Versions Compared

...

Each member of the LSC is assigned an albert.einstein identity, and manages this account and its credentials via the my.ligo.org application. This pilot aims to investigate the infrastructure and organisational changes required to support the increased use of federated institutional identities alongside the existing internal credentials. In particular it will identify the technological components and deploy a pilot service to be used for evaluation. It will also work to understand the current limitations of federated identities as applied to the LSC, and recommend alternative approaches where relevant.

...

The goal of this AARC project is to design and deploy a pilot SAML proxy instance so that LSC users can make better use of their institutional identities in a federated manner. SAML proxies are increasingly being used to easily connect all of a collaboration's resources into the eduGAIN network, and this would demonstrate their success for a large, established collaboration. It will also investigate the limitations of a SAML proxy and recommend alternative solutions to these issues. Finally, we will look at other areas where the SAML proxy can be utilised.

Description

Following discussions within the LSC it was decided that the pilot would deploy SATOSA and pyFF to create a SAML proxy between the eduGAIN institutional identity providers and the LSC's service providers. This would allow LSC and Virgo members to use their institutional credentials to access LSC resources directly. Institutional identities would be mapped to a user's albert.einstein identity via an internal account-linking step, and LIGO-specific information, in particular group and identity information, would be used to annotate the account. SATOSA will act as the central SAML proxy of the project, while pyFF will be used to aggregate SAML metadata from eduGAIN and the LSC, and also to provide the discovery service interface.
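As an added illustration of the topology just described (this is not configuration from the pilot or from the SATOSA project itself), the fragment below follows the layout of SATOSA's published example proxy_conf.yaml: a SAML2 backend facing the eduGAIN institutional IdPs, a SAML2 frontend facing the LSC service providers, and an LDAP attribute-store microservice supplying the LIGO group information between the two. The hostname, the plugin file paths and the secret value are placeholders, and every key should be checked against the SATOSA release actually deployed.

```yaml
# Added example, not the pilot's own configuration: a SATOSA proxy_conf.yaml
# arranged for an eduGAIN-IdP -> proxy -> LSC-SP deployment. Hostnames and
# file paths are placeholders; verify key names against the SATOSA version in use.
BASE: https://proxy.example.org          # assumed public base URL of the proxy

# Name of the cookie that carries the encrypted request state across the
# backend/frontend round trip, and the key used to encrypt it.
COOKIE_STATE_NAME: "SATOSA_STATE"
STATE_ENCRYPTION_KEY: "REPLACE-WITH-A-LONG-RANDOM-SECRET"   # placeholder; keep the real value out of version control

# Mapping between SAML attribute names and SATOSA's internal attribute names.
INTERNAL_ATTRIBUTES: "internal_attributes.yaml"

# Backend: the proxy behaves as a SAML SP towards the institutional IdPs
# reached through eduGAIN (metadata for these comes from the pyFF aggregate).
BACKEND_MODULES:
  - "plugins/backends/saml2_backend.yaml"

# Frontend: the proxy behaves as a SAML IdP towards the LSC service providers.
FRONTEND_MODULES:
  - "plugins/frontends/saml2_frontend.yaml"

# Microservices operate on the attribute set after the backend has authenticated
# the user and before the frontend issues the assertion to the SP. The LDAP
# attribute store plays the role of the Attribute Store component: it adds the
# LIGO group and identity information for the linked albert.einstein account.
MICRO_SERVICES:
  - "plugins/microservices/ldap_attribute_store.yaml"

# Standard Python logging dictConfig; at INFO the proxy records each
# authentication flow, which is what an operator reviews when a mapping fails.
LOGGING:
  version: 1
  formatters:
    simple:
      format: "[%(asctime)s] [%(levelname)s] [%(name)s] %(message)s"
  handlers:
    stdout:
      class: logging.StreamHandler
      stream: ext://sys.stdout
      level: INFO
      formatter: simple
  root:
    level: INFO
    handlers:
      - stdout
```

Two points worth checking in a deployment shaped like this: the backend plugin should consume the signed pyFF aggregate and verify its signature rather than trusting unsigned metadata downloads, since the set of trusted IdPs is exactly what that file defines; and the account-linking step has to run before the attribute store lookup, otherwise the LDAP query has no albert.einstein identifier to search on and the SP receives an assertion without the LIGO group information.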

Components

Component | Technology | Description | Why did we choose it | Link
SAML Proxy | SATOSA | SAML IdP to SAML SP proxy | Popular Python-based package that includes services for adding attributes from external sources | https://github.com/IdentityPython/SATOSA
Metadata aggregation | pyFF | Aggregate and process SAML metadata from multiple sources | Popular Python-based package that allows you to customise SAML metadata processing and also supports the Metadata Query Service | http://pyff.io/
Discovery Service | pyFF | Present list of IdPs to user | |
Attribute Store | LDAP | Source of additional user attributes | |
Account Linking Service | COManage | Link institutional IdP attributes to LSC user account | |


Architecture

...
...

  • SATOSA
  • pyFF Discovery Service

...