credential against many university systems. A secure identity token compartmentalises this risk, because it is only valid for Mediaflux and only carries the permissions assigned to it.

  • If you need to automate uploads in an unattended fashion from an instrument PC. You may not want to accept an MFA push notification each time an upload starts. Secure identity tokens support sftp and http (the latter is used by the Unimelb Command-Line Clients, https://rcs-knowledge-hub.atlassian.net/wiki/spaces/KB/pages/5474270).

  • If a long-lived SMB mount is required on a server. Use a secure identity token so that MFA push notifications are not sent each time the SMB client re-authenticates with the server. You also avoid having to update the mount configuration when your university password changes.

How to use secure identity tokens

When you request a secure identity token, you will receive a code like the one below:

P6YdrBcrRTGXYzpLhXdPAjm8iKxqZ8VOvSGFypEtJgDlM2FmOj6IFtKMpBTTWbsMBv5OrwMzyCf7KarCdEyKGrvlc7EqYPRay12474956

This is your token, and it is used instead of your username and password. Treat it as you would a password: anyone who obtains it can act as your proxy user within the token's permissions, so store it only in files readable by the account that needs it.

Unimelb Command-Line Clients

When using the Unimelb Command-Line Clients (https://rcs-knowledge-hub.atlassian.net/wiki/spaces/KB/pages/5474270), you enter the secure identity token in your configuration file. See https://rcs-knowledge-hub.atlassian.net/wiki/spaces/KB/pages/5474302.

SFTP and SMB

When using SFTP or SMB, use the following credentials:

domain: token
username: your secure token
password: leave it blank, or use the token a second time

All secure identity tokens exist within a special domain, simply called token.

In most instances you can leave the password field blank. If the client you are using does not accept an empty password, you can enter the token a second time or use the word password (all lower-case).
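The following is an added example, not code from the Mediaflux documentation or the Unimelb RCS pages, showing how the credentials above map onto a Linux mount.cifs configuration for a long-lived server mount. It keeps the token out of /etc/fstab and out of the process list by putting it in a mount.cifs credentials file (one key=value per line: username, password, domain), which is a standard mount.cifs feature. The server name, share name, mount point, uid/gid and the token value are placeholders; the token is repeated as the password, which the page allows for clients that do not accept an empty password.

```shell
#!/bin/sh
# Added example (not from the Mediaflux or Unimelb RCS documentation).
# Builds a mount.cifs credentials file and the matching /etc/fstab line for a
# Mediaflux SMB share using a secure identity token. Server, share, mount point
# and the token below are placeholders to replace with your own values.

# Reject values that would break the credentials file or the mount options:
# an empty token, or one containing whitespace or a comma (mount options are
# comma separated, and the credentials file is line based).
looks_like_token() {
    case "$1" in
        "")            return 1 ;;
        *[[:space:],]*) return 1 ;;
        *)             return 0 ;;
    esac
}

# Write the credentials file mount.cifs reads. Per the page: the domain is
# literally "token", the username is the token, and the password is either
# blank or the token again; the token is repeated here so mount.cifs never
# prompts. The file is created with mode 600 before any secret is written.
# Prints the path of the file written.
write_cifs_credentials() {
    token="$1"
    path="$2"
    looks_like_token "$token" || return 1
    ( umask 077; : > "$path" ) || return 1
    chmod 600 "$path"
    printf 'username=%s\npassword=%s\ndomain=token\n' "$token" "$token" > "$path"
    printf '%s\n' "$path"
}

# Produce the /etc/fstab line. credentials= keeps the token out of fstab,
# _netdev delays the mount until networking is up (what a long-lived server
# mount needs), and uid/gid map the share's files to the local service account.
fstab_line() {
    server="$1"; share="$2"; mountpoint="$3"; credfile="$4"; uid="$5"; gid="$6"
    printf '//%s/%s %s cifs credentials=%s,vers=3.0,uid=%s,gid=%s,_netdev 0 0\n' \
        "$server" "$share" "$mountpoint" "$credfile" "$uid" "$gid"
}

# Stand-alone usage (placeholders, hypothetical values):
#   sh mediaflux_smb.sh 'YOUR_TOKEN' mediaflux.example.org projects /mnt/mediaflux
# Writes $HOME/.mediaflux.cred and prints the fstab line to append.
if [ "$#" -eq 4 ]; then
    credfile=$(write_cifs_credentials "$1" "${HOME}/.mediaflux.cred") || {
        echo "invalid token" >&2
        exit 1
    }
    fstab_line "$2" "$3" "$4" "$credfile" "$(id -u)" "$(id -g)"
fi
```

Run the script as the service account that will own the mount, so that the credentials file stays readable only by that account; the token inside it grants exactly the permissions assigned to the token, not those of your full university login.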

How to apply for a secure identity token

To apply for a secure identity token, open a ticket in Service Now and specify:

Please use the links below to apply for a token: