...

The work carried out in the CTA pilot of AARC is aimed at providing the CTA community with the eduGAIN authentication services, ensuring at the same time a way to onboard this scientific community into eduGAIN. An infrastructure has been deployed based on the model proposed by the AARC Blueprint Architecture to enable the management of users coming from both eduGAIN Identity Providers and the CTA standalone IdP. The core component of the new infrastructure is the SATOSA IdP/SP proxy, acting as the central AAI layer that serves the CTA community of users. In addition, an external attribute authority (COmanage) has been plugged into the proxy in order to manage the user enrollment process, ensure the injection of additional user authorization attributes, and allow for account linking when requested by the users and granted by the manager of the collaboration.

...

The first step implemented in this phase of the pilot consisted of the integration of COmanage and Grouper. Grouper is a group management tool used by the CTA community to manage authorization. One of the requirements for CTA is to keep using this tool as a front end to their services. COmanage is a comprehensive Attribute Authority, managing the enrollment of users via their IdPs through different configurable workflows. For CTA, user self-enrollment moderated by an admin user has been implemented.

CTA pilot architecture (figure not reproduced here)

Results

The AARC CTA pilot system has been successfully tested by the CTA AAI experts, who have been able to successfully authenticate and get authorized on specific CTA service providers.

The designed workflow, supported by the SATOSA proxy and its implemented microservices, has proven to work and to be reliable, supporting the desired authentication and authorization processes.

The main benefits for the CTA community can be summarized as follows:

  • Successfully exploited an architecture capable of onboarding the whole CTA community to the eduGAIN trust model and flows.
  • Included COmanage and Grouper as community tools to support attribute management and fine-grained authorization processes.
  • Successfully integrated legacy and new Service Providers of interest for the CTA community.
  • Generated the required ePUID as a unique, reliable identifier for the CTA users.
  • Linked identities between already existing CTA IDs and eduGAIN identifiers.
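The two last points, generating a unique and reliable ePUID (eduPersonUniqueId) at the proxy and linking an existing CTA identity to an eduGAIN identity only when the user requests it and the collaboration manager grants it, are illustrated below in a small added Python example. It is not code from the pilot, SATOSA or COmanage; the scope, the secret and the IdP entity IDs are constructed placeholders, and the derivation (a keyed HMAC over the asserting IdP's entityID and the subject it asserts, producing a 64-character hex local part as allowed by the eduPersonUniqueId definition) is an assumption about how a proxy can mint such an identifier, not a description of the pilot's implementation.

```python
import hashlib
import hmac
import re

# Assumed scope for the community; the page does not state the real one.
EPUID_SCOPE = "cta.example.org"
# Constructed secret. In a real proxy this is configuration, never a literal:
# rotating it changes every ePUID, so it must be protected like a signing key.
PROXY_SECRET = b"constructed-proxy-secret-do-not-reuse"

# eduPersonUniqueId: alphanumeric local part of at most 64 characters, then "@scope".
EPUID_RE = re.compile(r"^[A-Za-z0-9]{1,64}@[A-Za-z0-9.-]+$")


def derive_epuid(idp_entity_id: str, subject_id: str, *,
                 secret: bytes = PROXY_SECRET, scope: str = EPUID_SCOPE) -> str:
    """Derive a stable, opaque ePUID for one (asserting IdP, asserted subject) pair.

    Binding the IdP entityID into the input prevents two IdPs that both assert
    the subject "user1" from colliding on the same identifier.
    """
    message = f"{idp_entity_id}\x00{subject_id}".encode("utf-8")
    local_part = hmac.new(secret, message, hashlib.sha256).hexdigest()  # 64 hex chars
    return f"{local_part}@{scope}"


def is_valid_epuid(value: str) -> bool:
    return bool(EPUID_RE.match(value))


class LinkingError(Exception):
    """Raised when an account-linking request cannot be honoured."""


class IdentityRegistry:
    """Maps each (IdP, subject) pair to the canonical ePUID the services see.

    A pair seen for the first time gets its own derived ePUID. A further pair
    may be bound to an existing ePUID (account linking) only when the user
    requested it and the collaboration manager granted it.
    """

    def __init__(self) -> None:
        self._links: dict[tuple[str, str], str] = {}

    def resolve(self, idp_entity_id: str, subject_id: str) -> str:
        key = (idp_entity_id, subject_id)
        if key not in self._links:
            self._links[key] = derive_epuid(idp_entity_id, subject_id)
        return self._links[key]

    def link(self, canonical_epuid: str, idp_entity_id: str, subject_id: str, *,
             requested_by_user: bool, granted_by_manager: bool) -> str:
        if not (requested_by_user and granted_by_manager):
            raise LinkingError("linking needs both a user request and a manager grant")
        if not is_valid_epuid(canonical_epuid) or canonical_epuid not in self._links.values():
            raise LinkingError("target ePUID is unknown to this registry")
        key = (idp_entity_id, subject_id)
        existing = self._links.get(key)
        # Refuse to silently move an identity that is already linked to a different account.
        if existing not in (None, canonical_epuid, derive_epuid(idp_entity_id, subject_id)):
            raise LinkingError("identity is already linked to another account")
        self._links[key] = canonical_epuid
        return canonical_epuid


def demo() -> dict:
    """Walk through the flow with constructed identities and return the observable results."""
    cta_idp = "https://idp.cta.example/idp"            # constructed: CTA standalone IdP
    home_idp = "https://idp.university.example/idp"    # constructed: an eduGAIN IdP
    registry = IdentityRegistry()

    existing = registry.resolve(cta_idp, "user1")        # pre-existing CTA account
    fresh = registry.resolve(home_idp, "user1")          # first login via eduGAIN
    refused = False
    try:
        registry.link(existing, home_idp, "user1", requested_by_user=True, granted_by_manager=False)
    except LinkingError:
        refused = True
    linked = registry.link(existing, home_idp, "user1", requested_by_user=True, granted_by_manager=True)
    return {
        "existing": existing,
        "fresh_differs": fresh != existing,
        "refused_without_grant": refused,
        "linked": linked,
        "resolved_after_link": registry.resolve(home_idp, "user1"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point worth checking in any real deployment is the last step: after linking, a login through the eduGAIN IdP must resolve to the same ePUID as the CTA account, while a login with the same subject string from a different IdP, or a linking request without the manager's grant, must not.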

All the original goals of the pilot have been reached.

In a subsequent phase, social and eGov identities could be included via Identity Hub.

The AARC Blueprint Architecture was used as a model to design the pilot by clearly separating each component and its role in the system architecture. The pilot and its testbed will be maintained by INAF.