Comment: Adding workflows with screenshots for both demonstrators

...

The online CA is a service provider that has joined eduGAIN and, as a CA, has been accredited by IGTF (as a so-called IOTA CA). To protect the service, a filtering WAYF has been implemented that only accepts Identity Providers that support release of the R&S attribute bundle and conform to Sirtfi. The combined service is running at production level. The Master Portals run by EGI and ELIXIR are running as pilot services.
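To make the WAYF filter concrete, the following is an added illustration of the two checks it performs on eduGAIN metadata. It is not the RCauth.eu filtering WAYF's own code (that is a SimpleSAMLphp configuration, not shown on this page); the metadata aggregate is constructed inline, while the attribute names and values are the ones actually published in eduGAIN: an IdP advertises R&S support with `http://macedir.org/entity-category-support`, and Sirtfi compliance with the `assurance-certification` attribute.

```python
"""Filter a SAML metadata aggregate down to the IdPs that both support the
REFEDS Research & Scholarship (R&S) entity category and assert Sirtfi.

Added illustration only; the sample aggregate below is constructed for it."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
# An IdP advertises that it releases the R&S bundle via entity-category-support;
# plain entity-category is what an SP asserts about itself.
CATEGORY_SUPPORT = "http://macedir.org/entity-category-support"
RS_CATEGORY = "http://refeds.org/category/research-and-scholarship"
ASSURANCE_CERT = "urn:oasis:names:tc:SAML:attribute:assurance-certification"
SIRTFI = "https://refeds.org/sirtfi"
URI_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"


def entity_attributes(entity):
    """Return {attribute Name: set of values} from an entity's EntityAttributes."""
    found = {}
    for attr in entity.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
        values = {v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text}
        found.setdefault(attr.get("Name"), set()).update(values)
    return found


def allowed_idps(metadata_xml):
    """entityIDs of IdPs that pass the filter, in metadata order.

    Assumes the aggregate's XML signature was verified before calling this:
    entity attributes in unsigned metadata are just claims."""
    root = ET.fromstring(metadata_xml)
    allowed = []
    for entity in root.iter("{%s}EntityDescriptor" % NS["md"]):
        if entity.find("md:IDPSSODescriptor", NS) is None:
            continue  # SPs and attribute authorities are not selectable at a WAYF
        attrs = entity_attributes(entity)
        supports_rs = RS_CATEGORY in attrs.get(CATEGORY_SUPPORT, set())
        has_sirtfi = SIRTFI in attrs.get(ASSURANCE_CERT, set())
        if supports_rs and has_sirtfi:
            allowed.append(entity.get("entityID"))
    return allowed


def _entity(entity_id, idp, rs=False, sirtfi=False):
    """Build one constructed EntityDescriptor for the sample aggregate."""
    attr = ('<saml:Attribute Name="%s" NameFormat="' + URI_FORMAT + '">'
            '<saml:AttributeValue>%s</saml:AttributeValue></saml:Attribute>')
    attrs = (attr % (CATEGORY_SUPPORT, RS_CATEGORY) if rs else "") + \
            (attr % (ASSURANCE_CERT, SIRTFI) if sirtfi else "")
    role = "IDPSSODescriptor" if idp else "SPSSODescriptor"
    return ('<md:EntityDescriptor entityID="%s"><md:Extensions><mdattr:EntityAttributes>%s'
            '</mdattr:EntityAttributes></md:Extensions>'
            '<md:%s protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>'
            '</md:EntityDescriptor>' % (entity_id, attrs, role))


# Constructed aggregate: only the first IdP should survive the filter.
SAMPLE_METADATA = (
    '<md:EntitiesDescriptor xmlns:md="%s" xmlns:mdattr="%s" xmlns:saml="%s">'
    % (NS["md"], NS["mdattr"], NS["saml"])
    + _entity("https://idp.both.example/idp", idp=True, rs=True, sirtfi=True)
    + _entity("https://idp.rs-only.example/idp", idp=True, rs=True)
    + _entity("https://idp.sirtfi-only.example/idp", idp=True, sirtfi=True)
    + _entity("https://sp.example/sp", idp=False, rs=True, sirtfi=True)
    + "</md:EntitiesDescriptor>"
)

if __name__ == "__main__":
    print(allowed_idps(SAMPLE_METADATA))
```

The signature check is the part worth stressing: the filter is only as strong as the trust in the aggregate it reads, so verify the eduGAIN signature and refresh on the published schedule before applying it.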

A sustainability study for the model has been produced by AARC-NA3.

Demonstration

We have created two demonstrator Master Portal clients, which talk to a semi-production Master Portal (running for EGI), serviced by the production RCauth.eu online CA. We have also set up a test VOMS service with a test VO to test and showcase the integration with a VOMS attribute authority. The two demonstrators are:

  1. a simple PHP program showing the basic API and handshake, with the possibility of running the same demonstrator code yourself. The code additionally shows how to integrate with VOMS and how to pre-select a particular IdP at the WAYF.
  2. a simple Science Gateway giving access to a gsiftp-enabled storage service (a test dCache instance, https://prometheus.desy.de/). This shows how X.509-based storage elements can be accessed through a science gateway, with authorization based on VOMS attributes (group membership etc.).

Demonstrator workflows

Basic demo:

  1. Select one of the login pages, e.g. run the VOMS demo to get a proxy certificate with VOMS attributes.
  2. Choose your home IdP at the WAYF of the RCauth online CA.
  3. Log in at your home IdP.
  4. Give consent at the RCauth online CA for attribute release.
  5. The demo shows the returned OpenID Connect information and then obtains a proxy, showing its information.

GSIFTP demo:

  1. Read the information about the demonstrator and choose to log in either with or without VOMS attributes.
  2. Choose your home IdP at the WAYF of the RCauth online CA.
  3. Log in at your home IdP.
  4. Give consent at the RCauth online CA for attribute release.
  5. Choose to browse the remote dCache storage element (this only works once you have access to the rcdemo VO; drop us a line to request access).
  6. Go to the VO home directory for rcdemo.
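Step 5 of the gateway demo only works for members of the rcdemo VO because the gateway authorizes on the VOMS attributes carried in the proxy. The following is an added illustration of such a check, not the demonstrator's own code (which this page does not show): it parses VOMS FQANs of the form `/vo/group/Role=.../Capability=...` and evaluates them against a constructed policy table that maps VO groups and roles to storage paths. The path `/data/rcdemo`, the `manager` role and the policy itself are assumptions for the example.

```python
"""Authorize storage access on VOMS FQANs. Added illustration; the VO, role
and path policy below are constructed for the example."""
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass(frozen=True)
class Fqan:
    vo: str
    group: str                 # full group path, e.g. "/rcdemo/users"
    role: Optional[str]        # None when VOMS wrote "NULL"
    capability: Optional[str]  # idem


def parse_fqan(text: str) -> Fqan:
    """Parse '/rcdemo/users/Role=manager/Capability=NULL' into an Fqan.

    Group components must precede Role= and Capability=; a Role= or
    Capability= value of 'NULL' (what VOMS emits when none was requested)
    is normalised to None."""
    if not text.startswith("/"):
        raise ValueError("FQAN must start with '/': %r" % text)
    groups: List[str] = []
    role = capability = None
    for part in text.split("/")[1:]:
        if part.startswith("Role="):
            role = part[len("Role="):]
        elif part.startswith("Capability="):
            capability = part[len("Capability="):]
        elif part == "" or role is not None or capability is not None:
            raise ValueError("malformed FQAN: %r" % text)
        else:
            groups.append(part)
    if not groups:
        raise ValueError("FQAN names no VO: %r" % text)
    norm = lambda v: None if v in (None, "NULL") else v
    return Fqan(vo=groups[0], group="/" + "/".join(groups),
                role=norm(role), capability=norm(capability))


# Constructed policy: (group, required role or None, path prefix, permissions).
# Members of the VO (and of any subgroup) may read and list the VO home
# directory; only proxies carrying Role=manager may write or delete there.
POLICY = [
    ("/rcdemo", None, "/data/rcdemo", {"read", "list"}),
    ("/rcdemo", "manager", "/data/rcdemo", {"read", "list", "write", "delete"}),
]


def _under(path: str, prefix: str) -> bool:
    """Prefix match on whole path components, so /data/rcdemo-x is not under /data/rcdemo."""
    return path == prefix or path.startswith(prefix.rstrip("/") + "/")


def permissions(fqans: List[Fqan], path: str) -> Set[str]:
    """Union of the permissions any FQAN grants on `path`."""
    granted: Set[str] = set()
    for fqan in fqans:
        for group, role, prefix, perms in POLICY:
            if _under(fqan.group, group) and (role is None or fqan.role == role) \
                    and _under(path, prefix):
                granted |= perms
    return granted


def authorize(fqan_texts: List[str], path: str, action: str) -> bool:
    """True if the proxy's FQANs grant `action` on `path`."""
    return action in permissions([parse_fqan(f) for f in fqan_texts], path)


if __name__ == "__main__":
    member = ["/rcdemo/Role=NULL/Capability=NULL"]
    manager = ["/rcdemo/Role=manager/Capability=NULL"]
    print(authorize(member, "/data/rcdemo/file", "read"),
          authorize(member, "/data/rcdemo/file", "write"),
          authorize(manager, "/data/rcdemo/file", "write"))
```

Note that a role is only present in the proxy if it was requested when the proxy was obtained (the VOMS server does not add roles by default), so a gateway that wants to grant on roles must request them in the VOMS call it makes on the user's behalf.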


Components

  • RCauth.eu online CA is based on the CILogon software from the US-based CILogon project. A few adaptations had to be made to conform to European privacy regulations. The backend CA is based on a myproxy-server with an eToken as a simple HSM, plus some extra software to run the CA on a separate network.
  • The Master Portal is based on the same software, implementing an OA4MP client and an OA4MP server at the same time plus glue to connect the two. It has a backend myproxy-server for credential caching.

The adaptations of the code for this pilot can be found on the RCauth.eu github repository.

Additionally:

  • Ansible scripts for setting up a Delegation Server (online CA) or a Master Portal.
  • SimpleSAMLphp has been used to build the filtering WAYF.
  • A VOMS server to run a test VO.
  • Some simple PHP clients to test the flow and make a demonstrator.