External user account
GitLab at KIT allows you to work with colleagues outside of KIT. Registration in the FeLS system is an essential prerequisite for an external user account; once registered, external users can be authorized to log in to the KIT GitLab. A KIT user can grant an external user access to a GitLab project or group owned by a KIT member in order to work together. As a project or group owner, you have to manage the external guests in both FeLS and GitLab. You are also responsible for ensuring that only authorized users have access to your groups and projects. To do this, the following steps must be carried out:
- Create a so-called project group in FeLS (abbreviated as FeLS-PG).
- Invite external users to this FeLS-PG.
- Invited and accepted external users can register in the FeLS-PG.
Once the created FeLS-PG has been activated by a GitLab administrator on request, the external parties can authenticate to the GitLab service via OIDC and can be assigned to the dedicated projects or groups in GitLab.
Note: External users are assigned the role “external user”. External users therefore cannot initiate their own projects.
The diagram shows an overview of the external user granting workflow.
Linking process to authorize external users
To authorize an external user account to access GitLab at KIT, please follow these steps.
1. Create project group in FeLS
As a GitLab project owner, create a project group in FeLS. To do this, log in with your KIT account at https://fels.scc.kit.edu/project/ and click on “Create new project”.
- Enter your group information. The group name and short name must be all lowercase letters.
- Define the purpose of the group project and invite all members who can be identified via email.
- Connect to the service: select the “GitLab” resource.
- Your request will be approved by the GitLab administrator within the next day.
- Invite all external members to your FeLS-PG. The invitation is sent by email to the person being invited and contains an invitation code. In the FeLS-PG, continue adding the external members you want to work on your GitLab project.
- The external user will receive a notification to register on FeLS (https://fels.scc.kit.edu). The recipient will receive a security code with which the external member can be allowed to participate in your project.
2. Registration in GitLab for external users
Once registered, external users can log in to GitLab.
- Go to the GitLab at KIT site (https://gitlab.kit.edu) and log in with FeLS. Select the home institution with which you registered in FeLS. You may then be asked to authenticate at your home IdP. The prerequisite for registration is that the account registered with FeLS has been authenticated in advance. You should have two options:
  - Your institution participates in the bw-AAI (bwIDM Federation), i.e. your account is already connected to the state-wide system. You can select your home IdP directly in FeLS and just log in.
  - You can use another external organization, such as Helmholtz Login, Google, GitHub, or eduGAIN.
- We recommend that external users use Helmholtz Login (via AAI), because it covers a wide range of registered facilities.
- (Optional) If you select “Helmholtz-AAI”, you have the option to register in our GitLab as an external user via other academic institutions worldwide, or via Google or GitHub Single Sign-On (SSO).
- You can now be assigned to a GitLab project and work on it.
- On the GitLab main page, external users are able to find their working project and group (associated institute/department) with Explore, if the GitLab group is set to public.
- The group owner must manage permissions and roles for external users in their GitLab groups and projects.
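One way for a group owner to carry out the access review described above is to reconcile the GitLab member list with the FeLS-PG roster. This is an added example, not code from KIT or GitLab; the member records are constructed and only follow the field names of GitLab's members API, and the roster and internal-user sets are assumed to be lists the owner maintains.

```python
# Added example: reconcile GitLab group membership with the FeLS-PG roster.
# All usernames and records below are constructed sample data.

MAINTAINER = 40  # GitLab access levels: 10 Guest, 20 Reporter, 30 Developer, 40 Maintainer, 50 Owner

# Field names follow GitLab's members API (GET /groups/:id/members/all),
# trimmed to the fields this check uses.
MEMBERS = [
    {"username": "kit_owner", "access_level": 50, "expires_at": None},
    {"username": "ext_alice", "access_level": 30, "expires_at": "2025-12-31"},
    {"username": "ext_bob", "access_level": 40, "expires_at": None},
    {"username": "ext_carol", "access_level": 20, "expires_at": None},
    {"username": "ext_erin", "access_level": 30, "expires_at": None},
]
KIT_USERS = {"kit_owner"}  # assumption: internal accounts known to the owner
# Assumption: roster of external members copied from the FeLS-PG by the owner.
FELS_PG_ROSTER = {"ext_alice", "ext_bob", "ext_carol", "ext_dave"}


def audit(members, kit_users, roster):
    """Return sorted (username, finding) pairs for the group owner to review."""
    findings = []
    seen = set()
    for m in members:
        user = m["username"]
        seen.add(user)
        if user in kit_users:
            continue  # internal accounts are out of scope for this check
        if user not in roster:
            findings.append((user, "in GitLab but not in FeLS-PG: remove or invite"))
            continue
        # Review threshold chosen for this example, not a KIT rule.
        if m["access_level"] >= MAINTAINER:
            findings.append((user, "external with Maintainer/Owner role: confirm need"))
        if m["expires_at"] is None:
            findings.append((user, "no membership expiry set"))
    for user in roster - seen:
        findings.append((user, "in FeLS-PG but not a GitLab member: pending or stale"))
    return sorted(findings)


if __name__ == "__main__":
    for user, finding in audit(MEMBERS, KIT_USERS, FELS_PG_ROSTER):
        print(f"{user:10} {finding}")
```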
How can external users register in FeLS?
If your external guest does not yet have an authenticated FeLS account, they can alternatively register with their Google, GitHub, or eduGAIN account via the Helmholtz-AAI connection.
To register with Helmholtz AAI, the external user should visit Helmholtz Cloud, which provides the AAI service. Log in via “Sign in” at the top right of the Helmholtz Cloud page: https://helmholtz.cloud/
You can also access the login page via the bundled services page: https://helmholtz.cloud/services
Helmholtz Cloud will ask you to start the registration process for your federated account (Google or GitHub) and will request access to your public data.
While signing up for a Helmholtz Cloud service, you will receive a confirmation email for your submission and a security token. Once you confirm this email with the invitation token, registration will be completed.
This process ensures that you are successfully authenticated via OIDC and can register with our GitLab at KIT.
Further information and details about Helmholtz Login and Helmholtz-AAI can be found at: https://hifis.net/aai/
Deprovisioning rules
Eight months after the last login, the external user will be contacted at their primary email address and asked to log in again. If this does not happen, the account and access rights will be deleted three months after the notification was sent.