Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

StepActionScreenshot
1

Visit SP Website and select Satosa SAML Proxy from the list of IdPs

2Select Home IdP from DS

3Login at Institutional IdP

4Account Linking

5Access SP

Results

A Pilot pilot instance has been was deployed and has been registered in the eduGAIN metadata and is undergoing testing.

Further information

underwent extensive testing using a number of existing LSC resources. Within the pilot, account linking between institutional identities and a user LSC identity was performed using a manual administration step.

Limitations


There are two areas where the use of federated identities is limited. Firstly, the the LIGO detectors are situated in remote locations loss of access to the internet are common and it would be impossible for anybody working thereto  connect to their home IdPs. Therefore, people working at or visiting the detectors will need to continue to use their LSC credentials and the local IdP replicas. Secondly, the LSC rely on X509 certificates to access compute clusters and other resources. Most users obtain their certificates from the CILogon service using the ligo-proxy-init command line tool which uses SAML ECP to obtain a certificate without a web browser. Although some institutional IdPs support ECP this is severely limited, and not expected to improve. Therefore, for users who require this they will still require a dedicated password to access this resource via the LIGO IdP.

Sustainability


Going forward an instance of COManage will be deployed to handle the account linking workflow, and as well as more aspects of user management. To move the pilot into production the SATOSA and PyFF services must be deployed in a fault tolerant manner. The LSC has recently deployed a fault tolerant instance of the main Identity Provider, and we will be take a similar approach to deploy thisFollowing the completion of this pilot the service will be adopted into the LSC Identity and Access Management core services. A fault tolerant service will be maintained in the cloud.