Versions Compared

Comment: Update user workflow

User workflow for interested users:

1. Access the OpenStack Dashboard to use the OpenStack cluster configured as a SAML SP at https://am02.pilots.aarc-project.eu/horizon

2. Click Connect and select your Identity Provider from the discovery page (WAYF). You may select any of the following options:

  • Institutional IdP: AARC DIY Identity Provider (considered an official IdP for demo purposes only)
  • Social IdPs: Facebook, Google, LinkedIn
  • ORCID

3. You will be redirected to the Sign In page of your IdP (e.g. Google).

4. If this is your first time logging in, you will be redirected to the AARC Pilot User Community Sign Up page after successful authentication. Alternatively, you may access the sign up page directly by visiting:

https://aai-dev.egi.eu/join-aarc

5. Depending on the LoA and/or attributes released by your Home IdP, there are two sign up workflows:

  1. If the LoA is substantial and all required attributes are released: Self-service Sign Up (typically for users coming from eduGAIN IdPs, or the AARC DIY Identity Provider for the purpose of this demo)
  2. If the upstream IdP cannot provide all attributes, or the LoA is low: Approval-based Sign Up. For example, in the case of Social IdPs the Affiliation attribute will be missing; thus, you will be asked to provide any missing attribute values yourself.

6. If your sign up request requires approval (second workflow), the Sponsors of the VO will be notified via email.

7. One of the Sponsor users has to approve your request via the COmanage Registry at https://aai-dev.egi.eu/registry

8. After approval, your account will be activated in COmanage

...

  • Subject Identifier retained by Google: unique, persistent, non-reassignable (not the Google email address)

9. Log in again to the OpenStack dashboard at

...

  1. Mapped to Keystone: the mapping is based on eduPersonEntitlement or MemberOf(). We also add the membership to specific collaborations inside COmanage in the mapping.
  2. In the pilot we mapped user affiliation to a Keystone group; next experiment: map Entitlement to a Group. What if a user has neither Entitlement nor Affiliation?
  3. ---> no registration finished ==> no service for him

...

You will be mapped to a Keystone group based on the values of the eduPersonEntitlement attribute.
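To make the group mapping and its failure mode concrete, here is an added example (not code from the page, the pilot, or Keystone itself): a small Python evaluator for a mapping document written in the shape Keystone federation mappings use, with "rules" that each carry "local" and "remote" parts. It assumes the OIDC-* attribute names, the group names and the entitlement and affiliation values, which are all constructed placeholders. Rule 1 grants a group from eduPersonEntitlement, as the text describes; rule 2 is an affiliation-based fallback like the pilot's; and a user who released neither attribute matches no rule and is rejected, which is the "no registration finished, no service" case noted above.

```python
"""Simplified evaluator for Keystone-style federation mapping rules.

Added example, not Keystone's own code. Attribute names (OIDC-*), group
names and the entitlement/affiliation values are constructed placeholders.
"""
import re

# Constructed mapping (hypothetical values). Rule 1 maps eduPersonEntitlement
# to a group; rule 2 maps a scoped affiliation to a fallback group.
MAPPING = {
    "rules": [
        {
            "local": [
                {"user": {"name": "{0}"}},
                {"group": {"name": "aarc-pilot-members", "domain": {"name": "Default"}}},
            ],
            "remote": [
                {"type": "OIDC-sub"},  # direct-mapped: its value becomes {0}
                {"type": "OIDC-eduPersonEntitlement",
                 "any_one_of": ["urn:mace:egi.eu:aai.egi.eu:member@aarc-pilot"]},
            ],
        },
        {
            "local": [
                {"user": {"name": "{0}"}},
                {"group": {"name": "aarc-affiliated", "domain": {"name": "Default"}}},
            ],
            "remote": [
                {"type": "OIDC-sub"},
                {"type": "OIDC-eduPersonScopedAffiliation",
                 "any_one_of": [r".*@example\.org$"], "regex": True},
            ],
        },
    ]
}


def _condition_holds(cond, values):
    """True when the released values satisfy one 'remote' condition.

    Only 'any_one_of' (literal or regex) and plain presence checks are
    modelled; Keystone also supports not_any_of, blacklist and whitelist.
    """
    if not values:
        return False  # attribute absent from the assertion
    if "any_one_of" not in cond:
        return True  # direct-map entry: presence is enough
    if cond.get("regex"):
        return any(re.search(p, v) for p in cond["any_one_of"] for v in values)
    return any(v in cond["any_one_of"] for v in values)


def evaluate(mapping, assertion):
    """Apply every rule whose remote conditions all hold.

    assertion: dict of attribute name -> list of released values.
    Returns (user name, sorted group names); raises PermissionError when no
    rule matched, i.e. the user gets no Keystone group and therefore no service.
    """
    user = None
    groups = set()
    for rule in mapping["rules"]:
        if not all(_condition_holds(c, assertion.get(c["type"], [])) for c in rule["remote"]):
            continue
        # Direct-mapped attributes fill {0}, {1}, ... in the local part.
        direct = [assertion[c["type"]][0] for c in rule["remote"] if "any_one_of" not in c]
        for item in rule["local"]:
            if "user" in item:
                user = item["user"]["name"].format(*direct)
            if "group" in item:
                groups.add(item["group"]["name"])
    if user is None or not groups:
        raise PermissionError("no mapping rule matched: no group, no service")
    return user, sorted(groups)


def is_mapped(mapping, assertion):
    """Convenience predicate: does any rule grant this assertion a group?"""
    try:
        evaluate(mapping, assertion)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    # Constructed assertions: an entitled user, an affiliated user, and a
    # social-IdP user who released neither attribute.
    print(evaluate(MAPPING, {"OIDC-sub": ["u1"],
                             "OIDC-eduPersonEntitlement": ["urn:mace:egi.eu:aai.egi.eu:member@aarc-pilot"]}))
    print(evaluate(MAPPING, {"OIDC-sub": ["u2"],
                             "OIDC-eduPersonScopedAffiliation": ["staff@example.org"]}))
    print("social user mapped:", is_mapped(MAPPING, {"OIDC-sub": ["google-user"]}))
```

The evaluator treats a missing attribute as a failed condition rather than an empty match, which is the behaviour that matters here: a social-IdP login that releases only a subject identifier, with no entitlement and no affiliation, ends in a rejection rather than an account with no group, so the sign up (and Sponsor approval, where required) has to complete before the dashboard grants anything.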