...
- an IdP proxy on SimpleSAMLphp
- a COmanage server (configured as service provider) as aggregation service
- a cloud framework (OpenStack) as service provider.
For the purpose of this pilot, we have enabled federated access to the dashboard of a demo OpenStack Cloud deployment, using a set of dummy users registered in the testbed IdP. Specifically, the pilot IdP proxy has been configured to authenticate users and communicate the result of the authentication to a COmanage instance using SAML assertions. In COmanage, a number of collaborations (COs) were created, each with a corresponding project in OpenStack, so that users can be mapped properly; any entitlement expressing a user's membership in a CO is added to the SAML assertion. The resulting SAML assertion is then passed to OpenStack's Identity service (Keystone), where it is mapped to Keystone user groups; based on that group membership, the authenticating user can access cloud resources using their federated AARC ID.
There was no need to create local accounts on the cloud framework; ephemeral users are used instead. A set of mapping rules was created that, depending on the entitlements provided by COmanage (membership of a CO with a specific role), associates the external users with the right group defined in OpenStack, and each group can access a particular OpenStack project with different rights (either admin or simple user).
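As an added illustration (not the pilot's own configuration or Keystone's code), the following constructs a mapping in the same rule structure Keystone uses and evaluates it the way Keystone would: entitlement values select the group, the first remote attribute becomes the ephemeral user name, and an assertion matching no rule yields no group, hence no project access. The attribute names (`aarc_id`, `entitlement`), the CO name and the entitlement URNs are assumptions.

```python
# Added example: a Keystone-style mapping (Python dict, same structure as the
# JSON Keystone loads) plus a small evaluator that mimics rule matching.
# Attribute names and entitlement URNs are constructed, not the pilot's values.
MAPPING = {"rules": [
    {"local": [{"user": {"name": "{0}", "type": "ephemeral"}},
               {"group": {"name": "co-alpha-admins", "domain": {"name": "Default"}}}],
     "remote": [{"type": "aarc_id"},
                {"type": "entitlement", "any_one_of": ["urn:example:co:alpha:admin"]}]},
    {"local": [{"user": {"name": "{0}", "type": "ephemeral"}},
               {"group": {"name": "co-alpha-members", "domain": {"name": "Default"}}}],
     "remote": [{"type": "aarc_id"},
                {"type": "entitlement", "any_one_of": ["urn:example:co:alpha:member"]}]},
]}


def rule_matches(rule, attrs):
    # Every remote attribute must be present in the assertion; an any_one_of
    # constraint is satisfied when at least one listed value is asserted.
    for remote in rule["remote"]:
        values = set(attrs.get(remote["type"], []))
        if not values:
            return False
        if "any_one_of" in remote and not values & set(remote["any_one_of"]):
            return False
    return True


def map_assertion(mapping, attrs):
    # Groups from all matching rules are unioned. With no matching rule the
    # user is mapped to no group, so no OpenStack project is reachable.
    user, groups = None, set()
    for rule in mapping["rules"]:
        if not rule_matches(rule, attrs):
            continue
        first = attrs[rule["remote"][0]["type"]][0]  # value "{0}" expands to
        for local in rule["local"]:
            if "user" in local:
                user = local["user"]["name"].replace("{0}", first)
            if "group" in local:
                groups.add(local["group"]["name"])
    return user, sorted(groups)


if __name__ == "__main__":
    # Constructed assertion attributes for a CO admin.
    print(map_assertion(MAPPING, {"aarc_id": ["alice@example.org"],
                                  "entitlement": ["urn:example:co:alpha:admin"]}))
```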
Schema
TBA
...
Demonstration workflow
To show, through a series of screenshots, how users are properly mapped to a particular project in OpenStack depending on their CO membership in COmanage.
...