try at Atlassian Marketplace
ESRF Builds a Secure Remote Research Platform with Confluence and SSO

ESRF Builds a Secure Remote Research Platform with Confluence and SSO

With over 9,000 researchers utilizing their resources, ESRF needed a secure wiki for scientific collaboration that would work in fully remote scenarios.

Table of Contents

Industry: Scientific / Research

Company: The European Synchrotron Radiation Facility (ESRF) is the world’s most intense X-ray source and a centre of excellence for fundamental and innovation-driven research in condensed and living matter science. ESRF’s goal is ‘to make the invisible visible’.

Located in Grenoble, France, the ESRF owes its success to the international cooperation of 22 partner nations, all working in tandem to understand the world’s materials and living matter with atomic resolution. The spirit of open collaboration has brought top scientists from different countries and disciplines together, which leads to many cutting-edge pioneering achievements. 6 Nobel Prize winners since 2003 have conducted research in their facilities. Learn more here.

Overview

The ESRF started to use Confluence in early 2019 as a way to strengthen its international cooperation with other institutions globally. Their Confluence is separated into public, team and administration spaces with restricted access.

As one of the leading synchrotron research institutions in the world, ESRF receives approximately 9,000 visiting scientists and researchers onsite in Grenoble, France each year. These visiting scientists are given Confluence accounts to collaborate and share their experiences, results and challenges on specific experiments. The knowledge accumulated is an invaluable asset for for visitors, staff, and collaborators working with the ESRF.

The Challenge

On 16. March the entire facility was closed down due to COVID-19. However, employees and visitors who needed to use Confluence to document, collaborate and record progress had to access it remotely using a VPN and SSH gateway. This creates two problems:

  1. Access speed slows precipitously when traffic increases;
  2. It adds more steps/barriers to reach the Confluence pages than working onsite ( e.g. go to the VPN site, login to VPN, login to the firewall…).

Since editing content on Confluence became particularly tedious and difficult, ESRF staff and visiting researchers were not recording their progress as they otherwise would have, leading to the loss of valuable knowledge and miscommunication in project teams.

That’s such an unacceptable outcome that ESRF decided to make Confluence accessible directly through the internet without the VPN/ SSH.

The challenge is: how to make Confluence access both frictionless and secure?

The intellectual property and private data from thousands of research projects are at stake.

The Solution

Implement resolution’s SAML Single Sign-On to allow easy and secure access to Confluence from the Internet:

With SAML Single Sign-On, user authentication is delegated to a central source of identity, the SAML Identity Provider- Keycloak in this case. When users navigate to Confluence, SAML SSO redirects them to Keycloak to authenticate.

  • If a user has an account for Keycloak and authenticates successfully, users are redirected back into Confluence.
  • If a user already has an open session with Keycloak, then they are logged in without re-entering their credentials.
  • If someone with no Keycloak account attempts to login, they are denied access to Confluence. However, as the attempts to access Confluence are being tracked, the user will be contacted by an administrator to potentially create a new Confluence User… and another producer of information for the synchrotron.

“Once our facility opens again, we will continue to use SAML SSO and redirect Confluence users to the ESRF identity provider for authentication. Visitors inside ESRF will get instant access to all our public information in Confluence without having to log in thanks to the Redirection feature in the app; at the same time, anonymous visitors accessing Confluence from outside will be blocked.”

Staffan Ohlsson
IT Infrastructure Engineer, ESRF

The Results

With SAML Single Sign-On for Confluence successfully deployed, the scientists who have ESRF Confluence accounts can now access it securely, with 1 click, anywhere in the world. At the same time, any anonymous visitor using the intranet is allowed to read the public information stored in Confluence.

Now scientists across 22 partners nations can continue to share ideas and record progress within seconds.

Technologies used: SAML Single Sign-On for Confluence / Keykcloak

For more information on SAML Single Sign-On click here or schedule a screenshare with one of our technical engineers.

Subscribe to our newsletter:

Related articles: