Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Start by clicking the name of one of the offered claims (grey boxes within red ones) within Undeclared Attestations. Click "startstart" and provide provide the data requested (e.g. fill the form, follow the QR link or log in with an identity provider) (in the demo, shouldn't every QR be accompanied by the corresponding text content?). Upon successful completion, this will result in an addition to Presented ClaimsPresented Claims. Once these these are approved by the Registration Authority (RA), they will be moved to Approved Claims and a corresponding Received Attestation will be produced. To see details or retract (remove?) / start (recreate?) , retract or start a claim, click on the claim or attestation title. To return, click on "homehome". More at https://wiki.geant.org/display/gn43wp5/CommTrust+demonstrator+usage#CommTrustdemonstratorusage-Gettingstarted(applicant). GÉANT Wiki.

Image AddedImage Removed

Getting started (RA)

...

Start by clicking the name of one of the Unapproved Claims (yellow boxes), tick if the applicant is present in person, and click "approveapprove" to confirm the claim(not "assertion"!). To disapprove, click on the title of one of the green claims that you approved (Claims Approved approved by ...) and click on"disapproveisapprove". Do we also need Other Approvals? More at https://wiki.geant.org/display/gn43wp5/CommTrust+demonstrator+usage#CommTrustdemonstratorusage-Gettingstarted(RA).More at GÉANT Wiki.

Image AddedImage Removed

Glossary

... for developers is provided here

...

Bob logs into the vetting portal https://app.incubator.geant.org/ with his guest identity student1/student1 and selects a token (from those he has and which he wishes to use), uses his token and is directed to a site giving him instructions on how to .

He proves his identity using his passport by clicking at Undeclared Attestations > ID document > ReadID and following on-screen instructions (do we need a link to the ReadID app ib stores along with the QR?Yes, for the case when Bob does not have the app on his phone we should. We should include a link.  Following Following the instructions, he scans the presented QR code and downloads an application onto his mobile device (in the event he already has the application, from a previous session (say) he can skip the downloading step). He opens the application and is instructed to use it to scan his passportpassport (PassportProof)   perhaps here we could align the name of the claim in the demo app with the component use case name - so ReadID becomes PassportProof  and receives confirmation that ‘vetting is in process’.

Bob also provides provides his ORCID ID ORCIDProof (ORCIDProof) and confirms his name and email with a login to ORCID, which also confirms the possession of his ORCID credentials.

Later that day Alice, who is the the vetting portal credential manager (RA), receives a notification that (we do not say how (smile)) Yes, that is a detail we do not need to cover  a new applicant request is pending. She opens the admin portal https://ra.incubator.geant.org/ with her staff1/staff1 credentials and searches for the applicant.

She makes contact with Bob and, using Bob’s mobile device camera using a video chat app and the picture from Unapproved Claims > ReadID (NO PHOTO YET!!!for data protection, the photo from Bob's password is not retrieved from ReadID), verifies that the picture from his identity document does , in fact, correspond with the living Bob (FaceMatch), This is the 'liveness' claim, so we could call it FaceMatch  checks if the document is valid, and confirms the claim by clicking on "approve" approve" (CheckRef). At that time she could also request Bob to provide a TOTP password. Since access to stored climate documents is subject to very strict checks (to prevent rogue history revisionists) she checks Bob’s ORCID ID (ORCIDProof) via the ORCID API (AttribRelease) integrated into the admin portal using Unapproved Claims > ReadID ORCID by following the link to the ORCID page on Bob  (we also need a new tab link such as https://orcid.org/0000-0002-5614-3516) We could  do this or we could just say this is something the RA does  by other means - does not have to be integrated into the application.Bob. She confirms that he has a convincing academic record in the field, in line with the MCAS Admittance Policy, by clicking on "approve". by asking Bob to produce a reference from an esteemed colleague (ProvideRef) and verifying that this colleague is indeed on the list of validated reference providers (CheckRef) (if Bob had not been able to do this Alice would follow normal procedure and request such a reference (RequestRef))  Perhaps as we do not have this functionality it  o could change in this example to be a self-asserted attestation that is approved by the RA.approve" and attests that Bob’s data is correct within the admin portal (SetAttribMediatore t) By and that he meets admittance criteria again we will need to describe this as a workflow that could be done, but is not a part of the demo - unless it can be added in a short time.(CheckRef). With this confirmation, Alice , thus satisfied, has created an a "MCAS member" attestation (we can bind this attestation to ORCID approval). binds Bob’s identity to the token (MFABinding) and sends an email to Bob with a QR code that invites him to activate his selected token. Bob opens the email, clicks on the activation code and receives a message informing him that the token is activated. again I'm not sure we have this final step although we have a TOTP token to useLibrary Access" attestation.

The IdP used by the MCAS portal can confirm Bob's identity and that he is entitled to access the MCAC API MCAS by invoking the JSON API https://app.incubator.geant.org/rest.php?id=<USER <USER ID>, e.g. https://app.incubator.geant.org/rest.php?id=1.