You might consider a secure login for users affiliated to other institutions than your lab as well. Then you can implement a redirection to a set of IdPs with delegated permissions to authenticate users against your LDAP but also against many other LDAPs.


Feel free to come up with questions about this solution.


Nikolay



===============
Nikolay Vazov, PhD
Department for Research Computing, University of Oslo

From: galaxy-dev <galaxy-dev-bounces@lists.galaxyproject.org> on behalf of Dannon Baker <dannon.baker@gmail.com>
Sent: 29 September 2016 17:40
To: Simon Chang
Cc: galaxy-dev@lists.galaxyproject.org
Subject: Re: [galaxy-dev] Question about Galaxy integration with external access control
 
Hi Simon,

On Thu, Sep 29, 2016 at 11:22 AM, Simon Chang <simonychang.hutlab@gmail.com> wrote:
1)  Assuming Galaxy can read LDAP directory service information, to what extent is access control enforced?  Is it on a file system level?

The 'galaxy' user, or whichever user is running the files, is the normal way to handle this, with other system users not being able to access galaxy owned files directly.

2)  If a researcher logs into Galaxy with his LDAP credentials, runs some analyses and obtains the results, how exactly are these results protected from other researchers who may be prohibited from accessing these results due to institutional policies?  Accordingly, if a researcher wants to share the data product with another LDAP user, how is that done exactly apart from simply downloading and emailing it?

Check out https://wiki.galaxyproject.org/Learn/Share for more information about Galaxy's sharing abilities, and certainly feel free to ask more questions.  In short, there are systems built into Galaxy that allow users to share (or secure) Galaxy objects within the framework.

-Dannon