Functional Architecture: VO Membership Service
COmanage delivers the VO Membership service, which provides:
- a registry of persistent VO identifiers
- VO-specific workflows for onboarding members
- a limited set of attributes per member
- access through eduGAIN and external identity providers (extIDp)
COmanage uses an internal MySQL database (the CO-DB). In addition, a provisioning adapter pushes the data the Attribute Authorities need into a separate database (the AA-DB); the SAML and VOOT Attribute Authorities serve their information from the AA-DB, which keeps them away from the registry's own database.
Next to the CO-DB and AA-DB, an ACL-DB records which SPs should receive which data from the VO, as selected by the VO managers. Both AAs use this information to filter the data they release, so an SP only receives what a VO manager has explicitly selected for it.
The SAML AA implements the SAML Attribute Query profile. It is essentially a Shibboleth IdP configured to read its attribute data from MySQL (the AA-DB) and to apply the ACL-DB when releasing attributes.
(Example implementation: see https://wiki.surfnet.nl/display/ORCIDAA/Technical+Setup, chapter 2.)
The VOOT AA is a RESTful, OAuth2-protected resource that provides group and attribute information using the VOOT protocol. An example implementation is php-voot-provider (https://github.com/OpenConextApps/php-voot-provider).
It uses the AA-DB and ACL-DB as its data sources. Authorization can be managed through APIS (an OAuth2 authorization server); for the pilots, however, it is proposed to use HTTP basic authentication, which php-voot-provider supports by default. Note that with basic authentication each client presents a static shared secret on every request, so the VOOT endpoint must only be served over TLS, and each client needs its own credential mapped to its SP identity so that the ACL can still be applied per SP.
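The AA-DB/ACL-DB split and the per-SP filtering that both Attribute Authorities apply, as an added worked example; this is not code from COmanage, Shibboleth or php-voot-provider, and the table layout, attribute names, SP entityIDs, client credentials, sample members and the group entry shape are all assumptions. It models the provisioning adapter, the SAML AA's per-SP attribute view, the VOOT AA's group view, and the mapping of a pilot basic-auth client onto the SP identity the ACL is keyed on.

```python
"""Toy model of the AA-DB / ACL-DB split behind the SAML and VOOT Attribute
Authorities (added example; schema, names and data are assumptions, not the
COmanage, Shibboleth or php-voot-provider schema)."""
import base64
import hmac
import sqlite3

# Constructed CO-DB export: what the provisioning adapter pushes into the AA-DB.
REGISTRY_EXPORT = [
    {"vo_id": "vo-0001",
     "attrs": {"displayName": "Alice Example", "mail": "alice@example.org"},
     "groups": [("vo:example:members", "member"), ("vo:example:admins", "admin")]},
    {"vo_id": "vo-0002",
     "attrs": {"displayName": "Bob Example", "mail": "bob@example.org"},
     "groups": [("vo:example:members", "member")]},
]

# Constructed ACL-DB content: per SP entityID, the attributes a VO manager released.
# 'isMemberOf' stands for group membership; an SP not listed here gets nothing.
ACL = [
    ("https://wiki.example.org/sp", "displayName"),
    ("https://wiki.example.org/sp", "mail"),
    ("https://wiki.example.org/sp", "isMemberOf"),
    ("https://survey.example.org/sp", "displayName"),
]

# Constructed basic-auth clients for the VOOT pilot: client id -> (secret, SP entityID).
VOOT_CLIENTS = {"wiki": ("s3cret-wiki", "https://wiki.example.org/sp")}


def open_db():
    """AA-DB and ACL-DB as three tables in one in-memory SQLite database (assumed layout)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE person_attr  (vo_id TEXT, attr TEXT, value TEXT);
        CREATE TABLE group_member (vo_id TEXT, group_id TEXT, role TEXT);
        CREATE TABLE acl          (sp_entity_id TEXT, attr TEXT);
    """)
    return conn


def provision(conn, export, acl):
    """Provisioning adapter: copy the registry export into the AA-DB and load the ACL-DB."""
    for rec in export:
        conn.executemany("INSERT INTO person_attr VALUES (?, ?, ?)",
                         [(rec["vo_id"], a, v) for a, v in rec["attrs"].items()])
        conn.executemany("INSERT INTO group_member VALUES (?, ?, ?)",
                         [(rec["vo_id"], g, r) for g, r in rec["groups"]])
    conn.executemany("INSERT INTO acl VALUES (?, ?)", acl)
    conn.commit()


def build_demo_db():
    """Provisioned database with the constructed sample data above."""
    conn = open_db()
    provision(conn, REGISTRY_EXPORT, ACL)
    return conn


def attributes_for(conn, sp_entity_id, vo_id):
    """SAML AA view: one member's attributes, restricted to what the ACL releases
    to the requesting SP. Because of the join, an unknown SP gets an empty set."""
    rows = conn.execute(
        "SELECT p.attr, p.value FROM person_attr p "
        "JOIN acl ON acl.attr = p.attr AND acl.sp_entity_id = ? "
        "WHERE p.vo_id = ?", (sp_entity_id, vo_id)).fetchall()
    return dict(rows)


def groups_for(conn, sp_entity_id, vo_id):
    """VOOT AA view: the member's groups, released only when the ACL grants the
    SP 'isMemberOf'. The entry shape is illustrative, not the VOOT wire format."""
    allowed = conn.execute("SELECT 1 FROM acl WHERE sp_entity_id = ? AND attr = 'isMemberOf'",
                           (sp_entity_id,)).fetchone()
    if allowed is None:
        return []
    rows = conn.execute("SELECT group_id, role FROM group_member WHERE vo_id = ? ORDER BY group_id",
                        (vo_id,)).fetchall()
    return [{"id": g, "role": r} for g, r in rows]


def basic_auth_header(client_id, secret):
    """Build the Authorization header a pilot VOOT client would send."""
    return "Basic " + base64.b64encode(f"{client_id}:{secret}".encode()).decode()


def basic_auth_client(header, clients=VOOT_CLIENTS):
    """Map an HTTP Basic Authorization header to the SP entityID used for the ACL
    lookup. Returns None on any failure; the secret is compared in constant time."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        return None
    try:
        client_id, _, secret = base64.b64decode(token, validate=True).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    expected, sp = clients.get(client_id, ("", None))
    if sp is None or not hmac.compare_digest(secret.encode(), expected.encode()):
        return None
    return sp


if __name__ == "__main__":
    db = build_demo_db()
    sp = basic_auth_client(basic_auth_header("wiki", "s3cret-wiki"))
    print(attributes_for(db, sp, "vo-0001"))
    print(groups_for(db, sp, "vo-0001"))
    print(attributes_for(db, "https://survey.example.org/sp", "vo-0001"))
```

The ACL join is the whole point of the ACL-DB: the survey SP sees only displayName, the wiki SP additionally sees mail and the group list, and an SP with no ACL row receives nothing at all. For the basic-auth pilot, the only identity the VOOT AA has is the client id behind the shared secret, so that id must be tied to exactly one SP entityID, as VOOT_CLIENTS does; otherwise the ACL cannot be applied.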
TEIP (Transparent External Identity Proxy)
The TEIP service proxies multiple external identity providers behind one single, persistent SAML2 IdP. This allows VOs and federations to integrate one endpoint for all guest/external identity scenarios, while end users still choose the authentication service they prefer.
TEIP functional overview. Note that the authentication sources shown are examples and may not be present in an actual setup.